IdentityServer on AKS

12/15/2019

I'm trying to set up our platform on a Kubernetes cluster (AKS, Azure) with Azure DevOps.

I'm currently stuck on having the websites up & running, but I can't log in.

My Ingress controller logs:

2019/12/15 15:37:27 [error] 790#790: *1135318 upstream sent too big header while reading response header from upstream

My application logs:

CORS request made for path: /Account/Login from origin: null but was ignored because path was not for an allowed IdentityServer CORS endpoint

And it's an IdentityServer4 project on .NET Core 3.1.

We use Docker containers, an AKS cluster, using Azure DevOps (connection made by using the tools inside Azure, so it's all generated for us).

We

Please let me know if you need any other information!

We are exposing it to HTTPS through our load balancer; it's set up using cert-manager that uses Let's Encrypt (this works).

Also, if I try to connect using OIDC to the server from one of my web portals, it tries to do so over an HTTP connection. This shouldn't happen because we did the steps for setting it all up with HTTPS.

So the two questions are: Is there anything we missed regarding HTTP vs HTTPS when connecting to the IdentityServer4 project? How can we fix this issue regarding headers being too big?

The YAML we use in our 'Generate kubernetes manifest file' step on Azure DevOps:

'# $(appName)/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $(appName)
  labels:
    app: $(appName)
spec:
  replicas: 1
  selector:
    matchLabels:
      app: $(appName)
  template:
    metadata:
      labels:
        app: $(appName)
    spec:
      containers:
        - name: $(appName)
          image: somelinktoimage.com/somename:$(Build.BuildId)
          ports:
            - name: http
              containerPort: 80
              protocol: TCP

---

# $(appName)/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: $(appName)
  labels:
    app: $(appName)
spec:
  type: LoadBalancer
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: $(appName)

---

# $(appName)/service-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: some-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.org/proxy-connect-timeout: "30s"
    nginx.org/proxy-read-timeout: "20s"
    nginx.org/client-max-body-size: "4m"
    nginx.org/proxy-buffer-size: "128k"
    nginx.org/proxy-buffers: "4256k"
    nginx.org/proxy-busy-buffers-size: "256k"
    ingress.kubernetes.io/enable-cors: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  tls:
  - hosts:
    - account.dapperdino.co.uk
    secretName: some-secret-name
  rules:
  - host: account.dapperdino.co.uk
    http:
      paths:
      - backend:
          serviceName: $(appName)
          servicePort: 80
        path: /(.*)' | Set-Content $(Agent.TempDirectory)/manifest.yaml
-- Mick Rustenhoven
asp.net-core
azure
azure-devops
kubernetes
nginx

0 Answers
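
An added check, not part of the original post: the Ingress above mixes three annotation prefixes, and an NGINX ingress controller reads only annotations under its own prefix, so this script lists which annotations a given controller would skip. The prefix-to-controller mapping reflects the controllers' default prefixes and is an assumption here, since the post does not say which controller is deployed.

```python
# Default annotation prefixes and the controller that reads each one.
# Assumed defaults: the community controller's prefix is configurable.
PREFIX_OWNER = {
    "nginx.ingress.kubernetes.io": "kubernetes/ingress-nginx (community)",
    "nginx.org": "nginxinc/kubernetes-ingress (NGINX Inc.)",
    "ingress.kubernetes.io": "legacy prefix of early ingress-nginx releases",
}

# Annotation block copied from the Ingress in the question.
MANIFEST = """\
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.org/proxy-connect-timeout: "30s"
    nginx.org/proxy-read-timeout: "20s"
    nginx.org/client-max-body-size: "4m"
    nginx.org/proxy-buffer-size: "128k"
    nginx.org/proxy-buffers: "4256k"
    nginx.org/proxy-busy-buffers-size: "256k"
    ingress.kubernetes.io/enable-cors: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
"""

def read_annotations(manifest):
    """Return {key: value} for the lines nested under 'annotations:'."""
    found, indent = {}, None
    for line in manifest.splitlines():
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip())
        if line.strip() == "annotations:":
            indent = depth
        elif indent is not None:
            if depth <= indent:  # left the annotations block
                break
            key, _, value = line.strip().partition(": ")
            found[key] = value.strip('"')
    return found

def ignored_by(annotations, active_prefix):
    """Map each controller annotation outside active_prefix to its owner."""
    skipped = {}
    for key in annotations:
        prefix = key.rpartition("/")[0]
        if prefix in PREFIX_OWNER and prefix != active_prefix:
            skipped[key] = PREFIX_OWNER[prefix]
    return skipped
```

Call `ignored_by(read_annotations(MANIFEST), "nginx.ingress.kubernetes.io")` or pass `"nginx.org"` to see what each controller would leave unapplied, including the buffer-size settings relevant to the "too big header" error.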