Auth0 with Amazon EKS ALB Ingress handling Termination and OIDC

Hi!

I’m trying to use OpenAPI as an Auth0 hook with the ALB Ingress with EKS Kube to add some authentication to a Kibana metrics dashboard.
It works great as long as I have the OIDC configuration lines tagged out, but get all sorts of weird things when I untag them.

I’ve patterned this mostly off of Securing your applications with AWS ALB Built-in Authentication and Auth0 | by Sandrino Di Mattia | Medium and the ingress documentation here: https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#authentication

But something is very much not working.


apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: logs-ingress-secret
data:
  clientId: xxxx
  clientSecret: xxxxx


apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: logs-ingress
  namespace: kube-system
  labels:
    app: logs
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-regon-n:xxxxxx:certificate/xxxxxx
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443},{"HTTP":80}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect",
                                                      "RedirectConfig":
                                                          { "Protocol":"HTTPS",
                                                            "Port": "443",
                                                            "StatusCode": "HTTP_301"}}'
    #alb.ingress.kubernetes.io/auth-type: oidc
    #alb.ingress.kubernetes.io/auth-idp-oidc: '{"Issuer":"https://xxxxxx.us.auth0.com,"AuthorizationEndpoint":"https://xxxxxx.us.auth0.com/authorize","TokenEndpoint":"https://xxxxxx.us.auth0.com/oauth/token","UserInfoEndpoint":"https://xxxxxx.us.auth0.com/userinfo","SecretName":logs-ingress-secret}'
spec:
  rules:
    - http:
        paths:
        - path: /*
          backend:
            serviceName: ssl-redirect
            servicePort: use-annotation
        - path: /*
          backend:
            serviceName: kibana-logging
            servicePort: 5601
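
A lint for the two objects posted above, as an added example that is not part of the original post or of the ALB ingress controller: it checks that the auth-idp-oidc value parses as JSON with the five keys the post uses, and that the Secret's data values are base64-encoded. The function names and the treatment of those five keys as required are assumptions.

```python
import base64
import json

# Keys copied from the annotation in the post; treated as required (assumption).
REQUIRED = ("Issuer", "AuthorizationEndpoint", "TokenEndpoint",
            "UserInfoEndpoint", "SecretName")

def lint_oidc_annotation(value):
    """Return a list of problems in an auth-idp-oidc annotation value."""
    try:
        cfg = json.loads(value)
    except json.JSONDecodeError as err:
        # Quote the text around the failure so a stray or missing quote stands out.
        near = value[max(0, err.pos - 25):err.pos + 10]
        return [f"invalid JSON at char {err.pos}: {err.msg} (near {near!r})"]
    if not isinstance(cfg, dict):
        return ["annotation must be a JSON object"]
    problems = []
    for key in REQUIRED:
        val = cfg.get(key)
        if not isinstance(val, str) or not val:
            problems.append(f"{key}: missing or not a non-empty string")
        elif key != "SecretName" and not val.startswith("https://"):
            problems.append(f"{key}: expected an https:// URL")
    return problems

def lint_secret_data(data):
    """Secret `data` values must be base64-encoded; return any that are not."""
    problems = []
    for key in ("clientId", "clientSecret"):  # key names as used in the post
        val = data.get(key)
        if not val:
            problems.append(f"{key}: missing")
            continue
        try:
            base64.b64decode(val, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{key}: not valid base64")
    return problems

# The commented-out value from the post, with its placeholders left as posted.
AS_POSTED = ('{"Issuer":"https://xxxxxx.us.auth0.com,"AuthorizationEndpoint":'
             '"https://xxxxxx.us.auth0.com/authorize","TokenEndpoint":'
             '"https://xxxxxx.us.auth0.com/oauth/token","UserInfoEndpoint":'
             '"https://xxxxxx.us.auth0.com/userinfo","SecretName":logs-ingress-secret}')

if __name__ == "__main__":
    for line in lint_oidc_annotation(AS_POSTED):
        print(line)
    # Constructed sample: a raw (unencoded) clientId next to an encoded secret.
    print(lint_secret_data({"clientId": "my-client-id", "clientSecret": "c2VjcmV0"}))
```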

Hey there Lucas!

Unfortunately, I don’t have any experience with any of the stacks you use. Have you tried reaching out to Sandrino via Twitter directly to get some guidance on that?