Using a Cognito User Pool for login on an EKS ALB Ingress
In this tutorial the Ingress can only be reached after signing in through Cognito; the ALB itself performs the authentication before forwarding anything to the pod. Before using the ALB Ingress you must have the AWS Load Balancer Controller installed; if you have not done that yet, follow that tutorial first.
Create the Cognito User Pool
1. Choose Traditional web application, enter a name for your app, select email as the sign-in option, and click the Create user directory button at the bottom. This application type is created with a client secret, which ALB authentication requires (the app client must also use the authorization code grant).

2. Open the user pool you just created to configure it, and enable MFA for sign-in.


3. Replace the default callback URL with the one below. The path /oauth2/idpresponse is fixed by the ALB; the host must be the same host as the Ingress rule (www.example.com here):
https://www.example.com/oauth2/idpresponse

4. Disable self-registration on the hosted sign-in page so that new users can only be added from the console.

Set up the Ingress yaml
Adjust the Ingress yaml below, replacing the namespace, service, host and Cognito values with your own. Note that the login is enforced by the ALB only, not by the pod: make sure the phpmyadmin service cannot be reached by any other path (for example, allow traffic to the pods only from the ALB's security group), otherwise the authentication can simply be bypassed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: phpmyadmin
  name: phpmyadmin-ingress
  annotations:
    # 1. Use Cognito for authentication (applied to the HTTPS listener only)
    alb.ingress.kubernetes.io/auth-type: "cognito"
    # 2. Redirect unauthenticated requests to Cognito for login
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: "authenticate"
    # 3. OAuth scopes requested; the app client must allow the same scopes
    alb.ingress.kubernetes.io/auth-scope: "openid email"
    # 4. Session cookie the ALB sets after login, and its lifetime in seconds
    alb.ingress.kubernetes.io/auth-session-cookie: "AWSELBAuthSessionCookie"
    alb.ingress.kubernetes.io/auth-session-timeout: "3600"
    # 5. Cognito user pool, app client and Cognito domain (host only, no https://)
    alb.ingress.kubernetes.io/auth-idp-cognito: >-
      {"userPoolARN":"arn:aws:cognito-idp:ap-southeast-1:213123:userpool/ap-southeast-1_oji3g20ii",
      "userPoolClientID":"30gmdbk6ko771caq8h7iara0a2",
      "userPoolDomain":"ap-southeast-1oji3g20ii.auth.ap-southeast-1.amazoncognito.com"}
    alb.ingress.kubernetes.io/target-type: ip
    # Authentication requires HTTPS; plain HTTP is redirected to 443. A certificate
    # for the host must exist in ACM (discovered by hostname) or be given with
    # alb.ingress.kubernetes.io/certificate-arn
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
spec:
  ingressClassName: default-alb
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: phpmyadmin-service
                port:
                  number: 80
            path: /
            pathType: Prefix
How to get UserPoolArn: it is shown on the user pool's overview page. The user pool ID is the last path segment of the ARN (ap-southeast-1_oji3g20ii in this example); the region in the ARN, the prefix of the pool ID and the user pool domain must all refer to the same pool and region. An Issuer key is not one of the controller's documented Cognito fields (userPoolARN, userPoolClientID, userPoolDomain) and is ignored, so it is not needed in this annotation.

How to get UserPoolClientId: open the app client created in step 1 under the user pool's app clients; the client ID is shown there. That client must have a client secret, use the authorization code grant and allow the same scopes as auth-scope.

How to get UserPoolDomain: it is the Cognito domain of the user pool. Do not copy the whole URL; use only the host (ap-southeast-1oji3g20ii.auth.ap-southeast-1.amazoncognito.com here). The domain prefix alone is also accepted.
