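---
# Requirements:
#
# - For this template, Cognito should have the following basic settings
#   (angle-bracketed values are placeholders to be filled in):
#   - User Pool ARN ( Cognito -> General Settings )
#     `arn:aws:cognito-idp:<REGION>:<ACCOUNT_ID>:userpool/<USER_POOL_ID>`
#   - User Pool Client ID ( Cognito -> App Integration -> Application Client Settings )
#     `<USER_POOL_CLIENT_ID>`
#   - Domain Name ( Cognito -> App Integration -> Domain Name )
#     `<USER_POOL_DOMAIN>`
#   - OAuth Scopes ( Cognito -> App Integration -> Application Client Settings )
#     `[x] openid`
#   - OAuth Flows ( Cognito -> App Integration -> Application Client Settings )
#     `[x] Authorization code grant`
#   - Callback URL(s) ( Cognito -> App Integration -> Application Client Settings )
#     `https://<APP_FQDN>/oauth2/idpresponse`
#     (this must match the `host` below exactly; Cognito rejects the
#     authorization-code exchange for any callback URL not on its allow list)
#
# - Related Kubernetes service/application
#
# NOTE: `extensions/v1beta1` Ingress is deprecated and no longer served on
# Kubernetes 1.22+; migrating to `networking.k8s.io/v1` also changes the
# `backend` layout (`service.name` / `service.port.name`) used below.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name:  # app.example.com
  namespace:  # default
  annotations:
    kubernetes.io/ingress.class: alb
    # `internet-facing` gives the ALB a public address; every request on the
    # HTTPS listener is still gated by the Cognito rule below. Use `internal`
    # when the application does not need to be reachable from the internet.
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/tags: Environment=,Owner=
    # For each `listen-ports` object defined an ALB listener is created.
    # For each listener created the rules defined in `spec` apply with some basic caveats:
    #   SSL redirect rule is applied only to the HTTP listener.
    #   Cognito authentication rule is applied to the HTTPS listener.
    # Consequently the HTTP listener never authenticates anything; it must only
    # ever redirect, which is why the `/*` redirect path is listed first below.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    # Detailed redirect settings (permanent redirect to the HTTPS listener)
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    # Authentication type must be cognito
    alb.ingress.kubernetes.io/auth-type: cognito
    # Required parameter for ALB/Cognito integration
    alb.ingress.kubernetes.io/auth-scope: openid
    # Session timeout on authentication credentials, in seconds (3600 = 1 hour).
    # A shorter value limits how long a captured session cookie stays usable.
    alb.ingress.kubernetes.io/auth-session-timeout: '3600'
    # Session cookie name
    alb.ingress.kubernetes.io/auth-session-cookie: AWSELBAuthSessionCookie
    # Action to take when a request is not authenticated.
    # `authenticate` redirects the client to Cognito; keep it at this value
    # unless the application performs its own authentication.
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
    # Cognito parameters required for creation of authentication rules.
    # Fill in UserPoolArn as arn:aws:cognito-idp:<REGION>:<ACCOUNT_ID>:userpool/<USER_POOL_ID>.
    # The subdomain name only is sufficient for `UserPoolDomain`
    # e.g. if `FQDN=app.auth.ap-northeast-1.amazoncognito.com` then `UserPoolDomain=app`
    alb.ingress.kubernetes.io/auth-idp-cognito: '{"UserPoolArn": "arn:aws:cognito-idp:::userpool/","UserPoolClientId":"","UserPoolDomain":""}'
    # ACM certificate ARN for your SSL domain (arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<CERT_ID>);
    # the HTTPS listener cannot be created without it
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:::certificate/
spec:
  rules:
    # If you are using ExternalDNS, this will become your applications FQDN
    - host:
      http:
        paths:
          # This first path should perform an ssl-redirect as below.
          # Rule order matters: it must precede the application path so that
          # plaintext HTTP requests are redirected instead of being served.
          - path: /*
            backend:
              serviceName: ssl-redirect  # Configured via the redirect settings in the annotations
              servicePort: use-annotation
          # The application path; fill in path, service name and service port
          - path:
            backend:
              serviceName:
              servicePort: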