# Requirements: # # - For this template, Cognito should have the following basic settings: # - User Pool ARN ( Cognito -> General Settings ) # `arn:aws:cognito-idp:::userpool/` # - User Pool Client ID ( Cognito -> App Integration -> Application Client Settings ) # `` # - Domain Name ( Cognito -> App Integration -> Domain Name) # `` # - OAuth Scopes ( Cognito -> App Integration -> Application Client Settings ) # `[x] openid` # - OAuth Flows ( Cognito -> App Integration -> Application Client Settings ) # `[x] Authorization code grant` # - Callback URL(s) ( Cognito -> App Integration -> Application Client Settings ) # `https://./oauth2/idpresponse` # # - Related Kubernetes service/application # apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: # app.example.com namespace: # default annotations: alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/tags: Environment=,Owner= # For each `listen-ports` object defined an ALB lister is created # For each listener created the rules defined in `spec` apply with some basic caveats # SSL redirect rule is applied only to the HTTP listener. Cognito authentication rule # is applied to the HTTPS listener alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' # Detailed redirect settings alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' # Authentication type must be cognito alb.ingress.kubernetes.io/auth-type: cognito # Required parameter for ALB/Cognito integration alb.ingress.kubernetes.io/auth-scope: openid # Session timeout on authentication credentials alb.ingress.kubernetes.io/auth-session-timeout: '3600' # Session cookie name alb.ingress.kubernetes.io/auth-session-cookie: AWSELBAuthSessionCookie # Action to take when a request is not authenticated alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate # Cognito parameters required for creation of authentication rules # The subdomain name only is sufficient for `UserPoolDomain` # e.g. if `FQDN=app.auth.ap-northeast-1.amazoncognito.com` then `UserPoolDomain=app` alb.ingress.kubernetes.io/auth-idp-cognito: '{"UserPoolArn": "arn:aws:cognito-idp:::userpool/","UserPoolClientId":"","UserPoolDomain":""}' # ACM certificate ARN for your TLS domain alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:::certificate/ spec: ingressClassName: alb rules: # If you are using ExternalDNS, this will become your application's FQDN - host: http: paths: # This first path should perform an ssl-redirect as below - path: / pathType: Prefix backend: service: name: ssl-redirect # Configured via the redirect settings in the annotations port: name: use-annotation - path: pathType: Prefix backend: service: name: port: number: