Configured APISIX and Zitadel in a kind cluster with a single-node configuration (contr).
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: api6-zitadel
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 30080
    hostPort: 80
    protocol: TCP
  - containerPort: 30443
    hostPort: 443
    protocol: TCP
$ k get nodes
NAME                         STATUS   ROLES           AGE   VERSION
api6-zitadel-control-plane   Ready    control-plane   37m   v1.29.2
Note:- the hosts file was updated with 127.0.0.1 localhost apisix.localhost zitadel.localhost backend.localhost
Installed the APISIX ingress controller and APISIX routes for the APISIX dashboard and the Zitadel UI.
APISIX dashboard route:
# use v1beta1 if your Kubernetes cluster version is older than v1.19.0
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api6-dashboard-ingress
  namespace: ingress-apisix
spec:
  ingressClassName: apisix
  rules:
  - host: apisix.localhost
    http:
      paths:
      - backend:
          service:
            name: apisix-dashboard
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api6-zitadel-ingress
spec:
  ingressClassName: apisix
  rules:
  - host: zitadel.localhost
    http:
      paths:
      - backend:
          service:
            name: zitadel
            port:
              number: 80
        path: /
        pathType: Prefix
Note:- When configuring Zitadel, the ExternalDomain was set as zitadel.localhost.
With the above configuration, I am able to access both the Zitadel and APISIX UIs from the browser.
Created a simple nginx backend with an endpoint /greet. The configuration looks like below.
apiVersion: v1
kind: Namespace
metadata:
  name: backend-app
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: backend-nginx-config
  namespace: backend-app
data:
  nginx.conf: |
    worker_processes auto;
    error_log stderr notice;
    events {
      worker_connections 1024;
    }
    http {
      variables_hash_max_size 1024;
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log off;
      real_ip_header X-Real-IP;
      charset utf-8;
      server {
        listen 80;
        location /greet {
          default_type application/json;
          return 200 '{"status":"OK","message":"Greetings!! from server"}';
        }
        location /hello {
          default_type text/html;
          return 200 '<html><body><div>status: <b>OK</b></div><div>message:<b>Hello!! from server</b></div></body></html>';
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend-server
  namespace: backend-app
  labels:
    app: backend-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend-server
  template:
    metadata:
      labels:
        app: backend-server
    spec:
      volumes:
      - name: nginx-config
        configMap:
          name: backend-nginx-config
          items:
          - key: nginx.conf
            path: nginx.conf
      containers:
      - name: backend-server
        image: nginx
        ports:
        - containerPort: 80
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx
        resources:
          requests:
            memory: "128Mi"
            cpu: "250m"
          limits:
            memory: "256Mi"
            cpu: "500m"
---
apiVersion: v1
kind: Service
metadata:
  name: backend-svc
  namespace: backend-app
spec:
  selector:
    app: backend-server
  ports:
  - protocol: TCP
    port: 8081
    targetPort: 80
---
apisix pod adds this configuration and reports not able to connect.
{
  "uri": "/greet",
  "name": "backend-greet",
  "methods": ["GET"],
  "host": "backend.localhost",
  "plugins": {
    "openid-connect": {
      "_meta": {
        "disable": false
      },
      "bearer_only": false,
      "client_id": "***********",
      "client_secret": "****--******--*****",
      "discovery": "http://zitadel.localhost",
      "introspection_endpoint": "http://zitadel.localhost/oauth/v2/introspect",
      "realm": "master"
    }
  },
  "upstream": {
    "nodes": [
      {
        "host": "backend-svc.backend-app",
        "port": 8081,
        "weight": 10
      }
    ],
    "timeout": {
      "connect": 6,
      "send": 6,
      "read": 6
    },
    "type": "roundrobin",
    "scheme": "http",
    "pass_host": "pass",
    "keepalive_pool": {
      "idle_timeout": 60,
      "requests": 1000,
      "size": 320
    }
  }
}
Since Zitadel is configured with ExternalDomain as zitadel.localhost, when APISIX route configuration plugin discovery url is set to http://zitadel.localhost it was not accessible.
I tried to configure the service name http://zitadel.zitadel:80/, Zitadel redirects and says domain name didn't match.
As a work around, created a namespace as localhost and helm release name as zitadel, which made the service to be zitadel.localhost and that was able to provide a redirect_url.
Question :-
http://zitadel.localhost without making any work-around. Created an externalName type service to the zitadel.localhost to access from the laptop, but didn't work.
Upvotes: 0
Views: 118
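Added example (not part of the original post): an offline check of why the host name APISIX uses to reach the IdP has to be the same name the IdP advertises as its issuer, which the post sets through ExternalDomain. The discovery document below is constructed, its endpoint paths other than the introspection path from the post are assumed, and `check_discovery` is a hypothetical helper.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample of what an IdP with ExternalDomain zitadel.localhost would advertise.
SAMPLE_DOC = {
    "issuer": "http://zitadel.localhost",
    "authorization_endpoint": "http://zitadel.localhost/oauth/v2/authorize",
    "token_endpoint": "http://zitadel.localhost/oauth/v2/token",
    "introspection_endpoint": "http://zitadel.localhost/oauth/v2/introspect",
    "jwks_uri": "http://zitadel.localhost/oauth/v2/keys",
}

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

def check_discovery(discovery_url, doc):
    """Compare a discovery document with the URL a relying party uses to fetch it.

    Returns a list of findings; an empty list means both sides agree on names.
    """
    findings = []
    if not discovery_url.endswith(WELL_KNOWN):
        findings.append("discovery URL does not end in " + WELL_KNOWN)
    expected_issuer = discovery_url.removesuffix(WELL_KNOWN).rstrip("/")
    issuer = doc.get("issuer", "").rstrip("/")
    # OIDC Discovery requires the advertised issuer to equal the URL prefix used to fetch it.
    if origin(issuer) != origin(expected_issuer):
        findings.append(f"issuer {issuer!r} does not match fetch origin {expected_issuer!r}")
    # Endpoints on another origin would have to be resolvable separately from the gateway pod.
    for key in ("authorization_endpoint", "token_endpoint",
                "introspection_endpoint", "jwks_uri"):
        if key in doc and origin(doc[key]) != origin(issuer):
            findings.append(f"{key} is not served from the issuer origin")
    return findings

if __name__ == "__main__":
    for url in ("http://zitadel.localhost" + WELL_KNOWN,   # name the IdP advertises
                "http://zitadel.zitadel:80" + WELL_KNOWN,  # in-cluster service name
                "http://zitadel.localhost"):               # value used in the route
        print(url, "->", check_discovery(url, SAMPLE_DOC) or "consistent")
```

The check only compares names; whether the gateway pod can actually resolve and reach the issuer host is a separate DNS question inside the cluster.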