|
本文档采用自动化机器翻译技术翻译。 尽管我们力求提供准确的译文,但不对翻译内容的完整性、准确性或可靠性作出任何保证。 若出现任何内容不一致情况,请以原始 英文 版本为准,且原始英文版本为权威文本。 |
|
这是尚未发布的文档。 SUSE® Storage 1.12 (Dev). |
创建带基本认证的 Ingress(nginx)
|
截至2025年11月,Kubernetes项目已宣布停止使用 ingress-nginx 控制器。有关详细信息, 请参阅官方公告。 推荐的替代方案:
|
如果您在 Kubernetes 集群上使用 kubectl 或 Helm 安装 SUSE Storage,则需要创建一个 Ingress,以允许外部流量访问 SUSE Storage UI。
默认情况下,kubectl 和 Helm 安装未启用认证。在这些步骤中,您将学习如何使用注释为 nginx ingress 控制器创建带基本认证的 Ingress。
-
创建基本认证文件
auth。生成的文件必须命名为 auth(实际上 - 该密钥必须为data.auth),否则 Ingress 将返回 503。$ USER=<USERNAME_HERE>; PASSWORD=<PASSWORD_HERE>; echo "${USER}:$(openssl passwd -stdin -apr1 <<< ${PASSWORD})" >> auth -
创建一个 Secret:
$ kubectl -n longhorn-system create secret generic basic-auth --from-file=auth -
创建 Ingress 清单
longhorn-ingress.yml:自 v1.2.0 起,SUSE Storage 支持从 UI 上传后端镜像,因此请按如下所示指定
nginx.ingress.kubernetes.io/proxy-body-size: 10000m以确保上传镜像按预期工作。apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: longhorn-ingress namespace: longhorn-system annotations: # type of authentication nginx.ingress.kubernetes.io/auth-type: basic # prevent the controller from redirecting (308) to HTTPS nginx.ingress.kubernetes.io/ssl-redirect: 'false' # name of the secret that contains the user/password definitions nginx.ingress.kubernetes.io/auth-secret: basic-auth # message to display with an appropriate context why the authentication is required nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required ' # custom max body size for file uploading like backing image uploading nginx.ingress.kubernetes.io/proxy-body-size: 10000m spec: ingressClassName: nginx rules: - http: paths: - pathType: Prefix path: "/" backend: service: name: longhorn-frontend port: number: 80 -
创建 Ingress:
$ kubectl -n longhorn-system apply -f longhorn-ingress.yml
例如:
$ USER=foo; PASSWORD=bar; echo "$\{USER}:$(openssl passwd -stdin -apr1 <<< $\{PASSWORD})" >> auth
$ cat auth
foo:$apr1$FnyKCYKb$6IP2C45fZxMcoLwkOwf7k0
$ kubectl -n longhorn-system create secret generic basic-auth --from-file=auth
secret/basic-auth created
$ kubectl -n longhorn-system get secret basic-auth -o yaml
apiVersion: v1
data:
auth: Zm9vOiRhcHIxJEZueUtDWUtiJDZJUDJDNDVmWnhNY29Md2tPd2Y3azAK
kind: Secret
metadata:
creationTimestamp: "2020-05-29T10:10:16Z"
name: basic-auth
namespace: longhorn-system
resourceVersion: "2168509"
selfLink: /api/v1/namespaces/longhorn-system/secrets/basic-auth
uid: 9f66233f-b12f-4204-9c9d-5bcaca794bb7
type: Opaque
$ echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-ingress
namespace: longhorn-system
annotations:
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# prevent the controller from redirecting (308) to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: 'false'
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
spec:
rules:
* http:
paths:
** pathType: Prefix
path: "/"
backend:
service:
name: longhorn-frontend
port:
number: 80
" | kubectl -n longhorn-system create -f -
ingress.networking.k8s.io/longhorn-ingress created
$ kubectl -n longhorn-system get ingress
NAME HOSTS ADDRESS PORTS AGE
longhorn-ingress * 45.79.165.114,66.228.45.37,97.107.142.125 80 2m7s
$ curl -v http://97.107.142.125/
* Trying 97.107.142.125...
* TCP_NODELAY set
* Connected to 97.107.142.125 (97.107.142.125) port 80 (#0)
+
____
GET / HTTP/1.1
Host: 97.107.142.125
User-Agent: curl/7.64.1
Accept: _/_
< HTTP/1.1 401 Unauthorized
< Server: openresty/1.15.8.1
< Date: Fri, 29 May 2020 11:47:33 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Authentication Required"
<