K8S里给nginx配置带认证的http代理(示例:配置安全访问kibana)

1、创建nginx配置文件 nginx.conf

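# nginx.conf for a small reverse proxy that puts HTTP Basic authentication in
# front of Kibana. The stock include lines are left commented out, so this
# file is self-contained.

#user  nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log warn;
#pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    #include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # $remote_user records the Basic-auth user name, so access.log shows who
    # reached Kibana; runs of 401 responses from one address are the signal to
    # watch for password guessing.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
    #include /etc/nginx/conf.d/*.conf;

    server {
        # NOTE(review): this listener is plain HTTP. Basic authentication
        # sends the user name and password base64-encoded on every request,
        # so terminate TLS here or in front of this proxy before exposing it
        # beyond a trusted network.
        listen       5601;
        server_name  localhost;

        #charset koi8-r;
        #access_log  /var/log/nginx/host.access.log  main;

        # Basic authentication is declared at server level so that every
        # location, including any added later, is protected by default.
        auth_basic "login";
        # Password file; the path must match where the htpasswd file is mounted.
        auth_basic_user_file /etc/nginx-htpasswd/htpasswd;

        location / {
            # Forward authenticated requests to Kibana.
            # NOTE(review): the upstream address stays directly reachable by
            # anything that can route to it, which bypasses this login;
            # restrict it (for example with a NetworkPolicy) - confirm against
            # the cluster setup.
            proxy_pass http://10.100.197.61:5601;
            # Do not hand the proxy's Basic-auth credentials to the upstream.
            # Remove this line if the upstream authenticates from this header.
            proxy_set_header Authorization "";
            #root   /usr/share/nginx/html;
            #index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
}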

2、创建configmap

# Store nginx.conf in a ConfigMap named kibana-nginx; the file name becomes
# the key inside the ConfigMap.
kubectl create configmap kibana-nginx --from-file=nginx.conf

3、创建应用部署 kibana-nginx-deployment.yaml

我将nginx认证的密码文件保存在CephFS中;实际使用时也可以换成其他存储方式(例如Kubernetes Secret)。

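---
# Deployment for the nginx reverse proxy that puts Basic authentication in
# front of Kibana. nginx only reads its configuration and the password file,
# so both volumes are mounted read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana-nginx
  template:
    metadata:
      labels:
        app: kibana-nginx
    spec:
      containers:
        - name: kibana-nginx
          # NOTE(review): no tag or digest is given, so whatever the registry
          # serves as "latest" is pulled; pin a tag or digest.
          image: 10.41.10.81:5000/nginx
          env:
            # presumably a dummy value that is bumped to force a new rollout
            # after the ConfigMap changes - confirm
            - name: update
              value: "5"
          volumeMounts:
            # Mounted over the whole /etc/nginx/ directory, so the image's own
            # files there are hidden and only nginx.conf is present.
            - mountPath: "/etc/nginx/"
              name: conf
              readOnly: true
            # Directory holding the htpasswd file named in nginx.conf.
            - mountPath: "/etc/nginx-htpasswd/"
              name: htpasswd
              readOnly: true
          ports:
            - containerPort: 5601
      volumes:
        - name: conf
          configMap:
            name: kibana-nginx
        - name: htpasswd
          cephfs:
            # One monitor per list item.
            monitors:
              - "10.41.10.81:6789"
              - "10.41.10.82:6789"
              - "10.41.10.83:6789"
            path: /kibana/
            # NOTE(review): "admin" is typically the Ceph superuser; a client
            # limited to this path would be the least-privilege choice -
            # confirm what ceph-secret holds.
            user: admin
            # Read-only: the htpasswd file has to be written into the CephFS
            # path from elsewhere, not through this pod.
            readOnly: true
            secretRef:
              name: ceph-secret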

生效:kubectl apply -f kibana-nginx-deployment.yaml

4、创建密码文件

# Install the htpasswd command first if the server does not have it
# (on RHEL-family systems the smaller httpd-tools package also provides it):
# yum install httpd
#
# Arguments: "htpasswd" is the output file name and "admin" the user name;
# the password is then prompted for twice.
#   -c  create the file (an existing file of that name is overwritten)
#   -m  store the password as an MD5 (apr1) hash
# NOTE(review): the page does not show how the file reaches the CephFS path
# /kibana/; it has to end up there so that nginx finds it at
# /etc/nginx-htpasswd/htpasswd.
htpasswd -c -m htpasswd admin

5、创建服务,使之能够被访问 kibana-nginx-svc.yaml

---
# Service that exposes the kibana-nginx pods on TCP 5601.
apiVersion: v1
kind: Service
metadata:
  name: kibana-nginx-svc
spec:
  # NodePort opens an additional port on every node, on top of the external
  # IP below; both paths end at the same authenticated proxy.
  # NOTE(review): if only the external IP is meant to be used, ClusterIP would
  # avoid the extra listener - confirm before changing.
  type: NodePort
  selector:
    app: kibana-nginx
  # Address on which the Service is reachable from outside the cluster.
  externalIPs:
    - "10.41.10.60"
  ports:
    - port: 5601
      targetPort: 5601

这一步之后,便可以访问10.41.10.60:5601,此时访问被代理的Kibana需要先输入用户名与密码。注意这里是明文HTTP,Basic认证的用户名和密码只做了base64编码,生产环境应在nginx或其前端启用TLS。
完工!!!
