Kubernetes集群——（k8s）ingress+加密认证+地址重写

一、ingress的认证
参考官网信息
https://kubernetes.github.io/ingress-nginx/examples/auth/basic/

首先安装工具，生成一个基于Basic认证的用户和密码
[root@server2 ~]# yum install -y httpd-tools

注意：第一次创建用户需要使用-c参数，当文件中含有其他用户时，不要使用-c参数，否则会覆盖之前的信息

htpasswd生成的文件的秘钥在Ingress规则中添加身份验证。生成的文件必须命名为auth（实际上，这个秘钥有一个key： data.auth），否则入口控制器将返回一个503。

认证信息导入文件
[root@server2 ~]# kubectl create secret generic basic-auth --from-file=auth
secret/basic-auth created
[root@server2 ~]# kubectl get secrets   查看
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      13s
default-token-754fk   kubernetes.io/service-account-token   3      27h
tls-secret            kubernetes.io/tls                     2      3h58m

[root@server2 ~]# kubectl describe secrets basic-auth   查看
Name:         basic-auth
Namespace:    default
Labels:       
Annotations:  

Type:  Opaque

Data
====
auth:  41 bytes  认证信息已经添加完成

查看详细信息输出成yaml文件
[root@server2 ~]# kubectl get secret basic-auth -o yaml
apiVersion: v1
data:
  auth: d2M6JGFwcjEkcERtaWpJQ1EkVjR6WVBDczlxakRvYlkvMVNjbFA0Lgo=
kind: Secret
metadata:
  creationTimestamp: "2020-07-01T22:12:53Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:auth: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-07-01T22:12:53Z"
  name: basic-auth
  namespace: default
  resourceVersion: "129787"
  selfLink: /api/v1/namespaces/default/secrets/basic-auth
  uid: 46d42acc-0d41-4395-8064-8181550ef327
type: Opaque

参考官网文档编辑secret.yaml文件

vim secret.yaml
 apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic  认证类型
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth  认证secret
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - wc'  终端显示
spec:
  rules:
  - host: www1.westos.org   针对的主机域名
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80

要清除之前的实验操作

[root@server2 ~]# kubectl apply -f secret.yaml 
ingress.networking.k8s.io/ingress-with-auth created
[root@server2 ~]# kubectl get ingress
NAME                 CLASS    HOSTS             ADDRESS        PORTS     AGE
ingress-with-auth       www1.westos.org   172.25.254.3   80        2m25s

默认认证之后是强制加密访问：https

自定义加密访问：前面已经完后成了认证文件的生成，接下来结合在一起使用。

[root@server2 ~]# vim secret.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - wc'
spec:
  tls:  指定加密认证查看之前tls.yal文件
    - hosts:
      - www1.westos.org
      secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80

[root@server2 ~]# kubectl delete -f secret.yaml
[root@server2 ~]# kubectl apply -f secret.yaml 

设置session会话保持

[root@server2 ~]# vim secret.yaml 

二、地址重写
前面访问的www1.westos.org的时候，没有直接跳转到pod容器，如下图所示

实现自动跳转到访问pod容器

参考官网

[root@server2 ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1               443/TCP        29h
myservice    NodePort    10.96.85.103            80:31853/TCP   49m
myservice2   NodePort    10.100.14.113           80:32313/TCP   49m
[root@server2 ~]# vim rewrite.yaml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/app-root: /hostname.html  指定跳转地址
  name: approot
  namespace: default
spec:
  rules:
  - host: www2.westos.org  指定域名
    http:
      paths:
      - backend:
          serviceName: myservice2  指定service
          servicePort: 80
        path: /
[root@server2 ~]# kubectl apply -f rewrite.yaml 
ingress.networking.k8s.io/approot created

2.2annotations参数

2.2.1重定向流量的目标URI：nginx.ingress.kubernetes.io/rewrite-target:

vim rewrite.yaml 

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: approot
  namespace: default
spec:
  rules:
  - host: rewrite.westos.org
    http:
      paths:
      - backend:
          serviceName: myservice
          servicePort: 80
        path: /v1
      - backend:
          serviceName: myservice2
          servicePort: 80
        path: /v2

当访问rewrite.westos.org时需要重定向到v1/v2当前是没有v1/v2的



2.2.2使用重写注释创建一个Ingress规则
以$1，$2...$n的形式保存在编号占位符中。这些占位符可以在重写目标注释中用作参数

捕获的任何字符（.*）将被分配到占位符$2，然后在rewrite-target注释中用作一个参数
vim rewrite.yaml 

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2 
  name: approot
  namespace: default
spec:
  rules:
  - host: rewrite.westos.org
    http:
      paths:
      - backend:
          serviceName: myservice
          servicePort: 80
        path: /redhat(/|$)(.*)

访问流程：用户访问ingress-Nginx（反向代理）——svc（service：myservice）——pod