具有基本身份验证的 Nginx-ingress Kubernetes 路由

Question

我无法在其中一条路径上设置基本身份验证。我希望/auth 路径由基本身份验证保护，所有其他路径都不需要基本身份验证。所以我创建了两个指向同一个后端的入口文件：

非身份验证入口：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /.*
            backend:
              serviceName: example-service
              servicePort: 4000

认证入口：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: example-service
              servicePort: 4000

所有秘密都设置正确。 我缺少什么以及如何使其发挥作用？

Answer 1

尝试为后端创建另一个需要身份验证的服务：

1. main-ingress 包含不需要通过 nginx 进行身份验证的服务的规范，例如。 example-service。
2. auth-ingress 包含需要通过 nginx 进行身份验证（在我的情况下是基本的）的服务的规范，例如。身份验证服务。

您的auth-ingress 应如下所示：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: auth-service
              servicePort: <auth-service-port>

您也可以尝试在第一个入口尝试拒绝main-ingress 中的/auth 路径的流量。

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/configuration-snippet: |
    
      location /auth {

           deny all;  
      }
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /.*
            backend:
              serviceName: example-service
              servicePort: 4000

看一下：ingress-nginx-issues、kubernetes-ingress-network-deny-some-paths、kubernetes-ingress-nginx-re-write-does-not-match。