Nginx ingress controller setup
How does one use nginx to solve the cross-origin problem of basic auth in k8s traefik ?, Nginxk8s
Purpose
Nginx ingress controller
Currently, k8s ingress is used in combination with traefik. At this time, you need to add a basic auth Security Authentication for a domain name. The original traefik can also be configured normally (many production environments already use traefik basic auth ), however, because the domain name here needs to be called in other web domains and involves cross-domain issues, refer to the traefik documentation for the Cross-Domain issues related to basic auth that are not found in k8s. Later, I analyzed the basic auth in nginx and finally solved this problem using nginx + ingress + traefik.
Procedure
Generate the basic auth User Password File
Ingress nginx kubernetes
htpasswd -bc ngauth username password
Configure k8s configMap of nginx: nginx ingress controller kubernetes
kind: ConfigMapapiVersion: v1metadata: name: nginx-conf namespace: kube-appsdata: nginx.conf: | user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; upstream monitors { server monitoring-system-service.kube-apps:8080; } server { listen 80; auth_basic "closed site"; auth_basic_user_file ngauth; location / { if ($request_method = OPTIONS ) { add_header Access-Control-Allow-Origin "null"; # <- needs to be updated add_header Access-Control-Allow-Methods "GET, OPTIONS"; add_header Access-Control-Allow-Headers "Authorization"; # <- You may not need this...it's for Basic Auth add_header Access-Control-Allow-Credentials "true"; # <- Basic Auth stuff, again add_header Content-Length 0; add_header Content-Type text/plain; return 200; } proxy_pass https://monitors; } } } ngauth: | username:password
Note: Replace the username and password in ngauth with the username and password used to generate the file in step 1.
3. We recommend that you use docker for local debugging. If there is no problem, you can proceed to the next step and deploy it to k8s.
docker run --name nginx-container -v /home/user/nginx/:/etc/nginx/nginx.conf:ro -d nginx:1.12.2
Deploy to k8s
Nginx. yaml is as follows: kubernetes ingress nginx master
apiVersion: v1kind: Servicemetadata: name: nginx labels: app: nginx namespace: kube-appsspec: type: NodePort selector: app: nginx ports: - name: http port: 80 targetPort: 80---apiVersion: extensions/v1beta1kind: Deploymentmetadata: name: nginx namespace: kube-apps labels: addonmanager.kubernetes.io/mode: Reconcilespec: template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.12.2 ports: - containerPort: 80 volumeMounts: - name: config-volume mountPath: /etc/nginx/ volumes: - name: config-volume configMap: name: nginx-conf items: - key: nginx.conf path: nginx.conf - key: ngauth path: ngauth
Run:
$ kubectl create -f configMap.yaml $ kubectl create -f nginx.yaml
Configure traefik to point to the nginx service address.