K8s -> nginx Ingress: SSO

Question description Votes: 3 Answers: 2

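I have a service with HTTP Basic Auth. In front of it I have an nginx Ingress, which also has basic authentication. How can I attach the Authorization header with the credentials after logging in through the Ingress, in order to achieve single sign-on?

Here is the configuration of my Ingress: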

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: kibana-user-basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  name: kibana-user
  namespace: {{.Release.Namespace}}
spec:
  tls:
  - secretName: kibana-tls
    hosts:
    - {{.Values.ingress.user.host}}
  rules:
  - host: {{.Values.ingress.user.host}}
    http:
      paths:
      - backend:
          serviceName: kibana-logging
          servicePort: {{ .Values.kibana.service.internalPort }}
        path: /
authentication kubernetes single-sign-on nginx-ingress
2 Answers
2
votes

You can use the annotation nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header Authorization $http_authorization; to forward the Authorization header to the backend service.

The Ingress resource should look like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: kibana-user-basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header Authorization $http_authorization;"
  name: kibana-user
  namespace: {{.Release.Namespace}}
spec:
  tls:
  - secretName: kibana-tls
    hosts:
    - {{.Values.ingress.user.host}}
  rules:
  - host: {{.Values.ingress.user.host}}
    http:
      paths:
      - backend:
          serviceName: kibana-logging
          servicePort: {{ .Values.kibana.service.internalPort }}
        path: /

0
votes

I think you can propagate the Authorization header in the nginx.ingress.kubernetes.io/auth-response-headers annotation:

nginx.ingress.kubernetes.io/auth-response-headers: Authorization

Alternatively, the same approach can be achieved by applying proxy_set_header through the configuration snippet annotation inside the target Ingress location, as described here:

annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_set_header Authorization "Basic base64 encode value";
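
An added example, not part of either answer: a Python check that scans manifest text for configuration-snippet annotations that set the Authorization header, and tells a forwarded client header ($http_authorization) apart from a static Basic credential stored in the Ingress object, reporting only the username. The function names and the sample credentials are constructed for illustration.

```python
import base64
import binascii
import re

# Matches: proxy_set_header Authorization <value>;  (value optionally quoted)
HEADER_RE = re.compile(
    r"proxy_set_header\s+Authorization\s+(?P<q>[\"']?)(?P<value>[^;]*?)(?P=q)\s*;",
    re.IGNORECASE,
)

def classify(value):
    """Classify one Authorization header value; never returns the password."""
    if "$" in value:
        # An nginx variable such as $http_authorization: per-request, client-supplied.
        return "forwarded", value
    m = re.fullmatch(r"Basic\s+(.+)", value, re.IGNORECASE)
    if not m:
        return "static-other", value.split(" ", 1)[0]
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "static-undecoded", "not valid base64 (placeholder?)"
    user, sep, _password = decoded.partition(":")
    if not sep:
        return "static-undecoded", "no user:password separator"
    # A real credential is embedded in the Ingress object: report the user only.
    return "static-basic", user

def scan(manifest_text):
    """Return (line_number, kind, detail) for each Authorization header set in a snippet."""
    findings = []
    for m in HEADER_RE.finditer(manifest_text):
        line_no = manifest_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, *classify(m.group("value").strip())))
    return findings

# Constructed sample input: the snippet forms from both answers, with made-up credentials.
_TOKEN = base64.b64encode(b"kibana:constructed-password").decode()
SAMPLE = f"""\
nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header Authorization $http_authorization;"
nginx.ingress.kubernetes.io/configuration-snippet: |
    proxy_set_header Authorization "Basic base64 encode value";
nginx.ingress.kubernetes.io/configuration-snippet: |
    proxy_set_header Authorization "Basic {_TOKEN}";
"""

if __name__ == "__main__":
    for line_no, kind, detail in scan(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

A static-basic finding means every user who passes the Ingress login reaches the backend as that one account, and the credential is readable by anyone who can read the Ingress object.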