K8S裏給nginx配置帶認證的http代理(示例:配置安全訪問kibana)

1、創建nginx配置文件nginx.conf

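# Minimal nginx.conf: an authenticating reverse proxy in front of Kibana.
#
# The directives that reference files under /etc/nginx/ stay commented out,
# presumably because this file is mounted over /etc/nginx/ from a ConfigMap,
# which hides the image's own mime.types and conf.d/ - confirm for your image.
#user  nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log warn;
#pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    #include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # $remote_user is the Basic-auth user name, so the access log shows which
    # account made each request.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
    #include /etc/nginx/conf.d/*.conf;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens  off;

    server {
        # NOTE(security): this is a plain-HTTP listener. Basic-auth credentials
        # are only base64-encoded, so they travel in clear text on every
        # request; terminate TLS in front of this server before exposing it
        # beyond a trusted network.
        listen       5601;
        server_name  localhost;

        location / {
            # Forward everything to the Kibana backend.
            # NOTE(security): the backend must be reachable only through this
            # proxy; any client that can reach 10.100.197.61:5601 directly
            # never sees the password prompt.
            proxy_pass  http://10.100.197.61:5601;

            # Require HTTP Basic authentication; "login" is the realm shown
            # in the browser prompt.
            auth_basic  "login";
            # Password file in htpasswd format.
            auth_basic_user_file  /etc/nginx-htpasswd/htpasswd;
        }

        # Serve the static error page for upstream/server errors. This
        # location sits outside "location /", so it is not password-protected.
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }
}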

2、創建configmap

# Store nginx.conf in a ConfigMap named kibana-nginx; the file name becomes
# the key, so it appears as "nginx.conf" wherever the ConfigMap is mounted.
kubectl create configmap kibana-nginx --from-file=nginx.conf

3、創建應用部署 kibana-nginx-deployment.yaml

我將nginx認證的密碼保存在ceph中,實際中此處可以比較靈活。

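# nginx reverse proxy that puts HTTP Basic authentication in front of Kibana.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana-nginx
  template:
    metadata:
      labels:
        app: kibana-nginx
    spec:
      containers:
        - name: kibana-nginx
          # NOTE(review): no tag or digest is given, so this resolves to
          # :latest and the running image can change on any re-pull. Pin a
          # tag or digest from your registry.
          image: 10.41.10.81:5000/nginx
          env:
            # presumably bumped by hand to change the pod template and force
            # a rollout after the ConfigMap is edited - confirm.
            - name: update
              value: "5"
          volumeMounts:
            # The ConfigMap is mounted over the whole /etc/nginx/ directory,
            # so only nginx.conf is visible there; the image's mime.types and
            # conf.d/ are hidden.
            - mountPath: "/etc/nginx/"
              name: conf
              readOnly: true
            # nginx only reads the password file, so the proxy container gets
            # no write access to it.
            - mountPath: "/etc/nginx-htpasswd/"
              name: htpasswd
              readOnly: true
          ports:
            - containerPort: 5601
      volumes:
        - name: conf
          configMap:
            name: kibana-nginx
        - name: htpasswd
          cephfs:
            # One monitor per entry, quoted so the host:port values are
            # always read as strings.
            monitors:
              - "10.41.10.81:6789"
              - "10.41.10.82:6789"
              - "10.41.10.83:6789"
            # Directory in CephFS that holds the htpasswd file.
            path: /kibana/
            # NOTE(review): this mounts with the Ceph "admin" identity, whose
            # key is held in ceph-secret. A dedicated Ceph client restricted
            # to this path would limit what a leaked key can reach.
            user: admin
            # Read-only: the password file is written outside this pod.
            readOnly: true
            secretRef:
              name: ceph-secret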

生效:kubectl apply -f kibana-nginx-deployment.yaml

4、創建密碼文件

## If the server has no htpasswd command, install it first
## (on RHEL/CentOS the httpd-tools package alone provides it).
# yum install httpd
# Create the password file "htpasswd" with the user "admin"; the password is
# prompted for twice.
#   -c  creates the file and overwrites an existing one, so leave it out
#       when adding further users later.
#   -m  stores the password as an MD5 (apr1) hash.
# nginx reads the file as /etc/nginx-htpasswd/htpasswd, so it has to end up
# in the CephFS directory /kibana/ under the name "htpasswd".
htpasswd -c -m htpasswd admin

5、創建服務,使之能夠被訪問 kibana-nginx-svc.yaml

# Exposes the authenticating nginx proxy (pods labelled app=kibana-nginx).
apiVersion: v1
kind: Service
metadata:
  name: kibana-nginx-svc
spec:
  # NOTE(review): NodePort also opens an auto-assigned port on every node, in
  # addition to the external IP below. If 10.41.10.60:5601 is the only
  # intended entry point, that extra exposure is worth reviewing.
  type: NodePort
  selector:
    app: kibana-nginx
  ports:
    - port: 5601
      targetPort: 5601
  # Traffic arriving at this address on port 5601 is routed to the service.
  # The listener behind it is plain HTTP, so Basic-auth credentials cross
  # this network unencrypted.
  externalIPs:
    - 10.41.10.60

這一步之後,便可以訪問10.41.10.60:5601,此時被代理的http服務需要輸入用戶名與密碼才能訪問。注意:基本認證的用戶名與密碼只經過base64編碼,而這裏走的是明文http,若要在不可信網絡上使用,應在前面加上TLS。
完工!!!
