我有一个具有HTTP基本身份验证的服务。在它前面,我有nginx Ingress,他也有basic-auth。在使用Ingress登录后,如何在授权标头上附加凭证以实现单点登录?
这是我的Ingress的配置:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-realm: Authentication Required
nginx.ingress.kubernetes.io/auth-secret: kibana-user-basic-auth
nginx.ingress.kubernetes.io/auth-type: basic
name: kibana-user
namespace: {{.Release.Namespace}}
spec:
tls:
- secretName: kibana-tls
hosts:
- {{.Values.ingress.user.host}}
rules:
- host: {{.Values.ingress.user.host}}
http:
paths:
- backend:
serviceName: kibana-logging
servicePort: {{ .Values.kibana.service.internalPort }}
path: /
答案 0 :(得分:1)
您可以使用注释nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header Authorization $http_authorization;将Authorization标头转发到后端服务。
Ingress资源应如下所示
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-realm: Authentication Required
nginx.ingress.kubernetes.io/auth-secret: kibana-user-basic-auth
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header Authorization $http_authorization;"
name: kibana-user
namespace: {{.Release.Namespace}}
spec:
tls:
- secretName: kibana-tls
hosts:
- {{.Values.ingress.user.host}}
rules:
- host: {{.Values.ingress.user.host}}
http:
paths:
- backend:
serviceName: kibana-logging
servicePort: {{ .Values.kibana.service.internalPort }}
path: /
答案 1 :(得分:0)
我想您可以在nginx.ingress.kubernetes.io/auth-response-headers annotation内传播Authorization标头:
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
或者,您也可以通过configuration snippet中所述的here注解在目标入口位置内应用proxy_set_header来实现相同的方法:
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header Authorization "Basic base64 encode value";