⚠️ I am an OpenShift n00b.
For a project I am working on, I am trying to password-protect a Node application behind a proxy.
This is the template I am using:
apiVersion: v1
kind: Template
metadata:
  name: next.js app config
parameters:
  - name: CLIENT
    description: The name of the client owning the project
    required: true
  - name: PROJECT
    description: The project name
    required: true
  - name: PART
    description: The part of the project (i.e. cockpit, app, mobile, server, …)
    required: true
  - name: PROJECT_NAME
    description: The name of the ******* project to add the project to
    required: true
  - name: IMAGE_NAME
    description: The name of the image on the ******* registery
    required: true
  - name: HOSTNAME
    description: The hostname on which the project should be deployed to
    required: true
  - name: DEPLOY_PATH
    description: The path to which the project should be deployed to
    value: ""
  - name: ENVIRONMENT
    description: The environment of this project version
    value: staging
  - name: PORT
    description: The port on which the container will run
    value: "3000"
objects:
  - apiVersion: v1
    kind: DeploymentConfig
    metadata:
      name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
      labels:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        environment: ${ENVIRONMENT}
    spec:
      replicas: 1
      revisionHistoryLimit: 3
      selector:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
      strategy:
        activeDeadlineSeconds: 21600
        resources: {}
        rollingParams:
          intervalSeconds: 1
          maxSurge: 25%
          maxUnavailable: 25%
          timeoutSeconds: 600
          updatePeriodSeconds: 1
        type: Rolling
      template:
        metadata:
          labels:
            app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            customer: ${CLIENT}
            environment: ${ENVIRONMENT}
            deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        spec:
          containers:
            - env:
              image: >-
                docker-registry.default.svc:5000/${PROJECT_NAME}/${IMAGE_NAME}
              imagePullPolicy: IfNotPresent
              name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
              ports:
                - containerPort: ${{PORT}}
                  protocol: TCP
              resources:
                limits:
                  cpu: 100m
                  memory: 128Mi
                requests:
                  cpu: 50m
                  memory: 64Mi
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
            - env:
                - name: BASIC_AUTH_USERNAME
                  value: admin
                - name: BASIC_AUTH_PASSWORD
                  value: password
                - name: FORWARD_PORT
                  value: ${PORT}
                - name: FORWARD_HOST
                  value: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.********
              image: xscys/nginx-sidecar-basic-auth
              imagePullPolicy: Always
              name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-proxy
              ports:
                - containerPort: 8000
                  protocol: TCP
              resources:
                limits:
                  cpu: 100m
                  memory: 128Mi
                requests:
                  cpu: 50m
                  memory: 64Mi
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          securityContext: {}
          terminationGracePeriodSeconds: 30
      test: false
      triggers:
        - imageChangeParams:
            containerNames:
              - ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            from:
              kind: ImageStreamTag
              name: ${IMAGE_NAME}
              namespace: ${PROJECT_NAME}
          type: ImageChange
  - apiVersion: v1
    kind: Service
    metadata:
      name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-SERVICE
      labels:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        environment: ${ENVIRONMENT}
    spec:
      ports:
        - name: 8000-tcp
          port: {8000}
          protocol: TCP
          targetPort: 8000
      selector:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
      sessionAffinity: None
      type: ClusterIP
  - apiVersion: v1
    kind: Route
    metadata:
      name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-ROUTE
      labels:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        environment: ${ENVIRONMENT}
      annotations:
        kubernetes.io/tls-acme: "true"
    spec:
      host: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.***********
      path: "/"
      port:
        port: 8000
        protocol: TCP
        targetPort: 8000
      to:
        kind: Service
        name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-SERVICE
        weight: 100
      wildcardPolicy: None
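I am using this Docker image, xsc/nginx-sidecar-basic-auth, which uses Nginx as a proxy and builds on top of it.
I don't know what I am doing wrong here (maybe the routing), but the main route always redirects me directly to the Node application instead of the proxy.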
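Answer 0 (score: 0)
port: {8000}
looks incorrect. Why the curly braces?
Otherwise, the request goes into a loop, because the proxy forwards the request to the Route, and the Route sends it through the Service to the proxy again and again. The reason is that
- name: FORWARD_HOST
  value: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.********
points to the Route's host:
host: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.***********
(assuming that the masking in both cases hides the same host)
I suggest setting
- name: FORWARD_HOST
  value: localhost
so that the proxy forwards requests to the application in the container in the same pod.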
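
The two problems raised in the answer, written as a check over the template's objects after parameter substitution (an added example, not part of the original post or of the sidecar image's documentation). The hostname, object names and the `make_objects` and `check_sidecar` helpers are constructed for illustration; the check goes slightly beyond the answer by also flagging a Service that targets the app port and so skips the auth proxy.

```python
# Constructed sample: the question's objects after parameter substitution.
# Hostname and names are placeholders, not values from the page.
HOST = "acme-shop-staging-app.apps.example.test"
APP, PROXY = "acme-shop-staging-app", "acme-shop-staging-app-proxy"

def make_objects(forward_host):
    return [
        {"kind": "DeploymentConfig", "spec": {"template": {"spec": {"containers": [
            {"name": APP, "env": None, "ports": [{"containerPort": 3000}]},
            {"name": PROXY, "ports": [{"containerPort": 8000}],
             "env": [{"name": "FORWARD_HOST", "value": forward_host},
                     {"name": "FORWARD_PORT", "value": "3000"}]}]}}}},
        {"kind": "Service", "spec": {"ports": [{"port": 8000, "targetPort": 8000}]}},
        {"kind": "Route", "spec": {"host": HOST}},
    ]

def check_sidecar(objects, proxy_name):
    """Return a list of findings for the basic-auth sidecar wiring."""
    findings = []
    route_hosts = {o["spec"]["host"] for o in objects if o["kind"] == "Route"}
    containers = [c for o in objects if o["kind"] == "DeploymentConfig"
                  for c in o["spec"]["template"]["spec"]["containers"]]
    proxy = next(c for c in containers if c["name"] == proxy_name)
    env = {e["name"]: e.get("value") for e in proxy.get("env") or []}
    proxy_ports = {p["containerPort"] for p in proxy["ports"]}
    app_ports = {p["containerPort"] for c in containers if c is not proxy
                 for p in c.get("ports", [])}
    # Loop: proxy -> Route host -> Service -> proxy -> ...
    if env.get("FORWARD_HOST") in route_hosts:
        findings.append("forward-loop")
    # The proxy has to hand requests to a port the app listens on in the pod.
    if int(env.get("FORWARD_PORT") or 0) not in app_ports:
        findings.append("forward-port-mismatch")
    for svc in (o for o in objects if o["kind"] == "Service"):
        for p in svc["spec"]["ports"]:
            # `port: {8000}` is a YAML mapping, not the integer a Service needs.
            if not isinstance(p.get("port"), int):
                findings.append("service-port-not-integer")
            # A Service that targets the app port bypasses the auth proxy.
            if p.get("targetPort") in app_ports - proxy_ports:
                findings.append("service-bypasses-proxy")
    return findings
```
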