Password-protecting an application

Time: 2020-02-19 08:37:41

Tags: openshift openshift-enterprise

⚠️ I'm an OpenShift n00b.

For a project I'm working on, I'm trying to password-protect a Node app behind a proxy.

[image: schema]

Here is the template I'm using:

apiVersion: v1
kind: Template
metadata:
  name: nextjs-app-config
parameters:
  - name: CLIENT
    description: The name of the client owning the project
    required: true
  - name: PROJECT
    description: The project name
    required: true
  - name: PART
    description: The part of the project (i.e. cockpit, app, mobile, server, …)
    required: true
  - name: PROJECT_NAME
    description: The name of the ******* project to add the project to
    required: true
  - name: IMAGE_NAME
    description: The name of the image on the ******* registry
    required: true
  - name: HOSTNAME
    description: The hostname on which the project should be deployed to
    required: true
  - name: DEPLOY_PATH
    description: The path to which the project should be deployed to
    value: ""
  - name: ENVIRONMENT
    description: The environment of this project version
    value: staging
  - name: PORT
    description: The port on which the container will run
    value: "3000"
objects:
  - apiVersion: v1
    kind: DeploymentConfig
    metadata:
      name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
      labels:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        environment: ${ENVIRONMENT}
    spec:
      replicas: 1
      revisionHistoryLimit: 3
      selector:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
      strategy:
        activeDeadlineSeconds: 21600
        resources: {}
        rollingParams:
          intervalSeconds: 1
          maxSurge: 25%
          maxUnavailable: 25%
          timeoutSeconds: 600
          updatePeriodSeconds: 1
        type: Rolling
      template:
        metadata:
          labels:
            app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            customer: ${CLIENT}
            environment: ${ENVIRONMENT}
            deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        spec:
          containers:
            - env:
              image: >-
                docker-registry.default.svc:5000/${PROJECT_NAME}/${IMAGE_NAME}
              imagePullPolicy: IfNotPresent
              name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
              ports:
                - containerPort: ${{PORT}}
                  protocol: TCP
              resources:
                limits:
                  cpu: 100m
                  memory: 128Mi
                requests:
                  cpu: 50m
                  memory: 64Mi
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
            - env:
                - name: BASIC_AUTH_USERNAME
                  value: admin
                - name: BASIC_AUTH_PASSWORD
                  value: password
                - name: FORWARD_PORT
                  value: ${PORT}
                - name: FORWARD_HOST
                  value: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.********
              image: xscys/nginx-sidecar-basic-auth
              imagePullPolicy: Always
              name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-proxy
              ports:
                - containerPort: 8000
                  protocol: TCP
              resources:
                limits:
                  cpu: 100m
                  memory: 128Mi
                requests:
                  cpu: 50m
                  memory: 64Mi
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          securityContext: {}
          terminationGracePeriodSeconds: 30
      test: false
      triggers:
        - imageChangeParams:
            containerNames:
              - ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            from:
              kind: ImageStreamTag
              name: ${IMAGE_NAME}
              namespace: ${PROJECT_NAME}
          type: ImageChange
  - apiVersion: v1
    kind: Service
    metadata:
      # Service names are DNS labels and must be lower case
      name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-service
      labels:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        environment: ${ENVIRONMENT}
    spec:
      ports:
        - name: 8000-tcp
          port: {8000}
          protocol: TCP
          targetPort: 8000
      selector:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
      sessionAffinity: None
      type: ClusterIP
  - apiVersion: v1
    kind: Route
    metadata:
      name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-route
      labels:
        app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
        customer: ${CLIENT}
        environment: ${ENVIRONMENT}
      annotations:
        kubernetes.io/tls-acme: "true"
    spec:
      host: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.***********
      path: "/"
      port:
        # a Route port only carries targetPort (the Service port name or number)
        targetPort: 8000
      to:
        kind: Service
        name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-service
        weight: 100
      wildcardPolicy: None

I'm using this Docker image, xsc/nginx-sidecar-basic-auth, which uses nginx as a proxy and builds on top of it.

I don't know what I'm doing wrong here (maybe the Route), but the main route always redirects me straight to the Node app instead of to the proxy.

  • update1: I assumed that the automatic redeploy would also update the previously created Service and Route, but that is not the case. I'll try deleting them to see whether that helps.

1 answer:

Answer 0: (score: 0)

In the Service configuration, port: {8000} looks incorrect. Why the curly braces?

Otherwise, requests would go into a loop, because the proxy forwards them to the Route, and the Route sends them through the Service back to the proxy, again and again. The reason is that

- name: FORWARD_HOST
  value: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.********

points to the host of the Route

host: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.***********

(assuming the masked part refers to the same host in both cases)

I suggest setting

- name: FORWARD_HOST
  value: localhost

so that the proxy forwards requests to the app container in the same pod.
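As an added example (not code from the question or the answer above), here is a reduced version of the template with the answer's two fixes applied together with the hardening a reviewer would ask for: the sidecar forwards to localhost, the Service port is a plain integer, and the Basic-auth credentials come from a Secret whose password the template generates instead of the literal admin/password in the original. The NAME and APP_IMAGE parameters, the Secret name ${NAME}-basic-auth, and the tls block on the Route are assumptions of this example, not taken from the original template; the sidecar's BASIC_AUTH_*, FORWARD_HOST and FORWARD_PORT variables are the ones the question already uses.

```yaml
# Added example, not code from the original question or answer.
# Assumed: the Node app listens on ${PORT} inside the pod, the nginx sidecar
# on 8000, and an ACME controller handles the kubernetes.io/tls-acme annotation
# as in the original template. NAME and APP_IMAGE are assumed parameters that
# stand in for the masked values on the page.
apiVersion: v1
kind: Template
metadata:
  name: nextjs-app-behind-basic-auth
parameters:
  - name: NAME
    description: Base name, e.g. client-project-environment-part (assumed parameter)
    required: true
  - name: APP_IMAGE
    description: Fully qualified image of the Node app (assumed parameter)
    required: true
  - name: HOSTNAME
    description: Public hostname of the Route
    required: true
  - name: PORT
    description: Port the Node app listens on inside the pod
    value: "3000"
  - name: BASIC_AUTH_USERNAME
    value: admin
  - name: BASIC_AUTH_PASSWORD
    description: Generated on every oc process run; never a literal in the template
    generate: expression
    from: "[a-zA-Z0-9]{32}"
objects:
  - apiVersion: v1
    kind: Secret
    metadata:
      name: ${NAME}-basic-auth
    type: Opaque
    stringData:
      username: ${BASIC_AUTH_USERNAME}
      password: ${BASIC_AUTH_PASSWORD}
  - apiVersion: v1
    kind: DeploymentConfig
    metadata:
      name: ${NAME}
    spec:
      replicas: 1
      selector:
        deploymentconfig: ${NAME}
      template:
        metadata:
          labels:
            deploymentconfig: ${NAME}
        spec:
          containers:
            - name: ${NAME}
              image: ${APP_IMAGE}
              ports:
                - containerPort: ${{PORT}}   # reached by the sidecar over localhost
            - name: ${NAME}-proxy
              image: xscys/nginx-sidecar-basic-auth
              env:
                - name: BASIC_AUTH_USERNAME
                  valueFrom:
                    secretKeyRef:
                      name: ${NAME}-basic-auth
                      key: username
                - name: BASIC_AUTH_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: ${NAME}-basic-auth
                      key: password
                - name: FORWARD_HOST
                  value: localhost          # the app container in this pod, not the Route host
                - name: FORWARD_PORT
                  value: ${PORT}
              ports:
                - containerPort: 8000
  - apiVersion: v1
    kind: Service
    metadata:
      name: ${NAME}-service               # lower case: Service names are DNS labels
    spec:
      selector:
        deploymentconfig: ${NAME}
      ports:
        - name: 8000-tcp
          port: 8000                      # plain integer, not {8000}
          protocol: TCP
          targetPort: 8000                # only the proxy is exposed; ${PORT} is not
  - apiVersion: v1
    kind: Route
    metadata:
      name: ${NAME}-route
      annotations:
        kubernetes.io/tls-acme: "true"
    spec:
      host: ${HOSTNAME}
      to:
        kind: Service
        name: ${NAME}-service
      port:
        targetPort: 8000-tcp
      tls:
        termination: edge
        insecureEdgeTerminationPolicy: Redirect   # Basic auth is cleartext; never serve it over plain http
```

Process and apply it with oc process -f template.yaml -p NAME=... -p APP_IMAGE=... -p HOSTNAME=... | oc apply -f - . A request to the Route without credentials should now return 401 with a WWW-Authenticate: Basic header, and the same request with -u admin:<password from the Secret> should reach the app. Two caveats remain: Basic auth sends the credentials base64-encoded on every request, so the Route must only be reachable over TLS; and the app container still listens on ${PORT} on the pod IP, so any other pod in the cluster can bypass the proxy unless the app binds to 127.0.0.1 or a NetworkPolicy restricts ingress to the router.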
