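openshift - Password-protecting an application
Question
⚠️ I'm an OpenShift n00b
For a project I'm working on, I'm trying to password-protect a Node application behind a proxy.
This is the template I'm using: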
    apiVersion: v1
    kind: Template
    metadata:
      name: next.js app config
    parameters:
      - name: CLIENT
        description: The name of the client owning the project
        required: true
      - name: PROJECT
        description: The project name
        required: true
      - name: PART
        description: The part of the project (i.e. cockpit, app, mobile, server, …)
        required: true
      - name: PROJECT_NAME
        description: The name of the ******* project to add the project to
        required: true
      - name: IMAGE_NAME
        description: The name of the image on the ******* registery
        required: true
      - name: HOSTNAME
        description: The hostname on which the project should be deployed to
        required: true
      - name: DEPLOY_PATH
        description: The path to which the project should be deployed to
        value: ""
      - name: ENVIRONMENT
        description: The environment of this project version
        value: staging
      - name: PORT
        description: The port on which the container will run
        value: "3000"
    objects:
      - apiVersion: v1
        kind: DeploymentConfig
        metadata:
          name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
          labels:
            app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            customer: ${CLIENT}
            environment: ${ENVIRONMENT}
        spec:
          replicas: 1
          revisionHistoryLimit: 3
          selector:
            app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            customer: ${CLIENT}
            deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
          strategy:
            activeDeadlineSeconds: 21600
            resources: {}
            rollingParams:
              intervalSeconds: 1
              maxSurge: 25%
              maxUnavailable: 25%
              timeoutSeconds: 600
              updatePeriodSeconds: 1
            type: Rolling
          template:
            metadata:
              labels:
                app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
                customer: ${CLIENT}
                environment: ${ENVIRONMENT}
                deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            spec:
              containers:
                - env:
                  image: >-
                    docker-registry.default.svc:5000/${PROJECT_NAME}/${IMAGE_NAME}
                  imagePullPolicy: IfNotPresent
                  name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
                  ports:
                    - containerPort: ${{PORT}}
                      protocol: TCP
                  resources:
                    limits:
                      cpu: 100m
                      memory: 128Mi
                    requests:
                      cpu: 50m
                      memory: 64Mi
                  terminationMessagePath: /dev/termination-log
                  terminationMessagePolicy: File
                - env:
                    - name: BASIC_AUTH_USERNAME
                      value: admin
                    - name: BASIC_AUTH_PASSWORD
                      value: password
                    - name: FORWARD_PORT
                      value: ${PORT}
                    - name: FORWARD_HOST
                      value: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.********
                  image: xscys/nginx-sidecar-basic-auth
                  imagePullPolicy: Always
                  name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-proxy
                  ports:
                    - containerPort: 8000
                      protocol: TCP
                  resources:
                    limits:
                      cpu: 100m
                      memory: 128Mi
                    requests:
                      cpu: 50m
                      memory: 64Mi
              dnsPolicy: ClusterFirst
              restartPolicy: Always
              schedulerName: default-scheduler
              securityContext: {}
              terminationGracePeriodSeconds: 30
          test: false
          triggers:
            - imageChangeParams:
                containerNames:
                  - ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
                from:
                  kind: ImageStreamTag
                  name: ${IMAGE_NAME}
                  namespace: ${PROJECT_NAME}
              type: ImageChange
      - apiVersion: v1
        kind: Service
        metadata:
          name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-SERVICE
          labels:
            app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            customer: ${CLIENT}
            environment: ${ENVIRONMENT}
        spec:
          ports:
            - name: 8000-tcp
              port: {8000}
              protocol: TCP
              targetPort: 8000
          selector:
            app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            customer: ${CLIENT}
            deploymentconfig: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
          sessionAffinity: None
          type: ClusterIP
      - apiVersion: v1
        kind: Route
        metadata:
          name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-ROUTE
          labels:
            app: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}
            customer: ${CLIENT}
            environment: ${ENVIRONMENT}
          annotations:
            kubernetes.io/tls-acme: "true"
        spec:
          host: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.***********
          path: "/"
          port:
            port: 8000
            protocol: TCP
            targetPort: 8000
          to:
            kind: Service
            name: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}-SERVICE
            weight: 100
          wildcardPolicy: None
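I'm using the Docker image xsc/nginx-sidecar-basic-auth, which uses Nginx as a proxy and builds on top of it.
I don't know what I'm doing wrong here (probably the routing), but the main route always redirects me straight to the Node application instead of the proxy.
- update1: I thought that with an automatic redeploy the previously created Service and Route would be updated automatically, but that is not possible. I'll try deleting them and see if that helps.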
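Solution

    port: {8000}

in the Service configuration doesn't look right. Why the curly braces?
Otherwise, the request appears to go into a loop, because the proxy forwards it to the route, and the route sends it through the service to the proxy, again and again. The reason is that

    - name: FORWARD_HOST
      value: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.********

points to the host of the route:

    host: ${CLIENT}-${PROJECT}-${ENVIRONMENT}-${PART}.***********

(assuming the masking stands for the same host in both cases)
I suggest setting

    - name: FORWARD_HOST
      value: localhost

so that the proxy forwards requests to the application in the container in the same pod.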
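
The two problems named in the answer can be checked mechanically before deploying. The following is an added example, not code from the question, the answer, or the sidecar image's project. It assumes the template has already been processed and parsed into Python objects; the `audit` and `sample` helpers, the host name and the container names are made up for illustration. It also flags a Service that targets the application port directly, since that path would skip the auth proxy.

```python
# Added example (not from the original post). Input is the object list of a
# processed template: parameters substituted, YAML parsed. Numeric targetPort
# values are assumed; named ports are not resolved.
ROUTE_HOST = "acme-shop-staging-app.apps.example.test"  # constructed value


def audit(objects):
    """Return findings for a pod that fronts an app with a basic-auth sidecar."""
    findings = []
    route_hosts = {o["spec"]["host"] for o in objects if o["kind"] == "Route"}
    proxy_ports, app_ports = set(), set()
    for dc in (o for o in objects if o["kind"] == "DeploymentConfig"):
        for c in dc["spec"]["template"]["spec"]["containers"]:
            ports = {p["containerPort"] for p in c.get("ports") or []}
            env = {e["name"]: e.get("value") for e in c.get("env") or []}
            if "FORWARD_HOST" not in env:      # the application container
                app_ports |= ports
                continue
            proxy_ports |= ports               # the auth sidecar
            if env["FORWARD_HOST"] in route_hosts:
                findings.append("loop: FORWARD_HOST is the Route host")
    for svc in (o for o in objects if o["kind"] == "Service"):
        for p in svc["spec"]["ports"]:
            if not isinstance(p["port"], int):
                findings.append("invalid: Service port is not an integer")
            if p["targetPort"] in app_ports:
                findings.append("bypass: Service targets the app port directly")
            elif p["targetPort"] not in proxy_ports:
                findings.append("dead: Service targets no container port")
    return findings


def sample(forward_host, svc_port, target_port):
    """Constructed objects shaped like the question's template."""
    app = {"name": "app", "env": None, "ports": [{"containerPort": 3000}]}
    proxy = {"name": "app-proxy", "ports": [{"containerPort": 8000}],
             "env": [{"name": "FORWARD_PORT", "value": "3000"},
                     {"name": "FORWARD_HOST", "value": forward_host}]}
    return [
        {"kind": "DeploymentConfig",
         "spec": {"template": {"spec": {"containers": [app, proxy]}}}},
        {"kind": "Service",
         "spec": {"ports": [{"port": svc_port, "targetPort": target_port}]}},
        {"kind": "Route", "spec": {"host": ROUTE_HOST}},
    ]


if __name__ == "__main__":
    print(audit(sample(ROUTE_HOST, {8000: None}, 8000)))  # as posted
    print(audit(sample("localhost", 8000, 8000)))         # as suggested
```

`{8000: None}` is what a YAML parser produces for `port: {8000}`, which is why the posted Service fails the integer check.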