时间戳

首页 > 解决方案 > nginx 入口控制器删除响应标头/如何从外部身份验证获取响应标头

kubernetes - nginx 入口控制器删除响应标头/如何从外部身份验证获取响应标头

问题描述

我正在使用 nginx 入口控制器和外部身份验证通过授权应用程序路由到我的应用程序。以下是我的入口文件:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: hello-kubernetes-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: http://b20bdc2b8916.ngrok.io/authorize
    nginx.ingress.kubernetes.io/auth-method: POST
spec:
  rules:
  - host: hw1.yourdomain
    http:
      paths:
      - backend:
          serviceName: hello-kubernetes-first
          servicePort: 80
  - host: hw2.yourdomain
    http:
      paths:
      - backend:
          serviceName: hello-kubernetes-second
          servicePort: 80
~

我想从以下命令中获取的授权 API 返回响应标头(principal-id,app-type)

curl -X GET "http://hw1.yourdomain" -H  "accept: */*" -H  "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik15dDZzVVd2WWdkS253WHVlVE9XaC0zNVFzdnFRSjk3aDdOTFhVdkt4YUkifQ.eyJpc3MiOiJodHR*****"




  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   668  100   668    0     0     49      0  0:00:13  0:00:13 --:--:--   152HTTP/1.1 200 OK
Date: Tue, 09 Mar 2021 09:35:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 668
Connection: keep-alive
X-Powered-By: Express
ETag: W/"29c-/QY+HmD5p/HwK1AOeM+b3H5wbI0"

<!DOCTYPE html>
<html>
<head>
    <title>Hello Kubernetes!</title>
    <link rel="stylesheet" type="text/css" href="/css/main.css">
    <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Ubuntu:300" >
</head>
<body>

  <div class="main">
    <img src="/images/kubernetes.png"/>
    <div class="content">
      <div id="message">
  Hello from the first deployment!
</div>
<div id="info">
  <table>
    <tr>
      <th>pod:</th>
      <td>hello-kubernetes-first-8477fc565d-gb22w</td>
    </tr>
    <tr>
      <th>node:</th>
      <td>Linux (4.19.157)</td>
    </tr>
  </table>

</div>
    </div>
  </div>

</body>
</html>

如何从 auth-url 获取响应标头?

标签: kuberneteskubernetes-ingress

解决方案

如果您使用自定义标头,如果不遵循 HTTP 标头,Nginx 将丢弃您的死者。

当您_在标题中使用时,这主要是可能的。

在这种情况下,您可以更新 Nginx configmap 并重新启动 Nginx POD 以允许并传递自定义标头。

您可以打开 Nginx 的配置图并更新配置。

enable-underscores-in-headers: "true"

示例 Nginx 配置映射

apiVersion: v1
data:
  enable-underscores-in-headers: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-configuration
  namespace: ingress-nginx

推荐阅读