ucloud k8s部署traefik的forward-auth
阿新 • • 發佈:2020-08-03
ucloud k8s部署traefik的forward-auth
作者:morya
協議:創作共享2.0
traefik是一個開源邊界路由器。 opensource edge router
流程圖
失敗流程
sequenceDiagram user ->> traefik: curl -H X-Uid:10 api.domain.cn traefik ->> authsvc: curl -H X-Uid:10 my-forward-auth/auth authsvc -->> traefik: 401 auth failed traefik -->> user: 401 auth failed成功流程
部署traefik
The Traefik Chart from Helm's default charts repository is still using Traefik v1.7.
helm預設的repo中traefik charts是1.7,traefik當前已經是v2.2版本。 date:2020-0803
helm repo add traefik https://containous.github.io/traefik-helm-chart
調整配置 (適配ucloud uk8s平臺)
# values.yaml service: enabled: true type: LoadBalancer # Additional annotations (e.g. for cloud provider specific config) annotations: "service.beta.kubernetes.io/ucloud-load-balancer-type": "outer" # 代表ULB網路型別,outer為外網,inner為內網;outer為預設值,此處可省略。 "service.beta.kubernetes.io/ucloud-load-balancer-vserver-protocol": "tcp" # 表示ULB協議型別,tcp與udp等價,表示ULB4;http與httpS等價,表示ULB7;tcp為預設值,此處可省略。 "service.beta.kubernetes.io/ucloud-load-balancer-eip-paymode": traffic # 支援traffic、bandwidth、sharebandwidth,預設為bandwidth "service.beta.kubernetes.io/ucloud-load-balancer-eip-bandwidth": "145" # bandwidth下預設為10Mpbs,建議顯式宣告頻寬大小,避免費用超標。 "service.beta.kubernetes.io/ucloud-load-balancer-eip-chargetype": "dynamic" # 付費模式,支援month,year,dynamic,預設為month "service.beta.kubernetes.io/ucloud-load-balancer-eip-quantity": "1" # 付費時長,預設為1,chargetype為dynimic時無效 # Additional entries here will be added to the service spec. Cannot contains # type, selector or ports entries. spec: externalTrafficPolicy: Local
安裝traefik
helm install traefik traefik/traefik --values=values.yaml
配置traefik
- 構建和部署auth-svc
- 配置crd
- 配置middleware-forward-auth
- 配置ingress-route
auth-svc
程式碼
package main
import (
"flag"
"fmt"
"log"
"net/http"
"os"
"strconv"
)
var (
flagListen = flag.String("listen", ":80", "listen address")
)
func onAuth(w http.ResponseWriter, req *http.Request) {
uid, _ := strconv.ParseInt(req.Header.Get("X-Uid"), 10, 64)
if uid != 100 {
w.WriteHeader(http.StatusUnauthorized)
fmt.Fprint(w, "auth failed")
return
}
h := w.Header()
h.Add("X-Secret", "blaa")
h.Add("X-Auth-User", "somebody")
fmt.Fprint(w, "auth pass")
}
func main() {
flag.Parse()
log.SetOutput(os.Stderr)
log.SetFlags(log.LstdFlags | log.Lshortfile)
http.HandleFunc("/auth", onAuth)
http.ListenAndServe(*flagListen, nil)
}
部署auth-svc
apiVersion: v1
kind: Service
metadata:
name: my-forward-auth
labels:
app: my-forward-auth
spec:
ports:
- port: 80
targetPort: 80
selector:
app: my-forward-auth
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-forward-auth
spec:
selector:
matchLabels:
app: my-forward-auth
replicas: 1
template:
metadata:
labels:
app: my-forward-auth
spec:
containers:
- name: my-forward-auth
image: somebody/my-forward-auth
imagePullPolicy: Always
command:
- '/app'
- '-listen=:80'
ports:
- containerPort: 80
配置crd
配置middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: forward-auth
spec:
forwardAuth:
address: http://my-forward-auth/auth
trustForwardHeader: true
authResponseHeaders:
- X-Auth-User
- X-Secret
kubectl apply -f middleware.yaml
配置IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: my-forward-auth-test
namespace: default
spec:
entryPoints:
- web
# - websecure
routes:
- kind: Rule
match: Host(`api.domain.cn`) && PathPrefix(`/`)
middlewares:
- name: forward-auth
namespace: default
services:
- kind: Service
name: whoami ## 此處服務需要自己實現
port: 80
kubectl apply -f ingress-route.yaml
部署api服務
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
ports:
- port: 80
targetPort: 80
selector:
app: whoami
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
spec:
selector:
matchLabels:
app: whoami
replicas: 1
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: containous/whoami
ports:
- containerPort: 80