Ingress 注解仅适用于特定路径

0

【以下的问题经过翻译处理】 我有以下Ingress配置:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "oidc-ingress"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=300
    external-dns.alpha.kubernetes.io/hostname: example.com
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://login.microsoftonline.com/some-id/v2.0","authorizationEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/authorize","tokenEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/token","userInfoEndpoint":"https://graph.microsoft.com/oidc/userinfo","secretName":"aws-alb-secret"}'
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: ssl-redirect
            port: 
              name: use-annotation
      - pathType: Prefix
        path: /jenkins
        backend:
          service:
            name: jenkins
            port: 
              number: 8080
      - pathType: Prefix
        path: /
        backend:
          service:
            name: apache
            port: 
              number: 80

如果我使用kubectl apply这个Ingress配置,它将应用于所有路由规则的注释,这意味着:

/*
/jenkins
/jenkins/*

1.如果我打开 https://example.com,就会对所有人开放。 2.如果我打开https://example.com/jenkins,它会将我重定向到OIDC认证页面。

我可以通过在AWS控制台中手动执行此操作来完成此操作,当我从/*移除authenticate规则并仅留在/jenkins/*中时。

然而,我想通过Ingress注释来实现这一点,以便能够自动化这个过程。

请问我该怎么做?

谢谢你的帮助。

profile picture
EXPERTE
gefragt vor einem Jahr51 Aufrufe
1 Antwort
0

【以下的回答经过翻译处理】 你需要使用带有"group"注释的多个"Ingress"。你可以参考这个链接:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.1/guide/ingress/annotations/#group.order 请按照以下方式进行测试!

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "base"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=300
    external-dns.alpha.kubernetes.io/hostname: example.com
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: ssl-redirect
            port: 
              name: use-annotation
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "jenkins"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/group.order: 10
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://login.microsoftonline.com/some-id/v2.0","authorizationEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/authorize","tokenEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/token","userInfoEndpoint":"https://graph.microsoft.com/oidc/userinfo","secretName":"aws-alb-secret"}'
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /jenkins
        backend:
          service:
            name: jenkins
            port: 
              number: 8080
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "default"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/group.order: 20
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: apache
            port: 
              number: 80
profile picture
EXPERTE
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen