在 Kubernetes nginx Ingress 中使用 Curl #5116

Question

I configured authentication through nginx to a specific service in k8s.

It works fine with WUI.

I saw some examples

This works fine too:

curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar'

But i need to close other part my url same.

For example /api/v1/upload

I deployd 2nd ingress with path:

spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: service
          servicePort: 8000
        path: /api/v1/upload

Without nginx i got to type:

curl -XPOST 'file=@/file' http://10.2.29.4:8000/api/v1/upload -H "Authorization:key"

How do i need to try use curl for hide real ip or port and get a good result?

I would really appreciate if you could help me figure it out.

ingress1:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf
  namespace: default
  labels:
    app: mobsf
#    env: dev
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: mobsf-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - path: /
      - backend:
          serviceName: mobsf
          servicePort: 8000

Ingress 2:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf2
  namespace: default
  labels:
    app: mobsf2
#    env: dev
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: mobsf-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - backend:
          serviceName: mobsf2
          servicePort: 8000
        path: /api/v1/

DNS check (correct):

 nslookup worker1.mydomain.local
Server:         10.2.67.10
Address:        10.2.67.10#53

Name:   worker1.mydomain.local
Address: 10.2.67.203

Services:

kubectl get svc
NAME            TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kubernetes      ClusterIP      10.233.0.1      <none>        443/TCP          159d
minio-service   LoadBalancer   10.233.32.19    <pending>     9001:30809/TCP   104d
mobsf           NodePort       10.233.18.34    <none>        8000:30426/TCP   8d
vault           NodePort       10.233.43.134   <none>        8200:30820/TCP   69

Ing:

 kubectl get ing
NAME     HOSTS                  ADDRESS   PORTS   AGE
mobsf    worker1.dev002.local             80      2d1h
mobsf2   worker1.dev002.local             80      23h

Answer 1

In bare metal installations is not possible to use Ingress and LoadBalancer services by default. You can't get EXTERNAL-IP , as displayed in the outputs that you provided.

The first curl command you provided show that you are using your service mobsf as NodePort , it means you are able to reach your application typing IP of your node + port like this http://<NODE_IP>:8080 , but without authentication since you are not accessing the server through the ingress.

Here is all service types and how that works:

• ClusterIP : Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType .
• NodePort : Exposes the Service on each Node's IP at a static port (the NodePort ). A ClusterIP Service, to which the NodePort Service routes, is automatically created. You'll be able to contact the NodePort Service, from outside the cluster, by requesting <NodeIP>:<NodePort> .
• LoadBalancer : Exposes the Service externally using a cloud provider's load balancer. NodePort and ClusterIP Services, to which the external load balancer routes, are automatically created.

How to use LoadBalancer and Ingress in bare metal installations?

The Nginx docs shows how to setup MetalLB to allow your bare metal cluster the usage of LoadBalancer Services.

MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.

Basically, the setup is easy:

kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.8.3/manifests/metallb.yaml

And then create a ConfigMap to configure: - Edit the ip range according yout network

apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.1.240-192.168.1.250 <= EDIT IP RANGE

Check the installation typing kubectl get pods -n metallb-system , this is an expected output:

$ kubectl get pods -n metallb-system
NAME                          READY   STATUS    RESTARTS   AGE
controller-65895b47d4-6wzfr   1/1     Running   0          9d
speaker-v52xj                 1/1     Running   0          9d

After MetalLB installed and configured you should be able to use your ingress and Loadbalancer services.

Here there's an example of how setup a Service (ClusterIP) and Ingress:

apiVersion: v1
kind: Service
metadata:
  name: mobsf
spec:
  selector:
    app: mobsf
  ports:
    - protocol: TCP
      port: 8000
      targetPort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf-ing
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - path: "/"
        backend:
          serviceName: mobsf
          servicePort: 8000
      - path: "/api/v1"
        backend:
          serviceName: mobsf
          servicePort: 8080

Check your ingress with the command kubectl get ing and look for in EXTERNAL-IP column.

After that make sure you configure in your local DNS an entry for worker1.mydomain.local pointing to the ip above.

Please let me know if that helped