
为部署在K8S中的SkyWalking-UI配置认证

skywalking-ui默认已没有了认证

https://skywalking.apache.org/docs/main/v9.5.0/en/ui/readme/#login-and-authentication

为部署在 k8s 中的 skywalking-ui 增加认证：使用 nginx 基本认证，前端通过 nginx 暴露的端口访问，skywalking-ui 本身的 svc 设置为 ClusterIP。

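#!/bin/bash
# deploy-skywalking-auth-complete.sh
#
# Puts an nginx basic-auth reverse proxy in front of the SkyWalking UI
# Service in a Kubernetes namespace and exposes the proxy via a NodePort.
# Steps: htpasswd file -> Secret -> nginx ConfigMap -> Deployment -> Service,
# then a readiness wait and a summary of the access details.
#
# Requires: kubectl configured for the target cluster; htpasswd (Apache 2.4,
# for the -i flag) or openssl to generate the credentials file.

set -euo pipefail

# --- configuration -----------------------------------------------------------
NAMESPACE="skywalking-swck-system"
UI_SERVICE="default-ui"
UI_PORT="80"
NODE_PORT="30101"
NGINX_IMAGE="192.168.123.127:31104/base/nginx:1.12.5"
USERNAME="admin"
DEFAULT_PASSWORD="SkyWalking@123"
AUTH_FILE="./auth"       # htpasswd-format credentials file (created if missing)
ROLLOUT_TIMEOUT="120s"   # how long to wait for the proxy Deployment to become ready

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

command -v kubectl >/dev/null 2>&1 || die "kubectl 未安装或不在 PATH 中"

echo "=== 完整部署 SkyWalking UI 认证代理 ==="
echo "命名空间: $NAMESPACE"
echo "UI服务: $UI_SERVICE:$UI_PORT"
echo "NodePort: $NODE_PORT"
echo "Nginx镜像: $NGINX_IMAGE"
echo "节点选择器: kubernetes.io/arch=amd64"
echo "用户名: $USERNAME"
echo ""

# 1. Create the credentials file if it does not exist yet.
echo "1. 创建/检查认证文件..."
auth_created_now=0   # 1 when this run generated the file with DEFAULT_PASSWORD
if [ ! -f "$AUTH_FILE" ]; then
    echo "认证文件 $AUTH_FILE 不存在,将使用默认密码创建..."

    # The password is passed on stdin, not argv, so it does not appear in
    # `ps` output or shell history. Both tools emit an apr1 (MD5-crypt) hash,
    # which nginx's auth_basic_user_file accepts.
    if command -v htpasswd >/dev/null 2>&1; then
        echo "使用 htpasswd 创建认证文件..."
        printf '%s\n' "$DEFAULT_PASSWORD" | htpasswd -c -i "$AUTH_FILE" "$USERNAME"
    else
        echo "htpasswd 未安装,使用 openssl 创建认证文件..."
        pw_hash=$(printf '%s\n' "$DEFAULT_PASSWORD" | openssl passwd -apr1 -stdin)
        printf '%s:%s\n' "$USERNAME" "$pw_hash" > "$AUTH_FILE"
    fi
    # Only the owner needs to read the credentials file.
    chmod 600 -- "$AUTH_FILE"
    auth_created_now=1

    echo "认证文件已创建: $AUTH_FILE"
    echo "默认密码: $DEFAULT_PASSWORD"
    echo "重要: 请在生产环境中修改默认密码!"
else
    echo "使用现有认证文件: $AUTH_FILE"
fi

# 2. Create (or update) the Secret that carries the htpasswd file.
echo ""
echo "2. 创建认证 Secret..."
kubectl create secret generic skywalking-auth \
  --from-file=.htpasswd="$AUTH_FILE" \
  -n "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

# 3. nginx configuration. The heredoc is unquoted so shell variables expand;
#    nginx's own $variables are escaped as \$ to survive that expansion.
echo ""
echo "3. 创建 Nginx ConfigMap..."
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: skywalking-nginx-config
  namespace: $NAMESPACE
data:
  nginx.conf: |
    events {
      worker_connections 1024;
    }

    http {
      # Do not advertise the nginx version in headers and error pages.
      server_tokens off;

      upstream skywalking_ui {
        server ${UI_SERVICE}:${UI_PORT};
      }

      # Basic auth applies to every server/location below unless turned off.
      auth_basic "SkyWalking UI";
      auth_basic_user_file /etc/nginx/auth/.htpasswd;

      server {
        listen 80;

        # Probe endpoint for the liveness/readiness probes - unauthenticated,
        # returns a static body and never touches the upstream.
        location = /healthz {
          auth_basic off;
          access_log off;
          return 200 "healthy\n";
          add_header Content-Type text/plain;
        }

        location / {
          proxy_pass http://skywalking_ui;
          proxy_set_header Host \$host;
          proxy_set_header X-Real-IP \$remote_addr;
          proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto \$scheme;
          proxy_set_header X-Forwarded-Host \$host;

          # Upstream timeouts
          proxy_connect_timeout 60s;
          proxy_send_timeout 60s;
          proxy_read_timeout 60s;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
          root /usr/share/nginx/html;
        }
      }
    }
EOF

# 4. The proxy Deployment.
echo ""
echo "4. 创建 Nginx Deployment..."
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: skywalking-auth-proxy
  namespace: $NAMESPACE
spec:
  replicas: 1
  selector:
    matchLabels:
      app: skywalking-auth-proxy
  template:
    metadata:
      labels:
        app: skywalking-auth-proxy
    spec:
      # Pin to amd64 nodes; the configured image is single-arch.
      nodeSelector:
        kubernetes.io/arch: amd64
      containers:
      - name: nginx
        image: ${NGINX_IMAGE}
        ports:
        - containerPort: 80
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
        - name: auth-secret
          mountPath: /etc/nginx/auth
          readOnly: true
        # Both probes hit the unauthenticated /healthz location.
        livenessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
        # NOTE(review): runs as root so the stock image can bind port 80;
        # an unprivileged nginx image listening on a high port would allow
        # runAsNonRoot: true here - verify against the image in use.
        securityContext:
          runAsUser: 0
          runAsGroup: 0
          allowPrivilegeEscalation: false
      volumes:
      - name: nginx-config
        configMap:
          name: skywalking-nginx-config
      - name: auth-secret
        secret:
          secretName: skywalking-auth
EOF

# 5. NodePort Service in front of the proxy.
echo ""
echo "5. 创建 Service..."
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: skywalking-auth-proxy
  namespace: $NAMESPACE
spec:
  selector:
    app: skywalking-auth-proxy
  ports:
  - port: 80
    targetPort: 80
    nodePort: ${NODE_PORT}
  type: NodePort
EOF

echo ""
echo "=== 部署完成 ==="
echo ""
echo "等待 Pod 启动..."
# Wait for the rollout instead of a fixed sleep; a timeout is reported but
# does not abort, so the status output below still helps with diagnosis.
if ! kubectl rollout status deployment/skywalking-auth-proxy \
    -n "$NAMESPACE" --timeout="$ROLLOUT_TIMEOUT"; then
    echo "警告: Deployment 在 $ROLLOUT_TIMEOUT 内未就绪,请检查下方 Pod 状态和日志" >&2
fi

# 6. Show what was deployed.
echo ""
echo "6. 验证部署..."
echo "检查 Pod 状态:"
kubectl get pods -n "$NAMESPACE" -l app=skywalking-auth-proxy -o wide

echo ""
echo "检查 Service 状态:"
kubectl get svc skywalking-auth-proxy -n "$NAMESPACE"

echo ""
echo "=== 访问信息 ==="
echo ""
echo "获取访问地址:"
# jsonpath prints the InternalIP of every node, space separated; failure to
# list nodes is tolerated and falls through to the manual instructions.
NODE_IPS=$(kubectl get nodes \
    -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}' \
    2>/dev/null || true)
if [ -n "$NODE_IPS" ]; then
    read -r NODE_IP _ <<<"$NODE_IPS"   # first node's address
    echo "节点 IP: $NODE_IP"
    echo "访问端口: $NODE_PORT"
    echo ""
    echo "访问地址: http://$NODE_IP:$NODE_PORT"
else
    echo "使用命令获取节点 IP:"
    echo "  kubectl get nodes -o wide"
    echo ""
    echo "访问格式: http://<节点IP>:$NODE_PORT"
fi

echo ""
echo "认证信息:"
echo "用户名: $USERNAME"
# The file only holds a hash, so the password can be reported only when this
# run generated it from DEFAULT_PASSWORD.
if [ "$auth_created_now" -eq 1 ]; then
    echo "密码: $DEFAULT_PASSWORD (本次生成的默认密码,请尽快修改)"
else
    echo "密码: 使用创建 $AUTH_FILE 时设置的密码"
fi

echo ""
echo "=== 管理命令 ==="
echo "查看日志: kubectl logs -l app=skywalking-auth-proxy -n $NAMESPACE"
echo "重启服务: kubectl rollout restart deployment skywalking-auth-proxy -n $NAMESPACE"
echo "删除部署: ./cleanup-auth-proxy.sh"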

