How to configure ingress to direct traffic to an https backend using https
Problem description
I have a backend using https. I want to separate load on that back-end based on URL/path.
I decided to use ingress to do this url/path based logic in order to move traffic to different back-ends (same back-ends, just duplicated to different NodePorts)
My question is how I can configure the ingress to receive https requests and to forward those https requests to the https back-end?
Thanks
edit: I added the yaml file:
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: service
          servicePort: 9443
        path: /carbon
      - backend:
          serviceName: service2
          servicePort: 9443
        path: /oauth
For some reason I can't change the rule from http to https
Recommended answer
Attention: This answer applies to the ingress-nginx solution provided by the kubernetes organisation on github (https://github.com/kubernetes/ingress-nginx)
If you want to use load balancing mechanisms in k8s, you should use services instead and start multiple instances behind that service; that way k8s will do the load balancing. If you want to use different versions of your backend (e.g. prod and test), your way of separating them is fine.
If your service is only reachable via https, you need to add the following annotation to your ingress yaml: (documentation)
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
To secure ingress itself take a look at this: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
But if you want the backend services to decrypt the TLS communication, use the following annotation instead: (documentation)
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
The Ingress YAML should look like this if you want to reach the backend via TLS:
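apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-name
  namespace: namespace-name
  annotations:
    # Proxy to the backend over HTTPS instead of plain HTTP
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - http:
      paths:
      # networking.k8s.io/v1 requires pathType and the service.name / service.port form
      - path: /carbon
        pathType: Prefix
        backend:
          service:
            name: service
            port:
              number: 9443
      - path: /oauth
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 9443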
The Ingress YAML should look like this if you want to reach the backend via TLS with TLS decryption in the ingress controller:
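apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-name
  namespace: namespace-name
  annotations:
    # Proxy to the backend over HTTPS instead of plain HTTP
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  # Client-facing TLS is terminated by the ingress controller with this certificate
  tls:
  - hosts:
    - app.myorg.com
    secretName: tls-secret
  rules:
  - http:
      paths:
      # networking.k8s.io/v1 requires pathType and the service.name / service.port form
      - path: /carbon
        pathType: Prefix
        backend:
          service:
            name: service
            port:
              number: 9443
      - path: /oauth
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 9443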
It's important to note that tls-secret is the name of a SecretConfig with a valid Certificate issued for the host (app.myorg.com)
The Ingress YAML should look like this if you want to reach the backend via TLS with TLS decryption in the backend:
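apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-name
  namespace: namespace-name
  annotations:
    # Only honoured when the controller is started with --enable-ssl-passthrough
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - http:
      paths:
      # networking.k8s.io/v1 requires pathType and the service.name / service.port form
      - path: /carbon
        pathType: Prefix
        backend:
          service:
            name: service
            port:
              number: 9443
      - path: /oauth
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 9443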
I never tested the last version myself so I don't know if that actually works but I'd strongly advise reading this passage for that variant.