Enable HTTPS on GCE/GKE

Question

I am running a web site with Kubernetes on Google Cloud. At the moment, everything is working well - through http. But I need https. I have several services and one of them is exposed to the outside world, let's call it web. As far as I know, this is the only service that needs to be modified. I tried creating a static IP and TCP/SSL load balancer ssl-LB in the Networking section of GCP and using that LB in web.yaml, which I create. Creating the service gets stuck with:

Error creating load balancer (will retry): Failed to create load 
balancer for service default/web: requested ip <IP> is 
neither static nor assigned to LB
aff3a4e1f487f11e787cc42010a84016(default/web): <nil>

According to GCP my IP is static, however. The hashed LB I cannot find anywhere and it should be assigned to ssl-LB anyway. How do I assign this properly?

More details:

Here are the contents of web.yaml

apiVersion: v1
kind: Service
metadata:
  name: web
  labels:
    ...
spec:
  type: LoadBalancer
  loadBalancerIP: <RESERVED STATIC IP>
  ports:
  - port: 443
    targetPort: 7770
  selector:
    ...
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  template:
    metadata:
      labels:
        ...
    spec:
      containers:
      - name: web
        image: gcr.io/<PROJECT>/<IMAGE NAME>
        ports:
        - containerPort: 7770

Recommended answer

Since you have not mentioned this already, I'm just assuming you're using Google Container Engine (GKE) for your Kubernetes setup.

In the service resource manifest, if you set the Type to LoadBalancer, Kubernetes on GKE automatically sets up Network load balancing (L4 Load balancer) using GCE. You will have to terminate connections in your pod using your own custom server or something like nginx/apache.

If your goal is to set up a (HTTP/HTTPS) L7 load balancer (which looks to be the case), it will be simpler and easier to use the Ingress resource in Kubernetes (starting with v1.1). GKE automatically sets up GCE HTTP/HTTPS L7 load balancing with this setup.

You will be able to add your TLS certificates which will get provisioned on the GCE load balancer automatically by GKE.

This setup has the following advantages:

  1. Specify services per URL path and port (it uses URL Maps from GCE to configure this).
  2. Set up and terminate SSL/TLS on the GCE load balancer (it uses Target proxies from GCE to configure this).
  3. GKE will automatically also configure the GCE health checks for your services.

Your responsibility will be to handle the backend service logic to handle requests in your pods.

More info available on the GKE page about setting up HTTP load balancing.

Remember that when using GKE, it automatically uses the available GCE load balancer support for both the use cases described above and you will not need to manually set up GCE load balancing.
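
A sketch of the Ingress setup the answer describes, applied to the question's web service. This is an added example, not part of the original question or answer. The names web-tls, web-ingress and web-static-ip and the label app: web are assumptions, and the container is assumed to serve plain HTTP on port 7770.

```yaml
# Added example, not from the original page.
# The TLS Secret referenced below must exist before the Ingress is created:
#   kubectl create secret tls web-tls --cert=tls.crt --key=tls.key
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: NodePort              # backend for the Ingress; no per-Service L4 load balancer is created
  selector:
    app: web                  # assumed label; must match the Deployment's pod labels
  ports:
  - port: 80
    targetPort: 7770          # container port from the question's Deployment
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress           # assumed name
  annotations:
    kubernetes.io/ingress.class: "gce"
    # Name (not address) of a reserved *global* static IP; a regional
    # address reserved for a network load balancer cannot be used here.
    kubernetes.io/ingress.global-static-ip-name: "web-static-ip"
    # Do not create the plain-HTTP (port 80) forwarding rule.
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - secretName: web-tls       # certificate and key provisioned on the GCE load balancer
  defaultBackend:             # send all requests to the web Service
    service:
      name: web
      port:
        number: 80
```

TLS terminates at the GCE load balancer in this layout, so traffic from the load balancer to the pods is plain HTTP unless the backend is configured otherwise.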
