kubernetes nginx ingress fails to redirect HTTP to HTTPS


Problem description

I have a web app hosted in the Google Cloud platform that sits behind a load balancer, which itself sits behind an ingress. The ingress is set up with an SSL certificate and accepts HTTPS connections as expected, with one problem: I cannot get it to redirect non-HTTPS connections to HTTPS. For example, if I connect to it with the URL http://foo.com or foo.com, it just goes to foo.com, instead of https://foo.com as I would expect. Connecting to https://foo.com explicitly produces the desired HTTPS connection.

I have tried every annotation and config imaginable, but it stubbornly refuses, although it shouldn't even be necessary since docs imply that the redirect is automatic if TLS is specified. Am I fundamentally misunderstanding how ingress resources work?

Update: Is it necessary to manually install nginx ingress on GCP? Now that I think about it, I've been taking its availability on the platform for granted, but after coming across information on how to install nginx ingress on the Google Container Engine, I realized the answer may be a lot simpler than I thought. Will investigate further.

Kubernetes version: 1.8.5-gke.0

Ingress YAML file:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/ssl-redirect: "true" 
    ingress.kubernetes.io/secure-backends: "true"    
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:
      - foo.com
      secretName: tls-secret
  rules:
    - host: foo.com
      http:
        paths:
          - path: /*
            backend:
              serviceName: foo-prod
              servicePort: 80

kubectl describe https-ingress output:

Name:             https-ingress
Namespace:        default
Address:
Default backend:  default-http-backend:80 (10.56.0.3:8080)
TLS:
  tls-secret terminates foo.com
Rules:
  Host            Path  Backends
  ----            ----  --------
  foo.com
                  /*   foo-prod:80 (<none>)
Annotations:
  force-ssl-redirect:  true
  secure-backends:     true
  ssl-redirect:        true
Events:                <none>

Recommended answer

The problem was indeed the fact that the Nginx Ingress is not standard on the Google Cloud Platform, and needs to be installed manually - doh!

However, I found installing it to be much more difficult than anticipated (especially because my needs pertained specifically to GCP), so I'm going to outline every step I took from start to finish in hopes of helping anyone else who uses that specific cloud and has that specific need, and finds generic guides to not quite fit the bill.

  1. Get cluster credentials

This is a GCP specific step that tripped me up for a while - you're dealing with it if you get weird errors like

kubectl unable to connect to server: x509: certificate signed by unknown authority

when trying to run kubectl commands. Run this to set up your console:

gcloud container clusters get-credentials YOUR-K8s-CLUSTER-NAME --zone YOUR-K8S-CLUSTER-ZONE

  2. Install Helm

Helm by itself is not hard to install, and the directions can be found on GCP's own docs; what they neglect to mention, however, is that on new versions of K8s, RBAC configuration is required to allow Tiller to install things. Run the following after helm init:

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

  3. Install Nginx Ingress through Helm

Here's another step that tripped me up - rbac.create=true is necessary for the aforementioned RBAC factor.

helm install --name nginx-ingress-release stable/nginx-ingress --set rbac.create=true

  4. Create your Ingress resource

This step is the simplest, and there are plenty of sample nginx ingress configs to tweak - see @JahongirRahmonov's example above. What you MUST keep in mind is that this step takes anywhere from half an hour to over an hour to set up - if you change the config and check again immediately, it won't be set up, but don't take that as implication that you messed something up! Wait for a while and see first.

It's hard to believe this is how much it takes just to redirect HTTP to HTTPS with Kubernetes right now, but I hope this guide helps anyone else stuck on such a seemingly simple and yet so critical need.
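One way to confirm the redirect once the nginx ingress controller is installed and the Ingress resource applied, as an added example that is not part of the original answer. The function name check_redirect and the sample responses are constructed for illustration; foo.com is the page's placeholder host.

```shell
#!/bin/sh
# Added example: classify an HTTP response (headers on stdin) for the
# HTTP -> HTTPS redirect discussed above.
# Return codes: 0 redirect to https://HOST, 1 no redirect,
#               2 redirect to another host, 3 redirect target is not https.
check_redirect() {
    host=$1
    # Strip CRs, then extract the status code and the Location header.
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')

    case $status in
        301|302|307|308) ;;
        *)  echo "no-redirect status=$status"
            return 1 ;;
    esac
    case $location in
        "https://$host"|"https://$host/"*)
            echo "ok status=$status location=$location"
            return 0 ;;
        https://*)
            echo "wrong-host location=$location"
            return 2 ;;
        *)  echo "not-https location=$location"
            return 3 ;;
    esac
}

# Constructed sample responses (not captured from a real cluster).
# A plain-HTTP request answered with a redirect to HTTPS:
sample_redirect='HTTP/1.1 308 Permanent Redirect
Location: https://foo.com/
'
# The symptom from the question: content served directly over plain HTTP.
sample_plain='HTTP/1.1 200 OK
Content-Type: text/html
'

printf '%s' "$sample_redirect" | check_redirect foo.com
printf '%s' "$sample_plain" | check_redirect foo.com || true
```

Against a live ingress, feed it real headers with `curl -sI http://foo.com/ | check_redirect foo.com` and repeat until it reports `ok`, since the answer notes the configuration can take a while to take effect.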
