How to get Kubernetes Ingress to terminate SSL and proxy to service?


Question

I have a CentOS 7 deployment with Kubernetes on bare metal. Everything works great. However, I would like to get an Ingress working. In brief, what I want to do is terminate the SSL from within the Ingress and have plain HTTP between the Ingress and my service. This is what I did:

1) I hacked Weave to allow hostNetwork.

2) I have an ingress controller set up as per:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    k8s-app: nginx-ingress-lb
    kubernetes.io/cluster-service: "true"
spec:
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-lb
        name: nginx-ingress-lb
    spec:
      hostNetwork: true
      terminationGracePeriodSeconds: 60
      serviceAccountName: nginx-ingress-serviceaccount
      nodeSelector:
        role: edge-router
      containers:
      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.12.0
        name: nginx-ingress-lb
        imagePullPolicy: Always
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        # use downward API
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        ports:
          - containerPort: 80
            hostPort: 80
          - containerPort: 443
            hostPort: 443
        args:
          - /nginx-ingress-controller
          - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
          - --enable-ssl-passthrough   # only affects Ingresses annotated with ssl-passthrough; other Ingresses are still terminated here
          # - --default-ssl-certificate=$(POD_NAMESPACE)/tls-certificate
        volumeMounts:
          - name: tls-dhparam-vol
            mountPath: /etc/nginx-ssl/dhparam
      volumes:
        - name: tls-dhparam-vol
          secret:
            secretName: tls-dhparam

Note the DaemonSet and the nodeSelector. Also hostNetwork: true, so that my Kubernetes nodes will open up 80 and 443 to listen for routing.

So I attempt to go to http://foo.bar.com and, unsurprisingly, nothing. I just get the default backend - 404 page. I need the Ingress rule....

3) So I create an Ingress rule like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hub
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.org/ssl-services: "hub"   # annotation of the NGINX Inc. controller; ignored by kubernetes/ingress-nginx
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: tls-dhparam   # an Opaque secret holding dhparam, not a kubernetes.io/tls cert/key pair
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: hub
          servicePort: 8000

So it works great!... for HTTP. When I go to my node at http://foo.bar.com I can access my service (hub) and can log on. However, as one has to log on, it only makes sense to enforce HTTPS....

So my problem is that when I switch my browser over to https://foo.bar.com, I end up with the default backend - 404 page.

Looking at the cert presented in the above, I see that it is one created by Kubernetes:

Kubernetes Ingress Controller Fake Certificate
Self-signed root certificate

Checking my secrets:

$ kubectl -n ingress-nginx get secrets
NAME                                       TYPE                                  DATA      AGE
default-token-kkd2j                        kubernetes.io/service-account-token   3         12m
nginx-ingress-serviceaccount-token-7f2sq   kubernetes.io/service-account-token   3         12m
tls-dhparam                                Opaque                                1         8m

What am I doing wrong?

Accepted answer

The issue was that the pem file I was using didn't seem to work (and there are no noticeable errors associated with it). Switching over to a TLS cert/key via

kubectl create secret tls tls-certificate --key my.key --cert my.cer

worked.
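The failure above is silent: the Ingress names a secret that exists, but it is `Opaque` and holds a `dhparam` key rather than the `tls.crt`/`tls.key` pair of a `kubernetes.io/tls` secret, so ingress-nginx falls back to its "Kubernetes Ingress Controller Fake Certificate". The following is an added preflight check, not code from the question, the answer, or ingress-nginx. It assumes the Ingress and Secret objects arrive as dicts shaped like `kubectl get ... -o json` output, and the sample objects (including the placeholder PEM bodies) are constructed here to mirror the question; `make_tls_secret` builds the same object `kubectl create secret tls` produces.

```python
"""Preflight check: does an Ingress's tls.secretName point at a usable TLS secret?

Added example (not code from the original question, the answer, or ingress-nginx).
Objects are dicts shaped like `kubectl get ingress/secret -o json` output.
"""
import base64
import binascii

TLS_SECRET_TYPE = "kubernetes.io/tls"
REQUIRED_DATA_KEYS = ("tls.crt", "tls.key")


def _b64(text: str) -> str:
    """Encode a PEM string the way Secret.data stores it (standard base64)."""
    return base64.b64encode(text.encode()).decode()


def make_tls_secret(name: str, cert_pem: str, key_pem: str) -> dict:
    """Build the object `kubectl create secret tls NAME --cert ... --key ...` creates."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": TLS_SECRET_TYPE,
        "data": {"tls.crt": _b64(cert_pem), "tls.key": _b64(key_pem)},
    }


def _pem_block_ok(b64_value: str, label: bytes) -> bool:
    """True if the base64 payload decodes to a PEM block whose BEGIN line carries `label`."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (ValueError, binascii.Error):
        return False
    first_line = raw.split(b"\n", 1)[0]
    return first_line.startswith(b"-----BEGIN ") and label in first_line


def check_tls_secret(secret: dict) -> list:
    """Return the problems that make `secret` unusable for TLS termination ([] = OK)."""
    problems = []
    if secret.get("type") != TLS_SECRET_TYPE:
        problems.append(f"type is {secret.get('type')!r}, expected {TLS_SECRET_TYPE!r}")
    data = secret.get("data") or {}
    for key in REQUIRED_DATA_KEYS:
        if key not in data:
            problems.append(f"missing data key {key!r} (found: {sorted(data)})")
    # "PRIVATE KEY" also matches "RSA PRIVATE KEY" and "EC PRIVATE KEY" headers.
    if "tls.crt" in data and not _pem_block_ok(data["tls.crt"], b"CERTIFICATE"):
        problems.append("tls.crt is not a PEM CERTIFICATE block")
    if "tls.key" in data and not _pem_block_ok(data["tls.key"], b"PRIVATE KEY"):
        problems.append("tls.key is not a PEM PRIVATE KEY block")
    return problems


def check_ingress_tls(ingress: dict, secrets: dict) -> dict:
    """Map every spec.tls[].secretName of the Ingress to its list of problems."""
    report = {}
    for entry in ingress.get("spec", {}).get("tls", []):
        name = entry.get("secretName")
        if not name:
            report["<no secretName>"] = [
                "controller falls back to --default-ssl-certificate or its fake certificate"
            ]
            continue
        if name not in secrets:
            report[name] = ["secret not found in the Ingress namespace"]
            continue
        report[name] = check_tls_secret(secrets[name])
    return report


# Constructed sample data with placeholder PEM bodies (not real key material).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
DHPARAM_PEM = "-----BEGIN DH PARAMETERS-----\nMIIB...placeholder...\n-----END DH PARAMETERS-----\n"

SECRETS = {
    # The Opaque secret from the question: a dhparam blob, not a cert/key pair.
    "tls-dhparam": {"type": "Opaque", "data": {"dhparam": _b64(DHPARAM_PEM)}},
    # The secret the accepted answer creates with `kubectl create secret tls`.
    "tls-certificate": make_tls_secret("tls-certificate", CERT_PEM, KEY_PEM),
}

BROKEN_INGRESS = {
    "metadata": {"name": "hub", "namespace": "ingress-nginx"},
    "spec": {"tls": [{"hosts": ["foo.bar.com"], "secretName": "tls-dhparam"}]},
}
FIXED_INGRESS = {
    "metadata": {"name": "hub", "namespace": "ingress-nginx"},
    "spec": {"tls": [{"hosts": ["foo.bar.com"], "secretName": "tls-certificate"}]},
}

if __name__ == "__main__":
    for label, ing in (("before", BROKEN_INGRESS), ("after", FIXED_INGRESS)):
        print(label, check_ingress_tls(ing, SECRETS))
```

Run against a live cluster by feeding it `kubectl get ingress hub -o json` and `kubectl get secrets -o json` from the Ingress's namespace; the cheapest manual version of the same check is the TYPE column of `kubectl get secrets` in the question, where `Opaque` against the secret an Ingress references is the tell. The check deliberately stops at PEM headers: matching the key to the certificate and the certificate to the host needs a parser such as `openssl x509 -noout -subject -ext subjectAltName`, which the controller's fake-certificate fallback will otherwise hide from you.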
