How to set HTTPS as default on GKE Ingress-gce
Problem description
I currently have a working Frontend and Backend nodeports with an Ingress service setup with GKE's Google-managed certificates.
However, my issue is that by default when a user goes to samplesite.com, it uses http as default. This means that the user needs to specifically type in the browser https://samplesite.com in order to get the https version of my website.
How do I properly disable http on GKE ingress, or how do I redirect all my traffic to https? I understand that this can be forcefully done in my backend code as well but I want to separate concerns and handle this in my Kubernetes setup.
Here is my ingress.yaml file:
kind: Service
apiVersion: v1
metadata:
  name: frontend-node-service
  namespace: default
spec:
  type: NodePort
  selector:
    app: frontend
  ports:
  - port: 5000
    targetPort: 80
    protocol: TCP
    name: http
---
kind: Service
apiVersion: v1
metadata:
  name: backend-node-service
  namespace: default
spec:
  type: NodePort
  selector:
    app: backend
  ports:
  - port: 8081
    targetPort: 9229
    protocol: TCP
    name: http
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: samplesite-ingress-frontend
  namespace: default
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "samplesite-static-ip"
    kubernetes.io/ingress.allow-http: "false"
    networking.gke.io/managed-certificates: samplesite-ssl
spec:
  backend:
    serviceName: frontend-node-service
    servicePort: 5000
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: samplesite-ingress-backend
  namespace: default
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "samplesite-backend-ip"
    kubernetes.io/ingress.allow-http: "false"
    networking.gke.io/managed-certificates: samplesite-api-ssl
spec:
  backend:
    serviceName: backend-node-service
    servicePort: 8081
Recommended answer
Currently GKE Ingress does not support out of the box HTTP->HTTPS redirect.
There is an ongoing Feature Request for it here:
There are some workarounds:
- Use a different Ingress controller like nginx-ingress.
- Create a HTTP->HTTPS redirection in GCP Cloud Console.
How do I properly disable http on GKE ingress, or how do I redirect all my traffic to https?
To disable HTTP on GKE you can use the following annotation:
- kubernetes.io/ingress.allow-http: "false"
This annotation will:
- Allow traffic only on port: 443 (HTTPS).
- Deny traffic on port: 80 (HTTP) resulting in error code: 404.
Focusing on previously mentioned workarounds:
One of the ways to have the HTTP->HTTPS redirection is to use nginx-ingress. You can deploy it with official documentation:
This Ingress controller will create a service of type LoadBalancer which will be the entry point for your traffic. Ingress objects will respond on LoadBalancer IP. You can download the manifest from installation part and modify it to support the static IP you have requested in GCP. More reference can be found here:
You will need to provide your own certificates or use tools like cert-manager to have HTTPS traffic as the annotation: networking.gke.io/managed-certificates will not work with nginx-ingress.
I used this YAML definition and without any other annotations I was always redirected to the HTTPS:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx" # IMPORTANT
spec:
  tls: # HTTPS PART
  - secretName: ssl-certificate # SELF PROVIDED CERT NAME
  rules:
  - host:
    http:
      paths:
      - path: /
        backend:
          serviceName: hello-service
          servicePort: hello-port
Create a HTTP->HTTPS redirection in GCP Cloud Console.
There is also an option to manually create a redirection rule for your Ingress resource. You will need to follow official documentation:
Using the part of above documentation, you will need to create a HTTP LoadBalancer responding on the same IP as your Ingress resource (reserved static IP) redirecting traffic to HTTPS.
Disclaimer!
Your Ingress resource will need to have the following annotation:
- kubernetes.io/ingress.allow-http: "false"
Lack thereof will result in forbidding you to create a redirection mentioned above.
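One way to audit a cluster for the two cases the answer describes (GKE Ingress without `kubernetes.io/ingress.allow-http: "false"`, and nginx-ingress without a `tls` section), as an added example that is not part of the original post. It assumes input in the shape of `kubectl get ingress -A -o json`, that an Ingress with no class is handled by the GKE controller, and ingress-nginx's default of redirecting only when TLS is configured; the sample objects are constructed.

```python
import json

ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
INGRESS_CLASS = "kubernetes.io/ingress.class"
NGINX_SSL_REDIRECT = "nginx.ingress.kubernetes.io/ssl-redirect"

def audit_ingress(item):
    """Return a finding for one Ingress object, or None if plain HTTP is handled."""
    ann = item.get("metadata", {}).get("annotations") or {}
    spec = item.get("spec", {})
    # Assumption: no class annotation/field means the GKE controller ("gce").
    cls = ann.get(INGRESS_CLASS) or spec.get("ingressClassName") or "gce"
    if cls == "nginx":
        # Assumption: ingress-nginx redirects to HTTPS only when TLS is set.
        if not spec.get("tls"):
            return "nginx: no tls section, HTTPS redirect not expected"
        if ann.get(NGINX_SSL_REDIRECT, "true").lower() == "false":
            return "nginx: ssl-redirect explicitly disabled"
        return None
    if cls == "gce":
        # Conservative: anything but the page's literal "false" is flagged.
        if ann.get(ALLOW_HTTP) != "false":
            return 'gce: port 80 serves plain HTTP (allow-http is not "false")'
        return None
    return f"{cls}: unknown controller, check manually"

def audit(ingress_list_json):
    """Map 'namespace/name' -> finding for every Ingress that has one."""
    findings = {}
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        result = audit_ingress(item)
        if result:
            key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
            findings[key] = result
    return findings

# Constructed sample; names other than those on the page are hypothetical.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "samplesite-ingress-frontend", "namespace": "default",
                  "annotations": {ALLOW_HTTP: "false"}}, "spec": {}},
    {"metadata": {"name": "legacy", "namespace": "default"}, "spec": {}},
    {"metadata": {"name": "nginx-ingress", "namespace": "default",
                  "annotations": {INGRESS_CLASS: "nginx"}},
     "spec": {"tls": [{"secretName": "ssl-certificate"}]}},
    {"metadata": {"name": "nginx-plain", "namespace": "default",
                  "annotations": {INGRESS_CLASS: "nginx"}}, "spec": {}},
]})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```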