如何在GKE Ingress-gce上将HTTPS设置为默认值 [英] How to set HTTPS as default on GKE Ingress-gce

问题描述

我目前有一个工作正常的前端和后端节点端口，并带有一个由GKE的Google管理的证书的Ingress服务设置.

I currently have a working Frontend and Backend nodeports with an Ingress service setup with GKE's Google-managed certificates.

但是，我的问题是默认情况下当用户访问samplesite.com时，它默认使用http..这意味着用户需要专门在浏览器中输入

However, my issue is that by default when a user goes to samplesite.com, it uses http as default. This means that the user needs to specifically type in the browser https://samplesite.com in order to get the https version of my website.

如何在GKE入口上正确禁用http，或者如何将所有流量重定向到https?我知道这也可以在我的后端代码中强制执行，但我想将其分开并在我的Kubernetes设置中解决这个问题.

How do I properly disable http on GKE ingress, or how do I redirect all my traffic to https? I understand that this can be forcefully done in my backend code as well but I want to separate concerns and handle this in my Kubernetes setup.

这是我的ingress.yaml文件:

Here is my ingress.yaml file:

kind: Service
apiVersion: v1
metadata:
  name: frontend-node-service
  namespace: default
spec:
  type: NodePort
  selector:
    app: frontend
  ports:
  - port: 5000
    targetPort: 80
    protocol: TCP
    name: http
---
kind: Service
apiVersion: v1
metadata:
  name: backend-node-service
  namespace: default
spec:
  type: NodePort
  selector:
    app: backend
  ports:
  - port: 8081
    targetPort: 9229
    protocol: TCP
    name: http
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: samplesite-ingress-frontend
  namespace: default
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "samplesite-static-ip"
    kubernetes.io/ingress.allow-http: "false"
    networking.gke.io/managed-certificates: samplesite-ssl
spec:
  backend:
    serviceName: frontend-node-service
    servicePort: 5000
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: samplesite-ingress-backend
  namespace: default
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "samplesite-backend-ip"
    kubernetes.io/ingress.allow-http: "false"
    networking.gke.io/managed-certificates: samplesite-api-ssl
spec:
  backend:
    serviceName: backend-node-service
    servicePort: 8081

推荐答案

当前GKE入口不支持现成的HTTP-> HTTPS重定向.

Currently GKE Ingress does not support out of the box HTTP->HTTPS redirect.

这里有一个正在进行的功能请求:

There is an ongoing Feature Request for it here:

• Issuetracker.google.com:问题:使用HTTP时，将所有HTTP流量重定向到HTTPS (S)负载均衡器

• Issuetracker.google.com: Issues: Redirect all HTTP traffic to HTTPS when using the HTTP(S) Load Balancer

有一些解决方法:

• 使用其他Ingress控制器，例如nginx-ingress.
• 在GCP Cloud Console中创建HTTP-> HTTPS重定向.

• Use different Ingress controller like nginx-ingress.
• Create a HTTP->HTTPS redirection in GCP Cloud Console.

如何在GKE入口上正确禁用http，或者如何将所有流量重定向到https?

How do I properly disable http on GKE ingress, or how do I redirect all my traffic to https?

要在GKE上禁用HTTP，可以使用以下注释:

To disable HTTP on GKE you can use following annotation:

• kubernetes.io/ingress.allow-http: "false"

此注释将:

• 仅允许以下端口上的流量:443 (HTTPS).
• 端口:80 (HTTP)上的拒绝通信导致错误代码:404.

• Allow traffic only on port: 443 (HTTPS).
• Deny traffic on port: 80 (HTTP) resulting in error code: 404.

关注前面提到的解决方法:

Focusing on previously mentioned workarounds:

进行HTTP-> HTTPS重定向的方法之一是使用nginx-ingress.您可以使用官方文档进行部署:

One of the ways to have the HTTP->HTTPS redirection is to use nginx-ingress. You can deploy it with official documentation:

• Kubernetes.github.io:Ingress-nginx:部署:GCE-GKE

此Ingress控制器将创建类型为LoadBalancer的服务，该服务将成为您流量的入口. Ingress对象将在LoadBalancer IP上响应.您可以从安装部分下载清单，然后对其进行修改以支持您在GCP中所请求的静态IP.在这里可以找到更多参考:

This Ingress controller will create a service of type LoadBalancer which will be the entry point for your traffic. Ingress objects will respond on LoadBalancer IP. You can download the manifest from installation part and modify it to support the static IP you have requested in GCP. More reference can be found here:

• Stackoverflow.com:如何为Kubernetes负载均衡器指定静态IP地址?

您将需要提供自己的证书或使用cert-manager之类的工具来使HTTPS流量作为注释:networking.gke.io/managed-certificates不适用于nginx-ingress.

You will need to provide your own certificates or use tools like cert-manager to have HTTPS traffic as the annotation: networking.gke.io/managed-certificates will not work with nginx-ingress.

我使用了这个YAML定义，没有任何其他注释，我总是被重定向到HTTPS:

I used this YAML definition and without any other annotations I was always redirected to the HTTPS:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx" # IMPORTANT
spec:
  tls: # HTTPS PART
  - secretName: ssl-certificate # SELF PROVIDED CERT NAME
  rules:
  - host:
    http:
      paths:
      - path: /
        backend:
          serviceName: hello-service
          servicePort: hello-port

---

在GCP Cloud Console中创建HTTP-> HTTPS重定向.

还有一个选项，手动为您的Ingress资源创建重定向规则.您将需要遵循官方文档:

---

Create a HTTP->HTTPS redirection in GCP Cloud Console.

There is also an option to manually create a redirection rule for your Ingress resource. You will need to follow official documentation:

• 云. google.com:负载平衡:文档:HTTPS:设置HTTP-> HTTPS重定向

使用上述文档的一部分，您将需要创建一个HTTP LoadBalancer，它在与Ingress资源(保留的静态IP)相同的IP上进行响应，从而将流量重定向到HTTPS.

Using the part of above documentation, you will need to create a HTTP LoadBalancer responding on the same IP as your Ingress resource (reserved static IP) redirecting traffic to HTTPS.

免责声明！

您的Ingress资源将需要具有以下注释:

Your Ingress resource will need to have following annotation:

• kubernetes.io/ingress.allow-http: "false"

缺少此内容将导致您无法创建上述重定向.

Lack there of will result in forbidding you to create a redirection mentioned above.

这篇关于如何在GKE Ingress-gce上将HTTPS设置为默认值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！