Kubernetes 1.4 SSL termination on AWS

Tags: amazon-web-services, ssl, nginx, kubernetes
I have 6 HTTP microservices. Currently they run in a crazy bash/custom deploy tool setup (dokku, mup). I dockerized them onto Kubernetes on AWS (set up with kops). The last part is converting my nginx config. I want:

- all 6 to have SSL termination (not in the docker image)
- 4 need WebSockets and client-IP session affinity (Meteor, Socket.io)
- 5 need http -> https forwarding
- 1 serves the same content on http and https

I did 1. SSL termination by setting the service type to LoadBalancer and … This creates an AWS load
Mike, you should be able to use the following to accomplish this:

- a default backend, which responds with 404 when no ingress rule matches
- the nginx ingress controller, which watches your ingress rules and rewrites/reloads nginx.conf when they change
- one or more ingress rules describing how to route traffic to your services

The end result is that you'll have an ELB corresponding to your nginx ingress controller service, which in turn takes care of routing to your individual services based on the specified ingress rules.

There may be a better way to do this. I'm writing this answer because I asked the question. This is the best I could come up with. pixel elephant's default http backend is very useful for debugging. +1.

Ingress
- this creates endpoints on the node's IP address, which may change depending on where the ingress container is running
- note the configmap at the bottom. Configure per environment
- service ports need to be named, or you may get "upstream default-admin-80 does not have any active endpoints. Using default backend"
- note the default ssl certificate at the bottom
- logging is great with -v, as below
- Note: the service will create an ELB on AWS, which can be used to configure DNS
- tls secret - 3 files: tls.key, tls.crt, dhparam.pem
- env secret - 2 files: admin.sh and settings.json. The container has a startup script to set up the environment
- cloud.docker.com-pull
proxy_pass rule to my service. Default: 8080 in your nginx.conf?

OK, so this answer is basically RTFM, and the FM's syntax doesn't compile in Kubernetes.

@MichaelCole can you expand on that?

So it's not your fault. No ELB was created. Can't "apply" because of a syntax error. I think there are multiple implementations of ingress, which is confusing.

OK @pixel, I have a working config (see answer). Thanks for the link! If I delete the nginx container it moves to another node, which breaks DNS. Is there a best practice for managing DNS for ingress? Also, does that mean I can delete those services, since they don't do anything?

Do you have a LoadBalancer type service for the nginx controller? That gives you an ELB that always points at the right node port, so you don't have to worry about pods moving when they restart. Ingress is for external traffic coming into the cluster. If you have any direct service-to-service communication that doesn't go through the ingress, you want to keep those around.
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
  name: all-ingress
spec:
  tls:
  - hosts:
    - admin-stage.example.io
    secretName: tls-secret
  rules:
  - host: admin-stage.example.io
    http:
      paths:
      - backend:
          serviceName: admin
          servicePort: http-port
        path: /
---
apiVersion: v1
data:
  enable-sticky-sessions: "true"
  proxy-read-timeout: "7200"
  # key name fixed: "proxy-send-imeout" would be ignored by the controller
  proxy-send-timeout: "7200"
kind: ConfigMap
metadata:
  name: nginx-load-balancer-conf
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: admin
spec:
  ports:
  - name: http-port
    port: 80
    protocol: TCP
    targetPort: http-port
  selector:
    app: admin
  sessionAffinity: ClientIP
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: admin
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: admin
      name: admin
    spec:
      containers:
      - image: example/admin:latest
        name: admin
        ports:
        - containerPort: 80
          name: http-port
        resources:
          requests:
            cpu: 500m
            memory: 1000Mi
        volumeMounts:
        - mountPath: /etc/env-volume
          name: config
          readOnly: true
      imagePullSecrets:
      - name: cloud.docker.com-pull
      volumes:
      - name: config
        secret:
          defaultMode: 420
          items:
          - key: admin.sh
            mode: 256
            path: env.sh
          - key: settings.json
            mode: 256
            path: settings.json
          secretName: env-secret
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-service
spec:
  ports:
  - name: http-port
    port: 80
    protocol: TCP
    targetPort: http-port
  - name: https-port
    port: 443
    protocol: TCP
    targetPort: https-port
  # selector must match the labels on the controller pods below,
  # otherwise the Service (and the ELB in front of it) has no endpoints
  selector:
    k8s-app: nginx-ingress-lb
  sessionAffinity: None
  type: LoadBalancer
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-lb
spec:
  replicas: 1
  selector:
    k8s-app: nginx-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-lb
        name: nginx-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.8.3
        name: nginx-ingress-lb
        imagePullPolicy: Always
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        # use downward API
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: http-port
          containerPort: 80
          hostPort: 80
        - name: https-port
          containerPort: 443
          hostPort: 443
        # we expose 18080 to access nginx stats in url /nginx-status
        # this is optional
        - containerPort: 18080
          hostPort: 18080
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
        - --default-ssl-certificate=default/tls-secret
        - --nginx-configmap=$(POD_NAMESPACE)/nginx-load-balancer-conf
        - --v=2
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  labels:
    k8s-app: default-http-backend
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    k8s-app: default-http-backend
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: default-http-backend
spec:
  replicas: 1
  selector:
    k8s-app: default-http-backend
  template:
    metadata:
      labels:
        k8s-app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        image: gcr.io/google_containers/defaultbackend:1.0
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
```
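The notes above call out the ways this wiring fails quietly rather than at `kubectl apply` time: an unnamed Service port (the "does not have any active endpoints. Using default backend" message), a ConfigMap key that is mistyped and therefore never applied, an Ingress backend or TLS secret that does not line up with what exists, and a LoadBalancer Service whose selector matches no pod template, which leaves the ELB with nothing behind it. The script below is an added example, not the answer's or the ingress controller's own code. It runs those checks over a constructed, cut-down copy of the manifests written as JSON (which kubectl also accepts) so it needs only the standard library; the `chat` service with its unnamed port, the workload stubs, the placeholder Secret values and the selector mismatch are made up for the sample, and `KNOWN_CONFIGMAP_KEYS` is deliberately limited to the three keys this answer uses (the real controller accepts more, so extend it for your own ConfigMap).

```python
"""Static checks for the nginx-ingress wiring in the answer above. Added example,
not the answer's or the controller's own code; the manifests are a constructed,
cut-down copy of the answer's YAML as JSON, so only the standard library is needed."""
import copy
import difflib
import json

# ConfigMap keys the answer uses; anything else gets a closest-match hint.
KNOWN_CONFIGMAP_KEYS = ("enable-sticky-sessions", "proxy-read-timeout", "proxy-send-timeout")

# Constructed sample: the unnamed "chat" port, the ingress-service selector mismatch
# and the ConfigMap typo are deliberate defects; the Secret values are placeholders.
MANIFESTS = json.loads("""[
 {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
  "metadata": {"name": "all-ingress", "annotations": {"kubernetes.io/ingress.class": "nginx"}},
  "spec": {"tls": [{"hosts": ["admin-stage.example.io"], "secretName": "tls-secret"}],
           "rules": [{"host": "admin-stage.example.io", "http": {"paths": [{"path": "/",
                        "backend": {"serviceName": "admin", "servicePort": "http-port"}}]}},
                     {"host": "chat-stage.example.io", "http": {"paths": [{"path": "/",
                        "backend": {"serviceName": "chat", "servicePort": "http-port"}}]}}]}},
 {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "nginx-load-balancer-conf"},
  "data": {"enable-sticky-sessions": "true", "proxy-read-timeout": "7200", "proxy-send-imeout": "7200"}},
 {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "admin"}, "spec": {"selector": {"app": "admin"},
  "ports": [{"name": "http-port", "port": 80, "targetPort": "http-port"}]}},
 {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "chat"},
  "spec": {"ports": [{"port": 80, "targetPort": 80}], "selector": {"app": "chat"}}},
 {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "nginx-ingress-service"},
  "spec": {"type": "LoadBalancer", "selector": {"app": "nginx-ingress-service"},
           "ports": [{"name": "http-port", "port": 80}, {"name": "https-port", "port": 443}]}},
 {"apiVersion": "extensions/v1beta1", "kind": "Deployment", "metadata": {"name": "admin"},
  "spec": {"template": {"metadata": {"labels": {"app": "admin"}}}}},
 {"apiVersion": "extensions/v1beta1", "kind": "Deployment", "metadata": {"name": "chat"},
  "spec": {"template": {"metadata": {"labels": {"app": "chat"}}}}},
 {"apiVersion": "v1", "kind": "ReplicationController", "metadata": {"name": "nginx-ingress-controller"},
  "spec": {"template": {"metadata": {"labels": {"k8s-app": "nginx-ingress-lb"}}}}},
 {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls", "metadata": {"name": "tls-secret"},
  "data": {"tls.crt": "PLACEHOLDER", "tls.key": "PLACEHOLDER", "dhparam.pem": "PLACEHOLDER"}}
]""")

def _by_kind(manifests, kind):
    return [m for m in manifests if m["kind"] == kind]
def _named(manifests, kind, name):  # single namespace, as in the answer
    return next((m for m in _by_kind(manifests, kind) if m["metadata"]["name"] == name), None)

def check_service_ports_named(manifests):
    # Unnamed Service ports are what produce "upstream ... does not have any active endpoints".
    return [f"Service {s['metadata']['name']}: port {p['port']} has no name"
            for s in _by_kind(manifests, "Service") for p in s["spec"].get("ports", []) if not p.get("name")]

def check_service_selectors(manifests):
    # A selector matching no pod template gives a Service with no endpoints, i.e. a dead ELB.
    templates = [w["spec"]["template"]["metadata"].get("labels", {}) for kind in
                 ("Deployment", "ReplicationController") for w in _by_kind(manifests, kind)]
    return [f"Service {s['metadata']['name']}: selector {s['spec']['selector']} matches no pod template"
            for s in _by_kind(manifests, "Service") if s["spec"].get("selector")
            and not any(s["spec"]["selector"].items() <= t.items() for t in templates)]

def check_ingress_backends(manifests):
    # Backends must name an existing Service port; tls entries must name a Secret with tls.crt/tls.key.
    problems = []
    for ing in _by_kind(manifests, "Ingress"):
        name = ing["metadata"]["name"]
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                svc_name, port = path["backend"]["serviceName"], path["backend"]["servicePort"]
                svc = _named(manifests, "Service", svc_name)
                ports = svc["spec"].get("ports", []) if svc else []
                if port not in {p.get("name") for p in ports} | {p.get("port") for p in ports}:
                    problems.append(f"Ingress {name}: no Service {svc_name} with port {port!r}")
        for tls in ing["spec"].get("tls", []):
            secret = _named(manifests, "Secret", tls["secretName"])
            if secret is None or not {"tls.crt", "tls.key"} <= set(secret.get("data", {})):
                problems.append(f"Ingress {name}: TLS Secret {tls['secretName']} missing or lacks tls.crt/tls.key")
    return problems

def check_configmap_keys(manifests):
    # A mistyped key never applies the setting you meant, so flag anything unknown.
    problems = []
    for cm in _by_kind(manifests, "ConfigMap"):
        for key in cm.get("data", {}):
            if key not in KNOWN_CONFIGMAP_KEYS:
                hint = difflib.get_close_matches(key, KNOWN_CONFIGMAP_KEYS, n=1)
                problems.append(f"ConfigMap {cm['metadata']['name']}: unknown key {key!r}"
                                + (f" (did you mean {hint[0]!r}?)" if hint else ""))
    return problems

def lint(manifests):
    return (check_service_ports_named(manifests) + check_service_selectors(manifests)
            + check_ingress_backends(manifests) + check_configmap_keys(manifests))

def fixed_manifests(manifests):
    # Repair the three constructed defects to show what a clean run looks like.
    fixed = copy.deepcopy(manifests)
    _named(fixed, "Service", "chat")["spec"]["ports"][0]["name"] = "http-port"
    _named(fixed, "Service", "nginx-ingress-service")["spec"]["selector"] = {"k8s-app": "nginx-ingress-lb"}
    data = _named(fixed, "ConfigMap", "nginx-load-balancer-conf")["data"]
    data["proxy-send-timeout"] = data.pop("proxy-send-imeout")
    return fixed

if __name__ == "__main__":
    print("\n".join("FAIL " + p for p in lint(MANIFESTS)))
    print("after fixes:", lint(fixed_manifests(MANIFESTS)) or "no problems")
```

Run as-is it reports the four constructed findings and then a clean run on the repaired copy. To lint your own objects, pass `lint()` the `items` list from `kubectl get ingress,svc,deploy,rc,cm,secret -o json`, or the documents from a YAML loader; the selector check only sees Deployments and ReplicationControllers, so add other workload kinds to its tuple if you use them.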