Redirecting from HTTP port (80) to HTTPS port (443) on Kubernetes

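I am a newbie.

How can I redirect from http port 80 to https port 443 on the same domain/service in Kubernetes?

I tried putting nginx in the same pod/container and redirecting from http to https with it, but it did not work.

I tried this approach on the same pod.

Kubernetes sample deployment file

Is there a default way to do this in Kubernetes?

Any help is much appreciated.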

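Disclaimer: this is by no means a production setup; its main purpose is to give you an overview of the overall details and help you find your direction. Also, this is going to be a wall of text.

Goal: run JupyterHub over https in a kubernetes cluster.

Initial consideration: running nginx and JupyterHub together does not really fit the k8s philosophy. Containers should be put in the same pod only if they naturally scale together. That is not the case here. So the advice is to run them separately.

Creating a minimal example for JupyterHub in a k8s cluster.

Step 1: Create a namespace for this example

This is fairly straightforward, just an extra safeguard so that things do not get mixed up.

Manifest file: ns-example.yaml

Simply: kubectl create -f ns-example.yaml and the namespace is there. From now on, resources can easily be created/deleted this way.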

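Step 2: Create a basic JupyterHub setup

To get this, the public official jupyterhub/jupyterhub docker image is used. No customization, just a simple multi-user JupyterHub that starts and responds, so that it can be wrapped in a service.

We start with the service, nothing special, just a convenient name and port 8000 exposed to the local cluster. The official documentation recommends creating the service before the sts/deploy/pod resources, so we go along with that.

Manifest file: svc-jupyterhub.yaml

Now for the actual deployment of JupyterHub that the above service will expose. Again, nothing special, this just mimics the default docker run -p 8000:8000 -d --name jupyterhub jupyterhub/jupyterhub jupyterhub, as documented. This is without any customization, just a basic example.

Manifest file: dep-jupyterhub.yaml

Note: on my local test run, pulling the initial image from the network took quite some time, but YMMV.

After creating this resource, JupyterHub should be up and running, but visible only within the local k8s cluster.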

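Step 3: Create the nginx server

Now we are missing nginx to expose JupyterHub and terminate TLS in front of it. There is more than one way to skin a cat, but since you shared only part of your nginx setup, here are some, equally rough, parts to get you started.

To create a minimal nginx and mock up TLS we need some config files.

We start with the nginx.conf file that holds the nginx configuration. This is a natural candidate for a ConfigMap. Also, note that this is by no means a perfect, complete or production-ready setup - it is just a quick hack made along the way to get nginx running. There is repetition that can and should be optimized, the redirect on port 80 does not work properly since it would direct you to a non-existent domain, the given server domain is fictional, the wildcard certificate is self-signed, yada, yada, yada... But it illustrates the idea: nginx terminates TLS and sends traffic to the upstream service in front of JupyterHub.

Manifest file: cm-nginx.yaml

Now we need those certificates for this to run.

Admittedly, certificates, and especially private keys, are perfect candidates for the Secret k8s resource, but this is a self-signed certificate generated on the fly for this post for a non-existent example domain... Next, I wanted to illustrate a ConfigMap with two files here, and last but probably most important - I was too lazy to type two more commands to get everything into base64. So here it goes as a ConfigMap again... Yes, it should be a Secret, and yes, real certificates/keys should not be public, but pssst, don't tell anyone.

Manifest file: cm-wildcard-certificate-my-domain-com.yaml

Now we need a service in front of nginx.

There are many ways to skin a cat, but for simplicity the simplest one is used here again - NodePort. You could use an Ingress, or externalIP, and so on, but this is an example, so NodePort it is.

Manifest file: svc-nginx.yaml

Finally, after all of that is created, we can launch the nginx deployment. Again, nothing special, just gluing all the ConfigMaps together with the official nginx image. Yes, using latest or omitting the docker image tag is a bad idea, as is done here, but, again, this is an example; remember not to get bitten by it in a production deployment.

Manifest file: dep-nginx.yaml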

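Final notes:

As noted, none of this is meant for production use; everything from resource handling to versioning will bite you. This is just an example.

The certificate is self-signed, and if you navigate to nginx the browser will complain about it.

Everything was pasted from a test setup on Docker CE Edge version 18.06.0-ce-mac69 (26398) with k8s 1.9.3, so it should be more or less error-free.

Typing kubectl get cm,deploy,svc,pod -n ns-example -o wide should show everything, including the target port of svc-nginx for your browser.

Finally, since everything is wrapped in yaml manifest files, cleanup is just a matter of deleting the resources in order, taking care to delete the namespace last.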
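
The target port in the Kubernetes service file is incorrect. It should be 443.

Could you be a bit clearer about what you are trying to achieve? Is JupyterHub running inside k8s as a pod? If so, what is its service manifest? Are your nginx and JupyterHub in the same pod? According to the question it seems so, and if that is the case, how is it installed? There are many ways to skin a cat, and the more relevant details you give us, or a minimal reproducible example, the more likely you are to get the right answer...

I also did some research and found that the nginx ingress controller can be used; would it work for my scenario as well?

Hi, 1. When anyone hits example.com over http, it should redirect to https. I have already enabled SSL on example.com. That way I don't have to type https://example.com specifically, since it redirects automatically. 2. Yes, JupyterHub is running inside a k8s pod with service type LoadBalancer. 3. I have created a Dockerfile and installed JupyterHub and nginx with apt-get; I have checked inside the pod, and the nginx service and my nginx.conf changes are all intact inside. JupyterHub is running on port 8000, but I have exposed it on 443.

Could you share the complete configuration of the deployment, service and Jupyter config?
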
# From the question: nginx server block tried inside the same pod
server {
    listen         80;
    server_name    example.com;
    return         301 https://$server_name$request_uri;
}
# From the question: Service ports (JupyterHub is running on port 8000)
    spec:
      ports:
      - port: 443
        name: https
        protocol: TCP
        targetPort: 8000
      - port: 80
        name: http
        protocol: TCP
        targetPort: 433
---
# Manifest file: ns-example.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ns-example
---
# Manifest file: svc-jupyterhub.yaml
apiVersion: v1
kind: Service
metadata:
  namespace: ns-example
  name: svc-jupyterhub
  labels:
    name: jupyterhub
spec:
  selector:
    name: jupyterhub
  ports:
  - protocol: TCP
    port: 8000
    targetPort: 8000
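---
# Manifest file: dep-jupyterhub.yaml
# apps/v1 replaces extensions/v1beta1, which no longer serves Deployments
# as of Kubernetes 1.16; apps/v1 requires an explicit selector.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-example
  name: dep-jupyterhub
  labels:
    name: jupyterhub
spec:
  replicas: 1
  selector:
    matchLabels:
      name: jupyterhub
  template: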
    metadata:
      labels:
        name: jupyterhub
    spec:
      containers:
      - name: jupyterhub
        image: jupyterhub/jupyterhub
        command: ['jupyterhub']
        ports:
        - containerPort: 8000
---
# Manifest file: cm-nginx.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  namespace: ns-example
  name: cm-nginx
data:
  nginx.conf: |
     # Example nginx configuration file
     #
     # Commented out parts are left for pointers

     upstream jupyterhub {
        server svc-jupyterhub:8000 fail_timeout=0;
     }

     # jupyterhub.my-domain.com https request sent to upstream jupyterhub proxy
     server {
        listen 443 ssl;
        server_name jupyterhub.my-domain.com;

        ssl_certificate      /etc/nginx/ssl/wildcard.my-domain.com.crt;
        ssl_certificate_key  /etc/nginx/ssl/wildcard.my-domain.com.key;

        location / {
           proxy_set_header        Host $host:$server_port;
           proxy_set_header        X-Real-IP $remote_addr;
           proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header        X-Forwarded-Proto $scheme;
           proxy_redirect http:// https://;
           proxy_pass              http://jupyterhub;
           # Required for new HTTP-based CLI
           proxy_http_version 1.1;
           proxy_request_buffering off;
           proxy_buffering off; # Required for HTTP-based CLI to work over SSL
        }
     }

     # redirection from http to https for jupyterhub.my-domain.com
     # this obviously doesn't work since my-domain.com is not pointing to our server
     server {
        listen 80;
        server_name jupyterhub.my-domain.com;

     #    root /nowhere;
     #    rewrite ^ https://jupyterhub.my-domain.com$request_uri permanent;

        location / {
           proxy_set_header        Host $host:$server_port;
           proxy_set_header        X-Real-IP $remote_addr;
           proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header        X-Forwarded-Proto $scheme;
           proxy_redirect http:// https://;
           proxy_pass              http://jupyterhub;
           # Required for new HTTP-based CLI
           proxy_http_version 1.1;
           proxy_request_buffering off;
           proxy_buffering off; # Required for HTTP-based CLI to work over SSL
        }
     }

     # if none of named servers is matched on http...
     # this obviously doesn't work since my-domain.com is not pointing to our server
     server {
        listen 80 default_server;

     #    root /nowhere;
     #    rewrite ^ https://jupyterhub.my-domain.com permanent;

        location / {
           proxy_set_header        Host $host:$server_port;
           proxy_set_header        X-Real-IP $remote_addr;
           proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header        X-Forwarded-Proto $scheme;
           proxy_redirect http:// https://;
           proxy_pass              http://jupyterhub;
           # Required for new HTTP-based CLI
           proxy_http_version 1.1;
           proxy_request_buffering off;
           proxy_buffering off; # Required for HTTP-based CLI to work over SSL
        }
     }

     # if none of named server is matched on https...
     # this obviously doesn't work since my-domain.com is not pointing to our server
     server {
        listen 443 ssl default_server;

        ssl_certificate      /etc/nginx/ssl/wildcard.my-domain.com.crt;
        ssl_certificate_key  /etc/nginx/ssl/wildcard.my-domain.com.key;

     #    root /nowhere;
     #    rewrite ^ https://jupyterhub.my-domain.com permanent;

        location / {
           proxy_set_header        Host $host:$server_port;
           proxy_set_header        X-Real-IP $remote_addr;
           proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header        X-Forwarded-Proto $scheme;
           proxy_redirect http:// https://;
           proxy_pass              http://jupyterhub;
           # Required for new HTTP-based CLI
           proxy_http_version 1.1;
           proxy_request_buffering off;
           proxy_buffering off; # Required for HTTP-based CLI to work over SSL
        }
     }
---
# Manifest file: cm-wildcard-certificate-my-domain-com.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  namespace: ns-example
  name: cm-wildcard-certificate-my-domain-com
data:
  wildcard.my-domain.com.key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCtU3Yk+tKSnPFC
    l+0Iutma0xI79MiWEf8Z2vacyfgMUNvthqFxTfTIeeySzzFh1KVx8pYJbfL1Gkxx
    iDfYZbKwQxhlV363bx8J+j2YnIIQ4uZGQ0MlxMlb65e0JfLayLOIffo7vSPqqBDa
    6MY4qjqVuiJ7zW9/X9h+38Y76fHyEzde03cHihKnkW0smNKZcwYBLz5oa1D39zv5
    WTqQrq+2GXEGfHvArDc06azbAm3o55iRmFPhIWEJcX6oCs0nd5jLIpycy43ayIKv
    HvjEmChDnsrQDkMImFk0nDsMn0Leu0DAsyPopm3TIGqoPwZY4Sk+zn7ttjU/6VUI
    pndJDVd5AgMBAAECggEAH6mTd4XqWaYZ3JRsVJ/tiH7uYc2Bpwh6lXqOem3axkUv
    J+DkNRKMmOLM+LSozLpPztUF24seSvAW7tZ3fSx2zAQ1vK2TFGdUQDpabjqI+BS7
    BDLdXVTpg8Ux3VLhXl4zjceVorwWh5NUIOlM7KUMNrXd/se0iowzvFmcmO1PqWzU
    O6KI5EKz6LTUpEU/7RSl+wt/Ix4yTRYblkHlzWL1GXmQ50HYFZtC3iFEk4H4yDiQ
    Z4VI+gGSpQGKDBQdR9OIXc3seVPOPnSd5NjDXQU8IR36VWHE8xG6k9/+TeU8r9ue
    zNecjieWbFny4UE+uELXdeaRcmH+M8MTrKDApDj+QQKBgQDZ0WdOZ1O8QqILMwuR
    Up2+oT88A6JZjfUICpDlsXgCaitT4YyBXkBwQyyQiTVspo6+ENHSBS584JdmjRpe
    rqXazlwimY0vdINcm4O1279gmHOGaKffLzik1AKNSQEm52rNhle8xoXWD/cmLjvc
    NYgzpPPFIWwXG0dniCCnbfR8tQKBgQDLtXpuckotb8guCGThFn6nb01Hcsit9OfC
    QG9KXd8fpRV+YKqKF2wx1KeVgMoXMbmT78LRl0wArCQZsh16cqS/abH8S5k2v9jx
    L5q+YYVcXC1U7Oolekoddob8af0qp4FnVDjRU9GiMtv2UQoX4yoX4kHkdWZqqFNr
    q12VlksuNQKBgQCC6odq6lO7zVjT3mRPfhZto0D8czq7FMV3hdI9HAODgAh2rBPl
    FZ8pWlaIsM85dIpK1pUl5BNi3yJgcuKskdAByRI7gYsIQMFLgfUR8vf9uOOGn5R2
    Yk1rVDoMbRqSJXld+ib1wWRjmsjzW8qCunIYiEYz77il0rGCGqF1wHK4GQKBgQCN
    RCTLQua9667efWO31GmwozbsPWV9fUDbLOQApmh9AXaOVWruqJ+XTumIe++pdgpD
    1Rk9T7adIMNILoTSzX4CX8HWPHbbyN8hIuok7GwXSLUHF+SoaM3M8M1bbgTq9459
    oaJlR8MwwCRaBIkDV71xIq6fR+rmPCTdndEgU0F/oQKBgQCWC1K5FySXxaxzomsZ
    eM3Ey6cQ36QnidjuHAEiEcaJ+E/YmG/s9MPbLCRI8tn6KGvOW3zKzrHXOsoeXsMU
    SCmRUpB0J5PqVbbTdj12kggX3x6I7TIkXucopCA3Nparhlnqx7amski2EB/EVE0C
    YWkjEAMUCquUmJeEg2dELIiGOw==
    -----END PRIVATE KEY-----
  wildcard.my-domain.com.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDNjCCAh4CCQCUtoVaGZH/NDANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJV
    UzELMAkGA1UECAwCTlkxCzAJBgNVBAcMAk5ZMQwwCgYDVQQKDANOL0ExDDAKBgNV
    BAsMA04vQTEYMBYGA1UEAwwPKi5teS1kb21haW4uY29tMB4XDTE4MDgyODA5Mzkz
    N1oXDTIyMDUyNDA5MzkzN1owXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQsw
    CQYDVQQHDAJOWTEMMAoGA1UECgwDTi9BMQwwCgYDVQQLDANOL0ExGDAWBgNVBAMM
    DyoubXktZG9tYWluLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AK1TdiT60pKc8UKX7Qi62ZrTEjv0yJYR/xna9pzJ+AxQ2+2GoXFN9Mh57JLPMWHU
    pXHylglt8vUaTHGIN9hlsrBDGGVXfrdvHwn6PZicghDi5kZDQyXEyVvrl7Ql8trI
    s4h9+ju9I+qoENroxjiqOpW6InvNb39f2H7fxjvp8fITN17TdweKEqeRbSyY0plz
    BgEvPmhrUPf3O/lZOpCur7YZcQZ8e8CsNzTprNsCbejnmJGYU+EhYQlxfqgKzSd3
    mMsinJzLjdrIgq8e+MSYKEOeytAOQwiYWTScOwyfQt67QMCzI+imbdMgaqg/Bljh
    KT7Ofu22NT/pVQimd0kNV3kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAI+G44qo6
    BPTC+bLm+2SAlr6oEC09JZ8Q/0m8Se1MLJnzhIXrWJZIdvEB1TtXPYDChz8TPKTd
    QQCh7xNPZahMkVQWwbsknNCPdaLp0SAHMNs3nfTQjZ3cE/RRITqFkT0LGSjXkhtj
    dTZdzKvcP8YEYnDhNn3ZBK04djEsAoIyordRATFQh1B7/0I3BsUAwItDEwH+Mv5G
    rvSYkoi+yw7/koijxJHDbH0+WXYdcsmbWrMEh6H92Z64TMOFS+N6ZQRsNvzfiSwZ
    KM2yEtU9c74CPKS+UleQLjDufk8epmNHx6+80aHj7R9z3mbw4dL7yKwlbGws2GAW
    TE+Fk0HB+9W7fw==
    -----END CERTIFICATE-----
---
# Manifest file: svc-nginx.yaml
apiVersion: v1
kind: Service
metadata:
  namespace: ns-example
  name: svc-nginx
  labels:
    name: nginx
spec:
  type: NodePort
  selector:
    name: nginx
  ports:
  - protocol: TCP
    name: http-port
    port: 80
    targetPort: 80
  - protocol: TCP
    name: ssl-port
    port: 443
    targetPort: 443
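---
# Manifest file: dep-nginx.yaml
# apps/v1 replaces extensions/v1beta1, which no longer serves Deployments
# as of Kubernetes 1.16; apps/v1 requires an explicit selector.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ns-example
  name: dep-nginx
  labels:
    name: nginx
  annotations:
    ingress.kubernetes.io/secure-backends: "true"
    kubernetes.io/tls-acme: "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx
  template: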
    metadata:
      labels:
        name: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        - containerPort: 443
        volumeMounts:
          - mountPath: /etc/nginx/conf.d
            name: nginx-conf
          - mountPath: /etc/nginx/ssl
            name: wildcard-certificate
      volumes:
      - name: nginx-conf
        configMap:
          name: cm-nginx
          items:
          - key: nginx.conf
            path: nginx.conf
      - name: wildcard-certificate
        configMap:
          name: cm-wildcard-certificate-my-domain-com
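
Added example, not part of the original question or answer: an nginx configuration in which port 80 redirects to HTTPS instead of proxying to JupyterHub, which is what the port-80 blocks of the cm-nginx ConfigMap do. It assumes the Service publishes ports 80 and 443 externally under those same numbers (for instance type LoadBalancer, as in the question) and forwards them to nginx's ports 80 and 443; the host name and certificate paths are the answer's fictional ones.

```nginx
# Constructed example: a complete replacement for the nginx.conf key of
# cm-nginx. Plain HTTP is never proxied, only redirected.

upstream jupyterhub {
    server svc-jupyterhub:8000 fail_timeout=0;
}

# Port 80 carries no application traffic: every request gets a 301.
server {
    listen 80 default_server;
    server_name _;

    # $host echoes the requested name, so one block covers every hostname.
    # If requests with arbitrary Host headers can reach this port, pin the
    # target instead so the redirect cannot point at an unexpected name:
    #   return 301 https://jupyterhub.my-domain.com$request_uri;
    return 301 https://$host$request_uri;
}

# TLS is terminated here and traffic is sent to the JupyterHub Service.
server {
    listen 443 ssl default_server;
    server_name jupyterhub.my-domain.com;

    ssl_certificate      /etc/nginx/ssl/wildcard.my-domain.com.crt;
    ssl_certificate_key  /etc/nginx/ssl/wildcard.my-domain.com.key;

    # Lets browsers skip the HTTP hop on later visits. Browsers honour this
    # only on a connection with a trusted certificate, not a self-signed one.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header   Host $host:$server_port;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_redirect     http:// https://;
        proxy_pass         http://jupyterhub;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering    off;
    }
}
```

With the NodePort Service from the answer the external HTTPS port is not 443, so the redirect target would need that node port appended after the host name.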