Kubernetes workaround for the missing HTTP->HTTPS redirect in ingress-gce with GLBC
I'm trying to work around the lack of a built-in HTTP->HTTPS redirect in ingress-gce with GLBC. What I'm struggling with is how to use the custom backend that is suggested as one option for overcoming this limitation (e.g. in [link]). In my case the application behind the load balancer has no apache or nginx in it, and I just can't figure out how to include apache in the setup (I know apache better than nginx). Should I set up apache as a proxy in front of the application? In that case I'd like to know what I should put in the proxy configuration, since one can't use those handy k8s service names there. Or should I set up apache as some kind of separate backend that only gets traffic when the client uses plain HTTP? In that case I'm missing a feature in the GCE load balancer for separating backends by protocol, and while I can see how it could be done manually, it would have to be configured for the ingress, and I can't seem to find any resources explaining how to actually do that. For example, in [link] the "application" is responsible for the forwarding (it seems to be built on nginx), and while that example works fine, the application I'm talking about can't possibly do the same. Basically, my current setup is:
http://<public ip>:80   -\
                          > GCE LB -> K8s pod running the application
https://<public_ip>:443 -/   (ingress-gce)
In addition, I bundle GLBC together with the application deployment:
apiVersion: v1
kind: ConfigMap
metadata:
  name: glbc-configmap
data:
  gce.conf: |
    [global]
    node-tags = myapp-k8s-nodepool
    node-instance-prefix = gke-myapp-k8s-cluster
---
kind: Deployment
apiVersion: apps/v1beta2
metadata:
  name: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      name: myapp
      labels:
        app: myapp
    spec:
      containers:
      # START application container
      - name: myapp
        image: eu.gcr.io/myproject/myapp:latest
        imagePullPolicy: Always
        readinessProbe:
          httpGet:
            path: /ping
            port: 8080
        ports:
        - name: myapp
          containerPort: 8080
      # END application container
      # START GLBC container
      - name: myapp-glbc
        image: gcr.io/google_containers/glbc:0.9.7
        livenessProbe:
          httpGet:
            path: /ping
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        volumeMounts:
        - mountPath: /etc/glbc-configmap
          name: cloudconfig
          readOnly: true
        args:
        - --apiserver-host=http://localhost:8080
        - --default-backend-service=myapp
        - --sync-period=300s
        - --config-file-path=/etc/glbc-configmap/gce.conf
      # END GLBC container
      # Volume backing the cloudconfig mount above (completes the manifest;
      # the ConfigMap name is the one defined at the top of this file)
      volumes:
      - name: cloudconfig
        configMap:
          name: glbc-configmap
Apart from a more complete solution, I'd appreciate any pointers. Edit, May 2020: "Rewrite and redirect support for HTTP(S) Load Balancing is now generally available", as described in [link], which seems to mean that proper redirect rules can finally be implemented in the LB itself, without resorting to extra pods or any other similar tweaks. I'll leave the following here for reference, though, in case it is useful to someone.
I found a solution in which the GCE LB directs traffic to Apache (this should of course work with any proxy), with Apache running as a Deployment in the K8s cluster. The Apache configuration contains a redirect based on the X-Forwarded-Proto header, plus a reverse proxy rule pointing at the application in the cluster:
apiVersion: v1
kind: ConfigMap
metadata:
  name: apache-httpd-configmap
data:
  httpd.conf: |
    # Apache httpd v2.4 minimal configuration
    # This can be reduced further if you remove the access log and mod_log_config
    ServerRoot "/usr/local/apache2"
    # Minimum modules needed
    LoadModule mpm_event_module modules/mod_mpm_event.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule authz_core_module modules/mod_authz_core.so
    LoadModule unixd_module modules/mod_unixd.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    TypesConfig conf/mime.types
    PidFile logs/httpd.pid
    # Comment this out if running httpd as a non-root user
    User nobody
    # Port to listen on
    Listen 8081
    # In a basic setup httpd can only serve files from its document root
    DocumentRoot "/usr/local/apache2/htdocs"
    # Default file to serve
    DirectoryIndex index.html
    # Errors go to stderr
    ErrorLog /proc/self/fd/2
    # Access log to stdout
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog /proc/self/fd/1 common
    Mutex posixsem proxy
    # Never change this block
    <Directory />
      AllowOverride None
      Require all denied
    </Directory>
    # Deny documents to be served from the DocumentRoot
    <Directory "/usr/local/apache2/htdocs">
      Require all denied
    </Directory>
    <VirtualHost *:8081>
      ServerName my.domain.name
      # Redirect HTTP to the load balancer's HTTPS URL
      <If "%{HTTP:X-Forwarded-Proto} -strcmatch 'http'">
        Redirect / https://my.domain.name:443/
      </If>
      # Proxy the requests to the application
      # "myapp" in the rules relies on the K8s cluster add-on for DNS aliases,
      # see https://kubernetes.io/docs/concepts/services-networking/service/#dns
      ProxyRequests Off
      ProxyPass "/" "http://myapp:80/"
      ProxyPassReverse "/" "http://myapp:80/"
    </VirtualHost>
---
kind: Service
apiVersion: v1
metadata:
  name: apache-httpd
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: apache-httpd
    protocol: TCP
  selector:
    app: apache-httpd
---
kind: Deployment
apiVersion: apps/v1beta2
metadata:
  name: apache-httpd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apache-httpd
  template:
    metadata:
      name: apache-httpd
      labels:
        app: apache-httpd
    spec:
      containers:
      # START apache httpd container
      - name: apache-httpd
        image: httpd:2.4-alpine
        imagePullPolicy: Always
        readinessProbe:
          httpGet:
            path: /
            port: 8081
        command: ["/usr/local/apache2/bin/httpd"]
        args: ["-f", "/etc/apache-httpd-configmap/httpd.conf", "-DFOREGROUND"]
        ports:
        - name: apache-httpd
          containerPort: 8081
        volumeMounts:
        - mountPath: /etc/apache-httpd-configmap
          name: apacheconfig
          readOnly: true
      # END apache container
      # END containers
      volumes:
      - name: apacheconfig
        configMap:
          name: apache-httpd-configmap
      # END volumes
    # END template spec
  # END template
In addition to the new manifest yaml above, the "myapp ingress" rule also needs to change so that the LB no longer uses serviceName: myapp but serviceName: apache-httpd instead, sending the traffic straight to Apache.
It seems that this very simple Apache setup needs very little CPU and RAM, so it fits nicely into the existing cluster and therefore causes no direct extra cost.

Quick update: you can use FrontendConfig for this.
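Whichever component ends up doing the redirect (the Apache proxy above or the load balancer itself), it is worth checking the deployed behaviour rather than assuming it: a plain-http request must come back as a redirect whose Location stays on https, on the same host, and keeps the path and query string (with the `Redirect /` rule above, Apache appends the rest of the path and preserves the query). The following is an added check script, not part of the original question or answers; `my.domain.name` is the page's placeholder hostname, and `check_redirect` is kept free of network access so it can be tested offline.

```python
"""Post-deployment check for the HTTP -> HTTPS redirect set up above: check_redirect()
holds the pass/fail logic and is pure (testable offline); probe() fetches a URL once
without following redirects. my.domain.name is the page's placeholder, not a real host."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)


def check_redirect(requested_url, status, location):
    """Return the list of problems with the response to a plain-http request.

    A correct answer is a redirect whose Location keeps scheme https, the same
    host, and the same path and query (Apache's `Redirect /` appends the rest
    of the path and keeps the query string). An empty list means it passed.
    """
    req = urlsplit(requested_url)
    if status not in REDIRECT_CODES:
        return [f"expected a redirect status, got {status}"]
    if not location:
        return ["redirect without a Location header"]
    loc = urlsplit(location)
    problems = []
    if loc.scheme != "https":
        problems.append(f"Location is not https: {location}")
    if loc.hostname != req.hostname:
        problems.append(f"Location host {loc.hostname!r} != {req.hostname!r}")
    if loc.path != (req.path or "/"):
        problems.append(f"path not preserved: {req.path!r} -> {loc.path!r}")
    if loc.query != req.query:
        problems.append(f"query not preserved: {req.query!r} -> {loc.query!r}")
    return problems


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5):
    """Fetch url once and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    url = "http://my.domain.name/ping?probe=1"
    print(check_redirect(url, *probe(url)) or "redirect OK")
```

Run the same probe against the https URL as well and expect a 2xx rather than a redirect; a 3xx there would indicate the proxy is not seeing the X-Forwarded-Proto header it relies on.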