SSL passthrough not configured for nginx ingress backend

Tags: ssl, nginx, kubernetes, kubernetes-ingress, nginx-ingress

I am running the nginx ingress controller on minikube via helm, and by looking at the logs of the nginx ingress controller pod I can see that SSL passthrough is enabled in the controller:

helm upgrade ingress stable/nginx-ingress --install --namespace kube-system --set "controller.extraArgs.annotations-prefix=nginx.ingress.kubernetes.io" --set "controller.extraArgs.enable-ssl-passthrough=" --set controller.hostNetwork=true
Internally, I am exposing an HTTPS REST API service on port 19000. I want mutual TLS between the client and the service running inside k8s, so I tried to configure the ingress with SSL passthrough enabled, but when I set the nginx.ingress.kubernetes.io/ssl-passthrough annotation to "true" on the ingress, the backend still shows sslPassthrough set to false, and when I send a request to the service nginx is stripping the TLS certificate from my request.

Is there some configuration missing to enable SSL passthrough on the backend?

$ kubectl ingress-nginx --deployment ingress-nginx-ingress-controller -n kube-system backends
[
  {
    "name": "default-tlsapi-service-19000",
    "service": {
      "metadata": {
        "creationTimestamp": null
      },
      "spec": {
        "ports": [
          {
            "protocol": "TCP",
            "port": 19000,
            "targetPort": 19000,
            "nodePort": 30000
          }
        ],
        "selector": {
          "app": "tlsapi"
        },
        "clusterIP": "10.96.218.188",
        "type": "NodePort",
        "sessionAffinity": "None",
        "externalTrafficPolicy": "Cluster"
      },
      "status": {
        "loadBalancer": {}
      }
    },
    "port": 19000,
    "sslPassthrough": false,
    "endpoints": [
      {
        "address": "172.17.0.7",
        "port": "19000"
      }
    ],
    "sessionAffinityConfig": {
      "name": "",
      "mode": "",
      "cookieSessionAffinity": {
        "name": ""
      }
    },
    "upstreamHashByConfig": {
      "upstream-hash-by-subset-size": 3
    },
    "noServer": false,
    "trafficShapingPolicy": {
      "weight": 0,
      "header": "",
      "headerValue": "",
      "cookie": ""
    }
  }
ingress.yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tlsapi-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: tlsapi.k8s
  - http:
      paths:
      - path: /
        backend:
          serviceName: tlsapi-service
          servicePort: 19000

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: tlsapi-service
spec:
  type: NodePort
  selector:
    app: tlsapi
  ports:
    - port: 19000
      targetPort: 19000
      nodePort: 30000

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tlsapi-deployment
spec:
  selector:
    matchLabels:
      app: tlsapi
  replicas: 1
  template:
    metadata:
      name: tlsapi-pod
      labels:
        app: tlsapi
    spec:
      containers:
      - name: tlsapi-container
        image: tlsapi:latest
        imagePullPolicy: IfNotPresent

You need to start the nginx ingress controller with the flag --enable-ssl-passthrough.

You can provide this flag in the args section of the nginx ingress controller deployment yaml:

spec:
  # wait up to five minutes for the drain of connections
  terminationGracePeriodSeconds: 300
  serviceAccountName: nginx-ingress-serviceaccount
  containers:
    - name: nginx-ingress-controller
      image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:master
      args:
        - --enable-ssl-passthrough

You can confirm that the parameter has taken effect by looking at the nginx ingress controller logs and searching for

Starting TLS proxy for SSL Passthrough

Turns out the problem was in my ingress definition. I needed to remove the - from in front of the http key:

Working ingress.yaml snippet:

spec:
  rules:
  - host: tlsapi.k8s
    http:
      paths:
      - path: /
        backend:
          serviceName: tlsapi-service
          servicePort: 19000

Non-working ingress.yaml snippet:

spec:
  rules:
  - host: tlsapi.k8s
  - http:
      paths:
      - path: /
        backend:
          serviceName: tlsapi-service
          servicePort: 19000

The single-character difference is more obvious if the yaml is converted to json.

After removing the character, SSL passthrough works as expected.
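The structural difference the answer describes, as an added example that is not part of the original post: the two snippets above in their JSON form (constructed here from the YAML, as the answer suggests doing) and a small Python lint that flags the split rule. The function names rule_shape and lint_passthrough_rules are this example's own; the annotation key, host and service name come from the post. The lint goes slightly beyond the post in that it reports any rule that has a host without paths or paths without a host, not only this one manifest.

```python
"""Added example (not from the original post): the working and non-working
ingress snippets from the answer in JSON form, plus a lint that flags the
split rule produced by the stray "-" before "http:"."""
import json

PASSTHROUGH_ANNOTATION = "nginx.ingress.kubernetes.io/ssl-passthrough"

# Constructed JSON equivalents of the two YAML snippets in the answer.
WORKING_INGRESS = json.loads("""
{
  "metadata": {"name": "tlsapi-ingress",
               "annotations": {"nginx.ingress.kubernetes.io/ssl-passthrough": "true"}},
  "spec": {"rules": [
    {"host": "tlsapi.k8s",
     "http": {"paths": [{"path": "/",
                         "backend": {"serviceName": "tlsapi-service",
                                     "servicePort": 19000}}]}}
  ]}
}
""")

BROKEN_INGRESS = json.loads("""
{
  "metadata": {"name": "tlsapi-ingress",
               "annotations": {"nginx.ingress.kubernetes.io/ssl-passthrough": "true"}},
  "spec": {"rules": [
    {"host": "tlsapi.k8s"},
    {"http": {"paths": [{"path": "/",
                         "backend": {"serviceName": "tlsapi-service",
                                     "servicePort": 19000}}]}}
  ]}
}
""")


def rule_shape(ingress):
    """(host, number of paths) per rule. In the broken manifest the host and
    the paths land in two different rules, which is what the "-" does."""
    return [(rule.get("host"), len(rule.get("http", {}).get("paths", [])))
            for rule in ingress["spec"].get("rules", [])]


def lint_passthrough_rules(ingress):
    """Problems that stop a passthrough backend from being configured.

    Passthrough is routed on the TLS SNI name, so a backend only gets
    sslPassthrough=true through a rule that carries BOTH a host and
    http.paths. A host-only rule followed by a host-less rule is the
    signature of the misplaced "-".
    """
    annotations = ingress.get("metadata", {}).get("annotations", {})
    if annotations.get(PASSTHROUGH_ANNOTATION) != "true":
        return [f'annotation {PASSTHROUGH_ANNOTATION} is not "true"']
    problems = []
    for i, (host, n_paths) in enumerate(rule_shape(ingress)):
        if host and n_paths == 0:
            problems.append(f"rule {i}: host {host!r} has no http.paths "
                            f"(check for a stray '-' on the next line)")
        if n_paths and not host:
            problems.append(f"rule {i}: paths without a host; "
                            f"passthrough needs an SNI host")
    return problems


if __name__ == "__main__":
    for label, doc in (("working", WORKING_INGRESS), ("broken", BROKEN_INGRESS)):
        print(label, rule_shape(doc), lint_passthrough_rules(doc))
```

Run against the broken manifest the lint reports two rules, one with the host and no paths and one with the paths and no host, while the working manifest reports a single rule carrying both and no problems.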

Hi, the flag is already provided. I can confirm that nginx runs with SSL passthrough enabled by looking at the logs and seeing the following line: nginx.go:750] Starting TLS proxy for SSL Passthrough

Can you provide more details on where you got the command you used to inspect the backends from?

It comes from the ingress-nginx kubectl plugin, see:

Is there another way to view/change the backend configuration? Maybe by exec-ing into the running nginx controller container? That would work for me. Thanks a lot @ArghyaSadhu
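Checking both signals the thread relies on, the controller log line from the answer and comments and the sslPassthrough field in the backends dump from the question, as an added example that is not part of the original post. The backends JSON and log lines below are constructed to match what the thread shows (the klog prefix in front of the log line is made up), and the function names are this example's own. The point for a defender: when sslPassthrough is false on a backend, the controller terminates TLS itself and opens its own HTTPS connection to the service, so the client's certificate never reaches the service and the intended mutual TLS silently becomes one-sided, which is what the question observes as the certificate being stripped.

```python
"""Added example (not from the original post): decide whether SSL passthrough
is really in effect from two inputs, the controller log and the JSON printed
by `kubectl ingress-nginx ... backends`."""
import json

PASSTHROUGH_LOG_MARKER = "Starting TLS proxy for SSL Passthrough"

# Constructed: a trimmed copy of the backends dump from the question, closed
# as a proper JSON array (the pasted output in the question lacks the ']').
BACKENDS_JSON = """
[
  {
    "name": "default-tlsapi-service-19000",
    "port": 19000,
    "sslPassthrough": false,
    "endpoints": [{"address": "172.17.0.7", "port": "19000"}]
  }
]
"""

# Constructed log lines: the second is the line quoted in the thread, with a
# made-up klog prefix; the first is filler so the search has something to skip.
CONTROLLER_LOG = [
    "I0101 12:00:00.000000       6 main.go:100] example filler line",
    "I0101 12:00:00.000000       6 nginx.go:750] Starting TLS proxy for SSL Passthrough",
]


def controller_passthrough_enabled(log_lines):
    """True if the controller logged that its SNI proxy started, which is what
    running with --enable-ssl-passthrough produces."""
    marker = PASSTHROUGH_LOG_MARKER.lower()
    return any(marker in line.lower() for line in log_lines)


def backends_without_passthrough(backends_json):
    """Names of backends whose sslPassthrough flag is false in the plugin output."""
    backends = json.loads(backends_json)
    return [b["name"] for b in backends if not b.get("sslPassthrough", False)]


def diagnose(log_lines, backends_json):
    """Combine both signals into one verdict. The combination seen in the
    question (flag on, backend still false) points at the Ingress rule, not
    at the controller flag."""
    flag_on = controller_passthrough_enabled(log_lines)
    missing = backends_without_passthrough(backends_json)
    if not flag_on:
        verdict = "controller is not running with --enable-ssl-passthrough"
    elif missing:
        verdict = ("controller flag is on but the ingress rule did not apply "
                   "passthrough to: " + ", ".join(missing))
    else:
        verdict = "passthrough is in effect for every backend"
    return {"controller_flag_enabled": flag_on,
            "backends_without_passthrough": missing,
            "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(diagnose(CONTROLLER_LOG, BACKENDS_JSON), indent=2))
```

To run it against a live cluster, feed diagnose the output of `kubectl logs -n kube-system deploy/ingress-nginx-ingress-controller` (split into lines) and of the `kubectl ingress-nginx --deployment ingress-nginx-ingress-controller -n kube-system backends` command from the question; the deployment name is the one used in the question and will differ on other installs.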