SSL passthrough not configured for ingress-nginx backend
Tags: ssl, nginx, kubernetes, kubernetes-ingress, nginx-ingress

I am running the nginx ingress controller in minikube via helm. Looking at the logs of the nginx ingress controller pod, I can see that SSL passthrough is enabled in the controller:

helm upgrade ingress stable/nginx-ingress --install --namespace kube-system --set "controller.extraArgs.annotations-prefix=nginx.ingress.kubernetes.io" --set "controller.extraArgs.enable-ssl-passthrough=" --set controller.hostNetwork=true
Internally I expose an HTTPS REST API service on port 19000. I want mutual TLS between the client and the service running inside k8s, so I tried to configure the ingress with SSL passthrough enabled. But when I set the nginx.ingress.kubernetes.io/ssl-passthrough annotation to "true" on the ingress, the backend still shows sslPassthrough set to false, and when I send a request to the service, nginx strips the TLS certificate from my request.

Am I missing some configuration to enable SSL passthrough on the backend?
$ kubectl ingress-nginx --deployment ingress-nginx-ingress-controller -n kube-system backends
[
  {
    "name": "default-tlsapi-service-19000",
    "service": {
      "metadata": {
        "creationTimestamp": null
      },
      "spec": {
        "ports": [
          {
            "protocol": "TCP",
            "port": 19000,
            "targetPort": 19000,
            "nodePort": 30000
          }
        ],
        "selector": {
          "app": "tlsapi"
        },
        "clusterIP": "10.96.218.188",
        "type": "NodePort",
        "sessionAffinity": "None",
        "externalTrafficPolicy": "Cluster"
      },
      "status": {
        "loadBalancer": {}
      }
    },
    "port": 19000,
    "sslPassthrough": false,
    "endpoints": [
      {
        "address": "172.17.0.7",
        "port": "19000"
      }
    ],
    "sessionAffinityConfig": {
      "name": "",
      "mode": "",
      "cookieSessionAffinity": {
        "name": ""
      }
    },
    "upstreamHashByConfig": {
      "upstream-hash-by-subset-size": 3
    },
    "noServer": false,
    "trafficShapingPolicy": {
      "weight": 0,
      "header": "",
      "headerValue": "",
      "cookie": ""
    }
  }
]
ingress.yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tlsapi-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: tlsapi.k8s
  - http:
      paths:
      - path: /
        backend:
          serviceName: tlsapi-service
          servicePort: 19000

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: tlsapi-service
spec:
  type: NodePort
  selector:
    app: tlsapi
  ports:
  - port: 19000
    targetPort: 19000
    nodePort: 30000

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tlsapi-deployment
spec:
  selector:
    matchLabels:
      app: tlsapi
  replicas: 1
  template:
    metadata:
      name: tlsapi-pod
      labels:
        app: tlsapi
    spec:
      containers:
      - name: tlsapi-container
        image: tlsapi:latest
        imagePullPolicy: IfNotPresent
You need to start the nginx ingress controller with the flag --enable-ssl-passthrough. You can provide this flag in the args section of the nginx ingress controller deployment yaml:

spec:
  # wait up to five minutes for the drain of connections
  terminationGracePeriodSeconds: 300
  serviceAccountName: nginx-ingress-serviceaccount
  containers:
    - name: nginx-ingress-controller
      image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:master
      args:
        - --enable-ssl-passthrough

You can confirm that the parameter has taken effect by looking at the nginx ingress controller logs and searching for

Starting TLS proxy for SSL Passthrough

Turns out the problem was with my ingress definition. I needed to remove the - in front of the http key.
Working ingress.yaml snippet

spec:
  rules:
  - host: tlsapi.k8s
    http:
      paths:
      - path: /
        backend:
          serviceName: tlsapi-service
          servicePort: 19000

Non-working ingress.yaml snippet

spec:
  rules:
  - host: tlsapi.k8s
  - http:
      paths:
      - path: /
        backend:
          serviceName: tlsapi-service
          servicePort: 19000

The single-character difference becomes more obvious if you convert the yaml to json.

After removing the character, SSL passthrough works as expected.

Hi, the flag is already provided. I can confirm that nginx is running with SSL passthrough enabled by looking at the logs and seeing the line: nginx.go:750] Starting TLS proxy for SSL Passthrough

Could you provide more details on where you got the command you used to inspect the backends?

It comes from the ingress-nginx kubectl plugin, see:

Is there another way to view/change the backend configuration? Maybe by exec-ing into the running nginx controller container?

This worked for me. Thanks a lot @ArghyaSadhu