无法访问Kubernetes群集上的新港口部署

Question

首次尝试使用VMWare的Harbor注册服务器，并将其作为新Kubernetes群集上的部署进行尝试。

在遵循Harbor on Kubernetes指南后，所有Harbor资源都会应用于k8s群集，并且可以看到正常运行。但是，我目前无法从网络浏览器访问Harbour ui（我只是回到“无法连接”）。我猜是安全性设置不正确，有些东西丢失或位置错误？

make/harbor.cfg文件配置为：

hostname = k8s-dp-2＃这是Harbour正在运行的工作节点。

ui_url_protocol = https

ssl_cert = /path/to/cert/on/host/harbor.crt

ssl_cert_key = /path/to/cert/on/host/harbor.key

secretkey_path = /data

我假设上面证书的路径是主机上的路径，python脚本将从中获取文件然后执行YAML构建？

----更新---

在评论中给出建议后，我现在在k8s集群中配置了一个nginx入口控制器。添加此入口控制器后，我已更新Harbor配置以使用http而不再使用https，因为现在应该由nginx入口控制器处理https部分。现在这些配置更改已经到位，我仍然无法通过https访问Harbour服务，但我现在可以通过kubernetes集群的http端口调用Harbour服务。见下面的测试

# kubectl get svc -n=nginx-ingress NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nginx-ingress NodePort 10.103.165.23 <none> 80:31819/TCP,443:30435/TCP 20h

测试呼叫1：

$ curl https://k8s-dp-2/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to k8s-dp-2 port 443: Connection refused

测试电话2：

$ curl https://k8s-dp-2:30435/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

测试电话3：

$ curl http://k8s-dp-2/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to k8s-dp-2 port 80: Connection refused

测试电话4：

$ curl http://k8s-dp-2:31819/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   810  100   810    0     0  12857      0 --:--:-- --:--:-- --:--:-- 12857<!doctype html>
<html>

<head>
    <meta charset="utf-8">
    <title>Harbor</title>
    <base href="/">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="icon" type="image/x-icon" href="favicon.ico?v=2">
</head>

<body style="overflow-y: hidden;">
...

Answer 1

尝试各种不同的配置后，下面发布的YAML配置对我有用：

Ingress Conroller YAML：

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-nginx
  template:
    metadata:
      labels:
        app: ingress-nginx
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.11.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --default-ssl-certificate=$(POD_NAMESPACE)/default-tls-secret
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
          - name: http
            containerPort: 80
          - name: https
            containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1

Ingress YAML：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: harbor
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - k8s-dp-2
  rules:
  - host: k8s-dp-2
    http:
      paths:
      - path: /
        backend:
          serviceName: ui
          servicePort: 80
      - path: /v2
        backend:
          serviceName: registry
          servicePort: repo
      - path: /service
        backend:
          serviceName: ui
          servicePort: 80

服务YAML：

apiVersion: v1
kind: Service
metadata:
  name: ui
spec:
  ports:
    - port: 80
  selector:
    name: ui-apps

然而，获得有效的解决方案并不简单。不得不学习很多关于入口控制器，入口等的知识。另外，我最初混合来自两个不同nginx入口控制器映像的配置，这些映像的工作方式不同（下面的配置使用quay.io的nginx入口控制器）。此外，由于我仍然无法理解的原因，最终配置仅在完全重启所涉及的k8s节点后才开始工作。