AWS ALB Ingress Controller does not resolve over TLS

Time: 2019-03-12 11:38:24

Tags: kubernetes amazon-eks

I have installed and configured the AWS ALB Ingress Controller (https://github.com/kubernetes-sigs/aws-alb-ingress-controller) and it works fine over HTTP. However, it does not resolve over HTTPS.

The Ingress resource looks like this:

$ kubectl describe ingress api-gateway-ingress
Name:             api-gateway-ingress
Namespace:        orbix-mvp
Address:          4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
Default backend:  default-http-backend:80 (<none>)
TLS:
  api-gateway.orbixpay.com terminates api-gateway.orbixpay.com,4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     
        /*   api-gateway:3000 (<none>)
Annotations:
  kubernetes.io/ingress.class:                       alb
  alb.ingress.kubernetes.io/scheme:                  internet-facing
  alb.ingress.kubernetes.io/ssl-policy:              ELBSecurityPolicy-2016-08
  alb.ingress.kubernetes.io/subnets:                 subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
  alb.ingress.kubernetes.io/success-codes:           302
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","alb.ingress.kubernetes.io/ssl-policy":"ELBSecurityPolicy-2016-08","alb.ingress.kubernetes.io/subnets":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","alb.ingress.kubernetes.io/success-codes":"302","kubernetes.io/ingress.class":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"api-gateway.orbixpay.com","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}

Events:  <none>

I have also added a self-signed SSL certificate, following the instructions here:

https://kubernetes.github.io/ingress-nginx/user-guide/tls/

When I edit it, the Ingress looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
    alb.ingress.kubernetes.io/subnets: subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
    alb.ingress.kubernetes.io/success-codes: "302"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","alb.ingress.kubernetes.io/ssl-policy":"ELBSecurityPolicy-2016-08","alb.ingress.kubernetes.io/subnets":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","alb.ingress.kubernetes.io/success-codes":"302","kubernetes.io/ingress.class":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"api-gateway.orbixpay.com","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}
    kubernetes.io/ingress.class: alb
  creationTimestamp: "2019-03-07T14:57:22Z"
  generation: 8
  labels:
    app: api-gateway
  name: api-gateway-ingress
  namespace: orbix-mvp
  resourceVersion: "2230952"
  selfLink: /apis/extensions/v1beta1/namespaces/orbix-mvp/ingresses/api-gateway-ingress
  uid: 4fd70b63-40e9-11e9-bfe7-024a064218ac
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: api-gateway
          servicePort: 3000
        path: /*
  tls:
  - hosts:
    - api-gateway.orbixpay.com
    - 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
    secretName: api-gateway.orbixpay.com
status:
  loadBalancer:
    ingress:
    - hostname: 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com

The thing is, the Ingress does not resolve over TLS - it just times out. As far as I can tell this is the correct way to set it up, so I have no idea why it is not working. Any help is appreciated.

1 answer:

Answer 0 (score: 5)

I think you are mixing up two different things here: you want to use the ALB Ingress Controller, but the configuration you show is for the Nginx controller. These are actually two completely different projects. They serve the same purpose, but they are completely different approaches to the problem. Nginx runs on your cluster, whereas the ALB Ingress Controller only configures an ALB, which runs on its own machines.

The thing to note is that an ALB cannot use custom certificates. At least not directly from Kubernetes. They must first be put into ACM.

If you already have the certificate in ACM, then according to the documentation the ALB ingress controller should match it.

You can also specify the certificate to use for the load balancer like this:

alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:1231234564:certificate/4564abc12-d3c2-4455-8c39-45354cddaf03

(replace with the ARN you get from ACM)

A few other general debugging tips:

  1. Search for the load balancer in the AWS Management Console and check whether the listeners have been applied as expected. If it looks like you have configured it, then something has definitely gone wrong in the logic here.
  2. If they have not been applied, the ALB Ingress Controller probably had a problem parsing your ingress. Check the logs of the alb-ingress-controller container in the kube-system namespace for more details on this.
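As an added example (not part of the question or the answer above), this is how the questioner's Ingress could be rewritten for the ALB Ingress Controller rather than for ingress-nginx. The spec.tls block with its secretName is dropped, because this controller does not read certificates from Kubernetes secrets; the certificate is referenced through the ACM ARN annotation instead, and an explicit HTTPS listener is requested. The ARN is the example value from the answer and must be replaced; the subnet IDs are the questioner's; the controller is assumed to be the v1.1 series, and the stricter ELBSecurityPolicy-TLS-1-2-2017-01 policy is a choice made here, not something the page prescribes. Note also that ACM will not issue a certificate for an amazonaws.com name, so clients have to use the custom hostname (pointed at the ALB with a CNAME or Route 53 alias); the ALB's own DNS name can never be listed as a TLS host.

```yaml
# Added example; assumptions: placeholder ACM ARN taken from the answer,
# questioner's subnets, ALB Ingress Controller v1.1.x annotations.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-gateway-ingress
  namespace: orbix-mvp
  labels:
    app: api-gateway
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
    # Ask for a 443 listener explicitly. Without an HTTPS entry here (or a
    # certificate-arn) the controller only creates the port 80 listener, and the
    # security group it manages does not allow 443 either, so HTTPS clients see a
    # timeout rather than a certificate error. Drop the HTTP entry for HTTPS-only.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # The certificate must already exist in ACM (imported or ACM-issued); replace
    # this example ARN from the answer with your own.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:1231234564:certificate/4564abc12-d3c2-4455-8c39-45354cddaf03
    # Assumed hardening choice: ELBSecurityPolicy-2016-08 (used in the question)
    # still negotiates TLS 1.0 and 1.1; this policy accepts TLS 1.2 only.
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    # Health check treats the app's 302 as healthy, as in the original manifest.
    alb.ingress.kubernetes.io/success-codes: "302"
spec:
  rules:
  # Host is set here so the rule matches only the name the certificate covers.
  - host: api-gateway.orbixpay.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: api-gateway
          servicePort: 3000
  # No spec.tls: the ALB Ingress Controller ignores it and the secret it names.
```

After applying the manifest, follow the answer's two checks: confirm in the EC2 console (Load Balancers, Listeners tab) that the ALB now has an HTTPS:443 listener carrying the ACM certificate and the chosen policy, and if it does not, read the controller's logs in kube-system (the Deployment is called alb-ingress-controller when installed from the project's sample manifest) for the parse or ACM error.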