用于Azure Kubernetes服务502错误网关的nginx-ingress控制器

时间:2019-04-25 14:53:42

标签: azure nginx kubernetes kubernetes-ingress nginx-ingress

我无法让nginx-ingress控制器在Azure Kubernetes服务上工作;每当我尝试访问一些公开为“服务”的Web API时,它当前都会返回502 Bad Gateway。 因为必须使用现有证书,所以我遵循https://docs.microsoft.com/en-us/azure/aks/ingress-own-tls来设置控制器,并遵循https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/从PFX生成证书和密钥(如何从Azure密钥保管库导出证书)。我使用包括中间证书和根证书以及解密的密钥文件的证书创建了秘密的“ aks-ingress-tls”。 我有一个用于创建部署的YAML文件,一个用于公开它的服务以及一个路由到它的入口。应用此YAML,我可以通过HTTP中的IP地址访问服务,但是将HTTPS应用于Ingress Controller的EXTERNAL_IP始终会出现502错误。 我的YAML文件(已删除):

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-api
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: my-api
  replicas: 3
  template:
    metadata:
      labels:
        app: my-api
    spec:
      containers:
      - name: my-api
        image: [REDACTED]/my-api:1.0
        ports:
        - containerPort: 443
        - containerPort: 80
      imagePullSecrets: 
      - name: data-creds
---
apiVersion: v1
kind: Service
metadata:
  name: my-service
  labels:
    app: my-service
spec:
  ports:
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
  selector:
    app: my-api
  type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts: 
    - [REDACTED].co.uk
    secretName: aks-ingress-tls
  rules:
  - host: [REDACTED].co.uk
    http:
      paths:
      - path: /
        backend:
          serviceName: my-service
          servicePort: 443

我在主机文件中添加了一条记录(我在Windows上,因此不能使用curl的--resolve)将[REDACTED] .co.uk映射到入口控制器的EXTERNAL_IP,因此我可以尝试访问它。那是我得到错误的时间。 curl -v https://[REDACTED].co.uk给出了这个:

VERBOSE: GET https://[REDACTED].co.uk/ with 0-byte payload
curl : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
+ curl -v https://[REDACTED].co.uk
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

查看入口控制器之一容器的日志:

10.244.1.1 - [10.244.1.1] - - [25/Apr/2019:13:39:20 +0000] "GET / HTTP/2.0" 502 559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" 10 0.001 [default-sub360-auth-service-443] 10.244.1.254:443, 10.244.1.3:443, 10.244.1.4:443 0, 0, 0 0.000, 0.000, 0.000 502, 502, 502 e44e21c8a2f61f5137c9afdfc64c6584
2019/04/25 13:39:20 [error] 1622#1622: *1127096 connect() failed (111: Connection refused) while connecting to upstream, client: 10.244.1.1, server: [REDACTED].co.uk, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.244.1.254:443/favicon.ico", host: "[REDACTED].co.uk", referrer: "https://[REDACTED].co.uk/"
2019/04/25 13:39:20 [error] 1622#1622: *1127096 connect() failed (111: Connection refused) while connecting to upstream, client: 10.244.1.1, server: [REDACTED].co.uk, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.244.1.3:443/favicon.ico", host: "[REDACTED].co.uk", referrer: "https://[REDACTED].co.uk/"
2019/04/25 13:39:20 [error] 1622#1622: *1127096 connect() failed (111: Connection refused) while connecting to upstream, client: 10.244.1.1, server: [REDACTED].co.uk, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.244.1.4:443/favicon.ico", host: "[REDACTED].co.uk", referrer: "https://[REDACTED].co.uk/"
10.244.1.1 - [10.244.1.1] - - [25/Apr/2019:13:39:20 +0000] "GET /favicon.ico HTTP/2.0" 502 559 "https://[REDACTED].co.uk/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" 26 0.000 [default-sub360-auth-service-443] 10.244.1.254:443, 10.244.1.3:443, 10.244.1.4:443 0, 0, 0 0.000, 0.000, 0.004 502, 502, 502 63b6ed4414bf32694de3d136f7f277aa

任何人都可以指出我现在需要做些什么或要做些什么?

1 个答案:

答案 0 :(得分:1)

对于您的问题,入口使用HTTPS协议和端口443,因此您无需为容器公开端口443。只需公开您的应用程序侦听的端口。

对您来说,这意味着您只需要暴露容器和服务的端口80。您还需要删除注释nginx.ingress.kubernetes.io/backend-protocol: "HTTPS",并将servicePort值更改为80。

注意:将DNS名称添加到证书中也很重要。