
Need a Kubernetes 1.2 Ingress bare metal controller with SSL tutorial

The closest tutorial I can find in getting an SSL terminating Ingress and an nginx based controller running on bare metal (Digital Ocean, for example) is this:

https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx

but it leaves so many assumptions unexplained.

My ingress requirements are simply:

  • default backend at port 80 for all hosts that:
    • file access to location ^~ /.well-known/acme-challenge/ which allows my LetsEncrypt cert renewals to work
    • 404 on location /.well-known/acme-challenge/
    • 301 on location /
  • subdomain based routing to different backend services on port 443
  • each subdomain points to a different SSL key/cert (generated by my LetsEncrypt, and stored in K8S as a secret I suppose??)

What I think I need is this:

  • full documentation on writing Ingress rules
    • can I configure SSL certs (on port 443) for each backend individually?
    • is / the "path" that's a catchall for a host?
  • updating Ingress rules in place
  • what nginx controller do I use? nginx? nginx-alpha? nginx-ingress docker container -- and where is the documentation for each of these controllers?
    • is there a base controller image that I can override the nginx.conf template that gets populated by Ingress changes from the API server?
  • how do you store SSL keys and certs as secrets?

My answers apply to https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx

  • default backend at port 80 for all hosts that:
    • 404 on location /.well-known/acme-challenge/

This is not possible using Ingress rules.

  • 301 on location /

This is already supported. If the server contains an SSL certificate it will redirect to https automatically.

  • subdomain based routing to different backend services on port 443
  • each subdomain points to a different SSL key/cert (generated by my LetsEncrypt, and stored in K8S as a secret I suppose??)

You need to create multiple Ingress rules, one per subdomain. Each rule can use a different secret name (this will create multiple servers, one per subdomain).

What I think I need is this:

  • full documentation on writing Ingress rules

http://kubernetes.io/docs/user-guide/ingress/

(I don't know if there's additional information besides the go code)

  • can I configure SSL certs (on port 443) for each backend individually?
  • is / the "path" that's a catchall for a host?

yes

  • updating Ingress rules in place
  • what nginx controller do I use? nginx? nginx-alpha? nginx-ingress docker container -- and where is the documentation for each of these controllers?

This depends on what you need. If you want to build your custom Ingress controller you can use nginx-alpha as reference. If nginx-ingress is not clear in the examples please open an issue and mention what could be improved in the examples or what's missing.

  • is there a base controller image that I can override the nginx.conf template that gets populated by Ingress changes from the API server?

No. The reason for this is that the template is tied to the go code that populates the template. That said, you can build a custom image changing the template but this requires you to deploy the image to test the changes.

  • how do you store SSL keys and certs as secrets?

Yes, as secrets like this: http://kubernetes.io/docs/user-guide/ingress/#tls

For the letsencrypt support please check this comment: https://github.com/kubernetes/kubernetes/issues/19899#issuecomment-184059009

Here is a complete example https://gist.github.com/aledbf/d88c7f7d0b8d4d032035b14ab0965e26 added to examples in #766
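
Added example, not part of the original answer or the linked gist: the one-Ingress-per-subdomain layout the answer describes, written against the extensions/v1beta1 API that Kubernetes 1.2 served. The host names, service names, secret names and placeholder certificate data are assumptions.

```yaml
# Added illustration; every name below is hypothetical.
# One Secret per subdomain, in the same namespace as the Ingress that uses it.
# tls.crt / tls.key hold the base64-encoded PEM certificate chain and private key.
# Keep the filled-in manifest out of version control: it contains the private key.
apiVersion: v1
kind: Secret
metadata:
  name: app-example-tls
  namespace: default
data:
  tls.crt: "REPLACE_WITH_BASE64_PEM_CERT_CHAIN"
  tls.key: "REPLACE_WITH_BASE64_PEM_PRIVATE_KEY"
---
# Ingress for the first subdomain, terminating TLS with its own secret.
# Later API versions (networking.k8s.io/v1) use a different backend syntax.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-example
  namespace: default
spec:
  tls:
    - hosts:
        - app.example.com
      secretName: app-example-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /            # catch-all path for this host
            backend:
              serviceName: app-svc
              servicePort: 80
---
# Second subdomain: separate Ingress, separate secret (api-example-tls is
# created the same way as app-example-tls above).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-example
  namespace: default
spec:
  tls:
    - hosts: ["api.example.com"]
      secretName: api-example-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            backend: {serviceName: api-svc, servicePort: 80}
```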
