[英]Need a Kubernetes 1.2 Ingress bare metal controller with SSL tutorial
The closest tutorial I can find in getting an SSL terminating Ingress and an nginx based controller running on bare metal (Digital Ocean, for example) is this: 在获取SSL终止Ingress和基于nginx的控制器上运行的最接近的教程是裸机(例如Digital Ocean):
https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx
but it leaves so many assumptions unexplained. 但它留下了许多无法解释的假设。
location ^~ /.well-known/acme-challenge/
which allows my LetsEncrypt cert renewals to work location ^~ /.well-known/acme-challenge/
允许我的LetsEncrypt证书续订工作 location /.well-known/acme-challenge/
location /.well-known/acme-challenge/
location /
location /
boo my answers apply to https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx 我的答案适用于https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx
- default backend at port 80 for all hosts that:
所有主机的端口80的默认后端:
- 404 on
location /.well-known/acme-challenge/
404
location /.well-known/acme-challenge/
this is not possible using Ingress rules 使用Ingress规则是不可能的
- 301 on
location /
301
location /
This is already supported. 这已经得到支持。 If the server contains a SSL certificate it will redirect to
https
automatically 如果服务器包含SSL证书,它将自动重定向到
https
- subdomain based routing to different backend services on port 443
基于子域的路由到端口443上的不同后端服务
- each subdomain points to a different SSL key/cert (generated by my LetsEncrypt, and stored in K8S as a secret I suppose??)
每个子域指向一个不同的SSL密钥/证书(由我的LetsEncrypt生成,并作为秘密存储在K8S中我想?)
You need to create multiple Ingress rules, one per subdomain. 您需要创建多个Ingress规则,每个子域一个。 Each rule can use a different secret name (this will create multiple servers, one per subdomain)
每个规则可以使用不同的秘密名称(这将创建多个服务器,每个子域一个)
- full documentation on writing Ingress rules
关于编写Ingress规则的完整文档
http://kubernetes.io/docs/user-guide/ingress/ http://kubernetes.io/docs/user-guide/ingress/
(I don't know id there's additional information besides the go code) (我不知道id除了go代码之外还有其他信息)
- can I configure SSL certs (on port 443) for each backend individually?
我可以为每个后端单独配置SSL证书(在端口443上)吗?
- is / the "path" that's a catchall for a host?
对于主持人而言,这是“路径”吗?
yes 是
- updating Ingress rules in place
更新Ingress规则
- what nginx controller do I use?
我使用什么nginx控制器? nginx?
nginx的? nginx-alpha?
nginx的-α? nginx-ingress docker container -- and where is the documentation for each of these controllers?
nginx-ingress docker container - 这些控制器的文档在哪里?
This depends on what you need, if you want to build you custom Ingress controller you can use nginx-alpha
as reference. 这取决于您的需求,如果您想构建自定义Ingress控制器,您可以使用
nginx-alpha
作为参考。 If nginx-ingress
is not clear in the examples please open an issue and mention what could be improved in the examples or it's missing 如果
nginx-ingress
在示例中不明确,请打开一个问题,并提及示例中可以改进的内容,或者它丢失了
- is there a base controller image that I can override the nginx.conf template that gets populated by Ingress changes from the API server?
是否有一个基本控制器映像,我可以覆盖nginx.conf模板,该模板由来自API服务器的Ingress更改填充?
No. The reason for this is that the template is tied to the go code that populates the template. 不可以。原因是模板与填充模板的go代码相关联。 That said, you can build a custom image changing the template but this requires you deploy the image to tests the changes
也就是说,您可以构建自定义映像来更改模板,但这需要您部署映像以测试更改
- how do you store SSL keys and certs as secrets?
如何将SSL密钥和证书存储为秘密?
yes, as secrets like this http://kubernetes.io/docs/user-guide/ingress/#tls 是的,像这样的秘密http://kubernetes.io/docs/user-guide/ingress/#tls
For the letsencrypt
support please check this comment https://github.com/kubernetes/kubernetes/issues/19899#issuecomment-184059009 有关
letsencrypt
支持,请查看此评论https://github.com/kubernetes/kubernetes/issues/19899#issuecomment-184059009
Here is a complete example https://gist.github.com/aledbf/d88c7f7d0b8d4d032035b14ab0965e26 added to examples in #766 这是一个完整的示例https://gist.github.com/aledbf/d88c7f7d0b8d4d032035b14ab0965e26 添加到#766中的示例
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.