[英]What's the way to expose a Kubernetes deployment to the world using HTTPS on AWS?
Suppose I have a deployment named app
running on my Kubernetes cluster (which is running on AWS) which is defined as such: 假设我有一个名为
app
的部署在我的Kubernetes集群(在AWS上运行)上运行,其定义如下:
apiVersion: apps/v1beta1 # for versions before 1.6.0 use extensions/v1beta1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 3
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.7.9
ports:
- containerPort: 80
(source: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#creating-a-deployment ) (来源: https : //kubernetes.io/docs/concepts/workloads/controllers/deployment/#creating-a-deployment )
I want to expose these pods to world using an AWS ELB. 我想使用AWS ELB将这些吊舱展示给世界。 Additionally, it is required (and generally advisable) to serve this service over HTTPS.
此外,通过HTTPS提供此服务是必需的(通常是可取的)。 As a matter of convenience, I would like to leverage AWS's Certificate Manager (ACM) to get free, evergreen certificates, instead of buying and managing the certificates myself.
为了方便起见,我想利用AWS的证书管理器(ACM)获得免费的常绿证书,而不是自己购买和管理证书。
If I try to expose the pods by creating a service using this command: kubectl expose deployment nginx-deployment --type=LoadBalancer --port=80 --target-port=80 --name=nginx-svc
如果我尝试通过使用以下命令创建服务来公开Pod:
kubectl expose deployment nginx-deployment --type=LoadBalancer --port=80 --target-port=80 --name=nginx-svc
An ELB is created, but it is a TCP load balancer, completely unaware of HTTP and I am unable to set an ACM certificate to it. 创建了一个ELB,但它是一个TCP负载平衡器,完全不了解HTTP,因此无法为其设置ACM证书。
How can I create the service so Kubernetes will create an HTTP load balancer and set my certificate to it? 如何创建服务,以便Kubernetes将创建HTTP负载平衡器并将证书设置为该负载平衡器?
Even though not very well documented it is indeed possible to do this. 即使没有充分记录,也确实可以这样做。 You can see on GitHub the source code of the module which is responsible for it here: https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/aws/aws.go#L125
您可以在GitHub上查看负责该模块的模块的源代码: https : //github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/aws/aws.go#L125
In order to utilize this feature create a YAML nginx-svc.yaml file like so: 为了利用此功能,请创建一个YAML nginx-svc.yaml文件,如下所示:
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-1:<account number>:certificate/<certificate id>
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
type: LoadBalancer
ports:
- port: 443
targetPort: 80
selector:
app: nginx
and use kubectl to create it: kubectl create -f nginx-svc.yaml
并使用kubectl进行创建:
kubectl create -f nginx-svc.yaml
wait a few minutes and you'll be good to go! 等待几分钟,您就可以开始了!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.