堆栈内存溢出
  简体   繁体   English

如何使用 Amazon EKS 上的 kubernetes 入口控制器将 http 重定向到 https

[英]how to redirect http to https using a kubernetes ingress controller on Amazon EKS

 原文  2019-09-17 18:18:23       kubernetes/ kubernetes-ingress/ amazon-eks

问题描述

I have configured amazon certificate manager, ALB Ingress Controller and a domain names for my application.我已经为我的应用程序配置了亚马逊证书管理器、ALB 入口控制器和域名。 I can access my application through port 80 and port 443 (all certificates works just fine).我可以通过端口 80 和端口 443 访问我的应用程序(所有证书都可以正常工作)。 However I would like to redirect all coming traffic from HTTP to HTTPS automatically so that people who typed the domain name by itself is redirected to HTTPS.但是,我想将所有来自 HTTP 的流量自动重定向到 HTTPS,以便将自己输入域名的人重定向到 HTTPS。 I have followed this page and this one but I cannot make it work我按照 这个网页这一个,但我不能使它工作

this is my ingress.yaml file:这是我的 ingress.yaml 文件:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: metabase
  namespace: bigdata
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/***
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/scheme: internet-facing

  labels:
    app: metabase
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: metabase
              servicePort: 3000

this is my service:这是我的服务:

apiVersion: v1
kind: Service
metadata:
  name: metabase
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:****:certificate/****
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  namespace: bigdata
  labels:
    app: metabase
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: http-server
    - name: http
      protocol: TCP
      port: 80
      targetPort: http-server
  selector:
    app: metabase
  type: LoadBalancer

ad this is my deployment:广告这是我的部署:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: metabase-deployment
  namespace: bigdata
  labels:
    app: metabase
spec:
  replicas: 2
  selector:
    matchLabels:
      app: metabase
  template:
    metadata:
      labels:
        app: metabase
    spec:
      containers:
        - name: metabase
          image: metabase/metabase
          ports:
            - containerPort: 3000
              name: http-server
          resources:
            limits:
              cpu: "1"
              memory: "2Gi"

thanks for your support!谢谢您的支持! :-) :-)

4 个解决方案

解决方案1
 5  2019-09-17 18:24:32

You need to use the nginx.ingress.kubernetes.io/force-ssl-redirect: "true" annotation:您需要使用nginx.ingress.kubernetes.io/force-ssl-redirect: "true"注释:

When using SSL offloading outside of cluster (eg AWS ELB) it may be useful to enforce a redirect to HTTPS even when there is no TLS certificate is available.在集群外使用 SSL 卸载(例如 AWS ELB)时,即使没有可用的 TLS 证书,强制重定向到 HTTPS 也可能很有用。 This can be achieved by using the nginx.ingress.kubernetes.io/force-ssl-redirect: "true" annotation in the particular resource.这可以通过在特定资源中使用nginx.ingress.kubernetes.io/force-ssl-redirect: "true"注释来实现。

解决方案2
 5 已采纳  2019-09-20 20:27:41

I was able to make it work!!我能够让它工作! basically I modified the ingress.yaml and service.yaml files基本上我修改了 ingress.yaml 和 service.yaml 文件

ingress.yaml looks like this: ingress.yaml 看起来像这样:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: metabase
  namespace: bigdata
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/****
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group: metabase # name of my app

  labels:
    app: metabase

spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: metabase
              servicePort: 443

and my service looks like this:我的服务如下所示:

apiVersion: v1
kind: Service
metadata:
  name: metabase
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:***:certificate/***
  namespace: bigdata
  labels:
    app: metabase
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: http-server
    - name: http
      protocol: TCP
      port: 80
      targetPort: http-server
  selector:
    app: metabase
  type: LoadBalancer

解决方案3
 3  2020-12-05 09:37:46

I have spent quite some time trying to make this work and finally succeeded.我花了相当多的时间试图使这项工作成功并最终成功。 Probably someone will find it useful.可能有人会发现它很有用。 I will try to describe step by step approach to setup ALB with HTTP to HTTPs redirect.我将尝试逐步描述使用 HTTP 到 HTTPs 重定向设置 ALB 的方法。

  1. Check that your ALB controller is up and running:检查您的 ALB 控制器是否已启动并正在运行:
kubectl get deployment -n kube-system aws-load-balancer-controller

Printout should be similar to the one below:打印输出应类似于以下内容:

NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
aws-load-balancer-controller   1/1     1            1           18h

If your controller does not work, no Load Balancer will be created.如果您的控制器不起作用,则不会创建负载均衡器。

  1. Check that your yaml file is good.检查您的 yaml 文件是否完好。 Below I provide a simple Yaml file that worked in my case.下面我提供了一个适用于我的案例的简单 Yaml 文件。 Some comments about this file:关于这个文件的一些评论:
    a) Please use your SSL/TLS certificate ARN (I used XXXXXXX). a) 请使用您的 SSL/TLS 证书 ARN(我使用的是 XXXXXXX)。
    b) Please use your image (I used YYYYYYYYYY). b) 请使用您的图片(我使用的是 YYYYYYYYYY)。 My container image is stored in the ECR (Elastic Container Registry).我的容器映像存储在 ECR(弹性容器注册表)中。
    c) Please note that a strange service marked ssl-redirect with servicePort: c) 请注意一个用 servicePort 标记为 ssl-redirect 的奇怪服务:
    use-annotations is created according to the annotations specification.使用注释是根据注释规范创建的。
    https://kubernetes-sigs.github.io/aws-load-balancer-controller/guide/ingress/annotations/ https://kubernetes-sigs.github.io/aws-load-balancer-controller/guide/ingress/annotations/

  2. Once you run: kubectl apply -f service.yaml Please check two things:运行后: kubectl apply -f service.yaml请检查两件事:
    a) kubectl -n default describe ingress a) kubectl -n default describe ingress
    This command should show that reconciliation was successful: the end of the printout should show:此命令应显示对帐成功:打印输出的结尾应显示:
    Normal SuccessfullyReconciled 11s (x3 over 18m) ingress Successfully reconciled
    In the same printout (top of the printout) do not pay attention to the log entry:在同一个打印输出(打印输出的顶部)不要注意日志条目:
    /* ssl-redirect:use-annotation (<error: endpoints "ssl-redirect" not found>)
    b) aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn,'default-nginx')].{Arn: LoadBalancerArn}" --output text | xargs -I {} aws elbv2 describe-listeners --load-balancer-arn {} b) aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn,'default-nginx')].{Arn: LoadBalancerArn}" --output text | xargs -I {} aws elbv2 describe-listeners --load-balancer-arn {} aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn,'default-nginx')].{Arn: LoadBalancerArn}" --output text | xargs -I {} aws elbv2 describe-listeners --load-balancer-arn {}
    This command should show to you that a new ALB was created and two Listeners were created.此命令应向您显示创建了一个新的 ALB 并创建了两个侦听器。 Do not pay attention that the HTTP listener does not seem to have correct redirect configuration.不要注意 HTTP 侦听器似乎没有正确的重定向配置。

-- YAML -- -- YAML --

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: default
  name: nginx-ingress
  annotations:
      kubernetes.io/ingress.class: alb
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/tags: createdBy=aws-controller
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
      alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXX

  labels:
    app: nginx-ingress

spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: nginx-service
              servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  namespace: default
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - name: http
      protocol: TCP
      port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: YYYYYYYYYYYY.dkr.ecr.eu-central-1.amazonaws.com/webfe:latest
        ports:
        - containerPort: 80

解决方案4
 0  2021-07-08 11:34:43

Just in case you are looking for the proper new syntax (the rest is the same)以防万一您正在寻找合适的新语法(其余相同)

      - path: /
        pathType: Prefix
        backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation

解决方案5
 -1  2020-08-19 18:43:22

I have configured amazon certificate manager, ALB Ingress Controller and a domain names for my application.我已经为我的应用程序配置了亚马逊证书管理器,ALB入口控制器和域名。 I can access my application through port 80 and port 443 (all certificates works just fine).我可以通过端口80和443访问我的应用程序(所有证书都可以正常工作)。 However I would like to redirect all coming traffic from HTTP to HTTPS automatically so that people who typed the domain name by itself is redirected to HTTPS.但是,我想将所有即将来临的流量从HTTP自动重定向到HTTPS,以便将自己键入域名的人重定向到HTTPS。 I have followed this page and this one but I cannot make it work我按照 这个网页这一个,但我不能使它工作

this is my ingress.yaml file:这是我的ingress.yaml文件:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: metabase
  namespace: bigdata
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/***
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/scheme: internet-facing

  labels:
    app: metabase
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: metabase
              servicePort: 3000

this is my service:这是我的服务:

apiVersion: v1
kind: Service
metadata:
  name: metabase
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:****:certificate/****
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  namespace: bigdata
  labels:
    app: metabase
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: http-server
    - name: http
      protocol: TCP
      port: 80
      targetPort: http-server
  selector:
    app: metabase
  type: LoadBalancer

ad this is my deployment:广告这是我的部署:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: metabase-deployment
  namespace: bigdata
  labels:
    app: metabase
spec:
  replicas: 2
  selector:
    matchLabels:
      app: metabase
  template:
    metadata:
      labels:
        app: metabase
    spec:
      containers:
        - name: metabase
          image: metabase/metabase
          ports:
            - containerPort: 3000
              name: http-server
          resources:
            limits:
              cpu: "1"
              memory: "2Gi"

thanks for your support!谢谢你的支持! :-) :-)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 eks http https 使用入口重定向 - eks http https redirect using ingress kubernetes nginx ingress无法将HTTP重定向到HTTPS - kubernetes nginx ingress fails to redirect HTTP to HTTPS Kubernetes 入口重定向到 https - Kubernetes ingress redirect to https 如何禁用 http 使用 Kube.netes Nginx ingress controller 访问服务? - How to disable http access to service using Kubernetes Nginx ingress controller? Kubernetes Nginx Ingress HTTP到HTTPS是通过301而不是308重定向的? - Kubernetes Nginx Ingress HTTP to HTTPS redirect via 301 instead of 308? Kubernetes 入口:SSL(HTTP -&gt; HTTPS)重定向不起作用(Nginx Docker) - Kubernetes Ingress: SSL (HTTP -> HTTPS) redirect not working (Nginx Docker) 用于Kubernetes(AWS EKS)的Traefik入口控制器 - Traefik Ingress Controller for Kubernetes (AWS EKS) 无法在亚马逊 eks 上创建 ALB 入口控制器 - failing to create ALB ingress controller on amazon eks 如何使用 Google 计算云在 kubernetes_ingress_v1 中自动从 http 重定向到 https? - How to redirect from http to https automatically in kubernetes_ingress_v1 with Google compute cloud? Kubernetes 入口 nginx 重定向到 https - Kubernetes ingress nginx redirect to https
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM