
Kubernetes internal nginx ingress controller with SSL termination & ssl-passthrough

I am very new to using helm charts for deploying containers, and I have also never worked with nginx controllers or ingress controllers. However, I am being asked to look into improving our internal nginx ingress controllers to allow for SSL-passthrough.

Right now we have external (public facing) and internal controllers, where the public ones allow SSL-passthrough and the internal ones have SSL-termination. I have also been told that nginx is a reverse proxy, and that it works based on headers in the URL.

I am hoping someone can help me out on this helm chart that I have for the internal ingress controllers. Currently I am under the impression that having SSL termination as well as SSL-passthrough on the same ingress controllers would not be possible. Answered this one myself: https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru

Our current (internal) ingress code:

---

rbac:
  create: true

controller:
  ingressClass: nginx-internal
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu:110:certificate/62-b3
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: !!str 443
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: !!str 3600

    targetPorts:
      https: 80

  replicaCount: 3

defaultBackend:
  replicaCount: 3

Can I simply add the following?

controller:
    extraArgs:
        enable-ssl-passthrough: ""

Note: The above piece of code is what we use on our external ingress controller.

Additionally, I found this: Ingress and SSL Passthrough

Can I just go and mix the annotations? Or do annotations only care about the 'top domain level' where the annotation comes from? E.g.:

service.beta.kubernetes.io
nginx.ingress.kubernetes.io

Both come from the domain kubernetes.io, or does the sub-domain make a difference? I mean: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md That page doesn't show any of the service.beta annotations on it.

What's the difference between the extraArg ssl-passthrough configuration and the ssl-passthrough configuration in the annotations?

I'm looking mostly for an answer on how to get the SSL-passthrough working without breaking the SSL-termination on the internal ingress controllers. However, any extra information to gain more insight and knowledge as far as my other questions go would also be very appreciated :)

So I found the answer to my own question(s): The annotations appear to be 'configuration items'. I'm using quotes because I can't find a better term. The extraArgs parameter is where you can pass any parameter to the controller as if it were a commandline parameter. And I think it is also safe to say that the annotations can be either any of the same top-level domain. I have not found any that weren't from another domain than kubernetes.io.

To get my ingress controller to work side-by-side with the SSL-termination controller the helm chart looks as follows:

---
rbac:
  create: true

controller:
  ingressClass: nginx-internal-ssl-passthrough
  service:
    annotations:
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "tag3=value3, tag3=value3, tag3=value3, tag3=value3"
    targetPorts:
      https: 443
  replicaCount: 2
  extraArgs:
    enable-ssl-passthrough: ""

defaultBackend:
  replicaCount: 2

Took me about 2 days of researching/searching the web & 6 deployments to get the whole setup working with AWS nlb, ssl-passthrough enabled, cross-zone loadbalancing, etc. But after having found the following pages it went pretty fast:
https://kubernetes.github.io/ingress-nginx/deploy/
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
https://kubernetes.io/docs/concepts/services-networking/service/

This last page helped me a lot. If someone else gets to deploy SSL-termination and SSL-passthrough for either public or private connections, I hope this helps too.

From here you can find out how to redirect the HTTPS traffic to the pod without SSL-termination: https://stackoverflow.com/a/66767691/1938507
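The two charts above differ in exactly the settings that decide whether the controller ever sees the client's TLS handshake. The following checker is an added example (not code from the post or from ingress-nginx): it transcribes both value sets into Python dicts and reports the load-balancer settings that would defeat passthrough; `check_passthrough` is an assumed name, and the note about the ssl-passthrough annotation follows the ingress-nginx annotation docs linked in the answer.

```python
# Added example (not from the post): consistency checks for ingress-nginx
# Helm values that combine --enable-ssl-passthrough with an AWS load
# balancer Service. Both charts from the post are transcribed into dicts
# so no YAML library is needed; check_passthrough() is an assumed name.

SVC = "service.beta.kubernetes.io/"
NGX = "nginx.ingress.kubernetes.io/"

# Current internal chart (TLS terminated at the ELB) plus the proposed extraArgs.
TERMINATION_VALUES = {"controller": {
    "ingressClass": "nginx-internal",
    "service": {"annotations": {
        SVC + "aws-load-balancer-internal": "0.0.0.0/0",
        SVC + "aws-load-balancer-ssl-cert": "arn:aws:acm:eu:110:certificate/62-b3",
        SVC + "aws-load-balancer-ssl-ports": "443",
        SVC + "aws-load-balancer-backend-protocol": "http"},
        "targetPorts": {"https": 80}},
    "extraArgs": {"enable-ssl-passthrough": ""}}}

# Chart from the answer (NLB forwards raw TCP 443 to the controller).
PASSTHROUGH_VALUES = {"controller": {
    "ingressClass": "nginx-internal-ssl-passthrough",
    "service": {"annotations": {
        NGX + "ssl-passthrough": "true",
        SVC + "aws-load-balancer-type": "nlb",
        SVC + "aws-load-balancer-internal": "true"},
        "targetPorts": {"https": 443}},
    "extraArgs": {"enable-ssl-passthrough": ""}}}


def check_passthrough(values):
    """Return findings (strings) explaining why SSL passthrough would not
    reach the controller intact; an empty list means the values are consistent."""
    ctl = values.get("controller", {})
    if "enable-ssl-passthrough" not in ctl.get("extraArgs", {}):
        return ["passthrough is off by default: add enable-ssl-passthrough to controller.extraArgs"]
    svc = ctl.get("service", {})
    ann = svc.get("annotations", {})
    findings = []
    if SVC + "aws-load-balancer-ssl-cert" in ann:
        findings.append("LB terminates TLS (aws-load-balancer-ssl-cert), so the controller never sees the client's TLS handshake")
    if ann.get(SVC + "aws-load-balancer-backend-protocol", "tcp") == "http":
        findings.append("backend-protocol http sends plaintext to the controller; passthrough needs a TCP listener")
    if svc.get("targetPorts", {}).get("https") != 443:
        findings.append("targetPorts.https must be 443 so the TLS stream lands on the controller's HTTPS port")
    if NGX + "ssl-passthrough" in ann:
        findings.append("ssl-passthrough is an Ingress annotation; on the Service it is ignored, set it on the Ingress object instead")
    return findings
```

Running it on the first chart reports three blockers (LB-side certificate, http backend protocol, target port 80), which is why adding only the extraArgs flag would not have been enough; the answer's chart passes except for the annotation sitting on the Service rather than on the Ingress.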
