
k8s nginx ingress TLS rules: cert vs. paths

I am struggling to get my nginx ingress (on AWS EKS) working with path rules and TLS.

The ingress is from here

A snippet from the Ingress looks like:

spec:
  tls:
  - hosts:
      - example.com
    secretName: ingress-tls
  rules:
  - host: example.com
  - http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 443

This ingress creates the AWS network load balancer, with a URL like https://xyz.elb.us-west-1.amazonaws.com/

I am updating the ingress-tls secret with a certificate using cert-manager.

When I access the ingress using the NLB URL https://xyz.elb.us-west-1.amazonaws.com/api, I get

  1. GOOD: Correct routing based on the path rules from the ingress definition (i.e. it goes to my api-service as expected)
  2. BAD: Certificate errors since I'm not accessing the ingress with the domain that the certificate is for.

When I access the ingress using the correct domain, e.g. https://example.com/api, which is what I want to do, I get:

  1. BAD: 404, it doesn't respect my path rules, and goes to upstream-default-backend instead.
  2. GOOD: certificate all good, it's the one for example.com that cert-manager configured.

I tried removing the host: example.com from the rules:, which gives me:

  1. GOOD: Correct routing based on the path rules from the ingress definition
  2. BAD: Certificate errors, it serves up the default ingress “Fake” certificate instead of the one for example.com, I guess since the host is missing from the rules, though not sure of the exact reason.

Can someone please help me get

  1. GOOD
  2. GOOD

I'm at a loss here.

After staring at this for several more hours, and digging through the nasty chunk of lua that is the nginx.conf for this, I found it. Maybe someday someone will have this problem and might find this useful.

The problem was:

  rules:
  - host: example.com
  - http:

This is defining (I think) a host with no forwarding rules, then some http forwarding rules without a host. What I had intended was obviously that the forwarding rules would be for the host.

And that would be:

  rules:
  - host: example.com
    http:

I have to say that I'm now even less of a fan of YAML than I was previously, if that's even possible.
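The split-rule mistake described in this post can be caught before deployment. The following is an added example, not code from the original post or from ingress-nginx: a small lint over the JSON that `kubectl get ingress -o json` returns. The function name, finding codes and the embedded sample are constructed for illustration.

```python
import copy
import json

# Constructed sample: the question's spec in the shape `kubectl get ingress -o json` returns.
BROKEN = json.loads("""
{"spec": {
  "tls": [{"hosts": ["example.com"], "secretName": "ingress-tls"}],
  "rules": [
    {"host": "example.com"},
    {"http": {"paths": [{"path": "/api", "pathType": "Prefix",
      "backend": {"service": {"name": "api-service", "port": {"number": 443}}}}]}}
  ]}}
""")

# The corrected form from the answer: host and http in the same rule entry.
FIXED = copy.deepcopy(BROKEN)
FIXED["spec"]["rules"] = [{"host": "example.com",
                           "http": BROKEN["spec"]["rules"][1]["http"]}]

def lint_ingress_rules(ingress):
    """Return (rule_index, code, message) findings for split host/http rules."""
    spec = ingress.get("spec", {})
    # Hosts that have a certificate configured (exact names only, no wildcard matching).
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    findings, routed_hosts = [], set()
    for i, rule in enumerate(spec.get("rules") or []):
        host = rule.get("host")
        paths = (rule.get("http") or {}).get("paths") or []
        if host and not paths:
            # Host entry with nothing to route to: requests land on the default backend.
            findings.append((i, "host-without-paths", f"{host} has no http.paths"))
        elif paths and not host:
            # Catch-all rule: applies to every Host header, not only the TLS host.
            findings.append((i, "hostless-rule", "paths match any Host header"))
        elif host:
            routed_hosts.add(host)
    for host in sorted(tls_hosts - routed_hosts):
        findings.append((None, "tls-host-unrouted",
                         f"{host} has a certificate but no paths"))
    return findings

if __name__ == "__main__":
    for finding in lint_ingress_rules(BROKEN):
        print(finding)
```
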
