AKS with AGIC and Application Gateway

I have an AKS cluster with the add-on AGIC enabled (will try and convert it into Helm-based AGIC in the near future). At the moment I have an application on this cluster with the Ingress set to the Application Gateway. This works perfectly on port 80 at the moment.

If I want to enable SSL, do I just need to add the certificate at the App Gateway and then reference that in deployment as such? (example taken from https://thewindowsupdate.com/2021/10/19/what-does-it-mean-for-the-application-gateway-ingress-controller-agic-to-assume-full-ownership/)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: <name of your certificated added to Application Gateway>
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: aspnetapp
          servicePort: 80

Although the service port is set to 80 above, will the App GW apply TLS automatically? Should the service port above be 80 or 443? Or does it not matter since the SSL Redirect is set? Also what aspects does this encrypt automatically?

  • External -> App GW ?
  • App GW -> Ingress ?

Also, do I need another certificate for the external side of App GW as well? Or do I need just the one cert?

AGIC will create:

  • 2 listeners: HTTP on port 80 and HTTPS on port 443. The HTTPS listener will be configured with the SSL certificate from appgw.ingress.kubernetes.io/appgw-ssl-certificate.
  • 2 routing rules: one to redirect the HTTP listener traffic to the HTTPS listener. The HTTPS listener will be configured to target your backend on AKS.

By default AGIC will do TLS termination so the traffic between app gateway and the AKS cluster will be using HTTP (not HTTPS) protocol. The port configured will be the port configured in the targetPort of your service.

On another note, you should have seen this warning before:

extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

You should update AGIC to use the latest version and change your manifest to use networking.k8s.io/v1 Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "<name of your certificate added to Application Gateway>"
spec:
  rules:
...
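
The hop-by-hop behaviour described in this answer, written as a manifest check. This is an added example, not part of the original answer or of AGIC itself. The function name, finding labels and sample dict are hypothetical, and the `backend-protocol` annotation comes from AGIC's annotation set rather than from this page.

```python
# Added example: report which hops an AGIC-managed Ingress encrypts.
# Input is an already-parsed manifest (a dict, e.g. from a YAML loader).
PREFIX = "appgw.ingress.kubernetes.io/"

def audit_ingress(manifest):
    ann = (manifest.get("metadata") or {}).get("annotations") or {}
    spec = manifest.get("spec") or {}
    # Frontend TLS: a certificate already installed on the gateway and named
    # in the annotation, or a Kubernetes TLS secret listed under spec.tls.
    frontend_tls = bool(ann.get(PREFIX + "appgw-ssl-certificate")) or bool(spec.get("tls"))
    redirect = str(ann.get(PREFIX + "ssl-redirect", "false")).lower() == "true"
    # AGIC terminates TLS at the gateway, so the gateway -> pod hop is plain
    # HTTP unless the backend-protocol annotation asks for https.
    backend = str(ann.get(PREFIX + "backend-protocol", "http")).lower()
    findings = []
    if manifest.get("apiVersion") != "networking.k8s.io/v1":
        findings.append("deprecated-api-version")
    if redirect and not frontend_tls:
        findings.append("ssl-redirect-without-certificate")
    if not frontend_tls:
        findings.append("client-to-gateway-plaintext")
    if backend != "https":
        findings.append("gateway-to-pod-plaintext")
    return {
        "client_to_gateway": "https" if frontend_tls else "http",
        "gateway_to_pod": backend,
        "findings": findings,
    }

# Constructed sample: the question's manifest as a parsed dict, with a
# placeholder certificate name.
QUESTION_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "aspnetapp", "annotations": {
        "kubernetes.io/ingress.class": "azure/application-gateway",
        PREFIX + "appgw-ssl-certificate": "example-cert",
        PREFIX + "ssl-redirect": "true",
    }},
    "spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": {
        "serviceName": "aspnetapp", "servicePort": 80}}]}}]},
}

if __name__ == "__main__":
    print(audit_ingress(QUESTION_INGRESS))
```

For the question's manifest the check reports an encrypted client-to-gateway hop and a plaintext gateway-to-pod hop, which is the TLS termination default the answer describes.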
