Why can't ingress-nginx proxy gRPC when the client uses insecure?
path: go-client --> ingress-nginx --> grpc pod
Because all the traffic is in our private network, we didn't buy a public certificate; rather, we use a self-signed certificate. What happened is that the first code below worked well, but the second failed. I don't know why, and I want to know what insecure exactly means.

code that worked well:

cert, _ := credentials.NewClientTLSFromFile("./example.pem", "example.com")
conn, err := grpc.DialContext(
    ctx,
    "example.com:443",
    grpc.WithTransportCredentials(cert),
    grpc.WithBlock(),
)

code that received 400 bad request:

conn, err := grpc.DialContext(
    ctx,
    "example.com:443",
    grpc.WithTransportCredentials(insecure.NewCredentials()),
    grpc.WithBlock(),
)

nginx access log for bad request:

"PRI * HTTP/2.0" 400

ingress yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /foo/bar
            pathType: Prefix
            backend:
              service:
                name: grpc-svc
                port:
                  name: grpc-port

Package insecure provides an implementation of the credentials.TransportCredentials interface which disables transport security. More specifically, it does not perform any TLS handshaking or use any certificates.

gRPC requires that the user pass it some credentials when attempting to create the ClientConn. If your deployment does not use any certificates and you know that it is secure (based on whatever reasons), then the insecure package will be your friend. But if you are using self-signed certificates, they are still certificates and a TLS handshake needs to happen here. So, in this case, you should continue using the code that you have mentioned at the top of your question. Hope this helps.
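
The request line in the nginx access log above, "PRI * HTTP/2.0", is the first line of the HTTP/2 client connection preface. The following added example (not part of the original question or answer, and not grpc-go code) compares the first bytes a listener receives from a cleartext HTTP/2 client and from a TLS client. The names classify, firstBytes, insecureClient and tlsClient are hypothetical, and an in-memory pipe stands in for the connection to port 443.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"fmt"
	"io"
	"net"
)

// h2Preface is the HTTP/2 client connection preface (RFC 9113, section 3.4).
// Without TLS, these are the first bytes an HTTP/2 (and so gRPC) client sends.
const h2Preface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

// classify names the protocol that a connection's first bytes belong to.
func classify(first []byte) string {
	switch {
	case bytes.HasPrefix(first, []byte(h2Preface)):
		return "cleartext-http2"
	case len(first) >= 2 && first[0] == 0x16 && first[1] == 0x03:
		return "tls-handshake" // TLS record type 22 (handshake), major version 3
	}
	return "unknown"
}

// firstBytes runs send as the client on an in-memory connection and classifies
// the first 24 bytes that the server side of that connection receives.
func firstBytes(send func(net.Conn)) (string, error) {
	cli, srv := net.Pipe()
	defer cli.Close()
	defer srv.Close()
	go send(cli)
	buf := make([]byte, len(h2Preface))
	if _, err := io.ReadFull(srv, buf); err != nil {
		return "", err
	}
	return classify(buf), nil
}

// Constructed stand-ins for the two dial options in the question (assumption, not grpc-go).
func insecureClient(c net.Conn) { io.WriteString(c, h2Preface) }
func tlsClient(c net.Conn)      { tls.Client(c, &tls.Config{ServerName: "example.com"}).Handshake() }

func main() {
	for name, send := range map[string]func(net.Conn){"insecure": insecureClient, "tls": tlsClient} {
		kind, err := firstBytes(send)
		fmt.Println(name, "->", kind, err)
	}
}
```

A listener that terminates TLS expects the second form; the first form reaches it as a plain-text request, which matches the 400 entry in the access log.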