[英]how to redirect http to https using a kubernetes ingress controller on Amazon EKS
我已经为我的应用程序配置了亚马逊证书管理器、ALB 入口控制器和域名。 我可以通过端口 80 和端口 443 访问我的应用程序(所有证书都可以正常工作)。 但是,我想将所有来自 HTTP 的流量自动重定向到 HTTPS,以便将自己输入域名的人重定向到 HTTPS。 我按照 这个网页和这一个,但我不能使它工作
这是我的 ingress.yaml 文件:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: metabase
namespace: bigdata
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/***
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: internet-facing
labels:
app: metabase
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: metabase
servicePort: 3000
这是我的服务:
apiVersion: v1
kind: Service
metadata:
name: metabase
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:****:certificate/****
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
namespace: bigdata
labels:
app: metabase
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: http-server
- name: http
protocol: TCP
port: 80
targetPort: http-server
selector:
app: metabase
type: LoadBalancer
广告这是我的部署:
apiVersion: apps/v1
kind: Deployment
metadata:
name: metabase-deployment
namespace: bigdata
labels:
app: metabase
spec:
replicas: 2
selector:
matchLabels:
app: metabase
template:
metadata:
labels:
app: metabase
spec:
containers:
- name: metabase
image: metabase/metabase
ports:
- containerPort: 3000
name: http-server
resources:
limits:
cpu: "1"
memory: "2Gi"
谢谢您的支持! :-)
您需要使用nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
注释:
在集群外使用 SSL 卸载(例如 AWS ELB)时,即使没有可用的 TLS 证书,强制重定向到 HTTPS 也可能很有用。 这可以通过在特定资源中使用
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
注释来实现。
我能够让它工作! 基本上我修改了 ingress.yaml 和 service.yaml 文件
ingress.yaml 看起来像这样:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: metabase
namespace: bigdata
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/****
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/group: metabase # name of my app
labels:
app: metabase
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: metabase
servicePort: 443
我的服务如下所示:
apiVersion: v1
kind: Service
metadata:
name: metabase
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:***:certificate/***
namespace: bigdata
labels:
app: metabase
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: http-server
- name: http
protocol: TCP
port: 80
targetPort: http-server
selector:
app: metabase
type: LoadBalancer
我花了相当多的时间试图使这项工作成功并最终成功。 可能有人会发现它很有用。 我将尝试逐步描述使用 HTTP 到 HTTPs 重定向设置 ALB 的方法。
kubectl get deployment -n kube-system aws-load-balancer-controller
打印输出应类似于以下内容:
NAME READY UP-TO-DATE AVAILABLE AGE
aws-load-balancer-controller 1/1 1 1 18h
如果您的控制器不起作用,则不会创建负载均衡器。
检查您的 yaml 文件是否完好。 下面我提供了一个适用于我的案例的简单 Yaml 文件。 关于这个文件的一些评论:
a) 请使用您的 SSL/TLS 证书 ARN(我使用的是 XXXXXXX)。
b) 请使用您的图片(我使用的是 YYYYYYYYYY)。 我的容器映像存储在 ECR(弹性容器注册表)中。
c) 请注意一个用 servicePort 标记为 ssl-redirect 的奇怪服务:
使用注释是根据注释规范创建的。
https://kubernetes-sigs.github.io/aws-load-balancer-controller/guide/ingress/annotations/
运行后: kubectl apply -f service.yaml
请检查两件事:
a) kubectl -n default describe ingress
此命令应显示对帐成功:打印输出的结尾应显示:
Normal SuccessfullyReconciled 11s (x3 over 18m) ingress Successfully reconciled
在同一个打印输出(打印输出的顶部)不要注意日志条目:
/* ssl-redirect:use-annotation (<error: endpoints "ssl-redirect" not found>)
b) aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn,'default-nginx')].{Arn: LoadBalancerArn}" --output text | xargs -I {} aws elbv2 describe-listeners --load-balancer-arn {}
aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn,'default-nginx')].{Arn: LoadBalancerArn}" --output text | xargs -I {} aws elbv2 describe-listeners --load-balancer-arn {}
此命令应向您显示创建了一个新的 ALB 并创建了两个侦听器。 不要注意 HTTP 侦听器似乎没有正确的重定向配置。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: default
name: nginx-ingress
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/tags: createdBy=aws-controller
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXX
labels:
app: nginx-ingress
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: nginx-service
servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
namespace: default
name: nginx-service
spec:
selector:
app: nginx
ports:
- name: http
protocol: TCP
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: YYYYYYYYYYYY.dkr.ecr.eu-central-1.amazonaws.com/webfe:latest
ports:
- containerPort: 80
以防万一您正在寻找合适的新语法(其余相同)
- path: /
pathType: Prefix
backend:
service:
name: ssl-redirect
port:
name: use-annotation
我已经为我的应用程序配置了亚马逊证书管理器,ALB入口控制器和域名。 我可以通过端口80和443访问我的应用程序(所有证书都可以正常工作)。 但是,我想将所有即将来临的流量从HTTP自动重定向到HTTPS,以便将自己键入域名的人重定向到HTTPS。 我按照 这个网页和这一个,但我不能使它工作
这是我的ingress.yaml文件:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: metabase
namespace: bigdata
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/***
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: internet-facing
labels:
app: metabase
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: metabase
servicePort: 3000
这是我的服务:
apiVersion: v1
kind: Service
metadata:
name: metabase
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:****:certificate/****
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
namespace: bigdata
labels:
app: metabase
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: http-server
- name: http
protocol: TCP
port: 80
targetPort: http-server
selector:
app: metabase
type: LoadBalancer
广告这是我的部署:
apiVersion: apps/v1
kind: Deployment
metadata:
name: metabase-deployment
namespace: bigdata
labels:
app: metabase
spec:
replicas: 2
selector:
matchLabels:
app: metabase
template:
metadata:
labels:
app: metabase
spec:
containers:
- name: metabase
image: metabase/metabase
ports:
- containerPort: 3000
name: http-server
resources:
limits:
cpu: "1"
memory: "2Gi"
谢谢你的支持! :-)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.