Kubernetes NGINX Ingress TLS issue
I deployed a k8s cluster in the cloud (VMware vSphere): 3 master nodes and 1 worker node. Then I installed nginx-ingress with Helm:
helm install stable/nginx-ingress
Deployed a simple http-svc container.
Changed the nginx-controller service type from LoadBalancer to NodePort and added externalIPs (the IP addresses of my master nodes), so it looks like:
NAME                           TYPE       CLUSTER-IP      EXTERNAL-IP                               PORT(S)                      AGE
ing-nginx-ingress-controller   NodePort   10.233.15.202   172.16.40.21,172.16.40.22,172.16.40.23    80:31045/TCP,443:31427/TCP   1d
http-svc                       ClusterIP  10.233.13.55                                              80/TCP                       1d
Created the certificate and the secret:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=<FQDN_HERE>"
kubectl create secret tls secret --key /tmp/tls.key --cert /tmp/tls.crt
And created the ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: some-ingress
  namespace: default
spec:
  tls:
  - hosts:
    - <FQDN_HERE>
    secretName: secret
  rules:
  - host: <FQDN_HERE>
    http:
      paths:
      - backend:
          serviceName: http-svc
          servicePort: 80
        path: /
If I use the cloud DNAT
external_ip:8443 -> master01_ip:443 (e.g. 172.16.40.21:443)
then I get a response:
curl --resolve <FQDN>:8443:<external_ip> https://<FQDN>:8443 -v -k
* Added <FQDN>:8443:<external_ip> to DNS cache
* Rebuilt URL to: https://<FQDN>:8443/
* Hostname <FQDN> was found in DNS cache
* Trying <external_ip>...
* TCP_NODELAY set
* Connected to <FQDN> (<external_ip>) port 8443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=<FQDN>
* start date: Feb 22 10:37:00 2018 GMT
* expire date: Feb 22 10:37:00 2019 GMT
* issuer: CN=<FQDN>
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: <FQDN>:8443
> User-Agent: curl/7.58.0
But if I use the load-balancing feature (vEdge Gateway):
                   -> 172.16.40.21:443
external_ip:443    -> 172.16.40.22:443
                   -> 172.16.40.23:443
there is a problem:
curl --resolve <FQDN>:443:<external_ip> https://<FQDN> -vvvv -k
* Added <FQDN>:443:<external_ip> to DNS cache
* Rebuilt URL to: https://<FQDN>/
* Hostname <FQDN> was found in DNS cache
* Trying <external_ip>...
* TCP_NODELAY set
* Connected to <FQDN> (<external_ip>) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <FQDN>:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <FQDN>:443
I tested the same thing with nginx and a self-signed certificate on two separate VMs - it works fine. The cloud provider says the LB is functional and that the problem is in the k8s ingress.
Thanks!
As @Nickolay said, I should have configured the vEdge Gateway load balancer in TCP mode instead of HTTPS mode. But vEdge Gateway does not allow that, because port 443 is strictly bound to HTTPS. I solved the problem by configuring the health check (!) as TCP instead of SSL, and now everything works.
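The two curl runs in the question differ only in the path the connection takes (DNAT to one node versus the vEdge load balancer in front of all three), and the failing one dies right after the ClientHello with no TLS alert. A quick way to tell an ingress fault from a balancer fault is to probe every node directly and then the LB VIP with the same SNI and record the stage at which each handshake stops. The script below is an added example (my code, not from the original post, nginx-ingress or vEdge Gateway); it uses only the Python 3 standard library, reuses the node IPs and `<FQDN>` placeholders from the question in its usage text, and includes a constructed local listener that drops the connection after the ClientHello so the failure mode can be reproduced offline.

```python
"""Probe a TLS endpoint and report *where* the handshake stops.

Added example for the question above; not part of the original post,
of nginx-ingress or of vEdge Gateway.
"""
import socket
import ssl
import sys
import threading
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeResult:
    endpoint: str
    stage: str                    # "connect", "handshake" or "ok"
    detail: str
    tls_version: Optional[str] = None
    cipher: Optional[str] = None


def classify_handshake_error(exc: BaseException) -> str:
    """Turn the exception raised during the handshake into a short diagnosis.

    A peer that drops the TCP connection right after the ClientHello (what
    curl prints as SSL_ERROR_SYSCALL) surfaces as EOF or reset. A peer that
    speaks TLS but refuses us sends a TLS alert instead, a different fault."""
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError)):
        return "peer closed the connection during the handshake (no TLS alert)"
    if isinstance(exc, ssl.SSLError):
        return f"TLS alert / protocol error: {getattr(exc, 'reason', None) or exc}"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "no ServerHello within the timeout"
    return f"unexpected error: {exc!r}"


def probe_tls(ip: str, port: int, sni: str, timeout: float = 5.0) -> ProbeResult:
    """Connect to ip:port, send a ClientHello carrying `sni`, report the outcome.

    Certificate verification is off (the question uses a self-signed cert and
    curl -k); the point is whether a handshake completes at all."""
    endpoint = f"{ip}:{port} (SNI {sni})"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult(endpoint, "connect", f"TCP connect failed: {exc}")
    try:
        # wrap_socket() runs the handshake and closes the socket if it fails
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return ProbeResult(endpoint, "ok", "handshake completed",
                               tls.version(), tls.cipher()[0])
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult(endpoint, "handshake", classify_handshake_error(exc))


def start_listener_that_drops(timeout: float = 5.0) -> int:
    """Constructed stand-in for a balancer with no healthy backend: accept one
    TCP connection, read the ClientHello, then close without answering.
    Returns the local port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    def run() -> None:
        try:
            conn, _ = srv.accept()
            conn.settimeout(timeout)
            conn.recv(4096)      # swallow the ClientHello ...
            conn.close()         # ... and hang up: curl reports SSL_ERROR_SYSCALL
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def probe_all(fqdn: str, targets: List[str]) -> List[ProbeResult]:
    """Probe each "ip:port" target with the same SNI, in the order given."""
    results = []
    for target in targets:
        host, _, port = target.rpartition(":")
        results.append(probe_tls(host, int(port), fqdn))
    return results


if __name__ == "__main__":
    # Usage, with the placeholders and node IPs from the question:
    #   python probe_tls.py <FQDN> 172.16.40.21:443 172.16.40.22:443 172.16.40.23:443 <external_ip>:443
    if len(sys.argv) < 3:
        sys.exit("usage: probe_tls.py FQDN IP:PORT [IP:PORT ...]")
    for r in probe_all(sys.argv[1], sys.argv[2:]):
        extra = f" {r.tls_version} {r.cipher}" if r.stage == "ok" else ""
        print(f"{r.endpoint:45} {r.stage:10} {r.detail}{extra}")
```

Read the output by stage: "ok" on every node but "handshake ... peer closed the connection" only on the VIP means the nodes answer the ClientHello and the balancer does not, which is what the accepted fix (a TCP health check instead of SSL, so the backends stay in service) addresses; a TLS alert or a failure on a single node would point back at the ingress controller or its secret instead.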