
SSL/TLS passthrough NGINX-Ingress-Controller on Openshift Not Working

I have deployed the NGINX-Operator and NGINX-Ingress-Controller following the github devopscube guide below.

The current setup is:

AWS Classic LB -> ROSA cluster [Helm NGINX-Ingress-Controller -> NGINX-Ingress -> Service -> Pod]

Here is the YAML file I used to create the NGINX-Ingress-Controller resource. You will see that enableTLSPassthrough is set to true. However, I am not sure whether this is taking effect. My goal is end-to-end TLS encryption from the client to the NGINX service/pod. Right now I get error code 400 when accessing it in the browser over http (http worked just fine in the hello-world setup).

"400 Bad Request: The plain HTTP request was sent to HTTPS port"

kind: NginxIngress
apiVersion: charts.nginx.org/v1alpha1
metadata:
  name: nginxingress
  namespace: nginx-ingress
spec:
  controller:
    affinity: {}
    appprotect:
      enable: false
    appprotectdos:
      debug: false
      enable: false
      maxDaemons: 0
      maxWorkers: 0
      memory: 0
    config:
      annotations: {}
      entries: {}
    customPorts: []
    defaultTLS:
      secret: nginx-ingress/default-server-secret
    enableCertManager: false
    enableCustomResources: true
    enableExternalDNS: false
    enableLatencyMetrics: false
    enableOIDC: false
    enablePreviewPolicies: false
    enableSnippets: false
    enableTLSPassthrough: true
    extraContainers: []
    globalConfiguration:
      create: false
      spec: {}
    healthStatus: false
    healthStatusURI: /nginx-health
    hostNetwork: false
    image:
      pullPolicy: IfNotPresent
      repository: nginx/nginx-ingress
      tag: 2.3.0-ubi
    ingressClass: nginx
    initContainers: []
    kind: deployment
    logLevel: 1
    nginxDebug: false
    nginxReloadTimeout: 60000
    nginxStatus:
      allowCidrs: 127.0.0.1
      enable: true
      port: 8080
    nginxplus: false
    nodeSelector: {}
    pod:
      annotations: {}
      extraLabels: {}
    priorityClassName: null
    readyStatus:
      enable: true
      port: 8081
    replicaCount: 1
    reportIngressStatus:
      annotations: {}
      enable: true
      enableLeaderElection: true
      ingressLink: ''
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
    service:
      annotations: {}
      create: true
      customPorts: []
      externalIPs: []
      externalTrafficPolicy: Local
      extraLabels: {}
      httpPort:
        enable: true
        nodePort: ''
        port: 80
        targetPort: 80
      httpsPort:
        enable: true
        nodePort: ''
        port: 443
        targetPort: 443
      loadBalancerIP: ''
      loadBalancerSourceRanges: []
      type: LoadBalancer
    serviceAccount:
      imagePullSecretName: ''
    setAsDefaultIngress: true
    terminationGracePeriodSeconds: 30
    tolerations: []
    volumeMounts: []
    volumes: []
    watchNamespace: ''
    wildcardTLS:
      secret: null
  nginxServiceMesh:
    enable: false
    enableEgress: false
  prometheus:
    create: true
    port: 9113
    scheme: http
    secret: ''
  rbac:
    create: true

Looking at the creation logs of the NGINX-Ingress-Controller pod, I do not see anything about TLS being enabled. After the pod is deployed a flag is indeed set in the args section, but I am still not sure whether it is working.

W0802 20:33:26.594545       1 flags.go:273] Ignoring unhandled arguments: []
I0802 20:33:26.594683       1 flags.go:190] Starting NGINX Ingress Controller Version=2.3.0 PlusFlag=false
I0802 20:33:26.594689       1 flags.go:191] Commit=979db22d8065b22fedb410c9b9c5875cf0a6dc66 Date=2022-07-12T08:51:24Z DirtyState=false Arch=linux/amd64 Go=go1.18.3
I0802 20:33:26.601340       1 main.go:210] Kubernetes version: 1.22.0
I0802 20:33:26.606551       1 main.go:326] Using nginx version: nginx/1.23.0
2022/08/02 20:33:26 [notice] 13#13: using the "epoll" event method
2022/08/02 20:33:26 [notice] 13#13: nginx/1.23.0
2022/08/02 20:33:26 [notice] 13#13: built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC) 
2022/08/02 20:33:26 [notice] 13#13: OS: Linux 4.18.0-305.19.1.el8_4.x86_64
2022/08/02 20:33:26 [notice] 13#13: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2022/08/02 20:33:26 [notice] 13#13: start worker processes
2022/08/02 20:33:26 [notice] 13#13: start worker process 15
2022/08/02 20:33:26 [notice] 13#13: start worker process 16
2022/08/02 20:33:26 [notice] 13#13: start worker process 17
2022/08/02 20:33:26 [notice] 13#13: start worker process 18
I0802 20:33:26.630298       1 listener.go:54] Starting Prometheus listener on: :9113/metrics
I0802 20:33:26.630860       1 leaderelection.go:248] attempting to acquire leader lease nginx-ingress/nginxingress-nginx-ingress-leader-election...
I0802 20:33:26.639466       1 leaderelection.go:258] successfully acquired lease nginx-ingress/nginxingress-nginx-ingress-leader-election

Here is the Ingress resource YAML

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
#    kubernetes.io/ingress.class: addon-http-application-routing

#   nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
#    nginx.ingress.kubernetes.io/ssl-redirect: "true"
#    nginx.ingress.kubernetes.io/proxy-redirect-from: https
#    nginx.ingress.kubernetes.io/proxy-redirect-to: https
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
#    nginx.ingress.kubernetes.io/proxy-ssl-protocols: "HTTPS"
#    nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
  defaultBackend:
    service:
      name: nginx
      port:
        number: 443
  ingressClassName: nginx
  tls:
   - hosts:
       - nginx-tlssni.apps.clustername.openshiftapps.com
     secretName: nginx-tls
  rules:
  - host: "nginx-tlssni.apps.clustername.openshiftapps.com"
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: nginx
            port:
              number: 443

Thanks for your insights :)

There are several NGINX-based ingress controllers. The two that are most easily confused are the NGINX INC ingress controller and the CNCF Kubernetes Ingress Controller.

My understanding is that nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" is for the CNCF Kubernetes Ingress Controller.

Now to your question - based on this example, try changing your annotation to the following:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    nginx.org/ssl-services: "nginx" # Name of your k8s service with TLS
  ...
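The two modes that get mixed up in this thread differ in where the client's TLS session ends, and a practitioner should pick one deliberately. The following manifests are an added example, not part of the original answer or of the NGINX project's own documentation; they assume the Service named nginx on port 443 and the host name from the question, and the resource names are hypothetical. Option A is TLS re-encryption: the controller terminates the client's TLS with the nginx-tls Secret and then opens a second TLS connection to the pod, which is what nginx.org/ssl-services turns on for the NGINX Inc. controller (the nginx.ingress.kubernetes.io/backend-protocol annotation in the question belongs to the CNCF controller and is ignored here, so plain HTTP reached the pod's HTTPS port and produced the 400). Option B is true passthrough: with enableTLSPassthrough: true and enableCustomResources: true, a TransportServer bound to the tls-passthrough listener routes on the TLS SNI name alone and never decrypts, so the pod's own certificate is what the client sees and no Ingress tls: block or controller-side Secret is involved.

```yaml
# Added example, not from the original post or answer. Assumes the Service
# "nginx" on port 443 and the host from the question; resource names are
# hypothetical.

# Option A: TLS re-encryption (terminate at the controller, TLS again to the pod).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    nginx.org/ssl-services: "nginx"   # Service(s) the controller must talk HTTPS to
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - nginx-tlssni.apps.clustername.openshiftapps.com
    secretName: nginx-tls             # cert the controller presents to clients
  rules:
  - host: nginx-tlssni.apps.clustername.openshiftapps.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: nginx
            port:
              number: 443
---
# Option B: true TLS passthrough (controller routes on SNI only, never decrypts).
# Requires enableTLSPassthrough: true and enableCustomResources: true on the
# controller, both already set in the question's NginxIngress spec.
apiVersion: k8s.nginx.org/v1alpha1
kind: TransportServer
metadata:
  name: nginx-tls-passthrough
spec:
  listener:
    name: tls-passthrough             # built-in listener, only valid with passthrough enabled
    protocol: TLS_PASSTHROUGH
  host: nginx-tlssni.apps.clustername.openshiftapps.com   # matched against the client's SNI
  upstreams:
  - name: nginx-app
    service: nginx
    port: 443                         # pod must itself speak TLS on this port
  action:
    pass: nginx-app
```

Use only one of the two for a given host name, since both claim the same SNI on port 443. Because passthrough never sees HTTP, no path-based rules apply and the controller cannot add headers or redirects; the backend pod must present a certificate valid for the host. To check which mode is actually in effect, run `openssl s_client -connect <lb-address>:443 -servername nginx-tlssni.apps.clustername.openshiftapps.com </dev/null | openssl x509 -noout -subject -issuer`: with passthrough the subject is the pod's certificate, with re-encryption it is the nginx-tls certificate. One further caveat for this topology: the AWS Classic LB in front of the cluster must forward port 443 as a TCP (layer 4) listener, not an HTTPS listener, otherwise the load balancer terminates TLS itself and the client's handshake never reaches the controller regardless of what Kubernetes resources are configured.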
