
Ingress-nginx controller kubernetes global SSL redirections

Reposted. Author: bug小助手. Updated: 2023-10-22 17:34:46



I'm struggling to set a global (on ingress controller scope) SSL/HTTPS redirection. It works fine with an annotation on a specific ingress object, yet won't work globally.


Configmap:


apiVersion: v1
data:
  allow-snippet-annotations: "true"
  proxy-real-ip-cidr: XXX
  use-forwarded-headers: "true"
  proxy-body-size: "0"
  force-ssl-redirect: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.6.4
  name: ingress-nginx-controller
  namespace: ingress-nginx

Service:


apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "1800"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: XXX
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    service.beta.kubernetes.io/aws-load-balancer-name: XXX
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.6.4
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: tohttps
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer

Deployment part:


apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.6.4
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-nginx-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key

I am able to run:


$ curl http://something_in_my_cluster.com

$ curl https://something_in_my_cluster.com

and both requests are just fine, one connecting to port 80 and the other to 443, while I would like to redirect from 80 to 443.


Recommended answer

I did it before using snippets (values-prod.yaml example for Helm):


controller:
  containerPort:
    http: 80
    https: 80
    redir-to-https: 2443
  config:
    http-snippet: |
      server {
        listen 2443 proxy_protocol;
        return 308 https://$host$request_uri;
      }
    use-proxy-protocol: "true"
    real-ip-header: "proxy_protocol"
    use-forwarded-headers: "true"
    error-log-level: "error"
  replicaCount: 2
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-name: "eks-ingress"
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
      service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "false"
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${ssl_cert_arn}
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    externalTrafficPolicy: "Local"
    targetPorts:
      http: redir-to-https
      https: http
  admissionWebhooks:
    enabled: false

Here is the same as plain manifests:


ConfigMap:


apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.2
    helm.sh/chart: ingress-nginx-4.7.2
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
data:
  allow-snippet-annotations: 'true'
  error-log-level: error
  http-snippet: |
    server {
      listen 2443 proxy_protocol;
      return 308 https://$host$request_uri;
    }
  real-ip-header: proxy_protocol
  use-forwarded-headers: 'true'
  use-proxy-protocol: 'true'

Service:


apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  uid: 04ec13ee-9c47-4a5c-949a-c658ad338db4
  resourceVersion: '116095705'
  creationTimestamp: '2023-01-30T05:47:48Z'
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.2
    helm.sh/chart: ingress-nginx-4.7.2
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'false'
    service.beta.kubernetes.io/aws-load-balancer-name: eks-ingress
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: >-
      arn:aws:acm:us-east-1:000000000000:certificate/c41e22886,
      arn:aws:acm:us-east-1:000000000000:certificate/42799b95a4,
      arn:aws:acm:us-east-1:000000000000:certificate/11d3d05
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false
    service.beta.kubernetes.io/aws-load-balancer-type: external
  finalizers:
    - service.kubernetes.io/load-balancer-cleanup
    - service.k8s.aws/resources
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: redir-to-https
      nodePort: 30722
    - name: https
      protocol: TCP
      port: 443
      targetPort: http
      nodePort: 30483
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  clusterIP: 10.100.200.30
  clusterIPs:
    - 10.100.200.30
  type: LoadBalancer
  sessionAffinity: None
  externalTrafficPolicy: Local
  healthCheckNodePort: 31098
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  allocateLoadBalancerNodePorts: true
  internalTrafficPolicy: Cluster

Deployment:


apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.2
    helm.sh/chart: ingress-nginx-4.7.2
  annotations:
    deployment.kubernetes.io/revision: '2'
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.8.2
        helm.sh/chart: ingress-nginx-4.7.2
    spec:
      containers:
        - name: controller
          image: >-
            registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
          args:
            - /nginx-ingress-controller
            - '--publish-service=$(POD_NAMESPACE)/ingress-nginx-controller'
            - '--election-id=ingress-nginx-leader'
            - '--controller-class=k8s.io/ingress-nginx'
            - '--ingress-class=nginx'
            - '--configmap=$(POD_NAMESPACE)/ingress-nginx-controller'
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 80
              protocol: TCP
            - name: redir-to-https
              containerPort: 2443
              protocol: TCP
            - name: metrics
              containerPort: 10254
              protocol: TCP
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            runAsUser: 101
            allowPrivilegeEscalation: true
      restartPolicy: Always
      terminationGracePeriodSeconds: 60
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      serviceAccount: ingress-nginx
      securityContext: {}
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: Environment
                    operator: In
                    values:
                      - service
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app.kubernetes.io/name
                    operator: In
                    values:
                      - ingress-nginx
                  - key: app.kubernetes.io/instance
                    operator: In
                    values:
                      - ingress-nginx
                  - key: app.kubernetes.io/component
                    operator: In
                    values:
                      - controller
              topologyKey: kubernetes.io/hostname
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

More replies

Can you share a wider yaml context for this?

It's the values-prod.yaml file I'm using to install ingress-nginx controller with helm. Are you configuring it via plain manifests?

Yes, unfortunately, I am. Based on: raw.githubusercontent.com/kubernetes/ingress-nginx/…

Updated answer, hope it helps
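
The answer's redirect depends on three objects agreeing: Service port 80 must target a named container port, that port must be the one the `http-snippet` server listens on, and the listener's `proxy_protocol` flag must match `use-proxy-protocol`. The check below is an added example, not part of the original posts; the dictionaries are constructed from the answer's manifests, the function names are hypothetical, and the snippet parser assumes server blocks without nested braces.

```python
import re

# Constructed inputs: the fields of the answer's manifests that carry the redirect.
CONFIG = {
    "use-proxy-protocol": "true",
    "http-snippet": "server {\n  listen 2443 proxy_protocol;\n  return 308 https://$host$request_uri;\n}",
}
SERVICE_PORTS = [
    {"name": "http", "port": 80, "targetPort": "redir-to-https"},
    {"name": "https", "port": 443, "targetPort": "http"},
]
CONTAINER_PORTS = [
    {"name": "http", "containerPort": 80},
    {"name": "https", "containerPort": 80},
    {"name": "redir-to-https", "containerPort": 2443},
]

def redirect_listeners(snippet):
    """Map listen port -> uses proxy_protocol, for server blocks that return 301/308 to https."""
    found = {}
    for block in re.findall(r"server\s*\{(.*?)\}", snippet, re.S):
        if not re.search(r"return\s+30[18]\s+https://", block):
            continue
        for m in re.finditer(r"listen\s+(\d+)([^;]*);", block):
            found[int(m.group(1))] = "proxy_protocol" in m.group(2)
    return found

def check_redirect_wiring(config, service_ports, container_ports):
    """Return a list of problems; empty means Service port 80 ends at the redirect server."""
    listeners = redirect_listeners(config.get("http-snippet", ""))
    by_name = {p["name"]: p["containerPort"] for p in container_ports}
    svc80 = next((p for p in service_ports if p["port"] == 80), None)
    if svc80 is None:
        return ["Service exposes no port 80"]
    target = svc80["targetPort"]
    number = by_name.get(target) if isinstance(target, str) else target
    if number is None:
        return [f"targetPort {target!r} is not a named containerPort"]
    if number not in listeners:
        return [f"port 80 reaches container port {number}, which has no redirect server"]
    if listeners[number] != (config.get("use-proxy-protocol") == "true"):
        return [f"listen {number}: proxy_protocol flag does not match use-proxy-protocol"]
    return []
```

An empty result for the answer's values means plain HTTP arriving on port 80 can only reach the 308 server; pointing port 80 at the `http` container port instead reproduces the question's symptom, where both schemes are served.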
