I am looking to see some feasible solution and recommendation on how people are doing it.
My Setup is :
AWS EKS Cluster Running a App as deployment. This is public facing cluster , that has the service configured to use "LoadBalancer" that created NLB , Below is my service configuration. This is all basic and it's working fine.
我期待看到一些可行的解决方案和建议,人们是如何做到这一点。我的设置是:运行应用程序即部署的AWS EKS集群。这是面向公共的集群,它将服务配置为使用创建了NLB的“LoadBalancer”,下面是我的服务配置。这一切都是基本的,运行得很好。
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
service.beta.kubernetes.io/aws-load-balancer-type: external
labels:
app: my-app
name: my-service
namespace: default-namespace
spec:
allocateLoadBalancerNodePorts: true
clusterIP: 10.10.20.135
clusterIPs:
- 10.10.20.135
externalTrafficPolicy: Cluster
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
loadBalancerSourceRanges:
- 14.56.361.259/32
- 172.201.416.179/32
ports:
- nodePort: 30294
port: 443
protocol: TCP
targetPort: 8443
selector:
app: my-app
sessionAffinity: None
type: LoadBalancer
Requirement now is to use a domain instead of a load balancer and ensure that Its going to do End to End TLS till pod. I am trying to find the best way and steps. I have AWS Load Balancer Controller and Cert-Manager in the cluster already.
现在的要求是使用域而不是负载均衡器,并确保它将执行端到端TLS直到Pod。我正在努力寻找最好的方法和步骤。我已经在群集中安装了AWS负载均衡器控制器和Cert-Manager。
My though is if I have a domain that somehow can be configured to route traffic to NLB in route53 and then NLB keeping the TLS end to end send the traffic to Pod , would that work ? Or should I take the route of change the service to use "NodePort" and Create Ingress that creates a new ALB and then use ACM cert and that route to pod and then pod does TLS termination as I have to make sure the pod make use of certificates.
我的想法是,如果我有一个域,可以以某种方式配置为路由流量到路由53中的NLB,然后NLB保持TLS端到端发送流量到Pod,这会起作用吗?或者我应该采取改变服务的路线使用“NodePort”和创建入口,创建一个新的ALB,然后使用ACM证书和路由到pod,然后pod做TLS终止,因为我必须确保pod使用证书。
Thanks for help and recommendations.
感谢您的帮助和建议。
更多回答
优秀答案推荐
using below annotation we can give acm arn to service NLB
使用下面的注释,我们可以将ACM ARN赋给服务NLB
service.beta.kubernetes.io/aws-load-balancer-ssl-cert
Service.beta.kubernetes.io/aws-load-balancer-ssl-cert
My though is if I have a domain that somehow can be configured to route traffic to NLB in route53 and then NLB keeping the TLS end to end send the traffic to Pod , would that work —- yes this will work.
我的想法是,如果我有一个域,它可以以某种方式被配置为将流量路由到路由53中的NLB,然后NLB保持TLS端到端将流量发送到Pod,这会起作用吗?是的,这会起作用。
Thanks.
谢谢。
更多回答
That's for the cert but How do I map a domain without Ingress setup using the existing NLB.
这是为了证书,但我如何使用现有的NLB映射没有Inress设置的域。
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
您的回答可以通过补充支持信息进行改进。请编辑以添加更多细节,例如引用或文档,以便其他人可以确认您的答案是正确的。你可以在帮助中心找到更多关于如何写好答案的信息。
我是一名优秀的程序员,十分优秀!