【发布时间】:2020-07-02 09:55:13
【问题描述】:
我在 kubernetes 集群中安装了Kubernetes NGINX Ingress
我在 AWS EC2 实例上部署了所有内容,而经典负载均衡器位于 Ingress 控制器的前面。我可以使用 http 端口访问该服务,但无法使用 https 访问它。
我从 godaddy 购买了有效的域名,并从 Certificate Manager 获得了 AWS SSL 证书
负载平衡器侦听器配置如下。
我修改了 Ingress NGINX 服务(添加了证书 ARN)
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
# Enable PROXY protocol
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
# Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
# NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
# increased to '3600' to avoid any potential issues.
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:297483230626:certificate/ffe5a2b3-ceff-4ef2-bf13-8da5b4212121"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
type: LoadBalancer
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
入口规则
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: practice-ingress
namespace: practice
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
rules:
- host: kdhut.com
http:
paths:
- backend:
serviceName: customer-service
servicePort: 9090
path: /customer
- backend:
serviceName: prac-service
servicePort: 8000
path: /prac
我可以通过 http 访问服务,但 https 不工作。
我试过卷曲
curl -v https://kdhut.com -H 'Host: kdhut.com'
* Rebuilt URL to: https://kdhut.com/
* Trying 3.12.176.17...
* TCP_NODELAY set
* Connected to kdhut.com (3.12.176.17) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=kdhut.com
* start date: Mar 20 00:00:00 2020 GMT
* expire date: Apr 20 12:00:00 2021 GMT
* subjectAltName: host "kdhut.com" matched cert's "kdhut.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: kdhut.com
> User-Agent: curl/7.58.0
> Accept: */*
【问题讨论】:
标签: ssl nginx kubernetes https kubernetes-ingress