
Kubernetes 1.4 SSL termination on AWS


I have 6 HTTP microservices. Currently they run on a crazy bash / custom deployment tool setup (dokku, mup).

I dockerized them and moved them to kubernetes on AWS (set up using kops). The last piece is converting my nginx config.

I want

  • All 6 to have SSL termination (not in the docker image)

  • 4 need websockets and client IP session affinity (Meteor, Socket.io)

  • 5 need http->https forwarding

  • 1 serves the same content on http and https

I did 1. SSL termination by setting the Service type to LoadBalancer and using AWS specific annotations. This created the AWS load balancer, but this seems like a dead end for the other requirements.

I looked at Ingress, but don't see how to do it on AWS. Will this Ingress Controller work on AWS?

Do I need an nginx controller in each pod? This looks interesting, but I'm not sure it is recent/relevant.

I'm not sure which direction to start from. What will work?

Mike

2 Answers

  • 7

    You should be able to use the nginx ingress controller to accomplish this.

    The README walks you through how to set it up, and there are lots of examples.

    The basic pieces needed to make this work are:

    • A default backend, which will respond with 404 when no Ingress rule matches

    • The nginx ingress controller, which will watch your ingress rules and rewrite/reload nginx.conf whenever they change.

    • One or more ingress rules describing how traffic should be routed to your services.

    The end result is that you will have an ELB corresponding to your nginx ingress controller service, which in turn is responsible for routing to your individual services based on the ingress rules specified.

  • 1

    There may be a better way to do this. I wrote this answer because I asked the question. It's the best I could come up with from Pixel Elephant's doc links above.

    default-http-backend is very useful for debugging.

    Ingress

    • This creates an endpoint on the node's IP address, which may change depending on where the Ingress Container is running

    • Note the configmap at the bottom. Configure per environment.

    (markdown placeholder because no ```)

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: "nginx"
      name: all-ingress
    spec:
      tls:
      - hosts:
        - admin-stage.example.io
        secretName: tls-secret
      rules:
      - host: admin-stage.example.io
        http:
          paths:
          - backend:
              serviceName: admin
              servicePort: http-port
            path: /
    ---
    apiVersion: v1
    data:
      enable-sticky-sessions: "true"
      proxy-read-timeout: "7200"
      proxy-send-timeout: "7200"
    kind: ConfigMap
    metadata:
      name: nginx-load-balancer-conf
    

    App Service and Deployment

    • The service port needs to be named, otherwise you may get "upstream default-admin-80 does not have any active endpoints. Using default backend"

    (markdown placeholder because no ```)

    apiVersion: v1
    kind: Service
    metadata:
      name: admin
    spec:
      ports:
      - name: http-port
        port: 80
        protocol: TCP
        targetPort: http-port
      selector:
        app: admin
      sessionAffinity: ClientIP
      type: ClusterIP
    ---
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: admin
    spec:
      replicas: 1
      template:
        metadata:
          labels: 
            app: admin
          name: admin
        spec:
          containers:
          - image: example/admin:latest
            name: admin
            ports:
            - containerPort: 80
              name: http-port
            resources:
              requests:
                cpu: 500m
                memory: 1000Mi
            volumeMounts:
            - mountPath: /etc/env-volume
              name: config
              readOnly: true
          imagePullSecrets:
          - name: cloud.docker.com-pull
          volumes:
          - name: config
            secret:
              defaultMode: 420
              items:
              - key: admin.sh
                mode: 256
                path: env.sh
              - key: settings.json
                mode: 256
                path: settings.json
              secretName: env-secret
    

    Ingress Nginx Docker image

    • Note the default-ssl-certificate at the bottom

    • Logging is very good with -v

    • Note the service will create an ELB on AWS that can be used to configure DNS.

    (markdown placeholder because no ```)

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-service
    spec:
      ports:
      - name: http-port
        port: 80
        protocol: TCP
        targetPort: http-port
      - name: https-port
        port: 443
        protocol: TCP
        targetPort: https-port
      selector:
        app: nginx-ingress-service
      sessionAffinity: None
      type: LoadBalancer
    ---
    apiVersion: v1
    kind: ReplicationController
    metadata:
      name: nginx-ingress-controller
      labels:
        k8s-app: nginx-ingress-lb
    spec:
      replicas: 1
      selector:
        k8s-app: nginx-ingress-lb
      template:
        metadata:
          labels:
            k8s-app: nginx-ingress-lb
            name: nginx-ingress-lb
        spec:
          terminationGracePeriodSeconds: 60
          containers:
          - image: gcr.io/google_containers/nginx-ingress-controller:0.8.3
            name: nginx-ingress-lb
            imagePullPolicy: Always
            readinessProbe:
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
            livenessProbe:
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 10
              timeoutSeconds: 1
            # use downward API
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            ports:
            - name: http-port
              containerPort: 80
              hostPort: 80
            - name: https-port
              containerPort: 443
              hostPort: 443
            # we expose 18080 to access nginx stats in url /nginx-status
            # this is optional
            - containerPort: 18080
              hostPort: 18080
            args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --default-ssl-certificate=default/tls-secret
            - --nginx-configmap=$(POD_NAMESPACE)/nginx-load-balancer-conf
            - --v=2
    

    Default backend (this is copy/pasted from the .yaml file)

    apiVersion: v1
    kind: Service
    metadata:
      name: default-http-backend
      labels:
        k8s-app: default-http-backend
    spec:
      ports:
      - port: 80
        targetPort: 8080
        protocol: TCP
        name: http
      selector:
        k8s-app: default-http-backend
    ---
    apiVersion: v1
    kind: ReplicationController
    metadata:
      name: default-http-backend
    spec:
      replicas: 1
      selector:
        k8s-app: default-http-backend
      template:
        metadata:
          labels:
            k8s-app: default-http-backend
        spec:
          terminationGracePeriodSeconds: 60
          containers:
          - name: default-http-backend
            # Any image is permissible as long as:
            # 1. It serves a 404 page at /
            # 2. It serves 200 on a /healthz endpoint
            image: gcr.io/google_containers/defaultbackend:1.0
            livenessProbe:
              httpGet:
                path: /healthz
                port: 8080
                scheme: HTTP
              initialDelaySeconds: 30
              timeoutSeconds: 5
            ports:
            - containerPort: 8080
            resources:
              limits:
                cpu: 10m
                memory: 20Mi
              requests:
                cpu: 10m
                memory: 20Mi
    

    This config uses three secrets:

    • tls-secret - 3 files: tls.key, tls.crt, dhparam.pem

    • env-secret - 2 files: admin.sh and settings.json. The container has a startup script that sets up the environment.

    • cloud.docker.com-pull
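The two answers above hinge on a chain of names: an Ingress backend refers to a Service port by name, the Service refers to a container port by name, and the Service selector must match the pod template labels; if any link is wrong, the controller logs "does not have any active endpoints" and falls back to the default backend, and a TLS host with no matching rule quietly serves the certificate for a vhost that routes nowhere. The script below is an added example (not code from either answer or from the ingress-nginx project) that cross-checks those links before anything is applied to a cluster. The manifests are embedded as already-parsed Python dicts, a constructed and trimmed copy of the admin Ingress/Service/Deployment from the second answer, so the script runs offline without PyYAML; with PyYAML installed, `yaml.safe_load_all(open("all.yaml"))` yields the same structure and can be passed straight to `check_manifests`.

```python
"""Cross-check the name wiring between Ingress, Service and pod template ports.

Added example; the manifests below are a constructed, trimmed copy of the
answer's admin resources, expressed as the dicts PyYAML would produce.
"""
import copy


def _by_kind(docs, kind):
    return [d for d in docs if d.get("kind") == kind]


def service_port_names(service):
    """Names of the ports a Service declares (unnamed ports are skipped)."""
    return {p["name"] for p in service["spec"].get("ports", []) if "name" in p}


def pod_port_names(workload):
    """Named containerPorts across all containers of a Deployment/RC template."""
    tmpl = workload["spec"]["template"]["spec"]
    return {p["name"] for c in tmpl.get("containers", [])
            for p in c.get("ports", []) if "name" in p}


def selector_matches(selector, labels):
    """A Service selector matches a pod template iff every selector label is present."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def check_manifests(docs):
    """Return a list of human-readable problems; an empty list means the wiring is consistent."""
    problems = []
    services = {s["metadata"]["name"]: s for s in _by_kind(docs, "Service")}
    workloads = _by_kind(docs, "Deployment") + _by_kind(docs, "ReplicationController")

    for ing in _by_kind(docs, "Ingress"):
        name = ing["metadata"]["name"]
        rule_hosts = {r.get("host") for r in ing["spec"].get("rules", [])}
        # A TLS host without a rule gets the certificate but no route.
        for tls in ing["spec"].get("tls", []):
            for host in tls.get("hosts", []):
                if host not in rule_hosts:
                    problems.append(f"ingress {name}: tls host {host} has no matching rule")
        # Each backend must name an existing Service and, if by name, an existing port.
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                backend = path["backend"]
                svc = services.get(backend["serviceName"])
                if svc is None:
                    problems.append(f"ingress {name}: backend service {backend['serviceName']} not found")
                    continue
                port = backend["servicePort"]
                if isinstance(port, str) and port not in service_port_names(svc):
                    problems.append(f"ingress {name}: backend service {backend['serviceName']} "
                                    f"has no port named {port}")

    for svc_name, svc in services.items():
        selector = svc["spec"].get("selector", {})
        matching = [w for w in workloads
                    if selector_matches(selector, w["spec"]["template"]["metadata"].get("labels", {}))]
        if not matching:
            problems.append(f"service {svc_name}: selector {selector} matches no pod template")
            continue
        names = set().union(*(pod_port_names(w) for w in matching))
        for p in svc["spec"].get("ports", []):
            tp = p.get("targetPort", p.get("port"))
            if isinstance(tp, str) and tp not in names:
                problems.append(f"service {svc_name}: targetPort {tp} names no container port")
    return problems


# Constructed sample: the admin resources from the answer, trimmed to what the check reads.
GOOD_DOCS = [
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress", "metadata": {"name": "all-ingress"},
     "spec": {"tls": [{"hosts": ["admin-stage.example.io"], "secretName": "tls-secret"}],
              "rules": [{"host": "admin-stage.example.io",
                         "http": {"paths": [{"path": "/", "backend": {"serviceName": "admin",
                                                                       "servicePort": "http-port"}}]}}]}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "admin"},
     "spec": {"selector": {"app": "admin"}, "sessionAffinity": "ClientIP",
              "ports": [{"name": "http-port", "port": 80, "protocol": "TCP", "targetPort": "http-port"}]}},
    {"apiVersion": "extensions/v1beta1", "kind": "Deployment", "metadata": {"name": "admin"},
     "spec": {"template": {"metadata": {"labels": {"app": "admin"}},
                           "spec": {"containers": [{"name": "admin", "image": "example/admin:latest",
                                                    "ports": [{"containerPort": 80, "name": "http-port"}]}]}}}},
]

# Constructed failure case: the Service port lost its name (the pitfall the answer warns
# about) and a TLS host was added that no rule serves.
BAD_DOCS = copy.deepcopy(GOOD_DOCS)
del BAD_DOCS[1]["spec"]["ports"][0]["name"]
BAD_DOCS[0]["spec"]["tls"][0]["hosts"].append("admin.example.io")

if __name__ == "__main__":
    for problem in check_manifests(BAD_DOCS) or ["ok"]:
        print(problem)
```

Run it before `kubectl apply`; the check is purely structural, so it finds the unnamed-port and unrouted-TLS-host mistakes without a cluster, while a genuinely missing endpoint (pods not ready, wrong image) still has to be diagnosed from the controller's `-v` logs as the answer describes.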
