小贝子编程

Https连接被拒绝,使用ingress nginx



我在Ubuntu 19.10上安装了kubernetes。我已经安装了ingress nginx,可以使用http访问我的测试服务。然而,当我尝试通过https访问时,我收到了一个"连接被拒绝"的消息。

[编辑]我正试图让https在入口中终止,并像http一样将未加密的流量传递给我的服务。我已经根据我看到的许多示例实现了以下内容,但运气不好。

Yaml

kind: Service
apiVersion: v1
metadata:
name: messagemanager-service
namespace: default
labels:
name: messagemanager-service
spec:
type: NodePort
selector:
app: messagemanager
ports:
- port: 80
protocol: TCP
targetPort: 8080
nodePort: 31212
name: http
externalIPs:
- 192.168.0.210

---
kind: Deployment
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
metadata:
name: messagemanager
labels:
app: messagemanager
version: v1
spec:
replicas: 3
selector:
matchLabels:
app: messagemanager
template:
metadata:
labels:
app: messagemanager
version: v1
spec:  
containers:
- name: messagemanager
image: test/messagemanager:1.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: messagemanager-ingress
annotations: 
nginx.ingress.kubernetes.io/ssl-passthrough: false
ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- secretName: tls-secret  
rules:
- http:
paths:
- path: /message
backend:
serviceName: messagemanager-service
servicePort: 8080

https测试

curl -kL https://192.168.0.210/message -verbose
*   Trying 192.168.0.210:443...
* TCP_NODELAY set
* connect to 192.168.0.210 port 443 failed: Connection refused
* Failed to connect to 192.168.0.210 port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.0.210 port 443: Connection refused

http测试

curl -kL http://192.168.0.210/message -verbose
*   Trying 192.168.0.210:80...
* TCP_NODELAY set
* Connected to 192.168.0.210 (192.168.0.210) port 80 (#0)
> GET /message HTTP/1.1
> Host: 192.168.0.210
> User-Agent: curl/7.65.3
> Accept: */*
> Referer: rbose
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/plain;charset=UTF-8
< Date: Fri, 24 Apr 2020 18:44:07 GMT
< connection: keep-alive
< content-length: 50
<
* Connection #0 to host 192.168.0.210 left intact

$ kubectl -n ingress-nginx get svc
NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.105.92.236   <pending>     80:31752/TCP,443:32035/TCP   2d
ingress-nginx-controller-admission   ClusterIP      10.100.223.87   <none>        443/TCP                      2d
$ kubectl get ingress -o wide
NAME                     CLASS    HOSTS   ADDRESS   PORTS     AGE
messagemanager-ingress   <none>   *                 80, 443   37m

密钥创建

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt

$ kubectl describe ingress
Name:             messagemanager-ingress
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
tls-secret terminates
Rules:
Host        Path  Backends
----        ----  --------
*
/message   messagemanager-service:8080 ()
Annotations:  Events:
Type        Reason  Age   From                      Message
----        ------  ----  ----                      -------
Normal      CREATE  107s  nginx-ingress-controller  Ingress default/messagemanager-ingress

我假设TLS将在入口中终止,并且请求将作为http传递给服务。我必须在服务中添加外部IP才能使HTTP正常工作。HTTPS是否缺少类似的内容?

感谢您的帮助和指导。

感谢

标记

我在实验室中复制了您的场景,在对您的入口进行了一些更改后,它就如您所描述的那样工作了。

在我的实验室里,我使用了一个nginx映像,它在端口80上提供默认登录页,有了这个Ingress规则,就可以在端口80和443上提供它。

kind: Deployment
apiVersion: apps/v1
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
version: v1
spec:  
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
protocol: TCP
---
kind: Service
apiVersion: v1
metadata:
name: nginx-service
namespace: default
labels:
name: nginx-service
spec:
type: NodePort
selector:
app: nginx
ports:
- port: 80
protocol: TCP
targetPort: 80
nodePort: 31000
name: http          
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: nginx
labels:
app: nginx  
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /  
spec:
tls:
- secretName: tls-secret  
rules:
- http:
paths:
- path: /nginx
backend:
serviceName: nginx-service
servicePort: 80

我的入口和你的入口之间唯一的区别是我删除了nginx.ingress.kubernetes.io/ssl-passthrough: false。在文档中,我们可以阅读:

注意SSL Passthrough在默认情况下被禁用

因此您无需指定。

我用了和你一样的秘密:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
$ kubectl create secret tls tls-secret --key tls.key --cert tls.crt

在你的问题中,我的印象是你正试图通过IP192.168.0.210进入。这是您的服务IP,而不是Ingress IP。

如果你使用云管理的Kubernetes,你必须运行以下命令来找到你的Ingress IP:

$ kubectl get ingresses nginx 
NAME    HOSTS   ADDRESS        PORTS     AGE
nginx   *       34.89.108.48   80, 443   6m32s

如果你在裸机上运行,而没有任何LoadBalancer解决方案作为MetalLB,你可以看到你的入口nginx服务将永远与Pending上的EXTERNAL-IP在一起。

$ kubectl get service -n ingress-nginx 
NAME                                            TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-1587980954-controller             LoadBalancer   10.110.188.236   <pending>     80:31024/TCP,443:30039/TCP   23s

你可以做与你的服务相同的事情,并手动添加一个外部IP:

kubectl get service -n ingress-nginx 
NAME                                            TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-1587980954-controller             LoadBalancer   10.110.188.236   10.156.0.24   80:31024/TCP,443:30039/TCP   9m14s

更改后,您的入口将具有与您在入口服务中定义的相同的IP:

$ kubectl get ingress nginx 
NAME    CLASS    HOSTS   ADDRESS       PORTS     AGE
nginx   <none>   *       10.156.0.24   80, 443   118s

$ curl -kL https://10.156.0.24/nginx --verbose
*   Trying 10.156.0.24...
* TCP_NODELAY set
* Connected to 10.156.0.24 (10.156.0.24) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Apr 27 09:49:19 2020 GMT
*  expire date: Apr 27 09:49:19 2021 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x560cee14fe90)
> GET /nginx HTTP/1.1
> Host: 10.156.0.24
> User-Agent: curl/7.52.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< server: nginx/1.17.10
< date: Mon, 27 Apr 2020 10:01:29 GMT
< content-type: text/html
< content-length: 612
< vary: Accept-Encoding
< last-modified: Tue, 14 Apr 2020 14:19:26 GMT
< etag: "5e95c66e-264"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
< 
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host 10.156.0.24 left intact

编辑:

似乎没有一种方法可以手动设置;外部IP";对于可以在服务中进行的进入。如果你知道一个,请让我知道:-(。看来我最好的选择是尝试MetalLB。

MetalLB将是生产的最佳选择。如果您只为实验室运行它,您可以选择添加节点公共IP(与运行kubectl get nodes -o wide相同(,并将其连接到NGINX入口控制器。

将节点IP添加到NGINX入口控制器

spec:
externalIPs:
- 192.168.0.210

创建一个名为ingress-nginx-svc-patch.yaml的文件并粘贴上面的内容。

接下来,使用以下命令应用更改:

kubectl patch service ingress-nginx-controller -n kube-system --patch "$(cat ingress-nginx-svc-patch.yaml)"

结果:

$ kubectl get service -n kube-system ingress-nginx-controller
NAME                       TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.97.0.243   192.168.0.210   80:31409/TCP,443:30341/TCP   39m

我不是专家,但每当我看到一个服务处理http和https流量时,它都会在svc yaml中指定两个端口,一个用于http,另一个用于https。显然,有很多方法可以绕过这一点,在这里阅读可能是一个好的开始。

对于两个端口,请查看此处的官方k8s示例

我在同样的情况下挣扎了一段时间,正要开始使用metalLB,但在运行kubectl -n ingress-nginx get svc后,ingress nginx创建了自己的nodePort,我可以通过它访问集群。

我不是专家,但这可能不利于生产,但我不明白为什么不。

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium