Kubernetes service on HTTPS

Question

Requirement: To set up a Kubernetes service that is publicly accessible in the browser over HTTPS.

I browsed through the internet and everywhere I saw nginx-ingress, which can give an HTTPS URL.

I have an ingress setup and it's working as expected.
But my doubt is, this ingress will only run on my local, as I make the changes in the /etc/hosts file of my local? How can I make the HTTPS URL publicly accessible? I want my load balancer service to be accessed publicly with HTTPS. I have my application running on a GKE cluster. Please guide.

Answer 1

Score: 1

> I have an ingress setup and it's working as expected. But my doubt is

Guessing you are on GKE running the Nginx ingress controller, and with that you have the IP address exposed publicly. You might be adding domain records to /etc/hosts and mapping them to the IP of the load balancer from GCP.

You have to use DNS to map the load balancer IP to your hostname. Add an A record in the DNS server and map it to the domain.

example.com 192.168.xx.xx

You can read more here about HTTPS cert creation: https://kubernetes.github.io/ingress-nginx/user-guide/tls/

Your ingress will look like:

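```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
    # "false" leaves plain HTTP reachable without a redirect to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - example.com
    # Secret of type kubernetes.io/tls holding the certificate and key
    secretName: letsencrypt-staging
  rules:
    - host: example.com
      http:
        paths:
          - path: /api/users/?(.*)
            # Regex paths need ImplementationSpecific; Prefix expects a literal path
            pathType: ImplementationSpecific
            backend:
              service:
                name: auth-srv
                port:
                  number: 3000
```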

Read my article if you are planning to use cert-manager: https://medium.com/@harsh.manvar111/kubernetes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d (the article has the old Ingress API version; use the one above for reference).

The above one provides the self-signed cert; when you open it in the browser it will throw an error, so I would recommend downloading and creating the cert using cert-manager or a free SSL site.

If you are using cert-manager, it will create the K8s secret in GKE and you have to use this secret with the ingress. If downloading from a site, you have to manually create the K8s secret.

GCP official reference doc: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl#secrets

It has all the methods mentioned, including secret, user-managed, and Google-managed cert with ingress.

If you are using a Google Cloud managed cert, you can also leverage it and attach it to the load balancer so you will be able to use HTTPS.
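
The cert-manager route described in the answer, written out as an added example that is not part of the original answer or its linked article. It assumes cert-manager is already installed in the cluster and that example.com has a public DNS A record pointing at the ingress controller's load balancer IP; the issuer name, e-mail address and secret names are placeholders.

```yaml
# Added example. Assumes cert-manager is installed and example.com resolves
# publicly to the load balancer IP (HTTP-01 validation needs port 80 reachable).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod                 # hypothetical issuer name
spec:
  acme:
    # Production endpoint: issues browser-trusted certificates. The staging
    # endpoint issues test certificates that browsers reject.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com             # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                 # challenge is served through ingress-nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    # Tells cert-manager to request a certificate for the hosts under spec.tls
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Redirect plain HTTP to HTTPS once the certificate is in place
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - example.com
      secretName: example-com-tls        # placeholder; cert-manager creates and renews it
  rules:
    - host: example.com
      http:
        paths:
          - path: /api/users/?(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: auth-srv
                port:
                  number: 3000
```

The private key stays inside the cluster in the `example-com-tls` secret, so restrict read access to secrets in that namespace with RBAC.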
