Enabling HTTPS port in k8s
I am trying to add port 5665 to the istio-ingressgateway. It has been added, but the traffic is not (I think) routed correctly, because I keep getting an SSL error:
curl -k https://api.loadbalancer.local.com:5665/v1/bla ; echo
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
I can telnet to the port on the ingressgateway LB:
❯ telnet api.loadbalancer.local.com 5665
Trying 10.239.49.9...
Connected to api.loadbalancer.local.com.
Escape character is '^]'.
If I call the POD IP directly, the service responds fine:
IP:             10.23.49.90
Controlled By:  ReplicaSet/icinga2-84bd777b9
Containers:
  icinga2:
    Image:          jordan/icinga2:latest
    Ports:          80/TCP, 443/TCP, 5665/TCP
    Host Ports:     0/TCP, 0/TCP, 0/TCP
    State:          Running
    Ready:          True
    Restart Count:  0
    Liveness:       http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3
❯ curl -k https://10.23.49.90:5665/
<h1>Unauthorized. Please check your user credentials.</h1>%
❯ curl -k https://10.23.49.90:5665/v1/bla
<h1>Unauthorized. Please check your user credentials.</h1>%
❯ curl -k http://10.23.49.90:5665/
curl: (52) Empty reply from server
Routing configuration
- istio-ingress-gateway, used to open the port:
    - name: api
      nodePort: 30431
      port: 5665
      protocol: TCP
      targetPort: 5665
- Gateway configuration:
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1beta1
  kind: Gateway
  spec:
    selector:
      istio: ingressgateway
    servers:
    - hosts:
      - '*'
      port:
        name: api
        number: 5665
        protocol: HTTPS
      tls:
        mode: SIMPLE
Virtual service
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1beta1
  kind: VirtualService
  spec:
    gateways:
    - icinga2
    hosts:
    - '*'
    http:
    - match:
      - port: 5665
      route:
      - destination:
          host: icinga2.default.svc.cluster.local
          port:
            number: 5665
Question
What am I doing wrong that keeps this port from working the way it does when I call the POD IP directly?
I also think that the reason I get curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number is some configuration error.
Moreover, I do not even know where to look to troubleshoot this, so if someone could explain where to look, that would help as well.
Regards.
Just adding the answer on how I solved the problem, for others.
Gateway
Changes:
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 5665
      protocol: HTTPS
      targetPort: 5665
    tls:
      mode: PASSTHROUGH
Virtual service
Changes:
spec:
  gateways:
  - icinga2
  hosts:
  - '*'
  tls:
  - match:
    - port: 5665
    route:
    - destination:
        host: icinga2.default.svc.cluster.local
        port:
          number: 5665
Note the tls tag above the match rule; before, I somehow had http there.
Now I can call the API over https:
❯ curl -k https://api.loadbalancer.local.com:5665/v1/bla ; echo
<h1>Unauthorized. Please check your user credentials.</h1>
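Added example, not part of the question or the answer above: a small Python probe for the "where do I look" part of the question. It sends a genuine ClientHello to the gateway port and classifies the first bytes that come back, so a listener that answers in plaintext HTTP (the condition behind curl's `wrong version number`) is told apart from one that answers with a TLS handshake or a TLS alert. The host name is taken from the question; the sample replies are constructed for the offline checks.

```python
import socket
import ssl

# Constructed sample replies for offline checks; none were captured from a real gateway.
TLS_SERVER_HELLO = bytes.fromhex("160303002a020000260303") + b"\x00" * 32
TLS_ALERT = bytes.fromhex("15030300020228")  # fatal handshake_failure alert
PLAINTEXT_HTTP = b"HTTP/1.1 404 Not Found\r\ncontent-length: 0\r\n\r\n"


def classify_reply(data: bytes) -> str:
    """Name what the first bytes a server sent back to a ClientHello look like."""
    if not data:
        return "no-reply"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        # TLS record header: content type (alert or handshake), then major version 3
        return "tls-alert" if data[0] == 0x15 else "tls-handshake"
    if data.startswith(b"HTTP/"):
        # An HTTP response to a ClientHello is what makes curl/OpenSSL report
        # "wrong version number": the listener is speaking plaintext HTTP on that port.
        return "plaintext-http"
    return "unknown"


def client_hello(server_name: str) -> bytes:
    """Build a genuine ClientHello with no network I/O by driving ssl over MemoryBIOs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # we only want the bytes, not a verified session
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                        # expected: the handshake now waits for a ServerHello
    return outgoing.read()


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect like curl would, send one ClientHello and classify the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    # Target taken from the question; adjust host and port for your own gateway.
    print(probe("api.loadbalancer.local.com", 5665))
```

With the original SIMPLE/http configuration the expected result on the gateway port is "plaintext-http" or "tls-alert", and after the PASSTHROUGH/tls fix it is "tls-handshake" from the icinga2 pod itself.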