AWS ALB Ingress Controller 不通过 TLS 解析
AWS ALB Ingress Controller doesn't resolve over TLS
我已经安装并配置了 AWS ALB Ingress Controller(https://github.com/kubernetes-sigs/aws-alb-ingress-controller),它可以通过 HTTP 正常工作。但是,它不会通过 HTTPS 解析。
Ingress 资源如下:
$ kubectl describe ingress api-gateway-ingress
Name: api-gateway-ingress
Namespace: orbix-mvp
Address: 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
Default backend: default-http-backend:80 (<none>)
TLS:
api-gateway.orbixpay.com terminates api-gateway.orbixpay.com,4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
Rules:
Host Path Backends
---- ---- --------
*
/* api-gateway:3000 (<none>)
Annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
alb.ingress.kubernetes.io/subnets: subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
alb.ingress.kubernetes.io/success-codes: 302
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","alb.ingress.kubernetes.io/ssl-policy":"ELBSecurityPolicy-2016-08","alb.ingress.kubernetes.io/subnets":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","alb.ingress.kubernetes.io/success-codes":"302","kubernetes.io/ingress.class":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"api-gateway.orbixpay.com","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}
Events: <none>
我还按照此处的说明添加了自签名 SSL 证书:
https://kubernetes.github.io/ingress-nginx/user-guide/tls/
编辑 Ingress 如下所示:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
alb.ingress.kubernetes.io/subnets: subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
alb.ingress.kubernetes.io/success-codes: "302"
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","alb.ingress.kubernetes.io/ssl-policy":"ELBSecurityPolicy-2016-08","alb.ingress.kubernetes.io/subnets":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","alb.ingress.kubernetes.io/success-codes":"302","kubernetes.io/ingress.class":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"api-gateway.orbixpay.com","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}
kubernetes.io/ingress.class: alb
creationTimestamp: "2019-03-07T14:57:22Z"
generation: 8
labels:
app: api-gateway
name: api-gateway-ingress
namespace: orbix-mvp
resourceVersion: "2230952"
selfLink: /apis/extensions/v1beta1/namespaces/orbix-mvp/ingresses/api-gateway-ingress
uid: 4fd70b63-40e9-11e9-bfe7-024a064218ac
spec:
rules:
- http:
paths:
- backend:
serviceName: api-gateway
servicePort: 3000
path: /*
tls:
- hosts:
- api-gateway.orbixpay.com
- 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
secretName: api-gateway.orbixpay.com
status:
loadBalancer:
ingress:
- hostname: 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
事实是,Ingress 不会通过 TLS 解析 - 它只是超时。据我所知,这是设置它的正确方法,所以我对它为什么不起作用一无所知。感谢任何帮助。
我认为您在这里混淆了两种不同的东西:
您想要使用 ALB Ingress Controller,但显示您正在使用 Nginx Controller 的配置。这些实际上是 2 个完全不同的项目。它们服务于一个共同的目的,但实际上是完全不同的解决方法。
Nginx 在您的集群上 运行,而 ALB Ingress Controller 实际上只是配置一个在其自己的机器上运行的 ALB。
要注意的是,ALB 不能使用自定义证书。至少不是直接来自 Kubernetes。它们需要先放在 ACM 中。
如果您已经在 ACM 中拥有证书,根据 documentation.
,ALB Ingress Controller 应该匹配它
您还可以像这样指定要用于负载均衡器的证书
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:1231234564:certificate/4564abc12-d3c2-4455-8c39-45354cddaf03
(替换为您从 ACM 获得的 ARN)
一些更通用的调试技巧:
- 在 AWS 管理控制台中搜索负载均衡器并检查您的侦听器是否已按预期应用。如果看起来你会配置它,那么这里的逻辑一定是有问题的。
- 如果没有应用它们,可能是 ALB Ingress Controller 在解析您的入口时遇到了问题。检查 kube-system 命名空间中 alb-ingress-controller pod 的日志以获取更多详细信息。
我已经安装并配置了 AWS ALB Ingress Controller(https://github.com/kubernetes-sigs/aws-alb-ingress-controller),它可以通过 HTTP 正常工作。但是,它不会通过 HTTPS 解析。
Ingress 资源如下:
$ kubectl describe ingress api-gateway-ingress
Name: api-gateway-ingress
Namespace: orbix-mvp
Address: 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
Default backend: default-http-backend:80 (<none>)
TLS:
api-gateway.orbixpay.com terminates api-gateway.orbixpay.com,4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
Rules:
Host Path Backends
---- ---- --------
*
/* api-gateway:3000 (<none>)
Annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
alb.ingress.kubernetes.io/subnets: subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
alb.ingress.kubernetes.io/success-codes: 302
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","alb.ingress.kubernetes.io/ssl-policy":"ELBSecurityPolicy-2016-08","alb.ingress.kubernetes.io/subnets":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","alb.ingress.kubernetes.io/success-codes":"302","kubernetes.io/ingress.class":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"api-gateway.orbixpay.com","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}
Events: <none>
我还按照此处的说明添加了自签名 SSL 证书:
https://kubernetes.github.io/ingress-nginx/user-guide/tls/
编辑 Ingress 如下所示:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
alb.ingress.kubernetes.io/subnets: subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
alb.ingress.kubernetes.io/success-codes: "302"
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","alb.ingress.kubernetes.io/ssl-policy":"ELBSecurityPolicy-2016-08","alb.ingress.kubernetes.io/subnets":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","alb.ingress.kubernetes.io/success-codes":"302","kubernetes.io/ingress.class":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"api-gateway.orbixpay.com","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}
kubernetes.io/ingress.class: alb
creationTimestamp: "2019-03-07T14:57:22Z"
generation: 8
labels:
app: api-gateway
name: api-gateway-ingress
namespace: orbix-mvp
resourceVersion: "2230952"
selfLink: /apis/extensions/v1beta1/namespaces/orbix-mvp/ingresses/api-gateway-ingress
uid: 4fd70b63-40e9-11e9-bfe7-024a064218ac
spec:
rules:
- http:
paths:
- backend:
serviceName: api-gateway
servicePort: 3000
path: /*
tls:
- hosts:
- api-gateway.orbixpay.com
- 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
secretName: api-gateway.orbixpay.com
status:
loadBalancer:
ingress:
- hostname: 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
事实是,Ingress 不会通过 TLS 解析 - 它只是超时。据我所知,这是设置它的正确方法,所以我对它为什么不起作用一无所知。感谢任何帮助。
我认为您在这里混淆了两种不同的东西: 您想要使用 ALB Ingress Controller,但显示您正在使用 Nginx Controller 的配置。这些实际上是 2 个完全不同的项目。它们服务于一个共同的目的,但实际上是完全不同的解决方法。 Nginx 在您的集群上 运行,而 ALB Ingress Controller 实际上只是配置一个在其自己的机器上运行的 ALB。
要注意的是,ALB 不能使用自定义证书。至少不是直接来自 Kubernetes。它们需要先放在 ACM 中。
如果您已经在 ACM 中拥有证书,根据 documentation.
,ALB Ingress Controller 应该匹配它您还可以像这样指定要用于负载均衡器的证书
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:1231234564:certificate/4564abc12-d3c2-4455-8c39-45354cddaf03
(替换为您从 ACM 获得的 ARN)
一些更通用的调试技巧:
- 在 AWS 管理控制台中搜索负载均衡器并检查您的侦听器是否已按预期应用。如果看起来你会配置它,那么这里的逻辑一定是有问题的。
- 如果没有应用它们,可能是 ALB Ingress Controller 在解析您的入口时遇到了问题。检查 kube-system 命名空间中 alb-ingress-controller pod 的日志以获取更多详细信息。