尽管未配置 TLS,minikube 入口仍坚持使用 HTTPS
minikube ingress insisting on HTTPS despite TLS not configured
我想使用 minikube 在本地测试我的(Helm 打包的)Kubernetes 应用程序,使用 Kubernetes 入口将 HTTP 代理到我的应用程序提供的 HTTP 服务。但这不起作用,因为入口(或入口控制器)坚持认为连接是 HTTPS,尽管我没有请求 TLS。如何确保入口允许 HTTP?
kubectl get --output=yaml ingress 表明有一个入口资源,用于 HTTP,没有 TLS:
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
kind: Ingress
metadata:
creationTimestamp: "2019-10-06T10:54:38Z"
generation: 1
labels:
app.kubernetes.io/instance: quarreling-shrimp
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: mc
app.kubernetes.io/version: 2.3.1-SNAPSHOT
helm.sh/chart: mc-2.3.1
name: quarreling-shrimp-mc
namespace: default
resourceVersion: "126597"
selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/quarreling-shrimp-mc
uid: 296f8d69-8f40-49c5-b352-acbc6ec1cc19
spec:
rules:
- http:
paths:
- backend:
serviceName: quarreling-shrimp-mc-be-svc
servicePort: 8080
path: /api
- backend:
serviceName: quarreling-shrimp-mc-fe
servicePort: 80
path: /
status:
loadBalancer:
ingress:
- ip: 192.168.122.66
kind: List
metadata:
resourceVersion: ""
selfLink: ""
但是当我尝试使用 HTTP 访问应用程序时,响应尝试重定向以使用 HTTPS。这是 curl -i 192.168.122.66:
的输出
HTTP/1.1 308 Permanent Redirect
Server: openresty/1.15.8.1
Date: Sun, 06 Oct 2019 11:22:40 GMT
Content-Type: text/html
Content-Length: 177
Connection: keep-alive
Location: https://192.168.122.66/
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>openresty/1.15.8.1</center>
</body>
</html>
minikube 使用 Nginx Ingress controller. That controller does a permanent redirect (HTTP status code 308) from initial HTTP to HTTPS:
By default the controller redirects (308) to HTTPS if TLS is enabled for that ingress
但是,正如您所指出的,文档建议在您的情况下不应进行重定向,因为您尚未启用 TLS。
我观察到,一旦我在未启用 TLS 的情况下将 host: 字段添加到特定 Ingress 资源,生成的 curl 命令 returns HTTP/1.1 200 没有重定向操作:
rules:
- host: example.com
http:
paths:
- backend:
serviceName: some-svc
servicePort: 80
path: /
$ curl -v http://$(kubectl get svc -l component=controller -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}') -H 'Host: example.com'
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200
但是没有匹配主机的 HTTP GET 会导致重定向:
$ curl -v http://$(kubectl get svc -l component=controller -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
> GET / HTTP/1.1
> Host: XX.XX.XX.XX
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
因此,我想虽然 host: 字段是可选的,但如果您没有在目标 Ingress 资源中指定它,Ingress 控制器将无法正确识别 TLS 相关设置。
我想使用 minikube 在本地测试我的(Helm 打包的)Kubernetes 应用程序,使用 Kubernetes 入口将 HTTP 代理到我的应用程序提供的 HTTP 服务。但这不起作用,因为入口(或入口控制器)坚持认为连接是 HTTPS,尽管我没有请求 TLS。如何确保入口允许 HTTP?
kubectl get --output=yaml ingress 表明有一个入口资源,用于 HTTP,没有 TLS:
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
kind: Ingress
metadata:
creationTimestamp: "2019-10-06T10:54:38Z"
generation: 1
labels:
app.kubernetes.io/instance: quarreling-shrimp
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: mc
app.kubernetes.io/version: 2.3.1-SNAPSHOT
helm.sh/chart: mc-2.3.1
name: quarreling-shrimp-mc
namespace: default
resourceVersion: "126597"
selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/quarreling-shrimp-mc
uid: 296f8d69-8f40-49c5-b352-acbc6ec1cc19
spec:
rules:
- http:
paths:
- backend:
serviceName: quarreling-shrimp-mc-be-svc
servicePort: 8080
path: /api
- backend:
serviceName: quarreling-shrimp-mc-fe
servicePort: 80
path: /
status:
loadBalancer:
ingress:
- ip: 192.168.122.66
kind: List
metadata:
resourceVersion: ""
selfLink: ""
但是当我尝试使用 HTTP 访问应用程序时,响应尝试重定向以使用 HTTPS。这是 curl -i 192.168.122.66:
HTTP/1.1 308 Permanent Redirect
Server: openresty/1.15.8.1
Date: Sun, 06 Oct 2019 11:22:40 GMT
Content-Type: text/html
Content-Length: 177
Connection: keep-alive
Location: https://192.168.122.66/
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>openresty/1.15.8.1</center>
</body>
</html>
minikube 使用 Nginx Ingress controller. That controller does a permanent redirect (HTTP status code 308) from initial HTTP to HTTPS:
By default the controller redirects (308) to HTTPS if TLS is enabled for that ingress
但是,正如您所指出的,文档建议在您的情况下不应进行重定向,因为您尚未启用 TLS。
我观察到,一旦我在未启用 TLS 的情况下将 host: 字段添加到特定 Ingress 资源,生成的 curl 命令 returns HTTP/1.1 200 没有重定向操作:
rules:
- host: example.com
http:
paths:
- backend:
serviceName: some-svc
servicePort: 80
path: /
$ curl -v http://$(kubectl get svc -l component=controller -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}') -H 'Host: example.com'
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200
但是没有匹配主机的 HTTP GET 会导致重定向:
$ curl -v http://$(kubectl get svc -l component=controller -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
> GET / HTTP/1.1
> Host: XX.XX.XX.XX
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
因此,我想虽然 host: 字段是可选的,但如果您没有在目标 Ingress 资源中指定它,Ingress 控制器将无法正确识别 TLS 相关设置。