在 AWS EKS 中，我如何定义入口以将一个 ALB 用于多个子域 URL，每个子域 URL 都有自己的证书？

Question

我有多个服务需要暴露在互联网上，但我想为它们使用一个 ALB。

我使用的是最新的 AWS Load Balancer Controller, and I've been reading the documentation here (https://kubernetes-sigs.github.io/aws-load-balancer-controller/guide/ingress/annotations/#traffic-routing)，但我还没有找到关于如何实现这一点的明确解释。

设置如下：

我有服务-a.example.com -和- 服务-b.example.com。他们每个人在 Amazon Certificate Manager 中都有自己的证书。

在 Kubernetes 中，每个都有自己的服务对象定义如下（每个都是唯一的）：

apiVersion: v1
kind: Service
metadata:
  name: svc-a-service
  annotations:
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    alb.ingress.kubernetes.io/healthy-threshold-count: '5'
    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    alb.ingress.kubernetes.io/healthcheck-path: /index.html
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '30'
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    alb.ingress.kubernetes.io/success-codes: '200'
    alb.ingress.kubernetes.io/tags: Environment=Test,App=ServiceA
spec:
  selector:
    app: service-a
  ports:
  - port: 80
    targetPort: 80
  type: NodePort

每个服务都有自己的 Ingress 对象，定义如下（同样，每个服务都是唯一的，并为每个服务指定了正确的证书）：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: svc-a-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: services
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/security-groups: sg-01234567898765432
    alb.ingress.kubernetes.io/ip-address-type: ipv4
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/actions.response-503: >
      {"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"503","messageBody":"Unknown Host"}}
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true,idle_timeout.timeout_seconds=600
    alb.ingress.kubernetes.io/tags: Environment=Test
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:555555555555:certificate/33333333-2222-4444-AAAA-EEEEEEEEEEEE
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: svc-a-service
              servicePort: 80
          - path: /*
            backend:
              serviceName: response-503
              servicePort: use-annotation

HTTP 到 HTTPS 的重定向按预期工作。

但是——我的两个应用程序之间没有区别，因为负载均衡器能够知道发往 service-a.example.com 和 service-b.example.com 的流量应该路由到两个不同的目标群体。

在控制台的HTTP:443监听器规则中，显示：

IF Path is /* THEN Forward to ServiceATargetGroup
IF Path is /* THEN Return fixed 503
IF Path is /* THEN Forward to ServiceBTargetGroup
IF Path is /* THEN Return fixed 503
IF 请求否则未路由 THEN Return 已修复 404

所以这里的重要问题是： 应该如何定义入口以强制将发往 service-a.example.com 的流量强制到 ServiceATargetGroup - 并将发往 service-b.example.com 的流量强制到 ServiceBTargetGroup？

其次，我需要将“否则不路由”到 return 503 而不是 404。我原以为它只在规则中出现一次（被合并）——但它是为每个规则创建的入口。我的 yaml 应该如何构建才能实现这一目标？

Answer 1

我最终解决了这个问题——所以对于其他遇到这个问题的人 post，我是这样解决的：

诀窍不依赖于 Ingress object 之间的合并。是的，它可以处理一定程度的合并，但作为 TargetGroups 的服务和作为 ALB 的 Ingress 之间并没有真正的 one-to-one 关系。所以你必须非常小心并了解每个 Ingress object.

中的内容

一旦我将所有入口组合到一个 object 定义中，我就能够使用以下 YAML 使其完全按照我的意愿工作：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: svc-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: services
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/security-groups: sg-01234567898765432
    alb.ingress.kubernetes.io/ip-address-type: ipv4
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/actions.response-503: >
      {"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"503","messageBody":"Unknown Host"}}
    alb.ingress.kubernetes.io/actions.svc-a-host: >
      {"type":"forward","forwardConfig":{"targetGroups":[{"serviceName":"svc-a-service","servicePort":80,"weight":100}]}}
    alb.ingress.kubernetes.io/conditions.svc-a-host: >
      [{"field":"host-header","hostHeaderConfig":{"values":["svc-a.example.com"]}}]
    alb.ingress.kubernetes.io/actions.svc-b-host: >
      {"type":"forward","forwardConfig":{"targetGroups":[{"serviceName":"svc-b-service","servicePort":80,"weight":100}]}}
    alb.ingress.kubernetes.io/conditions.svc-b-host: >
      [{"field":"host-header","hostHeaderConfig":{"values":["svc-b.example.com"]}}]
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true,idle_timeout.timeout_seconds=600
    alb.ingress.kubernetes.io/tags: Environment=Test
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:555555555555:certificate/33333333-2222-4444-AAAA-EEEEEEEEEEEE,arn:aws:acm:us-east-2:555555555555:certificate/44444444-3333-5555-BBBB-FFFFFFFFFFFF
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
spec:
  backend:
    serviceName: response-503
    servicePort: use-annotation
  rules:
    - http:
        paths:
          - backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - backend:
              serviceName: svc-a-host
              servicePort: use-annotation
          - backend:
              serviceName: svc-b-host
              servicePort: use-annotation

默认操作：

直接在spec下指定serviceName和servicePort进行设置：

spec:
  backend:
    serviceName: response-503
    servicePort: use-annotation

路由：

因为我使用的是子域，路径对我不起作用，所以我只是省略了路径，而是依赖主机名作为条件。

metadata:
  alb.ingress.kubernetes.io/actions.svc-a-host: >
      {"type":"forward","forwardConfig":{"targetGroups":[{"serviceName":"svc-a-service","servicePort":80,"weight":100}]}}
  alb.ingress.kubernetes.io/conditions.svc-a-host: >
      [{"field":"host-header","hostHeaderConfig":{"values":["svc-a.example.com"]}}]

最终结果：

ALB 规则的配置完全符合我的要求：

默认操作是 503 固定响应
所有 http 流量都重定向到 https
流量根据主机定向到 TargetGroups header

Answer 2

AWS EKS 现在有了 IngressGroups 的概念，因此多个入口可以共享一个入口控制器。参见 Application load balancing on Amazon EKS

To share an application load balancer across multiple ingress resources using IngressGroups

To join an Ingress to an Ingress group, add the following annotation to a Kubernetes Ingress resource specification.

alb.ingress.kubernetes.io/group.name: <my-group>
The group name must be:

63 characters or less in length.

Consist of lower case alphanumeric characters, -, and ., and must start and end with an alphanumeric character.

The controller will automatically merge ingress rules for all Ingresses in the same Ingress group and support them with a single ALB. Most annotations defined on an Ingress only apply to the paths defined by that Ingress. By default, Ingress resources don't belong to any Ingress group.

在 AWS EKS 中，我如何定义入口以将一个 ALB 用于多个子域 URL，每个子域 URL 都有自己的证书？

In AWS EKS, how can I define ingress to use one ALB for multiple subdomain URLs, each with their own certificate?

amazon-web-services

kubernetes

kubernetes-ingress

amazon-eks