我如何使用 Ambassador Emissary -ingress for TLS?
How can I use Ambassador Emissary -ingress for TLS?
我有一个非常快速的问题。为了澄清一些事情,我必须与您分享我的邮递结果。
我正在使用 2 篇文章来获得成功:
https://www.getambassador.io/docs/emissary/pre-release/topics/install/
https://www.getambassador.io/docs/emissary/pre-release/howtos/tls-termination/
我正在尝试为我的 Ambassador Ingress 添加 TLS。一切看起来都很好。请往下看
但是当我通过 https 发送请求时(看上面的邮递员)
它 returns 给我的错误:“错误:客户端网络套接字在建立安全 TLS 连接之前断开连接”
我的 deployment.yaml 将有助于解决我的问题:
apiVersion: apps/v1
kind: Deployment
metadata:
name: echo-deployment
spec:
replicas: 1
selector:
matchLabels:
app: echo-server
template:
metadata:
labels:
app: echo-server
spec:
containers:
- name: echo-server
image: jmalloc/echo-server
ports:
- name: http-port
containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: echo-service
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8443
selector:
app: echo-server
---
apiVersion: x.getambassador.io/v3alpha1
kind: AmbassadorMapping
metadata:
name: echo-backend
namespace: default
spec:
hostname: "*"
prefix: /echo/
service: echo-service
---
apiVersion: x.getambassador.io/v3alpha1
kind: AmbassadorListener
metadata:
name: emissary-ingress-listener-8080
namespace: emissary
spec:
port: 8080
protocol: HTTPPROXY
securityModel: XFP
hostBinding:
namespace:
from: ALL
---
apiVersion: x.getambassador.io/v3alpha1
kind: AmbassadorHost
metadata:
name: wildcard-host
spec:
hostname: "*"
acmeProvider:
authority: none
tlsSecret:
name: tls-cert
selector:
matchLabels:
hostname: wildcard-host
also I am using curl to be sure
```C
curl -Lk https://143.198.247.222/echo/
{
"server": "trim-kumquat-fccjxh8x",
"quote": "Abstraction is ever present.",
"time": "2019-07-24T16:36:56.7983516Z"
}
Emissary 和 Edge Stack 实际上以相同的方式处理 TLS – 考虑到 curl 有效,我倾向于认为您在这里看到的是您按照说明获得 自签名 TLS 证书,Postman 只是对证书比 curl 更严格。
如果您从 curl 中删除 -k,我预计它也会失败。同样,如果您从浏览器执行 HTTPS,大多数浏览器对适当的证书 非常 挑剔。所以我建议您首先获得一个正确签名的证书(也许来自 Let's Encrypt?),然后尝试一下。
我有一个非常快速的问题。为了澄清一些事情,我必须与您分享我的邮递结果。
我正在使用 2 篇文章来获得成功:
https://www.getambassador.io/docs/emissary/pre-release/topics/install/
https://www.getambassador.io/docs/emissary/pre-release/howtos/tls-termination/
我正在尝试为我的 Ambassador Ingress 添加 TLS。一切看起来都很好。请往下看
但是当我通过 https 发送请求时(看上面的邮递员) 它 returns 给我的错误:“错误:客户端网络套接字在建立安全 TLS 连接之前断开连接”
我的 deployment.yaml 将有助于解决我的问题:
apiVersion: apps/v1
kind: Deployment
metadata:
name: echo-deployment
spec:
replicas: 1
selector:
matchLabels:
app: echo-server
template:
metadata:
labels:
app: echo-server
spec:
containers:
- name: echo-server
image: jmalloc/echo-server
ports:
- name: http-port
containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: echo-service
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8443
selector:
app: echo-server
---
apiVersion: x.getambassador.io/v3alpha1
kind: AmbassadorMapping
metadata:
name: echo-backend
namespace: default
spec:
hostname: "*"
prefix: /echo/
service: echo-service
---
apiVersion: x.getambassador.io/v3alpha1
kind: AmbassadorListener
metadata:
name: emissary-ingress-listener-8080
namespace: emissary
spec:
port: 8080
protocol: HTTPPROXY
securityModel: XFP
hostBinding:
namespace:
from: ALL
---
apiVersion: x.getambassador.io/v3alpha1
kind: AmbassadorHost
metadata:
name: wildcard-host
spec:
hostname: "*"
acmeProvider:
authority: none
tlsSecret:
name: tls-cert
selector:
matchLabels:
hostname: wildcard-host
also I am using curl to be sure
```C
curl -Lk https://143.198.247.222/echo/
{
"server": "trim-kumquat-fccjxh8x",
"quote": "Abstraction is ever present.",
"time": "2019-07-24T16:36:56.7983516Z"
}
Emissary 和 Edge Stack 实际上以相同的方式处理 TLS – 考虑到 curl 有效,我倾向于认为您在这里看到的是您按照说明获得 自签名 TLS 证书,Postman 只是对证书比 curl 更严格。
如果您从 curl 中删除 -k,我预计它也会失败。同样,如果您从浏览器执行 HTTPS,大多数浏览器对适当的证书 非常 挑剔。所以我建议您首先获得一个正确签名的证书(也许来自 Let's Encrypt?),然后尝试一下。