入口控制器上的重定向太多

Question

我正在尝试根据以下内容设置 Ingress Controller：
https://kubernetes.github.io/ingress-nginx/deploy/#aws
它适用于 ELB，但出于某种原因，如果我在 NLB 中设置以下内容：

nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"

然后我收到 Too many redirects 错误。
如果我将以上设置为 false，那么我可以分别访问 HTTP 和 HTTPS，但没有重定向。

在我的 NLB 服务注释中，我有：

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:12345:certificate/xyz
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-FS-1-2-2019-08
...
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: http
      appProtocol: https

对于运行正常的 ELB 我有：

    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:12345:certificate/xyz
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-type: elb
...
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: tohttps
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: http
      appProtocol: https

我尝试了很多组合，但我无法让 NLB 以与 ELB 相同的方式运行。

Answer 1

尝试删除 appProtocol: https 并在 LB 级别卸载 SSL

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:12345:certificate/xyz
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-FS-1-2-2019-08
...
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: HTTP

您可以在以下位置检查配置：https://aws.amazon.com/blogs/opensource/network-load-balancer-nginx-ingress-controller-eks/

此外，从具有 80 和 TLS 443 侦听器的 AWS 控制台 LB 检查。

SSL 卸载和终止：https://aws.amazon.com/premiumsupport/knowledge-center/terminate-https-traffic-eks-acm/

Answer 2

如果后端协议设置为“ssl”，一切正常，除了我们无缘无故地进行双 TLS 卸载（首先在 NLB 上，然后在入口上）。如果后端协议设置为“tcp”，我们将收到“发送到 TLS 端口的纯 HTTP 请求”错误。如果我们将 https 映射到 http 端口以解决上述问题，那么 HTTP -> HTTPS 重定向将停止工作。

所以为了让它与 NLB 一起工作，我需要将后端协议设置为 ssl：service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl 然后：

spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https

入口控制器上的重定向太多

Too many redirects on ingress-controller

kubernetes

kubernetes-ingress