Deploying Spring Boot with http/2 enabled, in Kubernetes with ingress and Namecheap certificate

I want to deploy Spring Boot with http/2 enabled in a Kubernetes cluster with a Namecheap certificate, but I always get this error:

    io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

My configuration is:

-application.properties:

    server.port=8443
    server.http2.enabled=true
    server.ssl.enabled=true
    server.ssl.key-store=classpath:keystore/cert.p12
    server.ssl.key-store-type=PKCS12
    server.ssl.key-store-password=password

-Dockerfile:

    FROM openjdk:11.0.8-slim

    VOLUME /tmp

    ARG DEPENDENCY=target/dependency
    COPY ${DEPENDENCY}/BOOT-INF/lib /app/lib
    COPY ${DEPENDENCY}/META-INF /app/META-INF
    COPY ${DEPENDENCY}/BOOT-INF/classes /app

    ENTRYPOINT ["java","-cp","app:app/lib/*","com.package.app"]

-Ingress:

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      name: example
      namespace: http2
    spec:
      rules:
        - host: domain.com
          http:
            paths:
              - backend:
                  serviceName: service-http2
                  servicePort: 8443
                path: /
      tls:
        - hosts:
            - domain.com
          secretName: secret-tls

-cert: I have two files:

I used this command to convert my certificate to .p12:

    openssl pkcs12 -export -in cert.crt -inkey key.key -out cert.p12

-my.yaml file:

    apiVersion: v1
    kind: Service
    metadata:
      name: back-http2
      namespace: http2
      labels:
        app: back-http2
    spec:
      type: ClusterIP
      ports:
      - name: http
        protocol: TCP
        port: 8080
      - name: https
        protocol: TCP
        port: 8443
      selector:
        app: back-http2
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: back-http2-deployment
      namespace: http2
      labels:
        app: back-http2
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: back-http2
      template:
        metadata:
          labels:
            app: back-http2
        spec:
          containers:
          - name: back-dev
            image: docker/registry:back-http2
            imagePullPolicy: Always
            ports:
            - name: http
              protocol: TCP
              containerPort: 8080
            - name: https
              protocol: TCP
              containerPort: 8443
          imagePullSecrets:
          - name: secret

-Versions:

Spring Boot: 2.4.2

Kubernetes: 1.20.2

nginx ingress controller deployed with helm: ingress-nginx-4.0.3

Any help would be greatly appreciated! Thanks!

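You need to configure TLS passthrough in your nginx ingress definition:

    nginx.ingress.kubernetes.io/ssl-passthrough: "true"

Make sure the ingress controller itself has been started with support for this flag, e.g.:

    args:
      - --enable-ssl-passthrough

The reason behind this is that HTTP2 requires TLS by default.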
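A diagnostic sketch, added here and not part of the original question or answer: the hex string netty appends to `NotSslRecordException` is the first bytes it received on the TLS port, so decoding it shows whether the peer spoke TLS or plaintext HTTP (which is what arrives when a proxy in front terminates TLS and forwards unencrypted traffic). The function name `classify` and the sample byte strings are constructed for illustration.

```python
"""Classify the hex dump quoted in a NotSslRecordException (added example)."""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")
H2_PREFACE = b"PRI * HTTP/2.0\r\n"  # start of the cleartext HTTP/2 preface
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed sample inputs (not taken from the page).
SAMPLE_HTTP1 = b"GET / HTTP/1.1\r\nHost: domain.com\r\n".hex()
SAMPLE_H2C = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n".hex()
SAMPLE_TLS = "1603010200010001fc0303"  # record header + start of a ClientHello


def classify(hexdump: str) -> str:
    """Return what the first bytes received on the TLS port look like."""
    try:
        data = bytes.fromhex(hexdump.strip())
    except ValueError:
        return "invalid-hex"
    # TLS record header: type(1) | version major(1) minor(1) | length(2)
    if (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 3 and data[2] <= 4):
        length = int.from_bytes(data[3:5], "big")
        if 0 < length <= 2**14 + 2048:
            return "tls-record:" + TLS_CONTENT_TYPES[data[0]]
    if data.startswith(H2_PREFACE):
        return "plaintext-http2"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http1"
    return "unknown"


if __name__ == "__main__":
    for name, sample in [("http1", SAMPLE_HTTP1), ("h2c", SAMPLE_H2C),
                         ("tls", SAMPLE_TLS)]:
        print(f"{name:6s} -> {classify(sample)}")
```

A `plaintext-http1` or `plaintext-http2` result means the connection reached the Spring Boot TLS port unencrypted, so the fix belongs in the hop in front of the pod rather than in the keystore.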