如何使用 Amazon EKS 上的 kubernetes 入口控制器将 http 重定向到 https
how to redirect http to https using a kubernetes ingress controller on Amazon EKS
我已经为我的应用程序配置了亚马逊证书管理器、ALB 入口控制器和域名。我可以通过端口 80 和端口 443 访问我的应用程序(所有证书都可以正常工作)。但是,我想自动将所有来自 HTTP 的流量重定向到 HTTPS,以便将自己键入域名的人重定向到 HTTPS。我已关注 this page and this one,但我无法使其正常运行
这是我的 ingress.yaml 文件:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: metabase
namespace: bigdata
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/***
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: internet-facing
labels:
app: metabase
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: metabase
servicePort: 3000
这是我的服务:
apiVersion: v1
kind: Service
metadata:
name: metabase
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:****:certificate/****
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
namespace: bigdata
labels:
app: metabase
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: http-server
- name: http
protocol: TCP
port: 80
targetPort: http-server
selector:
app: metabase
type: LoadBalancer
广告这是我的部署:
apiVersion: apps/v1
kind: Deployment
metadata:
name: metabase-deployment
namespace: bigdata
labels:
app: metabase
spec:
replicas: 2
selector:
matchLabels:
app: metabase
template:
metadata:
labels:
app: metabase
spec:
containers:
- name: metabase
image: metabase/metabase
ports:
- containerPort: 3000
name: http-server
resources:
limits:
cpu: "1"
memory: "2Gi"
感谢您的支持! :-)
您需要使用 nginx.ingress.kubernetes.io/force-ssl-redirect: "true" 注释:
When using SSL offloading outside of cluster (e.g. AWS ELB) it may be
useful to enforce a redirect to HTTPS even when there is no TLS
certificate is available. This can be achieved by using the
nginx.ingress.kubernetes.io/force-ssl-redirect: "true" annotation in
the particular resource.
我成功了!!
基本上我修改了 ingress.yaml 和 service.yaml 文件
ingress.yaml 看起来像这样:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: metabase
namespace: bigdata
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/****
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/group: metabase # name of my app
labels:
app: metabase
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: metabase
servicePort: 443
我的服务是这样的:
apiVersion: v1
kind: Service
metadata:
name: metabase
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:***:certificate/***
namespace: bigdata
labels:
app: metabase
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: http-server
- name: http
protocol: TCP
port: 80
targetPort: http-server
selector:
app: metabase
type: LoadBalancer
我花了很多时间尝试完成这项工作,终于成功了。可能有人会发现它很有用。我将尝试逐步描述使用 HTTP 到 HTTPs 重定向设置 ALB 的方法。
- 检查您的 ALB 控制器是否启动并且 运行ning:
kubectl get deployment -n kube-system aws-load-balancer-controller
打印输出应类似于以下:
NAME READY UP-TO-DATE AVAILABLE AGE
aws-load-balancer-controller 1/1 1 1 18h
如果您的控制器不工作,则不会创建负载均衡器。
检查你的yaml文件是否完好。下面我提供了一个适用于我的案例的简单 Yaml 文件。
关于此文件的一些评论:
a) 请使用您的 SSL/TLS 证书 ARN(我使用 XXXXXXX)。
b) 请使用您的图片(我使用的是 YYYYYYYYYY)。我的容器镜像存储在 ECR(Elastic Container Registry)中。
c) 请注意一个奇怪的服务标记为 ssl-redirect with servicePort:
use-annotations 是根据注解规范创建的。
https://kubernetes-sigs.github.io/aws-load-balancer-controller/guide/ingress/annotations/
一旦你运行:
kubectl apply -f service.yaml
请检查两件事:
一)kubectl -n default describe ingress
此命令应显示协调成功:打印输出的末尾应显示:
Normal SuccessfullyReconciled 11s (x3 over 18m) ingress Successfully reconciled
在同一个打印输出中(打印输出的顶部)不要注意日志条目:
/* ssl-redirect:use-annotation (<error: endpoints "ssl-redirect" not found>)
b) aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn,'default-nginx')].{Arn: LoadBalancerArn}" --output text | xargs -I {} aws elbv2 describe-listeners --load-balancer-arn {}
此命令应向您显示已创建新的 ALB 和两个侦听器。不要注意HTTP侦听器
似乎没有正确的重定向配置。
-- YAML--
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: default
name: nginx-ingress
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/tags: createdBy=aws-controller
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXX
labels:
app: nginx-ingress
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: nginx-service
servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
namespace: default
name: nginx-service
spec:
selector:
app: nginx
ports:
- name: http
protocol: TCP
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: YYYYYYYYYYYY.dkr.ecr.eu-central-1.amazonaws.com/webfe:latest
ports:
- containerPort: 80
以防万一您正在寻找合适的新语法(其余相同)
- path: /
pathType: Prefix
backend:
service:
name: ssl-redirect
port:
name: use-annotation
我已经为我的应用程序配置了亚马逊证书管理器、ALB 入口控制器和域名。我可以通过端口 80 和端口 443 访问我的应用程序(所有证书都可以正常工作)。但是,我想自动将所有来自 HTTP 的流量重定向到 HTTPS,以便将自己键入域名的人重定向到 HTTPS。我已关注 this page and this one,但我无法使其正常运行
这是我的 ingress.yaml 文件:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: metabase
namespace: bigdata
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/***
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: internet-facing
labels:
app: metabase
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: metabase
servicePort: 3000
这是我的服务:
apiVersion: v1
kind: Service
metadata:
name: metabase
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:****:certificate/****
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
namespace: bigdata
labels:
app: metabase
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: http-server
- name: http
protocol: TCP
port: 80
targetPort: http-server
selector:
app: metabase
type: LoadBalancer
广告这是我的部署:
apiVersion: apps/v1
kind: Deployment
metadata:
name: metabase-deployment
namespace: bigdata
labels:
app: metabase
spec:
replicas: 2
selector:
matchLabels:
app: metabase
template:
metadata:
labels:
app: metabase
spec:
containers:
- name: metabase
image: metabase/metabase
ports:
- containerPort: 3000
name: http-server
resources:
limits:
cpu: "1"
memory: "2Gi"
感谢您的支持! :-)
您需要使用 nginx.ingress.kubernetes.io/force-ssl-redirect: "true" 注释:
When using SSL offloading outside of cluster (e.g. AWS ELB) it may be useful to enforce a redirect to HTTPS even when there is no TLS certificate is available. This can be achieved by using the
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"annotation in the particular resource.
我成功了!! 基本上我修改了 ingress.yaml 和 service.yaml 文件
ingress.yaml 看起来像这样:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: metabase
namespace: bigdata
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/****
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/group: metabase # name of my app
labels:
app: metabase
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: metabase
servicePort: 443
我的服务是这样的:
apiVersion: v1
kind: Service
metadata:
name: metabase
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:***:certificate/***
namespace: bigdata
labels:
app: metabase
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: http-server
- name: http
protocol: TCP
port: 80
targetPort: http-server
selector:
app: metabase
type: LoadBalancer
我花了很多时间尝试完成这项工作,终于成功了。可能有人会发现它很有用。我将尝试逐步描述使用 HTTP 到 HTTPs 重定向设置 ALB 的方法。
- 检查您的 ALB 控制器是否启动并且 运行ning:
kubectl get deployment -n kube-system aws-load-balancer-controller
打印输出应类似于以下:
NAME READY UP-TO-DATE AVAILABLE AGE
aws-load-balancer-controller 1/1 1 1 18h
如果您的控制器不工作,则不会创建负载均衡器。
检查你的yaml文件是否完好。下面我提供了一个适用于我的案例的简单 Yaml 文件。 关于此文件的一些评论:
a) 请使用您的 SSL/TLS 证书 ARN(我使用 XXXXXXX)。
b) 请使用您的图片(我使用的是 YYYYYYYYYY)。我的容器镜像存储在 ECR(Elastic Container Registry)中。
c) 请注意一个奇怪的服务标记为 ssl-redirect with servicePort:
use-annotations 是根据注解规范创建的。
https://kubernetes-sigs.github.io/aws-load-balancer-controller/guide/ingress/annotations/一旦你运行:
kubectl apply -f service.yaml请检查两件事:
一)kubectl -n default describe ingress
此命令应显示协调成功:打印输出的末尾应显示:
Normal SuccessfullyReconciled 11s (x3 over 18m) ingress Successfully reconciled
在同一个打印输出中(打印输出的顶部)不要注意日志条目:
/* ssl-redirect:use-annotation (<error: endpoints "ssl-redirect" not found>)
b)aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn,'default-nginx')].{Arn: LoadBalancerArn}" --output text | xargs -I {} aws elbv2 describe-listeners --load-balancer-arn {}
此命令应向您显示已创建新的 ALB 和两个侦听器。不要注意HTTP侦听器 似乎没有正确的重定向配置。
-- YAML--
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: default
name: nginx-ingress
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/tags: createdBy=aws-controller
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXX
labels:
app: nginx-ingress
spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- path: /*
backend:
serviceName: nginx-service
servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
namespace: default
name: nginx-service
spec:
selector:
app: nginx
ports:
- name: http
protocol: TCP
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: YYYYYYYYYYYY.dkr.ecr.eu-central-1.amazonaws.com/webfe:latest
ports:
- containerPort: 80
以防万一您正在寻找合适的新语法(其余相同)
- path: /
pathType: Prefix
backend:
service:
name: ssl-redirect
port:
name: use-annotation