Kubernetes: add ingress internal ip to environment

For a .NET Core application, I need the internal IP address of the nginx ingress so that I can trust the proxy and process its forwarded headers.

This is done in my application with the following code:

forwardedHeadersOptions.KnownProxies.Add(IPAddress.Parse("10.244.0.16"));

Right now it is hard-coded. But how can I get this IP address into an environment variable of my container?

It seems that the given IP address is the endpoint of the ingress-nginx service in the ingress-nginx namespace:

❯ kubectl describe service ingress-nginx -n ingress-nginx
Name:                     ingress-nginx
Namespace:                ingress-nginx
Labels:                   app.kubernetes.io/name=ingress-nginx
                          app.kubernetes.io/part-of=ingress-nginx
Annotations:              kubectl.kubernetes.io/last-applied-configuration:
                            {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/par...
Selector:                 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
Type:                     LoadBalancer
IP:                       10.0.91.124
LoadBalancer Ingress:     40.127.224.177
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  30756/TCP
Endpoints:                10.244.0.16:80
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  31719/TCP
Endpoints:                10.244.0.16:443
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     32003
Events:                   <none>

FYI: this is my deployment:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: uwgazon-web
spec:
  replicas: 1
  paused: true
  template:
    metadata:
      labels:
        app: uwgazon-web
    spec:
      containers:
      - name: uwgazon-web
        image: uwgazon/web
        ports:
        - containerPort: 80
        resources:
          requests:
            memory: "128Mi"
            cpu: "250m"
          limits:
            memory: "256Mi"
            cpu: "500m"
        env:
        - name: UWGAZON_RECAPTCHA__SITEKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-recaptcha
              key: client-id
        - name: UWGAZON_RECAPTCHA__SERVERKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-recaptcha
              key: client-secret
        - name: UWGAZON_MAILGUN__BASEADDRESS
          valueFrom:
            secretKeyRef:
              name: uwgazon-mailgun
              key: base-address
        - name: UWGAZON_APPLICATIONINSIGHTS__INSTRUMENTATIONKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-appinsights
              key: instrumentationkey
        - name: APPINSIGHTS_INSTRUMENTATIONKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-appinsights
              key: instrumentationkey
        - name: UWGAZON_MAILGUN__APIKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-mailgun
              key: api-key
        - name: UWGAZON_MAILGUN__TOADDRESS
          valueFrom:
            secretKeyRef:
              name: uwgazon-mailgun
              key: to-address
        - name: UWGAZON_BLOG__NAME
          valueFrom:
            configMapKeyRef:
              name: uwgazon-config
              key: sitename
        - name: UWGAZON_BLOG__OWNER
          valueFrom:
            configMapKeyRef:
              name: uwgazon-config
              key: owner
        - name: UWGAZON_BLOG__DESCRIPTION
          valueFrom:
            configMapKeyRef:
              name: uwgazon-config
              key: description

And my ingress configuration:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: uwgazon-web-ingress
  annotations:
    cert-manager.io/issuer: "uwgazon-tls-issuer"
spec:
  tls:
  - hosts:
    - uwgazon.sdsoftware.be
    secretName: uwgazon-sdsoftware-be-tls
  rules:
  - host: uwgazon.sdsoftware.be
    http:
      paths:
      - backend:
          serviceName: uwgazon-web
          servicePort: 80

I found the solution for Asp.net Core.

First, you have to whitelist the proxy, otherwise the forwarded headers middleware will not work.

I found out that you can actually whitelist the whole network. That way you trust everything in the cluster. Kubernetes uses the 10.0.0.0/8 network (subnet mask 0.255.255.255). Trusting it can be done with the following code:

services.Configure<ForwardedHeadersOptions>(forwardedHeadersOptions =>
{
    forwardedHeadersOptions.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    forwardedHeadersOptions.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 8));
});
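As an added example (not code from the question or the answer above), here is the variant I would use in practice: instead of hard-coding one pod IP, or trusting all of 10.0.0.0/8, the trusted networks are read from an environment variable on the Deployment and only the pod CIDR that the ingress-nginx endpoint 10.244.0.16 lives in (10.244.0.0/16 in the cluster shown; check with `kubectl cluster-info dump | grep -m1 cluster-cidr`) is whitelisted. The environment variable name `UWGAZON_FORWARDEDHEADERS__KNOWNNETWORKS`, the `ForwardedHeadersSetup` class and the `ConfigureForwardedHeaders` method are my own names, not anything from the original project. The pod IP of the ingress controller changes whenever that pod is rescheduled, which is why a network rather than a single `KnownProxies` entry is used; the `ForwardedHeadersOptions` defaults (loopback only) are cleared so that nothing beyond the configured networks is trusted, and `ForwardLimit` stays at one hop because only the ingress's own `X-Forwarded-For` entry is trustworthy.

```csharp
// Added example, not from the original question or answer.
// Assumes the Deployment sets this (hypothetical) environment variable:
//
//   env:
//   - name: UWGAZON_FORWARDEDHEADERS__KNOWNNETWORKS
//     value: "10.244.0.0/16"
//
// i.e. the pod network of the ingress-nginx endpoint (10.244.0.16 above),
// rather than a single pod IP or the whole 10.0.0.0/8.
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public static class ForwardedHeadersSetup
{
    // Name of the environment variable read at startup (assumption, see lead-in).
    public const string KnownNetworksVariable = "UWGAZON_FORWARDEDHEADERS__KNOWNNETWORKS";

    // Parses a comma-separated list such as "10.244.0.0/16,10.0.91.124/32"
    // into IPNetwork entries. A bare address without a prefix length is
    // treated as a single host (/32 for IPv4, /128 for IPv6).
    public static IPNetwork[] ParseNetworks(string value)
    {
        if (string.IsNullOrWhiteSpace(value))
            return Array.Empty<IPNetwork>();

        return value.Split(',', StringSplitOptions.RemoveEmptyEntries)
            .Select(entry => entry.Trim())
            .Select(entry =>
            {
                var parts = entry.Split('/');
                var address = IPAddress.Parse(parts[0]);
                var prefixLength = parts.Length > 1
                    ? int.Parse(parts[1])
                    : (address.AddressFamily == AddressFamily.InterNetworkV6 ? 128 : 32);
                return new IPNetwork(address, prefixLength);
            })
            .ToArray();
    }

    // Call from ConfigureServices; then add app.UseForwardedHeaders() early
    // in Configure, before anything that reads Request.Scheme or RemoteIpAddress.
    public static void ConfigureForwardedHeaders(IServiceCollection services)
    {
        var networks = ParseNetworks(Environment.GetEnvironmentVariable(KnownNetworksVariable));
        if (networks.Length == 0)
            throw new InvalidOperationException(
                $"{KnownNetworksVariable} is not set; refusing to start without a trusted proxy network.");

        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // Clear the loopback defaults so that only the configured networks
            // are trusted as proxies.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            foreach (var network in networks)
                options.KnownNetworks.Add(network);

            // One hop: the ingress appends the real client address; any earlier
            // X-Forwarded-For entries are attacker-controlled and must be ignored.
            options.ForwardLimit = 1;
        });
    }
}
```

Failing fast when the variable is missing is deliberate: with an empty `KnownNetworks` the middleware silently ignores the forwarded headers, and the application would then see the ingress pod's IP as the client address and `http` as the scheme without any error.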