GKE - 如何通过 L7 负载均衡器提供 HTTPS?
GKE - How to serve HTTPS via the L7 load balancer?
如何配置 Google 计算引擎 (GKE) L7 负载平衡器以提供 HTTPS?
我已经使 HTTP 正常工作,但是当我按照 in the guide 所述配置 TLS 时,它不会响应 HTTPS 请求。具体来说,spec.tls 部分应确保负载平衡器使用 HTTPS。
入口规范
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: l7-ingress
spec:
tls:
- secretName: web-secret
backend:
serviceName: web
servicePort: 8080
Kubernetes 下的 Ingress 描述
✗ kubectl describe ing
Name: l7-ingress
Namespace: default
Address: 130.211.11.24
Default backend: web:8080 (10.32.2.5:8080)
TLS:
web-secret terminates
Rules:
Host Path Backends
---- ---- --------
Annotations:
target-proxy: k8s-tp-default-l7-ingress
url-map: k8s-um-default-l7-ingress
backends: {"k8s-be-32051":"HEALTHY"}
forwarding-rule: k8s-fw-default-l7-ingress
No events.
L7 控制器日志
✗ kubectl logs --namespace=kube-system l7-lb-controller-v0.6.0-fbj20 -c l7-lb-controller
I0420 13:46:15.089090 1 main.go:159] Starting GLBC image: glbc:0.6.0
I0420 13:46:16.149998 1 gce.go:245] Using existing Token Source &oauth2.reuseTokenSource{new:google.computeSource{account:""}, mu:sync.Mutex{state:0, sema:0x0}, t:(*oauth2.Token)(nil)}
I0420 13:46:16.150399 1 controller.go:190] Starting loadbalancer controller
I0420 14:37:02.033271 1 event.go:211] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"l7-ingress", UID:"585651e5-0705-11e6-88d0-42010af0005e", APIVersion:"extensions", ResourceVersion:"2367", FieldPath:""}): type: 'Normal' reason: 'ADD' default/l7-ingress
I0420 14:37:02.227796 1 instances.go:56] Creating instance group k8s-ig
I0420 14:37:06.166686 1 gce.go:1654] Adding port 32051 to instance group k8s-ig with 0 ports
I0420 14:37:06.834215 1 backends.go:116] Creating backend for instance group k8s-ig port 32051 named port &{port32051 32051 []}
I0420 14:37:07.036501 1 healthchecks.go:49] Creating health check k8s-be-32051
I0420 14:37:16.305240 1 gce.go:1654] Adding port 30007 to instance group k8s-ig with 1 ports
I0420 14:37:16.911701 1 backends.go:116] Creating backend for instance group k8s-ig port 30007 named port &{port30007 30007 []}
I0420 14:37:17.108589 1 healthchecks.go:49] Creating health check k8s-be-30007
I0420 14:37:25.213110 1 loadbalancers.go:128] Creating l7 default-l7-ingress
I0420 14:37:26.038349 1 loadbalancers.go:288] Creating url map k8s-um-default-l7-ingress for backend k8s-be-30007
I0420 14:37:30.305857 1 loadbalancers.go:304] Creating new http proxy for urlmap k8s-um-default-l7-ingress
I0420 14:37:34.643141 1 loadbalancers.go:397] Creating forwarding rule for proxy [k8s-tp-default-l7-ingress] and ip :80-80
I0420 14:37:43.301563 1 controller.go:325] Updating loadbalancer default/l7-ingress with IP 130.211.11.24
I0420 14:37:43.329469 1 event.go:211] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"l7-ingress", UID:"585651e5-0705-11e6-88d0-42010af0005e", APIVersion:"extensions", ResourceVersion:"2367", FieldPath:""}): type: 'Normal' reason: 'CREATE' ip: 130.211.11.24
这应该可以工作 http://blog.kubernetes.io/2016/03/Kubernetes-1.2-and-simplifying-advanced-networking-with-Ingress.html,运行 入口上的 kubectl describe 应该会告诉你创建了什么,入口控制器上的 kubectl 日志应该会告诉你它在做什么(控制器是 运行 在 kube-system 命名空间中)。您需要静态 ip 的配额,因为当您指定一个秘密时,您将被分配一个。
因为有一堆不同的故障模式,回复这个,我可以帮助调试。
由于 Kubernetes 中可能存在错误,必须先删除入口然后重新创建它(而不是像我那样做 kubectl replace):
kubectl delete -f ingress.yaml
kubectl create -f ingress.yaml
如何配置 Google 计算引擎 (GKE) L7 负载平衡器以提供 HTTPS?
我已经使 HTTP 正常工作,但是当我按照 in the guide 所述配置 TLS 时,它不会响应 HTTPS 请求。具体来说,spec.tls 部分应确保负载平衡器使用 HTTPS。
入口规范
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: l7-ingress
spec:
tls:
- secretName: web-secret
backend:
serviceName: web
servicePort: 8080
Kubernetes 下的 Ingress 描述
✗ kubectl describe ing
Name: l7-ingress
Namespace: default
Address: 130.211.11.24
Default backend: web:8080 (10.32.2.5:8080)
TLS:
web-secret terminates
Rules:
Host Path Backends
---- ---- --------
Annotations:
target-proxy: k8s-tp-default-l7-ingress
url-map: k8s-um-default-l7-ingress
backends: {"k8s-be-32051":"HEALTHY"}
forwarding-rule: k8s-fw-default-l7-ingress
No events.
L7 控制器日志
✗ kubectl logs --namespace=kube-system l7-lb-controller-v0.6.0-fbj20 -c l7-lb-controller
I0420 13:46:15.089090 1 main.go:159] Starting GLBC image: glbc:0.6.0
I0420 13:46:16.149998 1 gce.go:245] Using existing Token Source &oauth2.reuseTokenSource{new:google.computeSource{account:""}, mu:sync.Mutex{state:0, sema:0x0}, t:(*oauth2.Token)(nil)}
I0420 13:46:16.150399 1 controller.go:190] Starting loadbalancer controller
I0420 14:37:02.033271 1 event.go:211] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"l7-ingress", UID:"585651e5-0705-11e6-88d0-42010af0005e", APIVersion:"extensions", ResourceVersion:"2367", FieldPath:""}): type: 'Normal' reason: 'ADD' default/l7-ingress
I0420 14:37:02.227796 1 instances.go:56] Creating instance group k8s-ig
I0420 14:37:06.166686 1 gce.go:1654] Adding port 32051 to instance group k8s-ig with 0 ports
I0420 14:37:06.834215 1 backends.go:116] Creating backend for instance group k8s-ig port 32051 named port &{port32051 32051 []}
I0420 14:37:07.036501 1 healthchecks.go:49] Creating health check k8s-be-32051
I0420 14:37:16.305240 1 gce.go:1654] Adding port 30007 to instance group k8s-ig with 1 ports
I0420 14:37:16.911701 1 backends.go:116] Creating backend for instance group k8s-ig port 30007 named port &{port30007 30007 []}
I0420 14:37:17.108589 1 healthchecks.go:49] Creating health check k8s-be-30007
I0420 14:37:25.213110 1 loadbalancers.go:128] Creating l7 default-l7-ingress
I0420 14:37:26.038349 1 loadbalancers.go:288] Creating url map k8s-um-default-l7-ingress for backend k8s-be-30007
I0420 14:37:30.305857 1 loadbalancers.go:304] Creating new http proxy for urlmap k8s-um-default-l7-ingress
I0420 14:37:34.643141 1 loadbalancers.go:397] Creating forwarding rule for proxy [k8s-tp-default-l7-ingress] and ip :80-80
I0420 14:37:43.301563 1 controller.go:325] Updating loadbalancer default/l7-ingress with IP 130.211.11.24
I0420 14:37:43.329469 1 event.go:211] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"l7-ingress", UID:"585651e5-0705-11e6-88d0-42010af0005e", APIVersion:"extensions", ResourceVersion:"2367", FieldPath:""}): type: 'Normal' reason: 'CREATE' ip: 130.211.11.24
这应该可以工作 http://blog.kubernetes.io/2016/03/Kubernetes-1.2-and-simplifying-advanced-networking-with-Ingress.html,运行 入口上的 kubectl describe 应该会告诉你创建了什么,入口控制器上的 kubectl 日志应该会告诉你它在做什么(控制器是 运行 在 kube-system 命名空间中)。您需要静态 ip 的配额,因为当您指定一个秘密时,您将被分配一个。
因为有一堆不同的故障模式,回复这个,我可以帮助调试。
由于 Kubernetes 中可能存在错误,必须先删除入口然后重新创建它(而不是像我那样做 kubectl replace):
kubectl delete -f ingress.yaml
kubectl create -f ingress.yaml