问题描述
我在 Kubernetes 1.19 上使用 Nginx(尝试使用 docker 桌面和 GKE)并尝试公开 gRPC 服务。我已经使用以下命令安装了 Nginx,并确认我可以在端口 80 上公开 REST 服务,并在端口 443 上进行适当的配置。
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.41.2/deploy/static/provider/cloud/deploy.yaml
但是,在创建 gRPC 入口后,我无法再访问端口 80 上的标准 REST 服务。我遇到了 502,因为 nginx 尝试将此 HTTP/1 流量推送到我的 gRPC 服务。如果我执行 kubectl get ingress
,我可以看到入口在端口 80 和 443 上可用,而我只想要 443。这是入口(抱歉所有注释 - 尝试一下)。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
allowed-values: CN=client
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false"
nginx.ingress.kubernetes.io/auth-tls-secret: default/localhost
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
nginx.ingress.kubernetes.io/grpc-backend: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 64ms
name: tfserving-ingress
namespace: default
spec:
rules:
- host: localhost
http:
paths:
- backend:
serviceName: tfserving-service
servicePort: 8500
tls:
- secretName: localhost
hosts:
- localhost
如何使用不会将 http 流量重定向到我的 gRPC 服务的 TLS 为该域创建入口?
解决方法
您可以尝试在同一台主机上添加 multipke 入口,一个有 tls,另一个没有 tls。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
allowed-values: CN=client
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false"
nginx.ingress.kubernetes.io/auth-tls-secret: default/localhost
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
nginx.ingress.kubernetes.io/grpc-backend: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 64ms
name: tfserving-ingress
namespace: default
spec:
rules:
- host: localhost
http:
paths:
- backend:
serviceName: gRPC-service
servicePort: 8500
tls:
- secretName: localhost
hosts:
- localhost
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
allowed-values: CN=client
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/proxy-body-size: 64ms
name: rest-http-ingress
namespace: default
spec:
rules:
- host: localhost
http:
paths:
- backend:
serviceName: http-rest-service
servicePort: 8080