问题描述
我想使用 https 保护网络浏览器和我的网络应用程序之间的连接。我的应用程序包含使用 GKE 部署的 play Web 应用程序。应用程序在没有 https 的情况下运行良好。然后我进行了以下更改,导致应用程序无法访问。
应用类型为 Deployment。
apiVersion: apps/v1
kind: Deployment
Metadata:
name: webapp
spec:
replicas: 2
selector:
matchLabels:
app: webapp
它有一个与之关联的 service
apiVersion: v1
kind: Service
Metadata:
name: webapp-service
spec:
selector:
app: webapp
ports:
- protocol: TCP
port: 9000 #this service is reachable at this port
targetPort: 9000 #this service will forward the request to correspoding nodes of the service at this port
#type: LoadBalancer
type: NodePort
然后我按照此处描述的步骤生成了 certificates 和 secrets - https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
openssl genrsa -out webapp-ingress.key 2048
openssl req -new -key webapp-ingress.key -out test-ingress-1.csr -subj "/CN=webapp.com"
openssl x509 -req -days 365 -in test-ingress-1.csr -signkey wewbapp-ingress.key -out webapp-ingress.crt
kubectl create secret tls test-ingress-1.csr --cert webapp-ingress.crt --key webapp-ingress.key
然后我应用以下文件来创建 ingress
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
Metadata:
name: webapp-https-loadbalancer-ingress
annotations:
# If the class annotation is not specified it defaults to "gce".
#There are two Ingress classes available for GKE Ingress. The gce class deploys an external load balancer and the gce-internal class deploys an internal load balancer. Ingress resources without a class specified default to gce.
kubernetes.io/ingress.class: "gce"
# kubernetes.io/ingress.global-static-ip-name: SomeReservedIP
# networking.gke.io/managed-certificates: SomeSSLCertificate
kubernetes.io/ingress.allow-http: "false"
spec:
tls:
- secretName: test-ingress-1.csr
rules:
- host: webapp.com
- http:
paths:
- path: /*
backend:
serviceName: webapp-service
servicePort: 9000
当我运行时,我可以看到有一个 IP 地址(也可以从外部访问)
kubectl describe ingress codingjedi-https-loadbalancer-ingress
Name: webapp-https-loadbalancer-ingress
Namespace: default
Address: 3x.yyy.zzz.pq
Default backend: default-http-backend:80 (10.88.0.5:8080)
TLS:
test-ingress-1.csr terminates
Rules:
Host Path Backends
---- ---- --------
*
/* webapp-service:9000 (10.88.0.9:9000,10.88.1.11:9000)
... kubernetes.io/ingress.allow-http: false
kubernetes.io/ingress.class: gce
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
normal ADD 13m loadbalancer-controller default/webapp-https-loadbalancer-ingress
normal CREATE 12m loadbalancer-controller ip: 3x.yyy.zzz.pq
但我无法使用 https://3x.yyy.zzz.pq 访问该应用程序。我尚未将域与 IP 关联。我收到警告 Your connection is not private,如果我仍然继续,我会看到错误
更新 - 为了尝试负载均衡器在没有 https 的情况下是否工作,我从 secret 文件中删除了 ingress 信息
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
Metadata:
name: webapp-https-loadbalancer-ingress
annotations:
kubernetes.io/ingress.class: "gce"
# kubernetes.io/ingress.global-static-ip-name: LerenReservedIP
# networking.gke.io/managed-certificates: LerenSSLCertificate
# kubernetes.io/ingress.allow-http: "false"
spec:
#tls:
#- secretName: test-ingress-1.csr
rules:
#- host: leren.space
- http:
paths:
- path: /*
backend:
serviceName: codingjediweb-service
servicePort: 9000
服务器仍然无法访问,curl 显示 502 bad gateway 错误
curl -v 3x.xxx.xxx.xxx
* Expire in 0 ms for 6 (transfer 0x55d4c5258f90)
* Trying 3x.xxx.xxx.xxx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55d4c5258f90)
* Connected to 3x.xxx.xxx.xxx (3x.xxx.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: 3x.xxx.xxx.xxx
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 502 Bad Gateway
< Content-Type: text/html; charset=UTF-8
< Referrer-Policy: no-referrer
< Content-Length: 332
< Date: Tue,22 Dec 2020 22:27:23 GMT
<
<html><head>
<Meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>502 Server Error</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Server Error</h1>
<h2>The server encountered a temporary error and Could not complete your request.<p>Please try again in 30 seconds.</h2>
<h2></h2>
</body></html>
* Connection #0 to host 3x.xxx.xxx.xxx left intact
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)