How to redirect HTTP to HTTPS with the Kubernetes ingress controller on Amazon EKS

Posted by nue99wik on 2022-11-02 in Kubernetes

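I have configured Amazon Certificate Manager, the ALB ingress controller, and a domain name for my application. I can access my application through both port 80 and port 443 (all certificates work fine). However, I would like to automatically redirect all traffic coming from HTTP to HTTPS, so that people who type the domain name themselves are redirected to HTTPS. I have followed this page and this one, but I cannot make it work.
This is my ingress.yaml file: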

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: metabase
  namespace: bigdata
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/***
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/scheme: internet-facing

  labels:
    app: metabase
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: metabase
              servicePort: 3000

This is my service:

apiVersion: v1
kind: Service
metadata:
  name: metabase
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:****:certificate/****
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  namespace: bigdata
  labels:
    app: metabase
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: http-server
    - name: http
      protocol: TCP
      port: 80
      targetPort: http-server
  selector:
    app: metabase
  type: LoadBalancer

This is my deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: metabase-deployment
  namespace: bigdata
  labels:
    app: metabase
spec:
  replicas: 2
  selector:
    matchLabels:
      app: metabase
  template:
    metadata:
      labels:
        app: metabase
    spec:
      containers:
        - name: metabase
          image: metabase/metabase
          ports:
            - containerPort: 3000
              name: http-server
          resources:
            limits:
              cpu: "1"
              memory: "2Gi"

Thanks for your support! :-)


t98cgbkg1#

I was able to make it work!! Basically I modified the ingress.yaml and service.yaml files.
The ingress.yaml looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: metabase
  namespace: bigdata
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:***:certificate/****
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group: metabase # name of my app

  labels:
    app: metabase

spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: metabase
              servicePort: 443

My service looks like this:

apiVersion: v1
kind: Service
metadata:
  name: metabase
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:***:certificate/***
  namespace: bigdata
  labels:
    app: metabase
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: http-server
    - name: http
      protocol: TCP
      port: 80
      targetPort: http-server
  selector:
    app: metabase
  type: LoadBalancer

ufj5ltwl2#

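You need to use the nginx.ingress.kubernetes.io/force-ssl-redirect: "true" annotation:
When using SSL offloading outside of the cluster (e.g. AWS ELB), it may be useful to enforce a redirect to HTTPS even when there is no TLS certificate available. This can be achieved by using the nginx.ingress.kubernetes.io/force-ssl-redirect: "true" annotation in the particular resource.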


qkf9rpyu3#

In case you are looking for the correct new syntax (the rest is the same):

- path: /
  pathType: Prefix
  backend:
    service:
      name: ssl-redirect
      port:
        name: use-annotation

qcbq4gxm4#

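I spent quite a long time trying to make this work and finally succeeded. Someone may find it useful. I will try to describe a step-by-step approach to setting up an ALB with HTTP to HTTPS redirection.
1. Check that your ALB controller is up and running: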

kubectl get deployment -n kube-system aws-load-balancer-controller

The output should look similar to this:

NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
aws-load-balancer-controller   1/1     1            1           18h

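If the controller is not working, no load balancer will be created.
2. Check that your YAML file is good. Below I have provided a simple YAML file that worked in my case. Some comments on this file:
a) Please use your own SSL/TLS certificate ARN (I used XXXXXXX).
b) Please use your own image (I used YYYYYYYYYY). My container image is stored in ECR (Elastic Container Registry).
c) Please note the strange service labelled ssl-redirect with servicePort: use-annotation, which is created as per the annotation specification:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/guide/ingress/annotations/
3. Once you run kubectl apply -f service.yaml, please check two things:
a) kubectl -n default describe ingress
This command should show that reconciliation succeeded. The end of the output should show:
Normal SuccessfullyReconciled 11s (x3 over 18m) ingress Successfully reconciled
In the same output (at the top), please pay no attention to the log entry:
/* ssl-redirect:use-annotation (<error: endpoints "ssl-redirect" not found>)
b) aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn,'default-nginx')].{Arn: LoadBalancerArn}" --output text | xargs -I {} aws elbv2 describe-listeners --load-balancer-arn {}
This command should show that a new ALB and two "listeners" have been created. Please pay no attention to the fact that the HTTP listener does not appear to have a correct redirect configuration.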

-- YAML --

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: default
  name: nginx-ingress
  annotations:
      kubernetes.io/ingress.class: alb
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/tags: createdBy=aws-controller
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
      alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXX

  labels:
    app: nginx-ingress

spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: nginx-service
              servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  namespace: default
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - name: http
      protocol: TCP
      port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: YYYYYYYYYYYY.dkr.ecr.eu-central-1.amazonaws.com/webfe:latest
        ports:
        - containerPort: 80

b5lpy0ml5#

AWS Load Balancer Controller v2.4 documentation
Example Ingress Manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
 namespace: default
 name: ingress
 annotations:
   alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxx:certificate/xxxxxx
   alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
   alb.ingress.kubernetes.io/ssl-redirect: '443'
spec:
 ingressClassName: alb
 rules:
   - http:
       paths:
        - path: /users/*
          pathType: ImplementationSpecific
          backend:
            service:
              name: user-service
              port:
                number: 80
        - path: /*
          pathType: ImplementationSpecific
          backend:
            service:
              name: default-service
              port:
                number: 80

ffscu2ro6#

If anyone is looking for the updated syntax:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect:
      '{"Type": "redirect", "RedirectConfig":
      { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/certificate-arn: <cert arn>
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance
    external-dns.alpha.kubernetes.io/hostname: <your domain>
    kubernetes.io/ingress.class: alb
spec:
  rules:
    - http:
        paths:
          - backend:
              service:
                name: ssl-redirect
                port:
                  name: use-annotation
            path: /
            pathType: Prefix
          - backend:
              service:
                name: nginx-service
                port:
                  number: 80
            path: /
            pathType: Prefix

---
apiVersion: v1
kind: Service
metadata:
  namespace: default
  name: nginx-service
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: YYYYYYYYYYYY.dkr.ecr.eu-central-1.amazonaws.com/webfe:latest
        ports:
        - containerPort: 80
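
A pre-deployment check for the two redirect forms shown in the answers above (the `actions.ssl-redirect` action with a `use-annotation` backend, which has to be the first path because the ALB evaluates rules in order, and the single `ssl-redirect` annotation), added here as an example and not part of any answer. It assumes the Ingress is passed as a parsed `kubectl get ingress -o json` object, that `listen-ports` is set explicitly, and that the action uses the capitalised JSON keys seen on this page; the function names and the sample manifest are constructed for illustration.

```python
import json

ALB = "alb.ingress.kubernetes.io/"

def _backend(path):
    """(service, port) for extensions/v1beta1 and networking.k8s.io/v1 paths."""
    b = path.get("backend", {})
    if "service" in b:
        port = b["service"].get("port", {})
        return b["service"].get("name"), port.get("name", port.get("number"))
    return b.get("serviceName"), b.get("servicePort")

def check_https_redirect(ingress):
    """Return findings; an empty list means HTTP is redirected to HTTPS."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    listeners, findings = set(), []
    try:
        ports = json.loads(ann.get(ALB + "listen-ports", "[]"))
        listeners = {(k, str(v)) for entry in ports for k, v in entry.items()}
    except (ValueError, AttributeError, TypeError):
        findings.append("listen-ports is not a JSON list of objects")
    for want in (("HTTP", "80"), ("HTTPS", "443")):
        if want not in listeners:
            findings.append("listen-ports lacks %s:%s" % want)
    if ALB + "ssl-redirect" in ann:  # single-annotation form (answer 5)
        if ("HTTPS", str(ann[ALB + "ssl-redirect"])) not in listeners:
            findings.append("ssl-redirect port has no HTTPS listener")
        return findings
    try:  # action form; assumes the capitalised JSON keys used on this page
        cfg = json.loads(ann.get(ALB + "actions.ssl-redirect", "{}"))["RedirectConfig"]
    except (ValueError, KeyError, TypeError):
        cfg = {}
    if not isinstance(cfg, dict) or cfg.get("Protocol") != "HTTPS":
        findings.append("no ssl-redirect annotation and no HTTPS redirect action")
    for rule in ingress.get("spec", {}).get("rules", []):
        paths = rule.get("http", {}).get("paths", [])
        if not paths or _backend(paths[0]) != ("ssl-redirect", "use-annotation"):
            findings.append("first path of a rule is not the ssl-redirect action")
    return findings

# Constructed sample (`kubectl get ingress -o json` shape) with the app path first.
SAMPLE = {"metadata": {"annotations": {
    ALB + "listen-ports": '[{"HTTP": 80}, {"HTTPS":443}]',
    ALB + "actions.ssl-redirect": '{"Type": "redirect", "RedirectConfig": '
        '{"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'}},
    "spec": {"rules": [{"http": {"paths": [
        {"backend": {"serviceName": "metabase", "servicePort": 3000}},
        {"backend": {"serviceName": "ssl-redirect", "servicePort": "use-annotation"}}]}}]}}
print(check_https_redirect(SAMPLE))
```

Running it against the constructed sample reports the path-ordering problem; swapping the two paths clears the finding.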
