Kubernetes ExternalName service to forward requests to a service outside the cluster

Posted by ffscu2ro on 2023-02-03 in Kubernetes

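We need to forward requests to a service outside the cluster.
/ -> some service outside the cluster (someapi.com)
/API -> a service inside the cluster
When I try to hit https://someapi.com/health, it gives me a proper response, but not through the ingress.
Ingress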

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: custom-ingress
  annotations:
    kubernetes.io/ingress.class: haproxy
status:
  loadBalancer: {}
spec:
  tls:
    - hosts:
        - mytenant.com
      secretName: tenant-secret
  rules:
    - host: mytenant.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: external-service
                port:
                  number: 80

Service

apiVersion: v1
kind: Service
metadata:
  name: external-service
status:
  loadBalancer: {}
spec:
  type: ExternalName
  sessionAffinity: None
  externalName: someapi.com

curl -ikv https://mytenant.com/health gives me
503 Service Unavailable
No server is available to handle this request.
Connection #0 to host mytenant.com left intact
I tried nslookup, and it resolves to an IP

/usr/src/app # nslookup external-service
Server:         901.63.1.11
Address:        901.63.1.11:53

external-service.default.svc.cluster.local    canonical name = someapi.com
someapi.com        canonical name = proxy-aws-can-55.elb.eu-central-1.amazonaws.com
Name:   proxy-aws-can-55.elb.eu-central-1.amazonaws.com
Address: 92.220.220.137
Name:   proxy-aws-can-55.elb.eu-central-1.amazonaws.com
Address: 33.43.161.163
Name:   proxy-aws-can-55.elb.eu-central-1.amazonaws.com
Address: 98.200.178.250

external-service.default.svc.cluster.local    canonical name = someapi.com
someapi.com        canonical name = proxy-aws-can-55.elb.eu-central-1.amazonaws.com

When I change the external service port to 80 (I also tried changing the service targetPort to 443)

spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: ExternalName
  sessionAffinity: None
  externalName: someapi.com

it keeps looping with 301

< HTTP/2 301
< content-length: 0
< location: https://mytenant.com/health
< strict-transport-security: max-age=15768000

(With the same setup, if I just change the externalName to httpbin.org, it works fine.)
When I change the ingress (port) and the service (port and targetPort) to 443,

REFUSED_STREAM, retrying a fresh connect
Connection died, tried 5 times before giving up
Closing connection 5
curl: (56) Connection died, tried 5 times before giving up

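I also tried setting the Host header as mentioned here, https://www.haproxy.com/documentation/kubernetes/latest/configuration/ingress/#set-host, but still no luck, 301.
Please help me understand how I should make this work. Thanks a lot!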

8ftvxx2r1#

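I got a working configuration: I changed the ingress (port) and the service (port/targetPort) to 443. In addition, I added the annotation ingress.kubernetes.io/backend-protocol: h1-ssl on the ingress.
I think I was getting the 301 because the upstream service expects HTTPS requests, and after adding the backend-protocol annotation, once SSL is terminated at the HAProxy controller, the new call it initiates is HTTPS and the request is fulfilled. Also, I think that in the case of an ExternalName service, the value of the service targetPort does not matter.
Ingress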

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: custom-ingress
  annotations:
    ingress.kubernetes.io/backend-protocol: h1-ssl
    kubernetes.io/ingress.class: haproxy
status:
  loadBalancer: {}
spec:
  tls:
    - hosts:
        - mytenant.com
      secretName: tenant-secret
  rules:
    - host: mytenant.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: external-service
                port:
                  number: 443

Service

apiVersion: v1
kind: Service
metadata:
  name: external-service
status:
  loadBalancer: {}
spec:
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
  type: ExternalName
  sessionAffinity: None
  externalName: someapi.com
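
The 301 loop from the question can be reproduced offline. This is an added example, not code from the original post or from HAProxy: it assumes the upstream's plaintext listener redirects every request to https:// on the Host header it received, and the handler class, helper names and local port are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class HttpsOnlyUpstream(BaseHTTPRequestHandler):
    """Constructed stand-in for the external API's port 80 (assumed behaviour):
    it never serves content over HTTP, it redirects to https://<Host><path>."""

    def do_GET(self):
        host = self.headers.get("Host", "")
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def proxy_plaintext(upstream_port, client_host, path):
    """What the ingress does without a backend-protocol annotation: TLS is
    terminated, then the request is replayed in cleartext with the client's Host."""
    conn = http.client.HTTPConnection("127.0.0.1", upstream_port, timeout=5)
    conn.request("GET", path, headers={"Host": client_host})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")


def is_redirect_loop(client_url, status, location):
    """A redirect that points at the URL the client already asked for never ends."""
    return status in (301, 302, 307, 308) and location == client_url


def demo():
    server = HTTPServer(("127.0.0.1", 0), HttpsOnlyUpstream)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, location = proxy_plaintext(server.server_port, "mytenant.com", "/health")
    finally:
        server.shutdown()
        server.server_close()
    return status, location, is_redirect_loop("https://mytenant.com/health", status, location)


if __name__ == "__main__":
    print(demo())
```

Besides ending the loop, re-encrypting to the backend on port 443 keeps requests that arrived over TLS from crossing the network to the external host in cleartext.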
