Я установил Kubernetes NGINX Вход в кластер kubernetes
Я развернул все на AWS Экземпляр EC2 и Classi c Балансировщик нагрузки находится перед контроллером Ingress. Я могу получить доступ к сервису через порт http, но не могу получить к нему доступ через https.
У меня есть действительная покупка домена у Godaddy, и я получил AWS сертификат SSL от Диспетчер сертификатов
Слушатели балансировщика нагрузки настраиваются, как показано ниже.
Я изменил службу доступа NGINX (добавлен сертификат ARN)
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
# Enable PROXY protocol
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
# Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
# NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
# increased to '3600' to avoid any potential issues.
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:297483230626:certificate/ffe5a2b3-ceff-4ef2-bf13-8da5b4212121"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
type: LoadBalancer
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
Правила входа
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: practice-ingress
namespace: practice
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
rules:
- host: kdhut.com
http:
paths:
- backend:
serviceName: customer-service
servicePort: 9090
path: /customer
- backend:
serviceName: prac-service
servicePort: 8000
path: /prac
Я могу получить доступ к службе в http, но https не работает.
Я попробовал curl
curl -v https://kdhut.com -H 'Host: kdhut.com'
* Rebuilt URL to: https://kdhut.com/
* Trying 3.12.176.17...
* TCP_NODELAY set
* Connected to kdhut.com (3.12.176.17) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=kdhut.com
* start date: Mar 20 00:00:00 2020 GMT
* expire date: Apr 20 12:00:00 2021 GMT
* subjectAltName: host "kdhut.com" matched cert's "kdhut.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: kdhut.com
> User-Agent: curl/7.58.0
> Accept: */*