Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

0 votes
683 views
in Technique by (71.8m points)

kubernetes - Implementing workaround for missing http->https redirection in ingress-gce with GLBC

I am trying to wrap my brain around the suggested workarounds for the lack of built-in HTTP->HTTPS redirection in ingress-gce, using GLBC. What I am struggling with is how to use this custom backend that is suggested as one option to overcome this limitation (e.g. in How to force SSL for Kubernetes Ingress on GKE).

In my case the application behind the load-balancer does not itself have apache or nginx, and I just can't figure out how to include e.g. apache (which I know way better than nginx) in the setup. Am I supposed to set apache in front of the application as a proxy? In that case I wonder what to put in the proxy config as one can't use those convenient k8s service names there...

Or should apache be set up as some kind of a separate backend, which would only get traffic when the client uses plain HTTP? In that case I am missing the separation of backends by protocol in the GCE load-balancer, and while I can see how that could be done manually, the ingress needs to be configured for that, and I can't seem to find any resources explaining how to actually do that.

For example, in https://github.com/kubernetes/ingress-gce#redirecting-http-to-https the "application" takes care of the forwarding (it seems to be built on nginx), and while that example works beautifully, it's not possible to do the same thing with the application I am talking about.

Basically, my setup is currently this:

http://<public_ip>:80    -\
                           >      GCE LB     ->  K8s pod running the application
https://<public_ip>:443  -/   (ingress-gce)

I know I could block HTTP altogether, but that'd ruin user experience when someone just typed in the domain name in the browser.

Currently I have these services set up for the LB:

kind: Service
apiVersion: v1
metadata:
  name: myapp
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: myapp
    protocol: TCP
  selector:
    app: myapp

---
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: myapp-ingress
  annotations:
    ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.global-static-ip-name: "my-ip"
    ingress.gcp.kubernetes.io/pre-shared-cert: "my-cert"
spec:
  backend:
    serviceName: myapp
    servicePort: 80
  rules:
  - host: my.domain.name
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp
          servicePort: 80

In addition I have GLBC bundled together with the application deployment:

apiVersion: v1
kind: ConfigMap
metadata:
  name: glbc-configmap
data:
  gce.conf: |
    [global]
    node-tags = myapp-k8s-nodepool
    node-instance-prefix = gke-myapp-k8s-cluster

---
kind: Deployment
apiVersion: apps/v1beta2
metadata:
  name: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      name: myapp
      labels:
        app: myapp
    spec:
      containers:
      # START application container
      - name: myapp
        image: eu.gcr.io/myproject/myapp:latest
        imagePullPolicy: Always
        readinessProbe:
          httpGet:
            path: /ping
            port: 8080
        ports:
        - name: myapp
          containerPort: 8080
      # END application container
      # START GLBC container
      - name: myapp-glbc
        image: gcr.io/google_containers/glbc:0.9.7
        livenessProbe:
          httpGet:
            path: /ping
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        volumeMounts:
        - mountPath: /etc/glbc-configmap
          name: cloudconfig
          readOnly: true
        args:
        - --apiserver-host=http://localhost:8080
        - --default-backend-service=myapp
        - --sync-period=300s
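        - --config-file-path=/etc/glbc-configmap/gce.conf
      # Volume backing the "cloudconfig" mount above, taken from the ConfigMap defined earlier
      volumes:
      - name: cloudconfig
        configMap:
          name: glbc-configmap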

I'd greatly appreciate any pointers in addition to more complete solutions.
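
The redirect the question asks about can be decided from the `X-Forwarded-Proto` header that the Google Cloud HTTP(S) load balancer adds to forwarded requests, without nginx or Apache. The following is an added example, not part of the original post or of the ingress-gce project: it assumes the application can be wrapped as a WSGI app, `ForceHTTPS` and `simulate` are hypothetical names, and the HSTS lifetime and sample requests are constructed. It leaves the `/ping` probe path alone and refuses to build a redirect from an unknown `Host` header.

```python
# Added example (not from the original post): WSGI middleware for a pod behind
# the GCE load balancer, which terminates TLS and forwards plain HTTP.
from urllib.parse import quote

ALLOWED_HOSTS = {"my.domain.name"}  # host from the Ingress rule in the question
HEALTH_PATH = "/ping"               # probe path from the Deployment in the question
HSTS = ("Strict-Transport-Security", "max-age=31536000")  # constructed value


class ForceHTTPS:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        # Probes must get a 200, not a 301, or the backend is marked unhealthy.
        # Assumption: requests without the header did not pass the load balancer.
        if path == HEALTH_PATH or proto != "http":
            def add_hsts(status, headers, exc_info=None):
                extra = [HSTS] if proto == "https" else []
                return start_response(status, list(headers) + extra, exc_info)
            return self.app(environ, add_hsts)
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        if host not in ALLOWED_HOSTS:
            # Do not build a redirect target from an unvalidated Host header.
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unknown host\n"]
        location = "https://" + host + quote(path)  # quote() also encodes CR/LF
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return []


def simulate(path, proto=None, host="my.domain.name", query=""):
    """Run one constructed request through the middleware; return (status, headers)."""
    def app(environ, start_response):  # stand-in for the real application
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    environ = {"PATH_INFO": path, "HTTP_HOST": host, "QUERY_STRING": query}
    if proto:
        environ["HTTP_X_FORWARDED_PROTO"] = proto
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    list(ForceHTTPS(app)(environ, start_response))
    return seen["status"], seen["headers"]
```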


1 Reply

0 votes
by (71.8m points)
Waiting for answers
