0

我正在尝试将 knative 用于一些长时间运行的进程,这些进程仅在集群内本地触发。

作为网络层,我们已经使用了 Ambassador,它配置了 TLS,并将 HTTP 请求重定向到 HTTPS:

apiVersion: v1
kind: Service
metadata:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind:  Module
      name:  tls
      config:
        server:
          enabled: True
          redirect_cleartext_from: 8080
          alpn_protocols: h2,http/1.1
...

我使用“cluster-local”标志创建了服务:

kn service create helloworld-go --image gcr.io/knative-samples/helloworld-go --env TARGET="Go Sample v1" --cluster-local
Creating service 'helloworld-go' in namespace 'default':

  0.010s The Configuration is still working to reflect the latest desired specification.
  0.062s The Route is still working to reflect the latest desired specification.
  0.092s Configuration "helloworld-go" is waiting for a Revision to become ready.
  8.621s ...
  9.035s Ingress has not yet been reconciled.
 12.279s Ready to serve.

Service 'helloworld-go' created to latest revision 'helloworld-go-tcsyf-1' is available at URL:
http://helloworld-go.default.svc.cluster.local

如果我尝试从集群中访问它,我会被重定向到 https 版本:

curl -v http://helloworld-go.default.svc.cluster.local
*   Trying 10.11.253.45:80...
* Connected to helloworld-go.default.svc.cluster.local (10.11.253.45) port 80 (#0)
> GET / HTTP/1.1
> Host: helloworld-go.default.svc.cluster.local
> User-Agent: curl/7.69.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< location: https://helloworld-go.default.svc.cluster.local/
< date: Thu, 17 Dec 2020 11:35:39 GMT
< server: envoy
< content-length: 0

curl -k -v https://helloworld-go.default.svc.cluster.local可以工作,但显然证书的主机名与cluster.local

如果我删除redirect_cleartext_from: 8080,端口 80 似乎不再可用:

bash-5.0$ curl -v http://helloworld-go.default.svc.cluster.local
*   Trying 10.11.253.45:80...
* connect to 10.11.253.45 port 80 failed: Connection refused
* Failed to connect to helloworld-go.default.svc.cluster.local port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to helloworld-go.default.svc.cluster.local port 80: Connection refused

有没有办法只为 svc.cluster.local 禁用 http => https 重定向?对于其他工作负载 - 不通过 knative 提供服务 - 我可以使用 http 和http://deployment-name.namespace/

4

1 回答 1

0

我通过将大使升级到最新版本、使用HostTLSContext配置 TLS 并添加Host配置来为该主机提供明文来修复它:

apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: knative-cluster-local
  namespace: default
spec:
  acmeProvider:
    authority: none
  hostname: '*.namespace.svc.cluster.local'
  requestPolicy:
    insecure:
      action: Route
  selector:
    matchLabels:
      hostname: knative-cluster-local
  tlsSecret:
    name: ambassador-certs
于 2021-03-24T10:43:09.613 回答