1

让我解释一下部署的内容。首先,我通过导入一些数据创建了一个 Cloud SQL 数据库。要将数据库连接到我使用 cloud-sql-proxy 的应用程序,到目前为止一切正常。

我创建了一个 kubernetes 集群,其中有一个 pod,其中包含我想要分解的应用程序的 Docker 容器,到目前为止一切正常……为了在 https 中访问应用程序,我遵循了几个在线指南(https://cloud. google.com/load-balancing/docs/ssl-certificates/google-managed-certs#console,https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#console_ _等),都集中在使用服务和入口 Kubernetes 上。第一个将 spring 的 8080 映射到 80,而第二个创建一个负载平衡器,在 https 中公开一个前端。我配置了健康检查,我创建了一个与域相关联的证书(谷歌管理),该域映射分配给入口的静态 IP。

显然一切正常,但是一旦您尝试从浏览器访问地址https://example.org/,您就会正确地重定向到登录页面(http://example.org/login),但正如您所见,它会切换到 HTTP 协议,显然 404 由谷歌返回,因为 http 被禁用。出于某种荒谬的原因,在将您重定向到的地址( https://example.org/login )上强制使用 https 在域名(https://www.example.org/login)前添加“www”。如果您尝试通过切换到静态 IP 来不使用域,那么 www 问题就会消失……但是,每次您在 HTTPS 中发出请求时,它都会不断更改为 HTTP。

PS一般目标是让http到达负载均衡器(谷歌的内部网络),然后在负载均衡器和客户端之间使用https。

谁能帮我?如果有帮助,我会发布部署的 yaml 文件。非常感谢!

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: my-app # Label for the Deployment
  name: my-app # Name of Deployment
spec:
  minReadySeconds: 60 # Number of seconds to wait after a Pod is created and its status is Ready
  selector:
    matchLabels:
      run: my-app
  template: # Pod template
    metadata:
      labels:
        run: my-app # Labels Pods from this Deployment
    spec: # Pod specification; each Pod created by this Deployment has this specification
      containers:
        - image: eu.gcr.io/my-app/my-app-production:latest # Application to run in Deployment's Pods
          name: my-app-production # Container name
          # Note: The following line is necessary only on clusters running GKE v1.11 and lower.
          # For details, see https://cloud.google.com/kubernetes-engine/docs/how-to/container-native-load-balancing#align_rollouts
          ports:
            - containerPort: 8080
              protocol: TCP
        - image: gcr.io/cloudsql-docker/gce-proxy:1.17
          name: cloud-sql-proxy
          command:
            - "/cloud_sql_proxy"
            - "-instances=my-app:europe-west6:my-app-cloud-sql-instance=tcp:3306"
            - "-credential_file=/secrets/service_account.json"
          securityContext:
            runAsNonRoot: true
          volumeMounts:
            - name: my-app-service-account-secret-volume
              mountPath: /secrets/
              readOnly: true
      volumes:
        - name: my-app-service-account-secret-volume
          secret:
            secretName: my-app-service-account-secret
      terminationGracePeriodSeconds: 60 # Number of seconds to wait for connections to terminate before shutting down Pods
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-app-health-check
spec:
  healthCheck:
    checkIntervalSec: 60
    port: 8080
    type: HTTP
    requestPath: /health/check
---
apiVersion: v1
kind: Service
metadata:
  name: my-app-svc # Name of Service
  annotations:
    cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
    cloud.google.com/backend-config: '{"default": "my-app-health-check"}'
spec: # Service's specification
  type: ClusterIP
  selector:
    run: my-app # Selects Pods labelled run: neg-demo-app
  ports:
    - port: 80 # Service's port
      protocol: TCP
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app-ing
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-static-ip"
    ingress.gcp.kubernetes.io/pre-shared-cert: "example-org"
    kubernetes.io/ingress.allow-http: "false"
spec:
  backend:
    serviceName: my-app-svc
    servicePort: 80
  tls:
    - secretName: example-org
      hosts:
        - example.org
---
4

1 回答 1

0

正如我在评论部分提到的,您可以重定向HTTPHTTPS.

Google Cloud有相当好的文档,你可以在那里找到分步指南,包括防火墙配置或测试。您可以在此处找到本指南。

我还建议您阅读以下文档:

作为替代方案,您可以使用适当的注释(force-ssl-redirect)检查Nginx Ingress 。一些例子可以在这里找到。

于 2021-01-27T13:01:56.793 回答