1

我在 AKS 中部署了带有 Helm 的 Nginx Ingress Controller,但未启用 TLS。现在我想更新控制器以将 TLS 证书挂载为 Kubernetes 机密,如下所示 -

controller:
  extraVolumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "azure-tls"
  extraVolumeMounts:
      - name: secrets-store-inline
        mountPath: "/mnt/secrets-store"
        readOnly: true

有没有办法更新入口控制器?

4

1 回答 1

0

Is there any way to update the Ingress Controller?

Yes, based on this official documentation you need to add TLS section to existing Ingress and then reload it (reload should take place automatically):

The next list describes the scenarios when a reload is required:

  • New Ingress Resource Created.
  • TLS section is added to existing Ingress.
  • Change in Ingress annotations that impacts more than just upstream configuration. For instance load-balancer annotation does not require a reload.
  • A path is added/removed from an Ingress.
  • An Ingress, Service, Secret is removed.
  • Some missing referenced object from the Ingress is available, like a Service or Secret.
  • A Secret is updated.

EDIT:

I have reproduced this situation. First I have created simple ingress with following ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-1
spec:
  ingressClassName: nginx
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: app-1
                port:
                  number: 80
            path: /
            pathType: Prefix

Then I have run kubectl get ingress and here is the output:

NAME    CLASS   HOSTS             ADDRESS        PORTS     AGE
ing-1   nginx   www.example.com   35.X.X.X       80        3m

In this step I had working ingress without TLS (only working port 80). Then I have created tls.yaml for TLS (I have used self signed certs, you need to use your certs and domain):

apiVersion: v1
kind: Secret
metadata:
  name: tls
data:
  tls.crt: |
    <my cert>
  tls.key: |
    <my key>
type: kubernetes.io/tls

I have run in by kubectl apply -f tls.yaml and then I had changed ingress.yaml as below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-1
spec:
  ingressClassName: nginx
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: app-1
                port:
                  number: 80
            path: /
            pathType: Prefix
    # This section is only required if TLS is to be enabled for the Ingress
  tls:
   - hosts:
     - www.example.com
     secretName: tls

I have added the TLS section. Then I have run kubectl apply -f ingress.yaml and after few second I could see this output when running kubectl get ingress:

NAME    CLASS   HOSTS             ADDRESS        PORTS     AGE
ing-1   nginx   www.example.com   35.239.7.126   80, 443   18m

TLS is working. In the logs I can see this message:

Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ing-1", UID:"84966fae-e135-47bb-8110-bf372de912c8", APIVersion:"networking.k8s.io/v1", ResourceVersion:"11306", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync

Ingress reloaded automatically :)

于 2021-12-09T15:02:20.430 回答