Kubernetes ingress TLS connection refused, but regular HTTP requests work fine
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress
  namespace: myapp-system
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/preserve-host: "true"
spec:
  rules:
  - host: myapp.test
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp-svc
          servicePort: 80
  tls:
    - secretName: myapp-test-cert
      hosts:
        - myapp.test

With this ingress, regular HTTP works fine, but TLS is always refused. All secrets, pods and services are working 100%.

curl https://myapp.test
curl: (7) Failed to connect to myapp.test:443; Connection refused

Backend service:

NAME            TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
myapp-svc   ClusterIP   10.98.46.75   <none>        80/TCP    3h8m

The pods are running Nginx. Here is the Nginx config:

user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    server {
        listen         80;
        server_name    myapp.test;

        location /static {
            alias /static/;
        }

        location /media {
            alias /media/;
            client_max_body_size 200M;
        }

        location / {
            proxy_pass http://localhost:8000;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            client_body_temp_path /tmp/nginx 1 2;
            client_max_body_size 200M;
        }
    }

    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
}

Has anyone seen something like this before?

Answer 1

The problem was that the Traefik Ingress Controller did not include port 443 in the DaemonSet and Service manifest specs.

Add

 - name: https
   containerPort: 443
   hostPort: 443

to the DaemonSet's spec.spec.containers.ports, and add

- protocol: TCP
  port: 443
  name: https

to the Service object for the traefik service.
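As an added example that is not part of the question or the answer, here is a small preflight check for this exact failure mode: given an Ingress that declares a tls section, it verifies that the ingress controller's DaemonSet container ports and its Service actually expose port 443, and shows the findings disappearing once the port entries from the answer are applied. The Traefik DaemonSet and Service dicts are constructed samples (not the poster's real manifests), and all function names are mine.

```python
import copy

TLS_PORT = 443
# Constructed sample manifests in dict form (what yaml.safe_load or kubectl -o json returns).
INGRESS = {
    "kind": "Ingress", "metadata": {"name": "myapp-ingress", "namespace": "myapp-system"},
    "spec": {"rules": [{"host": "myapp.test"}],
             "tls": [{"secretName": "myapp-test-cert", "hosts": ["myapp.test"]}]},
}
TRAEFIK_DS = {  # hypothetical controller DaemonSet that only publishes port 80
    "kind": "DaemonSet", "metadata": {"name": "traefik-ingress-controller"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "traefik", "ports": [{"name": "http", "containerPort": 80, "hostPort": 80}]}]}}},
}
TRAEFIK_SVC = {"kind": "Service", "metadata": {"name": "traefik-ingress-service"},
               "spec": {"ports": [{"name": "http", "protocol": "TCP", "port": 80}]}}


def controller_ports(daemonset):
    """Collect (containerPort, hostPort) pairs from every container in the DaemonSet."""
    return [(p.get("containerPort"), p.get("hostPort"))
            for c in daemonset["spec"]["template"]["spec"].get("containers", [])
            for p in c.get("ports", [])]


def check_tls_exposure(ingress, daemonset, service):
    """Return findings explaining why TLS cannot reach the controller; [] means 443 is plumbed."""
    if not ingress.get("spec", {}).get("tls"):
        return []  # the Ingress does not ask for TLS, so nothing to check
    findings, pairs = [], controller_ports(daemonset)
    ds, svc = daemonset["metadata"]["name"], service["metadata"]["name"]
    if TLS_PORT not in {cp for cp, _ in pairs}:
        findings.append(f"daemonset/{ds}: no containerPort {TLS_PORT}")
    # When the controller is published via hostPort (as port 80 is here), 443 needs one too.
    if any(hp is not None for _, hp in pairs) and TLS_PORT not in {hp for _, hp in pairs}:
        findings.append(f"daemonset/{ds}: no hostPort {TLS_PORT}")
    if TLS_PORT not in {p.get("port") for p in service["spec"].get("ports", [])}:
        findings.append(f"service/{svc}: no port {TLS_PORT}")
    return findings


def apply_fix(daemonset, service):
    """Return patched copies carrying the port entries the accepted answer adds."""
    ds, svc = copy.deepcopy(daemonset), copy.deepcopy(service)
    ds["spec"]["template"]["spec"]["containers"][0]["ports"].append(
        {"name": "https", "containerPort": TLS_PORT, "hostPort": TLS_PORT})
    svc["spec"]["ports"].append({"protocol": "TCP", "port": TLS_PORT, "name": "https"})
    return ds, svc
```

Running `check_tls_exposure(INGRESS, TRAEFIK_DS, TRAEFIK_SVC)` reports the three missing 443 entries, and the same call on `apply_fix(TRAEFIK_DS, TRAEFIK_SVC)` returns an empty list.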
