apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp-ingress
namespace: myapp-system
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/preserve-host: "true"
spec:
rules:
- host: myapp.test
http:
paths:
- path: /
backend:
serviceName: myapp-svc
servicePort: 80
tls:
- secretName: myapp-test-cert
hosts:
- myapp.test
使用该入口,常规 https 可以正常工作,但 TLS 一直被拒绝。所有机密、pod 和服务均 100% 正常工作。
卷曲https://myapp.test curl:(7)无法连接到 myapp.test:443;连接被拒绝
后端服务:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
myapp-svc ClusterIP 10.98.46.75 <none> 80/TCP 3h8m
这些 pod 正在运行 Nginx。以下是 Nginx 配置:
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server {
listen 80;
server_name myapp.test;
location /static {
alias /static/;
}
location /media {
alias /media/;
client_max_body_size 200M;
}
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_body_temp_path /tmp/nginx 1 2;
client_max_body_size 200M;
}
}
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
}
以前有人见过这样的事情吗?
答案1
问题在于 Traefik Ingress Controller 没有在守护进程和服务清单规范中包含端口 443。
添加
- name: https
containerPort: 443
hostPort: 443
向 Daemonset spec.spec.containers.ports 添加:
- protocol: TCP
port: 443
name: https
到 traefik 服务的服务对象