I created a simple 1-node GKE deployment through the GCP console, with the default (beta) ingress. I want to set up a Google-managed SSL certificate and an HTTPS proxy for the single GKE node and for the services hosting HTTP and WebSockets.
There are older approaches that mention using NGINX and an Ingress Controller as a load balancer and/or reverse proxy to allow WebSockets and HTTPS, but those options do not integrate with GCP's load balancers, which means no Cloud CDN, Cloud NAT, or Google-managed SSL certificates. From the documentation, it seems they have solved the old problem of websockets with the https load balancer, but there is no information for GKE on how to do it.
Is there a way to configure this manually?
The relevant Service is configured as:
spec:
  clusterIP: 10.27.247.83
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 30621
    port: 80
    protocol: TCP
    targetPort: 3456
  selector:
    app: angmar-wsproxy-test
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - ip: 35.245.111.75
The load balancer also appears in the GCP console as a TCP proxy, which leaves no options for HTTP features such as session affinity and WebSockets, or for Google-managed SSL certificates.
Answer 1
Not sure if this is still relevant, but yes - it can be done.
# this will only provision if the A record for test.example.com points to the address of the HTTPS load balancer
# create a managed cert (it must live in the same namespace as the Ingress that references it)
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: example-certificate
  namespace: riscale-test
spec:
  domains:
  - test.example.com
---
# create an http(s) LB
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: riscale-test
  name: riscale-ingress
  labels:
    name: riscale-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: <static-ip-name>
    # only relevant if you reserved an address:
    # gcloud compute addresses create <address-name> --description "<some description>" --global
    networking.gke.io/managed-certificates: example-certificate # needs to match the ManagedCertificate name
    kubernetes.io/ingress.allow-http: "false" # disable http - only listen on HTTPS
spec:
  rules:
  - http:
      paths:
      - path: /m/*
        backend:
          serviceName: mgmt
          servicePort: 8080
      - path: /* # default backend
        backend:
          serviceName: ui
          servicePort: 4200
---
# not mandatory - only relevant when you wish to configure the backend
# this example raises the backend service timeout from the 30 sec default to 12 hours (for WS);
# without it the HTTPS LB closes idle/long-lived WebSocket connections after 30 seconds
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: mgmt-service-backend
  namespace: riscale-test
spec:
  timeoutSec: 43200
---
# another BackendConfig example, this one enabling Cloud CDN for the ui backend
# (attach it to the ui Service with the same backend-config annotation used for mgmt below)
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: ui-backend
  namespace: riscale-test
spec:
  cdn:
    enabled: true
    cachePolicy:
      includeHost: false
      includeProtocol: true
      includeQueryString: false
---
apiVersion: v1
kind: Service
metadata:
  name: mgmt
  namespace: riscale-test
  annotations:
    beta.cloud.google.com/backend-config: '{"ports": {"8080":"mgmt-service-backend"}}'
spec:
  selector:
    app: mgmt
  type: NodePort # GKE Ingress backends must be NodePort (unless using container-native NEGs), not LoadBalancer
  ports:
  - name: mgmt-service-port
    port: 8080
    targetPort: 8080
    protocol: TCP
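An added check, not part of the answer above: once the manifests are applied and `kubectl get managedcertificate example-certificate -n riscale-test` reports the certificate as Active, the quickest way to confirm that the HTTPS load balancer really passes the WebSocket upgrade through to the backend (rather than just serving plain HTTPS) is to perform the RFC 6455 handshake yourself over TLS and validate the reply: a 101 status, `Upgrade: websocket`, and a `Sec-WebSocket-Accept` that matches SHA-1(key + GUID). The Python script below does exactly that. The hostname `test.example.com` and the path `/m/ws` are assumptions for illustration, and the two embedded sample replies are constructed, not captured from a real load balancer.

```python
import base64
import hashlib
import os
import socket
import ssl

# Fixed GUID from RFC 6455 section 1.3; the server must hash the client key with it.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample replies (not captured from a real GCP load balancer).
SAMPLE_UPGRADE_OK = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
SAMPLE_PLAIN_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def expected_accept(key: str) -> str:
    """RFC 6455 Sec-WebSocket-Accept value for a given client Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Minimal HTTP/1.1 upgrade request as a browser would send it."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_handshake(raw: bytes, key: str) -> dict:
    """Parse the server's reply; 'upgraded' is True only for a valid 101 handshake."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    upgraded = (
        status == 101
        and headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in headers.get("connection", "").lower()
        and headers.get("sec-websocket-accept") == expected_accept(key)
    )
    return {"status": status, "upgraded": upgraded, "headers": headers}


def probe(host: str, path: str = "/", port: int = 443, timeout: float = 10.0) -> dict:
    """Open a verified TLS connection, send the upgrade, and validate the reply."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    # Default context verifies the chain and hostname, so a ManagedCertificate that is
    # not yet Active fails here at the TLS layer instead of producing a misleading HTTP result.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, path, key))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return parse_handshake(raw, key)


if __name__ == "__main__":
    # Usage: python ws_probe.py test.example.com /m/ws   (host and path are assumed examples)
    import sys

    result = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/")
    print(result["status"], "upgraded" if result["upgraded"] else "NOT upgraded")
```

A 101 with a correct accept key proves the path from the HTTPS proxy to the NodePort backend honours the upgrade; a 200 or 400 means the request reached an HTTP handler that does not speak WebSocket (often a path-rule mismatch), while a connection that is cut after roughly 30 seconds of idling means the `timeoutSec` BackendConfig was not attached to the Service port.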