我有一个 GCP 内部私有 IP GKE 集群,其中包含我们支持的多项服务。我正在尝试设置一个入口以通过 TLS 支持这些多项服务。这基于此处的以下 GCP 文档https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balance-ingress和这里https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
以下是我的入口示例:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress
namespace: myns
annotations:
#kubernetes.io/ingress.class: nginx
kubernetes.io/ingress.class: "gce-internal" # Sets for internal IP's
kubernetes.io/ingress.allow-http: "false"
spec:
tls:
- secretName: service1-api.us.corp
- secretName: service2-api.us.corp
rules:
- host: service1-api.us.corp
http:
paths:
- backend:
serviceName: service1-api-service
servicePort: 443
- host: service2-api.us.corp
http:
paths:
- backend:
serviceName: service2-api-service
servicePort: 443
以下是其中一项服务的示例
apiVersion: v1
kind: Service
metadata:
name: service1-api-service
namespace: myns
annotations:
#cloud.google.com/load-balancer-type: "Internal"
cloud.google.com/neg: '{"ingress": true}'
labels:
app-name: service1-api
spec:
#type: LoadBalancer
#loadBalancerIP: 172.28.11.140
selector:
app-type: restful-api
app-name: service1-api
ports:
- protocol: TCP
name: https
port: 443
targetPort: 80
type: NodePort
#type: ClusterIP
我已经完成了在 secret 中设置 TLS 证书的过程。然而,在部署 ingress 时,我收到以下错误:
同步期间出错:运行负载均衡器同步例程时出错:loadbalancer xxxxxxxx-myns-my-ingress-xxxxxxxx 不存在:googleapi:错误 400:字段“resource.target”的值无效:“https://www.googleapis.com/compute/beta/projects/myproject/regions/us-east4/targetHttpsProxies/k8s2-ts-xxxxxxxx-myns-my-ingress-xxxxxxxx”。转发规则所在的区域和 VPC 中需要保留且活跃的子网。,无效
根据文档,由于负载平衡器是自动生成的,我不知道如何纠正这个问题。
答案1
答案2
我使用时也遇到了同样的问题ingress.gcp.kubernetes.io/pre-shared-cert。我可以看到targetHttpsProxies:
$ gcloud compute target-https-proxies 列表
但describe失败了:
$ gcloud compute target-https-proxies 描述 k8s2-ts-xxxxxxxx-myns-myingress-xxxxxxxx 错误:(gcloud.compute.target-https-proxies.describe)无法获取资源: - 未找到资源“projects/myproject/global/targetHttpsProxies/k8s2-ts-xxxxxxxx-myns-myingress-xxxxxxxx”
这或许就是一切失败的原因。