AWS EKS Ingress times out on any non-root path

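We have an Ingress resource configured on our EKS cluster and are rewriting /.* at the load balancer to the matched URI upstream. If we visit staging.my-domain.com/, we see the expected successful health-check response. However, any other URL (for example /api/) causes the load balancer to time out. The configuration is below. (SSL is temporarily disabled until we figure this out.) Any help would be greatly appreciated!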

# Ingress Controller: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/installation/
# YAML: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/alb-ingress.md
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    external-dns.alpha.kubernetes.io/hostname: staging.my-domain.com
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: nlx-api
spec:
  rules:
  - host: staging.my-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: our-api
            port:
              number: 80
---

apiVersion: v1
kind: Service
metadata:
  name: our-api
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  type: LoadBalancer
  selector:
    app: our-api

Answer 1

It looks like your rewrite target is wrong. See the following from the documentation:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: rewrite
  namespace: default
spec:
  rules:
  - host: rewrite.bar.com
    http:
      paths:
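      - path: /something(/|$)(.*)
        pathType: ImplementationSpecific  # pathType is required in networking.k8s.io/v1
        backend:
          service:  # v1 backend schema (replaces serviceName/servicePort)
            name: http-svc
            port:
              number: 80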

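In this Ingress definition, any characters captured by (.*) are assigned to the placeholder $2, which is then used as a parameter in the rewrite-target annotation. For example, the Ingress definition above results in the following rewrites:

  • rewrite.bar.com/something rewrites to rewrite.bar.com/
  • rewrite.bar.com/something/ rewrites to rewrite.bar.com/
  • rewrite.bar.com/something/new rewrites to rewrite.bar.com/new

In your case, if you try to access staging.my-domain.com/, you are rewritten to the same address. Everything is fine. But this is the only address you can rewrite. You should change the manifest like this: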

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    external-dns.alpha.kubernetes.io/hostname: staging.my-domain.com
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
  name: nlx-api
spec:
  rules:
  - host: staging.my-domain.com
    http:
      paths:
      - path: /(.*)
        pathType: Prefix
        backend:
          service:
            name: our-api
            port:
              number: 80

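In this case, any characters captured by (.*) are assigned to the placeholder $1 (the first capture group), which is then used as a parameter in the rewrite-target annotation.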
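The capture-group substitution described in Answer 1, as an added example that is not part of the original answers: a small Python model of the `rewrite "(?i)<path>" <target> break;` directive that ingress-nginx generates from the path and the rewrite-target annotation. The function name `rewrite_uri` and the sample cases are constructed for illustration, and Python's `re` stands in for nginx's PCRE matching as an assumption.

```python
import re


def rewrite_uri(path_regex: str, rewrite_target: str, uri: str) -> str:
    """Model of nginx `rewrite "(?i)<path_regex>" <rewrite_target> break;`.

    On a match the whole URI is replaced by the target, with $1..$9 expanded
    from the capture groups; on no match the URI is left unchanged.
    """
    match = re.search(path_regex, uri, re.IGNORECASE)
    if match is None:
        return uri

    def expand(ref: re.Match) -> str:
        index = int(ref.group(1))
        # A group that does not exist, or did not participate, expands to "".
        if index > match.re.groups:
            return ""
        return match.group(index) or ""

    return re.sub(r"\$([1-9])", expand, rewrite_target)


# Constructed cases: (path, rewrite-target, request URI) taken from the manifests above.
CASES = [
    (r"/something(/|$)(.*)", "/$2", "/something"),
    (r"/something(/|$)(.*)", "/$2", "/something/"),
    (r"/something(/|$)(.*)", "/$2", "/something/new"),
    (r"/(.*)", "/$1", "/api/"),  # Answer 1's suggested manifest: the path survives
    (r"/", "/", "/api/"),        # the question's manifest: no capture group, path is dropped
]

if __name__ == "__main__":
    for path, target, uri in CASES:
        print(f"{path!r:24} {target!r:6} {uri:16} -> {rewrite_uri(path, target, uri)}")
```

This model applies only when ingress-nginx is the controller serving the Ingress: `nginx.ingress.kubernetes.io/*` annotations are read by ingress-nginx, while an Ingress with `kubernetes.io/ingress.class: alb` is reconciled by the AWS Load Balancer Controller, which acts on `alb.ingress.kubernetes.io/*` annotations.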

Answer 2

This is the configuration that finally worked:

# Ingress Controller: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/installation/
# YAML: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/alb-ingress.md
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
    external-dns.alpha.kubernetes.io/hostname: example.com
    nginx.ingress.kubernetes.io/rewrite-target: /$1 # this is where the problem was
  name: nlx-api
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: / # this was correct
        pathType: Prefix
        backend:
          service:
            name: nlx-api
            port:
              number: 80
