让我解释一下部署的内容。首先,我通过导入一些数据创建了一个 Cloud SQL 数据库。要将数据库连接到我使用 cloud-sql-proxy 的应用程序,到目前为止一切正常。
我创建了一个 kubernetes 集群,其中有一个 pod,其中包含我想要分解的应用程序的 Docker 容器,到目前为止一切正常......为了在 https 中访问应用程序,我遵循了几个在线指南(https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#console、https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#console 等)。 ),所有这些都集中在使用服务和入口 kubernetes 上。第一个将 spring 的 8080 映射到 80,而第二个创建一个负载平衡器,在 https 中公开一个前端。我配置了健康检查,我创建了一个与域相关联的证书(谷歌管理),该域映射分配给入口的静态 IP。
显然一切正常,但是一旦您尝试从浏览器访问地址 https://example.org/,您就会被正确重定向到登录页面( http://example.org/login ),但是正如您所看到的那样,它切换到 HTTP 协议(protocol),显然 404 由谷歌返回,因为 http 是禁用。出于某种荒谬的原因,在将您重定向到的地址(https://example.org/login)上强制使用 https 在域名(https://www.example.org/login)前面添加“www”。如果您尝试通过切换到静态 IP 来不使用域,那么 www 问题就会消失……但是,每次您在 HTTPS 中发出请求时,它都会不断更改为 HTTP。
附言总体目标是将 http 连接到负载均衡器(谷歌的内部网络),然后在负载均衡器和客户端之间使用 https。
谁能帮我?如果有帮助,我会发布部署的 yaml 文件。非常感谢!
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: my-app # Label for the Deployment
name: my-app # Name of Deployment
spec:
minReadySeconds: 60 # Number of seconds to wait after a Pod is created and its status is Ready
selector:
matchLabels:
run: my-app
template: # Pod template
metadata:
labels:
run: my-app # Labels Pods from this Deployment
spec: # Pod specification; each Pod created by this Deployment has this specification
containers:
- image: eu.gcr.io/my-app/my-app-production:latest # Application to run in Deployment's Pods
name: my-app-production # Container name
# Note: The following line is necessary only on clusters running GKE v1.11 and lower.
# For details, see https://cloud.google.com/kubernetes-engine/docs/how-to/container-native-load-balancing#align_rollouts
ports:
- containerPort: 8080
protocol: TCP
- image: gcr.io/cloudsql-docker/gce-proxy:1.17
name: cloud-sql-proxy
command:
- "/cloud_sql_proxy"
- "-instances=my-app:europe-west6:my-app-cloud-sql-instance=tcp:3306"
- "-credential_file=/secrets/service_account.json"
securityContext:
runAsNonRoot: true
volumeMounts:
- name: my-app-service-account-secret-volume
mountPath: /secrets/
readOnly: true
volumes:
- name: my-app-service-account-secret-volume
secret:
secretName: my-app-service-account-secret
terminationGracePeriodSeconds: 60 # Number of seconds to wait for connections to terminate before shutting down Pods
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-app-health-check
spec:
healthCheck:
checkIntervalSec: 60
port: 8080
type: HTTP
requestPath: /health/check
---
apiVersion: v1
kind: Service
metadata:
name: my-app-svc # Name of Service
annotations:
cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
cloud.google.com/backend-config: '{"default": "my-app-health-check"}'
spec: # Service's specification
type: ClusterIP
selector:
run: my-app # Selects Pods labelled run: neg-demo-app
ports:
- port: 80 # Service's port
protocol: TCP
targetPort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-app-ing
annotations:
kubernetes.io/ingress.global-static-ip-name: "my-static-ip"
ingress.gcp.kubernetes.io/pre-shared-cert: "example-org"
kubernetes.io/ingress.allow-http: "false"
spec:
backend:
serviceName: my-app-svc
servicePort: 80
tls:
- secretName: example-org
hosts:
- example.org
---
最佳答案
正如我在评论部分提到的,您可以重定向 HTTP至HTTPS .Google Cloud有相当好的文档,你可以在那里找到分步指南,包括防火墙配置或测试。您可以找到本指南 here .
我还建议您阅读以下文档:
作为替代方案,您可以检查 Nginx Ingress正确的annotation (强制 SSL 重定向)。可以找到一些示例 here .
关于spring-mvc - 使用 GPC : Cloud SQL, Kubernetes(服务和入口)和带有 Google 托管证书的 HTTP(S) 负载均衡器部署 Spring MVC 应用程序,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/65788159/