我在让 nginx-ingress Controller 在 Azure Kubernetes 服务上工作时遇到问题;目前,每次我尝试访问一些作为服务公开的 Web API 时,它都会返回 502 Bad Gateway。 因为我必须使用现有的证书,所以我遵循了 https://learn.microsoft.com/en-us/azure/aks/ingress-own-tls设置 Controller 并遵循 https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/从 PFX 生成证书和 key (如何从 Azure Key Vault 导出证书)。我使用证书(包括中间证书和根证书以及解密的 key 文件)创建了 secret “aks-ingress-tls”。 我有一个用于创建部署的 YAML 文件、一个用于公开它的服务以及一个用于路由到它的入口。应用此 YAML,我可以通过 HTTP 中的 IP 地址访问服务,但使用 HTTPS 访问 Ingress Controller 的 EXTERNAL_IP 总是会出现 502 错误。 我的 YAML 文件(已编辑):
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-api
spec:
strategy:
type: Recreate
selector:
matchLabels:
app: my-api
replicas: 3
template:
metadata:
labels:
app: my-api
spec:
containers:
- name: my-api
image: [REDACTED]/my-api:1.0
ports:
- containerPort: 443
- containerPort: 80
imagePullSecrets:
- name: data-creds
---
apiVersion: v1
kind: Service
metadata:
name: my-service
labels:
app: my-service
spec:
ports:
- name: https
port: 443
targetPort: 443
protocol: TCP
- name: http
port: 80
targetPort: 80
protocol: TCP
selector:
app: my-api
type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: api-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
tls:
- hosts:
- [REDACTED].co.uk
secretName: aks-ingress-tls
rules:
- host: [REDACTED].co.uk
http:
paths:
- path: /
backend:
serviceName: my-service
servicePort: 443
我在主机文件中添加了一条记录(我在 Windows 上,因此无法使用curl 的 --resolve)将 [REDACTED].co.uk 映射到入口 Controller 的 EXTERNAL_IP,以便我可以尝试访问它。那是我收到错误的时候。
curl -v https://[REDACTED].co.uk
给出:
VERBOSE: GET https://[REDACTED].co.uk/ with 0-byte payload
curl : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
+ curl -v https://[REDACTED].co.uk
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
查看入口 Controller Pod 之一的日志:
10.244.1.1 - [10.244.1.1] - - [25/Apr/2019:13:39:20 +0000] "GET / HTTP/2.0" 502 559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" 10 0.001 [default-sub360-auth-service-443] 10.244.1.254:443, 10.244.1.3:443, 10.244.1.4:443 0, 0, 0 0.000, 0.000, 0.000 502, 502, 502 e44e21c8a2f61f5137c9afdfc64c6584
2019/04/25 13:39:20 [error] 1622#1622: *1127096 connect() failed (111: Connection refused) while connecting to upstream, client: 10.244.1.1, server: [REDACTED].co.uk, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.244.1.254:443/favicon.ico", host: "[REDACTED].co.uk", referrer: "https://[REDACTED].co.uk/"
2019/04/25 13:39:20 [error] 1622#1622: *1127096 connect() failed (111: Connection refused) while connecting to upstream, client: 10.244.1.1, server: [REDACTED].co.uk, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.244.1.3:443/favicon.ico", host: "[REDACTED].co.uk", referrer: "https://[REDACTED].co.uk/"
2019/04/25 13:39:20 [error] 1622#1622: *1127096 connect() failed (111: Connection refused) while connecting to upstream, client: 10.244.1.1, server: [REDACTED].co.uk, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.244.1.4:443/favicon.ico", host: "[REDACTED].co.uk", referrer: "https://[REDACTED].co.uk/"
10.244.1.1 - [10.244.1.1] - - [25/Apr/2019:13:39:20 +0000] "GET /favicon.ico HTTP/2.0" 502 559 "https://[REDACTED].co.uk/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" 26 0.000 [default-sub360-auth-service-443] 10.244.1.254:443, 10.244.1.3:443, 10.244.1.4:443 0, 0, 0 0.000, 0.000, 0.004 502, 502, 502 63b6ed4414bf32694de3d136f7f277aa
任何人都可以指出我需要查看或执行哪些操作才能使其正常工作吗?
最佳答案
对于您的问题,入口使用带有端口 443 的 HTTPS 协议(protocol),因此您不需要为容器公开端口 443。只需公开您的应用程序监听的端口即可。
对于您来说,这意味着您只需为容器和服务公开端口 80。您还需要删除注释 nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
并将 servicePort 值更改为 80。
注意:将 DNS 名称添加到证书中也很重要。
关于azure - Azure Kubernetes 服务的 nginx-ingress Controller 502 错误网关,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55852194/