kubernetes - Spring Cloud Gateway with Kubernetes discovery on OpenShift

Tags: kubernetes routes openshift spring-cloud-gateway autodiscovery

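I am trying to set up Spring Cloud Gateway on OpenShift and want to discover the services available within the cluster. I am able to discover services by adding @DiscoveryClient and the dependencies as below.

Boot dependencies are as below: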

    spring-cloud.version : Greenwich.SR2
    spring-boot-starter-parent:2.1.7.RELEASE

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-kubernetes</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-kubernetes-ribbon</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-ribbon</artifactId>
    </dependency>

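I can see that services are being discovered and registered. Routing also happens, but there is a CN name validation error while routing. I also tried setting use-insecure-trust-manager: true, but still got the same error.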

    2021-12-31 12:30:33.867 TRACE 1 --- [or-http-epoll-8] o.s.c.g.h.p.RoutePredicateFactory        : Pattern "[/customer-service/**]" does not match against value "/userprofile/addUser"
    2021-12-31 12:30:33.868 TRACE 1 --- [or-http-epoll-8] o.s.c.g.h.p.RoutePredicateFactory        : Pattern "/userprofile/**" matches against value "/userprofile/addUser"
    2021-12-31 12:30:33.868 DEBUG 1 --- [or-http-epoll-8] o.s.c.g.h.RoutePredicateHandlerMapping   : Route matched: CompositeDiscoveryClient_userprofile
    2021-12-31 12:30:33.868 DEBUG 1 --- [or-http-epoll-8] o.s.c.g.h.RoutePredicateHandlerMapping   : Mapping [Exchange: GET https://my-gatewat.net/userprofile/addUser ] to Route{id='CompositeDiscoveryClient_userprofile', uri=lb://userprofile, order=0, predicate=org.springframework.cloud.gateway.support.ServerWebExchangeUtils$$Lambda$712/0x000000010072a440@1046479, gatewayFilters=[OrderedGatewayFilter{delegate=org.springframework.cloud.gateway.filter.factory.RewritePathGatewayFilterFactory$$Lambda$713/0x000000010072a840@3c8d9cd1, order=1}]}
    2021-12-31 12:30:33.888 TRACE 1 --- [or-http-epoll-8] o.s.c.g.filter.RouteToRequestUrlFilter   : RouteToRequestUrlFilter start
    2021-12-31 12:30:33.888 TRACE 1 --- [or-http-epoll-8] o.s.c.g.filter.LoadBalancerClientFilter  : LoadBalancerClientFilter url before: lb://userprofile/addUser
    2021-12-31 12:30:33.889 TRACE 1 --- [or-http-epoll-8] o.s.c.g.filter.LoadBalancerClientFilter  : LoadBalancerClientFilter url chosen: https://10.130.83.26:8443/addUser
    2021-12-31 12:30:33.891 DEBUG 1 --- [ctor-http-nio-7] r.n.resources.PooledConnectionProvider   : [id: 0x326a2e7b] Created new pooled channel, now 0 active connections and 1 inactive connections
    2021-12-31 12:30:33.891 DEBUG 1 --- [ctor-http-nio-7] reactor.netty.tcp.SslProvider            : [id: 0x326a2e7b] SSL enabled using engine SSLEngineImpl and SNI /10.130.83.26:8443
    2021-12-31 12:30:33.931 ERROR 1 --- [ctor-http-nio-7] a.w.r.e.AbstractErrorWebExceptionHandler : [8768bf6c] 500 Server Error for HTTP GET "/userprofile/addUser"

    javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.130.83.26 found
        at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]

application.yml:

    spring:
      application:
        name: my-api-gateway
      cloud:
        gateway:
          discovery:
            locator:
              enabled: true
          httpclient:
            ssl:
              use-insecure-trust-manager: true

I tried adding an SNI matcher in the SSL context to skip the hostname check, but it still does not work:

    SNIMatcher matcher = new SNIMatcher(0) {
        @Override
        public boolean matches(SNIServerName serverName) {
            log.info("Server Name validation:{}", serverName);
            return true;
        }
    };

Best answer

I was able to resolve this error by using k8s discovery with a url-expression, as below:

    spring:
      cloud:
        gateway:
          discovery:
            locator:
              enabled: true
              lower-case-service-id: true
              url-expression: "'https://'+serviceId+':'+getPort()"

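Routes will be registered as https://servicename:port. The SslProvider will use the same URL, and it will create the SSLHandler with the host in the SNI information rather than the IP address, which was causing this failure.

Log of the SSL provider adding the handler with just the SSL engine and the hostname and port:

    2022-01-04 14:58:15.360 DEBUG 1 --- [or-http-epoll-4] reactor.netty.tcp.SslProvider : [63cc8609, L:/127.0.0.1:8091 - R:/127.0.0.1:60004] SSL enabled using engine io.netty.handler.ssl.JdkAlpnSslEngine@31e2342b and SNI my-service:8088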
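
The matching rule behind the `No subject alternative names matching IP address` error and the fix above, as an added example that is not code from the question, the answer or the JDK. It assumes a constructed SAN list for the `userprofile` service in a hypothetical namespace `myproject` and a simplified IP-literal test.

```java
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class SanCheck {
    // GeneralName type codes used by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    // Simplified literal test (assumption): dotted-quad IPv4, or ':' for IPv6.
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    // dNSName comparison: case-insensitive, "*." stands for exactly one left-most label.
    static boolean dnsMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(h);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // An IP target is compared only with iPAddress entries, a host name only
    // with dNSName entries, so a name-only certificate never covers a pod IP.
    static boolean sanCovers(Collection<List<?>> sans, String target) {
        int wanted = isIpLiteral(target) ? IP_ADDRESS : DNS_NAME;
        for (List<?> san : sans) {
            if ((Integer) san.get(0) != wanted) continue;
            String value = (String) san.get(1);
            if (wanted == IP_ADDRESS ? value.equals(target) : dnsMatches(value, target)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed SAN list for the userprofile service; namespace "myproject" is hypothetical.
        List<List<?>> sans = List.of(
            List.of(DNS_NAME, "userprofile"),
            List.of(DNS_NAME, "userprofile.myproject.svc"));
        // Pod IP chosen by the load balancer in the question's log: no iPAddress entry to compare.
        System.out.println("10.130.83.26 -> " + sanCovers(sans, "10.130.83.26"));
        // Service name produced by the url-expression in the answer: compared with dNSName entries.
        System.out.println("userprofile  -> " + sanCovers(sans, "userprofile"));
    }
}
```

With a real certificate, the list comes from `X509Certificate.getSubjectAlternativeNames()`, which returns `null` when the certificate has no SAN extension.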

Regarding kubernetes - Spring Cloud Gateway with Kubernetes discovery on OpenShift, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/70542421/
