I have deployed the Nginx Ingress Controller with Helm in AKS, without TLS enabled. Now I want to update the controller to mount the TLS certificate as a Kubernetes secret, as shown below -
controller:
  extraVolumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-tls"
  extraVolumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
Is there any way to update the Ingress Controller?
Best answer
Is there any way to update the Ingress Controller?
Yes, based on this official documentation you need to add the TLS section to the existing Ingress and then reload it (the reload should happen automatically):
The next list describes the scenarios when a reload is required:
- New Ingress Resource Created.
- TLS section is added to existing Ingress.
- Change in Ingress annotations that impacts more than just upstream configuration. For instance load-balancer annotation does not require a reload.
- A path is added/removed from an Ingress.
- An Ingress, Service, Secret is removed.
- Some missing referenced object from the Ingress is available, like a Service or Secret.
- A Secret is updated.
Edit:
I have reproduced this scenario.
First, I created a simple Ingress using the following ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-1
spec:
  ingressClassName: nginx
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: app-1
                port:
                  number: 80
            path: /
            pathType: Prefix
Then I ran kubectl get ingress, and this is the output:
NAME    CLASS   HOSTS             ADDRESS    PORTS   AGE
ing-1   nginx   www.example.com   35.X.X.X   80      3m
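At this step, I have a working Ingress without TLS (only port 80 works). Then I created tls.yaml for TLS (I used a self-signed certificate; you need to use your own certificate and domain):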
apiVersion: v1
kind: Secret
metadata:
  name: tls
data:
  tls.crt: |
    <my cert>
  tls.key: |
    <my key>
type: kubernetes.io/tls
I applied it with kubectl apply -f tls.yaml, then I changed ingress.yaml as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-1
spec:
  ingressClassName: nginx
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: app-1
                port:
                  number: 80
            path: /
            pathType: Prefix
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - www.example.com
      secretName: tls
I added the TLS section. Then I ran kubectl apply -f ingress.yaml, and after a few seconds I could see this output when running kubectl get ingress:
NAME    CLASS   HOSTS             ADDRESS        PORTS     AGE
ing-1   nginx   www.example.com   35.239.7.126   80, 443   18m
TLS is working. In the logs I can see this message:
Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ing-1", UID:"84966fae-e135-47bb-8110-bf372de912c8", APIVersion:"networking.k8s.io/v1", ResourceVersion:"11306", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
The Ingress reloaded automatically :)
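An added example, not part of the original answer: a Python check over the JSON from `kubectl get ingress,secret -o json` that reports Ingress hosts no `tls` entry covers, and `secretName` references that do not resolve to a `kubernetes.io/tls` Secret in the same namespace. The sample objects are constructed (`ing-2` and the secret name `missing` are hypothetical), and skipping host-less rules is an assumption of this example.

```python
import json

# Constructed sample shaped like `kubectl get ingress,secret -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Ingress", "metadata": {"name": "ing-1", "namespace": "default"},
  "spec": {"rules": [{"host": "www.example.com"}],
           "tls": [{"hosts": ["www.example.com"], "secretName": "tls"}]}},
 {"kind": "Ingress", "metadata": {"name": "ing-2", "namespace": "default"},
  "spec": {"rules": [{"host": "api.example.com"}, {"host": "www.example.com"}],
           "tls": [{"hosts": ["www.example.com"], "secretName": "missing"}]}},
 {"kind": "Secret", "metadata": {"name": "tls", "namespace": "default"},
  "type": "kubernetes.io/tls", "data": {"tls.crt": "Li4u", "tls.key": "Li4u"}}
]}
""")


def host_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def audit(objects):
    """Return sorted (namespace, ingress, host, problem); host-less rules are skipped."""
    secrets = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
               for o in objects if o["kind"] == "Secret"}
    findings = []
    for ing in (o for o in objects if o["kind"] == "Ingress"):
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        tls = ing["spec"].get("tls", [])
        for host in [r["host"] for r in ing["spec"].get("rules", []) if r.get("host")]:
            names = [t.get("secretName") for t in tls
                     if any(host_matches(p, host) for p in t.get("hosts", []))]
            if not names:
                findings.append((ns, name, host, "no tls entry covers host"))
            for sn in names:
                sec = secrets.get((ns, sn))
                if sec is None:
                    findings.append((ns, name, host, f"secret {sn!r} not found"))
                elif (sec.get("type") != "kubernetes.io/tls"
                      or not {"tls.crt", "tls.key"} <= set(sec.get("data", {}))):
                    findings.append((ns, name, host, f"secret {sn!r} is not a TLS secret"))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit(SAMPLE["items"]), sep="\n")
```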
Regarding nginx - Setting up TLS on an existing Nginx Ingress Controller in AKS, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/70247182/