nginx - 在 AKS 中的现有 Nginx 入口 Controller 上设置 TLS

Question

我已在 AKS 中部署带有 Helm 的 Nginx Ingress Controller，但未启用 TLS。现在我想更新 Controller 以将 TLS 证书挂载为 Kubernetes secret ，如下所示 -

controller:
  extraVolumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "azure-tls"
  extraVolumeMounts:
      - name: secrets-store-inline
        mountPath: "/mnt/secrets-store"
        readOnly: true

有什么办法可以更新Ingress Controller吗？

Answer 1

Is there any way to update the Ingress Controller?

是的，基于this official documentation您需要将 TLS 部分添加到现有 Ingress，然后重新加载它(重新加载应该自动进行):

The next list describes the scenarios when a reload is required:

• New Ingress Resource Created.
• TLS section is added to existing Ingress.
• Change in Ingress annotations that impacts more than just upstream configuration. For instance load-balancer annotation does not require a reload.
• A path is added/removed from an Ingress.
• An Ingress, Service, Secret is removed.
• Some missing referenced object from the Ingress is available, like a Service or Secret.
• A Secret is updated.

---

编辑:

我已经重现了这种情况。 首先，我使用以下 ingress.yaml 创建了简单的入口:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-1
spec:
  ingressClassName: nginx
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: app-1
                port:
                  number: 80
            path: /
            pathType: Prefix

然后我运行了kubectl get ingress，这是输出:

NAME    CLASS   HOSTS             ADDRESS        PORTS     AGE
ing-1   nginx   www.example.com   35.X.X.X       80        3m

在此步骤中，我在没有 TLS 的情况下工作入口(仅工作端口 80)。然后我为 TLS 创建了 tls.yaml (我使用了自签名证书，您需要使用您的证书和域):

apiVersion: v1
kind: Secret
metadata:
  name: tls
data:
  tls.crt: |
    <my cert>
  tls.key: |
    <my key>
type: kubernetes.io/tls

我已经通过 kubectl apply -f tls.yaml 运行，然后我更改了 ingress.yaml 如下:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-1
spec:
  ingressClassName: nginx
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: app-1
                port:
                  number: 80
            path: /
            pathType: Prefix
    # This section is only required if TLS is to be enabled for the Ingress
  tls:
   - hosts:
     - www.example.com
     secretName: tls

我添加了 TLS 部分。然后我运行了 kubectl apply -f ingress.yaml ，几秒钟后，我可以在运行 kubectl get ingress 时看到此输出:

NAME    CLASS   HOSTS             ADDRESS        PORTS     AGE
ing-1   nginx   www.example.com   35.239.7.126   80, 443   18m

TLS 正在运行。在日志中我可以看到这条消息:

Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ing-1", UID:"84966fae-e135-47bb-8110-bf372de912c8", APIVersion:"networking.k8s.io/v1", ResourceVersion:"11306", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync

Ingress 自动重新加载:)