Notes on using an AWS ALB load balancer as the ingress


I manage an AWS EKS cluster that uses an ALB as its load balancer. This load balancer behaves differently from Nginx ingress, and there are many ALB-specific things to watch out for.

Basically you have to declare a lot of annotations that only the AWS Load Balancer Controller understands.

1. Automatic redirect from HTTP to HTTPS

annotations:
  alb.ingress.kubernetes.io/actions.ssl-redirect: |
    {"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}

......

- host: '*.bajie.dev'
  http:
    paths:
    - backend:
        service:
          name: ssl-redirect        # must match the suffix of the actions.* annotation
          port:
            name: use-annotation    # tells the controller the backend is the annotation, not a Service
      path: /
      pathType: Prefix

Note: once you have added the rule above, the LB's HTTP :80 listener is left with only this one rule, and it overrides everything else.

Any other HTTP rule you annotate afterwards will not take effect; you can only annotate rules for HTTPS.

This is exactly the behaviour the controller documents for the `alb.ingress.kubernetes.io/ssl-redirect: "443"` annotation, which also appears in the complete example at the end of this post: once it is set, every HTTP listener gets a default action that redirects to HTTPS and all other rules on that listener are ignored. On current controller versions that single annotation is the supported way to do the redirect; the actions.ssl-redirect JSON plus a wildcard-host rule is the older pattern. Whichever you use, verify the result with `aws elbv2 describe-rules` on both the :80 and the :443 listener, because what matters is the rules that actually landed on the ALB.

2. www redirect

Example: a visitor who types rendoumi.com is automatically redirected to www.rendoumi.com.

annotations:
  alb.ingress.kubernetes.io/actions.www-redirect: |
    {"type":"redirect","redirectConfig":{"host":"www.rendoumi.com","port":"443","protocol":"HTTPS","statusCode":"HTTP_301"}}

......

- host: rendoumi.com
  http:
    paths:
    - backend:
        service:
          name: www-redirect        # suffix of the actions.www-redirect annotation
          port:
            name: use-annotation
      path: /
      pathType: Prefix

This is a direct 301 to https://www.rendoumi.com: the action rewrites both the host and the protocol, so the bare domain never serves content, over HTTP or HTTPS. Fields you leave out of redirectConfig (path, query) keep the request's original value.
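The two redirect patterns above only work if the rules that actually reach the ALB are what you expect: nothing on the plaintext :80 listener may forward traffic, and no redirect on the :443 listener may point back at itself. The following is an added example, not code from the post or from the AWS Load Balancer Controller; it audits the JSON shape that `aws elbv2 describe-rules --listener-arn ...` returns for one listener. The two listener dumps are constructed samples (placeholder ARNs, made to look like what the ssl-redirect and www-redirect actions produce); the third rule on the :443 sample is included deliberately so the loop check has something to flag. Whether your controller version renders the wildcard action on the HTTPS listener is something to confirm with describe-rules on your own ALB.

```python
"""Audit ALB listener rules for the HTTP->HTTPS and www redirect patterns.

Input is the dict form of `aws elbv2 describe-rules` output (one call per
listener). Placeholders such as #{host} are ALB syntax meaning "keep the
request's value".
"""
import json

# Constructed sample of the :80 listener: one redirect rule plus the 404 default.
HTTP_80_RULES = json.loads("""
{"Rules": [
  {"Priority": "1", "IsDefault": false,
   "Conditions": [{"Field": "host-header", "HostHeaderConfig": {"Values": ["*.bajie.dev"]}},
                  {"Field": "path-pattern", "PathPatternConfig": {"Values": ["/*"]}}],
   "Actions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                "Host": "#{host}", "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}}]},
  {"Priority": "default", "IsDefault": true, "Conditions": [],
   "Actions": [{"Type": "fixed-response", "FixedResponseConfig": {"StatusCode": "404", "ContentType": "text/plain"}}]}
]}
""")

# Constructed sample of the :443 listener: forward, www redirect, and a wildcard
# redirect that would send a matching host straight back to itself.
HTTPS_443_RULES = json.loads("""
{"Rules": [
  {"Priority": "1", "IsDefault": false,
   "Conditions": [{"Field": "host-header", "HostHeaderConfig": {"Values": ["official.bajie.dev"]}}],
   "Actions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:placeholder:targetgroup/official/0"}]},
  {"Priority": "2", "IsDefault": false,
   "Conditions": [{"Field": "host-header", "HostHeaderConfig": {"Values": ["bajie.dev"]}}],
   "Actions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                "Host": "www.bajie.dev", "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}}]},
  {"Priority": "3", "IsDefault": false,
   "Conditions": [{"Field": "host-header", "HostHeaderConfig": {"Values": ["*.bajie.dev"]}}],
   "Actions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                "Host": "#{host}", "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}}]},
  {"Priority": "default", "IsDefault": true, "Conditions": [],
   "Actions": [{"Type": "fixed-response", "FixedResponseConfig": {"StatusCode": "404", "ContentType": "text/plain"}}]}
]}
""")


def host_values(rule):
    """All host-header values a rule matches on (older dumps put them in Values)."""
    hosts = []
    for cond in rule.get("Conditions", []):
        if cond.get("Field") == "host-header":
            hosts += cond.get("HostHeaderConfig", {}).get("Values") or cond.get("Values", [])
    return hosts


def redirect_target(action):
    """(protocol, host, port) of a redirect; absent fields default to ALB's keep-it placeholders."""
    cfg = action["RedirectConfig"]
    return cfg.get("Protocol", "#{protocol}"), cfg.get("Host", "#{host}"), cfg.get("Port", "#{port}")


def audit_http_listener(rules):
    """Plaintext listener: every rule must redirect to HTTPS; the default must not forward."""
    findings = []
    for rule in rules["Rules"]:
        for action in rule["Actions"]:
            if rule["IsDefault"]:
                if action["Type"] == "forward":
                    findings.append("default action forwards plaintext traffic")
                continue
            if action["Type"] != "redirect" or action["RedirectConfig"].get("Protocol") != "HTTPS":
                findings.append(f"priority {rule['Priority']}: {action['Type']} serves plaintext")
    return findings


def audit_https_listener(rules):
    """TLS listener: a redirect that keeps HTTPS, keeps the host and keeps :443 loops on itself."""
    findings = []
    for rule in rules["Rules"]:
        hosts = host_values(rule)
        for action in rule["Actions"]:
            if action["Type"] != "redirect":
                continue
            proto, host, port = redirect_target(action)
            same_host = host == "#{host}" or host in hosts
            if proto in ("HTTPS", "#{protocol}") and same_host and port in ("443", "#{port}"):
                findings.append(f"priority {rule['Priority']}: redirect loops back to {host}:{port}")
    return findings


if __name__ == "__main__":
    print("HTTP :80 findings :", audit_http_listener(HTTP_80_RULES))
    print("HTTPS :443 findings:", audit_https_listener(HTTPS_443_RULES))
```

Run it against real output by replacing the two samples with `json.load()` of the describe-rules result for each listener; an empty findings list on :80 means the listener is redirect-only, and any hit on :443 is a rule that a browser would see as a redirect loop.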

3. external-dns

ALB ingress has a big pitfall: if you make a major change to the ingress (adding or changing the group.name described below, or changing the scheme, both move the ingress to a different ALB), the LB in front of it is replaced by a new one with a new DNS name, and every Route53 record aliased to the old name breaks. This is nasty; the first time it happened, Bajie had to rewrite a pile of Route53 DNS records.

So make sure to add the annotation below, so the DNS records follow the LB instead of you chasing them by hand. It is harmless to add: if external-dns is not installed in the cluster, the annotation simply does nothing.

annotations:
  external-dns.alpha.kubernetes.io/hostname: rendoumi.com,www.rendoumi.com,*.rendoumi.com

Separate the domain names external-dns should manage with commas.

4. The group attribute

This is the "major change" mentioned above: adding this attribute always causes the LB to be replaced.

The scenario is also unavoidable. For example, ingresses in different namespaces all need to share the same domain.

That is awkward: with nginx ingress you just add a namespace and you are done, with ALB that does not work.

You have to declare the group attributes explicitly:

annotations:
  alb.ingress.kubernetes.io/group.name: rendoumi
  alb.ingress.kubernetes.io/group.order: "100"

Note: the two attributes must always go together. order defaults to 0 and the maximum is 1000; a smaller order means a higher-priority rule on the ALB.

This way the controller merges ingresses from different namespaces into one LB.

One caveat the controller documentation itself gives: group.name is cluster-wide. Any user who can create an Ingress in any namespace can set the same group.name, join your ALB, and add rules (with a lower order, hence higher priority) for your hostnames. Only use an explicit group when everyone with Ingress RBAC is inside the same trust boundary, or pin the group name in the IngressClassParams of the ALB ingress class so individual Ingresses cannot choose it.

Finally, a complete example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: |
      {"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}
    alb.ingress.kubernetes.io/actions.www-redirect: |
      {"type":"redirect","redirectConfig":{"host":"www.bajie.dev","port":"443","protocol":"HTTPS","statusCode":"HTTP_301"}}
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-1:000007118436:certificate/xxxxa910-46c9-4680-929a-99996deb98df
    alb.ingress.kubernetes.io/group.name: bajie
    alb.ingress.kubernetes.io/group.order: "100"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    # this policy still accepts TLS 1.1; ELBSecurityPolicy-TLS13-1-2-2021-06 requires TLS 1.2+ and adds TLS 1.3
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01
    # redirects every HTTP listener to 443 and makes the controller ignore other rules on it
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/subnets: subnet-99996c43cb399f55c,subnet-9999c9681d11a3323,subnet-99999874db9639a77
    alb.ingress.kubernetes.io/target-type: ip
    external-dns.alpha.kubernetes.io/hostname: bajie.dev,www.bajie.dev,*.bajie.dev
  namespace: default
spec:
  ingressClassName: alb
  rules:
  - host: official.bajie.dev
    http:
      paths:
      - backend:
          service:
            name: dc-official-client
            port:
              number: 3000
        path: /
        pathType: Prefix
  - host: bajie.dev
    http:
      paths:
      - backend:
          service:
            name: www-redirect
            port:
              name: use-annotation
        path: /
        pathType: Prefix
  - host: '*.bajie.dev'
    http:
      paths:
      - backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation
        path: /
        pathType: Prefix
  # the ALB terminates TLS with certificate-arn above; these hosts only drive ACM
  # certificate auto-discovery when certificate-arn is absent
  tls:
  - hosts:
    - bajie.dev
    - www.bajie.dev
    - official.bajie.dev

An Ingress we annotate in another namespace then looks like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: prometheus
  annotations:
    alb.ingress.kubernetes.io/group.name: bajie      # same group as the default-namespace Ingress
    alb.ingress.kubernetes.io/group.order: '10'      # lower than 100, so its rules come first on the ALB
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-1:533267118436:certificate/e6c3a910-46c9-4680-929a-d60d6deb98df
    external-dns.alpha.kubernetes.io/hostname: grafana.bajie.dev
spec:
  ingressClassName: alb
  rules:
    - host: grafana.bajie.dev
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: stable-grafana
                port:
                  number: 80
  tls:
  - hosts:
    - grafana.bajie.dev

Watch the order: grafana's order is 10 while the Ingress above has 100, so grafana's rule is placed before the `*.bajie.dev` rule on the ALB. Otherwise the request would be captured by the wildcard first and never reach grafana's rule, which is wrong. The same trap exists with equal orders: ingresses with the same order are sorted by namespace/name, and "default/..." sorts before "prometheus/grafana", so an order of 100 on grafana would not have been enough either.
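To see the ordering problem from sections 4 and the note above without deploying anything, the following added example (my own code, not from the post or the controller) reproduces how the controller orders the rules of an IngressGroup and which rule the ALB then selects for a given Host header. The ordering follows the controller's documentation: ingresses sorted by group.order ascending (default 0), ties broken lexicographically by namespace/name, with each ingress's rules emitted in manifest order; host matching follows ALB host-header conditions, where `*` matches zero or more characters and `?` exactly one. The manifests are reduced to dicts built by a hypothetical helper (in practice load them with `yaml.safe_load`), and the default-namespace Ingress, which has no name on this page, is given the made-up name `official`.

```python
"""Simulate AWS Load Balancer Controller rule ordering within an IngressGroup."""
import re

ORDER_ANNOTATION = "alb.ingress.kubernetes.io/group.order"


def host_matches(pattern, host):
    """ALB host-header semantics: '*' is zero or more characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def ordered_rules(ingresses):
    """Flatten the group's ingresses into (priority, host, backend) in the order the ALB evaluates them."""
    def sort_key(ing):
        meta = ing["metadata"]
        order = int(meta.get("annotations", {}).get(ORDER_ANNOTATION, 0))
        return order, f'{meta["namespace"]}/{meta["name"]}'

    rules = []
    for ing in sorted(ingresses, key=sort_key):
        for rule in ing["spec"]["rules"]:
            for path in rule["http"]["paths"]:
                rules.append((len(rules) + 1, rule.get("host", "*"), path["backend"]["service"]["name"]))
    return rules


def route(ingresses, host):
    """First matching rule wins, as on the ALB; None means the listener's default (fixed 404)."""
    for _, pattern, backend in ordered_rules(ingresses):
        if host_matches(pattern, host):
            return backend
    return None


def shadowed(ingresses):
    """Rules that can never match because an earlier rule already covers their host."""
    rules = ordered_rules(ingresses)
    return [r for i, r in enumerate(rules) if any(host_matches(p, r[1]) for _, p, _ in rules[:i])]


def make_ingress(namespace, name, order, host_backends):
    """Hypothetical helper: a minimal Ingress dict with the same fields the page's manifests use."""
    return {
        "metadata": {"namespace": namespace, "name": name,
                     "annotations": {"alb.ingress.kubernetes.io/group.name": "bajie",
                                     ORDER_ANNOTATION: str(order)}},
        "spec": {"rules": [{"host": h, "http": {"paths": [{"path": "/", "pathType": "Prefix",
                  "backend": {"service": {"name": b}}}]}} for h, b in host_backends]},
    }


# The default-namespace Ingress from the page ('official' is a made-up name).
MAIN = make_ingress("default", "official", 100, [
    ("official.bajie.dev", "dc-official-client"),
    ("bajie.dev", "www-redirect"),
    ("*.bajie.dev", "ssl-redirect"),
])


def grafana_with_order(order):
    """The prometheus/grafana Ingress from the page, with a chosen group.order."""
    return make_ingress("prometheus", "grafana", order, [("grafana.bajie.dev", "stable-grafana")])


if __name__ == "__main__":
    for order in (10, 100, 200):
        group = [MAIN, grafana_with_order(order)]
        print(f"grafana order {order}: grafana.bajie.dev -> {route(group, 'grafana.bajie.dev')}, "
              f"shadowed rules: {shadowed(group)}")
```

With order 10 grafana's rule gets priority 1 and wins; with order 100 the tie-break on namespace/name puts `default/official` first, so the wildcard captures `grafana.bajie.dev` and `shadowed()` reports grafana's rule as unreachable, which is the situation the note above warns about.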
