In some scenarios with stricter security requirements, the request must be HTTPS end to end. Normally, once a request reaches Kong Ingress, the HTTPS connection is terminated and the request is proxied to the upstream over plain HTTP. So if HTTPS must be carried through to the upstream, some extra configuration is needed; fortunately Kong Ingress supports this natively.
If you simply use Kong Ingress to reach a service whose backend protocol is HTTPS, you get the following error:

```text
This combination of host and port requires TLS.
```
Cause: besides setting proxy.protocol to https in the KongIngress, the KongIngress must also be bound to the Kubernetes Service through these annotations:

```yaml
annotations:
  configuration.konghq.com: https-upstream
  konghq.com/override: https-upstream
```
Take an authentication service, for example, that only supports HTTPS. To forward to it through Kong, the following three steps are needed.

Define a KongIngress; the key setting is proxy.protocol: https

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: "https-upstream"
proxy:
  protocol: https
  connect_timeout: 10000
  retries: 10
  read_timeout: 10000
  write_timeout: 10000
route:
  protocols:
  - https
  strip_path: true
```
Then define an Ingress

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    configuration.konghq.com: https-upstream
    konghq.com/override: https-upstream
    kubernetes.io/ingress.class: kong-common
  name: cas-sso-kong-ingress
  namespace: default
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: cas-sso-kong-service
          servicePort: 8443
        path: /
```
Add the annotations to the Kubernetes Service

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    configuration.konghq.com: https-upstream
    konghq.com/override: https-upstream
  labels:
    app: cas-sso-kong-service
  name: cas-sso-kong-service
  namespace: default
spec:
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  selector:
    app: cas-sso-kong-service
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
```
After accessing it again, the request works normally.

Kong Ingress can also use a specified certificate when proxying HTTPS to the upstream. If it is a self-signed certificate, the browser will still warn that the site is insecure; either import the certificate into the browser manually or use the certificate issuance service offered by a third-party platform (such as Alibaba Cloud) to obtain one from a trusted CA.

References:
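As an added pre-apply check (not part of the original post or of Kong's own tooling), the script below verifies that the three manifests are wired consistently: the KongIngress asks for HTTPS to the upstream, the Service carries the konghq.com/override binding that the post identifies as the missing piece, and the Ingress points at a port the Service actually exposes. The manifests are constructed inline as dicts mirroring the ones above; in practice you would load them with yaml.safe_load().

```python
"""Consistency check for Kong Ingress HTTPS-to-upstream wiring (added example)."""

OVERRIDE = "konghq.com/override"  # annotation binding a Service/Ingress to a KongIngress


def check_https_upstream(kong_ingress, ingress, service):
    """Return a list of problems; an empty list means the three objects agree."""
    problems = []
    ki_name = kong_ingress["metadata"]["name"]
    # 1. The KongIngress must tell Kong to speak HTTPS to the upstream.
    if kong_ingress.get("proxy", {}).get("protocol") != "https":
        problems.append(f"KongIngress {ki_name}: proxy.protocol is not https")
    # 2. The Service must be bound to that KongIngress; without this binding Kong
    #    keeps proxying plain HTTP and the backend replies that TLS is required.
    svc_name = service["metadata"]["name"]
    svc_ann = service["metadata"].get("annotations", {})
    if svc_ann.get(OVERRIDE) != ki_name:
        problems.append(f"Service {svc_name}: missing annotation {OVERRIDE}={ki_name}")
    # 3. Every Ingress path must target this Service on a port it exposes.
    svc_ports = {p["port"] for p in service["spec"]["ports"]}
    for rule in ingress["spec"]["rules"]:
        for path in rule["http"]["paths"]:
            be = path["backend"]
            if be["serviceName"] != svc_name:
                problems.append(f"Ingress path {path['path']}: backend {be['serviceName']} is not {svc_name}")
            elif be["servicePort"] not in svc_ports:
                problems.append(f"Ingress path {path['path']}: port {be['servicePort']} not exposed by {svc_name}")
    return problems


# Constructed manifests mirroring the post's example, trimmed to the keys the check uses.
KONG_INGRESS = {"kind": "KongIngress", "metadata": {"name": "https-upstream"},
                "proxy": {"protocol": "https"}, "route": {"protocols": ["https"]}}
INGRESS = {"kind": "Ingress",
           "metadata": {"name": "cas-sso-kong-ingress", "annotations": {OVERRIDE: "https-upstream"}},
           "spec": {"rules": [{"http": {"paths": [{"path": "/", "backend":
                    {"serviceName": "cas-sso-kong-service", "servicePort": 8443}}]}}]}}
SERVICE = {"kind": "Service",
           "metadata": {"name": "cas-sso-kong-service", "annotations": {OVERRIDE: "https-upstream"}},
           "spec": {"ports": [{"name": "https", "port": 8443, "protocol": "TCP", "targetPort": 8443}]}}
# The misconfiguration from the start of the post: Service without the binding annotation.
SERVICE_UNBOUND = {"kind": "Service", "metadata": {"name": "cas-sso-kong-service"},
                   "spec": {"ports": [{"name": "https", "port": 8443, "protocol": "TCP", "targetPort": 8443}]}}

if __name__ == "__main__":
    print(check_https_upstream(KONG_INGRESS, INGRESS, SERVICE))
    print(check_https_upstream(KONG_INGRESS, INGRESS, SERVICE_UNBOUND))
```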