Kong学习(kong ingress代理https请求到upstream)

在有些对安全要求更高的场景下，需要保证端到端的请求都是https, 正常情况下, 请求到达kong ingress后都会将https转换成http后再proxy到upstream, 所以如果需要将https直接proxy到upstream，需要做些额外的操作，好在kong ingress原生就支持.

如果直接使用kong ingress 访问后端协议为https的service会提示以下错误:

1	This combination of host and port requires TLS.

原因: 除了kongingress中需要proxy.protocol指定为https外，在k8s的service中也需要绑定kongingress.

1
2
3

annotations:
    configuration.konghq.com: https-upstream
    konghq.com/override: https-upstream

比如身份验证服务，本身只支持https协议，如果使用kong进行转发的话，需要以下3个操作

定认一个kongingress, 重点是proxy.protocol:https

apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: "https-upstream"
proxy:
  protocol: https # 这行
  connect_timeout: 10000
  retries: 10
  read_timeout: 10000
  write_timeout: 10000
route:
  protocols:
  - https
strip_path: true

再定义一个ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    configuration.konghq.com: https-upstream # 这个配置在0.8以上已被弃用，使用konghq.com/override
    konghq.com/override: https-upstream
    kubernetes.io/ingress.class: kong-common
  name: cas-sso-kong-ingress
  namespace: default
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: cas-sso-kong-service
          servicePort: 8443
        path: /

在k8s的service添加annotations

apiVersion: v1
kind: Service
metadata:
  annotations: # 这两行
    configuration.konghq.com: https-upstream
    konghq.com/override: https-upstream
  labels:
    app: cas-sso-kong-service
  name: cas-sso-kong-service
  namespace: default
spec:
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  selector:
    app: cas-sso-kong-service
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

再次访问后即可正常

kong ingress也支持在proxy https到upstream时使用指定的证书信息, 如果是自签证书的话，浏览器还是会提示站点不安全, 要么手动导入到浏览器中或者使用第三方平台(如阿里云)上提供的权威证书签发功能

参考文章:

https://discuss.konghq.com/t/ingress-controller-registers-https-services-as-http-and-port-443-as-port-80/2784/6

https://github.com/Kong/kubernetes-ingress-controller/issues/406

https://github.com/Kong/kubernetes-ingress-controller/issues/69

参考文章:

转载请注明原作者: 周淑科(https://izsk.me)