I manage an AWS EKS cluster that uses an ALB as its load balancer. This load balancer behaves differently from Nginx, and there are quite a few special points to watch out for.
Basically you have to declare a lot of ALB-specific annotations.
1. Automatic HTTP to HTTPS redirect
annotations:
  alb.ingress.kubernetes.io/actions.ssl-redirect: |
    {"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}
......
- host: '*.bajie.dev'
  http:
    paths:
    - backend:
        service:
          name: ssl-redirect
          port:
            name: use-annotation
      path: /
      pathType: Prefix
Note: once you declare the annotation above, the HTTP :80 listener on the LB is left with only this one rule, and it overrides everything else.
Any other HTTP rules you declare through annotations after that will not take effect; you can only declare HTTPS rules.
2. www redirect
Example: entering rendoumi.com automatically redirects to www.rendoumi.com
annotations:
  alb.ingress.kubernetes.io/actions.www-redirect: |
    {"type":"redirect","redirectConfig":{"host":"www.rendoumi.com","port":"443","protocol":"HTTPS","statusCode":"HTTP_301"}}
......
- host: rendoumi.com
  http:
    paths:
    - backend:
        service:
          name: www-redirect
          port:
            name: use-annotation
      path: /
      pathType: Prefix
This one is a direct 301 redirect straight to HTTPS.
3. external-dns
ALB ingress has a big pitfall: if you make a major change to the ingress, the LB in front of it changes and a brand-new LB is created. This is really nasty. The first time I ran into it, Bajie was forced to rewrite a whole pile of Route53 DNS records. Ugh.
So be sure to add this annotation to avoid that cascading change. It is harmless anyway: if external-dns is not installed, the annotation simply does nothing.
annotations:
  external-dns.alpha.kubernetes.io/hostname: rendoumi.com,www.rendoumi.com,*.rendoumi.com
Separate the domains you want managed with commas.
4. The group attribute
This is the "major change" mentioned above: adding this attribute will inevitably cause the LB to be replaced.
The scenario is unavoidable, though. For example, ingresses in different namespaces all need to use the same domain.
That gets troublesome: with nginx ingress you simply add a namespace, but ALB cannot do that.
You need to explicitly declare the group attribute.
annotations:
  alb.ingress.kubernetes.io/group.name: rendoumi
  alb.ingress.kubernetes.io/group.order: "100"
Note: the two attributes must always go together. order defaults to 0 and the maximum is 1000.
This way the controller aggregates ingresses from different namespaces into a single LB.
Finally, a complete example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bajie-official  # placeholder: the original omits metadata.name, which Kubernetes requires
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: |
      {"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}
    alb.ingress.kubernetes.io/actions.www-redirect: |
      {"type":"redirect","redirectConfig":{"host":"www.bajie.dev","port":"443","protocol":"HTTPS","statusCode":"HTTP_301"}}
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-1:000007118436:certificate/xxxxa910-46c9-4680-929a-99996deb98df
    alb.ingress.kubernetes.io/group.name: bajie
    alb.ingress.kubernetes.io/group.order: "100"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01  # this policy still accepts TLS 1.1; prefer a TLS 1.2-or-newer policy
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/subnets: subnet-99996c43cb399f55c,subnet-9999c9681d11a3323,subnet-99999874db9639a77
    alb.ingress.kubernetes.io/target-type: ip
    external-dns.alpha.kubernetes.io/hostname: bajie.dev,www.bajie.dev,*.bajie.dev
  namespace: default
spec:
  ingressClassName: alb
  rules:
  - host: official.bajie.dev
    http:
      paths:
      - backend:
          service:
            name: dc-official-client
            port:
              number: 3000
        path: /
        pathType: Prefix
  - host: bajie.dev
    http:
      paths:
      - backend:
          service:
            name: www-redirect
            port:
              name: use-annotation
        path: /
        pathType: Prefix
  - host: '*.bajie.dev'
    http:
      paths:
      - backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - bajie.dev
    - www.bajie.dev
    - official.bajie.dev
An ingress we declare in another namespace then looks like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: prometheus
  annotations:
    alb.ingress.kubernetes.io/group.name: bajie
    alb.ingress.kubernetes.io/group.order: '10'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-1:533267118436:certificate/e6c3a910-46c9-4680-929a-d60d6deb98df
    external-dns.alpha.kubernetes.io/hostname: grafana.bajie.dev
spec:
  ingressClassName: alb
  rules:
  - host: grafana.bajie.dev
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: stable-grafana
            port:
              number: 80
  tls:
  - hosts:
    - grafana.bajie.dev
Watch the order: grafana's order is 10 while the ingress above is 100, so grafana's rule lands before the wildcard rule. Otherwise the request would be caught by the wildcard first and never reach grafana's path, which is wrong.
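The first-match behaviour behind that ordering, as an added Python simulation (not code from this page or from the AWS Load Balancer Controller): it sorts an IngressGroup the way the controller does (group.order first, ties broken by namespace/name), walks the resulting listener rules the way the ALB does, and flags literal hosts that an earlier wildcard rule would shadow. The two ingress shapes are constructed from this page; the ALB host-condition semantics for '*' and '?' and the controller's tie-break rule are assumptions.

```python
import re

# Constructed from the two ingresses above: (namespace, name, group.order, [(host, path, backend)])
INGRESSES = [
    ("default", "bajie", 100, [
        ("official.bajie.dev", "/", "dc-official-client"),
        ("bajie.dev", "/", "www-redirect"),
        ("*.bajie.dev", "/", "ssl-redirect"),
    ]),
    ("prometheus", "grafana", 10, [("grafana.bajie.dev", "/", "stable-grafana")]),
]

def host_matches(pattern, host):
    # ALB host condition: '*' matches 0 or more characters, '?' exactly one; hostnames are case-insensitive
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, host, re.IGNORECASE) is not None

def path_matches(prefix, path):
    # pathType Prefix: '/' matches everything, '/x' matches '/x' and anything under '/x/'
    return prefix == "/" or path == prefix or path.startswith(prefix.rstrip("/") + "/")

def listener_rules(ingresses):
    """Flatten an IngressGroup into listener rules in evaluation order: ingresses sorted by
    group.order (lower first), ties by namespace/name, then each ingress's rules in declaration
    order. Rule N receives ALB priority N."""
    ordered = sorted(ingresses, key=lambda i: (i[2], f"{i[0]}/{i[1]}"))
    rules = []
    for ns, name, _order, paths in ordered:
        for host, path, backend in paths:
            rules.append({"priority": len(rules) + 1, "ingress": f"{ns}/{name}",
                          "host": host, "path": path, "backend": backend})
    return rules

def resolve(rules, host, path="/"):
    """First matching rule wins, exactly as the ALB walks priorities; None means default action."""
    for r in rules:
        if host_matches(r["host"], host) and path_matches(r["path"], path):
            return r["backend"]
    return None

def shadowed_hosts(rules):
    """Literal hosts that can never be reached because an earlier wildcard rule on the same path
    already matches them: the misconfiguration the order discussion above warns about."""
    out = []
    for i, r in enumerate(rules):
        if "*" in r["host"] or "?" in r["host"]:
            continue
        for earlier in rules[:i]:
            if host_matches(earlier["host"], r["host"]) and earlier["path"] == r["path"]:
                out.append((r["host"], r["ingress"], earlier["ingress"]))
                break
    return out
```

Running shadowed_hosts over the group before applying a manifest is a cheap pre-deploy check that a new ingress will not be swallowed by the wildcard.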