Implementing workaround for missing http->https redirection in ingress-gce with GLBC

Backend · Open · 1 · 587
温柔的废话 2020-12-19 14:53

I am trying to wrap my brain around the suggested workarounds for the lack of built-in HTTP->HTTPS redirection in ingress-gce, using GLBC. What I am struggling with is how t

1 answer
    南方客 (OP)
    2020-12-19 15:40

    Edit in May 2020: "HTTP(S) Load Balancing Rewrites and Redirects support is now in General Availability" as stated in https://issuetracker.google.com/issues/35904733#comment95 seems to mean that now it finally would be possible to implement proper redirection rules in the LB itself, without having to resort to having an extra pod or any other tweak of that kind. However, in case the below is of use to someone, I'll leave it there for reference.

    I was able to find a solution, where the GCE LB directs traffic to Apache (of course this should work for any proxy) which runs as a deployment in the K8s cluster. In the Apache config, there's a redirect based on the X-Forwarded-Proto header, and reverse proxy rules that point to the application in the cluster.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: apache-httpd-configmap
    data:
      httpd.conf: |
        # Apache httpd v2.4 minimal configuration
        # This can be reduced further if you remove the access log and mod_log_config
    
        ServerRoot "/usr/local/apache2"
    
        # Minimum modules needed
        LoadModule mpm_event_module modules/mod_mpm_event.so
        LoadModule log_config_module modules/mod_log_config.so
        LoadModule mime_module modules/mod_mime.so
        LoadModule dir_module modules/mod_dir.so
        LoadModule authz_core_module modules/mod_authz_core.so
        LoadModule unixd_module modules/mod_unixd.so
        LoadModule alias_module modules/mod_alias.so
        LoadModule proxy_module modules/mod_proxy.so
        LoadModule proxy_http_module modules/mod_proxy_http.so
    
        TypesConfig conf/mime.types
    
        PidFile logs/httpd.pid
    
        # Comment this out if running httpd as a non root user
        User nobody
    
        # Port to Listen on
        Listen 8081
    
        # In a basic setup httpd can only serve files from its document root
        DocumentRoot "/usr/local/apache2/htdocs"
    
        # Default file to serve
        DirectoryIndex index.html
    
        # Errors go to stderr
        ErrorLog /proc/self/fd/2
    
        # Access log to stdout
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog /proc/self/fd/1 common
    
        Mutex posixsem proxy
    
        # Never change this block
        <Directory />
          AllowOverride None
          Require all denied
        </Directory>
    
        # Deny documents to be served from the DocumentRoot
        <Directory "/usr/local/apache2/htdocs">
          Require all denied
        </Directory>
    
        <VirtualHost *:8081>
          ServerName my.domain.name
          # Redirect HTTP to load balancer HTTPS URL
          # (the GCE LB sets X-Forwarded-Proto to the scheme the client used)
          <If "%{HTTP:X-Forwarded-Proto} == 'http'">
            Redirect / https://my.domain.name:443/
          </If>

          # Proxy the requests to the application
          # "myapp" in the rules relies on the K8s cluster DNS add-on for Service names
          # see https://kubernetes.io/docs/concepts/services-networking/service/#dns
          ProxyRequests Off
          ProxyPass         "/"    "http://myapp:80/"
          ProxyPassReverse  "/"    "http://myapp:80/"
        </VirtualHost>
    
    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: apache-httpd
    spec:
      type: NodePort
      ports:
      - name: http
        port: 80
        targetPort: apache-httpd
        protocol: TCP
      selector:
        app: apache-httpd
    
    ---
    kind: Deployment
    apiVersion: apps/v1   # apps/v1beta2 was removed in Kubernetes 1.16
    metadata:
      name: apache-httpd
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: apache-httpd
      template:
        metadata:
          name: apache-httpd
          labels:
            app: apache-httpd
        spec:
          containers:
          # START apache httpd container
          - name: apache-httpd
            image: httpd:2.4-alpine
            imagePullPolicy: Always
            readinessProbe:
              httpGet:
                path: /
                port: 8081
            command: ["/usr/local/apache2/bin/httpd"]
            args: ["-f", "/etc/apache-httpd-configmap/httpd.conf", "-DFOREGROUND"]
            ports:
            - name: apache-httpd
              containerPort: 8081
            volumeMounts:
            - mountPath: /etc/apache-httpd-configmap
              name: apacheconfig
              readOnly: true
          # END apache container
          # END containers
          volumes:
            - name: apacheconfig
              configMap:
                name: apache-httpd-configmap
          # END volumes
        # END template spec
      # END template
    

    In addition to the above new manifest yaml, the rule for "myapp-ingress" needed to change so that instead of serviceName: myapp it has serviceName: apache-httpd to make the LB direct traffic to Apache.

    It seems that this rather minimal Apache setup requires very little CPU and RAM, so it fits just fine in the existing cluster and thus doesn't really cause any direct extra cost.

    0 · Discussion (0)
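The redirect-or-proxy decision that the httpd.conf in the answer encodes, as an added example that is not part of the original post or of the author's setup: a small Python stand-in that makes the same choice on X-Forwarded-Proto, but fails closed (it redirects unless the header says https), so a request that reaches the pod without passing through the load balancer, for instance straight at the NodePort, is not served as if it were HTTPS. The hostname and upstream URL are the placeholders from the answer's config; that the GCE load balancer sets X-Forwarded-Proto to "http" or "https" is an assumption of this example.

```python
"""Stand-in for the Apache redirect-or-proxy policy (added example, not the
original post's code).  Assumes the load balancer in front sets
X-Forwarded-Proto to "http" or "https"; hostname and upstream are placeholders."""
import http.server
import urllib.error
import urllib.request

# Values taken from the answer's httpd.conf; both are placeholders there too.
PUBLIC_HOST = "my.domain.name"      # ServerName / Redirect target
UPSTREAM = "http://myapp:80"        # ProxyPass target (Service DNS name)


def decide(headers, target, fail_closed=True):
    """Decide what to do with one request.

    headers: any mapping of header name -> value (lookup is case-insensitive).
    target:  the request target as sent by the client, e.g. "/login?next=/".
    Returns ("redirect", location) or ("proxy", upstream_url).

    The Apache <If> in the answer redirects only when X-Forwarded-Proto is
    exactly "http", so a request carrying no such header (one that did not
    come through the load balancer) is proxied as if it were HTTPS.  With
    fail_closed=True this stand-in redirects unless the header says "https".
    """
    proto = next((v for k, v in headers.items() if k.lower() == "x-forwarded-proto"), "")
    proto = proto.strip().lower()
    if not target.startswith("/"):
        target = "/" + target
    if proto == "http" or (fail_closed and proto != "https"):
        # Like "Redirect / https://my.domain.name:443/": the rest of the target
        # is appended, and the host is the configured one, never the client's
        # Host header, so the redirect cannot be pointed at another site.
        return ("redirect", f"https://{PUBLIC_HOST}:443{target}")
    return ("proxy", UPSTREAM + target)


class RedirectOrProxy(http.server.BaseHTTPRequestHandler):
    """HTTP handler that applies decide() and, for "proxy", forwards upstream."""

    fail_closed = True
    hop_by_hop = {"host", "content-length", "connection", "transfer-encoding"}

    def _handle(self):
        action, url = decide(self.headers, self.path, self.fail_closed)
        if action == "redirect":
            # 301 rather than Apache's default 302: the HTTP->HTTPS move is permanent.
            self.send_response(301)
            self.send_header("Location", url)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(url, data=body, method=self.command)
        for name, value in self.headers.items():
            if name.lower() not in self.hop_by_hop:
                req.add_header(name, value)
        try:
            resp = urllib.request.urlopen(req, timeout=10)
        except urllib.error.HTTPError as err:   # upstream 4xx/5xx: pass it through
            resp = err
        try:
            data = resp.read()
            self.send_response(resp.code)
            for name, value in resp.headers.items():
                if name.lower() not in self.hop_by_hop:
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        finally:
            resp.close()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    # Same port as the answer's "Listen 8081", so the Service and probe above still fit.
    http.server.ThreadingHTTPServer(("", 8081), RedirectOrProxy).serve_forever()
```

With the server running, `curl -sI -H 'X-Forwarded-Proto: http' http://localhost:8081/foo?a=1` should return 301 with `Location: https://my.domain.name:443/foo?a=1`, and the same request with `https` in the header should be answered by whatever listens at the upstream. The equivalent fail-closed test in the Apache config is `<If "%{HTTP:X-Forwarded-Proto} != 'https'">`; note that a kubelet httpGet readiness probe sends no X-Forwarded-Proto and would then receive the redirect, which kubelet still counts as success (any status from 200 to 399).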