现在k8s上服务暴露方式用的最多就是nginx-ingress,今天我们来讲讲nginx-ingress的具体使用,我们在tke上实践下,如何部署使用nginx-ingress,以及nginx的一些注解功能的使用。
今天我们主要是在腾讯云上的tke上进行实践测试,不过测试的功能也是支持在其他类型的k8s上使用,只要部署了nignx-ingress就行。现在tke上为了方便用户能够快速使用nginx-ingress推了了通过组件的方式的来部署,具体部署方式可以参考文档https://cloud.tencent.com/document/product/457/50503,如果在集群上找不到这个组件,可以提交工单进行开通,如果想自己搭建nginx-ingress可以参考https://cloud.tencent.com/document/product/457/47293进行部署。今天我们不说具体的部署,主要讲讲nginx-ingress一些常用的功能如何进行配置使用。
1. https的配置
有的时候我们需要给域名配置ssl证书来进行https的安全访问,首先你需要给域名申请证书,可以到现在的公有云上为域名申请免费的证书,申请后将证书通过secret挂载到k8s集群中
代码语言:javascript复制kubectl create secret tls example-ssl --key 2_example.tke.niewx.cn.key --cert 1_example.tke.niewx.cn_bundle.crt
然后再在ingress中配置下,这里我们配置下tls这个字段
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: nwx-ingress
kubernetes.io/ingress.extensiveParameters: '{"AddressIPVersion":"IPV4"}'
kubernetes.io/ingress.http-rules: "null"
kubernetes.io/ingress.https-rules: '[{"host":"example.tke.niewx.cn","path":"/","backend":{"serviceName":"springboot","servicePort":"8080"}}]'
kubernetes.io/ingress.rule-mix: "true"
nginx.ingress.kubernetes.io/use-regex: "true"
name: example-ingress
namespace: test
spec:
rules:
- host: example.tke.niewx.cn
http:
paths:
- backend:
serviceName: springboot
servicePort: 8080
path: /
tls:
- hosts:
- example.tke.niewx.cn
secretName: example-ssl
status:
loadBalancer:
ingress:
- ip: 81.71.131.235
这样浏览器输入example.tke.niewx.cn会通过https访问。
2. 域名登录认证
有时候我们的服务没有提供登录认证,但是有不希望将服务提供给所有的人都能访问,那么可以通过ingress上的认证控制访问。今天我们讲讲常用的2种认证方式。
2.1 基本身份认证
代码语言:javascript复制[root@VM-0-13-centos nginx-ingress]# htpasswd -c auth admin
New password:
Re-type new password:
Adding password for user admin
[root@VM-0-13-centos nginx-ingress]# kubectl create secret generic basic-auth --from-file=auth -n test
secret/basic-auth created
接下来我们在ingress中配置下这个secret,这里我们配置账号密码是admin/admin
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: nwx-ingress
kubernetes.io/ingress.extensiveParameters: '{"AddressIPVersion":"IPV4"}'
kubernetes.io/ingress.http-rules: "null"
kubernetes.io/ingress.https-rules: '[{"host":"example.tke.niewx.cn","path":"/","backend":{"serviceName":"springboot","servicePort":"8080"}}]'
kubernetes.io/ingress.rule-mix: "true"
nginx.ingress.kubernetes.io/auth-realm: Authentication Required - admin
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/use-regex: "true"
name: example-ingress
namespace: test
spec:
rules:
- host: example.tke.niewx.cn
http:
paths:
- backend:
serviceName: springboot
servicePort: 8080
path: /
tls:
- hosts:
- example.tke.niewx.cn
secretName: example-ssl
status:
loadBalancer:
ingress:
- ip: 81.71.131.235
代码语言:javascript复制nginx.ingress.kubernetes.io/auth-realm: Authentication Required - admin
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-type: basic
我们在ingress中加入这3条注解,再登录就会需要输入账号密码了。
2.2 外部身份验证
有时候我们有自己的鉴权中心,也是可以使用外部身份进行认证的,这里我们采用https://httpbin.org/basic-auth/user/passwd这个作为外部身份,这个默认账号和密码user/passwd
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: nwx-ingress
kubernetes.io/ingress.extensiveParameters: '{"AddressIPVersion":"IPV4"}'
kubernetes.io/ingress.http-rules: "null"
kubernetes.io/ingress.https-rules: '[{"host":"example.tke.niewx.cn","path":"/","backend":{"serviceName":"springboot","servicePort":"8080"}}]'
kubernetes.io/ingress.rule-mix: "true"
nginx.ingress.kubernetes.io/auth-url: https://httpbin.org/basic-auth/user/passwd
nginx.ingress.kubernetes.io/use-regex: "true"
这里我们只需要配置下面这个注解就会用外部身份认证
代码语言:javascript复制nginx.ingress.kubernetes.io/auth-url: https://httpbin.org/basic-auth/user/passwd
这里我们通过curl的方式验证下
代码语言:javascript复制[root@VM-0-3-centos ~]# curl -k https://example.tke.niewx.cn/ -v -H 'Host: example.tke.niewx.cn'
* About to connect() to example.tke.niewx.cn port 443 (#0)
* Trying 81.71.131.235...
* Connected to example.tke.niewx.cn (81.71.131.235) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
* start date: Dec 28 06:14:11 2020 GMT
* expire date: Dec 28 06:14:11 2021 GMT
* common name: Kubernetes Ingress Controller Fake Certificate
* issuer: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Host: example.tke.niewx.cn
>
< HTTP/1.1 401 Unauthorized
< Date: Wed, 30 Dec 2020 11:36:43 GMT
< Content-Type: text/html
< Content-Length: 172
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Fake Realm"
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host example.tke.niewx.cn left intact
[root@VM-0-3-centos ~]# curl -k https://example.tke.niewx.cn/ -v -H 'Host: example.tke.niewx.cn' -u 'user:passwd'
* About to connect() to example.tke.niewx.cn port 443 (#0)
* Trying 81.71.131.235...
* Connected to example.tke.niewx.cn (81.71.131.235) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
* start date: Dec 28 06:14:11 2020 GMT
* expire date: Dec 28 06:14:11 2021 GMT
* common name: Kubernetes Ingress Controller Fake Certificate
* issuer: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
* Server auth using Basic with user 'user'
> GET / HTTP/1.1
> Authorization: Basic dXNlcjpwYXNzd2Q=
> User-Agent: curl/7.29.0
> Accept: */*
> Host: example.tke.niewx.cn
>
< HTTP/1.1 200
< Date: Wed, 30 Dec 2020 11:37:14 GMT
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 23
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
* Connection #0 to host example.tke.niewx.cn left intact
you access path is root[root@VM-0-3-centos ~]# curl -k https://example.tke.niewx.cn/ -v -H 'Host: example.tke.niewx.cn' -u 'user:user'
* About to connect() to example.tke.niewx.cn port 443 (#0)
* Trying 81.71.131.235...
* Connected to example.tke.niewx.cn (81.71.131.235) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
* start date: Dec 28 06:10:15 2020 GMT
* expire date: Dec 28 06:10:15 2021 GMT
* common name: Kubernetes Ingress Controller Fake Certificate
* issuer: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
* Server auth using Basic with user 'user'
> GET / HTTP/1.1
> Authorization: Basic dXNlcjp1c2Vy
> User-Agent: curl/7.29.0
> Accept: */*
> Host: example.tke.niewx.cn
>
< HTTP/1.1 401 Unauthorized
< Date: Wed, 30 Dec 2020 11:37:20 GMT
< Content-Type: text/html
< Content-Length: 172
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Fake Realm"
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host example.tke.niewx.cn left intact
我们分别通过不带用户名密码、正确的用户名密码、和不到用户名密码进行测试,最终只有正确输入用户名和密码才返回200。
3. rewrite
有时候我们需要创建ingress对象来为Controller制定转发规则
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: ingress
nginx.ingress.kubernetes.io/use-regex: "true"
name: ingress-v3
namespace: test
spec:
rules:
- host: example.tke.niewx.cn
http:
paths:
- backend:
serviceName: springboot
servicePort: 8080
path: /api
tls:
- hosts:
- example.tke.niewx.cn
secretName: example-ssl
表示会将https://example.tke.niewx.cn/api/URL转发到集群中的https://example.tke.niewx.cn/api/URL上,也就是说最后一行的path: /api也会当作请求的一部分,追加到url中。
但是,如果nginx实际的请求地址为https://svc-springboot/api/URL,则会报404,找不到服务。
有的时候我们需要将前端用户访问的路径指向后端真实的路径,这里我们就需要用到ingress的rewite来实现了
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: ingress
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/use-regex: "true"
name: example-ingress
namespace: test
spec:
rules:
- host: example.tke.niewx.cn
http:
paths:
- backend:
serviceName: springboot
servicePort: 8080
path: /api(/|$)(.*)
tls:
- hosts:
- example.tke.niewx.cn
secretName: example-ssl
这里我们会进行如下重定向
- example.tke.niewx.cn/api 重写到 example.tke.niewx.cn/
- example.tke.niewx.cn/api/ 重写到 example.tke.niewx.cn/
- example.tke.niewx.cn/api/v1 重写到 example.tke.niewx.cn/v1
正常我们会打印出是访问的实际路径,由于被重写,导致本应打印的应该是/api/v1,现在打印的是v1,说明真实访问的后端是example.tke.niewx.cn/v1
我们也可以将域名的根目录重写到某一个后端的路径下,这样访问根目录下就会重写到后的真实路径,我们测试下将根路径重写到/api/v2下面
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: nwx-ingress
kubernetes.io/ingress.extensiveParameters: '{"AddressIPVersion":"IPV4"}'
kubernetes.io/ingress.http-rules: "null"
kubernetes.io/ingress.https-rules: '[{"host":"example.tke.niewx.cn","path":"/","backend":{"serviceName":"springboot","servicePort":"8080"}}]'
kubernetes.io/ingress.rule-mix: "true"
nginx.ingress.kubernetes.io/app-root: /api/v2
nginx.ingress.kubernetes.io/auth-url: https://httpbin.org/basic-auth/user/passwd
nginx.ingress.kubernetes.io/use-regex: "true"
name: example-ingress
namespace: test
spec:
rules:
- host: example.tke.niewx.cn
http:
paths:
- backend:
serviceName: springboot
servicePort: 8080
path: /
tls:
- hosts:
- example.tke.niewx.cn
secretName: example-ssl
status:
loadBalancer:
ingress:
- ip: 81.71.131.235
这里我们测试发现访问根目录会跳转到/api/v2下,浏览器输入也会强制跳转到/api/v2下
代码语言:javascript复制[root@VM-0-3-centos ~]# curl -I -k https://example.tke.niewx.cn
HTTP/1.1 302 Moved Temporarily
Date: Wed, 30 Dec 2020 12:24:30 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: https://example.tke.niewx.cn/api/v2
rewrite功能可以让我们进行丰富的访问路径配置,这样方便了我们可以通过不同的路径去访问不通的后端。
4. 访问白名单
有时候我们需要给域名配置下访问白名单,我只希望部分ip可以访问我的服务,这时候需要用到ingress的whitelist-source-range,我们可以通过这个注解来配置我们希望放通访问的ip。下面我们只放通10.0.0.0/24可以访问
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: nwx-ingress
kubernetes.io/ingress.extensiveParameters: '{"AddressIPVersion":"IPV4"}'
kubernetes.io/ingress.http-rules: "null"
kubernetes.io/ingress.https-rules: '[{"host":"example.tke.niewx.cn","path":"/","backend":{"serviceName":"springboot","servicePort":"8080"}}]'
kubernetes.io/ingress.rule-mix: "true"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/24
我们测试下看看,我们在10.0.0.3和10.0.5.33分别访问下域名看看
代码语言:javascript复制[root@VM-5-33-tlinux ~]# curl -I -k https://example.tke.niewx.cn
HTTP/1.1 403 Forbidden
Date: Wed, 30 Dec 2020 12:39:35 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Strict-Transport-Security: max-age=15724800; includeSubDomains
[root@VM-5-33-tlinux ~]# ip addr | grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 10.0.5.33/24 brd 10.0.5.255 scope global eth0
代码语言:javascript复制[root@VM-0-3-centos ~]# curl -I -k https://example.tke.niewx.cn
HTTP/1.1 200
Date: Wed, 30 Dec 2020 12:36:05 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 23
Connection: keep-alive
Strict-Transport-Security: max-age=15724800; includeSubDomains
[root@VM-0-3-centos ~]# ip addr | grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 10.0.0.3/24 brd 10.0.0.255 scope global eth0
可以发现10.0.0.3这个服务器上可以访问,但是10.0.5.33确无法访问,这是因为10.0.0.3在我们配置的白名单里。
5. 永久重定向
我们可以在ingress配置域名的重定向,可以配置访问到其他链接,同时也可以配置重定向错误码,这里错误码值的范围是 300~308 ,超出这个范围就重置为默认301的值。
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: nwx-ingress
kubernetes.io/ingress.extensiveParameters: '{"AddressIPVersion":"IPV4"}'
kubernetes.io/ingress.http-rules: "null"
kubernetes.io/ingress.https-rules: '[{"host":"example.tke.niewx.cn","path":"/","backend":{"serviceName":"springboot","servicePort":"8080"}}]'
kubernetes.io/ingress.rule-mix: "true"
nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
nginx.ingress.kubernetes.io/use-regex: "true"
这里我们在浏览器中输入example.tke.niewx.cn会强制跳转到百度页面
代码语言:javascript复制[root@VM-0-3-centos ~]# curl -I -k https://example.tke.niewx.cn
HTTP/1.1 301 Moved Permanently
Date: Wed, 30 Dec 2020 12:55:21 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.baidu.com
Strict-Transport-Security: max-age=15724800; includeSubDomains
下面我们重定向到baidu,然后让返回码是308
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: nwx-ingress
kubernetes.io/ingress.extensiveParameters: '{"AddressIPVersion":"IPV4"}'
kubernetes.io/ingress.http-rules: "null"
kubernetes.io/ingress.https-rules: '[{"host":"example.tke.niewx.cn","path":"/","backend":{"serviceName":"springboot","servicePort":"8080"}}]'
kubernetes.io/ingress.rule-mix: "true"
nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
nginx.ingress.kubernetes.io/permanent-redirect-code: "308"
nginx.ingress.kubernetes.io/use-regex: "true"
我们访问域名测试下,可以发下最终后端是baidu,并且返回吗是308
代码语言:javascript复制[root@VM-0-3-centos ~]# curl -I -k https://example.tke.niewx.cn
HTTP/1.1 308 Permanent Redirect
Date: Wed, 30 Dec 2020 12:57:28 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://www.baidu.com
Strict-Transport-Security: max-age=15724800; includeSubDomains
5. 客户端请求body的大小
我通过ingress给我的harbor配置一个域名,但是我上次镜像的时间报错了,报错413 Request Entity Too Large,这个是客户端上传镜像到仓库的请求body太大,需要怎么解决呢?其实ingress中提供了注解用来配置请求体的大小即可,加上注解nginx.ingress.kubernetes.io/proxy-body-size: 1000m,具体的大小限制根据自身需求配置即可。
代码语言:javascript复制apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
ingress.cloud.tencent.com/direct-access: "false"
kubernetes.io/ingress.class: nwx-ingress
kubernetes.io/ingress.extensiveParameters: '{"AddressIPVersion":"IPV4"}'
kubernetes.io/ingress.http-rules: '[{"host":"harbor.tke.niewx.cn","path":"/","backend":{"serviceName":"harbor-1610088954-harbor-portal","servicePort":"80"}}]'
kubernetes.io/ingress.https-rules: "null"
kubernetes.io/ingress.rule-mix: "false"
nginx.ingress.kubernetes.io/proxy-body-size: 1000m
nginx.ingress.kubernetes.io/use-regex: "true"
name: harbor-ingress
namespace: harbor
6. http2-max-requests配置
问题现象:通过公网长连接访问后ingress后, 脚本每次请求1000次后,到1001次, grpc抛出: connections to all backends failing
github相关问题issue:https://github.com/kubernetes/ingress-nginx/issues/3028
解决方案:这里是因为nginx中http2-max-requests这个配置配置太小,建议的解决方法是参考https://trac.nginx.org/nginx/ticket/1250
链接的的建议When we set http2_max_requests 1000000, the possibility became very low.
这里在nginx-ingress需要设置下controller的全局configmap配置,在配置中加下如下配置即可
代码语言:javascript复制http2-max-requests: "1000000"
配置好之后,重启下nginx-ingress controller的pod即可。
7. nginx-ingress获取真实客户端ip
很多业务场景需要获取到真实客户端ip,如果是通过nginx-ingress提供访问,那么在后端的pod内怎么样才能获取到真实客户端ip呢?下面我们以nginx服务为例,当我们通过ingress的域名访问nginx服务,怎么样才能获取真实客户端ip。
如果不配置的话,nginx服务是获取不到真实客户端ip的。现在我们做如下配置
- 修改nginx-ingress controller的入口service配置,将externalTrafficPolicy改成Local
- 修改nginx-ingress controller的configmap配置,加上如下配置
compute-full-forwarded-for: "true"
forwarded-for-header: "X-Forwarded-For"
use-forwarded-headers: "true"
修改后,nginx-ingress controller会自动加载configmap配置,我们在访问看看
这时候可以发现日志的客户端ip已经是真实的客户端ip了。
8. nginx-ingress代理tcp和udp服务
具体配置参考文档 https://www.niewx.cn/2021/11/09/2021-11-09-Use-Nginx-Ingress-to-expose-TCP-and-udp-services/
9. nginx-ingress同时支持http和https
大家在使用nginx-ingress的时候,经常会给域名配置证书,让域名走https协议访问,但是有的时候我们希望域名既能http访问,也能https访问, 当你在ingress配置了证书后,会发现通过http访问域名默认会跳转到https。
这个时候大家会有一个疑惑,我没配置强制跳转,为什么会http强制跳转到https呢?并且nginx-ingress不像云厂商一样支持混合协议的配置,如果我希望域名能同时通过http和https访问到,该怎么配置呢?下面我来给大家讲解下
首先你在ingress配置了证书,没配置强制跳转,但是http直接强制到了https,这是因为Ingress 启用了 TLS,控制器会使用 308永久重定向响应将HTTP客户端重定向到HTTPS端口 443,Ingress 里配置了 https 证书的话,默认就一定会走 https。
那么我们要如何关闭这个强制跳转呢?其实ingress提供一个注解来进行控制
代码语言:javascript复制nginx.ingress.kubernetes.io/ssl-redirect: “false”
如果你希望不进行强制跳转,那你在ingress加上这个注解即可。
从测试可以发现,加上注解后,http和https都可以进行访问了。
10. nginx-ingress实现金丝雀发布
参考tke官网文档配置即可 https://cloud.tencent.com/document/product/457/48907
11. nginx-ingress实现grpc转发
参考下面文档配置
https://cloud.tencent.com/developer/article/1970910
12. nginx-ingress如何开启tls 1.0和1.1
官网文档说明:https://kubernetes.github.io/ingress-nginx/user-guide/tls/
修改nginx ingress controller的配置文件,加上如下配置即可,tke控制台可以直接组件里面进行修改
代码语言:javascript复制ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
13. nginx-ingress重试机制
问题现象:通过ingress的域名访问后端,调用一次,服务日志里显示调用了三次,nginx-ingress的请求日志出现了3次返回码
代码语言:javascript复制 - - [2022-09-14T11:40:27 00:00] 1663155627.705 "GET
/api HTTP/1.1" 502 150 "-" "curl/7.29.0" 121
3.073 [background-sino-xray-9091] [] [10.160.253.235:9091,
10.160.253.235:9091, 10.160.253.235:9091] [0, 0, 0] [1.028, 1.024,
1.024] [502, 502, 502] 7d407c28f5d7d2aae3afd0c368fbe9e5
问题原因:从访问日志看,nginx ingress controller出现3次调后端rs,为什么会调用了3次呢?这里是因为nginx本身的重试机制,具体参数可以参考文档
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream
但是为什么是重试3次呢,这里可以到nginx-ingress controller看下配置文件
代码语言:javascript复制proxy_next_upstream error timeout; #哪些情况下应将请求传递到下一台服务器
proxy_next_upstream_timeout 0; # 限制可以将请求传递到下一台服务器的时间,0表示将关闭此限制
proxy_next_upstream_tries 3; # 限制将请求传递到下一台服务器的可能尝试次数。0表示关闭此限制
可以看出tke的nginx ingress controller默认是重试3次,因此日志里会显示调用了3次。如果要关闭重试,直接在全局configmap里proxy_next_upstream_tries设置为0
14. nginx-ingress无法reload全局配置
https://cloud.tencent.com/developer/article/2040556
15. nginx-ingress超时配置
nginx ingress的upstream超时设置主要是设置下面3个参数,单位都是秒(s)
代码语言:txt复制proxy_connect_timeout upstream 后端连接超时时间。
proxy_read_timeout 读取 upstream 后端响应超时时间。
proxy_send_timeout 向 upstream 后端发送请求的超时时间。
如果是全局配置可以修改nginx ingress controller的全局configmap
代码语言:txt复制apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
data:
proxy-connect-timeout: "30"
proxy-send-timeout: "60"
proxy-read-timeout: "60"
如果是给单个ingress设置,可以给ingress加上注解
代码语言:txt复制apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sample-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
spec:
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sample-service
port:
number: 80
配置注解的时候需要注意下,不能加上单位,否则会配置不生效,比如600s,直接配置为600,这几个注解vaule的类型都是number类型,只能是数字。
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/