The Gloo documentation at https://gloo.solo.io/advanced_configuration/tls_setup/ walks through setting up SSL for a Gloo virtual service. However, it only does so with a self-signed certificate. We are using Gloo to switch between two services based on path (for example: api.example.com/ points to an Elastic Beanstalk application, while api.example.com/service points to a Kubernetes cluster application).

Here are the two upstreams:

dev-api-upstream.yaml

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: dev-api-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
        - addr: api-dev.example.com
          port: 80

kube-upstream.yaml
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: kube-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
        - addr: api-dev.example.com
          port: 80

And finally the virtual service:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - '*'
    routes:
      - matcher:
          prefix: /service2
        routeAction:
          single:
            upstream:
              name: kube-upstream
              namespace: gloo-system
      - matcher:
          prefix: /
        routeAction:
          single:
            upstream:
              name: dev-api-upstream
              namespace: gloo-system

This works fine for HTTP requests but times out for HTTPS.

How do I enable SSL, using a certificate created by AWS ACM, on the load balancer from which Gloo receives its requests?

Best answer

If you want the VirtualService to terminate SSL, you need to add an sslConfig to it, as described in the linked documentation:

# create a kubernetes.io/tls secret containing the private key and the
# server certificate (plus any intermediate chain) you want to serve
kubectl create secret tls my-tls-cert --key <path to private key> \
   --cert <path to server certificate> --namespace gloo-system

Then update your VirtualService with the sslConfig, like so:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - '*'
    routes:
      - matcher:
          prefix: /service2
        routeAction:
          single:
            upstream:
              name: kube-upstream
              namespace: gloo-system
      - matcher:
          prefix: /
        routeAction:
          single:
            upstream:
              name: dev-api-upstream
              namespace: gloo-system
  sslConfig:
    secretRef:
      name: my-tls-cert
      namespace: gloo-system

Note that this changes the port on the proxy that serves the virtual service (from 80 to 443).

10-08 18:33
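A pre-apply check for the configuration in the answer above, written as an added example (it is not code from the post or from the Gloo project). It takes the VirtualService and the TLS Secret as parsed dicts (constructed here to mirror the post; in practice you would feed it the output of `kubectl get ... -o json` or `yaml.safe_load`) and flags the mistakes that usually leave HTTPS hanging after the sslConfig is added: the secretRef pointing at a Secret that does not exist in that namespace, a Secret that is not of type kubernetes.io/tls or lacks tls.crt/tls.key, non-PEM contents in those keys, and a catch-all `/` route listed before `/service2`, which would shadow it because routes are matched in order. The PEM bodies in the sample Secret are placeholders.

```python
import base64
from typing import Any, Dict, List, Optional

# --- Constructed sample input mirroring the post (not real cluster data) ---
VIRTUAL_SERVICE: Dict[str, Any] = {
    "apiVersion": "gateway.solo.io/v1",
    "kind": "VirtualService",
    "metadata": {"name": "api-prefix", "namespace": "gloo-system"},
    "spec": {
        "virtualHost": {
            "domains": ["*"],
            "routes": [
                {"matcher": {"prefix": "/service2"},
                 "routeAction": {"single": {"upstream": {
                     "name": "kube-upstream", "namespace": "gloo-system"}}}},
                {"matcher": {"prefix": "/"},
                 "routeAction": {"single": {"upstream": {
                     "name": "dev-api-upstream", "namespace": "gloo-system"}}}},
            ],
        },
        "sslConfig": {"secretRef": {"name": "my-tls-cert", "namespace": "gloo-system"}},
    },
}


def _b64(pem: str) -> str:
    """Encode a PEM string the way the Kubernetes API returns Secret data."""
    return base64.b64encode(pem.encode()).decode()


# Placeholder PEM bodies; a real secret carries the served cert chain and key.
TLS_SECRET: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "my-tls-cert", "namespace": "gloo-system"},
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
    },
}


def _find_secret(ref: Dict[str, str], secrets: List[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    for s in secrets:
        md = s.get("metadata", {})
        if md.get("name") == ref["name"] and md.get("namespace") == ref["namespace"]:
            return s
    return None


def check_tls_secret(ref: Dict[str, str], secrets: List[Dict[str, Any]]) -> List[str]:
    """Verify the secretRef resolves to a usable kubernetes.io/tls Secret."""
    where = f"secretRef {ref['namespace']}/{ref['name']}"
    secret = _find_secret(ref, secrets)
    if secret is None:
        return [f"{where}: no such Secret"]
    problems: List[str] = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"{where}: type is {secret.get('type')!r}, expected 'kubernetes.io/tls'")
    data = secret.get("data", {})
    for key, header in (("tls.crt", "-----BEGIN CERTIFICATE-----"), ("tls.key", "-----BEGIN ")):
        if key not in data:
            problems.append(f"{where}: missing key {key!r}")
            continue
        try:
            body = base64.b64decode(data[key], validate=True)
        except Exception:
            problems.append(f"{where}: {key!r} is not valid base64")
            continue
        if not body.startswith(header.encode()):
            problems.append(f"{where}: {key!r} does not look like PEM")
    return problems


def check_route_order(routes: List[Dict[str, Any]]) -> List[str]:
    """Routes match first-wins; a broader prefix listed earlier hides later ones."""
    problems: List[str] = []
    for i, earlier in enumerate(routes):
        p = earlier.get("matcher", {}).get("prefix")
        if p is None:
            continue
        for j in range(i + 1, len(routes)):
            q = routes[j].get("matcher", {}).get("prefix")
            if q is not None and q.startswith(p):
                problems.append(f"route {j} (prefix {q!r}) is unreachable: shadowed by route {i} (prefix {p!r})")
    return problems


def check_virtual_service(vs: Dict[str, Any], secrets: List[Dict[str, Any]]) -> List[str]:
    """Run all checks; an empty list means the manifest is safe to apply."""
    spec = vs["spec"]
    problems: List[str] = []
    ssl = spec.get("sslConfig")
    if not ssl:
        problems.append("no sslConfig: the proxy will serve this virtual service on HTTP/80 only")
    else:
        problems += check_tls_secret(ssl["secretRef"], secrets)
    problems += check_route_order(spec["virtualHost"]["routes"])
    return problems


if __name__ == "__main__":
    for line in check_virtual_service(VIRTUAL_SERVICE, [TLS_SECRET]) or ["OK"]:
        print(line)
```

Run it against the real objects by replacing the two constructed dicts with `json.load` of `kubectl get virtualservice api-prefix -n gloo-system -o json` and `kubectl get secret my-tls-cert -n gloo-system -o json`; the checks only read fields that both Gloo and Kubernetes expose in that output.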