Kubernetes service - Loadbalancer with HTTPS

2020-07-24 15:48发布

I am using kubernetes with service as ClusterIP and placing ingress in front of the service to expose this to outside the Kubernetes cluster.

Running ingress with https and to make it https, I created the secret and using the same in ingress.

kubectl create secret tls test-secret --key key --cert cert

Using netscalar in our kubernetes cluster and hence, I am able to use X-Forward-For, Session affinity, Load balancing algoritms along with ingress.

Now, trying to make the service type as LoadBalancer so that I dont have to have ingress. I know, service type loadbalancer provides L4-loadbalancer and hence there wont be session affinity feature in the load balancer. Since, it is ok for few services, I am trying to use this.

Trying to make the service HTTPS and I came across,

https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service

Here, we create tls secret and using the reference in the deployment section and not in the service section. Not sure how it works. Also, When i use https://servicename.namespace.svc.XXXXX.com in the browser getting the cert error.

My application is running as https and it needs keystore and truststore in a property file like,

ssl.trustore=PATH_TO_THE_FILE ssl.keystore=PATH_TO_THE_FILE

I am confused, How can i make the service type loadbalancer https?

标签: kubernetes
2条回答
来,给爷笑一个
2楼-- · 2020-07-24 16:24

If you are using a cloud provider for example AWS you can enable TLS termination in a LoadBalancer Service like this:

apiVersion: v1
kind: Service
metadata:
  name: api
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  type: LoadBalancer
  selector:
    app: myApp
  ports:
    -  protocol: TCP
       port: 443
       targetPort: 8080
查看更多
The star\"
3楼-- · 2020-07-24 16:32

You answered yourself, but you didn't realize it.

As you well said, LoadBalancer type service creates a L4 load balancer. L4 load balancers are aware about source IP:port and destination IP:port, but they are not aware about anything on the application layer.

HTTP/HTTPS load balancers are on L7, therefor they are application aware.

So, basically you can't get a HTTPS load balancer from a Loadbalancer type service. You want it to be an ingress.

查看更多
登录 后发表回答