How does the NGINX Ingress controller backend-protocol annotation work with path-based routing?
I'm currently playing with NGINX ingress controller in my k8s cluster. I was trying to make end-to-end encryption work and I was able to make the connection secure all the way to the pod.
In order to achieve HTTPS all the way to the pod, I had to use the annotation
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
Sample Ingress:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-api-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - foo.example.com
    secretName: foo-cert
  rules:
  - host: foo.example.com
    http:
      paths:
      - path: /path1
        backend:
          serviceName: foo-api-path1-service
          servicePort: 443
      - path: /path2
        backend:
          serviceName: foo-api-path2-service
          servicePort: 443
```
I'm confused in terms of how exactly this happens, because when we encrypt the connection the path also gets encrypted, so how does NGINX do path-based routing? Does it decrypt the connection at the ingress and re-encrypt it? Also, does performance get affected by using this method?
TL;DR
does it decrypt the connection at ingress and re-encrypt it?
In short, yes. Please see the explanation below.
The path that a request is travelling to get to a Pod can be seen as:
Assuming that we have an Ingress controller (nginx-ingress) in place of an Ingress, you can have several ways to connect your client with a Pod (simplified):
- Unencrypted:
  client -- (HTTP) --> Ingress controller -- (HTTP) --> Service ----> Pod
- Encrypted at the Ingress controller (with nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"):
  client -- (HTTP) --> Ingress controller -- (HTTPS) --> Service ----> Pod
- Encrypted and decrypted at the Ingress controller where TLS Termination happens:
  client -- (HTTPS) --> Ingress controller (TLS Termination) -- (HTTP) --> Service ----> Pod
Your setup: