我正在使用 AWS 负载均衡器控制器为在 EKS 中运行的 Grpc 服务(grpc-dotnet 实现)设置带有 TLS 终止的 AWS NLB。 EKS 中 NLB 和 Pod 之间的流量未加密。我也尝试在 UI 中进行设置,但结果相同。带有 NLB 配置注解的 k8s 服务:
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /health
service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:account:certificate/my-cert-arn"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "9090"
# service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred
name: grpc-api-svc
namespace: default
spec:
ports:
-
port: 9090
protocol: TCP
targetPort: 9090
selector:
app: grpc-api
type: LoadBalancer
配置路由流量从 NLB 到我的 Grpc Api,但请求以错误结束:
{
"created": "@1678456920.910000000",
"description": "Failed to pick subchannel",
"file": "src/core/ext/filters/client_channel/client_channel.cc",
"file_line": 5391,
"referenced_errors": [
{
"created": "@1678456920.909000000",
"description": "failed to connect to all addresses",
"file": "src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc",
"file_line": 398,
"grpc_status": 14
}
]
}
当我删除 TLS 终止(SSL 部分)时,它运行良好。
我也试过加ALPN
service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred编辑: Python 服务运行良好,仅当我使用 .Net Grpc Server (grpc-dotnet) 时才会出现此问题
根本原因: NLB 确实会终止 TLS,但会保留在标头 https 架构中。似乎 .net 服务器更严格,Kestrel 忽略了这些请求。
解决方案 您必须在 Kestrel 选项中设置
options.AllowAlternateSchemes = true