Configuring SSL on a Gloo virtual service with an AWS ACM certificate

Question

The Gloo documentation at https://gloo.solo.io/advanced_configuration/tls_setup/ walks through setting up SSL for a Gloo virtual service. However, it only does so with a self-signed certificate. We are using Gloo to switch between two services based on path (for example, api.example.com/ points to an Elastic Beanstalk application, while api.example.com/service points to a Kubernetes cluster application).

Here are the two upstreams:

dev-api-upstream

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: dev-api-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
        - addr: api-dev.example.com
          port: 80

kube-upstream.yaml

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: kube-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
        - addr: api-dev.example.com
          port: 80

And finally the virtual service:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - '*'
    routes:
      - matcher:
          prefix: /service2
        routeAction:
          single:
            upstream:
              name: kube-upstream
              namespace: gloo-system
      - matcher:
          prefix: /
        routeAction:
          single:
            upstream:
              name: dev-api-upstream
              namespace: gloo-system

For HTTP requests this works fine, but for HTTPS it times out.

How do I enable SSL on the load balancer that Gloo receives traffic from, using a certificate created by AWS ACM?

amazon-web-services ssl kubernetes

1 Answer

If you want your VirtualService to terminate SSL, you need to add an SSLConfig to it, as described in the linked documentation:

# create a secret containing the cert you want to serve
kubectl create secret tls my-tls-cert --key <path to private key> \
   --cert <path to ca cert> --namespace gloo-system

Then update your vs with the sslConfig:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - '*'
    routes:
      - matcher:
          prefix: /service2
        routeAction:
          single:
            upstream:
              name: kube-upstream
              namespace: gloo-system
      - matcher:
          prefix: /
        routeAction:
          single:
            upstream:
              name: dev-api-upstream
              namespace: gloo-system
  sslConfig:
    secretRef:
      name: my-tls-cert
      namespace: gloo-system

Note that this will change the port on the proxy serving the virtual service (from 80 to 443).
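A small lint for the configuration the answer describes, added here as an example and not code from the question, the answer or the Gloo project: given VirtualService and Secret objects as dicts (the shape `kubectl get ... -o json` returns), it flags a VirtualService with no `sslConfig.secretRef`, a `secretRef` that points at a Secret that does not exist, and a referenced Secret that is not a `kubernetes.io/tls` secret with both `tls.crt` and `tls.key` (what `kubectl create secret tls` produces). The sample objects are constructed.

```python
"""Lint Gloo VirtualService TLS configuration (added example, constructed inputs)."""


def lint_virtual_services(virtual_services, secrets):
    """Return a list of (vs_name, message) findings for TLS config problems."""
    by_ref = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    findings = []
    for vs in virtual_services:
        name = vs["metadata"]["name"]
        ref = vs.get("spec", {}).get("sslConfig", {}).get("secretRef")
        if not ref:
            # No sslConfig: the proxy keeps serving this host over plain HTTP only.
            findings.append((name, "no sslConfig.secretRef: served over plain HTTP only"))
            continue
        secret = by_ref.get((ref.get("namespace"), ref.get("name")))
        if secret is None:
            findings.append((name, f"secretRef {ref.get('namespace')}/{ref.get('name')} not found"))
            continue
        if secret.get("type") != "kubernetes.io/tls":
            findings.append((name, f"secret {ref['name']} is not type kubernetes.io/tls"))
        missing = {"tls.crt", "tls.key"} - set(secret.get("data", {}))
        if missing:
            findings.append((name, f"secret {ref['name']} missing keys: {sorted(missing)}"))
    return findings


def _vs(name, ssl_config=None):
    """Build a minimal VirtualService dict (constructed sample, routes omitted)."""
    spec = {"virtualHost": {"domains": ["*"], "routes": []}}
    if ssl_config:
        spec["sslConfig"] = ssl_config
    return {"apiVersion": "gateway.solo.io/v1", "kind": "VirtualService",
            "metadata": {"name": name, "namespace": "gloo-system"}, "spec": spec}


# Constructed samples: the question's VS without sslConfig, the answer's VS
# with it, and a VS whose secretRef points at a Secret that was never created.
SAMPLE_VS = [
    _vs("api-prefix-http"),
    _vs("api-prefix", {"secretRef": {"name": "my-tls-cert", "namespace": "gloo-system"}}),
    _vs("api-dangling", {"secretRef": {"name": "missing-cert", "namespace": "gloo-system"}}),
]
SAMPLE_SECRETS = [{
    "metadata": {"name": "my-tls-cert", "namespace": "gloo-system"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": "<base64 cert placeholder>", "tls.key": "<base64 key placeholder>"},
}]

if __name__ == "__main__":
    for vs_name, msg in lint_virtual_services(SAMPLE_VS, SAMPLE_SECRETS):
        print(f"{vs_name}: {msg}")
```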
