NodePort service with an HTTP/2 TLS backend does not work

Posted on 2025-01-23 06:56:49

I have a backend app which implements RESTful APIs over http/2. My requirement is to expose the backend service to the host network and I do it using NodePort.

apiVersion: v1
kind: Service
metadata:
  name: gold-service
spec:
  selector:
    app: gold-app
  ports:
  - name: gold-port
    port: 12349
    nodePort: 32349
  type: NodePort

When the app runs without TLS, the service is accessible as expected from outside the cluster. However, when the app runs with TLS, the service is no longer accessible. I observe from packet capture that the TLS handshake begins but does not conclude successfully.

$ curl https://10.225.68.106:32349/api/v1/config -kv --cert <cert file> --key <key file>
* About to connect() to 10.225.68.106 port 32349 (#0)
*   Trying 10.225.68.106...
* Connected to 10.225.68.106 (10.225.68.106) port 32349 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: ...
*       start date: Mar 29 07:10:42 2018 GMT
*       expire date: Mar 26 07:10:42 2028 GMT
*       common name: ...
*       issuer: ...
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

I have gone through the discussion here. Is Ingress the only solution? Furthermore, I am curious to know how and why NodePort is not able to handle http/2 TLS traffic.
