本文作者：丁辉

Ingress代理外部服务Teleport

准备

修改 Teleport 服务为 HTTP 协议

proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:9443
  public_addr: teleport.example.com:443 # 对外访问地址
# 删除如下内容
  # https_keypairs:
  # - key_file:
    # cert_file:
  # https_keypairs_reload_interval: 0s
  # acme: {}

开启对外访问

1. Endpoints 对接外部 Teleport

   cat <<EOF | kubectl apply -f -
   apiVersion: v1
   kind: Endpoints
   metadata:
     name: teleport-proxy
     namespace: teleport
   subsets:
     - addresses:
         - ip: 127.0.0.1 # 修改为 Teleport 服务器访问地址
       ports:
         - port: 9443
           protocol: TCP
   ---
   apiVersion: v1
   kind: Service
   metadata:
     name: teleport-proxy
     namespace: teleport
   spec:
     ports:
       - port: 9443
         targetPort: 9443
     type: ClusterIP
   EOF

2. 配置对外 Ingress

   cat <<EOF | kubectl apply -f -
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: teleport
     namespace: teleport
     annotations:
       # 不限制文件上传大小
       nginx.ingress.kubernetes.io/proxy-body-size: "0"
       # 告诉Ingress后端是HTTP
       nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
     labels:
       app: teleport
   spec:
     rules:
       - host: teleport.example.com
         http:
           paths:
             - pathType: Prefix
               backend:
                 service:
                   name: teleport-proxy
                   port:
                     number: 9443
               path: /
     tls:
       - hosts:
         - teleport.example.com
         secretName: teleport-tls
   EOF

3. 访问即可