Ingress: HTTPS (configuring HTTPS)


Steps to configure HTTPS:

1. Prepare the certificate files for the domain (either self-signed with openssl/cfssl, or issued by a public CA)

2. Save the certificate files in a Secret

kubectl create secret tls blog-ctnrs-com --cert=blog.ctnrs.com.pem --key=blog.ctnrs.com-key.pem

One certificate and one private key, both stored in Kubernetes

3. Configure tls in the Ingress rule: reference the certificate by giving the name of the Secret

When you create the Ingress, the certificate stored in Kubernetes is used: the Ingress controller that serves the traffic loads it into the server configuration for that host and terminates TLS with it.

Obtaining the cfssl tools


[root@k8s-master ~]# mkdir -p SSL
[root@k8s-master ~]# cd SSL/


[root@k8s-master SSL]# chmod o+x cfssl.sh 
[root@k8s-master SSL]# cat cfssl.sh 
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/bin/cfssl
mv cfssljson_linux-amd64 /usr/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
[root@k8s-master SSL]# ./cfssl.sh 

Self-signing a CA and issuing the domain certificate


This script first uses cfssl to self-sign a CA, then uses that CA to issue a certificate for a domain; here I issue one for blog.ctnrs.com. The domain and the certificate must match one-to-one: if they do not, even a certificate bought from a public CA will make the browser warn that the site is not secure.

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

[root@k8s-master SSL]# ls *.pem
ca-key.pem  ca.pem

This generates the two files we need, ca-key.pem and ca.pem; the ca prefix marks them as the self-signed CA (its certificate and its private key).

Issuing the certificate for the domain:

[root@k8s-master SSL]# cat > blog.ctnrs.com-csr.json <<EOF
> {
>   "CN": "blog.ctnrs.com",
>   "hosts": [],
>   "key": {
>     "algo": "rsa",
>     "size": 2048
>   },
>   "names": [
>     {
>       "C": "CN",
>       "L": "BeiJing",
>       "ST": "BeiJing"
>     }
>   ]
> }
> EOF


[root@k8s-master SSL]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes blog.ctnrs.com-csr.json | cfssljson -bare blog.ctnrs.com
[root@k8s-master SSL]# ll *.pem
-rw------- 1 root root 1675 Jan  4 16:57 blog.ctnrs.com-key.pem
-rw-r--r-- 1 root root 1314 Jan  4 16:57 blog.ctnrs.com.pem
-rw------- 1 root root 1679 Jan  4 16:54 ca-key.pem
-rw-r--r-- 1 root root 1273 Jan  4 16:54 ca.pem

These two files, blog.ctnrs.com-key.pem and blog.ctnrs.com.pem, are the ones used in the actual configuration; if you were configuring the domain certificate in nginx, these are the two files you would reference there.

The self-signed certificate files are now ready. Next, save them in a Secret, i.e. put the two files above into Kubernetes:

[root@k8s-master SSL]# kubectl create secret tls blog-ctnrs-com --cert=blog.ctnrs.com.pem --key=blog.ctnrs.com-key.pem
secret/blog-ctnrs-com created

[root@k8s-master SSL]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
blog-ctnrs-com        kubernetes.io/tls                     2      34s
default-token-j9294   kubernetes.io/service-account-token   3      50d

[root@k8s-master SSL]# kubectl describe secret blog-ctnrs-com 
Name:         blog-ctnrs-com
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1314 bytes
tls.key:  1675 bytes

Creating a test environment


[root@k8s-master SSL]# cat app.yml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web1
  template:
    metadata:
      labels:
        app: web1
    spec:
      containers:
      - name: web
        image: nginx:1.18
        ports:
        - containerPort: 80
          name: nginx
          protocol: TCP 
---
apiVersion: v1
kind: Service
metadata:
  name: web1
  namespace: default
spec:
  ports:
  - port: 80       
    protocol: TCP  
    targetPort: nginx 
  selector:
    app: web1      
  type: ClusterIP
[root@k8s-master SSL]# kubectl get pod,svc
NAME                        READY   STATUS    RESTARTS   AGE
pod/web1-5557959468-cnfl8   1/1     Running   0          3m2s
pod/web1-5557959468-vbnvt   1/1     Running   0          3m2s
pod/web1-5557959468-vv999   1/1     Running   0          3m2s

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   50d
service/web1         ClusterIP   10.111.27.110   <none>        80/TCP    3m2s
[root@k8s-master SSL]# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   50d
web1         ClusterIP   10.111.27.110   <none>        80/TCP    5m41s

[root@k8s-master SSL]# kubectl get ep
NAME         ENDPOINTS                                             AGE
kubernetes   192.168.179.102:6443                                  50d
web1         10.244.169.139:80,10.244.169.140:80,10.244.36.77:80   5m42s

Creating the Ingress rule

[root@k8s-master ~]# cat ingress-https.yml 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blog
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts: 
    - blog.ctnrs.com             # must match the domain in the certificate
    secretName: blog-ctnrs-com   # replace with your TLS Secret
  rules:
  - host: blog.ctnrs.com         # keep identical to the domain in the certificate
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web1     # replace with the name of your target Service
            port:
              number: 80   # replace with the port of your target Service

In the configuration above, the tls field under spec specifies the TLS certificate to use: its hosts field lists the domain the certificate is for, and its secretName field names the Secret resource that stores the certificate and the key.

In addition, the nginx.ingress.kubernetes.io/ssl-redirect annotation under annotations enables SSL redirection: if a client reaches the Ingress over HTTP, it is redirected to the same resource over HTTPS.

For testing, add an entry to the client's hosts file (C:\Windows\System32\drivers\etc\hosts on Windows) so that the domain resolves to the address where the Ingress controller is reachable:

192.168.179.103 blog.ctnrs.com
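Before browsing to the host, it is worth checking that the leaf certificate satisfies what a client actually verifies: it chains to the CA, carries server-auth usage, and has a Subject Alternative Name equal to the host in the Ingress rule. The Go program below is an added example, not code from the original post: it recreates the cfssl flow above with crypto/x509 (a throwaway "kubernetes" CA and a leaf for blog.ctnrs.com, with P-256 keys instead of RSA-2048 only to keep it fast) and runs that check. A CSR with `"hosts": []`, as in the post, yields a certificate with no SAN, which Chrome and Go's TLS stack reject even though the CN matches (cfssl itself prints a warning about the missing hosts field).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent, the equivalent of "cfssl gencert ... | cfssljson -bare".
func sign(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// mintPair mirrors this page's cfssl flow: a throwaway CA "kubernetes" and a leaf for host.
// sans is what the CSR's "hosts" list becomes; pass nil to reproduce "hosts": [] from the post.
func mintPair(host string, sans []string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: now, NotAfter: now.Add(87600 * time.Hour), // 87600h, as in ca-config.json
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed, like -initca
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		NotBefore: now, NotAfter: now.Add(87600 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // "server auth" in the profile
		DNSNames:    sans,
	}
	return ca, sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
}

// checkIngressCert runs what a browser checks at the Ingress: chain to the trusted CA,
// server-auth usage, and a SAN matching the requested host (the CN alone is ignored).
func checkIngressCert(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

With the real files, the same check is `openssl verify -CAfile ca.pem blog.ctnrs.com.pem` plus confirming that `openssl x509 -in blog.ctnrs.com.pem -noout -ext subjectAltName` lists the domain; the fix for a missing SAN is to list the domain in the CSR's hosts array before running cfssl gencert.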

The complete certificate-generation script


[root@k8s-master SSL]# cat certs.sh 
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

cat > blog.ctnrs.com-csr.json <<EOF
{
  "CN": "blog.ctnrs.com",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes blog.ctnrs.com-csr.json | cfssljson -bare blog.ctnrs.com

--------------------------------------------------------------------------------------------------------------------------

A real environment

[uat:uat]$ kubectl get pod -n ingress-nginx -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP             NODE              NOMINATED NODE   READINESS GATES
ingress-nginx-controller-g4b5n   1/1     Running   1          20d   10.202.17.34   k8s-uat-node-01   <none>           <none>
ingress-nginx-controller-hvjzr   1/1     Running   1          36d   10.202.17.35   k8s-uat-node-02   <none>           <none>


[uat:uat]$ kubectl get ingress -n  ztoscm-web-env-uat 
NAME                 CLASS   HOSTS                 ADDRESS                     PORTS     AGE
ztoscm-vue-ingress   nginx   scm-uat.ztoky.cn      10.202.17.34,10.202.17.35   80, 443   171d


[uat:uat]$ kubectl get ingress ztoscm-vue-ingress  -n  ztoscm-web-env-uat -o yaml
spec:
  ingressClassName: nginx
  rules:
  - host: scm-uat.ztoky.cn
    http:
      paths:
      - backend:
          serviceName: ztoscm-vue-svc
          servicePort: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - scm-uat.ztoky.cn
    secretName: ztoky.cn
status:
  loadBalancer:
    ingress:
    - ip: 10.202.17.34
    - ip: 10.202.17.35

[uat:uat]$ kubectl get secret  -n  ztoscm-web-env-uat 
NAME                       TYPE                                  DATA   AGE
ztoky.cn                   kubernetes.io/tls                     2      160d


[uat:uat]$ kubectl describe secret ztoky.cn  -n  ztoscm-web-env-uat 
Name:         ztoky.cn
Namespace:    ztoscm-web-env-uat
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  6721 bytes
tls.key:  1730 bytes

[uat:uat]$ kubectl describe ingress ztoscm-vue-ingress  -n  ztoscm-web-env-uat 
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name:             ztoscm-vue-ingress
Namespace:        ztoscm-web-env-uat
Address:          10.202.17.34,10.202.17.35
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  ztoky.cn terminates scm-uat.ztoky.cn
Rules:
  Host              Path  Backends
  ----              ----  --------
  scm-uat.ztoky.cn  
                    /   ztoscm-vue-svc:80 (<none>)
Annotations:        field.cattle.io/publicEndpoints:
                      [{"addresses":["10.202.17.34","10.202.17.35"],"port":443,"protocol":"HTTPS","serviceName":"ztoscm-web-env-uat:ztoscm-vue-svc","ingressName...
                    nginx.ingress.kubernetes.io/proxy-body-size: 100m
                    nginx.ingress.kubernetes.io/ssl-redirect: true
Events:             <none>
