Kubernetes Ingress: serving your application over HTTPS
Ingress: HTTPS configuration
Steps to configure HTTPS:
1. Prepare the certificate file for the domain (either self-signed with openssl/cfssl or issued by a public CA).
2. Save the certificate and key in a Secret:
kubectl create secret tls blog-ctnrs-com --cert=blog.ctnrs.com.pem --key=blog.ctnrs.com-key.pem
This stores one certificate and one private key in Kubernetes.
3. Configure tls in the Ingress rule: reference the certificate by the name of the Secret.
When the Ingress is created, the Ingress controller picks up the certificate stored in Kubernetes and uses it in the server block that serves the site, i.e. this is the server-side certificate configuration.
Installing the cfssl tools
[root@k8s-master ~]# mkdir -p SSL
[root@k8s-master ~]# cd SSL/
[root@k8s-master SSL]# chmod o+x cfssl.sh
[root@k8s-master SSL]# cat cfssl.sh
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/bin/cfssl
mv cfssljson_linux-amd64 /usr/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
[root@k8s-master SSL]# ./cfssl.sh
Self-signing a CA and issuing a domain certificate
The script below first uses cfssl to self-sign a CA, then uses that CA to issue a certificate for a domain; here I issue one for blog.ctnrs.com. The domain and the certificate must correspond one-to-one: if they do not match, even a purchased certificate from a public CA will make the browser warn that the site is not secure.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[root@k8s-master SSL]# ls *.pem
ca-key.pem ca.pem
This generated the two files we need, ca-key.pem and ca.pem: the files whose names start with ca are the self-signed CA (its certificate and its private key).
Issuing the certificate for the domain:
[root@k8s-master SSL]# cat > blog.ctnrs.com-csr.json <<EOF
> {
>   "CN": "blog.ctnrs.com",
>   "hosts": [],
>   "key": {
>     "algo": "rsa",
>     "size": 2048
>   },
>   "names": [
>     {
>       "C": "CN",
>       "L": "BeiJing",
>       "ST": "BeiJing"
>     }
>   ]
> }
> EOF
[root@k8s-master SSL]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes blog.ctnrs.com-csr.json | cfssljson -bare blog.ctnrs.com
[root@k8s-master SSL]# ll *.pem
-rw------- 1 root root 1675 Jan 4 16:57 blog.ctnrs.com-key.pem
-rw-r--r-- 1 root root 1314 Jan 4 16:57 blog.ctnrs.com.pem
-rw------- 1 root root 1679 Jan 4 16:54 ca-key.pem
-rw-r--r-- 1 root root 1273 Jan 4 16:54 ca.pem
These two files, blog.ctnrs.com-key.pem and blog.ctnrs.com.pem, are the ones used in the actual configuration; if you were configuring the domain certificate in nginx, these are the two files you would reference there.
With the self-signed certificate files ready, the next step is to store them in a Secret, i.e. put the two files into Kubernetes:
[root@k8s-master SSL]# kubectl create secret tls blog-ctnrs-com --cert=blog.ctnrs.com.pem --key=blog.ctnrs.com-key.pem
secret/blog-ctnrs-com created
[root@k8s-master SSL]# kubectl get secret
NAME TYPE DATA AGE
blog-ctnrs-com kubernetes.io/tls 2 34s
default-token-j9294 kubernetes.io/service-account-token 3 50d
[root@k8s-master SSL]# kubectl describe secret blog-ctnrs-com
Name: blog-ctnrs-com
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1314 bytes
tls.key: 1675 bytes
Creating a test environment
[root@k8s-master SSL]# cat app.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web1
  template:
    metadata:
      labels:
        app: web1
    spec:
      containers:
      - name: web
        image: nginx:1.18
        ports:
        - containerPort: 80
          name: nginx
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: web1
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: nginx
  selector:
    app: web1
  type: ClusterIP
[root@k8s-master SSL]# kubectl get pod,svc
NAME READY STATUS RESTARTS AGE
pod/web1-5557959468-cnfl8 1/1 Running 0 3m2s
pod/web1-5557959468-vbnvt 1/1 Running 0 3m2s
pod/web1-5557959468-vv999 1/1 Running 0 3m2s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 50d
service/web1 ClusterIP 10.111.27.110 <none> 80/TCP 3m2s
[root@k8s-master SSL]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 50d
web1 ClusterIP 10.111.27.110 <none> 80/TCP 5m41s
[root@k8s-master SSL]# kubectl get ep
NAME ENDPOINTS AGE
kubernetes 192.168.179.102:6443 50d
web1 10.244.169.139:80,10.244.169.140:80,10.244.36.77:80 5m42s
Creating the Ingress rule
[root@k8s-master ~]# cat ingress-https.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blog
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - blog.ctnrs.com            # must match the domain in the certificate
    secretName: blog-ctnrs-com  # replace with the name of your TLS Secret
  rules:
  - host: blog.ctnrs.com        # keep consistent with the domain in the certificate
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web1          # replace with your target Service name
            port:
              number: 80        # replace with your target Service port
In the configuration above, the tls field under spec specifies the TLS certificate to use: hosts lists the domain(s) the certificate applies to, and secretName names the Secret resource that holds the certificate and key. In addition, the nginx.ingress.kubernetes.io/ssl-redirect annotation under annotations enables the SSL redirect: a client that reaches the Ingress over HTTP is redirected to the corresponding HTTPS resource.
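As an added example (not code from the original post), a stdlib-only Python checker for the points made above: every host in tls[].hosts should also appear in rules[].host, and secretName must name a kubernetes.io/tls Secret in the Ingress's own namespace carrying tls.crt and tls.key. It reads the JSON shape of kubectl get ingress -o json / kubectl get secret -o json; the sample objects are constructed from the post's values, with one mismatched host and one missing Secret added deliberately.

```python
# Added example (not from the original post): consistency check of an Ingress TLS
# block against the Secrets in its namespace, using `kubectl ... -o json` output.
import json

# Constructed sample based on the post's Ingress, plus one extra TLS host that
# has no routing rule and a second TLS entry whose Secret does not exist.
INGRESS_JSON = json.dumps({
    "metadata": {"name": "blog", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["blog.ctnrs.com", "www.ctnrs.com"], "secretName": "blog-ctnrs-com"},
                {"hosts": ["shop.ctnrs.com"], "secretName": "shop-ctnrs-com"}],
        "rules": [{"host": "blog.ctnrs.com", "http": {"paths": [{"path": "/"}]}}],
    },
})
# Constructed Secret list for the same namespace; tls.crt/tls.key are base64
# placeholders, not real key material.
SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"name": "blog-ctnrs-com", "namespace": "default"},
     "type": "kubernetes.io/tls",
     "data": {"tls.crt": "UExBQ0VIT0xERVI=", "tls.key": "UExBQ0VIT0xERVI="}},
]})


def check_ingress_tls(ingress_json: str, secrets_json: str) -> list[str]:
    """Return findings as strings; an empty list means the TLS block is consistent."""
    ingress = json.loads(ingress_json)
    namespace = ingress["metadata"]["namespace"]
    secrets = {s["metadata"]["name"]: s for s in json.loads(secrets_json)["items"]}
    rule_hosts = {r.get("host") for r in ingress["spec"].get("rules", [])}
    findings = []
    for entry in ingress["spec"].get("tls", []):
        # A host listed under tls must also have a rule, otherwise the controller
        # presents a certificate for a name that routes nowhere.
        for host in entry.get("hosts", []):
            if host not in rule_hosts:
                findings.append(f"tls host {host} has no rules[].host entry")
        # secretName is resolved in the Ingress's own namespace and must be a kubernetes.io/tls
        # Secret carrying tls.crt and tls.key, which is what `kubectl create secret tls` writes.
        name = entry.get("secretName")
        secret = secrets.get(name)
        if secret is None:
            findings.append(f"secret {name} not found in namespace {namespace}")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            findings.append(f"secret {name} has type {secret.get('type')}, expected kubernetes.io/tls")
        for key in ("tls.crt", "tls.key"):
            if not secret.get("data", {}).get(key):
                findings.append(f"secret {name} is missing data key {key}")
    return findings


FINDINGS = check_ingress_tls(INGRESS_JSON, SECRETS_JSON)  # three findings on the constructed sample
```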
Hosts entry on the client (C:\Windows\System32\drivers\etc\hosts) so that the test domain resolves:
192.168.179.103 blog.ctnrs.com
Script for generating the certificates
[root@k8s-master SSL]# cat certs.sh
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cat > blog.ctnrs.com-csr.json <<EOF
{
  "CN": "blog.ctnrs.com",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes blog.ctnrs.com-csr.json | cfssljson -bare blog.ctnrs.com
--------------------------------------------------------------------------------------------------------------------------
A real environment
[uat:uat]$ kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx-controller-g4b5n 1/1 Running 1 20d 10.202.17.34 k8s-uat-node-01 <none> <none>
ingress-nginx-controller-hvjzr 1/1 Running 1 36d 10.202.17.35 k8s-uat-node-02 <none> <none>
[uat:uat]$ kubectl get ingress -n ztoscm-web-env-uat
NAME CLASS HOSTS ADDRESS PORTS AGE
ztoscm-vue-ingress nginx scm-uat.ztoky.cn 10.202.17.34,10.202.17.35 80, 443 171d
[uat:uat]$ kubectl get ingress ztoscm-vue-ingress -n ztoscm-web-env-uat -o yaml
spec:
  ingressClassName: nginx
  rules:
  - host: scm-uat.ztoky.cn
    http:
      paths:
      - backend:
          serviceName: ztoscm-vue-svc
          servicePort: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - scm-uat.ztoky.cn
    secretName: ztoky.cn
status:
  loadBalancer:
    ingress:
    - ip: 10.202.17.34
    - ip: 10.202.17.35
[uat:uat]$ kubectl get secret -n ztoscm-web-env-uat
NAME TYPE DATA AGE
ztoky.cn kubernetes.io/tls 2 160d
[uat:uat]$ kubectl describe secret ztoky.cn -n ztoscm-web-env-uat
Name: ztoky.cn
Namespace: ztoscm-web-env-uat
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 6721 bytes
tls.key: 1730 bytes
[uat:uat]$ kubectl describe ingress ztoscm-vue-ingress -n ztoscm-web-env-uat
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name: ztoscm-vue-ingress
Namespace: ztoscm-web-env-uat
Address: 10.202.17.34,10.202.17.35
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
ztoky.cn terminates scm-uat.ztoky.cn
Rules:
Host Path Backends
---- ---- --------
scm-uat.ztoky.cn
/ ztoscm-vue-svc:80 (<none>)
Annotations: field.cattle.io/publicEndpoints:
[{"addresses":["10.202.17.34","10.202.17.35"],"port":443,"protocol":"HTTPS","serviceName":"ztoscm-web-env-uat:ztoscm-vue-svc","ingressName...
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/ssl-redirect: true
Events: <none>