k8s学习笔记——traefik tls设置
//生成证书密钥,参考https://www.cnblogs.com/tugenhua0707/p/10927722.html
//生成证书密钥,参考使用openssl 生成免费证书 - 龙恩0707 - 博客园
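# Generate a 2048-bit RSA private key. tls.key is secret material: keep it
# out of version control and readable only by the operator.
openssl genrsa -out tls.key 2048

# Create the certificate signing request from that same key. The original
# step passed client.key, a file none of these commands creates.
# Most of the prompts do not matter. The one that does is
# "Common Name (eg, fully qualified host name) []": it may be a top-level
# domain or a subdomain, but it must be the same host name the HTTPS
# service will be served on.
openssl req -new -key tls.key -out tls.csr

# Sign the request with its own key, valid for 365 days. The result is a
# self-signed certificate, not one issued by a CA, so clients reject it
# unless it is added to their trust store; use it for test setups.
# NOTE(review): current browsers and Go-based clients match the host name
# against subjectAltName rather than Common Name, and this flow likely
# produces no SAN entry. Confirm with
# `openssl x509 -in tls.crt -noout -text` before relying on the certificate.
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt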
//将证书设置成secret k8s 中ingress可读取的资源形式
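# Store the certificate and key as a Secret of type kubernetes.io/tls, the
# type defined for Ingress TLS material. `create secret tls` writes the data
# keys tls.crt and tls.key and refuses a certificate and key that do not
# belong together, which `create secret generic` does not check.
# An Ingress can only use a Secret from its own namespace, looked up by
# spec.tls[].secretName. The name and namespace here follow the Ingress on
# this page (shell-com-cert in default); the original command created
# client-cert in client-namespace, which that Ingress never references.
# The Secret holds a private key, so limit who may read Secrets in this
# namespace.
kubectl create secret tls shell-com-cert \
  --cert=tls.crt \
  --key=tls.key -n default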
//在ingress中设置tls证书信息
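# Ingress that routes tomcat.shell.com to the tomcat Service through Traefik
# and names the Secret that holds the TLS certificate for that host.
# The nesting below is restored; with every key at column 0 the document
# does not describe an Ingress (name, tls and rules collapse to top level).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
spec:
  ingressClassName: "traefik"
  tls:
    # Must name a Secret in this Ingress's namespace (default) whose data
    # carries tls.crt and tls.key.
    - secretName: shell-com-cert
  rules:
    - host: tomcat.shell.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat
                # Refers to the Service port by its name, not its number.
                port:
                  name: http
# NOTE(review): this manifest sets up no HTTP-to-HTTPS redirect, so the host
# presumably stays reachable in plaintext on port 80 as well - confirm
# whether that is intended.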
//查看
//kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-nginx traefik nginx-test.shell.com 80 44h
ingress-tomcat traefik tomcat.shell.com 80, 443 44h
//可以看到暴露的443端口,当然这里也可将https服务设置成别的端口
只要把 helm 项目里 values.yaml 文件中 websecure 入口的 tls.enabled 设置为 true,就可以正常开启 https:
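# Excerpt of the Traefik Helm chart values.yaml: the websecure entrypoint.
# In the chart this mapping sits under the top-level `ports:` key; the
# nesting is restored here so that `tls.enabled` belongs to websecure.
websecure:
  # Port Traefik listens on inside the pod.
  port: 8443
  # hostPort: 8443
  expose: true
  # Port published on the Service; clients connect to 443.
  exposedPort: 443
  # The port protocol (TCP/UDP)
  protocol: TCP
  # nodePort: 32443
  # Set TLS at the entrypoint
  # https://doc.traefik.io/traefik/routing/entrypoints/#tls
  tls:
    # Turns TLS on for every router attached to this entrypoint.
    enabled: true
    # this is the name of a TLSOption definition
    # Left empty, Traefik's default TLS options apply; reference a TLSOption
    # here to pin a minimum TLS version or a cipher-suite list.
    options: ""
    # Empty: no ACME resolver, so certificates come from the Secrets that
    # the Ingress objects reference.
    certResolver: ""
    domains: []
    # - main: example.com
    #   sans:
    #     - foo.example.com
    #     - bar.example.com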