[Kubernetes] Using a ConfigMap and a Secret in K8s so a Pod can be accessed over HTTPS
Many applications depend on configuration information while they initialize or run, and most of the time the values of those configuration parameters need to be adjustable. ConfigMaps are the mechanism Kubernetes provides for injecting configuration data into application Pods.
A ConfigMap is similar to a Secret: both are Kubernetes resource objects for storing configuration, and all of their content lives in etcd. Keep in mind that a Secret's values are only base64-encoded in etcd, not encrypted, unless encryption at rest is configured on the API server, so read access to Secrets should be restricted with RBAC.
0. Requirements
Start an nginx Pod and use a ConfigMap to project the nginx.conf configuration file into the Pod.
Use a Secret to project the HTTPS certificate into the Pod so that the Pod can be accessed over HTTPS.
1. Prepare the nginx.conf configuration file
[root@jdmaster ~]# mkdir -p secret/nginx
[root@jdmaster ~]# cd secret/nginx/
[root@jdmaster nginx]# vim nginx.conf
Contents of nginx.conf:
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /etc/nginx/conf.d/tls.crt;
        ssl_certificate_key /etc/nginx/conf.d/tls.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
    }
}
2. Store the nginx.conf contents in a ConfigMap
https-nginx-1 is the name of the ConfigMap.
[root@jdmaster nginx]# kubectl create configmap https-nginx-1 --from-file=nginx.conf
configmap/https-nginx-1 created
[root@jdmaster nginx]# kubectl get cm
NAME DATA AGE
https-nginx-1 1 20s
kube-root-ca.crt 1 3d21h
[root@jdmaster nginx]# kubectl describe cm https-nginx-1
3. Generate a Secret from the certificate
The certificate has to be purchased or obtained on a free trial; it can be bought or requested as a free trial from platforms such as Alibaba Cloud, Tencent Cloud or Huawei Cloud.
[root@jdmaster nginx]# ls
7318014_sanchuangedu.cn_nginx.zip nginx.conf
[root@jdmaster nginx]# unzip 7318014_sanchuangedu.cn_nginx.zip
Archive: 7318014_sanchuangedu.cn_nginx.zip
Aliyun Certificate Download
inflating: 7318014_sanchuangedu.cn.pem
inflating: 7318014_sanchuangedu.cn.key
[root@jdmaster nginx]# ls
7318014_sanchuangedu.cn.key 7318014_sanchuangedu.cn_nginx.zip 7318014_sanchuangedu.cn.pem nginx.conf
Generate it:
[root@jdmaster nginx]# kubectl create secret tls https-secret --key 7318014_sanchuangedu.cn.key --cert 7318014_sanchuangedu.cn.pem
secret/https-secret created
Check that it was created:
https-secret is the name of the Secret that was created.
[root@jdmaster nginx]# kubectl get secret
NAME TYPE DATA AGE
default-token-n5p7p kubernetes.io/service-account-token 3 3d21h
https-secret kubernetes.io/tls 2 41s
View its contents:
[root@jdmaster nginx]# kubectl describe secret https-secret
Name: https-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 3830 bytes
tls.key: 1679 bytes
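As an added illustration (not part of the original post), this Python reproduces what `kubectl create secret tls` builds from the .pem and .key files, using constructed placeholder PEM text rather than real certificate material. It also runs the two checks worth doing before creating the Secret: the key must be an unencrypted PEM private key (nginx cannot load a passphrase-protected key without `ssl_password_file`), and the stored data is only base64, so anyone with read access to the Secret recovers the private key.

```python
import base64
import json

# Constructed placeholder PEM text, shaped like the .pem/.key files above.
# These are NOT real certificates or keys.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER_CERT_BODY\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_KEY_BODY\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n"
                     "-----END ENCRYPTED PRIVATE KEY-----\n")


def validate_tls_inputs(cert_pem, key_pem):
    """Return a list of problems that would break the 443 server block in nginx."""
    problems = []
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        problems.append("tls.crt is not a PEM certificate")
    if "PRIVATE KEY-----" not in key_pem:
        problems.append("tls.key is not a PEM private key")
    elif "ENCRYPTED PRIVATE KEY" in key_pem or "Proc-Type: 4,ENCRYPTED" in key_pem:
        # nginx cannot read a passphrase-protected key unless ssl_password_file is set
        problems.append("tls.key is passphrase-protected")
    return problems


def build_tls_secret(name, cert_pem, key_pem, namespace="default"):
    """Equivalent of: kubectl create secret tls NAME --cert CERT --key KEY"""
    problems = validate_tls_inputs(cert_pem, key_pem)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        # these two keys become /etc/nginx/conf.d/tls.crt and tls.key in the pod
        "data": {"tls.crt": base64.b64encode(cert_pem.encode()).decode(),
                 "tls.key": base64.b64encode(key_pem.encode()).decode()},
    }


def read_tls_secret(secret):
    """What `kubectl get secret -o json` exposes: base64 only, no encryption."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls Secret")
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


if __name__ == "__main__":
    manifest = build_tls_secret("https-secret", CERT_PEM, KEY_PEM)
    print(json.dumps(manifest, indent=2))  # pipe into: kubectl apply -f -
    # the decoded lengths are the byte counts `kubectl describe secret` reports
    print({k: len(v) for k, v in read_tls_secret(manifest).items()})
```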
4. Start the Pod using the ConfigMap and Secret contents
[root@jdmaster nginx]# vim nginx.yaml
Contents of nginx.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jd-nginx-1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: jd-nginx-1
  template:
    metadata:
      labels:
        app: jd-nginx-1   # must match the Service selector in step 5
    spec:
      volumes:
        - name: jd-nginx-config
          configMap:
            name: https-nginx-1
            items:
              - key: nginx.conf
                path: nginx.conf
        - name: secret-volume
          secret:
            secretName: https-secret
      containers:
        - name: nginx
          image: "nginx:latest"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
            - containerPort: 443
          volumeMounts:
            - name: jd-nginx-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf   # a subPath mount is not updated when the ConfigMap changes; restart the pod after editing it
            - name: secret-volume
              mountPath: /etc/nginx/conf.d   # mount directory; conf.d must exist, and once the mount succeeds the directory's original contents are hidden, so whatever was in it is lost
[root@jdmaster nginx]# kubectl apply -f nginx.yaml
deployment.apps/jd-nginx-1 created
Find the node on which one of the started Pods runs, then check whether the nginx inside the container has 4 worker processes:
[root@jdmaster nginx]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
jd-nginx-1-55dccd7dcb-kntv7 1/1 Running 0 28s 10.244.2.29 jdnode-1 <none> <none>
jd-nginx-1-55dccd7dcb-lwlbg 1/1 Running 0 28s 10.244.1.27 jdnode-2 <none> <none>
jd-nginx-1-55dccd7dcb-rkzgf 1/1 Running 0 28s 10.244.1.26 jdnode-2 <none> <none>
On node-1:
[root@jdnode-1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0521d13d3ab4 ac232364af84 "/docker-entrypoint.…" About a minute ago Up About a minute k8s_nginx_jd-nginx-1-55dccd7dcb-kntv7_default_42d734c8-7f6b-46db-baeb-bd14120cfece_0
[root@jdnode-1 ~]# docker top 0521d13d3ab4
UID PID PPID C STIME TTY TIME CMD
root 45400 45379 0 14:17 ? 00:00:00 nginx: master process nginx -g daemon off;
101 45426 45400 0 14:17 ? 00:00:00 nginx: worker process
101 45427 45400 0 14:17 ? 00:00:00 nginx: worker process
101 45428 45400 0 14:17 ? 00:00:00 nginx: worker process
101 45429 45400 0 14:17 ? 00:00:00 nginx: worker process
No problem.
Another way is to enter the Pod and look at the contents of the nginx.conf configuration file:
[root@jdmaster nginx]# kubectl exec -it jd-nginx-1-55dccd7dcb-kntv7 -- bash
root@jd-nginx-1-55dccd7dcb-kntv7:/# cat /etc/nginx/nginx.conf
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /etc/nginx/conf.d/tls.crt; # location of the certificate, as an absolute path
        ssl_certificate_key /etc/nginx/conf.d/tls.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
    }
}
5. Expose the HTTPS Pods as a Service
[root@jdmaster nginx]# vim service.yaml
Contents of service.yaml:
apiVersion: v1
kind: Service
metadata:
  name: my-https-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      nodePort: 30080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      nodePort: 30443
      protocol: TCP
  selector:
    app: jd-nginx-1
[root@jdmaster nginx]# kubectl apply -f service.yaml
service/my-https-nginx created
[root@jdmaster nginx]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.1.0.1 <none> 443/TCP 3d21h
my-https-nginx NodePort 10.1.254.151 <none> 80:30080/TCP,443:30443/TCP 13s
6. Test access
Open https://192.168.1.7:30443/ in a browser.
Success!