这篇文章主要讲解了“K8S中怎么为Ingress以及后端Nginx增加证书”,文中的讲解内容简单清晰,易于学习与理解,下面请大家跟着小编的思路慢慢深入,一起来研究和学习“K8S中怎么为Ingress以及后端Nginx增加证书”吧!
前言
前面 nginx 都是 http 协议在工作,那么加证书应该如何操作。
创建证书
可以网上申请一年免费证书,也可以自建证书。下面自建证书。
下载自建证书脚本
wget -O Makefile https://raw.githubusercontent.com/kubernetes/examples/master/staging/https-nginx/Makefile
创建证书文件
make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt
将证书写入到 K8S 的 secret 中
# kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt secret/nginxsecret created
将 nginx 配置写入到 K8S 的 configmap 中
# cat default.conf server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; listen 443 ssl; root /usr/share/nginx/html; index index.html; server_name localhost; ssl_certificate /etc/nginx/ssl/tls.crt; ssl_certificate_key /etc/nginx/ssl/tls.key; location / { try_files $uri $uri/ =404; } }
# kubectl create configmap nginxconfigmap --from-file=default.conf configmap/nginxconfigmap created
整合后端 Pod 和证书,使用 Service 发布
[root@master01 ~]# cat nginx-app.yaml apiVersion: v1 kind: Service metadata: name: my-nginx labels: run: my-nginx spec: type: NodePort ports: - port: 8080 targetPort: 80 protocol: TCP name: http - port: 443 protocol: TCP name: https selector: run: my-nginx --- apiVersion: apps/v1 kind: Deployment metadata: name: my-nginx spec: selector: matchLabels: run: my-nginx replicas: 1 template: metadata: labels: run: my-nginx spec: volumes: - name: secret-volume secret: secretName: nginxsecret - name: configmap-volume configMap: name: nginxconfigmap containers: - name: nginxhttps image: bprashanth/nginxhttps:1.0 ports: - containerPort: 443 - containerPort: 80 volumeMounts: - mountPath: /etc/nginx/ssl name: secret-volume - mountPath: /etc/nginx/conf.d name: configmap-volume
[root@master01 ~]# kubectl apply -f nginx-app.yaml service/my-nginx created deployment.apps/my-nginx created
查看运行情况
[root@master01 ~]# kubectl get service -o wide NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR my-nginx NodePort 192.20.27.173 <none> 8080:32529/TCP,443:32699/TCP 22s run=my-nginx [root@master01 ~]# kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES my-nginx-85fccfd5dc-2pzvw 1/1 Running 0 64s 192.10.205.224 work01 <none> <none>
尝试访问
[root@master01 ~]# curl -k https://192.20.27.173 <title>Welcome to nginx!</title>
Service 使用 NodePort 进行了端口暴露,所以可以在浏览器中访问 https://任意节点IP:32699 ,也可以看到证书已经生效。
由于是自建证书,需要手动忽略报错。
整合 ingress 和证书
# cat ingress.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: secret-tls-ingress annotations: ingress.kubernetes.io/ssl-redirect: "False" spec: tls: - hosts: - test.com secretName: nginxsecret rules: - host: test.com http: paths: - backend: serviceName: my-nginx servicePort: 80 path: /
# kubectl apply -f ingress.yaml ingress.extensions/secret-tls-ingress created
将 ingress-controller 绑定在了 work01/02 上,所以在集群外绑定 test.com 到 work01 IP 进行测试。
# curl -k https://test.com <title>Welcome to nginx!</title>
可以成功访问。
感谢各位的阅读,以上就是“K8S中怎么为Ingress以及后端Nginx增加证书”的内容了,经过本文的学习后,相信大家对K8S中怎么为Ingress以及后端Nginx增加证书这一问题有了更深刻的体会,具体使用情况还需要大家实践验证。这里是亿速云,小编将为大家推送更多相关知识点的文章,欢迎关注!
原创文章,作者:kepupublish,如若转载,请注明出处:https://blog.ytso.com/236093.html