基于Secret实现nginx的tls认证、私有仓库认证


tls证书加密

       创建类型为tls的secret为nginx提供https证书访问

#创建ca公钥和私钥
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.test.com'

#创建客户端公钥和私钥
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.test.com'

#ca签发客户端私钥生成证书
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

 

       创建secret

root@deploy:~/secret# kubectl create secret tls nginx-tls --cert=./server.crt --key=./server.key

基于Secret实现nginx的tls认证、私有仓库认证

      

   查看secret,检查创建的私钥和公钥

root@deploy:~/secret# kubectl get secrets nginx-tls  -o yaml

基于Secret实现nginx的tls认证、私有仓库认证

       创建configmap添加nginx配置文件

root@deploy:~/secret# vim nginx-https.yaml
apiVersion: v1 
kind: ConfigMap
metadata:
  name: nginx-config
data:
 https: |
    server {
       listen       80;
       server_name  www.test.com;

       listen 443 ssl;
       ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
       ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;

       location / {
           root /usr/share/nginx/html; 
           index index.html;
           if ($scheme = http ){ 
              rewrite / https://www.test.com permanent;
           }  

           if (!-e $request_filename) {
               rewrite ^/(.*) /index.html last;
           }
       }
    }

root@deploy:~/secret# kubectl apply -f nginx-https.yaml

 

       创建应用和service,绑定configmap和secret

root@deploy:~/secret# vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: web
  name: web-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - image: nginx
        name: nginx
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: nginx-conf
          mountPath: "/etc/nginx/conf.d"
        - name: nginx-secret
          mountPath: "/etc/nginx/conf.d/certs"
      volumes:
      - name: nginx-conf
        configMap:
          name: nginx-config
          items:
            - key: https
              path: https.conf 

      - name: nginx-secret
        secret:
          secretName: nginx-tls

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: web-svc
  name: web-svc
  namespace: default
spec:
  ports:
  - name: web1
    port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30080
  - name: web2
    port: 443
    protocol: TCP
    targetPort: 443
    nodePort: 30443
  selector:
    app: web
  type: NodePort

root@deploy:~/secret# kubectl apply -f deployment.yaml

 

       查看pod和svc

基于Secret实现nginx的tls认证、私有仓库认证

  配置haproxy设置反向代理

root@haproxyA:~# vim /etc/haproxy/haproxy.cfg.
listen http
  bind 192.168.100.20:80
  mode tcp
  server node1 192.168.100.5:30080 check inter 3s fall 3 rise 3
  server node2 192.168.100.6:30080 check inter 3s fall 3 rise 3

listen https
  bind 192.168.100.20:443
  mode tcp
  server node1 192.168.100.5:30443 check inter 3s fall 3 rise 3
  server node2 192.168.100.6:30443 check inter 3s fall 3 rise 3

root@haproxyA:~# systemctl restart haproxy

 

  客户端配置hosts本地域名解析

基于Secret实现nginx的tls认证、私有仓库认证

       服务器配置hosts解析curl测试

root@deploy:~/secret# grep 'www.test.com' /etc/hosts
192.168.100.20 www.test.com
root@deploy:~/secret# curl -k -L www.test.com

 

基于Secret实现nginx的tls认证、私有仓库认证

 

  访问www.test.com

基于Secret实现nginx的tls认证、私有仓库认证

 

  查看证书签发信息

基于Secret实现nginx的tls认证、私有仓库认证

 

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/278940.html

(0)
上一篇 2022年8月4日
下一篇 2022年8月4日

相关推荐

发表回复

登录后才能评论