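Ingress HTTPS
Forwarding an application over HTTPS
1. Request a free certificate from Tencent Cloud: [Tencent Cloud](https://console.cloud.tencent.com/ssl)
2. Reference the certificate files through a Secret object: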
```
# Note: the certificate files must be named tls.crt and tls.key
[root@k8smaster002 1]# kubectl create secret tls tencent-k8s-tls --cert=tls.crt --key=tls.key
secret/tencent-k8s-tls created
[root@k8smaster002 1]# kubectl describe secret tencent-k8s-tls
Name: tencent-k8s-tls
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 4125 bytes
tls.key: 1700 bytes
```
3. Edit the demo application manifest ingress-tls-deployment.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-tls-tencent
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ingress-tls-tencent
  template:
    metadata:
      labels:
        app: ingress-tls-tencent
    spec:
      containers:
      - name: c1
        image: nginx:1.15-alpine
        imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-tls-tencent
  namespace: ingress-nginx
  labels:
    app: ingress-tls-tencent
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: ingress-tls-tencent
```
4. Create the demo application from ingress-tls-deployment.yaml
```
[root@k8smaster002 1]# kubectl apply -f ingress-tls-deployment.yaml
deployment.apps/ingress-tls-tencent created
service/nginx-service-tls-tencent created
```
5. Create an Ingress rule for HTTPS access to the application
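```yaml
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# newer clusters need networking.k8s.io/v1.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  # The backend Service and the TLS Secret must be in the Ingress's namespace.
  # Step 2 created the Secret in default, so create it in ingress-nginx as well.
  namespace: ingress-nginx
  annotations:
    # Authentication type
    nginx.ingress.kubernetes.io/auth-type: basic
    # Name of the Secret object that holds the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # Message shown with appropriate context, explaining why authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: tencent.k8s.huichengcheng.com
    http:
      paths:
      - path: /
        backend:
          # Service created in step 3
          serviceName: nginx-service-tls-tencent
          servicePort: 80
  tls:
  - hosts:
    # Must match the rule host above, otherwise the certificate is not used for it
    - tencent.k8s.huichengcheng.com
    # TLS Secret created in step 2
    secretName: tencent-k8s-tls
```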
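An added example, not part of the original page: a small Python check that every host under spec.rules is also listed under spec.tls with a secretName, since ingress-nginx serves its default certificate for hosts that are not. The function names and both sample manifests are constructed for illustration and reuse the host and Secret names from this page.

```python
import json

def tls_host_matches(pattern, host):
    """Exact match, or '*.example.com' covering exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return False

def audit_ingress(ingress):
    """Return (host, problem) pairs for rule hosts whose TLS setup is incomplete."""
    spec = ingress.get("spec", {})
    findings = []
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            continue  # host-less rules match any name; not checked here
        entries = [t for t in spec.get("tls") or []
                   if any(tls_host_matches(p, host) for p in t.get("hosts") or [])]
        if not entries:
            findings.append((host, "no tls entry covers this host"))
        elif not any(t.get("secretName") for t in entries):
            findings.append((host, "tls entry has no secretName"))
    return findings

# Constructed sample input, shaped like `kubectl get ingress <name> -o json`.
MISMATCHED = json.loads("""
{"metadata": {"name": "ingress-with-auth"},
 "spec": {"rules": [{"host": "tencent.k8s.huichengcheng.com"}],
          "tls": [{"hosts": ["foo.bar.com"], "secretName": "foo-tls"}]}}
""")
ALIGNED = json.loads("""
{"metadata": {"name": "ingress-with-auth"},
 "spec": {"rules": [{"host": "tencent.k8s.huichengcheng.com"}],
          "tls": [{"hosts": ["tencent.k8s.huichengcheng.com"],
                   "secretName": "tencent-k8s-tls"}]}}
""")

if __name__ == "__main__":
    for label, ing in (("mismatched", MISMATCHED), ("aligned", ALIGNED)):
        print(label, audit_ingress(ing) or "ok")
```

The same function works on each element of `items` from `kubectl get ingress -A -o json`, because `spec.rules` and `spec.tls` have the same shape in both Ingress API versions.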
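1. Create a self-signed certificate with openssl
Besides using a self-signed certificate or purchasing a certificate from an established CA, we can also use Let's Encrypt to generate valid certificates automatically.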