This article explains how to add certificates to an Ingress and to the backend Nginx in K8S.
So far nginx has only been serving plain HTTP. How do we add a certificate?
You can apply online for a free one-year certificate, or create your own. Here we create our own.
Download the script for generating a self-signed certificate

    wget -O Makefile https://raw.githubusercontent.com/kubernetes/examples/master/staging/https-nginx/Makefile

Create the certificate files

    make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt

Write the certificate into a K8S secret

    # kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt
    secret/nginxsecret created

Write the nginx configuration into a K8S configmap

    # cat default.conf
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html;
        server_name localhost;

        ssl_certificate /etc/nginx/ssl/tls.crt;
        ssl_certificate_key /etc/nginx/ssl/tls.key;

        location / {
            try_files $uri $uri/ =404;
        }
    }

    # kubectl create configmap nginxconfigmap --from-file=default.conf
    configmap/nginxconfigmap created

    [root@master01 ~]# cat nginx-app.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: my-nginx
      labels:
        run: my-nginx
    spec:
      type: NodePort
      ports:
      - port: 8080
        targetPort: 80
        protocol: TCP
        name: http
      - port: 443
        protocol: TCP
        name: https
      selector:
        run: my-nginx
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: my-nginx
    spec:
      selector:
        matchLabels:
          run: my-nginx
      replicas: 1
      template:
        metadata:
          labels:
            run: my-nginx
        spec:
          volumes:
          - name: secret-volume
            secret:
              secretName: nginxsecret
          - name: configmap-volume
            configMap:
              name: nginxconfigmap
          containers:
          - name: nginxhttps
            image: bprashanth/nginxhttps:1.0
            ports:
            - containerPort: 443
            - containerPort: 80
            volumeMounts:
            - mountPath: /etc/nginx/ssl
              name: secret-volume
            - mountPath: /etc/nginx/conf.d
              name: configmap-volume

    [root@master01 ~]# kubectl apply -f nginx-app.yaml
    service/my-nginx created
    deployment.apps/my-nginx created

Check that it is running

    [root@master01 ~]# kubectl get service -o wide
    NAME       TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                        AGE   SELECTOR
    my-nginx   NodePort   192.20.27.173   <none>        8080:32529/TCP,443:32699/TCP   22s   run=my-nginx
    [root@master01 ~]# kubectl get pod -o wide
    NAME                        READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
    my-nginx-85fccfd5dc-2pzvw   1/1     Running   0          64s   192.10.205.224   work01   <none>           <none>

Try to access it

    [root@master01 ~]# curl -k https://192.20.27.173
    <title>Welcome to nginx!</title>

The Service exposes its ports through NodePort, so you can also open https://<any node IP>:32699 in a browser and see that the certificate is in effect.
Because the certificate is self-signed, the error has to be ignored manually.

    # cat ingress.yaml
    # Note: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22;
    # newer clusters use networking.k8s.io/v1.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: secret-tls-ingress
      annotations:
        ingress.kubernetes.io/ssl-redirect: "False"
    spec:
      tls:
      - hosts:
        - test.com
        secretName: nginxsecret
      rules:
      - host: test.com
        http:
          paths:
          - backend:
              serviceName: my-nginx
              servicePort: 80
            path: /

    # kubectl apply -f ingress.yaml
    ingress.extensions/secret-tls-ingress created

The ingress-controller is bound to work01/02, so for testing, test.com is mapped to the work01 IP on a machine outside the cluster.

    # curl -k https://test.com
    <title>Welcome to nginx!</title>

The access succeeds.
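
The same key and certificate end up in both the backend nginx and the Ingress for test.com, and every test above uses curl -k, which skips certificate verification. The script below is an added example, not part of the original article: it checks a key/cert pair before it is loaded into the secret. The helper names check_tls_pair and make_demo_pair are hypothetical, the generated pairs are constructed sample input, and the openssl command line tool (1.1.1 or later) is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the article): pre-flight check of a key/cert pair
# before it is loaded into a TLS secret. Helper names are hypothetical.

# check_tls_pair KEY CERT HOST [MIN_DAYS]
# Returns 0 ok, 1 unreadable file, 2 key/cert mismatch, 3 expiring, 4 wrong host.
check_tls_pair() {
    key=$1; cert=$2; host=$3; min_days=${4:-30}

    # 1. The private key must belong to the certificate: compare public keys.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read key $key"; return 1; }
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert"; return 1; }
    [ "$key_pub" = "$crt_pub" ] \
        || { echo "key does not match certificate"; return 2; }

    # 2. The certificate must remain valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days"; return 3; }

    # 3. The certificate must name the host that clients will connect to.
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
        || { echo "certificate does not cover $host"; return 4; }

    echo "ok: $cert is usable for $host"
}

# Constructed sample input: a throwaway self-signed pair for NAME, written to
# DIR/NAME.key and DIR/NAME.crt (needs OpenSSL 1.1.1+ for -addext).
make_demo_pair() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# With the article's files, gate the secret creation on the check:
#   check_tls_pair /tmp/nginx.key /tmp/nginx.crt test.com &&
#     kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt
```

Once the certificate covers the host, a client can verify it instead of skipping verification by passing the self-signed certificate to curl with --cacert in place of -k.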