ingress 之https:
1,先生成自签证书
[root@centos7 ssl]#
[root@centos7 ssl]# cat certs.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cat > sslexample.foo.com-csr.json <<EOF
{
"CN": "sslexample.foo.com",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes sslexample.foo.com-csr.json | cfssljson -bare sslexample.foo.com
#kubectl create secret tls blog-ctnrs-com --cert=blog.ctnrs.com.pem --key=blog.ctnrs.com-key.pem
[root@centos7 ssl]#
[root@centos7 ssl]# bash certs.sh
2020/07/04 13:05:43 [INFO] generating a new CA key and certificate from CSR
2020/07/04 13:05:44 [INFO] generate received request
2020/07/04 13:05:44 [INFO] received CSR
2020/07/04 13:05:44 [INFO] generating key: rsa-2048
2020/07/04 13:05:44 [INFO] encoded CSR
2020/07/04 13:05:44 [INFO] signed certificate with serial number 652406227772555374587426115465181671602329646189
2020/07/04 13:05:44 [INFO] generate received request
2020/07/04 13:05:44 [INFO] received CSR
2020/07/04 13:05:44 [INFO] generating key: rsa-2048
2020/07/04 13:05:45 [INFO] encoded CSR
2020/07/04 13:05:45 [INFO] signed certificate with serial number 671817956048571962923463044583127144012161981371
2020/07/04 13:05:45 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@centos7 ssl]#
[root@centos7 ssl]# ll
total 40
-rw-r--r--. 1 root root 294 Jul 4 13:05 ca-config.json
-rw-r--r--. 1 root root 960 Jul 4 13:05 ca.csr
-rw-r--r--. 1 root root 212 Jul 4 13:05 ca-csr.json
-rw-------. 1 root root 1679 Jul 4 13:05 ca-key.pem
-rw-r--r--. 1 root root 1273 Jul 4 13:05 ca.pem
-rw-r--r--. 1 root root 1112 Dec 16 2018 certs.sh
-rw-r--r--. 1 root root 968 Jul 4 13:05 sslexample.foo.com.csr
-rw-r--r--. 1 root root 191 Jul 4 13:05 sslexample.foo.com-csr.json
-rw-------. 1 root root 1675 Jul 4 13:05 sslexample.foo.com-key.pem
-rw-r--r--. 1 root root 1318 Jul 4 13:05 sslexample.foo.com.pem
[root@centos7 ssl]#
[root@centos7 ssl]# kubectl create secret tls blog-ctnrs-com --cert=sslexample.foo.com.pem --key=sslexample.foo.com-key.pem
secret/blog-ctnrs-com created
[root@centos7 ssl]#
[root@centos7 ssl]#
[root@centos7 ssl]# kubectl get secret
NAME TYPE DATA AGE
blog-ctnrs-com kubernetes.io/tls 2 29s
default-token-j9jwl kubernetes.io/service-account-token 3 12d
[root@centos7 ssl]#
[root@centos7 ssl]# cat ingress-https.yml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: tls-example-ingress
spec:
tls:
- hosts:
- sslexample.ctnrs.com
secretName: blog-ctnrs-com
rules:
- host: sslexample.ctnrs.com
http:
paths:
- path: /
backend:
serviceName: web
servicePort: 80
[root@centos7 ssl]#
[root@centos7 ssl]#
[root@centos7 ssl]#
[root@centos7 ssl]# kubectl get pods
NAME READY STATUS RESTARTS AGE
web-5c987b8447-kptld 1/1 Running 0 6d22h
web-5c987b8447-nwhcd 1/1 Running 0 4d15h
web-5c987b8447-qjpz4 1/1 Running 0 4d15h
[root@centos7 ssl]#
[root@centos7 ssl]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 12d
web NodePort 10.0.0.19 <none> 80:32045/TCP 4d15h
web-1 ClusterIP 10.0.0.15 <none> 80/TCP 2d16h
[root@centos7 ssl]#
[root@centos7 ssl]# kubectl apply -f ingress-https.yml
ingress.networking.k8s.io/tls-example-ingress created
[root@centos7 ssl]#
绑定hosts:
192.168.0.11 sslexample.ctnrs.com
浏览器访问:
https://sslexample.ctnrs.com