Preface
In the previous posts nginx served plain HTTP only. This post covers how to add a certificate and serve HTTPS, both directly from the nginx Pod and from an Ingress.
Revision history
- 20200701 - first draft - 左程立
- Original: https://blog.zuolinux.com/2020/07/01/nginx-https.html
Create a certificate
You can request a free one-year certificate from a public CA, or generate your own. A self-signed certificate is used below; it is fine for a lab, but browsers and other clients will not trust it without a manual override.
Download the Makefile that generates a self-signed certificate
wget -O Makefile https://raw.githubusercontent.com/kubernetes/examples/master/staging/https-nginx/Makefile
Generate the key and certificate (the Makefile's keys target runs openssl to produce a self-signed pair)
make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt
Store the certificate in a Kubernetes Secret. kubectl create secret tls produces a Secret of type kubernetes.io/tls whose two data keys are always named tls.crt and tls.key, whatever the input files were called; those are the file names that appear under the mount point later.
# kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt
secret/nginxsecret created
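The following script is an added example, not the post's own steps or the kubernetes/examples Makefile. It does what make keys and kubectl create secret tls do above, with two checks worth running before the Secret exists: that the private key really belongs to the certificate, and that the certificate carries a subjectAltName for the host that the Ingress section uses later (test.com). It then prints the kubernetes.io/tls Secret as a manifest, which also shows why the nginx config refers to tls.crt and tls.key. The host name test.com, the Secret name nginxsecret and the directory /tmp/nginx-tls are assumptions, and -addext needs OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example, not part of the original post: self-signed certificate with a SAN,
# key/certificate consistency check, and a kubernetes.io/tls Secret manifest.
# Assumed names: test.com, nginxsecret, /tmp/nginx-tls. Needs OpenSSL >= 1.1.1.
set -e

# make_cert DIR HOST: write DIR/tls.key and DIR/tls.crt, self-signed, valid 365 days.
# Browsers match the host against the subjectAltName and ignore the CN, so HOST
# goes into the SAN as well as the subject.
make_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/tls.key"
}

# key_matches_cert KEY CERT: succeed only if CERT was issued for the public key in KEY.
# Catches the classic mistake of putting the wrong key file into the Secret.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_has_san CERT HOST: succeed if HOST is listed as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# tls_secret_manifest NAME KEY CERT: print the Secret that
# "kubectl create secret tls NAME --key KEY --cert CERT" would create.
# The data keys are fixed: tls.crt and tls.key. Mounted as a volume they show up
# as files with those names, which is why the nginx config points at
# /etc/nginx/ssl/tls.crt and /etc/nginx/ssl/tls.key.
tls_secret_manifest() {
    name=$1
    key=$2
    cert=$3
    crt_b64=$(base64 < "$cert" | tr -d '\n')
    key_b64=$(base64 < "$key" | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/tls
data:
  tls.crt: $crt_b64
  tls.key: $key_b64
EOF
}

# Usage: sh tls-secret.sh run | kubectl apply -f -
if [ "${1:-}" = "run" ]; then
    make_cert /tmp/nginx-tls test.com
    key_matches_cert /tmp/nginx-tls/tls.key /tmp/nginx-tls/tls.crt \
        || { echo "key does not match certificate" >&2; exit 1; }
    cert_has_san /tmp/nginx-tls/tls.crt test.com \
        || { echo "certificate has no SAN for test.com" >&2; exit 1; }
    tls_secret_manifest nginxsecret /tmp/nginx-tls/tls.key /tmp/nginx-tls/tls.crt
fi
```

The manifest form is handy when the Secret is kept in version control or applied by a pipeline that has no access to the raw key files; the checks are cheap and catch the two failures that otherwise surface only as a browser error after the Pod is already running.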
Store the nginx configuration in a Kubernetes ConfigMap. The file is mounted into /etc/nginx/conf.d by the Deployment below; the certificate paths in it match the Secret mount point (/etc/nginx/ssl) and the fixed key names tls.crt and tls.key.
# cat default.conf
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tls.key;
    location / {
        try_files $uri $uri/ =404;
    }
}
# kubectl create configmap nginxconfigmap --from-file=default.conf
configmap/nginxconfigmap created
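As an added example (not the post's own file), here is the same default.conf with the TLS server split from the HTTP server and its TLS settings tightened, wrapped in the ConfigMap that kubectl create configmap nginxconfigmap --from-file=default.conf produces, so it can be applied with kubectl apply -f. The protocol and cipher choices are mine (a subset of Mozilla's intermediate profile); TLSv1.3 needs nginx 1.13 or later built against OpenSSL 1.1.1, so drop it on an image as old as bprashanth/nginxhttps:1.0. Plain HTTP on port 80 is kept on purpose, because the Ingress later in this post terminates TLS and forwards plain HTTP to that port; an HTTP-to-HTTPS redirect belongs at the ingress, not here, or the backend and the ingress bounce the request between each other unless the backend inspects X-Forwarded-Proto.

```yaml
# Added example, not the post's file: hardened default.conf as a ConfigMap.
# Cipher and protocol values are choices, not requirements of the setup.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginxconfigmap
data:
  default.conf: |
    # Plain HTTP stays available: the Ingress terminates TLS and forwards plain
    # HTTP here. Redirect to HTTPS at the ingress, not in this block.
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        server_name localhost;
        root /usr/share/nginx/html;
        index index.html;
        location / {
            try_files $uri $uri/ =404;
        }
    }
    server {
        listen 443 ssl;
        listen [::]:443 ssl ipv6only=on;
        server_name localhost;
        root /usr/share/nginx/html;
        index index.html;
        # tls.crt / tls.key are the fixed key names of a kubernetes.io/tls Secret.
        ssl_certificate     /etc/nginx/ssl/tls.crt;
        ssl_certificate_key /etc/nginx/ssl/tls.key;
        # No SSLv3 / TLS 1.0 / TLS 1.1; only forward-secret AEAD suites, and let
        # the client's order decide among them (all are acceptable).
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;
        # Session resumption via a server-side cache rather than tickets, so a
        # long-lived ticket key cannot undo forward secrecy.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        # Only on the HTTPS server: browsers ignore HSTS received over HTTP.
        add_header Strict-Transport-Security "max-age=63072000" always;
        location / {
            try_files $uri $uri/ =404;
        }
    }
```

Apply it with kubectl apply -f and restart the Pod, or delete it, so nginx re-reads the mounted file; nginx does not reload its configuration when a ConfigMap volume changes underneath it.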
Combine the backend Pod with the certificate and publish it through a Service. The Secret is mounted at /etc/nginx/ssl and the ConfigMap at /etc/nginx/conf.d, which are the paths the nginx configuration above expects.
[root@master01 ~]# cat nginx-app.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    run: my-nginx
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443
    protocol: TCP
    name: https
  selector:
    run: my-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: nginxsecret
      - name: configmap-volume
        configMap:
          name: nginxconfigmap
      containers:
      - name: nginxhttps
        image: bprashanth/nginxhttps:1.0
        ports:
        - containerPort: 443
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/nginx/ssl
          name: secret-volume
        - mountPath: /etc/nginx/conf.d
          name: configmap-volume
[root@master01 ~]# kubectl apply -f nginx-app.yaml
service/my-nginx created
deployment.apps/my-nginx created
Check that it is running
[root@master01 ~]# kubectl get service -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
my-nginx NodePort 192.20.27.173 <none> 8080:32529/TCP,443:32699/TCP 22s run=my-nginx
[root@master01 ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
my-nginx-85fccfd5dc-2pzvw 1/1 Running 0 64s 192.10.205.224 work01 <none> <none>
Try it out
[root@master01 ~]# curl -k https://192.20.27.173
<title>Welcome to nginx!</title>
The Service exposes both ports through NodePort, so https://<any node IP>:32699 works from a browser as well, and the certificate can be seen in use.
Because the certificate is self-signed, the browser warning has to be dismissed manually, just as curl needs -k above. Note that -k disables certificate verification entirely, so it proves connectivity, not that the right certificate is being served.
Combine the Ingress with the certificate
# cat ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: secret-tls-ingress
  annotations:
    ingress.kubernetes.io/ssl-redirect: "False"
spec:
  tls:
  - hosts:
    - test.com
    secretName: nginxsecret
  rules:
  - host: test.com
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
        path: /
# kubectl apply -f ingress.yaml
ingress.extensions/secret-tls-ingress created
The ingress controller was pinned to work01/02 in an earlier post, so for the test, resolve test.com to the work01 IP from outside the cluster (an /etc/hosts entry is enough).
# curl -k https://test.com
<title>Welcome to nginx!</title>
The request succeeds. Note that the extensions/v1beta1 Ingress API used here was removed in Kubernetes 1.22; on current clusters the same object has to be written against networking.k8s.io/v1.
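The manifest below is an added example, not from the original post: the same Ingress written against networking.k8s.io/v1, which is what a cluster newer than 1.21 accepts. Two things differ beyond the schema. The ingress-nginx controller reads its annotations under the nginx.ingress.kubernetes.io/ prefix (the bare ingress.kubernetes.io/ prefix above dates from very old releases), and by default it redirects HTTP to HTTPS for any host that has a TLS entry, so the redirect is written out explicitly here. The backend port names the Service port 8080 from nginx-app.yaml rather than the container port. The ingressClassName value and the annotation prefix assume ingress-nginx and must be changed for another controller.

```yaml
# Added example, not from the original post: the Ingress on networking.k8s.io/v1.
# ingressClassName and the nginx.ingress.kubernetes.io/* annotation assume the
# ingress-nginx controller; both are assumptions to adjust for other controllers.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secret-tls-ingress
  annotations:
    # Send plain-HTTP requests for test.com to HTTPS at the edge, so the backend
    # nginx needs neither its own certificate nor its own redirect.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - test.com
    # A kubernetes.io/tls Secret in the same namespace (keys tls.crt, tls.key).
    # Its certificate must carry a SAN for test.com, or browsers reject it even
    # when they trust the issuer.
    secretName: nginxsecret
  rules:
  - host: test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-nginx
            port:
              # The Service port (8080, targetPort 80 on the Pod), not the
              # container port. The controller forwards plain HTTP here after
              # terminating TLS, so the Pod needs no certificate of its own.
              number: 8080
```

With this object the only copy of the private key that matters is the one the ingress controller reads from the Secret; the backend Pod can mount nothing at all and serve HTTP only.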
Closing remarks
Certificate handling comes down to storing the certificate files in a Kubernetes Secret and mounting that Secret wherever the files are needed.
This decouples the certificate files from the Ingress.
You can also configure the certificate only on the Ingress and leave the backend nginx without one. In that case the ingress controller terminates TLS and forwards plain HTTP to the Service (port 80 above), so the hop from the controller to the Pod is unencrypted inside the cluster; keep that in mind if the cluster network is not trusted.