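Kubernetes Ingress SSL Certificate Configuration

This article describes how to configure an Ingress on k8s from the command line and enable an HTTPS certificate for it.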

By Louis, published July 8, 2020


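You can configure an HTTPS certificate directly in the Ingress so that your site supports the HTTPS protocol.

Create a certificate for your own use with openssl, or use acme to create a free certificate.

Create the secret

This assumes you already have an SSL certificate: the certificate is youpenglai.crt and the key is youpenglai.key.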

$ kubectl create secret tls youpenglai-tls --cert=youpenglai.crt --key=youpenglai.key
secret/youpenglai-tls created
$ kubectl describe secrets youpenglai-tls 
Name:         youpenglai-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.key:  1679 bytes
tls.crt:  3559 bytes

Ingress configuration

$ cat ingress-hello-world.yaml
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    k8s.kuboard.cn/displayName: hello-world
    k8s.kuboard.cn/workload: web-hello-world
  creationTimestamp: '2020-06-24T08:17:14Z'
  generation: 2
  labels:
    k8s.kuboard.cn/layer: web
    k8s.kuboard.cn/name: web-hello-world
  name: web-hello-world
  namespace: default
spec:
  rules:
    - host: helloworld-k8s.youpenglai.com
      http:
        paths:
          - backend:
              serviceName: web-hello-world
              servicePort: helloworld
            path: /
  tls:
    - hosts:
        - helloworld-k8s.youpenglai.com
      secretName: youpenglai-tls

Re-apply the manifest to update the Ingress.

$ kubectl apply -f ingress-hello-world.yaml

Then visit https://helloworld-k8s.youpenglai.com again.

The hello-world image

The Go source is as follows:

$ cat hello-world.go 
package main

import (
	"fmt"
	"log"
	"net/http"
	"os"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		log.Printf("%s %s %s %s", r.Method, r.URL, r.Host, r.RemoteAddr)
		version := os.Getenv("VERSION")
		if version == "" {
			version = "v1.0.1"
			// version = "v2" simulates a release; likewise v3 v4 v5 v6
		}
		fmt.Fprintf(w, "Hello Kubernetes ! Hello World version: %s\n", version)
	})
	log.Fatal(http.ListenAndServe(":8000", nil))
}

Dockerfile for the build

$ cat Dockerfile 
FROM  golang:1.14.3  AS builder

ENV GO111MODULE=on
ENV GOPROXY=https://goproxy.io

WORKDIR /root

COPY hello-world.go .

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build  -o /deploy hello-world.go

FROM alpine:3.7
# --no-cache downloads the package index for this command and leaves no cache behind
RUN apk add --no-cache tzdata ca-certificates && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && echo "Asia/Shanghai" > /etc/timezone \
    && apk del tzdata
COPY --from=builder /deploy /bin/deploy
ENTRYPOINT ["/bin/deploy"]

YAML configuration for the Deployment and Service

---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: default
  name: web-hello-world
  annotations:
    k8s.kuboard.cn/workload: web-hello-world
    k8s.kuboard.cn/displayName: hello-world
    deployment.kubernetes.io/revision: '3'
    k8s.kuboard.cn/ingress: 'true'
    k8s.kuboard.cn/service: ClusterIP
  labels:
    k8s.kuboard.cn/layer: web
    k8s.kuboard.cn/name: web-hello-world
spec:
  selector:
    matchLabels:
      k8s.kuboard.cn/layer: web
      k8s.kuboard.cn/name: web-hello-world
  revisionHistoryLimit: 10
  template:
    metadata:
      labels:
        k8s.kuboard.cn/layer: web
        k8s.kuboard.cn/name: web-hello-world
    spec:
      securityContext:
        seLinuxOptions: {}
      imagePullSecrets: []
      restartPolicy: Always
      initContainers: []
      containers:
        - image: louisehong/hello-world
          imagePullPolicy: Always
          name: hello-world
          volumeMounts: []
          resources:
            limits:
            requests:
          env: []
          lifecycle: {}
          ports:
            - name: tcp
              containerPort: 8000
              protocol: TCP
      volumes: []
      dnsPolicy: ClusterFirst
      dnsConfig: {}
      terminationGracePeriodSeconds: 30
  progressDeadlineSeconds: 600
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  replicas: 1

---
apiVersion: v1
kind: Service
metadata:
  namespace: default
  name: web-hello-world
  annotations:
    k8s.kuboard.cn/workload: web-hello-world
    k8s.kuboard.cn/displayName: hello-world
  labels:
    k8s.kuboard.cn/layer: web
    k8s.kuboard.cn/name: web-hello-world
spec:
  selector:
    k8s.kuboard.cn/layer: web
    k8s.kuboard.cn/name: web-hello-world
  type: ClusterIP
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP
      name: helloworld
      nodePort: 0

If you use Kuboard to deploy an HTTPS certificate in an Ingress, see this article on the official Kuboard site.
