[TOC]
可以直接在 Ingress 中配置 HTTPS 证书,使得你的网站支持 HTTPS 协议。
使用openssl创建自用证书或使用acme创建免费的证书.
创建secret
默认已经已经有了ssl证书,证书为youpenglai.crt,秘钥youpenglai.key
$ kubectl create secret tls youpenglai-tls --cert=youpenglai.crt --key=youpenglai.key
secret/youpenglai-tls created
$ kubectl describe secrets youpenglai-tls
Name: youpenglai-tls
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.key: 1679 bytes
tls.crt: 3559 bytes
ingress配置
$ cat ingress-hello-world.yaml
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
k8s.kuboard.cn/displayName: hello-world
k8s.kuboard.cn/workload: web-hello-world
creationTimestamp: '2020-06-24T08:17:14Z'
generation: 2
labels:
k8s.kuboard.cn/layer: web
k8s.kuboard.cn/name: web-hello-world
name: web-hello-world
namespace: default
spec:
rules:
- host: helloworld-k8s.youpenglai.com
http:
paths:
- backend:
serviceName: web-hello-world
servicePort: helloworld
path: /
tls:
- hosts:
- helloworld-k8s.youpenglai.com
secretName: youpenglai-tls
重新apply一下即可更新.
$ kubectl apply -f ingress-hello-world.yaml
再次访问 https://helloworld-k8s.youpenglai.com
hello-world镜像
goang源码如下
$ cat hello-world.go
package main
import (
"fmt"
"log"
"net/http"
"os"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s %s %s", r.Method, r.URL, r.Host, r.RemoteAddr)
version := os.Getenv("VERSION")
if version == "" {
version = "v1.0.1"
// version = "v2" 模拟发布. v3 v4 v5 v6
}
fmt.Fprintf(w, "Hello Kubernetes ! Hello World version: %s\n", version)
})
log.Fatal(http.ListenAndServe(":8000", nil))
}
构建dockerfile
$ cat Dockerfile
FROM golang:1.14.3 AS builder
ENV GO111MODULE=on
ENV GOPROXY=https://goproxy.io
WORKDIR /root
COPY hello-world.go .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /deploy hello-world.go
FROM alpine:3.7
RUN apk add tzdata ca-certificates && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& echo "Asia/Shanghai" > /etc/timezone \
&& apk del tzdata && rm -rf /var/cache/apk/*
COPY --from=builder /deploy /bin/deploy
ENTRYPOINT ["/bin/deploy"]
deployment及service的yaml配置
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: default
name: web-hello-world
annotations:
k8s.kuboard.cn/workload: web-hello-world
k8s.kuboard.cn/displayName: hello-world
deployment.kubernetes.io/revision: '3'
k8s.kuboard.cn/ingress: 'true'
k8s.kuboard.cn/service: ClusterIP
labels:
k8s.kuboard.cn/layer: web
k8s.kuboard.cn/name: web-hello-world
spec:
selector:
matchLabels:
k8s.kuboard.cn/layer: web
k8s.kuboard.cn/name: web-hello-world
revisionHistoryLimit: 10
template:
metadata:
labels:
k8s.kuboard.cn/layer: web
k8s.kuboard.cn/name: web-hello-world
spec:
securityContext:
seLinuxOptions: {}
imagePullSecrets: []
restartPolicy: Always
initContainers: []
containers:
- image: louisehong/hello-world
imagePullPolicy: Always
name: hello-world
volumeMounts: []
resources:
limits:
requests:
env: []
lifecycle: {}
ports:
- name: tcp
containerPort: 8000
protocol: TCP
volumes: []
dnsPolicy: ClusterFirst
dnsConfig: {}
terminationGracePeriodSeconds: 30
progressDeadlineSeconds: 600
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
replicas: 1
---
apiVersion: v1
kind: Service
metadata:
namespace: default
name: web-hello-world
annotations:
k8s.kuboard.cn/workload: web-hello-world
k8s.kuboard.cn/displayName: hello-world
labels:
k8s.kuboard.cn/layer: web
k8s.kuboard.cn/name: web-hello-world
spec:
selector:
k8s.kuboard.cn/layer: web
k8s.kuboard.cn/name: web-hello-world
type: ClusterIP
ports:
- port: 8000
targetPort: 8000
protocol: TCP
name: helloworld
nodePort: 0
如果使用kuboard进行在Ingress中部署https证书。 建议参考这篇文章kuborad官网