To secure communication over the public network, a service exposed to the Internet through an Ingress normally uses HTTPS. This document describes how to configure an Nginx Ingress for HTTPS.
This document uses the private key tls.key and the certificate tls.crt as an example (the appendix at the end shows how to generate a self-signed pair with openssl). Run the following command to create a Secret of type kubernetes.io/tls from them:
kubectl create secret tls ingress-secret --key tls.key --cert tls.crt
Create a file named deployment-demo.yaml with the following content:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-demo # Name of the Deployment
  namespace: default # Namespace the Deployment lives in
spec:
  replicas: 1 # Number of replicas
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx # Container name
          image: nginx:latest # Container image address and tag
          ports:
            - containerPort: 80 # Port exposed by the container
Run the following command to create the Deployment:
kubectl apply -f deployment-demo.yaml
Create a file named service-demo.yaml with the following content:
apiVersion: v1
kind: Service
metadata:
  name: service-demo # Service name
spec:
  selector:
    app: nginx # Binds the Service to the backend Pods through a label selector
  ports:
    - name: rule # Name of the port mapping rule
      protocol: TCP # Service protocol, TCP or UDP
      port: 80 # Service port
      nodePort: 30000 # Node port, in the range 30000-32767
      targetPort: 80 # Container port, i.e. the port number or name the workload serves on; nginx listens on 80 by default
  type: NodePort # Service type
Note
Run the following command to create the Service:
kubectl apply -f service-demo.yaml
Create a file named nginx-ingress.yaml with the following content:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress # Name of the routing rule
spec:
  ingressClassName: nginx # Ingress Controller to use
  rules:
    - host: example.com # Domain name of the forwarding rule
      http:
        paths:
          - backend:
              service:
                name: service-demo # Target Service the request is forwarded to
                port:
                  number: 80 # Port exposed by the target Service
            path: / # Access path
            pathType: Prefix # Path type: Exact (exact match) / Prefix (prefix match)
  tls:
    - hosts:
        - example.com # (Optional) domain names to encrypt; if omitted, all domain names are encrypted
      secretName: ingress-secret # Name of the Secret the Ingress uses
Note
Run the following command to create the Ingress:
kubectl apply -f nginx-ingress.yaml
Check the result:
kubectl get ingress
The expected output is as follows, which indicates that the Ingress was created successfully. 180.xxx.xxx.xxx is the public or private IP address of the CLB that fronts the Nginx Ingress.
NAME            CLASS   HOSTS         ADDRESS           PORTS    AGE
nginx-ingress   nginx   example.com   180.xxx.xxx.xxx   80,443   74s
Use the following command to access the service through the domain name:
curl -H "Host: example.com" https://180.xxx.xxx.xxx --insecure
Note
The example uses a self-signed certificate, so the -k (or --insecure) parameter is passed to skip certificate verification.
The expected output is as follows, which indicates that the backend service is reachable through the domain name:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Run the following command to generate an RSA private key:
openssl genrsa -out tls.key 4096
Expected output:
Generating RSA private key, 4096 bit long modulus
........+++++
...+++++
e is 65537 (0x10001)
Run the following command to generate a certificate signing request (CSR) from the key:
openssl req -new -key tls.key -out tls.csr
The expected output is as follows. You are prompted for the certificate details, including country, region, organization name, domain name and email address:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN # Two-letter country code, e.g. CN
State or Province Name (full name) []:Shanghai # Province or region, e.g. Shanghai
Locality Name (eg, city) []:Shanghai # City, e.g. Shanghai
Organization Name (eg, company) []:vke # Organization name
Organizational Unit Name (eg, section) []:vke # Unit within the organization
Common Name (eg, fully qualified host name) []:example.com # Domain name the certificate is issued for
Email Address []:user@example.com # Email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mypassword # Password, may be left empty
Run the following command to sign the CSR with the private key, producing a self-signed certificate valid for 365 days:
openssl x509 -req -in tls.csr -out tls.crt -signkey tls.key -days 365
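The certificate generation above and the Secret creation at the start of this document, combined into one added shell example that is not part of the original page. It generates the pair in a single openssl step with a subjectAltName (in place of the genrsa/req/x509 sequence), checks that key and certificate belong together, renders the kubernetes.io/tls Secret manifest that kubectl create secret tls would produce, and inspects the certificate the controller actually serves after deployment. Assumes openssl 1.1.1 or later and base64 are installed; function names are the example's own.

```shell
# Added example, not from the original page. Assumes openssl 1.1.1+ (for -addext)
# and base64 are installed; kubectl is not required.
set -euo pipefail

# Create a private key and a self-signed certificate for HOST in DIR in one step
# (instead of the genrsa / req / x509 sequence shown above). The certificate
# carries a subjectAltName: browsers and recent curl ignore the CN alone.
gen_selfsigned() {
  local host="$1" dir="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Print "ok" when the certificate's public key matches the private key and
# "mismatch" otherwise, so a wrong pairing is caught before the Secret is created.
key_matches_cert() {
  local key="$1" crt="$2" k c
  k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  if [ "$k" = "$c" ]; then echo ok; else echo mismatch; fi
}

# Render the kubernetes.io/tls Secret that `kubectl create secret tls` would
# produce. The data keys must be exactly tls.crt and tls.key, base64-encoded.
tls_secret_manifest() {
  local name="$1" key="$2" crt="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$crt" | tr -d '\n')
  tls.key: $(base64 < "$key" | tr -d '\n')
EOF
}

# After `kubectl apply`, show the certificate the controller actually serves for
# HOST at ADDR (the CLB address from `kubectl get ingress`). A subject reading
# "Kubernetes Ingress Controller Fake Certificate" means the Ingress did not pick
# up the Secret (wrong name or namespace, or an unparsable key/certificate).
served_cert() {
  local host="$1" addr="$2"
  openssl s_client -connect "$addr:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName -dates
}
```

Typical use: gen_selfsigned example.com ./certs, then key_matches_cert ./certs/tls.key ./certs/tls.crt, then tls_secret_manifest ingress-secret ./certs/tls.key ./certs/tls.crt | kubectl apply -f -, and finally served_cert example.com 180.xxx.xxx.xxx once the Ingress reports an address.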
These openssl commands yield the private key tls.key and the certificate tls.crt. When the HTTPS certificate of the Nginx Ingress needs to be replaced, follow these steps: