1. 前提
准备 HTTPS 证书,阿里云提供免费证书
2. 创建 secret
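# Unpack the certificate bundle downloaded from Alibaba Cloud.
# (The original line repeated the word "unzip", which makes unzip treat
# "unzip" as the archive name and fail.)
unzip 3937326_www.center.com_nginx.zip

# Rename to the file names conventionally used for a kubernetes.io/tls secret.
mv 3937326_www.center.com.crt tls.crt
mv 3937326_www.center.com.key tls.key

# tls.key is the private key: make it readable by the owner only before
# copying it anywhere, and keep that mode on the copy (-p).
chmod 600 tls.key
cp -p tls.* /data/yaml

# Create the TLS secret in namespace "prod". An Ingress can only reference a
# secret that lives in its own namespace.
kubectl -n prod create secret tls center-com-secret --key ./tls.key --cert ./tls.crt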
参数说明:
a)-n prod:命名空间,没有时可以去掉;注意 Secret 必须与引用它的 Ingress 位于同一命名空间
b)center-com-secret:Secret 名称,自定义的,下面 Ingress 的 secretName 会引用它
3. 在Ingress中引用secret,配置https
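# Traefik TLSOption: the TLS parameters Traefik offers to clients.
# Traefik uses the TLSOption named "default" for every router that does not
# reference another option, so only one object with this name should exist
# across all namespaces.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  # Refuse TLS 1.0 / 1.1 handshakes; the cipher list below only targets
  # TLS 1.2 and 1.3.
  minVersion: VersionTLS12
  cipherSuites:
    # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only.
    # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 was dropped (CBC-mode suite that
    # Go's crypto/tls lists as insecure), as was a duplicated
    # TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 entry.
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    # TLS 1.3 suites. Go's TLS stack does not allow restricting these, so
    # listing them is informational.
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    # NOTE(review): TLS_FALLBACK_SCSV is a downgrade-signalling value sent by
    # clients, not a cipher suite. Kept from the original; confirm the Traefik
    # version in use still accepts it here.
    - TLS_FALLBACK_SCSV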
---
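# Ingress that terminates HTTPS for www.center.com with the TLS secret from
# step 2 and forwards all paths to the backend Service.
# No namespace is set here: apply it in the namespace that holds
# center-com-secret ("prod" in step 2), otherwise the secret is not found.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  labels:
    app: nginx
  annotations:
    # NOTE(review): this file mixes Traefik and ingress-nginx annotations.
    # Each controller ignores the other's keys, so only one set takes effect.
    # With Traefik, router.tls "false" appears to turn TLS off for this
    # router, which contradicts the HTTPS goal of this page -- confirm which
    # controller serves this Ingress and drop the annotations that do not
    # apply.
    traefik.ingress.kubernetes.io/router.tls: "false"
    # Rewrite the request path.
    nginx.ingress.kubernetes.io/rewrite-target: /
    # Redirect plain HTTP to HTTPS (ingress-nginx only).
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    # Proxy timeouts raised to 600 s. Long timeouts keep slow connections
    # open, so size them to the slowest legitimate request.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  tls:
    # The TLS host must match both the rule host below and a name in the
    # certificate. The original listed www.lenovofuturecenter.com here, which
    # matches neither, so the controller would not serve this certificate for
    # www.center.com.
    - hosts:
        - 'www.center.com'
      # Created with:
      # kubectl -n prod create secret tls center-com-secret --key ./tls.key --cert ./tls.crt
      secretName: center-com-secret
  rules:
    # Host name that external clients use to reach the service.
    - host: www.center.com
      http:
        paths:
          # Entry path exposed to clients.
          - path: /
            pathType: Prefix
            backend:
              service:
                # Backend Service that receives the traffic (the internal,
                # cluster-facing service).
                name: future-center-xcx-container-service
                # Port of the backend Service.
                port:
                  number: 8189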