37. k8s ingress HTTPS proxy - TLS (Transport Layer Security) and generating the certificate
Builds on the previous lab: it reuses the previous lab's deployments, pods and the ingress-nginx controller.
1. Generate the certificate first:
·openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=BJ/L=BJ/O=nginx/CN=intheima.com"
---------------------------------------------------------------------------------------------------
Generating a 2048 bit RSA private key
..........+++
......................................................................................................................................................................................................................................................................................................................................................+++
writing new private key to 'tls.key'
-----
#-x509 output a self-signed certificate directly instead of a certificate signing request (CSR)
#-sha256 -days 365 sign with SHA-256, valid for 365 days
#-nodes leave the private key unencrypted (required here: the key goes into a Kubernetes Secret as-is, and nothing can type a passphrase)
#-newkey rsa:2048 -keyout tls.key generate a new 2048-bit RSA private key and write it to tls.key
#-out tls.crt write the certificate to tls.crt
#Note: this certificate only names CN=intheima.com, while the Ingress below serves nginx.xiaoxin.com and tomcat.xiaoxin.com. Clients match the requested hostname against the certificate's subjectAltName (modern browsers ignore CN entirely), so this lab certificate causes a hostname-mismatch warning on top of the usual "unknown issuer" warning. To avoid the mismatch, add -addext "subjectAltName=DNS:nginx.xiaoxin.com,DNS:tomcat.xiaoxin.com" (OpenSSL 1.1.1 or newer) when generating it.
-----------------------------------------------------------------------------------------------------
2. Create the Secret:
· kubectl create secret tls tls-secret --key tls.key --cert tls.crt -n dev
#Package tls.key and tls.crt into a Secret of type kubernetes.io/tls named tls-secret. It must live in the same namespace as the Ingress that references it (dev in this lab): an Ingress cannot read a Secret from another namespace, and when the Secret is missing ingress-nginx logs an error and serves its own "Kubernetes Ingress Controller Fake Certificate" instead.
-----------------------------------------
secret/tls-secret created
#Note: TLS (Transport Layer Security) is the standardized successor of SSL; the Secret type is still called "tls" and its two keys are tls.crt and tls.key
------------------------------------------
3. Create the ingress-https.yaml file:
---------------------------------------------------------------------------------------------------
apiVersion: extensions/v1beta1 #this API was removed in Kubernetes 1.22; on current clusters use networking.k8s.io/v1 (backend becomes service.name / service.port.number and each path needs a pathType)
kind: Ingress
metadata:
  name: ingress-https
  namespace: dev
spec:
  tls: #enable TLS (Transport Layer Security, the standardized successor of SSL) for the hosts listed here
  - hosts:
    - nginx.xiaoxin.com #the certificate in tls-secret is served for these two hostnames (selected by the SNI name the client sends)
    - tomcat.xiaoxin.com
    secretName: tls-secret #must match the Secret name from step 2, and that Secret must be in this namespace (dev)
  rules:
  - host: nginx.xiaoxin.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80
  - host: tomcat.xiaoxin.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service
          servicePort: 8080
---------------------------------------------------------------------------------------------------
4. Apply the file to create the ingress: kubectl create -f ingress-https.yaml
5. List the resulting ingress-https: kubectl get ing ingress-https -ndev
-------------------------------------------------------------------
NAME            HOSTS                                   ADDRESS         PORTS     AGE
ingress-https   nginx.xiaoxin.com,tomcat.xiaoxin.com    10.97.145.253   80, 443   60s
------------------------------------------------------------------------------------------------
6. Show the details: kubectl describe ing ingress-https -ndev
------------------------------------------------------------------------------------------------
Name:             ingress-https
Namespace:        dev
Address:          10.97.145.253
Default backend:  default-http-backend:80 (<none>)
TLS: #compared with the plain-HTTP ingress there is an extra TLS section; "terminates" means ingress-nginx terminates TLS for these hosts itself and forwards plain HTTP to the backend pods
  tls-secret terminates nginx.xiaoxin.com,tomcat.xiaoxin.com
Rules:
  Host                Path  Backends
  ----                ----  --------
  nginx.xiaoxin.com
                      /     nginx-service:80 (10.244.1.11:80,10.244.1.14:80,10.244.1.15:80)
  tomcat.xiaoxin.com
                      /     tomcat-service:8080 (10.244.1.12:8080,10.244.1.13:8080,10.244.1.18:8080)
Annotations:
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  109s  nginx-ingress-controller  Ingress dev/ingress-https
  Normal  UPDATE  108s  nginx-ingress-controller  Ingress dev/ingress-https
------------------------------------------------------------------------------------------------------------
7. Check which NodePort the ingress-nginx Service exposes for HTTPS:
·kubectl get svc ingress-nginx -n ingress-nginx
---------------------------------------------------------------------------------------------
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.97.145.253   <none>        80:30090/TCP,443:32457/TCP   24h
#Port 443 (HTTPS) is exposed on NodePort 32457; port 80 (HTTP) on NodePort 30090
------------------------------------------------------------------------------------------------
8. Access it (the two hostnames must resolve to a node IP, e.g. via an /etc/hosts entry, and the request must carry the hostname so that SNI selects the right certificate; a request by bare IP gets the controller's fake certificate):
·https://nginx.xiaoxin.com:32457/
·https://tomcat.xiaoxin.com:32457/
#Expect a browser warning: the certificate is self-signed and its CN (intheima.com) does not match these hostnames. Check in the warning details that the served certificate is the one from step 1; if you see "Kubernetes Ingress Controller Fake Certificate" instead, the controller did not find tls-secret in namespace dev.
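The following script is an added example and is not part of the original lab notes. It redoes steps 1 to 3 the way a practitioner would want them: the certificate carries a subjectAltName that covers both Ingress hosts (so no hostname-mismatch warning), a check confirms which names the certificate actually covers, the Secret is created in the Ingress's own namespace, the manifest uses the networking.k8s.io/v1 API, and a curl check verifies that the controller serves our certificate rather than its fake fallback. It assumes openssl and kubectl on PATH and an IngressClass named "nginx" (an assumption, not something the lab shows); the namespace, hostnames, service names and ports are the lab's own values.

```shell
#!/usr/bin/env bash
# Added example, not from the original lab notes. Assumes openssl + kubectl on
# PATH and an IngressClass called "nginx" (assumption); dev, the hostnames,
# nginx-service:80 and tomcat-service:8080 are the lab's own values.
set -euo pipefail

NAMESPACE="${NAMESPACE:-dev}"
HOSTS="nginx.xiaoxin.com tomcat.xiaoxin.com"

# Write an openssl req config whose SAN extension lists every host given.
# Browsers ignore CN, so the SAN list is what must match the Ingress hosts.
write_openssl_cnf() {   # usage: write_openssl_cnf <out.cnf> host...
  local out="$1"; shift
  {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
    printf '[dn]\nC=CN\nST=BJ\nL=BJ\nO=nginx\nCN=%s\n' "$1"
    printf '[ext]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=@alt\n[alt]\n'
    local i=1
    for h in "$@"; do printf 'DNS.%d=%s\n' "$i" "$h"; i=$((i + 1)); done
  } > "$out"
}

# Generate an unencrypted RSA key and a self-signed cert into <dir>/tls.{key,crt}.
gen_self_signed() {     # usage: gen_self_signed <dir> host...
  local dir="$1"; shift
  write_openssl_cnf "$dir/openssl.cnf" "$@"
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" -config "$dir/openssl.cnf" 2>/dev/null
}

# Exit 0 when <crt> carries "DNS:<host>" in its SAN extension, 1 otherwise.
# Exact line match on purpose: nginx.xiaoxin.com must not be satisfied by a
# certificate issued for nginx.xiaoxin.com.example.
cert_covers_host() {    # usage: cert_covers_host <crt> <host>
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -xF "DNS:$2" > /dev/null
}

# Create or refresh the Secret in the Ingress's namespace. A Secret left in
# "default" is invisible to an Ingress in "dev": ingress-nginx logs an error
# and serves its "Kubernetes Ingress Controller Fake Certificate" instead.
create_tls_secret() {   # usage: create_tls_secret <dir>
  kubectl -n "$NAMESPACE" create secret tls tls-secret \
    --key "$1/tls.key" --cert "$1/tls.crt" --dry-run=client -o yaml | kubectl apply -f -
}

# Ingress manifest on the networking.k8s.io/v1 API (extensions/v1beta1 was
# removed in Kubernetes 1.22). Same hosts, services and ports as the lab.
render_ingress() {
  set -- $HOSTS
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-https
  namespace: $NAMESPACE
spec:
  ingressClassName: nginx
  tls:
  - hosts: [$1, $2]
    secretName: tls-secret
  rules:
  - host: $1
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: {name: nginx-service, port: {number: 80}}
  - host: $2
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: {name: tomcat-service, port: {number: 8080}}
EOF
}

# Verify what the controller really serves: SNI selects the certificate, so
# --resolve pins <host> to the node IP while keeping the hostname, and --cacert
# trusts only our own cert, so a fake-certificate fallback fails verification.
check_https() {         # usage: check_https <dir> <host> <node-ip> <node-port>
  curl --cacert "$1/tls.crt" --resolve "$2:$4:$3" -s -o /dev/null \
    -w '%{http_code}\n' "https://$2:$4/"
}

if [ "${1:-}" = "apply" ]; then   # e.g. ./ingress-tls.sh apply <node-ip> 32457
  dir=$(mktemp -d)
  gen_self_signed "$dir" $HOSTS
  create_tls_secret "$dir"
  render_ingress | kubectl apply -f -
  for h in $HOSTS; do check_https "$dir" "$h" "$2" "$3"; done
fi
```

Run it with `apply <node-ip> <https-nodeport>` against the lab cluster; `check_https` should print 200 (or whatever the backend returns) for both hosts. A certificate-verification error from curl at that point means the controller is not serving tls-secret, usually because the Secret is in the wrong namespace or the Ingress was not picked up by the controller's IngressClass.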