基于Secret实现nginx的tls认证、私有仓库认证

tls证书加密

创建类型为tls的secret为nginx提供https证书访问

 #创建ca公钥和私钥
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.test.com'
 
#创建客户端公钥和私钥
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.test.com'
 
#ca签发客户端私钥生成证书
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

创建secret

 root@deploy:~/secret# kubectl create secret tls nginx-tls --cert=./server.crt --key=./server.key

查看secret，检查创建的私钥和公钥

 root@deploy:~/secret# kubectl get secrets nginx-tls  -o yaml

创建configmap添加nginx配置文件

 root@deploy:~/secret# vim nginx-https.yaml
apiVersion: v1 
kind: ConfigMap
metadata:
  name: nginx-config
data:
 https: |
    server {
       listen       80;
       server_name  www.test.com;
 
       listen 443 ssl;
       ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
       ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
 
       location / {
           root /usr/share/nginx/html; 
           index index.html;
           if ($scheme = http ){ 
              rewrite / https://www.test.com permanent;
           }  
 
           if (!-e $request_filename) {
               rewrite ^/(.*) /index.html last;
           }
       }
    }
 
root@deploy:~/secret# kubectl apply -f nginx-https.yaml

创建应用和service，绑定configmap和secret

 root@deploy:~/secret# vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: web
  name: web-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - image: nginx
        name: nginx
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: nginx-conf
          mountPath: "/etc/nginx/conf.d"
        - name: nginx-secret
          mountPath: "/etc/nginx/conf.d/certs"
      volumes:
      - name: nginx-conf
        configMap:
          name: nginx-config
          items:
            - key: https
              path: https.conf 
 
      - name: nginx-secret
        secret:
          secretName: nginx-tls
 
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: web-svc
  name: web-svc
  namespace: default
spec:
  ports:
  - name: web1
    port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30080
  - name: web2
    port: 443
    protocol: TCP
    targetPort: 443
    nodePort: 30443
  selector:
    app: web
  type: NodePort
 
root@deploy:~/secret# kubectl apply -f deployment.yaml

查看pod和svc

配置haproxy设置反向代理

 root@haproxyA:~# vim /etc/haproxy/haproxy.cfg.
listen http
  bind 192.168.100.20:80
  mode tcp
  server node1 192.168.100.5:30080 check inter 3s fall 3 rise 3
  server node2 192.168.100.6:30080 check inter 3s fall 3 rise 3
 
listen https
  bind 192.168.100.20:443
  mode tcp
  server node1 192.168.100.5:30443 check inter 3s fall 3 rise 3
  server node2 192.168.100.6:30443 check inter 3s fall 3 rise 3
 
root@haproxyA:~# systemctl restart haproxy

客户端配置hosts本地域名解析

服务器配置hosts解析curl测试

 root@deploy:~/secret# grep 'www.test.com' /etc/hosts
192.168.100.20 www.test.com
root@deploy:~/secret# curl -k -L www.test.com

访问www.test.com

查看证书签发信息

dockercofnigjson类型

使用私有仓库需要进行仓库凭据，否则kubernetes集群会因权限拒绝访问无法拉取私有仓库镜像。

1、k8s首先手动登录私有镜像仓库，登录成功后，凭据文件会在/root/.docker/config.json

 root@deploy:~/secret# docker login --username=lxh151*****2@163.com registry.cn-hangzhou.aliyuncs.com

2、创建dockerconfigjson类型secret

 root@deploy:~/secret# kubectl create secret generic aliyun-credential \
--from-file=.dockerconfigjson=/root/.docker/config.json \
--type=kubernetes.io/dockerconfigjson

3、创建configmap添加nginx配置文件

 root@deploy:~/secret# vim nginx-https.yaml
apiVersion: v1 
kind: ConfigMap
metadata:
  name: nginx-config
data:
 https: |
    server {
       listen       80;
       server_name  www.test.com;
 
       listen 443 ssl;
       ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
       ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
 
       location / {
           root /usr/share/nginx/html; 
           index index.html;
           if ($scheme = http ){ 
              rewrite / https://www.test.com permanent;
           }  
 
           if (!-e $request_filename) {
               rewrite ^/(.*) /index.html last;
           }
       }
    }
 
root@deploy:~/secret# kubectl apply -f nginx-https.yaml

4、创建deployment和svc验证镜像发布访问

 apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: aliyun-web
  name: aliyun-web-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: aliyun-web
  template:
    metadata:
      labels:
        app: aliyun-web
    spec:
      imagePullSecrets:
      - name: aliyun-credential
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/liangxiaohui/nginx:1.21
        name: aliyun-nginx
        imagePullPolicy: Always
        volumeMounts:
        - name: nginx-conf
          mountPath: "/etc/nginx/conf.d"
        - name: nginx-secret
          mountPath: "/etc/nginx/conf.d/certs"
      volumes:
      - name: nginx-conf
        configMap:
          name: nginx-config
          items:
            - key: https
              path: https.conf 
 
      - name: nginx-secret
        secret:
          secretName: nginx-tls
 
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: aliyun-web-svc
  name: aliyun-web-svc
  namespace: default
spec:
  ports:
  - name: web1
    port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30088
  - name: web2
    port: 443
    protocol: TCP
    targetPort: 443
    nodePort: 30643
  selector:
    app: aliyun-web
  type: NodePort

查看pod拉取结果

 root@deploy:~/secret# kubectl get pods

 root@deploy:~/secret# kubectl describe pods aliyun-web-deployment-668cb5f7b5-5rnqs

查看svc

 root@deploy:~/secret# kubectl get svc

5、配置haproxy，设置pod反向代理访问

 root@haproxyA:~# vim /etc/haproxy/haproxy.cfg
listen http
  bind 192.168.100.20:80
  mode tcp
  server node1 192.168.100.5:30088 check inter 3s fall 3 rise 3
  server node2 192.168.100.6:30088 check inter 3s fall 3 rise 3
 
listen https
  bind 192.168.100.20:443
  mode tcp
  server node1 192.168.100.5:30643 check inter 3s fall 3 rise 3
  server node2 192.168.100.6:30643 check inter 3s fall 3 rise 3
 
root@haproxyA:~# systemctl restart haproxy

客户端浏览器访问

posted @ 2022-08-04 17:54 PunchLinux 阅读(259) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· 实现kubernetes基于ceph块存储和cephfs的数据持久化

· k8s中常见的资源对象的使用

· 11、kubernetes资源对象

· k8s之Secret

· Secret

公告

昵称： PunchLinux
园龄： 4年9个月
粉丝： 21
关注： 0

+加关注

2025年3月

日

一

二

三

四

五

六

puchlinux

基于Secret实现nginx的tls认证、私有仓库认证

tls证书加密

dockercofnigjson类型

公告

搜索

常用链接

最新随笔

我的标签

随笔分类

随笔档案

阅读排行榜

评论排行榜

推荐排行榜

最新评论

	#创建ca公钥和私钥
	openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.test.com'

	#创建客户端公钥和私钥
	openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.test.com'

	#ca签发客户端私钥生成证书
	openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

	root@deploy:~/secret# vim nginx-https.yaml
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: nginx-config
	data:
	https: \|
	server {
	listen 80;
	server_name www.test.com;

	listen 443 ssl;
	ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
	ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;

	location / {
	root /usr/share/nginx/html;
	index index.html;
	if ($scheme = http ){
	rewrite / https://www.test.com permanent;
	}

	if (!-e $request_filename) {
	rewrite ^/(.*) /index.html last;
	}
	}
	}

	root@deploy:~/secret# kubectl apply -f nginx-https.yaml

	root@deploy:~/secret# vim deployment.yaml
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	labels:
	app: web
	name: web-deployment
	namespace: default
	spec:
	replicas: 2
	selector:
	matchLabels:
	app: web
	template:
	metadata:
	labels:
	app: web
	spec:
	containers:
	- image: nginx
	name: nginx
	imagePullPolicy: IfNotPresent
	volumeMounts:
	- name: nginx-conf
	mountPath: "/etc/nginx/conf.d"
	- name: nginx-secret
	mountPath: "/etc/nginx/conf.d/certs"
	volumes:
	- name: nginx-conf
	configMap:
	name: nginx-config
	items:
	- key: https
	path: https.conf

	- name: nginx-secret
	secret:
	secretName: nginx-tls

	---
	apiVersion: v1
	kind: Service
	metadata:
	labels:
	app: web-svc
	name: web-svc
	namespace: default
	spec:
	ports:
	- name: web1
	port: 80
	protocol: TCP
	targetPort: 80
	nodePort: 30080
	- name: web2
	port: 443
	protocol: TCP
	targetPort: 443
	nodePort: 30443
	selector:
	app: web
	type: NodePort

	root@deploy:~/secret# kubectl apply -f deployment.yaml

	root@haproxyA:~# vim /etc/haproxy/haproxy.cfg.
	listen http
	bind 192.168.100.20:80
	mode tcp
	server node1 192.168.100.5:30080 check inter 3s fall 3 rise 3
	server node2 192.168.100.6:30080 check inter 3s fall 3 rise 3

	listen https
	bind 192.168.100.20:443
	mode tcp
	server node1 192.168.100.5:30443 check inter 3s fall 3 rise 3
	server node2 192.168.100.6:30443 check inter 3s fall 3 rise 3

	root@haproxyA:~# systemctl restart haproxy

	root@deploy:~/secret# grep 'www.test.com' /etc/hosts
	192.168.100.20 www.test.com
	root@deploy:~/secret# curl -k -L www.test.com

	root@deploy:~/secret# kubectl create secret generic aliyun-credential \
	--from-file=.dockerconfigjson=/root/.docker/config.json \
	--type=kubernetes.io/dockerconfigjson