k8s使用ingress配置https

ingress是一个负载均衡应用，支持http和https，包括通过主机名的访问路径的过滤。通过ingress实现https访问的过程如下图所示：

用户访问service是通过https，service向后端pod调度是通过http，这样就优化了集群，避免在每个pod上配置https，减轻的配置的负担和建立连接的压力。

部署

k8s的部署可以参考：使用kubeadm快速部署k8s
nginx-ingress的部署可以参考：k8s的ingress介绍和nginx-ingress的部署

ssl证书

这里是申请的阿里的一年免费证书：

下载下来解压下来得到：

root@codeeper:~# ls codeeper.com_nginx/
3967376_codeeper.com.key  3967376_codeeper.com.pem

.key文件是私钥base64加密，.pem文件是证书base64加密。

1. 部署一个后端nginx应用

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: nginx-rc
     labels:
       app: nginx
   spec:
     selector:
       matchLabels:
         app: nginx
     replicas: 1
     template:
       metadata:
         labels:
           app: nginx
       spec:
         containers:
           - name: nginx
             image: registry.cn-shanghai.aliyuncs.com/lian_ns/nginx:1.19.2
             ports:
               - containerPort: 80
             volumeMounts:
               - name: nginx-conf
                 mountPath: "/etc/nginx/nginx.conf"
                 subPath: nginx.conf
               - name: nginx-vhost-conf
                 mountPath: "/etc/nginx/conf.d/"
               - name: nginx-www
                 mountPath: /var/www/
         volumes:
           - name: nginx-conf
             configMap:
               name: nginx-conf
           - name: nginx-vhost-conf
             configMap:
               name: nginx-vhost-conf
           - name: nginx-www
             hostPath:
               path: /opt/www/

   上面的一些字段说明暂且忽略，有一些需要说明

   volumeMounts:
   
     # nginx.conf的配置
     - name: nginx-conf
       mountPath: "/etc/nginx/nginx.conf"
       subPath: nginx.conf
   
     # nginx虚拟主机配置文件目录的配置
     - name: nginx-vhost-conf
       mountPath: "/etc/nginx/conf.d/"
   
     # nginx网站目录的配置
     - name: nginx-www
       mountPath: /var/www/

   虚拟主机的配置

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: nginx-vhost-conf
   data:
     blog.conf: |-
       server {
         listen      80;
         server_name www.codeeper.com codeeper.com;
         charset     utf-8;
   
         location / {
           root   /var/www/blog;
           index  index.html index.htm;
         }
       }

2. 新建一个对上方deploy的service

   apiVersion: v1
   kind: Service
   metadata:
     name: nginx-svc
   spec:
     ports:
     - port: 80
       targetPort: 80
       protocol: TCP
       name: http
     selector:
       app: nginx

   查看service

   root@codeeper:~# kubectl get svc | grep nginx-svc
   nginx-svc    ClusterIP     10.98.15.89      <none>      80/TCP     28h

3. 创建secret
   可以使用yaml创建或命令行创建

   apiVersion: v1
   kind: Secret
   metadata:
     name: testsecret-tls
     namespace: default
   data:
     tls.crt: base64 encoded cert
     tls.key: base64 encoded key
   type: kubernetes.io/tls

   由于tls.crt和tls.key的文件过大，这里使用命令行来创建。

   kubectl create secret tls blog-tls-secret --key 3967376_codeeper.com.key --cert 3967376_codeeper.com.pem

   查看secret

   root@codeeper:~# kubectl describe secret blog-tls-secret
   Name:         blog-tls-secret
   Namespace:    default
   Labels:       <none>
   Annotations:  <none>
   
   Type:  kubernetes.io/tls
   
   Data
   ====
   tls.crt:  3675 bytes
   tls.key:  1675 bytes

4. 创建ingress

   apiVersion: extensions/v1beta1
   kind: Ingress
   metadata:
     name: nginx-ing
     annotations:
       kubernetes.io/ingress.class: "nginx" 
   spec:
     tls:
     - hosts:
       - codeeper.com
       secretName: blog-tls-secret
     rules:
     - host: codeeper.com
       http:
         paths:
         - path: /
           backend:
             serviceName: nginx-svc
             servicePort: 80

   添加了spec.tls字段，里面是用来配置https的。

浏览器访问验证

https部署的配置文件

https://github.com/dougaoyang/k8s_deploy

参考文档

https://kubernetes.io/zh/docs/concepts/services-networking/ingress/