kubernetes的ingress配置多个tls证书
背景需求:
有多个域名,且每个域名走HTTPS
示例架构:
测试环境:
公有云提供Kubernetes环境,自动创建负载均衡IP
示例步骤:
1. 创建一个Deployment
2. 创建一个Service
3. 创建2个证书和2个密钥文件
4. 创建使用Secret和Ingress
5. 测试HTTPS(负载均衡IP)
具体配置:
1. 准备一个Deployment文件 my-mc-deployment.yaml
apiVersion: apps/v1 kind: Deployment metadata: name: my-mc-deployment spec: selector: matchLabels: app: products department: sales replicas: 3 template: metadata: labels: app: products department: sales spec: containers: - name: hello image: "gcr.io/google-samples/hello-app:2.0" env: - name: "PORT" value: "50001" - name: hello-again image: "gcr.io/google-samples/node-hello:1.0" env: - name: "PORT" value: "50002"
应用此Deployment: kubectl apply -f my-mc-deployment.yaml
2. 准备一个Service文件 my-mc-service.yaml
apiVersion: v1 kind: Service metadata: name: my-mc-service spec: type: NodePort selector: app: products department: sales ports: - name: my-first-port protocol: TCP port: 60001 targetPort: 50001 - name: my-second-port protocol: TCP port: 60002 targetPort: 50002
应用此Service文件: kubectl apply -f my-mc-service.yaml
3. 创建证书和密钥(这里以两个域名为例)
说明:两个证书,每个证书都有一个相应的密钥,每个证书的公用名 (CN) 必须与您拥有的域名一致。
创建第一个密钥:
openssl genrsa -out test-ingress-1.key 2048
创建第一个证书签名请求(其中,first-domain 是您拥有的域名或虚构域名):
openssl req -new -key test-ingress-1.key -out test-ingress-1.csr -subj "/CN=first-domain"
创建第一个证书:
openssl x509 -req -days 365 -in test-ingress-1.csr -signkey test-ingress-1.key -out test-ingress-1.crt
创建第二个密钥:
openssl genrsa -out test-ingress-2.key 2048
创建第二个证书签名请求(其中,second-domain 是您拥有的另一个域名或虚构域名):
openssl req -new -key test-ingress-2.key -out test-ingress-2.csr -subj "/CN=second-domain"
创建第二个证书:
openssl x509 -req -days 365 -in test-ingress-2.csr -signkey test-ingress-2.key -out test-ingress-2.crt
4. 创建Secret和Ingress
创建包含第一个证书和密钥的Secret:
kubectl create secret tls first-secret-name --cert first-cert-file --key first-key-file
创建包含第二个证书和密钥的 Secret:
kubectl create secret tls second-secret-name --cert second-cert-file --key second-key-file
创建Ingress文件 my-mc-ingress.yaml
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: my-mc-ingress spec: tls:
- hosts:
- first-domain secretName: first-secret-name
- hosts:
- second-domain secretName: second-secret-name rules: - host: first-domain http: paths: - backend: serviceName: my-mc-service servicePort: my-first-port - host: second-domain http: paths: - backend: serviceName: my-mc-service servicePort: my-second-port
应用该Ingress文件: kubectl apply -f my-mc-ingress.yaml
根据不同的云厂商,稍等一会(分配负载均衡的外网IP),可以查看一下Ingress: kubectl describe ingress my-mc-ingress
Name: my-mc-ingress Address: 203.0.113.1 ... TLS: first-secret-name terminates second-secret-name terminates Rules: Host Path Backends ---- ---- -------- your-store.example my-mc-service:my-first-port (<none>) your-experimental-store.example my-mc-service:my-second-port (<none>) Annotations: ... Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal ADD 3m loadbalancer-controller default/my-mc-ingress Normal CREATE 2m loadbalancer-controller ip: 201.0.113.1
5. 测试HTTPs
要执行此步骤,您需要拥有两个域名,并且两个域名都必须解析 HTTP(S) 负载平衡器的外部 IP 地址
curl -v https://first-domain
... * Trying 203.0.113.1... ... * Connected to your-store.example (203.0.113.1) port 443 (#0) ... * TLSv1.2 (IN), TLS handshake, Certificate (11): ... * Server certificate: * subject: CN=your-store.example ... > Host: your-store.example ... < Hello, world! Version: 2.0.0 ...
curl -v https://second-domain
... * Trying 203.0.113.1... ... * Connected to your-experimental-store.example (203.0.113.1) port 443 (#0) ... * Server certificate: * subject: CN=your-experimental-store.example ... > Host: your-experimental-store.example ... Hello Kubernetes!
