Adding an HTTPS certificate to an ingress
Reference: https://www.cnblogs.com/litter-rabbit/articles/15710593.html
I. Adding HTTPS to the nginx ingress
The ingress in this section is a custom deployment of ingress-nginx 1.1.1.
1. Expose port 443 on the ingress as a NodePort
Method 1: edit deploy.yaml (the Service spec starts around line 283)
```shell
vim deploy.yaml +283
```

```yaml
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ipFamilyPolicy: SingleStack
  ipFamilies:
    - IPv4
  ports:
    - name: http
      port: 80
      nodePort: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      nodePort: 443   # added: expose the https listener on node port 443
      protocol: TCP
      targetPort: https
      appProtocol: https
```
Method 2: write service-nodeport.yaml and apply it
```yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    #app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 80
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 443   # pin the https node port to 443 as in method 1; left unset, Kubernetes allocates one from its NodePort range
  selector:
    app.kubernetes.io/name: ingress-nginx
    #app.kubernetes.io/part-of: ingress-nginx
```
2. Import the certificate and key into a Kubernetes TLS secret in the namespace the ingress will live in
```shell
# the secret must be created in the same namespace as the ingress that references it (monitoring here)
kubectl create secret tls https-secret --key tls.key --cert tls.crt -n monitoring
```
3. Create the matching ingress rule
```shell
vim prometheus-ingress
```
The ingress must carry this annotation so that the nginx controller picks it up:
```yaml
annotations:
  kubernetes.io/ingress.class: "nginx"
```
Note: without this annotation the nginx controller does not own the ingress, and requests from the public network may return 404.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: prometheus
  namespace: monitoring
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: prometheus.seewintech.com
      http:
        paths:
          - backend:
              service:
                name: prometheus-k8s
                port:
                  number: 9090
            path: /
            pathType: Prefix
    - host: prometheus.boge.com
      http:
        paths:
          - backend:
              service:
                name: prometheus-k8s
                port:
                  number: 9090
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - prometheus.seewintech.com   # only this host is served over TLS; prometheus.boge.com stays plain HTTP
      secretName: https-secret         # the secret created in step 2, in the same namespace
```
II. Adding HTTPS to the ALB ingress
Tip: subotiz's ingress can expose port 80 only, because Cloudflare terminates TLS on 443 with its SSL/TLS encryption mode set to Flexible, so the hop from Cloudflare to subotiz is plain HTTP.
The ALB ingress in this section is the ALB ingress add-on on AWS.
1. Download the SSL certificate from Alibaba Cloud

2. Upload it to the server and create the secret; the secret must be in the same namespace as the ingress, and its name must match secretName in the ingress manifest
```shell
# name and namespace match spec.tls[].secretName and metadata.namespace of the ingress below
kubectl create secret tls shoplazza-tls --key shoplazza.site.key --cert shoplazza.site_public.crt -n production
```
3. Create the ALB ingress
```shell
vim crm.shoplazza.site-ingress.yaml
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
    alb.ingress.kubernetes.io/healthcheck-path: /ping
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthy-threshold-count: "2"
    # key change: add the HTTPS 443 listener
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/load-balancer-attributes: |
      routing.http2.enabled=true,
      idle_timeout.timeout_seconds=60,
      routing.http.preserve_host_header.enabled=true,
      access_logs.s3.enabled=false
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/success-codes: 200,404,302
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "2"
    # optional: SSL redirect (HTTP is redirected to HTTPS automatically)
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
  name: shoplazza-crm
  namespace: production
spec:
  ingressClassName: alb
  rules:
    - host: crm.shoplazza.site
      http:
        paths:
          - backend:
              service:
                name: shoplazza-crm
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - crm.shoplazza.site
      secretName: shoplazza-tls   # the secret from step 2, in the same namespace
```
4. Apply it, wait a few dozen seconds, then check
```shell
# kc is a shell alias for kubectl
kc apply -f crm.shoplazza.site-ingress.yaml
```
```
[ec2-user@subotiz-prod-kubectl domain]$ kc get ingress | grep crm
shoplazza-crm   alb   crm.shoplazza.site   k8s-producti-shoplazz-7b53b5ad64-1802075150.us-west-2.elb.amazonaws.com   80, 443   2d12h
```
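A pre-apply consistency check covering both the nginx ingress in section I and the ALB ingress above, added here as an example rather than code from the referenced post. It walks an Ingress manifest together with the cluster's TLS secrets and flags the three things these steps depend on: a missing ingress class (the 404 case in step 3), a TLS host that no rule routes, and a secretName that does not exist in the ingress's own namespace (the caveat in step 2); the manifests and secrets are constructed dicts shaped like the page's, standing in for `kubectl get ingress,secret -A -o json` output.

```python
TLS_TYPE = "kubernetes.io/tls"
CLASS_ANNOTATION = "kubernetes.io/ingress.class"


def check_ingress(ingress: dict, secrets: list) -> list:
    """Return findings for one Ingress manifest; an empty list means consistent."""
    meta, spec = ingress.get("metadata", {}), ingress.get("spec", {})
    ns, name = meta.get("namespace", "default"), meta.get("name", "?")
    where, findings = f"{ns}/{name}", []
    # 1. a class must be selected: nginx answers 404 for an ingress it does not own
    if not spec.get("ingressClassName") and CLASS_ANNOTATION not in meta.get("annotations", {}):
        findings.append(f"{where}: no ingressClassName or {CLASS_ANNOTATION} annotation")
    # 2. every TLS host must also be routed by a rule; 3. the secret must be a
    #    kubernetes.io/tls secret in the ingress's own namespace
    rule_hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
    tls_secrets = {(s["metadata"]["namespace"], s["metadata"]["name"])
                   for s in secrets if s.get("type") == TLS_TYPE}
    for entry in spec.get("tls", []):
        for host in entry.get("hosts", []):
            if host not in rule_hosts:
                findings.append(f"{where}: tls host {host} has no matching rule")
        secret_name = entry.get("secretName")
        if secret_name and (ns, secret_name) not in tls_secrets:
            findings.append(f"{where}: tls secret {secret_name} not found in namespace {ns}")
    return findings


def tls_secret(name, ns):
    """Constructed stand-in for one item of `kubectl get secret -A -o json`."""
    return {"type": TLS_TYPE, "metadata": {"name": name, "namespace": ns}}


def ingress(name, ns, hosts, tls_host, secret_name, **spec_extra):
    """Constructed stand-in for an Ingress manifest shaped like the ones above."""
    return {"metadata": {"name": name, "namespace": ns, "annotations": {}},
            "spec": {"rules": [{"host": h} for h in hosts],
                     "tls": [{"hosts": [tls_host], "secretName": secret_name}],
                     **spec_extra}}


# Constructed inputs: the prometheus ingress with its secret in place, and the
# ALB ingress whose secret was created without -n, so it landed in "default".
SECRETS = [tls_secret("https-secret", "monitoring"), tls_secret("shoplazza-tls", "default")]
PROMETHEUS = ingress("prometheus", "monitoring",
                     ["prometheus.seewintech.com", "prometheus.boge.com"],
                     "prometheus.seewintech.com", "https-secret")
PROMETHEUS["metadata"]["annotations"][CLASS_ANNOTATION] = "nginx"
CRM = ingress("shoplazza-crm", "production", ["crm.shoplazza.site"],
              "crm.shoplazza.site", "shoplazza-tls", ingressClassName="alb")

if __name__ == "__main__":
    for ing in (PROMETHEUS, CRM):
        print("\n".join(check_ingress(ing, SECRETS)) or f"{ing['metadata']['name']}: ok")
```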