|NO.Z.00354|——————————|CloudNative|——|KuberNetes&Ops.V70|——|IngressNginx.v06|SSL Configuration|

1. SSL configuration
### --- SSL configuration

~~~     # Official ingress-nginx TLS documentation:
~~~     https://kubernetes.github.io/ingress-nginx/user-guide/tls/
2. Configuring SSL/HTTPS: a single certificate on the Ingress
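### --- Generate a self-signed certificate and private key
~~~     Note: the -subj value below contains "/0=" (digit zero) where "/O=" (letter O, Organization)
~~~     was intended; OpenSSL skips the unknown attribute, which is the "no known NID" line in the output.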

[root@k8s-master01 rewrite]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.cert -subj "/CN=test-tls.test.com/0=test-tls.test.com"
Generating a 2048 bit RSA private key
.................................................................................................................................................................................................................+++
....+++
writing new private key to 'tls.key'
-----
Subject Attribute 0 has no known NID, skipped
[root@k8s-master01 rewrite]# ls
tls.cert  tls.key
### --- Store the cert and key as a secret; this is the domain certificate
~~~     This secret is a TLS-type secret

[root@k8s-master01 rewrite]# kubectl create secret tls ca-cert --key tls.key --cert tls.cert -n ratel-test1
secret/ca-cert created
### --- View the secret created for the domain certificate

[root@k8s-master01 rewrite]# kubectl get secret -n ratel-test1
NAME                  TYPE                                  DATA   AGE
ca-cert               kubernetes.io/tls                     2      61s
3. Configuring the Ingress
### --- Configure the Ingress

~~~     http://krm.test.com/——>Ingress——>Create——>select cluster: test1
~~~     ——>Namespace: ratel-test1——>select service: ingress-test1
~~~     ——>Ingress name: test-tls.test.com——>domain: test-tls.test.com
~~~     ——>HTTPS: enabled——>certificate: ca-cert——>Create——>END
~~~     ——>configure the hosts file: 192.168.1.11  test-tls.test.com
### --- Configure hosts

[root@k8s-master01 rewrite]# vim /etc/hosts
192.168.1.11 test-tls.test.com
### --- curl the domain to check whether it redirects
~~~     Once HTTPS is configured for this domain, HTTP requests are automatically redirected to HTTPS

[root@k8s-master01 rewrite]# curl test-tls.test.com -I
HTTP/1.1 308 Permanent Redirect
Date: Tue, 01 Jun 2021 06:50:54 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://test-tls.test.com/                
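4. Access the HTTPS domain: https://test-tls.test.com/
5. Disabling the forced HTTPS redirect
### --- Disable the forced HTTPS redirect

~~~     nginx.ingress.kubernetes.io/ssl-redirect: "false"
~~~     Once HTTPS is configured, HTTP requests are forcibly redirected. If you do not want the redirect,
~~~     turn it off by setting ssl-redirect to "false". The default is true; it is a global setting.
### --- Generate the TLS.yaml file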

[root@k8s-master01 rewrite]# cat nginx-ingress-TLS.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  generation: 1
  name: test-tls
  namespace: ratel-test1
spec:
  rules:
  - host: test-tls.test.com
    http:
      paths:
      - backend:
          serviceName: ingress-test
          servicePort: 80
        path: /
  tls:
  - hosts:
    - test-tls.test.com
    secretName: ca-cert
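
The same Ingress written against networking.k8s.io/v1, for clusters where extensions/v1beta1 is no longer served (the Ingress kind was removed from that API group in Kubernetes 1.22), with the HTTPS redirect left on. This is an added example, not part of the original post; `ingressClassName: nginx` is an assumed class name, and the other names are taken from the manifest above.

```yaml
# Added example (not from the original post): the Ingress above in networking.k8s.io/v1.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-tls
  namespace: ratel-test1
  annotations:
    # Kept at the default so plain-HTTP requests still receive the 308 to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx        # assumption: IngressClass name of the ingress-nginx install
  tls:
  - hosts:
    - test-tls.test.com
    secretName: ca-cert          # the kubernetes.io/tls secret created earlier
  rules:
  - host: test-tls.test.com
    http:
      paths:
      - path: /
        pathType: Prefix         # required field in the v1 API
        backend:
          service:
            name: ingress-test   # same backend service as the manifest above
            port:
              number: 80
```

With this manifest applied, `curl test-tls.test.com -I` should again return the 308 response shown earlier.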

posted on 2022-04-01 13:24  yanqi_vip
