How to use TLS with ingress-nginx

To serve HTTPS in Kubernetes, the usual approach is to terminate TLS at the ingress and keep plain HTTP between the ingress and the backend, as follows:

client --> ingress (TLS) --> nginx (http)

Environment:

kubernetes 1.9.8

NGINX Ingress controller: 0.15.0

1. Using a certificate issued by a CA

For how to request a certificate, see: https://www.zhihu.com/question/19578422

Assume we have already obtained a certificate, consisting of two files:

Certificate key: example.com-key.pem

Signed certificate: example.com-cert.pem

1.1 Store the certificate files in a Kubernetes secret:

kubectl create secret tls example-secret --key cert/example.com-key.pem --cert cert/example.com-cert.pem

Inspect the created secret:

# kubectl get secret example-secret -o yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1...Sa0tDQo=
  tls.key: LS0tLS1...ZL0tLQ0K
kind: Secret
metadata:
  creationTimestamp: 2018-06-06T00:51:25Z
  name: example-secret
  namespace: default
  resourceVersion: "1484201"
  selfLink: /api/v1/namespaces/default/secrets/example-secret
  uid: bd0cbf86-6923-11e8-9a12-08002768bc4c
type: kubernetes.io/tls

1.2 Create a TLS ingress rule

# cat tls-example.com-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: a-example-ingress
spec:
  tls:
  - hosts:
    - a.example.com
    secretName: example-secret
  rules:
  - host: a.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80
kubectl create -f ./tls-example.com-ingress.yaml

1.3 Verify HTTPS:

$ curl https://a.example.com/

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

1.4 Other issues

By default, once HTTPS is configured, plain HTTP requests are redirected to HTTPS. In my tests (nginx ingress 0.15.0) this works fine in a browser, but curl and wget show the following:

$ curl http://a.80166.com

<html>
<head><title>308 Permanent Redirect</title></head>
<body bgcolor="white">
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx/1.13.12</center>
</body>
</html>

If you run into the problem above, access it like this instead:

curl http://a.80166.com -L

-L, --location      Follow redirects

Reference: https://github.com/rancher/rancher/issues/13218

2. Using a self-signed certificate

2.1 Create the certificate

The first step, naturally, is to have a certificate. Since this Ingress serves two domain names, the certificate has to cover both; the commands to generate it are as follows:

# generate a self-signed CA certificate
mkdir cert && cd cert
openssl genrsa -out ca-key.pem 2048
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca"

# edit the openssl config
cp /etc/pki/tls/openssl.cnf .
vim openssl.cnf

# the main changes are as follows
[req]
req_extensions = v3_req # this line is commented out by default; remove the comment
# the section below is newly added
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = a.example.com
DNS.2 = b.example.com

# generate the certificate
openssl genrsa -out ingress-key.pem 2048
openssl req -new -key ingress-key.pem -out ingress.csr -subj "/CN=kube-ingress" -config openssl.cnf
openssl x509 -req -in ingress.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ingress.pem -days 365 -extensions v3_req -extfile openssl.cnf


2.2 Create the secret

Once the certificate has been created, its contents need to go into a secret. Everything in the secret must be base64 encoded, and note that the newlines must be stripped (so each value becomes a single line). Below is my secret example (ingress.pem from the previous step is the certificate, ingress-key.pem is its key):

# kubectl create secret tls example-secret --key ./cert/ingress-key.pem --cert cert/ingress.pem
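The following script is an added example, not code from the original post: it repeats the CA and SAN certificate generation from 2.1 with an inline openssl config (so it does not depend on /etc/pki/tls/openssl.cnf existing), then runs the pre-flight checks worth doing before the pair goes into a kubernetes.io/tls secret: every Ingress host is present in the SAN list, the leaf verifies against the CA, and tls.key actually belongs to tls.crt. It finishes by building the same manifest `kubectl create secret tls` produces, with the base64 values on a single line as described above. Only openssl, base64 and a POSIX sh are needed; no cluster. The hostnames, file names and the function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): generate the CA and the
# SAN certificate with openssl, then run the pre-flight checks worth doing
# before the pair goes into a kubernetes.io/tls Secret. Needs only openssl,
# base64 and a POSIX sh; no cluster. Hostnames and paths are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The openssl config is written inline instead of editing a copy of
# /etc/pki/tls/openssl.cnf, so it works on any distribution. The CA gets
# an explicit v3_ca section so the chain verifies regardless of the
# defaults shipped with the local openssl.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = a.example.com
DNS.2 = b.example.com
EOF

# 1. Self-signed CA.
openssl genrsa -out "$WORK/ca-key.pem" 2048 2>/dev/null
openssl req -x509 -new -nodes -key "$WORK/ca-key.pem" -days 3650 \
  -subj "/CN=kube-ca" -config "$WORK/openssl.cnf" -extensions v3_ca \
  -out "$WORK/ca.pem" 2>/dev/null

# 2. Ingress key and CSR, signed by the CA with the v3_req extensions
#    (this is what carries the SAN list into the final certificate).
openssl genrsa -out "$WORK/ingress-key.pem" 2048 2>/dev/null
openssl req -new -key "$WORK/ingress-key.pem" -out "$WORK/ingress.csr" \
  -subj "/CN=kube-ingress" -config "$WORK/openssl.cnf" 2>/dev/null
openssl x509 -req -in "$WORK/ingress.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 365 \
  -extensions v3_req -extfile "$WORK/openssl.cnf" \
  -out "$WORK/ingress.pem" 2>/dev/null

# san_names CERT: prints one DNS SAN entry per line.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_has_san CERT HOST: "ok" when HOST is listed in the SAN extension.
# Browsers and other TLS clients match on SAN, not on the CN, so every
# host in the Ingress tls.hosts list must appear here.
cert_has_san() {
  if san_names "$1" | grep -qxF "$2"; then echo ok; else echo missing; fi
}

# chain_ok CA CERT: "ok" when CERT validates against CA.
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# key_matches_cert CERT KEY: "ok" when the RSA modulus in both agrees,
# i.e. tls.key really belongs to tls.crt. A mismatched pair makes the
# controller reject the secret and serve its default certificate instead.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  if [ "$c" = "$k" ]; then echo ok; else echo mismatch; fi
}

# tls_secret_yaml NAME CERT KEY: the manifest `kubectl create secret tls`
# would produce, built by hand: base64 with the newlines removed.
tls_secret_yaml() {
  crt=$(base64 < "$2" | tr -d '\n')
  key=$(base64 < "$3" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$1" "$crt" "$key"
}

# Demonstration run: c.example.com is deliberately absent from the SANs,
# and ca-key.pem is deliberately the wrong key for ingress.pem.
for h in a.example.com b.example.com c.example.com; do
  echo "SAN $h: $(cert_has_san "$WORK/ingress.pem" "$h")"
done
echo "chain: $(chain_ok "$WORK/ca.pem" "$WORK/ingress.pem")"
echo "key/cert: $(key_matches_cert "$WORK/ingress.pem" "$WORK/ingress-key.pem")"
echo "wrong key: $(key_matches_cert "$WORK/ingress.pem" "$WORK/ca-key.pem")"
tls_secret_yaml example-secret "$WORK/ingress.pem" "$WORK/ingress-key.pem" \
  | sed -n '1,6p'
```

The ca.pem this script produces is also what lets you verify the self-signed setup without disabling certificate checking: `curl --cacert cert/ca.pem https://a.example.com` validates the chain, whereas `curl -k` skips verification entirely and would accept any certificate the endpoint presented.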

2.3 Create the ingress rule:

# cat tls-self-example.com-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: a-example-ingress
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - a.example.com
    secretName: example-secret
  rules:
  - host: a.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80
kubectl create -f ./tls-self-example.com-ingress.yaml

2.4 Verify HTTPS with the self-signed certificate

$ curl http://a.example.com -L -k
$ curl https://a.example.com -k

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

3. Troubleshooting tips

If the service cannot be reached, check the controller's logs; they usually contain a hint:

kubectl logs po/nginx-ingress-controller-5f6d649c67-pxffk -n ingress-nginx

Ingress TLS reference:

https://kubernetes.io/docs/concepts/services-networking/ingress/

nginx ingress reference:

https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md
