Preface

The nginx deployed in the earlier sections only speaks plain HTTP. This section shows how to add a certificate so that it serves HTTPS, first directly through a Service and then through an Ingress.

Update history

  • 20200701 – First draft – left stand
  • The original address – blog.zuolinux.com/2020/07/01/…

Create a certificate

You can obtain a free one-year certificate from a public CA, or generate your own self-signed certificate. The steps below use a self-signed certificate.

Download the Makefile that generates a self-signed certificate

wget -O Makefile https://raw.githubusercontent.com/kubernetes/examples/master/staging/https-nginx/Makefile

Generate the private key and certificate

The keys target calls openssl to write a private key to KEY and a self-signed certificate to CERT.

make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt

Store the certificate in a Kubernetes Secret

# kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt
secret/nginxsecret created

A Secret of type kubernetes.io/tls always stores the two files under the keys tls.crt and tls.key. Those become the file names when the Secret is mounted into a Pod, which is why the nginx configuration below points at /etc/nginx/ssl/tls.crt and /etc/nginx/ssl/tls.key.
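The following script is an added example and is not part of the original post or of the kubernetes/examples Makefile. It reproduces the two steps above in a checkable form: it can generate a self-signed certificate that carries a subjectAltName (modern browsers ignore the CN and reject certificates without a SAN), verifies that the private key and certificate really belong together before anything is stored in the cluster, and builds the same kubernetes.io/tls Secret manifest that kubectl create secret tls produces, which makes the tls.crt and tls.key key names visible. The hostname test.com, the RUN_TLS_SECRET switch and the HOST/KEY/CERT variables are assumptions; the paths and the Secret name are the ones used in the post. It needs openssl (1.1.1 or newer for -addext), base64 and sha256sum.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and checks the
# nginxsecret TLS Secret. Assumed inputs: HOST (default test.com),
# KEY/CERT (default /tmp/nginx.key, /tmp/nginx.crt).
set -eu

# Generate a self-signed certificate whose SAN names the host. The post's
# Makefile only sets a CN; browsers require the name to be in the SAN.
make_selfsigned() {
  host="$1"; key="$2"; cert="$3"
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$key" -out "$cert"
}

# Succeed only if the public key derived from the private key is identical
# to the public key inside the certificate (catches a stale or swapped file
# when certificates are rotated). Compared as SHA-256 of the DER encoding.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | sha256sum | cut -d' ' -f1)
  c=$(openssl x509 -in "$2" -noout -pubkey \
      | openssl pkey -pubin -pubout -outform DER | sha256sum | cut -d' ' -f1)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Emit the manifest `kubectl create secret tls NAME --key KEY --cert CERT`
# creates: type kubernetes.io/tls, PEM files base64-encoded under the fixed
# keys tls.crt and tls.key. Mounted into a Pod, these keys become the file
# names /etc/nginx/ssl/tls.crt and /etc/nginx/ssl/tls.key used by default.conf.
tls_secret_manifest() {
  name="$1"; key="$2"; cert="$3"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$name" "$(base64 < "$cert" | tr -d '\n')" "$(base64 < "$key" | tr -d '\n')"
}

main() {
  host=${HOST:-test.com}                 # assumption: the Ingress host used later
  key=${KEY:-/tmp/nginx.key}; cert=${CERT:-/tmp/nginx.crt}
  [ -f "$key" ] && [ -f "$cert" ] || make_selfsigned "$host" "$key" "$cert"
  key_matches_cert "$key" "$cert" || { echo "$key does not match $cert" >&2; exit 1; }
  tls_secret_manifest nginxsecret "$key" "$cert" | kubectl apply -f -
}

# Run the full flow only when asked, so the functions can be sourced or tested.
if [ "${RUN_TLS_SECRET:-}" = 1 ]; then main; fi
```

Run it with RUN_TLS_SECRET=1 against a cluster where kubectl is already configured; piping the manifest into kubectl apply instead of using kubectl create makes the step repeatable when the certificate is rotated.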

Store the nginx configuration in a Kubernetes ConfigMap

The server block listens on 80 and 443 and reads the certificate and key from the paths where the Secret will be mounted.

# cat default.conf
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tls.key;
    location / {
        try_files $uri $uri/ =404;
    }
}
# kubectl create configmap nginxconfigmap --from-file=default.conf
configmap/nginxconfigmap created

Combine the backend Pods with the certificate and expose them with a Service

The Deployment mounts the Secret at /etc/nginx/ssl and the ConfigMap at /etc/nginx/conf.d, and the NodePort Service exposes both the HTTP and the HTTPS port.

[root@master01 ~]# cat nginx-app.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    run: my-nginx
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443
    protocol: TCP
    name: https
  selector:
    run: my-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: nginxsecret
      - name: configmap-volume
        configMap:
          name: nginxconfigmap
      containers:
      - name: nginxhttps
        image: bprashanth/nginxhttps:1.0
        ports:
        - containerPort: 443
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/nginx/ssl
          name: secret-volume
        - mountPath: /etc/nginx/conf.d
          name: configmap-volume
[root@master01 ~]# kubectl apply -f nginx-app.yaml
service/my-nginx created
deployment.apps/my-nginx created

Check the status

[root@master01 ~]# kubectl get service -o wide
NAME       TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                        AGE   SELECTOR
my-nginx   NodePort   192.20.27.173   <none>        8080:32529/TCP,443:32699/TCP   22s   run=my-nginx
[root@master01 ~]# kubectl get pod -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
my-nginx-85fccfd5dc-2pzvw   1/1     Running   0          64s   192.10.205.224   work01   <none>           <none>

Test access

[root@master01 ~]# curl -k https://192.20.27.173
<title>Welcome to nginx!</title>

Because the Service is of type NodePort, you can also open https://<any node IP>:32699 in a browser and see that the certificate is being served.

Because the certificate is self-signed and not issued by a CA the browser trusts, the browser shows a certificate warning that you have to click through. The -k flag does the same for curl: it disables certificate verification entirely, so use it only for this kind of local test and never in a script that talks to a production endpoint.
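Clicking through the warning, or passing -k, proves only that something answers on port 443. The script below is an added example, not part of the original post: it confirms that the certificate the NodePort presents is exactly the one stored in the Secret, by comparing the SHA-256 fingerprint of tls.crt in nginxsecret with the fingerprint of the leaf certificate returned by openssl s_client. Working on fingerprints rather than names means it also works for the self-signed certificate, whose CN does not match the node IP. The Secret name and port 32699 come from the post; NODE, SNI and the RUN_CERT_CHECK switch are assumptions. It needs kubectl, openssl, base64 -d and sha256sum (GNU coreutils).

```shell
#!/bin/sh
# Added example, not from the original post. Compares the certificate served
# on a NodePort with the certificate stored in a kubernetes.io/tls Secret.
set -eu

# SHA-256 fingerprint of a PEM certificate read from stdin: keep only the
# first BEGIN/END CERTIFICATE block, strip the armour, decode the base64
# body to DER and hash it. Equals what `openssl x509 -fingerprint -sha256`
# prints, without the colons.
pem_sha256() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
    | sed '/^-----/d' | tr -d '\r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# The certificate stored in the Secret (the API object holds it base64-encoded
# under data["tls.crt"]; the backslash escapes the dot for jsonpath).
secret_cert() {
  kubectl get secret "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# The leaf certificate the server presents. -servername sends SNI, which
# matters once an ingress controller selects the certificate by hostname.
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null
}

# Succeed only if both fingerprints are identical and non-empty.
check_served_cert() {
  secret="$1"; node="$2"; port="$3"; sni="$4"
  expected=$(secret_cert "$secret" | pem_sha256)
  actual=$(served_cert "$node" "$port" "$sni" | pem_sha256)
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

main() {
  node=${NODE:?set NODE to a worker node IP}   # assumption: supplied by the caller
  port=${PORT:-32699}; sni=${SNI:-test.com}
  if check_served_cert nginxsecret "$node" "$port" "$sni"; then
    echo "OK: $node:$port serves the certificate stored in Secret nginxsecret"
  else
    echo "MISMATCH: $node:$port does not serve the certificate from Secret nginxsecret" >&2
    exit 1
  fi
}

# Run only when asked, so the functions can be sourced or tested.
if [ "${RUN_CERT_CHECK:-}" = 1 ]; then main; fi
```

Run it as RUN_CERT_CHECK=1 NODE=<worker IP> sh check-cert.sh. A mismatch after a certificate rotation usually means the Pod is still running with the old Secret contents mounted and has to be restarted.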

Using the certificate with an Ingress

# cat ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: secret-tls-ingress
  annotations:
    ingress.kubernetes.io/ssl-redirect: "False"
spec:
  tls:
  - hosts:
    - test.com
    secretName: nginxsecret
  rules:
  - host: test.com
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
        path: /
# kubectl apply -f ingress.yaml  
ingress.extensions/secret-tls-ingress created

The ingress controller was pinned to work01/work02 in the previous section, so for the test, point test.com at the IP of work01 from outside the cluster (an /etc/hosts entry is enough).

Two things to note about this manifest. The Ingress is written against extensions/v1beta1, which was removed in Kubernetes 1.22; current clusters need networking.k8s.io/v1, where the backend is written as service.name/service.port.number and each path carries a pathType. And ssl-redirect: "False" explicitly disables the HTTP to HTTPS redirect, so the site stays reachable in cleartext on port 80; once the certificate is confirmed working, remove the annotation or set it to true. The exact annotation key depends on the ingress controller (ingress-nginx, for example, reads nginx.ingress.kubernetes.io/ssl-redirect).

# curl -k https://test.com
<title>Welcome to nginx!</title>

Access over HTTPS through the Ingress succeeds.
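With an Ingress, the certificate is selected by hostname, so the host in spec.tls must actually appear in the certificate (CN or, for current browsers, a SAN entry); otherwise the controller serves the certificate but every client rejects it. The script below is an added example and not part of the original post: it checks every TLS host of an Ingress against the names in the Secret's certificate, and it emits the networking.k8s.io/v1 form of the post's Ingress with the redirect switched on. The Ingress, Secret and Service names and the host come from the post; the name-matching rule (exact match or one-label wildcard), the ingress-nginx annotation key and the RUN_INGRESS_CHECK switch are assumptions. It needs kubectl, openssl 1.1.1 or newer (for -ext) and base64 -d.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check for the
# Ingress TLS hosts plus a networking.k8s.io/v1 rewrite of the manifest.
set -eu

# Names a certificate is valid for, as openssl prints them:
# "subject=CN = ..." and "DNS:a, DNS:b" lines for the subjectAltName.
cert_names() {
  openssl x509 -noout -subject -ext subjectAltName
}

# Read cert_names output from stdin and succeed if it covers $1, either by
# exact CN/DNS match or by a wildcard for the host's parent domain.
# Dots are escaped so "test.com" cannot match "testXcom".
names_cover_host() {
  host="$1"
  parent=${host#*.}
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')
  pesc=$(printf '%s' "$parent" | sed 's/\./\\./g')
  grep -Eq "(CN ?= ?|DNS:)($esc|[*]\.$pesc)([,/ ]|\$)"
}

# Hosts listed under spec.tls of an Ingress, and the certificate of a Secret.
ingress_tls_hosts() { kubectl get ingress "$1" -o jsonpath='{.spec.tls[*].hosts[*]}'; }
secret_cert() { kubectl get secret "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d; }

# The post's Ingress in the networking.k8s.io/v1 form (extensions/v1beta1
# was removed in Kubernetes 1.22), with the HTTP to HTTPS redirect enabled.
# The annotation key is ingress-nginx's; other controllers use their own.
ingress_v1_manifest() {
  name="$1"; host="$2"; secret="$3"; service="$4"; port="$5"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $name
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - $host
    secretName: $secret
  rules:
  - host: $host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $service
            port:
              number: $port
EOF
}

main() {
  names=$(secret_cert nginxsecret | cert_names)
  status=0
  for h in $(ingress_tls_hosts secret-tls-ingress); do
    if printf '%s\n' "$names" | names_cover_host "$h"; then
      echo "OK: certificate in nginxsecret covers $h"
    else
      echo "FAIL: certificate in nginxsecret does not cover $h" >&2; status=1
    fi
  done
  exit "$status"
}

# Run only when asked, so the functions can be sourced or tested.
if [ "${RUN_INGRESS_CHECK:-}" = 1 ]; then main; fi
```

Use ingress_v1_manifest secret-tls-ingress test.com nginxsecret my-nginx 80 | kubectl apply -f - to replace the v1beta1 object on a current cluster, and run the check with RUN_INGRESS_CHECK=1 after every certificate rotation.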

Conclusion

The certificate handling comes down to storing the key and certificate in a Kubernetes Secret and then mounting that Secret into the Pod, or referencing it from the Ingress.

This decouples the certificate files from both the Pod and the Ingress: rotating the certificate means updating one Secret.

You can also terminate TLS only at the Ingress and leave the backend nginx on plain HTTP, as the Ingress above does by forwarding to servicePort 80. Keep in mind that in that setup the hop from the ingress controller to the Pod travels in cleartext inside the cluster.

To contact me

Wechat official account: zuolinux_com