CA Certificates and Ingress (6): Ingress connecting to HTTPS

Submitted by Lizhe on Wed, 04/24/2019 - 12:42

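In the earlier examples (and, in fact, in the vast majority of real deployments), our ingress listened on port 443, served HTTPS with a certificate, and then connected to port 80 of the backend service.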

Ingress 443 => Backend 80

In this example I will try to have the Ingress connect to port 443 on the backend.

Ingress 443 => Backend 443

I will use the following image here:

 

docker run -p 8080:80 -p 8443:443 --name nginx --rm -t mendhak/http-https-echo


I am going to use this image for the tests below.

Before starting, adjust DNS resolution so that the domain name points to the Kubernetes master node (the management node's IP).

 

First, deploy the Deployment:

nginx.yaml

 

lizhedeMacBook-Pro:lz_study lizhe$ cat nginx.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: study
spec:
  replicas: 2 # tells deployment to run 2 pods matching the template
  template: # create pods using pod definition in this template
    metadata:
      # unlike pod-nginx.yaml, the name is not included in the meta data as a unique name is
      # generated from the deployment name
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: mendhak/http-https-echo
        ports:
        - containerPort: 443
lizhedeMacBook-Pro:lz_study lizhe$

Then we deploy a Service of type NodePort to test it:

 

lizhedeMacBook-Pro:lz_study lizhe$ cat nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: study
spec:
  type: NodePort
  ports:
    - port: 443
      nodePort: 30001
  selector:
      app: nginx
lizhedeMacBook-Pro:lz_study lizhe$

Accessing port 30001 shows that the pod is working normally; the certificate in use is the one that ships with the image.


 

Now we create the ingress itself, starting with a Service that uses a cluster IP:

 

lizhedeMacBook-Pro:lz_study lizhe$ cat svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: study
spec:
  type: ClusterIP
  ports:
    - port: 443
  selector:
      app: nginx
lizhedeMacBook-Pro:lz_study lizhe$

Then create the ingress:

 

lizhedeMacBook-Pro:lz_study lizhe$ cat ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-nginx-ingress
  namespace: study
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/ssl-services: "nginx-service"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: www.bestofgit.com
    http:
      paths:
      - backend:
          serviceName: nginx-service
          servicePort: 443
  tls:
  - hosts:
    - www.bestofgit.com
lizhedeMacBook-Pro:lz_study lizhe$

 

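You can see that not only has the certificate been replaced by the ingress's certificate, but some forwarding information has also been added. Both are signs that the ingress terminated the client's TLS session and proxied the request to the backend itself.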

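The ingress.yaml above carries annotations for two different NGINX-based controllers, and the result observed (ingress certificate plus forwarding information) is TLS termination rather than passthrough. The check below is an added example, not part of the original post: the manifest is retyped as a Python dict so no YAML library is needed, and the finding codes are names invented for this example.

```python
# Added example: lint an Ingress manifest for the TLS-to-backend settings used on this page.
# INGRESS is the page's ingress.yaml retyped as a dict; finding codes are made up here.
INGRESS = {
    "metadata": {"name": "hello-nginx-ingress", "namespace": "study", "annotations": {
        "kubernetes.io/ingress.class": "nginx",
        "nginx.org/ssl-services": "nginx-service",
        "nginx.ingress.kubernetes.io/ssl-passthrough": "true",
    }},
    "spec": {
        "rules": [{"host": "www.bestofgit.com", "http": {"paths": [
            {"backend": {"serviceName": "nginx-service", "servicePort": 443}}]}}],
        "tls": [{"hosts": ["www.bestofgit.com"]}],
    },
}

# Annotation prefix -> controller project that reads annotations with that prefix.
FAMILIES = {
    "nginx.org/": "NGINX Inc. kubernetes-ingress",
    "nginx.ingress.kubernetes.io/": "community ingress-nginx",
}

def lint_ingress(ing):
    """Return a list of (code, message) findings for one Ingress manifest."""
    ann = ing["metadata"].get("annotations", {})
    spec = ing["spec"]
    findings = []
    used = sorted({name for key in ann for prefix, name in FAMILIES.items() if key.startswith(prefix)})
    if len(used) > 1:
        findings.append(("MIXED_CONTROLLERS", "annotations for " + " and ".join(used)
                         + "; a controller only reads its own prefix"))
    passthrough = ann.get("nginx.ingress.kubernetes.io/ssl-passthrough") == "true"
    if passthrough and spec.get("tls"):
        findings.append(("PASSTHROUGH_WITH_TLS", "with passthrough the client sees the backend "
                         "certificate; seeing the ingress certificate means TLS was terminated"))
    backends = {p["backend"]["serviceName"] for r in spec.get("rules", [])
                for p in r.get("http", {}).get("paths", [])}
    ssl_services = {s.strip() for s in ann.get("nginx.org/ssl-services", "").split(",") if s.strip()}
    for svc in sorted(ssl_services - backends):
        findings.append(("UNKNOWN_SSL_SERVICE", svc + " is not a backend of this Ingress"))
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):
            findings.append(("TLS_NO_SECRET", ",".join(entry.get("hosts", []))
                             + " has no secretName; the controller's fallback certificate is served"))
    return findings

if __name__ == "__main__":
    for code, msg in lint_ingress(INGRESS):
        print(code + ": " + msg)
```

Run against the page's manifest, it reports the mixed annotation families, the passthrough setting alongside a tls block, and the tls entry without a secretName.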