[TOC] 互聯網越來越嚴格，很多網站都配置了https的協議了。這里聊一下ingress的tls安全路由，分為以下兩種方式： - 配置安全的路由服務 - 配置HTTPS雙向認證 ## 配置安全的路由服務 1. 生成一個證書文件tls.crt和一個私鑰文件tls.key ```shell $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.ecloud.com" ``` 2. 創建密鑰 ```shell $ kubectl create secret tls app-v1-tls --key tls.key --cert tls.crt ``` 3. 創建一個安全的Nginx Ingress服務 ```shell $ cat <<EOF | kubectl create -f - apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: app-v1-tls spec: ingressClassName: nginx tls: - hosts: - foo.ecloud.com secretName: app-v1-tls rules: - host: foo.ecloud.com http: paths: - path: / backend: serviceName: app-v1 servicePort: 80 EOF ``` 4. 查看ingress服務 ```shell $ kubectl describe ingress app-v1-tls Name: app-v1-tls Namespace: default Address: 192.168.31.103,192.168.31.79 Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>) TLS: app-v1-tls terminates foo.ecloud.com Rules: Host Path Backends ---- ---- -------- foo.ecloud.com / app-v1:80 (20.0.122.173:80,20.0.32.173:80,20.0.58.236:80) Annotations: Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Sync 66s (x2 over 85s) nginx-ingress-controller Scheduled for sync Normal Sync 66s (x2 over 85s) nginx-ingress-controller Scheduled for sync ``` 5. 驗證 ```shell $ curl -Lk -H "Host: foo.ecloud.com" 192.168.31.79 <b>version: v1</b>, <br>IP: 20.0.58.236 , <br>hostname: app-v1-68db595855-bv958 $ curl -k -H "Host: foo.ecloud.com" https://192.168.31.79 <b>version: v1</b>, <br>IP: 20.0.122.173 , <br>hostname: app-v1-68db595855-xkc9j ``` > 訪問 ingress-nginx-controller 的IP地址的 `80` 端口，會自動調轉到 `443` 端口 > -H 是設置該IP的域名是 `foo.ecloud.com` > -L 是自動調轉，-k 跳過證書認證 ## 配置HTTPS雙向認證 > ingress-nginx 默認使用 `TLSv1.2 TLSv1.3` 版本。參考文章 https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#ssl-protocols