To enable TLS for Ambassador you need a few things:

- A TLS certificate.
- For any production use, a DNS record that matches the `Common Name` of your TLS certificate.
- The certificate stored in a Kubernetes `secret`.
- Possibly further Ambassador TLS options, configured through the `tls` Module.

Taken together, these requirements mean it is easiest to decide on TLS before configuring Ambassador for the first time. You can switch after Ambassador is set up, but it is a hassle.
## 1. Obtain a TLS certificate
A self-signed certificate generated with openssl is used here (for anything beyond a lab, use a certificate issued by a CA such as Let's Encrypt instead):
```
$ openssl genrsa -out private.key 2048
$ openssl req -new -key private.key -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:zhoutong
Organizational Unit Name (eg, section) []:keji
Common Name (eg, your name or your server's hostname) []:univer
Email Address []:wu_mingsheng@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
$ openssl x509 -req -days 365 -in cert.csr -signkey private.key -out cert.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=zhoutong/OU=keji/CN=univer/emailAddress=wu_mingsheng@126.com
Getting Private key
$ ll
total 12
-rw-r--r-- 1 root root 1298 Nov 26 02:05 cert.crt
-rw-r--r-- 1 root root 1082 Nov 26 02:03 cert.csr
-rw-r--r-- 1 root root 1675 Nov 26 02:00 private.key
```
The certificate request needs Ambassador's Common Name (CN). In practice the CN matters a great deal for HTTPS: if it does not match the name clients use to reach Ambassador, clients fail hostname verification and refuse the connection. Use the DNS name as the CN and make sure everything matches in step 2. Note that current browsers and many TLS libraries ignore the CN altogether and check only the `subjectAltName` (SAN) extension, so a certificate meant for real use should also carry the hostname as a DNS SAN; the CSR in the transcript above sets neither a SAN nor a resolvable name (`univer`), which is acceptable for a lab but nothing else.
## 2. You need a DNS name.
Expose Ambassador on port 443 and create a DNS record for the certificate's CN that points at the address where it is reachable. The upstream manifest creates the HTTPS service:
```
kubectl apply -f https://www.getambassador.io/yaml/ambassador/ambassador-https.yaml
```
The Service as used here has `type: NodePort`, so port 443 is reachable on every node at port 31584 (the port step 6 connects to). In a cloud environment `type: LoadBalancer` gives you an external address to point the DNS record at.
```
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    service: ambassador
  name: ambassador
spec:
  type: NodePort
  ports:
  - name: ambassador
    port: 443
    targetPort: https
    nodePort: 31584
  selector:
    service: ambassador
```
## 3. Store the certificate in a Kubernetes secret.
Create a Kubernetes TLS secret named `ambassador-certs` (the name Ambassador looks for by default), in the namespace Ambassador will run in and before installing it in step 4:
```
kubectl create secret tls ambassador-certs --cert=$FULLCHAIN_PATH --key=$PRIVKEY_PATH
```
Here $FULLCHAIN_PATH is the path to a single PEM file holding the whole certificate chain (Ambassador's own certificate followed by any intermediate certificates; this is what Let's Encrypt calls fullchain.pem), and $PRIVKEY_PATH is the path to the matching private key. For the self-signed certificate from step 1 there are no intermediates, so cert.crt and private.key are used directly.
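The following is an added example, not code from the original page or from the Ambassador project. It ties steps 1 and 3 together in one script: it issues a self-signed certificate that carries the hostname in both the CN and a DNS `subjectAltName` (the CSR transcript above only sets a CN), checks that the certificate and private key belong together and that the certificate passes the same hostname check a TLS client performs, and then prints the `ambassador-certs` Secret manifest with a client-side `kubectl create secret tls ... --dry-run=client` (falling back to echoing the command when `kubectl` is absent). The hostname `ambassador.example.com`, the working directory and the function names are assumptions made for the example; replace the hostname with the DNS name you will actually use. It needs `openssl` 1.1.0 or later for `-verify_hostname`.

```shell
#!/bin/sh
# Added example (not from the original page or the Ambassador project).
# Issue a self-signed cert with the hostname in CN *and* SAN, check cert/key
# consistency and hostname validity, then emit the ambassador-certs Secret.
# ambassador.example.com is an assumed placeholder hostname.
set -eu

# make_selfsigned_cert HOST DIR: write DIR/private.key and DIR/cert.crt.
# A small OpenSSL config supplies the SAN, so this also works on OpenSSL
# versions that lack `req -addext`.
make_selfsigned_cert() {
    host=$1
    dir=$2
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/private.key" -out "$dir/cert.crt" \
        -config "$dir/openssl.cnf" 2>/dev/null
}

# cert_matches_key CERT KEY: succeed only if the certificate's public key is
# the one derived from the private key (a mismatched pair is the most common
# reason a TLS secret is silently unusable).
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_host CERT HOST: the check a client performs. The self-signed
# cert is trusted as its own anchor; HOST must match a SAN (or the CN when no
# SAN is present), otherwise OpenSSL reports "Hostname mismatch".
cert_valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# secret_manifest CERT KEY: print the Secret kubectl would create.
# --dry-run=client needs no cluster; without kubectl, print the command to run.
secret_manifest() {
    if command -v kubectl >/dev/null 2>&1; then
        kubectl create secret tls ambassador-certs \
            --cert="$1" --key="$2" --dry-run=client -o yaml
    else
        echo "kubectl create secret tls ambassador-certs --cert=$1 --key=$2"
    fi
}

main() {
    host=ambassador.example.com   # assumed placeholder; use your real DNS name
    workdir=$(mktemp -d)
    make_selfsigned_cert "$host" "$workdir"
    openssl x509 -noout -subject -dates -in "$workdir/cert.crt"
    if cert_matches_key "$workdir/cert.crt" "$workdir/private.key"; then
        echo "private key matches certificate"
    fi
    if cert_valid_for_host "$workdir/cert.crt" "$host"; then
        echo "certificate is valid for $host"
    fi
    # The original page tests against a bare node IP; that name is not on the
    # certificate, so the same check fails, which is why browsers warn there.
    if ! cert_valid_for_host "$workdir/cert.crt" 10.10.2.65; then
        echo "certificate is NOT valid for 10.10.2.65 (hostname mismatch)"
    fi
    secret_manifest "$workdir/cert.crt" "$workdir/private.key" || true
    echo "files left in $workdir"
}
main
```

Run it once before `kubectl apply`: if `cert_matches_key` fails, the secret would be created without error but Ambassador could never complete a handshake with it; if `cert_valid_for_host` fails for the name you put in DNS, every client will reject the connection exactly as step 1 warns.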
## 4. Install Ambassador
```
kubectl apply -f https://getambassador.io/yaml/ambassador/ambassador-rbac.yaml
```
## 5. Use TLS through Ambassador
Routes are declared as `Mapping` annotations on the backend Service. Nothing TLS-specific is needed on the Mapping: TLS is terminated by Ambassador using the `ambassador-certs` secret, and the backend is reached over plain HTTP inside the cluster.
```
---
apiVersion: v1
kind: Service
metadata:
  name: say-hello
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind: Mapping
      name: say-hello_mapping
      prefix: /say-hello/
      service: say-hello
spec:
  selector:
    app: say-hello
  ports:
  - port: 80
    name: http-qotm
    targetPort: http-api
---
# apps/v1 replaces extensions/v1beta1 (removed in Kubernetes 1.16); it requires
# an explicit selector matching the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: say-hello
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: say-hello
  template:
    metadata:
      labels:
        app: say-hello
    spec:
      containers:
      - name: say-hello
        image: woms/say-hello:0.0.1
        ports:
        - name: http-api
          containerPort: 8080
```
## 6. Verify
Open the route through the NodePort from step 2 (the node IP used here is 10.10.2.65):
```
https://10.10.2.65:31584/say-hello/say/hello
```
Because the request goes to an IP address rather than the certificate's CN (`univer` in step 1), the client's hostname check fails and a browser shows a certificate warning; the self-signed certificate is also not trusted by any browser. For a clean result, make the CN resolve to the node (a DNS or hosts entry), use that name in the URL, and trust cert.crt explicitly (with curl: `--cacert cert.crt`, plus `--resolve` if you want to map the name to the node IP without touching DNS).