[TOC] 互联网越来越严格，很多网站都配置了https的协议了。这里聊一下ingress的tls安全路由，分为以下两种方式： - 配置安全的路由服务 - 配置HTTPS双向认证 ## 配置安全的路由服务 1. 生成一个证书文件tls.crt和一个私钥文件tls.key ```shell $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.ecloud.com" ``` 2. 创建密钥 ```shell $ kubectl create secret tls app-v1-tls --key tls.key --cert tls.crt ``` 3. 创建一个安全的Nginx Ingress服务 ```shell $ cat <<EOF | kubectl create -f - apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: app-v1-tls spec: ingressClassName: nginx tls: - hosts: - foo.ecloud.com secretName: app-v1-tls rules: - host: foo.ecloud.com http: paths: - path: / backend: serviceName: app-v1 servicePort: 80 EOF ``` 4. 查看ingress服务 ```shell $ kubectl describe ingress app-v1-tls Name: app-v1-tls Namespace: default Address: 192.168.31.103,192.168.31.79 Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>) TLS: app-v1-tls terminates foo.ecloud.com Rules: Host Path Backends ---- ---- -------- foo.ecloud.com / app-v1:80 (20.0.122.173:80,20.0.32.173:80,20.0.58.236:80) Annotations: Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Sync 66s (x2 over 85s) nginx-ingress-controller Scheduled for sync Normal Sync 66s (x2 over 85s) nginx-ingress-controller Scheduled for sync ``` 5. 验证 ```shell $ curl -Lk -H "Host: foo.ecloud.com" 192.168.31.79 <b>version: v1</b>, <br>IP: 20.0.58.236 , <br>hostname: app-v1-68db595855-bv958 $ curl -k -H "Host: foo.ecloud.com" https://192.168.31.79 <b>version: v1</b>, <br>IP: 20.0.122.173 , <br>hostname: app-v1-68db595855-xkc9j ``` > 访问 ingress-nginx-controller 的IP地址的 `80` 端口，会自动调转到 `443` 端口 > -H 是设置该IP的域名是 `foo.ecloud.com` > -L 是自动调转，-k 跳过证书认证 ## 配置HTTPS双向认证 > ingress-nginx 默认使用 `TLSv1.2 TLSv1.3` 版本。参考文章 https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#ssl-protocols