[TOC]

### **Example**

In this example we deploy a tomcat8 Deployment and then access it over https://tomcat8.ccse.io.

##### **Prerequisites**

* A K8S cluster with NginxIngressController installed and listening on HTTPS port 443

##### **Create the workload and Service**

Create the workload and Service in the K8S cluster as follows:

```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat8
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat8
  template:
    metadata:
      labels:
        app: tomcat8
    spec:
      containers:
      - name: tomcat8
        image: tomcat:8
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat8
spec:
  selector:
    app: tomcat8
  ports:
  - name: "8080"
    port: 8080
```

##### **Create the certificate**

Next we create the certificate for tomcat8. Its domain name must be `tomcat8.ccse.io`, because that is the name we will use to access the service. For how to create it, see [this article](https://www.kancloud.cn/pshizhsysu/network/2095847) and follow method one when generating and signing the server certificate. Once it is made, verify that the domain name is correct (assuming the certificate file is tomcat8.crt):

```
$ openssl x509 -in tomcat8.crt -text
...
Subject: CN=tomcat8.ccse.io
...
```

##### **Create a Secret to hold the certificate**

First compute the base64 encoding of tomcat8.key and tomcat8.crt:

```
$ base64 --wrap=0 tomcat8.key
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
$ base64 --wrap=0 tomcat8.crt
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNKekNDQVE4Q0NRQ0xxWS92dmVkMWFEQU5CZ2txaGtpRzl3MEJBUXNGQURBVk1STXdFUVlEVlFRREV3cHIKZFdKbGNtNWxkR1Z6TUI0WERUSXhNRFF6TURBNE16azBPRm9YRFRNeE1EUXlPREE0TXprME9Gb3dHakVZTUJZRwpBMVVFQXd3UGRHOXRZMkYwT0M1alkzTmxMbWx2TUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCCmdRQ2p5dDdhMEtqV3VVVituYlVOOE9SYXpUVHZXbWVhY3BjSThoREs2MGU2RzZWMzJ3bUh4aUhRZnVBb2lqcnUKVmpvV3d4UFlBcTNnU2p5NUlvRlU3SnVmeEtoWlJ4Sy8rYWhaTlNmTFUrMmpiZEEyaWc4VzVaNHlVTEpsU2orbAp2bjlVMEJtOThLV3RzMW0xR240ajdFWWRhMTAvdVpVVVdKcG52NzJjNDEwYkNRSURBUUFCTUEwR0NTcUdTSWIzCkRRRUJDd1VBQTRJQkFRQStJajl5cG9ObGRYc05nZG1nVTR3aWhKMy9PdHUxTDZVWlBzVDFIUlVuNU1aTjRQajEKSlMxMWlkTzYzQ3J2aXNSemVOajZvT1JQakQvVnhnZE9mVy9vdTJUemZnNktNRVNyNjNDR0RvZEEvN2JycnhCcwowQjBjUFFnZ1hLSC9POHBPdENidmgrejFqQ3Rua2ZhNDhBNzQ5a2oyZjNhTjcybi82aEt3NHNiSlJobVgreTI0CmJzaFZHdmpIZkhMNjdzcDgxWVkxeEdRd05TSmc5Y3J1M2VDNTJWNEU0WHRIRVlxdVBCc0YyRG9WZjF3aUxxcWMKaTdyeWJ3VzRDS2ZERS95ekNpZEJVWnlkZDQzNEVlaXo5UGtuWmRQREJkT0x6NjJwa3VMNVpJN1Ewd3Q2b1JkYwpmaDBEZ1psRit3RWlkSjF5UktlMWZHZmk1ZVE0TWpGSEQvNlkKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
```

Then create the following Secret:

```
apiVersion: v1
kind: Secret
metadata:
  name: tomcat8
type: kubernetes.io/tls
data:
  tls.key: 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
  tls.crt: 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
```

##### **Create the Ingress**

Next, create the Ingress object with TLS configured, as follows:

```
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tomcat8
spec:
  tls:
  - secretName: tomcat8
    hosts: ["tomcat8.ccse.io"]
  rules:
  - host: tomcat8.ccse.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat8
          servicePort: 8080
```

##### **Verify access**

In the hosts file on our machine, add an entry mapping tomcat8.ccse.io to the IP of the host where NginxIngressController runs, then access it. As shown below, we get Tomcat's 404 page, and the Tomcat version is 8.5.61:

```
$ curl --cacert ./ca.crt https://tomcat8.ccse.io
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/8.5.61</h3></body></html>
```

### **Sharing one TLS certificate across several Ingresses**

Several Ingresses can share a single TLS certificate, as long as that certificate contains all of their domain names.

Here is an example: we publish two workloads, tomcat8 and tomcat9. tomcat8 is accessed via https://tomcat8.ccse.io and tomcat9 via https://tomcat9.ccse.io.

##### **Deploy the workloads and Services**

Deploy the tomcat8 and tomcat9 workloads and their corresponding Services; the steps are omitted here.

##### **Create the certificate**

We create one certificate whose domain names must include both `tomcat8.ccse.io` and `tomcat9.ccse.io`. For how to create it, see [this article](https://www.kancloud.cn/pshizhsysu/network/2095847) and follow method two when generating and signing the server certificate. Once it is made, verify that the domain names are correct:

```
$ openssl x509 -in tomcat89.crt -text
...
Subject: CN=tomcat.ccse.io
...
DNS:tomcat8.ccse.io, DNS:tomcat9.ccse.io
...
```

The CN and the DNS entries (Subject Alternative Names) now cover both `tomcat8.ccse.io` and `tomcat9.ccse.io`.

##### **Create the Secret**

Following the earlier method, create a Secret (call it tomcat89) holding tomcat89.key and tomcat89.crt.

##### **Create the Ingresses**

Now create two Ingresses, one for tomcat8 and one for tomcat9, both using the same certificate:

```
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tomcat8
spec:
  tls:
  - secretName: tomcat89
    hosts: ["tomcat8.ccse.io"]
  rules:
  - host: tomcat8.ccse.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat8
          servicePort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tomcat9
spec:
  tls:
  - secretName: tomcat89
    hosts: ["tomcat9.ccse.io"]
  rules:
  - host: tomcat9.ccse.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat9
          servicePort: 8080
```

##### **Verify access**

In the hosts file on our machine, map both domain names (tomcat8.ccse.io and tomcat9.ccse.io) to the IP of NginxIngressController, then access them:

```
$ curl --cacert ./ca.crt https://tomcat8.ccse.io
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/8.5.61</h3></body></html>
$ curl --cacert ./ca.crt https://tomcat9.ccse.io
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.45</h3></body></html>
```

We can also access it from a browser. Since we have not added ca.crt to the Windows host's trusted certificate store, the browser warns about the risk:

![](https://img.kancloud.cn/1e/35/1e356509fb91cae5676f2dd46939d1e3_1202x688.png)

Accept the risk and continue, and the page loads: Tomcat's 404 page, with the version shown as tomcat-9.0.45.

![](https://img.kancloud.cn/4a/df/4adf3df060e37a0d89d447935dc0f111_881x282.png)

### **References**

* https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
* https://www.kancloud.cn/pshizhsysu/network/2095847#_221
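The two things that most often go wrong with the setup above are a Secret that the Ingress controller cannot use (wrong `type`, missing `tls.crt`/`tls.key`, mangled base64) and a shared certificate whose names do not actually cover every Ingress host. The following Python script is an added example, not code from the original article or from Kubernetes; it uses only the standard library. It builds the same `kubernetes.io/tls` Secret the article assembles by hand with `base64 --wrap=0`, validates it, parses the `Subject: CN=...` and `DNS:...` lines from `openssl x509 -text` output to check that the hosts of both Ingresses are covered (serving both the single-Ingress and the shared-certificate sections), and flags rule hosts missing from `spec.tls[].hosts`. All names (`FAKE_KEY_PEM`, `X509_TEXT_SHARED`, the function names) and the PEM blobs and openssl excerpts are constructed stand-ins, not the article's real key material.

```python
"""Added example (not from the original article): sanity checks for a
kubernetes.io/tls Secret and the hosts of the Ingresses that use it.
Standard library only; all inputs below are constructed stand-ins."""
import base64
import re

# Constructed placeholder PEM blobs: only the framing a TLS Secret must carry.
FAKE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASC...placeholder\n-----END PRIVATE KEY-----\n"
FAKE_CRT_PEM = "-----BEGIN CERTIFICATE-----\nMIICJzCCAQ8CCQCLqY...placeholder\n-----END CERTIFICATE-----\n"

# Constructed `openssl x509 -noout -text` excerpts in the shape the article shows.
X509_TEXT_SINGLE = """\
Certificate:
    Data:
        Subject: CN=tomcat8.ccse.io
"""
X509_TEXT_SHARED = """\
Certificate:
    Data:
        Subject: CN = tomcat.ccse.io
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:tomcat8.ccse.io, DNS:tomcat9.ccse.io
"""

PEM_MARKERS = {
    "tls.crt": (r"-----BEGIN CERTIFICATE-----", r"-----END CERTIFICATE-----"),
    "tls.key": (r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", r"-----END (RSA |EC )?PRIVATE KEY-----"),
}


def build_tls_secret(name, key_pem, crt_pem):
    """Same encoding as `base64 --wrap=0`; the dict can be dumped as JSON and applied."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/tls",
            "data": {"tls.key": enc(key_pem), "tls.crt": enc(crt_pem)}}


def verify_tls_secret(secret):
    """Return the problems found (empty list when the Secret is usable by an Ingress)."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("type must be kubernetes.io/tls, got %r" % secret.get("type"))
    data = secret.get("data") or {}
    for key, (begin, end) in PEM_MARKERS.items():
        if key not in data:
            problems.append("data.%s is missing" % key)
            continue
        try:
            pem = base64.b64decode(data[key], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append("data.%s is not valid base64" % key)
            continue
        if not (re.search(begin, pem) and re.search(end, pem)):
            problems.append("data.%s does not contain a PEM block" % key)
    return problems


def cert_names(x509_text):
    """(CN, [DNS SANs]) parsed from `openssl x509 -noout -text` output."""
    m = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", x509_text)
    cn = m.group(1).strip() if m else None
    return cn, re.findall(r"DNS:([^,\s]+)", x509_text)


def host_matches(pattern, host):
    """Certificate name matching: exact, or a wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.ccse.io" -> ".ccse.io"
    head = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(head) and "." not in head


def uncovered_hosts(x509_text, hosts):
    """Hosts the certificate does not cover. Browsers match against the SAN list
    and ignore the CN once SANs are present, so the CN is only a fallback here."""
    cn, sans = cert_names(x509_text)
    names = sans or ([cn] if cn else [])
    return [h for h in hosts if not any(host_matches(n, h) for n in names)]


def rule_hosts_without_tls(ingress):
    """Rule hosts absent from spec.tls[].hosts; ingress-nginx serves those with
    its default (fake) certificate rather than the Secret's."""
    spec = ingress.get("spec", {})
    tls_hosts = {h.lower() for t in spec.get("tls", []) for h in t.get("hosts", [])}
    return [r["host"] for r in spec.get("rules", [])
            if "host" in r and r["host"].lower() not in tls_hosts]


if __name__ == "__main__":
    secret = build_tls_secret("tomcat89", FAKE_KEY_PEM, FAKE_CRT_PEM)
    print("secret problems:", verify_tls_secret(secret))
    both = ["tomcat8.ccse.io", "tomcat9.ccse.io"]
    print("not covered by tomcat8-only cert:", uncovered_hosts(X509_TEXT_SINGLE, both))
    print("not covered by shared cert:", uncovered_hosts(X509_TEXT_SHARED, both))
```

In practice, feed `uncovered_hosts` the real output of `openssl x509 -in tomcat89.crt -noout -text` and the host list from your Ingress manifests; with the tomcat8-only certificate it reports `tomcat9.ccse.io` as uncovered, with the shared one it reports nothing. The manual base64 step can also be skipped entirely with `kubectl create secret tls tomcat89 --cert=tomcat89.crt --key=tomcat89.key`, which produces the same `kubernetes.io/tls` Secret.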