[TOC]
### **Example**
In this example we deploy a tomcat8 Deployment and then reach it at https://tomcat8.ccse.io.
##### **Prerequisites**
* A Kubernetes cluster with the NGINX Ingress Controller already installed and listening for HTTPS on port 443
##### **Create the workload and Service**
Create the Deployment and Service in the cluster as follows:
```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat8
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat8
  template:
    metadata:
      labels:
        app: tomcat8
    spec:
      containers:
      - name: tomcat8
        image: tomcat:8
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat8
spec:
  selector:
    app: tomcat8
  ports:
  # A port name must contain at least one letter; "8080" alone is rejected by API validation.
  - name: http
    port: 8080
    targetPort: 8080
```
##### **Make the certificate**
Now make the certificate for tomcat8. Its hostname must be `tomcat8.ccse.io`, because that is the name we will use to reach it. Certificate creation is covered in [this article](https://www.kancloud.cn/pshizhsysu/network/2095847); when generating and signing the server certificate, follow method one. Once it is made, confirm the hostname (assuming the certificate file is tomcat8.crt). Check the subjectAltName as well as the Subject: browsers ignore the CN and reject a certificate whose SAN does not list the hostname, while curl built on OpenSSL only falls back to the CN when the certificate has no SAN at all:
```
$ openssl x509 -in tomcat8.crt -noout -text
...
Subject: CN=tomcat8.ccse.io
...
```
##### **Create a Secret holding the certificate**
First compute the base64 encoding of tomcat8.key and tomcat8.crt as a single unwrapped line, as follows:
```
$ base64 --wrap=0 tomcat8.key
<base64 of tomcat8.key>
$ base64 --wrap=0 tomcat8.crt
<base64 of tomcat8.crt>
```
Then create the following Secret. It must live in the same namespace as the Ingress that will reference it, and `tls.key` holds the private key in the clear (base64 is an encoding, not encryption), so restrict who can read Secrets in that namespace. The key below is a throwaway 1024-bit RSA example: treat any key that has been pasted into a document as compromised, and generate keys of at least 2048 bits for real use.
```
apiVersion: v1
kind: Secret
metadata:
  name: tomcat8
type: kubernetes.io/tls
data:
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlDWEFJQkFBS0JnUUNqeXQ3YTBLald1VVYrbmJVTjhPUmF6VFR2V21lYWNwY0k4aERLNjBlNkc2VjMyd21ICnhpSFFmdUFvaWpydVZqb1d3eFBZQXEzZ1NqeTVJb0ZVN0p1ZnhLaFpSeEsvK2FoWk5TZkxVKzJqYmRBMmlnOFcKNVo0eVVMSmxTaitsdm45VTBCbTk4S1d0czFtMUduNGo3RVlkYTEwL3VaVVVXSnBudjcyYzQxMGJDUUlEQVFBQgpBb0dBS0pqOEs5aFVRUVNqQ1FNbUFWS1lCem1keVVYck1Bai9EcVNSTFBxc1NLRFpucCtYK1NOTzlsSzhWTkFPClUwemtFUWhCUHVWTEc3REs1RWg5TGdPSGZ1akNYLzZQZHlYYTBKS2VqeDRMZ29xeHFVdGVibnhaYU05S2NocGsKZGwxTWxORHpQeGlXN1h2eTBrNStydlNCWTE4TE9PYVBnRGhRZFIvSHZoeHhSa0VDUVFEUmNubHFFcFpsWFBWQQpzTDVoQXVtSktZS2h5SmllSVlWMUYvZjFQVGw5c3NMaGtlbFFrRGk2Y0JKRm5PdVcxVUdFc0hpc0tzUUtodXZhCk01dlU0eUJWQWtFQXlES2x5amsvbnp0M2FVb1RueGpjZDNjTHREV3lIY0hQZEh2VTFBNFN0ZURsOENzcHV1Z0oKVWVzZEN2T0tuS3RNT3FvaGZCclhWaktLRTV0UFdQOXo1UUpBWmxaK3lMdG9UUUxNdXQwaFNKbDVycEZmeU5rUQo2VU1MeUpqN2lSSnZRdUhUb3cvK1ptVHhzdmNMbG9RRUFPRVdjRlVod1Uzc0dCQ3dzUjlDWnhUTE9RSkJBTHhVCmlRcFlHTFhlNTFLeFVRd1dBekNQV1A5S2xDalNMaXJTWTBDcGpJaDA3VnFtQURmSUdSeHJKWU1yNEhYSjM0aEEKakFlSDZKTTZNQktKeEhkZ3VORUNRRVpqY0QvY0wzRytGVXdUaTRMRXFiQlJoUnZBNjZ4QkNBczgxWWFyMnFmeQowdmZ4K2xTSVJjdWRlTHBSMTk5WkFidzB1MUtobUw2Z05yYjBERldCOFBJPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
  tls.crt: <base64 of tomcat8.crt>
```
##### **Create the Ingress**
Next, create the Ingress object with a tls section, as follows. This manifest uses the networking.k8s.io/v1beta1 API, which was removed in Kubernetes 1.22; on 1.19 and later use networking.k8s.io/v1, where each path carries a pathType and the backend is written as service.name and service.port.number:
```
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tomcat8
spec:
  tls:
  - secretName: tomcat8
    hosts: ["tomcat8.ccse.io"]
  rules:
  - host: tomcat8.ccse.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat8
          servicePort: 8080
```
##### **Verify access**
In the hosts file, map tomcat8.ccse.io to the IP of the node running the NGINX Ingress Controller, then access it as shown below. The tomcat:8 image serves nothing at / by default, so a 404 page generated by Tomcat itself proves that TLS termination and routing to the pod work; the page reports Tomcat version 8.5.61. That version banner is exactly what an attacker fingerprints, so in production set `showServerInfo="false"` on Tomcat's ErrorReportValve.
```
$ curl --cacert ./ca.crt https://tomcat8.ccse.io
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/8.5.61</h3></body></html>
```
### **Sharing one TLS certificate across multiple Ingresses**
Several Ingress objects can share one TLS certificate, provided the certificate's subjectAltName covers every hostname they serve.
Here is an example: deploy two workloads, tomcat8 and tomcat9, where tomcat8 is reached at https://tomcat8.ccse.io and tomcat9 at https://tomcat9.ccse.io
##### **Deploy the workloads and Services**
Deploy the tomcat8 and tomcat9 workloads and their Services; the steps are omitted here.
##### **Make the certificate**
Now make one certificate whose hostnames include both `tomcat8.ccse.io` and `tomcat9.ccse.io`. Certificate creation is covered in [this article](https://www.kancloud.cn/pshizhsysu/network/2095847); when generating and signing the server certificate, follow method two (subjectAltName). Once it is made, confirm the hostnames:
```
$ openssl x509 -in tomcat89.crt -noout -text
...
Subject: CN=tomcat.ccse.io
...
DNS:tomcat8.ccse.io, DNS:tomcat9.ccse.io
...
```
The subjectAltName lists both `tomcat8.ccse.io` and `tomcat9.ccse.io`. The CN, `tomcat.ccse.io`, is not itself one of the served hostnames, and that is fine: clients match the requested name against the SAN, not the CN.
##### **Create the Secret**
Create a Secret as before (call it tomcat89) holding tomcat89.key and tomcat89.crt, in the same namespace as the two Ingresses.
##### **Create the Ingresses**
Now create two Ingresses, tomcat8 and tomcat9, both referencing the same Secret, as follows. Each `tls[].hosts` entry must match the `rules[].host` it protects and must be present in the certificate's SAN: for a request whose SNI name matches no TLS entry, ingress-nginx serves its built-in self-signed default certificate (subject "Kubernetes Ingress Controller Fake Certificate"), and `curl --cacert` then fails verification.
```
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tomcat8
spec:
  tls:
  - secretName: tomcat89
    hosts: ["tomcat8.ccse.io"]
  rules:
  - host: tomcat8.ccse.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat8
          servicePort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tomcat9
spec:
  tls:
  - secretName: tomcat89
    hosts: ["tomcat9.ccse.io"]
  rules:
  - host: tomcat9.ccse.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat9
          servicePort: 8080
```
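Both examples above defer certificate creation to an external article and build the Secret by hand. The script below is an added example, not code from the original page or from ingress-nginx: it issues a private CA and a server certificate whose subjectAltName covers both hostnames (the "method two" certificate), verifies the chain and the SAN, emits the kubernetes.io/tls Secret manifest, and runs a preflight check that every `host:` in an Ingress manifest is covered by the certificate, which is the condition the shared-certificate setup depends on. It assumes OpenSSL 1.1.1 or newer and a POSIX shell; the CA name ccse-test-ca, the temporary directory and the file names are made up for the example.

```shell
#!/bin/sh
# Added example: private CA + SAN certificate + kubernetes.io/tls Secret + Ingress host check.
# Assumes openssl >= 1.1.1 and base64 on PATH. Names and paths are illustrative.
set -eu

# Issue a private CA and a server certificate whose subjectAltName lists every
# hostname given. Usage: make_san_cert <outdir> <name> <dns1> [dns2 ...]
make_san_cert() {
    dir=$1; name=$2; shift 2
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    # Self-contained config so the result does not depend on the system openssl.cnf.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    # Self-signed CA; 2048-bit RSA, never 1024-bit.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/openssl.cnf" -extensions ca_ext -subj "/CN=ccse-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR. The CN is only informational; clients match on the SAN.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=$1" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # Sign with the CA and attach the server extensions, including the SAN.
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/$name.crt" 2>/dev/null
}

# 0 if <crt> chains to <ca.crt>, 1 otherwise. Usage: cert_chain_ok <ca.crt> <crt>
cert_chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if <crt> lists <hostname> as a DNS subjectAltName, 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "DNS:$2(,|$)"
}

# Print a kubernetes.io/tls Secret manifest. Usage: tls_secret_manifest <name> <key> <crt>
tls_secret_manifest() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
        "$1" "$(base64 < "$3" | tr -d '\n')" "$(base64 < "$2" | tr -d '\n')"
}

# Preflight: every "host:" in an Ingress manifest must be in the certificate's SAN,
# otherwise ingress-nginx serves its self-signed default certificate for that name.
# Reports uncovered hosts on stderr; returns 1 if any. Usage: ingress_hosts_covered <ingress.yaml> <crt>
ingress_hosts_covered() {
    rc=0
    for h in $(sed -n 's/^[ -]*host: *"\{0,1\}\([^" ]*\)"\{0,1\}.*$/\1/p' "$1" | sort -u); do
        cert_has_san "$2" "$h" || { echo "not covered by certificate: $h" >&2; rc=1; }
    done
    return $rc
}

# Demo run: one certificate for both example hostnames, the Secret manifest, the Ingress check.
demo() {
    dir=$(mktemp -d)
    make_san_cert "$dir" tomcat89 tomcat8.ccse.io tomcat9.ccse.io
    cert_chain_ok "$dir/ca.crt" "$dir/tomcat89.crt"
    tls_secret_manifest tomcat89 "$dir/tomcat89.key" "$dir/tomcat89.crt" > "$dir/secret.yaml"
    # Constructed Ingress fragment; only the host lines matter to the check.
    printf 'spec:\n  rules:\n  - host: tomcat8.ccse.io\n  - host: tomcat9.ccse.io\n' > "$dir/ingress.yaml"
    ingress_hosts_covered "$dir/ingress.yaml" "$dir/tomcat89.crt" && echo "all Ingress hosts covered"
    echo "artifacts in $dir"
}
demo
```

Against a live cluster, `kubectl apply -f secret.yaml` in the Ingress's namespace replaces the manual base64 step, and `curl --resolve tomcat9.ccse.io:443:<ingress IP> --cacert ca.crt https://tomcat9.ccse.io` checks a name without editing the hosts file; `openssl s_client -servername tomcat9.ccse.io -connect <ingress IP>:443` shows which certificate the controller actually selected for that SNI name, which is how a missing `hosts` entry surfaces as the fake default certificate.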
##### **Verify access**
In the hosts file, map both hostnames (tomcat8.ccse.io and tomcat9.ccse.io) to the NGINX Ingress Controller's IP, then access them as follows:
```
$ curl --cacert ./ca.crt https://tomcat8.ccse.io
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/8.5.61</h3></body></html>
$ curl --cacert ./ca.crt https://tomcat9.ccse.io
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.45</h3></body></html>
```
We can also open them in a browser, but because ca.crt has not been added to the Windows host's trusted certificate store, the browser warns about a risk
![](https://img.kancloud.cn/1e/35/1e356509fb91cae5676f2dd46939d1e3_1202x688.png)
Accept the risk and continue, and the page loads: Tomcat's 404 page, reporting version 9.0.45
![](https://img.kancloud.cn/4a/df/4adf3df060e37a0d89d447935dc0f111_881x282.png)
### **References**
* https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
* https://www.kancloud.cn/pshizhsysu/network/2095847#_221