HTTPS Secure Access

Last updated: 2019-08-03 22:32:32

This document describes how to configure HTTPS access for applications running in Kingsoft Cloud Container Engine.

Depending on how the application is accessed, there are currently two ways to configure the certificate:

  • Configure the certificate on the SLB (load balancer)
  • Configure the certificate in the Ingress

Prerequisites

  • You have created a Kubernetes cluster on Kingsoft Cloud, and cloud-controller-manager is running normally in the cluster
    [[email protected] ~]# kubectl get deploy -n kube-system | grep cloud
    cloud-controller-manager   1         1         1            1           35d
  • Prepare a certificate in advance. For testing purposes we use a self-signed certificate here, created with the following command
    [[email protected] CAtest]# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
    Generating a 2048 bit RSA private key
    ...............+++
    .............................+++
    writing new private key to 'tls.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:Kingsoft
    Organizational Unit Name (eg, section) []:Ksyun
    Common Name (eg, your name or your server's hostname) []:foo.bar.com
    Email Address []:[email protected]

Configuring the certificate on Kingsoft Cloud SLB

Characteristics: the certificate is configured on the load balancer, which provides the external entry point for the application; traffic inside the cluster still uses plain HTTP

Applicable scenario: the application is not exposed through an Ingress but directly through a Service of type LoadBalancer

  1. We use an nginx application as the example. First create the nginx Deployment; nginx-deploy.yaml is as follows:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: nginx
    spec:
      replicas: 2
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx
  2. Upload the certificate created in the prerequisites to Kingsoft Cloud Load Balancing > Certificate Management

      ⅰ. Open the Kingsoft Cloud Load Balancing console, choose Certificates > Load Balancer Certificates, and click [Create Certificate]

      ⅱ. In the Create Certificate dialog, enter a certificate name, paste the certificate and private key created in the prerequisites into the certificate content and private key fields, and click [Create] to finish creating the certificate


      ⅲ. Get the certificate id from the certificate details page

  3. Now expose the nginx application to the public internet over HTTPS through a Kingsoft Cloud load balancer; nginx-service.yaml is as follows:

Note: the value of the annotation service.beta.kubernetes.io/ksc-loadbalancer-protocol-port has the format "PROTOCOL:PORT", and PORT must match the port given under spec.ports

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/ksc-loadbalancer-protocol-port: "HTTPS:443"
    service.beta.kubernetes.io/ksc-loadbalancer-cert-id: "your-cert-id"  # fill in your certificate id
  labels:
    app: nginx
  name: https-lb
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
  4. Create the resources above
    [[email protected]]# kubectl create -f nginx-deploy.yaml 
    deployment.extensions/nginx created
    [[email protected]]# kubectl create -f nginx-svc.yaml 
    service/nginx created
  5. Get the public IP of the nginx Service
    [[email protected] CAtest]# kubectl get svc | grep nginx
    nginx   LoadBalancer   10.254.101.229   120.92.86.xx   443:31937/TCP        76d

Note: with the public IP of the nginx Service in hand, we resolve the test domain foo.bar.com to it by adding a record to the hosts file

120.92.86.xx foo.bar.com

Open https://foo.bar.com in a browser to verify


Configuring the certificate in the Ingress

Characteristics: no change to the SLB configuration is needed; each application manages its own certificate through its Ingress, independently of the others

Applicable scenarios: each application needs its own certificate; or the cluster contains applications that must only be reachable over HTTPS

  1. Create a Secret from the certificate and private key created in the prerequisites

    [[email protected]]# kubectl create secret tls secret-https --key tls.key --cert tls.crt
    secret/secret-https created
  2. Expose the cluster's built-in traefik service to the public internet; see "Exposing the Ingress Controller outside the cluster"

  3. Create the nginx Service. Here nginx only needs to be reachable inside the cluster on service port 80; nginx-service.yaml is as follows:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: ClusterIP
  4. Create the corresponding Ingress rule; ingress.yaml is as follows
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-https
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
  tls:
  - hosts:
    - foo.bar.com
    secretName: secret-https
  5. Create the Service and Ingress resources above
[[email protected]]# kubectl create -f svc.yaml 
service/nginx created
[[email protected]]# kubectl create -f ingress.yaml 
ingress.extensions/nginx-https created
[[email protected] CAtest]# kubectl get svc | grep nginx
nginx                   ClusterIP   10.254.99.223    <none>        80/TCP           3m35s
[[email protected] CAtest]# kubectl get ing
NAME          HOSTS         ADDRESS   PORTS     AGE
nginx-https   foo.bar.com             80, 443   2m26s
  6. Get the public IP of the traefik service
    [[email protected] CAtest]# kubectl get svc -n kube-system | grep traefik
    traefik-ingress-service   LoadBalancer   10.254.101.229   120.92.86.xx   80:31833/TCP,443:31937/TCP,8080:30475/TCP        76d

    Note:

    • Here we resolve the test domain foo.bar.com to the public IP of the traefik service by adding a record to the hosts file
      120.92.86.xx foo.bar.com

Open https://foo.bar.com in a browser to verify
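The browser check at the end of both procedures only shows that a page loads. As an added example (not part of the Kingsoft Cloud documentation), the following bash script checks the tls.key/tls.crt pair from the prerequisites before it is uploaded to the SLB or packed into the Secret, and compares the certificate the load balancer or traefik actually serves for foo.bar.com with the local one. It assumes only the openssl command-line tool; the LB public IP is the one shown by kubectl get svc.

```bash
#!/usr/bin/env bash
# Checks for the tls.key/tls.crt pair from this guide (before uploading it to the
# SLB or packing it into the Secret) and for what the public endpoint serves.
set -eu

# Does the private key belong to the certificate? Compare the two public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# Is the certificate valid for the name clients will send (SNI / Host header)?
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
# Does it carry a Subject Alternative Name? The openssl req command in the
# prerequisites yields a CN-only certificate, which current browsers reject.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:'
}
# Will it still be valid in N days? (-checkend fails if it expires sooner.)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
# SHA-256 fingerprint of the local certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
# Fingerprint of the leaf certificate served at IP:PORT for SNI name HOST. Traefik
# selects the certificate by SNI, so -servername matters; no hosts-file entry needed.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
# Run the local checks; returns non-zero if any hard check fails.
preflight() {
    local cert=$1 key=$2 host=$3 rc=0
    key_matches_cert "$cert" "$key"  && echo "ok: key matches cert"   || { echo "FAIL: key/cert mismatch"; rc=1; }
    cert_covers_host "$cert" "$host" && echo "ok: cert covers $host" || { echo "FAIL: $host not covered"; rc=1; }
    cert_has_san "$cert"             && echo "ok: SAN present"        || echo "warn: no SAN, browsers reject CN-only certs"
    cert_valid_for_days "$cert" 30   && echo "ok: valid > 30 days"    || { echo "FAIL: expires within 30 days"; rc=1; }
    return $rc
}
# Usage: ./tls-check.sh tls.crt tls.key foo.bar.com [LB_PUBLIC_IP]
if [ $# -ge 3 ]; then
    preflight "$1" "$2" "$3"
    [ $# -lt 4 ] && exit 0
    [ "$(cert_fingerprint "$1")" = "$(served_fingerprint "$4" 443 "$3")" ] \
        && echo "ok: endpoint serves our certificate" || { echo "FAIL: endpoint serves another certificate"; exit 1; }
fi
```

Run with the LB IP as the fourth argument once the Service or Ingress is up; a fingerprint mismatch on the SLB variant usually means the wrong certificate id was put in the annotation, and on the Ingress variant that traefik fell back to its default certificate.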

