上一节我们进行了ingress的部署,并实现了简单的NodePort+ingress+httpbackend访问集群内部服务的功能。接下来有需求,需要研究下ingress的https TLS 认证,大致是分为三种:
- 在ingress-controller
- 内部服务启用TLS
- ingress-controller和内部服务均启用TLS
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: grpc-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
rules:
- host: rpc.host.tld
http:
paths:
- backend:
serviceName: svc-grpc
servicePort: 443
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: gateway-ingress
annotations:
# set for letsencrypt support
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- api.host.tld
secretName: api-tls
rules:
- host: api.host.tld
http:
paths:
- backend:
serviceName: gateway
servicePort: 8080
This is the config for the controller itself
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.10.0
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
- --enable-ssl-passthrough
上面是默认的nginx-ingress-controller的启动参数, --annotations-prefix=nginx.ingress.kubernetes.io是可以配置的,默认的前缀为annotations-prefix。
生成证书和secret
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=shanghai/L=shanghai/O=devops/CN=prometheus.mine.com
kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
kubectl get secret
kubectl describe secret tomcat-ingress-secret
ingress annotations
| aa | bb |
|---|---|
| nginx.ingress.kubernetes.io/app-root | string |
| nginx.ingress.kubernetes.io/affinity | cookie |
| nginx.ingress.kubernetes.io/auth-realm | string |
| nginx.ingress.kubernetes.io/auth-secret | string |
| nginx.ingress.kubernetes.io/auth-type | basic or digest |
| nginx.ingress.kubernetes.io/auth-tls-secret | string |
| nginx.ingress.kubernetes.io/auth-tls-verify-depth | number |
| nginx.ingress.kubernetes.io/auth-tls-verify-client | string |
| nginx.ingress.kubernetes.io/auth-tls-error-page | string |
| nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream | "true" or "false" |
| nginx.ingress.kubernetes.io/auth-url | string |
| nginx.ingress.kubernetes.io/auth-cache-key | string |
| nginx.ingress.kubernetes.io/auth-cache-duration | string |
| nginx.ingress.kubernetes.io/auth-snippet | string |
| nginx.ingress.kubernetes.io/enable-global-auth | "true" or "false" |
| nginx.ingress.kubernetes.io/backend-protocol | string |
| nginx.ingress.kubernetes.io/canary | "true" or "false" |
| nginx.ingress.kubernetes.io/canary-by-header | string |
| nginx.ingress.kubernetes.io/canary-by-header-value | string |
| nginx.ingress.kubernetes.io/canary-by-cookie | string |
| nginx.ingress.kubernetes.io/canary-weight | number |
| nginx.ingress.kubernetes.io/client-body-buffer-size | string |
| nginx.ingress.kubernetes.io/configuration-snippet | string |
| nginx.ingress.kubernetes.io/custom-http-errors | []int |
| nginx.ingress.kubernetes.io/default-backend | string |
| nginx.ingress.kubernetes.io/enable-cors | "true" or "false" |
| nginx.ingress.kubernetes.io/cors-allow-origin | string |
| nginx.ingress.kubernetes.io/cors-allow-methods | string |
| nginx.ingress.kubernetes.io/cors-allow-headers | string |
| nginx.ingress.kubernetes.io/cors-allow-credentials | "true" or "false" |
| nginx.ingress.kubernetes.io/cors-max-age | number |
| nginx.ingress.kubernetes.io/force-ssl-redirect | "true" or "false" |
| nginx.ingress.kubernetes.io/from-to-www-redirect | "true" or "false" |
| nginx.ingress.kubernetes.io/http2-push-preload | "true" or "false" |
| nginx.ingress.kubernetes.io/limit-connections | number |
| nginx.ingress.kubernetes.io/limit-rps | number |
| nginx.ingress.kubernetes.io/permanent-redirect | string |
| nginx.ingress.kubernetes.io/permanent-redirect-code | number |
| nginx.ingress.kubernetes.io/temporal-redirect | string |
| nginx.ingress.kubernetes.io/proxy-body-size | string |
| nginx.ingress.kubernetes.io/proxy-cookie-domain | string |
| nginx.ingress.kubernetes.io/proxy-cookie-path | string |
| nginx.ingress.kubernetes.io/proxy-connect-timeout | number |
| nginx.ingress.kubernetes.io/proxy-send-timeout | number |
| nginx.ingress.kubernetes.io/proxy-read-timeout | number |
| nginx.ingress.kubernetes.io/proxy-next-upstream | string |
| nginx.ingress.kubernetes.io/proxy-next-upstream-timeout | number |
| nginx.ingress.kubernetes.io/proxy-next-upstream-tries | number |
| nginx.ingress.kubernetes.io/proxy-request-buffering | string |
| nginx.ingress.kubernetes.io/proxy-redirect-from | string |
| nginx.ingress.kubernetes.io/proxy-redirect-to | string |
| nginx.ingress.kubernetes.io/proxy-http-version | "1.0" or "1.1" |
| nginx.ingress.kubernetes.io/enable-rewrite-log | "true" or "false" |
| nginx.ingress.kubernetes.io/rewrite-target | URI |
| nginx.ingress.kubernetes.io/satisfy | string |
| nginx.ingress.kubernetes.io/secure-verify-ca-secret | string |
| nginx.ingress.kubernetes.io/server-alias | string |
| nginx.ingress.kubernetes.io/server-snippet | string |
| nginx.ingress.kubernetes.io/service-upstream | "true" or "false" |
| nginx.ingress.kubernetes.io/session-cookie-name | string |
| nginx.ingress.kubernetes.io/session-cookie-path | string |
| nginx.ingress.kubernetes.io/session-cookie-change-on-failure | "true" or "false" |
| nginx.ingress.kubernetes.io/ssl-redirect | "true" or "false" |
| nginx.ingress.kubernetes.io/ssl-passthrough | "true" or "false" |
| nginx.ingress.kubernetes.io/upstream-hash-by | string |
| nginx.ingress.kubernetes.io/x-forwarded-prefix | string |
| nginx.ingress.kubernetes.io/load-balance | string |
| nginx.ingress.kubernetes.io/upstream-vhost | string |
| nginx.ingress.kubernetes.io/whitelist-source-range | CIDR |
| nginx.ingress.kubernetes.io/proxy-buffering | string |
| nginx.ingress.kubernetes.io/proxy-buffers-number | number |
| nginx.ingress.kubernetes.io/proxy-buffer-size | string |
| nginx.ingress.kubernetes.io/ssl-ciphers | string |
| nginx.ingress.kubernetes.io/connection-proxy-header | string |
| nginx.ingress.kubernetes.io/enable-access-log | "true" or "false" |
| nginx.ingress.kubernetes.io/lua-resty-waf | string |
| nginx.ingress.kubernetes.io/lua-resty-waf-debug | "true" or "false" |
| nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets | string |
| nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules | string |
| nginx.ingress.kubernetes.io/lua-resty-waf-allow-unknown-content-types | "true" or "false" |
| nginx.ingress.kubernetes.io/lua-resty-waf-score-threshold | number |
| nginx.ingress.kubernetes.io/lua-resty-waf-process-multipart-body | "true" or "false" |
| nginx.ingress.kubernetes.io/enable-influxdb | "true" or "false" |
| nginx.ingress.kubernetes.io/influxdb-measurement | string |
| nginx.ingress.kubernetes.io/influxdb-port | string |
| nginx.ingress.kubernetes.io/influxdb-host | string |
| nginx.ingress.kubernetes.io/influxdb-server-name | string |
| nginx.ingress.kubernetes.io/use-regex | bool |
| nginx.ingress.kubernetes.io/enable-modsecurity | bool |
| nginx.ingress.kubernetes.io/enable-owasp-core-rules | bool |
| nginx.ingress.kubernetes.io/modsecurity-transaction-id | string |
| nginx.ingress.kubernetes.io/modsecurity-snippet | string |
详情见 官网
以上↑
