Background requirement:
Several domain names, each served over HTTPS.
Example architecture:
Test environment:
A public-cloud Kubernetes offering that provisions a load-balancer IP automatically.
Example steps:
1. Create a Deployment
2. Create a Service
3. Create two certificates and two key files
4. Create the Secrets and the Ingress
5. Test HTTPS (against the load-balancer IP)
Detailed configuration:
1. Prepare a Deployment file, my-mc-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-mc-deployment
spec:
  selector:
    matchLabels:
      app: products
      department: sales
  replicas: 3
  template:
    metadata:
      labels:
        app: products
        department: sales
    spec:
      containers:
      - name: hello
        image: "gcr.io/google-samples/hello-app:2.0"
        env:
        - name: "PORT"
          value: "50001"
      - name: hello-again
        image: "gcr.io/google-samples/node-hello:1.0"
        env:
        - name: "PORT"
          value: "50002"
Apply the Deployment: kubectl apply -f my-mc-deployment.yaml
2. Prepare a Service file, my-mc-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-mc-service
spec:
  type: NodePort
  selector:
    app: products
    department: sales
  ports:
  - name: my-first-port
    protocol: TCP
    port: 60001
    targetPort: 50001
  - name: my-second-port
    protocol: TCP
    port: 60002
    targetPort: 50002
Apply the Service file: kubectl apply -f my-mc-service.yaml
3. Create the certificates and keys (two domain names are used here as the example)
Note: there are two certificates, each with its own key, and the Common Name (CN) of each certificate must match a domain name you own.
Create the first key:
openssl genrsa -out test-ingress-1.key 2048
Create the first certificate signing request (first-domain is a domain you own, or a made-up one):
openssl req -new -key test-ingress-1.key -out test-ingress-1.csr -subj "/CN=first-domain"
Create the first certificate:
openssl x509 -req -days 365 -in test-ingress-1.csr -signkey test-ingress-1.key -out test-ingress-1.crt
Create the second key:
openssl genrsa -out test-ingress-2.key 2048
Create the second certificate signing request (second-domain is another domain you own, or a made-up one):
openssl req -new -key test-ingress-2.key -out test-ingress-2.csr -subj "/CN=second-domain"
Create the second certificate:
openssl x509 -req -days 365 -in test-ingress-2.csr -signkey test-ingress-2.key -out test-ingress-2.crt
4. Create the Secrets and the Ingress
Create the Secret holding the first certificate and key (the files written in step 3):
kubectl create secret tls first-secret-name --cert test-ingress-1.crt --key test-ingress-1.key
Create the Secret holding the second certificate and key:
kubectl create secret tls second-secret-name --cert test-ingress-2.crt --key test-ingress-2.key
Create the Ingress file my-mc-ingress.yaml
# networking.k8s.io/v1 form of the manifest; the original used the v1beta1
# API, which Kubernetes removed in 1.22. One TLS entry per host/secret pair,
# and one rule per host pointing at the matching named Service port.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-mc-ingress
spec:
  tls:
  - hosts:
    - first-domain
    secretName: first-secret-name
  - hosts:
    - second-domain
    secretName: second-secret-name
  rules:
  - host: first-domain
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: my-mc-service
            port:
              name: my-first-port
  - host: second-domain
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: my-mc-service
            port:
              name: my-second-port
Apply the Ingress file: kubectl apply -f my-mc-ingress.yaml
Depending on the cloud provider it takes a moment for the external load-balancer IP to be allocated; then inspect the Ingress: kubectl describe ingress my-mc-ingress

Name:             my-mc-ingress
Address:          203.0.113.1
...
TLS:
  first-secret-name terminates
  second-secret-name terminates
Rules:
  Host                             Path  Backends
  ----                             ----  --------
  your-store.example                     my-mc-service:my-first-port (<none>)
  your-experimental-store.example        my-mc-service:my-second-port (<none>)
Annotations:
  ...
Events:
  Type    Reason  Age   From                     Message
  ----    ------  ----  ----                     -------
  Normal  ADD     3m    loadbalancer-controller  default/my-mc-ingress
  Normal  CREATE  2m    loadbalancer-controller  ip: 201.0.113.1
5. Test HTTPS
To carry out this step you need two domain names, and both must resolve to the external IP address of the HTTP(S) load balancer.
curl -v https://first-domain
...
*   Trying 203.0.113.1...
...
* Connected to your-store.example (203.0.113.1) port 443 (#0)
...
* TLSv1.2 (IN), TLS handshake, Certificate (11):
...
* Server certificate:
*  subject: CN=your-store.example
...
> Host: your-store.example
...
< Hello, world!
Version: 2.0.0
...
curl -v https://second-domain
...
*   Trying 203.0.113.1...
...
* Connected to your-experimental-store.example (203.0.113.1) port 443 (#0)
...
* Server certificate:
*  subject: CN=your-experimental-store.example
...
> Host: your-experimental-store.example
...
Hello Kubernetes!
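Step 3 (one self-signed certificate per domain) and step 5 (checking that each host name is answered with its own certificate) as one added, offline example; this is not code from the original post or from any Kubernetes project. It keeps the article's placeholder names first-domain / second-domain and the test-ingress-N file names, assumes only that openssl is on PATH, and uses openssl s_server with -servername/-cert2 as a local stand-in for the cloud load balancer, so no cluster or DNS is needed. It goes one step beyond the article by giving each certificate a DNS subjectAltName, since browsers and current curl builds match the host against the SAN rather than the CN, and by checking that each key really belongs to its certificate before the pair is turned into a Secret.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds the two
# self-signed certificates with a subjectAltName, sanity-checks each
# key/certificate pair, then shows one listener on one IP handing out a
# different certificate depending on the SNI host name the client sends,
# which is what the Ingress load balancer does for the two hosts.

# make_selfsigned_cert DOMAIN OUTPREFIX
# Writes OUTPREFIX.key and OUTPREFIX.crt. The config adds a DNS SAN; a
# "-subj /CN=..."-only certificate is rejected by browsers.
make_selfsigned_cert() {
    cat > "$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $1
[v3_req]
subjectAltName = DNS:$1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$2.key" -out "$2.crt" -config "$2.cnf" >/dev/null 2>&1
}

# cert_has_san CERT HOST : true when HOST is listed as a DNS SAN in CERT
cert_has_san() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | grep -qw "DNS:$2"
}

# key_matches_cert KEY CERT : true when the public half of KEY equals the
# public key inside CERT (catches a swapped --cert/--key pair early)
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# start_sni_server PORT CERT1 KEY1 DOMAIN2 CERT2 KEY2
# Local stand-in for the load balancer: s_server serves CERT1 by default
# and switches to CERT2 when the client's SNI equals DOMAIN2. Prints the
# server pid once the port accepts connections, fails after ~10 s.
start_sni_server() {
    openssl s_server -accept "$1" -www -cert "$2" -key "$3" \
        -servername "$4" -cert2 "$5" -key2 "$6" >/dev/null 2>&1 &
    srv=$!
    tries=0
    while [ "$tries" -lt 10 ]; do
        if openssl s_client -connect "127.0.0.1:$1" </dev/null >/dev/null 2>&1; then
            echo "$srv"
            return 0
        fi
        tries=$((tries + 1))
        sleep 1
    done
    kill "$srv" 2>/dev/null
    return 1
}

# served_subject HOST PORT : subject of the certificate offered for
# SNI=HOST (the "subject:" line that curl -v prints in step 5)
served_subject() {
    openssl s_client -servername "$1" -connect "127.0.0.1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Stand-alone run: build both pairs, check them, query the local SNI
# server once per domain, then stop it.
work="$(mktemp -d)"
make_selfsigned_cert first-domain "$work/test-ingress-1"
make_selfsigned_cert second-domain "$work/test-ingress-2"
for n in 1 2; do
    d=first-domain; [ "$n" = 2 ] && d=second-domain
    cert_has_san "$work/test-ingress-$n.crt" "$d" && echo "cert $n: SAN covers $d"
    key_matches_cert "$work/test-ingress-$n.key" "$work/test-ingress-$n.crt" && echo "cert $n: key matches"
done
port=$((20000 + $$ % 20000))
if srv_pid="$(start_sni_server "$port" "$work/test-ingress-1.crt" "$work/test-ingress-1.key" \
        second-domain "$work/test-ingress-2.crt" "$work/test-ingress-2.key")"; then
    echo "SNI first-domain  -> $(served_subject first-domain "$port")"
    echo "SNI second-domain -> $(served_subject second-domain "$port")"
    kill "$srv_pid"
fi
```

The .crt/.key files it writes are exactly what step 4 feeds to kubectl create secret tls. Against the real load balancer the same check is openssl s_client -servername first-domain -connect LB_IP:443, or, while DNS does not yet point at the IP, curl --resolve first-domain:443:LB_IP https://first-domain; in both cases the subject (and SAN) reported must be the one for the host name sent, not the other domain's.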