[Kubernetes] Using a ConfigMap and a Secret in K8s so a Pod can serve HTTPS

Many applications depend on configuration data during initialization or at runtime, and the values of those configuration parameters usually need to be adjustable without rebuilding the application. ConfigMap is the mechanism Kubernetes provides for injecting such configuration data into application Pods.
A ConfigMap is similar to a Secret: both are Kubernetes resource objects used to store configuration files, and all of their content is stored in etcd (note that Secret data is only base64-encoded there, not encrypted, unless encryption at rest is configured for etcd).

0. Requirements

Start an nginx Pod and project the nginx.conf configuration file into it with a ConfigMap.
Project the HTTPS certificate into the Pod with a Secret so that the Pod can serve HTTPS.

1. Prepare the nginx.conf configuration file

[root@jdmaster ~]# mkdir -p secret/nginx
[root@jdmaster ~]# cd secret/nginx/
[root@jdmaster nginx]# vim nginx.conf

Contents of nginx.conf:

worker_processes  4;
events {
    worker_connections  2048;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /etc/nginx/conf.d/tls.crt;
        ssl_certificate_key  /etc/nginx/conf.d/tls.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }
}

2. Store the contents of nginx.conf in a ConfigMap

https-nginx-1 is the name of the ConfigMap.

[root@jdmaster nginx]# kubectl create configmap https-nginx-1 --from-file=nginx.conf
configmap/https-nginx-1 created

[root@jdmaster nginx]# kubectl get cm
NAME               DATA   AGE
https-nginx-1      1      20s
kube-root-ca.crt   1      3d21h

[root@jdmaster nginx]# kubectl describe cm https-nginx-1

3. Create a Secret from the certificate

The certificate has to be purchased or obtained on a free trial; it can be bought or requested as a free trial from platforms such as Alibaba Cloud, Tencent Cloud or Huawei Cloud.

[root@jdmaster nginx]# ls
7318014_sanchuangedu.cn_nginx.zip  nginx.conf

[root@jdmaster nginx]# unzip 7318014_sanchuangedu.cn_nginx.zip 
Archive:  7318014_sanchuangedu.cn_nginx.zip
Aliyun Certificate Download
  inflating: 7318014_sanchuangedu.cn.pem  
  inflating: 7318014_sanchuangedu.cn.key  
  
[root@jdmaster nginx]# ls
7318014_sanchuangedu.cn.key  7318014_sanchuangedu.cn_nginx.zip  7318014_sanchuangedu.cn.pem  nginx.conf

Create it:

[root@jdmaster nginx]# kubectl create secret tls https-secret  --key 7318014_sanchuangedu.cn.key --cert 7318014_sanchuangedu.cn.pem
secret/https-secret created

Check that it was created (https-secret is the name of the Secret):

[root@jdmaster nginx]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-n5p7p   kubernetes.io/service-account-token   3      3d21h
https-secret          kubernetes.io/tls                     2      41s

View its contents:

[root@jdmaster nginx]# kubectl describe secret https-secret
Name:         https-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  3830 bytes
tls.key:  1679 bytes

4. Start a Pod that uses the ConfigMap and the Secret

[root@jdmaster nginx]# vim nginx.yaml

Contents of nginx.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: jd-nginx-1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: jd-nginx-1          # must match the Pod template labels; the Service in step 5 selects the same label
  template:
    metadata:
      labels:
        app: jd-nginx-1
    spec:
      volumes:
        - name: jd-nginx-config        # nginx.conf from the ConfigMap created in step 2
          configMap:
            name: https-nginx-1
            items:
            - key: nginx.conf
              path: nginx.conf
        - name: secret-volume          # tls.crt and tls.key from the kubernetes.io/tls Secret created in step 3
          secret:
            secretName: https-secret
      containers:
        - name: nginx
          image: "nginx:latest"
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 80
          - containerPort: 443
          volumeMounts:
          - name: jd-nginx-config
            mountPath: /etc/nginx/nginx.conf   # subPath mounts only this one file, so the rest of /etc/nginx is untouched
            subPath: nginx.conf
          - name: secret-volume
            mountPath: /etc/nginx/conf.d       # the paths nginx.conf uses in ssl_certificate / ssl_certificate_key

mountPath: /etc/nginx/conf.d # the directory to mount on; this conf.d directory must exist, and once the mount succeeds the directory's original contents are covered by the mounted volume, so whatever was in that directory is lost.

[root@jdmaster nginx]# kubectl apply -f nginx.yaml
deployment.apps/jd-nginx-1 created

Find the node each Pod was scheduled on, then check on that node whether the nginx inside the container started with 4 worker processes:

[root@jdmaster nginx]# kubectl get pod -o wide
NAME                          READY   STATUS    RESTARTS   AGE     IP            NODE       NOMINATED NODE   READINESS GATES
jd-nginx-1-55dccd7dcb-kntv7   1/1     Running   0          28s     10.244.2.29   jdnode-1   <none>           <none>
jd-nginx-1-55dccd7dcb-lwlbg   1/1     Running   0          28s     10.244.1.27   jdnode-2   <none>           <none>
jd-nginx-1-55dccd7dcb-rkzgf   1/1     Running   0          28s     10.244.1.26   jdnode-2   <none>           <none>

On node-1:

[root@jdnode-1 ~]# docker ps
CONTAINER ID   IMAGE                                               COMMAND                   CREATED              STATUS              PORTS     NAMES
0521d13d3ab4   ac232364af84                                        "/docker-entrypoint.…"   About a minute ago   Up About a minute             k8s_nginx_jd-nginx-1-55dccd7dcb-kntv7_default_42d734c8-7f6b-46db-baeb-bd14120cfece_0
[root@jdnode-1 ~]# docker top 0521d13d3ab4
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                45400               45379               0                   14:17               ?                   00:00:00            nginx: master process nginx -g daemon off;
101                 45426               45400               0                   14:17               ?                   00:00:00            nginx: worker process
101                 45427               45400               0                   14:17               ?                   00:00:00            nginx: worker process
101                 45428               45400               0                   14:17               ?                   00:00:00            nginx: worker process
101                 45429               45400               0                   14:17               ?                   00:00:00            nginx: worker process

Looks good.

Alternatively, exec into the Pod and inspect the contents of nginx.conf:

[root@jdmaster nginx]# kubectl exec -it jd-nginx-1-55dccd7dcb-kntv7 -- bash
root@jd-nginx-1-55dccd7dcb-kntv7:/# cat /etc/nginx/nginx.conf 
worker_processes  4;
events {
    worker_connections  2048;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
	listen  80;
	server_name localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
   server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /etc/nginx/conf.d/tls.crt;  # location of the certificate, given as an absolute path
        ssl_certificate_key  /etc/nginx/conf.d/tls.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

}

5. Expose the HTTPS Pod as a Service

[root@jdmaster nginx]# vim service.yaml

Contents of service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: my-https-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30080
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30443
    protocol: TCP
  selector:
    app: jd-nginx-1

[root@jdmaster nginx]# kubectl apply -f service.yaml
service/my-https-nginx created
[root@jdmaster nginx]# kubectl get svc
NAME             TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
kubernetes       ClusterIP   10.1.0.1       <none>        443/TCP                      3d21h
my-https-nginx   NodePort    10.1.254.151   <none>        80:30080/TCP,443:30443/TCP   13s

6. Test access

Open https://192.168.1.7:30443/ in a browser.
Success!
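As an added example (not code from the original post), here is a Python script that builds the same kubernetes.io/tls Secret manifest that `kubectl create secret tls` produces, and cross-checks that the `ssl_certificate` / `ssl_certificate_key` paths in nginx.conf point at `tls.crt` and `tls.key` under the Secret volume's mountPath, which is the mismatch that stops nginx from starting in this setup. The PEM strings are constructed placeholders and the function names are my own.

```python
import base64
import re

# Constructed sample input, not a real key pair: only the PEM headers matter to
# the checks below. In practice pass the contents of the .pem and .key files.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"

# The HTTPS server block from the post's nginx.conf, reduced to the directives checked here.
SAMPLE_NGINX_CONF = """
server {
    listen       443 ssl;
    ssl_certificate      /etc/nginx/conf.d/tls.crt;
    ssl_certificate_key  /etc/nginx/conf.d/tls.key;
}
"""


def tls_secret_manifest(name, cert_pem, key_pem, namespace="default"):
    """Build the kubernetes.io/tls Secret that `kubectl create secret tls` creates.

    The data keys are fixed by the Secret type (tls.crt and tls.key), and they
    become the file names in the directory the Secret volume is mounted on.
    """
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("cert is not a PEM certificate")
    if not re.search(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----", key_pem):
        raise ValueError("key is not a PEM private key")
    b64 = lambda s: base64.b64encode(s.encode()).decode()  # Secret .data is base64, not encryption
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)},
    }


def cert_path_mismatches(nginx_conf, mount_path):
    """Return (directive, path) pairs in nginx.conf that do not point at the mounted Secret.

    nginx refuses to start when ssl_certificate / ssl_certificate_key name a file
    that does not exist, so both must be <mountPath>/tls.crt and <mountPath>/tls.key.
    """
    base = mount_path.rstrip("/")
    expected = {"ssl_certificate": base + "/tls.crt", "ssl_certificate_key": base + "/tls.key"}
    found = []
    for directive, want in expected.items():
        for m in re.finditer(rf"^\s*{directive}\s+(\S+?)\s*;", nginx_conf, re.M):
            if m.group(1) != want:
                found.append((directive, m.group(1)))
    return found
```

Running `cert_path_mismatches(SAMPLE_NGINX_CONF, "/etc/nginx/conf.d")` returns an empty list for the post's manifest; changing the mountPath to anything else reports both directives.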
