Forwarding a service over HTTPS in a K8S cluster
How to put a service behind an HTTPS reverse proxy.
1. First, generate the certificate files
Create a cert directory and change into it
mkdir cert
cd cert
Generate the private key
openssl genrsa -out nginx.key 2048
Generate a self-signed certificate
openssl req -new -x509 -key nginx.key -days 10000 -out nginx.crt -subj /C=CN/ST=Shanghai/L=Shanghai/O=DevOps/CN=ingressnginx.com
This produces two files: nginx.crt and nginx.key
2. Write the nginxs.yaml file that implements the HTTPS forwarding
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-https-configmap
  namespace: pie-engine-uavjk
data:
  nginx.conf: |
    server {
        listen 443;
        server_name pxpen.shuzipeixian.com;
        ssl on;
        root html;
        index index.html index.htm index.nginx-debian.html;
        ssl_certificate /cert/nginx.crt;        # replace with your certificate file name
        ssl_certificate_key /cert/nginx.key;    # replace with your certificate key file name
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://IP:30011;         # proxy to your backend service port
            # proxy_cookie_domain domino.server nginx.server;
        }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-nginx-https
  namespace: pie-engine-uavjk
spec:
  replicas: 1
  selector:
    matchLabels:
      name: web-nginx-https
  template:
    metadata:
      labels:
        name: web-nginx-https
    spec:
      #nodeName: master
      nodeSelector:
        engine.node.uavsupervise: "true"
      containers:
      - name: web-nginx-https
        image: nginx:1.20.1
        imagePullPolicy: Always
        ports:
        - containerPort: 443
        volumeMounts:
        - name: configmap-volume
          mountPath: /etc/nginx/conf.d/nginx.conf
          subPath: nginx.conf
        - name: sslcert
          mountPath: /cert
      volumes:
      - name: configmap-volume
        configMap:
          name: nginx-https-configmap
          items:
          - key: nginx.conf
            path: nginx.conf
      - name: sslcert
        hostPath:
          path: /home/uav-jk/ssl/cert
---
apiVersion: v1
kind: Service
metadata:
  name: web-nginx-https
  namespace: pie-engine-uavjk
  labels:
    name: web-nginx-https
spec:
  type: NodePort
  selector:
    name: web-nginx-https
  ports:
  - port: 8081
    targetPort: 443
    nodePort: 30015
Note: nginx must be able to read the certificate files generated in step 1. In this manifest they come from the hostPath /home/uav-jk/ssl/cert on the node matched by the nodeSelector and are mounted into the container at /cert, which is the path the two directives refer to:
ssl_certificate /cert/nginx.crt; # replace with your certificate file name
ssl_certificate_key /cert/nginx.key; # replace with your certificate key file name
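Before deploying, it is worth running the server block above through a small audit for the settings a security reviewer would flag. The script below is an added example (my own Python, standard library only, not code from the original post): it embeds the page's server block as a constructed sample and reports the deprecated `ssl on;` form (nginx has preferred `listen 443 ssl;` since 1.15), the TLSv1 and TLSv1.1 versions that RFC 8996 deprecates, any certificate path that is not under the mounted /cert directory, and any weak cipher token that is enabled rather than negated with `!`. The finding codes, the mount path argument and the hardened variant are my own choices.

```python
"""Audit one nginx server block for TLS settings a reviewer would flag."""

# Constructed sample: the server block from the page's ConfigMap, placeholder IP kept.
NGINX_CONF = """
server {
    listen 443;
    server_name pxpen.shuzipeixian.com;
    ssl on;
    root html;
    index index.html index.htm index.nginx-debian.html;
    ssl_certificate /cert/nginx.crt;        # replace with your certificate file name
    ssl_certificate_key /cert/nginx.key;    # replace with your certificate key file name
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://IP:30011;
    }
}
"""

# The same block with the three changes the audit asks for (my hardened variant).
HARDENED_CONF = (
    NGINX_CONF.replace("listen 443;", "listen 443 ssl;")
    .replace("    ssl on;\n", "")
    .replace("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;")
)

DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
WEAK_CIPHER_TOKENS = {"RC4", "MD5", "NULL", "aNULL", "ADH", "DES", "3DES", "EXPORT"}


def parse_directives(conf):
    """Return (name, args) pairs for each simple directive; comments and block braces are skipped."""
    directives = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        parts = line.rstrip(";").split()
        directives.append((parts[0], parts[1:]))
    return directives


def audit_tls(conf, mount_paths=("/cert",)):
    """Return a list of (code, detail) findings for one server block."""
    seen = {}
    for name, args in parse_directives(conf):
        seen.setdefault(name, []).append(args)
    findings = []

    # 'ssl on;' still works on nginx 1.20 but is the deprecated spelling of 'listen ... ssl'.
    if any(args == ["on"] for args in seen.get("ssl", [])):
        findings.append(("ssl-directive", "'ssl on;' is deprecated since nginx 1.15; use 'listen 443 ssl;'"))
    listen_has_ssl = any("ssl" in args for args in seen.get("listen", []))
    if not listen_has_ssl and "ssl" not in seen:
        findings.append(("no-tls", "listen has no 'ssl' parameter and there is no 'ssl on;': port serves plaintext"))

    for args in seen.get("ssl_protocols", []):
        old = sorted(set(args) & DEPRECATED_PROTOCOLS)
        if old:
            findings.append(("old-tls", "deprecated protocol versions enabled: " + " ".join(old)))

    # The cert and key must live under a path that is actually mounted into the container.
    for directive in ("ssl_certificate", "ssl_certificate_key"):
        for args in seen.get(directive, []):
            path = args[0]
            if not any(path.startswith(m.rstrip("/") + "/") for m in mount_paths):
                findings.append(("cert-path", f"{directive} {path} is outside the mounted paths {mount_paths}"))

    # Only tokens without a leading '!' enable ciphers; negated ones are exclusions.
    for args in seen.get("ssl_ciphers", []):
        enabled = [t for t in args[0].split(":") if not t.startswith("!")]
        weak = sorted({t for t in enabled if t in WEAK_CIPHER_TOKENS})
        if weak:
            findings.append(("weak-cipher", "weak cipher tokens enabled: " + " ".join(weak)))
    return findings


def finding_codes(findings):
    """Set of finding codes, convenient for yes/no checks."""
    return {code for code, _ in findings}


if __name__ == "__main__":
    for label, conf in (("page config", NGINX_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_tls(conf) or "no findings")
```

On the page's block the audit reports the `ssl on;` directive and the two old protocol versions; the cipher string passes because every weak token in it is negated, and the certificate paths pass because they sit under the /cert mount.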
3. Deploy the service and access it
kubectl create -f nginxs.yaml
https://…:30015 # make sure the backend port used by the reverse proxy is correct
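When step 3 fails, the cause is usually a mismatch between the three objects rather than a problem inside nginx: a Service selector that does not match the pod labels, a targetPort that is not a containerPort, a volume naming a ConfigMap that does not exist, or a hostPath certificate directory that is absent on the node the pod was scheduled to (the page guards against the last one with nodeSelector). The script below is an added example (my own Python, not code from the original post) that cross-checks those references on the step 2 manifests; the objects are written as Python dicts because PyYAML is not in the standard library, and check_wiring() and the mutate() helper are my own.

```python
"""Cross-check the references between the Service, Deployment and ConfigMap of nginxs.yaml."""
import copy

# Constructed sample: the three objects from the page, as dicts (a real run would
# load them with yaml.safe_load_all on the manifest file).
NS = "pie-engine-uavjk"
CONFIGMAP = {
    "kind": "ConfigMap",
    "metadata": {"name": "nginx-https-configmap", "namespace": NS},
    "data": {"nginx.conf": "server { listen 443; ssl_certificate /cert/nginx.crt; }"},
}
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "web-nginx-https", "namespace": NS},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"name": "web-nginx-https"}},
        "template": {
            "metadata": {"labels": {"name": "web-nginx-https"}},
            "spec": {
                "nodeSelector": {"engine.node.uavsupervise": "true"},
                "containers": [{
                    "name": "web-nginx-https", "image": "nginx:1.20.1",
                    "ports": [{"containerPort": 443}],
                    "volumeMounts": [
                        {"name": "configmap-volume", "mountPath": "/etc/nginx/conf.d/nginx.conf",
                         "subPath": "nginx.conf"},
                        {"name": "sslcert", "mountPath": "/cert"},
                    ],
                }],
                "volumes": [
                    {"name": "configmap-volume", "configMap": {"name": "nginx-https-configmap",
                     "items": [{"key": "nginx.conf", "path": "nginx.conf"}]}},
                    {"name": "sslcert", "hostPath": {"path": "/home/uav-jk/ssl/cert"}},
                ],
            },
        },
    },
}
SERVICE = {
    "kind": "Service",
    "metadata": {"name": "web-nginx-https", "namespace": NS},
    "spec": {"type": "NodePort", "selector": {"name": "web-nginx-https"},
             "ports": [{"port": 8081, "targetPort": 443, "nodePort": 30015}]},
}


def check_wiring(objs):
    """Return a list of problem strings; an empty list means the three objects agree."""
    by_kind = {o["kind"]: o for o in objs}
    svc, dep, cm = by_kind["Service"], by_kind["Deployment"], by_kind["ConfigMap"]
    problems = []
    # Names only resolve inside one namespace.
    namespaces = {o["metadata"]["namespace"] for o in objs}
    if len(namespaces) != 1:
        problems.append(f"objects span namespaces {sorted(namespaces)}")
    pod = pod_spec = dep["spec"]["template"]
    pod_spec = pod["spec"]
    labels = pod["metadata"]["labels"]
    # Both selectors must be satisfied by the pod template labels.
    for owner, sel in (("Deployment", dep["spec"]["selector"]["matchLabels"]), ("Service", svc["spec"]["selector"])):
        unmet = {k: v for k, v in sel.items() if labels.get(k) != v}
        if unmet:
            problems.append(f"{owner} selector {unmet} not matched by pod labels {labels}")
    containers = pod_spec["containers"]
    container_ports = {p["containerPort"] for c in containers for p in c.get("ports", [])}
    for p in svc["spec"]["ports"]:
        if p["targetPort"] not in container_ports:
            problems.append(f"Service targetPort {p['targetPort']} is not a containerPort {sorted(container_ports)}")
        node_port = p.get("nodePort")
        if node_port is not None and not 30000 <= node_port <= 32767:
            problems.append(f"nodePort {node_port} outside the default 30000-32767 range")
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    for c in containers:
        for m in c.get("volumeMounts", []):
            if m["name"] not in volumes:
                problems.append(f"container {c['name']} mounts undeclared volume {m['name']}")
    for v in volumes.values():
        if "configMap" in v:
            if v["configMap"]["name"] != cm["metadata"]["name"]:
                problems.append(f"volume {v['name']} references ConfigMap {v['configMap']['name']}, "
                                f"manifest defines {cm['metadata']['name']}")
            for item in v["configMap"].get("items", []):
                if item["key"] not in cm["data"]:
                    problems.append(f"volume {v['name']} selects key {item['key']} missing from ConfigMap data")
        # A hostPath only exists on particular nodes; without placement the pod may land elsewhere.
        if "hostPath" in v and not (pod_spec.get("nodeSelector") or pod_spec.get("nodeName")):
            problems.append(f"hostPath volume {v['name']} with no nodeSelector/nodeName: "
                            "the file may be missing on the scheduled node")
    return problems


def mutate(obj, path, value):
    """Deep-copy obj and set the nested key path (dict keys or list indexes) to value; demo helper."""
    new = copy.deepcopy(obj)
    node = new
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return new


if __name__ == "__main__":
    print("as written:", check_wiring([CONFIGMAP, DEPLOYMENT, SERVICE]) or "no problems")
    wrong_port = mutate(SERVICE, ("spec", "ports", 0, "targetPort"), 8443)
    print("wrong targetPort:", check_wiring([CONFIGMAP, DEPLOYMENT, wrong_port]))
```

The manifests as written pass every check; each mutate() call in the demo breaks one link and produces exactly the problem line you would otherwise discover only by reading kubectl describe output after the deploy. Note that a hostPath volume also exposes a node directory to the pod, so a kubernetes.io/tls Secret is the usual alternative for the certificate when the cluster has more than one node.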