基于Secret实现nginx tls认证
签发nginx使用的证书
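#!/usr/bin/env bash
# Issue a private CA and a server certificate for www.mysite.com.
# The kubectl commands that follow reference nginx-certs/server.* from the
# parent directory, so return there once this script has finished.
set -euo pipefail
mkdir nginx-certs && cd nginx-certs

# Private CA. Its key signs the server certificate below and must stay on this host.
openssl genrsa -out ca.key 4096
chmod 600 ca.key
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=.com" \
  -key ca.key \
  -out ca.crt

# Server key and signing request.
openssl genrsa -out server.key 4096
chmod 600 server.key
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.mysite.com" \
  -key server.key \
  -out server.csr

# Sign the request with the CA. The subjectAltName extension is required:
# clients that follow RFC 6125 (modern browsers, Go, recent curl) ignore the
# CN and reject a certificate whose SAN does not match the host name.
openssl x509 -req -sha512 -days 3650 \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:www.mysite.com\n') \
  -in server.csr \
  -out server.crt
rm -f server.csr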
创建Secret
# Store the server certificate and key as a TLS Secret; Pods see them as tls.crt and tls.key.
kubectl create secret tls nginx-cert \
  --cert=nginx-certs/server.crt \
  --key=nginx-certs/server.key
准备nginx配置文件
# Print the nginx server configuration that will be packaged into the ConfigMap.
cat -- myserver-tls.conf
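###########################
# myserver-tls.conf: serves the static site over HTTPS and redirects plain
# HTTP to it. Certificate and key are the tls.crt / tls.key files of the
# mounted TLS Secret.
server {
    listen 80;
    listen 443 ssl;
    server_name www.mysite.com;

    ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
    ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
    # Offer only protocol versions without known downgrade weaknesses.
    ssl_protocols TLSv1.2 TLSv1.3;

    include /etc/nginx/conf.d/myserver-*.cfg;

    location / {
        root /usr/share/nginx/html;
        index index.html;

        # Redirect plain-HTTP requests to HTTPS, preserving the requested path.
        # The variable is $scheme (it was misspelled "$schme", so the redirect
        # never fired), and the target uses $server_name rather than the
        # client-supplied Host header.
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        # Single-page-app fallback: paths that do not exist on disk serve index.html.
        try_files $uri $uri/ /index.html;
    }
}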
将配置文件创建为configmap
# Package the nginx config as a ConfigMap; the key is the file name, myserver-tls.conf.
kubectl create configmap nginx-tls-conf \
  --from-file=myserver-tls.conf=./myserver-tls.conf
部署nginx Pod
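---
# nginx serving the TLS site: configuration from the nginx-tls-conf ConfigMap,
# certificate and key from the nginx-cert TLS Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-tls
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-tls
  template:
    metadata:
      labels:
        app: nginx-tls
    spec:
      containers:
        - name: nginx
          # TODO: pin an explicit tag; the bare name resolves to :latest and
          # changes underneath the Deployment on every pull.
          image: nginx
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          volumeMounts:
            # Mounted over conf.d, so the image's own files there are hidden
            # and only myserver.conf (see volumes) is loaded.
            - name: nginx-tls-conf
              mountPath: /etc/nginx/conf.d/
              readOnly: true
            # Secret entries tls.crt and tls.key appear as files under certs/.
            - name: nginx-cert
              mountPath: /etc/nginx/conf.d/certs/
              readOnly: true
      volumes:
        - name: nginx-tls-conf
          configMap:
            name: nginx-tls-conf
            optional: false
            items:
              - key: myserver-tls.conf
                path: myserver.conf
        - name: nginx-cert
          secret:
            secretName: nginx-cert
            optional: false
            # 0400 (written as decimal to avoid YAML octal ambiguity): the
            # private key is readable by the file owner only. Assumes the nginx
            # master process runs as root, as in the official image -- confirm
            # if runAsUser is set.
            defaultMode: 256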
创建Service
---
# Exposes the nginx-tls Pods on every node: 30080 for HTTP, 30443 for HTTPS.
apiVersion: v1
kind: Service
metadata:
  name: nginx-tls-svc
spec:
  type: NodePort
  selector:
    app: nginx-tls
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 30080
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
      nodePort: 30443
负载均衡中添加配置
/etc/hosts添加域名解析
访问测试
查看证书信息
私有镜像仓库认证
创建secret
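# Registry credentials for pulling private images. The password is read from a
# prompt instead of being typed on the command line, so it is not recorded in
# shell history or in this document. (Pull secrets are only base64-encoded in
# the cluster, not encrypted; restrict who can read Secrets in the namespace.)
read -rsp 'Registry password for wangxian776: ' REGISTRY_PASSWORD && echo
kubectl create secret docker-registry aliyun-image-registry \
  --docker-server=registry.cn-hangzhou.aliyuncs.com \
  --docker-username=wangxian776 \
  --docker-password="$REGISTRY_PASSWORD"
unset REGISTRY_PASSWORD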
创建pod测试
---
# Pulls a private image from the Aliyun registry using the aliyun-image-registry
# pull Secret; the container only sleeps so the pull result can be observed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: centos-test
spec:
  replicas: 2
  selector:
    matchLabels:
      app: centos-test
  template:
    metadata:
      labels:
        app: centos-test
    spec:
      # Secret the kubelet presents to the registry when pulling the image below.
      imagePullSecrets:
        - name: aliyun-image-registry
      containers:
        - name: centos
          image: registry.cn-hangzhou.aliyuncs.com/wangxian/centos:7.8.2003
          imagePullPolicy: IfNotPresent
          # command and args are concatenated into one argv, so this is the
          # same process as command ["/bin/bash"] with args ["-c", "sleep 3600"].
          command:
            - "/bin/bash"
            - "-c"
            - "sleep 3600"
查看Pod已经成功运行,就表示镜像下载成功