1. Ingress TLS 配置
采纳官网进行配置
Ingress TLS 配置
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
$ kubectl create secret tls tls-secret --key tls.key --cert tls.crt
$ vim ingress-https.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-https
spec:
tls:
- hosts:
- www1.westos.org
secretName: tls-secret
rules:
- host: www1.westos.org
http:
paths:
- path: /
backend:
serviceName: nginx-svc
servicePort: 80
配置tls的证书
创建key和证书
[kubeadm@server1 certs]$ ls
[kubeadm@server1 certs]$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
Generating a 2048 bit RSA private key
............................+++
.........+++
writing new private key to 'tls.key'
-----
[kubeadm@server1 certs]$ ls
tls.crt tls.key
[kubeadm@server1 certs]$
vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-demo
spec:
tls:
- hosts:
- www1.westos.org
secretName: tls-secret
rules:
- host: www1.westos.org
http:
paths:
- path: /
backend:
serviceName: ingress-nginx
servicePort: 80
输入www1.westos.org时自动重定向的https:…
2. Ingress 认证配置
Ingress 认证配置
# yum install -y httpd-tools
$ htpasswd -c auth wxh
New password:
Re-type new password:
Adding password for user wxh
$ kubectl create secret generic basic-auth --from-file=auth
secret/basic-auth created
安装httpd-tools工具
[kubeadm@server1 certs]$ sudo yum install httpd-tools.x86_64 -y
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to re
vim ingress-auth.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-with-auth
annotations:
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - yrx'
spec:
tls:
- hosts:
- www1.westos.org
secretName: tls-secret
rules:
- host: www1.westos.org
http:
paths:
- path: /
backend:
serviceName: ingress-nginx
servicePort: 80
测试:
发现tls加密和认证都成功
3. ingress地址重写
Ingress地址重写
$ vim ingress-rewrite.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
name: rewrite
namespace: default
spec:
rules:
- host: rewrite.westos.org
http:
paths:
- backend:
serviceName: http-svc
servicePort: 80
path: /something(/|$)(.*)
$ kubectl apply -f ingress-rewrite.yaml
(1) 访问域名时,直接重定向到hostname.html文件下
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: rewrite-example
annotations:
nginx.ingress.kubernetes.io/app-root: /hostname.html
spec:
rules:
- host: www1.westos.org
http:
paths:
- path: /
backend:
serviceName: ingress-nginx
servicePort: 80
(2)
www1.westos.org/demo rewrites to www1.westos.org/
www1.westos.org/demo/ rewrites to www1.westos.org/
www1.westos.org/demo/new rewrites to www1.westos.org/new
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
name: rewrite
spec:
rules:
- host: ww1.westos.org
http:
paths:
- backend:
serviceName: ingress-nginx
servicePort: 80
path: /demo(/|$)(.*)
当访问www1.westos.orgs时报错404,因为识别不到
当访问www1.westos.org/demo 或者 www1.westos.org/demo/
会被重定向至www1.westos.org
当访问 www1.westos.org/demo/hostname.html rewrites to www1.westos.org/hostname.html
在nginx-ingress pod中查看之前的操作,etcd会将操作同步
在nginx-ingress pod中查看之前的操作,etcd会将操作同步
[kubeadm@server1 certs]$ kubectl -n ingress-nginx exec -it nginx-ingress-controller-qvwvg -- bash
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
