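1. Prerequisites
Obtain a certificate for HTTPS; Alibaba Cloud offers free ones.
2. Create the secret
unzip 3937326_www.center.com_nginx.zip  # this archive is the certificate downloaded from Alibaba Cloud
mv 3937326_www.center.com.crt tls.crt
mv 3937326_www.center.com.key tls.key
cp tls.* /data/yaml
kubectl -n prod create secret tls center-com-secret --key ./tls.key --cert ./tls.crt
Parameters:
a) -n prod: the namespace; can be omitted if you do not use one
b) center-com-secret: the name of the secret holding the certificate; you choose it, and it is referenced below
3. Reference the secret in the Ingress and configure HTTPS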
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_FALLBACK_SCSV
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  labels:
    app: nginx
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /  # rewrite the path
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'  # redirect HTTP to HTTPS automatically
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"  # change the proxy timeout; the default is 60s
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  tls:
    - hosts:
        # must match the rule host below and the name the certificate was issued for
        - 'www.center.com'
      # kubectl create secret tls center-com-secret --key ./tls.key --cert ./tls.crt
      # the secret must live in the same namespace as this Ingress
      secretName: center-com-secret
  rules:
    # Domain name reachable from outside
    - host: www.center.com
      http:
        paths:
          # Entry path that can be configured
          - path: /
            pathType: Prefix
            backend:
              service:
                # Selector: routes to Service future-center-xcx-container-service
                # API access uses the internal service
                name: future-center-xcx-container-service
                # Internal container port
                port:
                  number: 8189
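An added example, not part of the original post: Kubernetes requires the hosts under spec.tls to explicitly match the host in rules, so a mismatch leaves the rule host without the intended certificate. The script below audits an Ingress in the shape returned by `kubectl get ingress -o json`; the sample manifest, its mismatched hosts and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl -n prod get ingress foo -o json`.
# The TLS host deliberately differs from the rule hosts to show the failure mode.
SAMPLE = json.loads("""
{
  "metadata": {"name": "foo", "namespace": "prod"},
  "spec": {
    "tls": [{"hosts": ["www.example.com"], "secretName": "center-com-secret"}],
    "rules": [{"host": "www.center.com"}, {"host": "api.center.com"}]
  }
}
""")


def host_matches(pattern, host):
    """Ingress host matching: exact, or a '*.' wildcard covering exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host


def audit_ingress_tls(ingress):
    """Return a list of findings; an empty list means every rule host is covered."""
    spec = ingress.get("spec", {})
    rules = spec.get("rules") or []
    findings, tls_hosts = [], []
    for i, entry in enumerate(spec.get("tls") or []):
        if not entry.get("secretName"):
            findings.append(f"tls[{i}]: no secretName")
        tls_hosts.extend(entry.get("hosts") or [])
    for rule in rules:
        host = rule.get("host")
        if not host:
            findings.append("rule without host: TLS cannot be matched to it")
        elif not any(host_matches(p, host) for p in tls_hosts):
            findings.append(f"rule host {host}: not listed under spec.tls hosts")
    for p in tls_hosts:
        if not any(host_matches(p, r.get("host") or "") for r in rules):
            findings.append(f"tls host {p}: matches no rule host")
    return findings


if __name__ == "__main__":
    for line in audit_ingress_tls(SAMPLE):
        print(line)
```

To check a live object, replace SAMPLE with the parsed JSON output of `kubectl -n prod get ingress foo -o json`.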