|NO.Z.00354|——————————|CloudNative|——|KuberNetes&Ops.V70|-----------------------------------------------------------|IngressNginx.v06|SSL configuration|



[CloudNative:KuberNetes&Ops.V70]                                                                      [Applications.KuberNetes] [|DevOps|k8s|k8s Ops|**3 nodes.V1**|IngressNginx SSL configuration|]








1. SSL configuration
### --- SSL configuration

~~~     # Official ingress-nginx TLS documentation:
~~~     https://kubernetes.github.io/ingress-nginx/user-guide/tls/
2. Configuring SSL / HTTPS: a single certificate for an Ingress
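### --- Generate a self-signed certificate and private key
~~~     Note: the -subj value below contains "0=" (digit zero) rather than "O=" (Organization),
~~~     which is why openssl prints "Subject Attribute 0 has no known NID, skipped"; the certificate is issued with the CN only.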

[root@k8s-master01 rewrite]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.cert -subj "/CN=test-tls.test.com/0=test-tls.test.com"
Generating a 2048 bit RSA private key
.................................................................................................................................................................................................................+++
....+++
writing new private key to 'tls.key'
-----
Subject Attribute 0 has no known NID, skipped
[root@k8s-master01 rewrite]# ls
tls.cert  tls.key
### --- Store the cert and key as a secret (the domain certificate)
~~~     This secret is a TLS-type secret

[root@k8s-master01 rewrite]# kubectl create secret tls ca-cert --key tls.key --cert tls.cert -n ratel-test1
secret/ca-cert created
### --- View the secret created for the domain certificate

[root@k8s-master01 rewrite]# kubectl get secret -n ratel-test1
NAME                  TYPE                                  DATA   AGE
ca-cert               kubernetes.io/tls                     2      61s
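
The certificate generated above carries only a CN (the mistyped `0=` attribute was skipped) and no subjectAltName, while many current TLS clients match hostnames against the SAN only. The following is an added example, not part of the original notes: it generates the pair with a SAN and checks that key and certificate belong together before the secret is created. The function names `make_tls_pair` and `check_tls_pair` are hypothetical, and OpenSSL 1.1.1 or later is assumed for `-addext` and `-ext`.

```bash
#!/usr/bin/env bash
# Added example: helper names are hypothetical; assumes OpenSSL 1.1.1+ (-addext, -ext).

# Generate a self-signed pair for an Ingress host, with the host listed in the SAN.
# $1 = hostname, $2 = existing output directory
make_tls_pair() {
  local host="$1" dir="$2"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/tls.key" -out "$dir/tls.cert" \
    -subj "/CN=${host}/O=${host}" \
    -addext "subjectAltName=DNS:${host}" 2>/dev/null || return 1
  chmod 600 "$dir/tls.key"   # private key readable by its owner only
}

# Return 0 only if the key matches the cert, the cert lists the host as a SAN,
# and the cert has not expired.
# $1 = hostname, $2 = certificate file, $3 = private key file
check_tls_pair() {
  local host="$1" cert="$2" key="$3" cert_pub key_pub
  [ -s "$cert" ] && [ -s "$key" ] || { echo "missing cert or key file" >&2; return 1; }
  # Compare digests of the public key taken from each file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
  # Exact match on a DNS SAN entry, so host.evil.example does not pass as host.
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | tr -d ' ' | grep -Fxq "DNS:${host}" \
    || { echo "certificate has no SAN entry for ${host}" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 1; }
}

# Usage with the names from these notes (the last step needs kubectl access):
#   make_tls_pair test-tls.test.com . \
#     && check_tls_pair test-tls.test.com tls.cert tls.key \
#     && kubectl create secret tls ca-cert --key tls.key --cert tls.cert -n ratel-test1
```
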
3. Configuring the Ingress
### --- Configure the Ingress

~~~     http://krm.test.com/ --> Ingress --> Create --> select cluster: test1
~~~     --> Namespace: ratel-test1 --> select service: ingress-test1
~~~     --> Ingress name: test-tls.test.com --> domain: test-tls.test.com
~~~     --> HTTPS: enabled --> certificate: ca-cert --> Create --> END
~~~     --> configure the hosts file: 192.168.1.11  test-tls.test.com
### --- Configure hosts

[root@k8s-master01 rewrite]# vim /etc/hosts
192.168.1.11 test-tls.test.com
### --- curl the domain to check whether it redirects
~~~     Once HTTPS is configured for this domain, HTTP requests are automatically redirected to HTTPS

[root@k8s-master01 rewrite]# curl test-tls.test.com -I
HTTP/1.1 308 Permanent Redirect
Date: Tue, 01 Jun 2021 06:50:54 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://test-tls.test.com/                
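4. Access the HTTPS domain: https://test-tls.test.com/
5. Disabling the forced HTTPS redirect
### --- Disable the forced HTTPS redirect

~~~     nginx.ingress.kubernetes.io/ssl-redirect: "false"
~~~     When HTTPS is configured, HTTP requests are forcibly redirected to it automatically; if you do not want the redirect,
~~~     set ssl-redirect to "false". The default is true, and that default is a global setting.
### --- Create the TLS.yaml file
~~~     The extensions/v1beta1 Ingress API used here was removed in Kubernetes 1.22; newer clusters need networking.k8s.io/v1.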

[root@k8s-master01 rewrite]# cat nginx-ingress-TLS.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  generation: 1
  name: test-tls
  namespace: ratel-test1
spec:
  rules:
  - host: test-tls.test.com
    http:
      paths:
      - backend:
          serviceName: ingress-test
          servicePort: 80
        path: /
  tls:
  - hosts:
    - test-tls.test.com
    secretName: ca-cert







