Ingress + Let's Encrypt

Register a domain name

Before you can use Let's Encrypt you need a domain name, for example one bought from GoDaddy, Name or a similar registrar. The exact steps are not covered here; follow the registrar's own tutorial.

Deploy the Nginx Ingress Controller

Deploy it directly with Helm (Helm 2 syntax and the old stable chart repository; rbac.create=true is needed on RBAC-enabled clusters so the controller gets its own ServiceAccount and Role bindings):

helm install stable/nginx-ingress --name nginx-ingress --set rbac.create=true --namespace=kube-system

Once it is running, look up the public IP address of the ingress service (assumed to be 6.6.6.6 in the rest of this page):

$ kubectl -n kube-system get service nginx-ingress-controller
NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
nginx-ingress-controller   LoadBalancer   10.0.216.124   6.6.6.6       80:31935/TCP,443:31797/TCP   4d

Then create an A record at your DNS provider pointing each domain you intend to use at 6.6.6.6. Let's Encrypt's HTTP-01 challenge fetches http://<domain>/.well-known/acme-challenge/... from the public internet, so the record must resolve and port 80 must be reachable before a certificate can be issued.

Enable Let's Encrypt

Install cert-manager, again with Helm 2 syntax. The two ingressShim settings make cert-manager watch for Ingress objects annotated kubernetes.io/tls-acme: "true" and request a certificate for them from the ClusterIssuer named letsencrypt, so the Ingress manifests below do not need their own Certificate resources:

# Install cert-manager
helm install --namespace=kube-system --name cert-manager stable/cert-manager --set ingressShim.defaultIssuerName=letsencrypt --set ingressShim.defaultIssuerKind=ClusterIssuer

# create cluster issuer
kubectl apply -f https://raw.githubusercontent.com/feiskyer/kubernetes-handbook/master/manifests/ingress-nginx/cert-manager/cluster-issuer.yaml

Before creating any Ingress, confirm with kubectl describe that the ClusterIssuer reports that its ACME account has been registered. Let's Encrypt rate-limits the production endpoint per registered domain, so while experimenting point the issuer at the staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory) and switch to production once the flow works end to end.

Create an Ingress

First, create a Secret holding the basic-auth credentials (the Dashboard Ingress below references it as basic-auth). nginx-ingress resolves auth-secret in the Ingress's own namespace, so the Secret is created in kube-system, where that Ingress lives. The file, and therefore the Secret key, must be named auth; that is the key the controller reads:

$ htpasswd -c auth foo
$ kubectl -n kube-system create secret generic basic-auth --from-file=auth
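When the htpasswd binary is not at hand, the same Secret can be produced with the standard library alone. The following is an added example, not code from the handbook: it writes htpasswd lines in the {SSHA} (salted SHA-1) form that nginx's auth_basic accepts, verifies a password against such a line the way nginx does, and renders the Secret manifest in the namespace of the Ingress that will use it. The user name foo and the kube-system/basic-auth names follow the page; the password is read from an assumed BASIC_AUTH_PASSWORD environment variable. None of the formats nginx supports is a slow hash, so the strength of this gate comes from a long random password, not from the hashing.

```python
"""Build an nginx basic-auth Secret without the htpasswd binary.

Added example (not from the kubernetes-handbook). Uses the {SSHA} htpasswd
format, which nginx's auth_basic_user_file understands, so only the Python
standard library is needed.
"""
import base64
import hashlib
import os
import secrets
from typing import List, Optional


def ssha_line(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return 'user:{SSHA}base64(sha1(password + salt) + salt)'."""
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"


def verify_line(line: str, user: str, password: str) -> bool:
    """Check a password against a {SSHA} line: first 20 bytes are the digest, the rest the salt."""
    name, _, hashed = line.partition(":")
    if name != user or not hashed.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(hashed[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return secrets.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


def basic_auth_secret(namespace: str, name: str, lines: List[str]) -> str:
    """Render the Secret; the controller reads the htpasswd file from the key 'auth'.

    namespace must be the namespace of the Ingress that references the Secret.
    """
    auth = base64.b64encode(("\n".join(lines) + "\n").encode()).decode()
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "type: Opaque\n"
        "data:\n"
        f"  auth: {auth}\n"
    )


if __name__ == "__main__":
    # Assumed environment variable; pipe the output into `kubectl apply -f -`.
    password = os.environ.get("BASIC_AUTH_PASSWORD", "change-me")
    print(basic_auth_secret("kube-system", "basic-auth", [ssha_line("foo", password)]))
```

Pipe the script's output into kubectl apply -f - to create the Secret; verify_line is there so a rotated credential can be checked against the stored line before the old one is removed.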

HTTP Ingress example

Create a TLS Ingress for the nginx service (port 80) that automatically redirects http://echo-tls.example.com to https://echo-tls.example.com. Controller-specific annotations must carry the nginx.ingress.kubernetes.io/ prefix; the bare ingress.kubernetes.io/ prefix is ignored by this controller. nginx-ingress redirects to HTTPS by default whenever a tls section is present, but the policy is stated explicitly here:

cat <<EOF | kubectl create -f-
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # ingress-shim requests a certificate from the default ClusterIssuer
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt
    # nginx-ingress reads only the nginx.ingress.kubernetes.io/ prefix
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - echo-tls.example.com
    secretName: web-tls   # cert-manager stores the issued certificate here
  rules:
  - host: echo-tls.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80
EOF

TLS Ingress

Create a TLS Ingress for the Kubernetes Dashboard service (port 443) that refuses plain HTTP for the domain and puts basic auth in front of it. The Dashboard serves TLS itself, so secure-backends tells nginx to speak HTTPS to the backend instead of sending plaintext to port 443 (later controller releases replaced this annotation with nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"). kubernetes.io/ingress.allow-http is an annotation of the GCE ingress controller; with nginx-ingress plain HTTP is handled by ssl-redirect, which is set explicitly below. Basic auth at the ingress is only an outer gate: the Dashboard's own token or kubeconfig login still applies, and the service account it runs under should not be cluster-admin.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard
  namespace: kube-system            # same namespace as the basic-auth Secret
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"   # GCE controller annotation; harmless here
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/secure-backends: "true"   # Dashboard listens on HTTPS
    certmanager.k8s.io/cluster-issuer: letsencrypt
spec:
  tls:
  - hosts:
    - dashboard.example.com
    secretName: dashboard-ingress-tls
  rules:
  - host: dashboard.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
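The annotation mistakes that bite with this setup are quiet ones: a bare ingress.kubernetes.io/ prefix or a GCE-only annotation is simply ignored, an auth-secret in the wrong namespace yields 503s, and a plaintext backend on port 443 fails the handshake. The following is an added example, not handbook code: a pre-flight linter for Ingress objects as this page uses them, with the two Ingresses rebuilt as Python dicts (constructed sample input; host, secret and service names follow the page) in a deliberately flawed form, plus a fixed() helper that applies the corrections so the same checks pass. It encodes the semantics of nginx-ingress and cert-manager's ingress-shim as described in this section and is not part of either project.

```python
"""Pre-flight checks for nginx-ingress + cert-manager Ingress objects.

Added example, not code from the kubernetes-handbook. The manifests below are
constructed sample input; the checks reflect the annotation semantics used on
this page (nginx-ingress annotation prefix, ingress-shim, auth-secret lookup).
"""
from typing import Dict, List

NGX = "nginx.ingress.kubernetes.io/"


def ingress(name, ns, annotations, host, tls_secret, svc, port):
    """Build an extensions/v1beta1 Ingress dict with one host and one path."""
    return {
        "apiVersion": "extensions/v1beta1", "kind": "Ingress",
        "metadata": {"name": name, "namespace": ns, "annotations": dict(annotations)},
        "spec": {
            "tls": [{"hosts": [host], "secretName": tls_secret}],
            "rules": [{"host": host, "http": {"paths": [
                {"path": "/", "backend": {"serviceName": svc, "servicePort": port}}]}}],
        },
    }


def check_ingress(ing: Dict, secrets_by_ns: Dict[str, List[str]]) -> List[str]:
    """Return findings; an empty list means the object is ready to apply."""
    meta, spec = ing["metadata"], ing["spec"]
    ns, ann = meta.get("namespace", "default"), meta.get("annotations", {})
    findings = []
    # nginx-ingress reads only its own prefix; the bare prefix is silently ignored.
    for key in ann:
        if key.startswith("ingress.kubernetes.io/"):
            findings.append(f"{key}: legacy prefix, use {NGX}{key.split('/', 1)[1]}")
    # allow-http belongs to the GCE controller, nginx-ingress does not read it.
    if "kubernetes.io/ingress.allow-http" in ann:
        findings.append("kubernetes.io/ingress.allow-http is a GCE annotation, ignored here")
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    rule_hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
    for host in sorted(rule_hosts - tls_hosts):
        findings.append(f"{host}: routed but not under tls, certificate will not cover it")
    if ann.get("kubernetes.io/tls-acme") == "true":
        # ingress-shim needs a secretName to store the certificate it obtains.
        if not tls_hosts:
            findings.append("tls-acme set but no tls section")
        if any(not t.get("secretName") for t in spec.get("tls", [])):
            findings.append("tls-acme set but a tls entry has no secretName")
    # State the HTTP->HTTPS policy explicitly instead of relying on the default.
    if tls_hosts and ann.get(NGX + "ssl-redirect") != "true":
        findings.append(f"{NGX}ssl-redirect is not 'true'")
    # auth-secret is resolved in the Ingress's own namespace.
    auth = ann.get(NGX + "auth-secret")
    if auth and auth not in secrets_by_ns.get(ns, []):
        findings.append(f"auth-secret {auth} not found in namespace {ns}")
    # Plaintext to a backend listening on 443 fails the TLS handshake.
    for r in spec.get("rules", []):
        for p in r.get("http", {}).get("paths", []):
            b = p["backend"]
            if b.get("servicePort") == 443 and ann.get(NGX + "secure-backends") != "true":
                findings.append(f"{b['serviceName']}:443 without {NGX}secure-backends")
    return findings


def fixed(ing: Dict) -> Dict:
    """Return a copy with the prefix corrected, allow-http dropped and ssl-redirect set."""
    rule, backend = ing["spec"]["rules"][0], ing["spec"]["rules"][0]["http"]["paths"][0]["backend"]
    out = ingress(ing["metadata"]["name"], ing["metadata"]["namespace"], {}, rule["host"],
                  ing["spec"]["tls"][0]["secretName"], backend["serviceName"], backend["servicePort"])
    for key, val in ing["metadata"]["annotations"].items():
        if key == "kubernetes.io/ingress.allow-http":
            continue
        if key.startswith("ingress.kubernetes.io/"):
            key = NGX + key.split("/", 1)[1]
        out["metadata"]["annotations"][key] = val
    out["metadata"]["annotations"][NGX + "ssl-redirect"] = "true"
    return out


# Constructed sample input: both Ingresses with the quiet mistakes named above.
SECRETS = {"kube-system": ["basic-auth"]}   # what `kubectl get secret -A` would report
WEB_LEGACY = ingress("web", "default", {
    "kubernetes.io/tls-acme": "true", "kubernetes.io/ingress.class": "nginx",
    "ingress.kubernetes.io/ssl-redirect": "true",          # bare prefix: ignored
    "certmanager.k8s.io/cluster-issuer": "letsencrypt", NGX + "rewrite-target": "/"},
    "echo-tls.example.com", "web-tls", "nginx", 80)
DASHBOARD_LEGACY = ingress("dashboard", "kube-system", {
    "kubernetes.io/ingress.class": "nginx", "kubernetes.io/tls-acme": "true",
    "kubernetes.io/ingress.allow-http": "false",           # GCE-only annotation
    NGX + "auth-realm": "Authentication Required", NGX + "auth-secret": "basic-auth",
    NGX + "auth-type": "basic", NGX + "secure-backends": "true",
    "certmanager.k8s.io/cluster-issuer": "letsencrypt"},
    "dashboard.example.com", "dashboard-ingress-tls", "kubernetes-dashboard", 443)

if __name__ == "__main__":
    for name, ing in (("web", WEB_LEGACY), ("dashboard", DASHBOARD_LEGACY)):
        print(name, check_ingress(ing, SECRETS), "->", check_ingress(fixed(ing), SECRETS))
```

Run with the real objects by loading kubectl get ingress -o json output into the same dict shape; the secrets_by_ns argument is the namespace-to-Secret-name map the auth-secret check needs, and is the part most often wrong when a Secret was created with the wrong -n.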
