Kubernetes Ingress Let’s Encrypt

Register a domain

Let's Encrypt only issues certificates for domain names you control, so register one first (for example at GoDaddy or Name.com). The registration steps are not covered here; any registrar's own guide will do.

Deploy the Nginx Ingress Controller

Deploy it directly with Helm (this is Helm 2 syntax; with Helm 3 the release name is a positional argument instead of --name, and the stable/nginx-ingress chart has since been deprecated in favour of the ingress-nginx chart):

    helm install stable/nginx-ingress --name nginx-ingress --set rbac.create=true --namespace=kube-system

Once it is running, look up the public IP address of the Ingress service (the rest of this page assumes it is 6.6.6.6):

    $ kubectl -n kube-system get service nginx-ingress-controller
    NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
    nginx-ingress-controller   LoadBalancer   10.0.216.124   6.6.6.6       80:31935/TCP,443:31797/TCP   4d

Then create an A record at your registrar (or DNS provider) that points each domain you want to use at 6.6.6.6. cert-manager's ingress shim proves control of the domain with the ACME HTTP-01 challenge, in which Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token> from the public internet, so the name must resolve publicly to the ingress IP and port 80 must be reachable before any certificate can be issued.

Enable Let's Encrypt

Install cert-manager and create a ClusterIssuer named letsencrypt; the ingress shim is configured to use it by default for every Ingress annotated with kubernetes.io/tls-acme: "true":

    # Install cert-manager
    helm install --namespace=kube-system --name cert-manager stable/cert-manager --set ingressShim.defaultIssuerName=letsencrypt --set ingressShim.defaultIssuerKind=ClusterIssuer
    # create cluster issuer
    kubectl apply -f https://raw.githubusercontent.com/feiskyer/kubernetes-handbook/master/manifests/ingress-nginx/cert-manager/cluster-issuer.yaml

The stable/cert-manager chart and the certmanager.k8s.io annotations used on this page belong to the legacy cert-manager releases; the project has since moved to its own Helm repository and to the cert-manager.io API group, so check the version you actually install before copying the annotations below. Let's Encrypt also rate-limits issuance per domain, so if you expect to recreate the Ingress repeatedly while testing, point the issuer at the staging ACME endpoint first.

Create the Ingress

First, create a Secret holding the credentials for HTTP basic authentication (used by the Dashboard Ingress below):

    $ htpasswd -c auth foo
    $ kubectl -n kube-system create secret generic basic-auth --from-file=auth

The file must be called auth, because the nginx controller reads the key named auth from the Secret, and the Secret must live in the same namespace as the Ingress that references it (kube-system here).

Ingress with HTTP-to-HTTPS redirect

Create a TLS Ingress for the nginx Service (port 80) that also redirects http://echo-tls.example.com to https://echo-tls.example.com:

    cat <<EOF | kubectl create -f-
    # extensions/v1beta1 is the Ingress API this page targets; it was removed in
    # Kubernetes 1.22, where networking.k8s.io/v1 replaces it.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: web
      namespace: default
      annotations:
        kubernetes.io/tls-acme: "true"                    # let cert-manager's ingress shim request the certificate
        kubernetes.io/ingress.class: "nginx"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"  # redirect plain HTTP to HTTPS (nginx annotation prefix)
        certmanager.k8s.io/cluster-issuer: letsencrypt
        nginx.ingress.kubernetes.io/rewrite-target: /     # no-op for path /, kept from the original
    spec:
      tls:
      - hosts:
        - echo-tls.example.com
        secretName: web-tls                               # cert-manager stores the issued certificate and key here
      rules:
      - host: echo-tls.example.com
        http:
          paths:
          - path: /
            backend:
              serviceName: nginx
              servicePort: 80
    EOF

TLS Ingress

Create a TLS Ingress for the Kubernetes Dashboard Service (port 443), protected by basic authentication, and do not serve it over plain HTTP:

    # Dashboard behind the nginx ingress: Let's Encrypt TLS at the edge, HTTP basic
    # auth, and HTTPS from the controller to the Dashboard's own port 443.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        kubernetes.io/tls-acme: "true"
        # Honoured by the GCE ingress controller; the nginx controller ignores it but
        # already redirects HTTP to HTTPS by default once a tls section is present.
        kubernetes.io/ingress.allow-http: "false"
        nginx.ingress.kubernetes.io/auth-realm: Authentication Required
        nginx.ingress.kubernetes.io/auth-secret: basic-auth   # the Secret created above, same namespace
        nginx.ingress.kubernetes.io/auth-type: basic
        # Speak HTTPS to the backend, since the Dashboard serves TLS itself. Newer
        # controllers spell this nginx.ingress.kubernetes.io/backend-protocol: "HTTPS".
        # The Dashboard's self-signed certificate is not verified by default.
        nginx.ingress.kubernetes.io/secure-backends: "true"
        certmanager.k8s.io/cluster-issuer: letsencrypt
      name: dashboard
      namespace: kube-system
    spec:
      tls:
      - hosts:
        - dashboard.example.com
        secretName: dashboard-ingress-tls
      rules:
      - host: dashboard.example.com
        http:
          paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 443
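The whole procedure above (ingress IP, DNS record, cert-manager issuance, the HTTPS redirect and the basic-auth gate) can be verified from outside the cluster. The script below is an added example written for this page, not part of the kubernetes-handbook manifests or of cert-manager; it assumes the hostnames echo-tls.example.com and dashboard.example.com from the text, takes the ingress IP (6.6.6.6 above) as its argument, and needs curl, openssl and getent on the machine it runs from. The response samples embedded in it are constructed to show what a healthy deployment answers and are only used by self_test.

```shell
#!/bin/sh
# verify-ingress-tls.sh: external checks for the Ingresses set up on this page.
# Added example; not part of the kubernetes-handbook manifests. Assumed values:
# hosts echo-tls.example.com / dashboard.example.com, ingress IP passed as $1.
set -eu

# ---- pure helpers: operate on captured text so they also run without a cluster ----

# is_https_redirect HOST HEADERS: HEADERS is the output of `curl -sI http://HOST/`.
# Succeeds on a 301/302/307/308 whose Location is https://HOST/... (ssl-redirect at work).
is_https_redirect() {
  local host="$1" hdrs
  hdrs=$(printf '%s\n' "$2" | tr -d '\r')
  printf '%s\n' "$hdrs" | grep -qE '^HTTP/[0-9.]+ +(301|302|307|308)( |$)' || return 1
  printf '%s\n' "$hdrs" | grep -qiE "^location: *https://${host}"'([/?]|$)'
}

# requires_basic_auth HEADERS: succeeds if an unauthenticated request got 401 plus a
# Basic challenge, i.e. the auth-type/auth-secret annotations are in effect.
requires_basic_auth() {
  local hdrs
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  printf '%s\n' "$hdrs" | grep -qE '^HTTP/[0-9.]+ +401( |$)' || return 1
  printf '%s\n' "$hdrs" | grep -qiE '^www-authenticate: *basic'
}

# cert_ok HOST CERT_TEXT: CERT_TEXT is `openssl x509 -noout -text` of the served leaf.
# Succeeds if the issuer is Let's Encrypt and HOST appears as a DNS SAN.
cert_ok() {
  local host="$1" text="$2"
  printf '%s\n' "$text" | grep -qE "^ *Issuer:.*O ?= ?Let's Encrypt" || return 1
  printf '%s\n' "$text" | grep -qE "DNS:${host}"'(,|$)'
}

# ---- constructed samples (what a healthy deployment answers), used by self_test ----
SAMPLE_REDIRECT='HTTP/1.1 308 Permanent Redirect
Server: nginx
Location: https://echo-tls.example.com/'
SAMPLE_401='HTTP/1.1 401 Unauthorized
Server: nginx
WWW-Authenticate: Basic realm="Authentication Required"'
SAMPLE_CERT=$(cat <<'EOF'
Certificate:
    Data:
        Issuer: C = US, O = Let's Encrypt, CN = R3
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:echo-tls.example.com, DNS:dashboard.example.com
EOF
)

self_test() {
  is_https_redirect echo-tls.example.com "$SAMPLE_REDIRECT" || return 1
  ! is_https_redirect evil.example.com "$SAMPLE_REDIRECT" || return 1
  requires_basic_auth "$SAMPLE_401" || return 1
  ! requires_basic_auth "$SAMPLE_REDIRECT" || return 1
  cert_ok dashboard.example.com "$SAMPLE_CERT" || return 1
  ! cert_ok www.example.com "$SAMPLE_CERT" || return 1
}

# ---- live checks: need curl, openssl, getent and a route to the ingress IP ----

# check_host HOST EXPECTED_IP [auth]
check_host() {
  local host="$1" ip="$2" auth="${3:-}" resolved hdrs pem
  resolved=$(getent ahostsv4 "$host" | awk '{print $1; exit}')
  [ "$resolved" = "$ip" ] ||
    { echo "FAIL $host resolves to '${resolved}', expected $ip (HTTP-01 cannot succeed)"; return 1; }
  hdrs=$(curl -sI --max-time 10 "http://$host/")
  is_https_redirect "$host" "$hdrs" || { echo "FAIL $host: HTTP not redirected to HTTPS"; return 1; }
  pem=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null | openssl x509)
  cert_ok "$host" "$(printf '%s\n' "$pem" | openssl x509 -noout -text)" ||
    { echo "FAIL $host: certificate not from Let's Encrypt or missing SAN"; return 1; }
  printf '%s\n' "$pem" | openssl x509 -noout -checkend $((14 * 86400)) >/dev/null ||
    { echo "FAIL $host: certificate expires within 14 days; cert-manager is not renewing"; return 1; }
  if [ "$auth" = auth ]; then
    hdrs=$(curl -sI --max-time 10 "https://$host/")
    requires_basic_auth "$hdrs" || { echo "FAIL $host: served without a Basic auth challenge"; return 1; }
  fi
  echo "ok   $host"
}

# Usage: sh verify-ingress-tls.sh 6.6.6.6   (no arguments: only define the helpers)
if [ "$#" -ge 1 ]; then
  self_test
  check_host echo-tls.example.com "$1"
  check_host dashboard.example.com "$1" auth
fi
```

Run it as `sh verify-ingress-tls.sh 6.6.6.6` once the Certificate resources report Ready. A DNS record that does not point at the ingress IP is the most common reason HTTP-01 issuance fails silently, so that is checked first; the expiry check catches a cert-manager that issued once but is no longer renewing (Let's Encrypt certificates are valid for 90 days and cert-manager renews them well before that); and the 401 check confirms the Dashboard cannot be reached without credentials.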

References