我的书签
添加书签
移除书签kubernetes_ingress_letsencrypt
申请 Domain Name
首先就是申请一个你要的网域, 这边网路上资源很多都可以查一下哪个网域商或是一些相关的建议, 这边我就先不去多做介绍了, 文章中会以 sam.nctu.me 来作范例
用 Letsencrypt 来签发凭证
这边我们用手动的把它先签下来, 上 Letsencrypt 去安装 certbot, 手动签的方式也可以参考签 letsencrpyt 凭证 文章, 输入以下指令来签凭证
$ sudo certbot certonly --standalone sam.nctu.me
结果会如下方显示
IMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at:/etc/letsencrypt/live/sam.nctu.me/fullchain.pemYour key file has been saved at:/etc/letsencrypt/live/sam.nctu.me/privkey.pemYour cert will expire on 2017-12-15. To obtain a new or tweakedversion of this certificate in the future, simply run certbotagain. To non-interactively renew *all* of your certificates, run"certbot renew"- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donateDonating to EFF: https://eff.org/donate-le
签好后会自动放在
/etc/letsencrypt/live/sam.nctu.me/
可以看到裡面的凭证, 权限必须是 root 才能看到这个资料夹的内容
# lscert.pem chain.pem fullchain.pem privkey.pem README
这样凭证就签完了
设置 Kubernetes Secret
将 fullchain.pem(因为使用 nginx controller) 与 privkey.pem 来建立 secret, 这之后会配置给 ingress 使用
$ kubectl create secret tls tls-certs --cert fullchain.pem --key privkey.pem
查看 secret
$ kubectl get secretNAME TYPE DATA AGEdefault-token-rtlbl kubernetes.io/service-account-token 3 6dtls-certs kubernetes.io/tls 2 55m
以建立完成
建立 Ingress
我们先去建立一个 ingress 的 yaml 档, 来帮助我们 create ingress 并加入 tls 的设定
ingress.yaml
apiVersion: extensions/v1beta1kind: Ingressmetadata:name: nginx-ingressspec:tls:- hosts:- sam.nctu.mesecretName: tls-certsrules:- host: sam.nctu.mehttp:paths:- backend:serviceName: phpmyadminservicePort: 80
然后建立此 Ingress
$ kubectl create -f ingress.yaml
并查看
$ kubectl get ingressNAME HOSTS ADDRESS PORTS AGEnginx-ingress sam.nctu.me 80, 443 1h
建立 default-backend
先建立一个 delfault, 如果试着用 ip 直接 request 或是没有设定过的 domain name, 会回传 404
default-backend.yaml
apiVersion: extensions/v1beta1kind: Deploymentmetadata:name: default-http-backendlabels:k8s-app: default-http-backendnamespace: kube-systemspec:replicas: 1template:metadata:labels:k8s-app: default-http-backendspec:terminationGracePeriodSeconds: 60containers:- name: default-http-backend# Any image is permissable as long as:# 1. It serves a 404 page at /# 2. It serves 200 on a /healthz endpointimage: gcr.io/google_containers/defaultbackend:1.0livenessProbe:httpGet:path: /healthzport: 8080scheme: HTTPinitialDelaySeconds: 30timeoutSeconds: 5ports:- containerPort: 8080resources:limits:cpu: 10mmemory: 20Mirequests:cpu: 10mmemory: 20Mi---apiVersion: v1kind: Servicemetadata:name: default-http-backendnamespace: kube-systemlabels:k8s-app: default-http-backendspec:ports:- port: 80targetPort: 8080selector:k8s-app: default-http-backend
$ kubectl create -f default-backend.yaml
建立 Ingress-Nginx-Controller
这边有个小坑, 在建立之前要先设置 RBAC 才会顺利建起来, 花了点时间才发现, 所以我们要先建立相关的 RBAC
ingress-controller-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1kind: ClusterRolemetadata:name: ingressrules:- apiGroups:- ""resources:- configmaps- secrets- services- endpoints- ingresses- nodes- podsverbs:- list- watch- apiGroups:- "extensions"resources:- ingressesverbs:- get- list- watch- apiGroups:- ""resources:- events- servicesverbs:- create- list- update- get- patch- apiGroups:- "extensions"resources:- ingresses/status- ingressesverbs:- update---apiVersion: rbac.authorization.k8s.io/v1beta1kind: Rolemetadata:name: ingress-nsnamespace: kube-systemrules:- apiGroups:- ""resources:- podsverbs:- list- apiGroups:- ""resources:- servicesverbs:- get- apiGroups:- ""resources:- endpointsverbs:- get- create- update---apiVersion: rbac.authorization.k8s.io/v1beta1kind: RoleBindingmetadata:name: ingress-ns-bindingnamespace: kube-systemroleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: ingress-nssubjects:- kind: ServiceAccountname: ingressnamespace: kube-system---apiVersion: rbac.authorization.k8s.io/v1beta1kind: ClusterRoleBindingmetadata:name: ingress-bindingroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: ingresssubjects:- kind: ServiceAccountname: ingressnamespace: kube-system---apiVersion: v1kind: ServiceAccountmetadata:name: ingressnamespace: kube-system
$ kubectl create -f ingress-controller-rbac.yaml
之后就可以建立 Ingress-controller
nginx-ingress-daemonset.yaml
apiVersion: extensions/v1beta1kind: DaemonSetmetadata:name: nginx-ingress-controllerlabels:k8s-app: nginx-ingress-controllernamespace: kube-systemspec:template:metadata:labels:k8s-app: nginx-ingress-controllerspec:# hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration# however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host# that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used# like with kubeadmhostNetwork: trueterminationGracePeriodSeconds: 60serviceAccountName: ingresscontainers:- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.3name: nginx-ingress-controllerreadinessProbe:httpGet:path: /healthzport: 10254scheme: HTTPlivenessProbe:httpGet:path: /healthzport: 10254scheme: HTTPinitialDelaySeconds: 10timeoutSeconds: 1ports:- containerPort: 80hostPort: 80- containerPort: 443hostPort: 443env:- name: POD_NAMEvalueFrom:fieldRef:fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespaceargs:- /nginx-ingress-controller- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
$ kubectl create -f nginx-ingress-daemonset.yaml
查看是否有建立完成
$ kubectl get pod -n kube-systemnginx-ingress-controller-3q2b0 1/1 Running 0 1hnginx-ingress-controller-j28sz 1/1 Running 0 1hnginx-ingress-controller-lrn34 1/1 Running 0 1h
然后再测试 直接输入 https://sam.nctu.tw 就行了, 当然这边只是测试, 记得换成你设定的 domain name
以上相關代碼放在 github
