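# Create a throwaway CA, then issue a server certificate for test.sy.com signed by it.
# -nodes writes both private keys unencrypted, so they are restricted to the owner below.

# Self-signed CA certificate.
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=My Cert Authority'

# Server key and CSR; CN is the hostname the ingress will serve.
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=test.sy.com'

# Current browsers and many TLS libraries verify the hostname against subjectAltName
# and ignore CN, so the name is written into the SAN extension as well.
printf 'subjectAltName=DNS:test.sy.com\n' > server.ext

# Sign the CSR. The leaf lifetime is kept shorter than the CA's: the original 3650-day
# leaf outlived the 3560-day CA, so the chain would stop validating before the leaf expired.
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -extfile server.ext -out server.crt

# Keep the unencrypted private keys readable by the owner only.
chmod 600 ca.key server.key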
上面的 CN= 是目标服务要使用的域名。注意:较新的浏览器和不少 TLS 客户端库只根据证书的 subjectAltName(SAN)校验主机名,不再回退到 CN,因此签发证书时最好同时把该域名写入 SAN。
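# Store the server certificate and key as a kubernetes.io/tls Secret in the test namespace.
# `create secret tls` checks that the certificate and key belong together before creating
# the Secret and stores them under the tls.crt / tls.key keys the ingress expects.
# Only server.crt and server.key are uploaded; ca.key stays off the cluster.
kubectl create secret tls tls-secret --cert=server.crt --key=server.key -n test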
ingress 中的 host 一定要与证书的 CN 相同,在 tls 配置中引用前面创建的 secret:
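# Ingress that terminates TLS for test.sy.com using the certificate stored in tls-secret.
# NOTE(review): the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22; newer
# clusters need networking.k8s.io/v1, which uses a different backend/pathType schema.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test
  namespace: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Redirect plain-HTTP requests for this host to HTTPS.
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  rules:
  - host: test.sy.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-test
          servicePort: 6080
  tls:
  - hosts:
    # Must be a name the certificate is valid for.
    - test.sy.com
    # Secret in the same namespace holding tls.crt / tls.key.
    secretName: tls-secret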
[root@ingress]# curl --cacert ca.crt https://test.sy.com/abc/check_health.jsp
hello 2020-03-19
创建 basic-auth 用户 foo,密码 123456,将用户信息提交到 kubernetes:
# htpasswd prompts for foo's password and writes the hashed entry to a file named
# "auth"; -c creates the file, overwriting any existing one.
# NOTE(review): htpasswd defaults to the apr1 (MD5) scheme; -B (bcrypt) is stronger but
# only helps if the controller's nginx build can verify bcrypt hashes. Confirm before switching.
htpasswd -c auth foo

# Upload the file as a Secret in the test namespace. The Secret key is "auth", which is
# the key ingress-nginx reads for auth-type: basic.
kubectl create secret generic basic-auth --namespace=test --from-file=auth=auth
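# Ingress that protects test.sy.com with HTTP Basic authentication.
# NOTE(review): this variant has no tls: section, so the Basic credentials travel over
# plain HTTP (base64 is an encoding, not encryption); pair it with TLS outside a demo.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test
  namespace: test
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: test.sy.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-test
          servicePort: 6080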
不加认证
[root@ingress]# curl http://test.sy.com/abc/check_health.jsp
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>openresty/1.15.8.1</center>
</body>
</html>
加认证
[root@ingress]# curl http://test.sy.com/abc/check_health.jsp -u 'foo:123456'
hello 2020-03-19
加 https 的认证(basic auth 的用户名和密码只是 base64 编码,走 HTTP 时等同明文传输,所以应与 TLS 一起使用):
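# Ingress combining TLS termination with HTTP Basic authentication for test.sy.com,
# so the Basic credentials are only sent inside the TLS session.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test
  namespace: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Redirect plain-HTTP requests for this host to HTTPS.
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: test.sy.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-test
          servicePort: 6080
  tls:
  - hosts:
    # Must be a name the certificate is valid for.
    - test.sy.com
    # Secret in the same namespace holding tls.crt / tls.key.
    secretName: tls-secret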
[root@ingress]# curl --cacert ca.crt -u 'foo:123456' https://test.sy.com/abc/check_health.jsp
hello 2020-03-19