ingress-nginx传输加密与认证
1. ingress-nginx设置https证书
1.1 准备证书
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=My Cert Authority'
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=test.sy.com'
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt上面的 CN= 是目标服务要使用的域名。
1.2 将证书上传至k8s
kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key -n test1.3 配置ingress
ingress 中的 host 一定要与证书的 CN 相同,在 tls 配置中引用前面创建的 secret:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat-test
namespace: test
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
rules:
- host: test.sy.com
http:
paths:
- path: /
backend:
serviceName: tomcat-test
servicePort: 6080
tls:
- hosts:
- test.sy.com
secretName: tls-secret1.4 访问
[root@ingress]# curl --cacert ca.crt https://test.sy.com/abc/check_health.jsp
hello 2020-03-192. 认证
2.1 创建用户设置密码
创建 basic-auth 用户 foo,密码 123456,将用户信息提交到 kubernetes:
htpasswd -c auth foo
kubectl -n test create secret generic basic-auth --from-file=auth2.2 设置ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat-test
namespace: test
annotations:
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
rules:
- host: test.sy.com
http:
paths:
- path: /
backend:
serviceName: tomcat-test
servicePort: 60802.3 设置ingress
不加认证
[root@ingress]# curl http://test.sy.com/abc/check_health.jsp
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>openresty/1.15.8.1</center>
</body>
</html>加认证
[root@ingress]# curl http://test.sy.com/abc/check_health.jsp -u 'foo:123456'
hello 2020-03-19加https的认证
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat-test
namespace: test
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
rules:
- host: test.sy.com
http:
paths:
- path: /
backend:
serviceName: tomcat-test
servicePort: 6080
tls:
- hosts:
- test.sy.com
secretName: tls-secret[root@ingress]# curl --cacert ca.crt -u 'foo:123456' https://test.sy.com/abc/check_health.jsp
hello 2020-03-19参考链接
- https://kubernetes.github.io/ingress-nginx/user-guide/tls/
- https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2020-04-21,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
