Kubernetes服务使用HTTPS

huangapple go评论105阅读模式
英文:

Kubernetes service on HTTPS

问题

要求:设置一个可通过HTTPS在浏览器上公开访问的Kubernetes服务。

我浏览了互联网,无论在哪里,我都看到nginx-ingress可以提供HTTPS URL。

我已经设置了一个入口,并且它正在按预期工作。
但我有疑问,这个入口只会在我本地运行,因为我在本地的/etc/hosts文件中进行了更改?如何使https URL 可以公开访问?我希望我的负载均衡服务可以通过HTTPS公开访问。我的应用正在GKE集群上运行。请指导。

英文:

Requirement: To set up a Kubernetes service that is publicly accessible on the browser on HTTPS

I browsed through the internet and everywhere I saw nginx-ingress which can give HTTPS URL.

I have an ingress setup and its working as expected
But my doubt is, this ingress will only run on my local, as I make the changes in /etc/hosts file of local? How can I make https url publicly accessible? I want my load balancer service to be accessed publicly with HTTPS. I have my application running on GKE Cluster. Please guide

答案1

得分: 1

我有一个Ingress设置,它按预期工作。但我的疑问是:

猜测你正在使用GKE,并运行Nginx Ingress控制器,同时公开了IP地址。你可能会将域名记录添加到 /etcs/hosts 并映射到来自GCP的负载均衡器IP

你必须使用DNS将负载均衡器IP与你的主机名进行映射。在DNS 服务器中添加A记录,映射到域名

example.com 192.168.xx.xx

你可以在这里了解更多关于HTTPS证书创建的信息:https://kubernetes.github.io/ingress-nginx/user-guide/tls/

你的Ingress将如下所示:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - example.com
    secretName: letsencrypt-staging
  rules:
    - host: example.com
      http:
        paths:
          - path: /api/users/?(.*)
            pathType: Prefix
            backend:
              service:
                name: auth-srv
                port:
                  number: 3000

如果打算使用cert-manager,请阅读我的文章:https://medium.com/@harsh.manvar111/kubernetes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d(文章中使用了旧的API版本Ingress,请使用上述的参考)。

上述配置在浏览器中打开时会提供自签名证书,因此建议使用Cert-manager免费SSL网站下载并创建证书。

如果你使用cert-manager,它将在GKE中创建K8s密钥,然后你必须在Ingress中使用这个密钥。如果从网站下载,你必须手动创建K8s密钥。

GCP官方参考文档:https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl#secrets

文档中提到了各种方法,包括secretuser-managedGoogle managed证书与Ingress一起使用。

如果你使用Google Cloud Managed证书,还可以将其附加到负载均衡器,以便使用HTTPS

英文:

> I have an ingress setup and its working as expected But my doubt is

Guessing you are GKE with running the Nginx ingress controller, and with that you have the IP address exposed publicly. You might be adding domain records to /etcs/hosts and mapping to IP of Loadbalancer from GCP.

You have to use the DNS to map the load balancer IP with your Hostname. Add A record into the DNS server and map to the domain.

example.com 192.168.xx.xx

You read more here about the HTTPS cert creation : https://kubernetes.github.io/ingress-nginx/user-guide/tls/

You ingress will look like

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - example.com
    secretName: letsencrypt-staging
  rules:
    - host: example.com
      http:
        paths:
          - path: /api/users/?(.*)
            pathType: Prefix
            backend:
              service:
                name: auth-srv
                port:
                  number: 3000

Read my article if planning to use the cert-manager : https://medium.com/@harsh.manvar111/kubernetes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d (article have old API version ingress use above one for ref)

The above one provides the self-signed cert when you will open it in the browser it will throw an error, so would recommend downloading and creating the cert using Cert-manager or Free SSL site.

If you are using the cert-manager it will create the K8s secret in GKE and you have to use this secret with ingress. If downloading from site you have to manually create the K8s secret.

GCP Official ref doc : https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl#secrets

it has all methods mentioned including secret, user-managed, Google managed cert with ingress.

If you are using the Google Cloud Managed cert you can also leverage those and attach to Load Balancer so you will be able to use the HTTPS.

huangapple
  • 本文由 发表于 2023年2月18日 02:09:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/75487873.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定