Last updated: 2021-05-11 10:41:27
This topic describes how to configure HTTPS-based secure access in KCE.
Depending on how applications are accessed, you can configure the certificate by using one of the two methods described below.
Prerequisites
A Kubernetes cluster is created in KCE, and cloud-controller-manager is running properly in the cluster.
[root@vm10-0-33-13 ~]# kubectl get deploy -n kube-system | grep cloud
cloud-controller-manager 1 1 1 1 35d
A certificate is prepared. A self-signed certificate is used here to facilitate testing. The following command can be used to quickly create one:
[root@vm10-0-33-13 CAtest]# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
Generating a 2048 bit RSA private key
...............+++
.............................+++
writing new private key to 'tls.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Kingsoft
Organizational Unit Name (eg, section) []:Ksyun
Common Name (eg, your name or your server's hostname) []:foo.bar.com
Email Address []:ksyun@kingsoft.com
Method 1: Configure the certificate in SLB
Characteristics: A certificate is configured in SLB to support external access to applications. Internal access within the cluster still uses HTTP.
Scenarios: Applications are accessed through Services of the LoadBalancer type instead of Ingresses.
Create an NGINX application by using the following nginx-deploy.yaml file. This is the application exposed in this example. The nginx-deploy.yaml file is as follows:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
i. Log in to the SLB console. Choose Certificate > SLB Certificate. On the page that appears, click Create Certificate.
ii. In the Create Certificate dialog box, enter the name of the certificate, paste the created certificate and private key in Certificate Content and Private Key, and then click Create.
iii. Obtain the ID of the certificate in certificate details.
The nginx-service.yaml file is as follows.
Note: The annotation service.beta.kubernetes.io/ksc-loadbalancer-protocol-port uses the format "PROTOCOL:PORT". The value of PORT must be the same as the port in spec.ports.
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/ksc-loadbalancer-protocol-port: "HTTPS:443"
    service.beta.kubernetes.io/ksc-loadbalancer-cert-id: "your-cert-id" # Enter the certificate ID.
  labels:
    app: nginx
  name: https-lb
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
[root@vm10-0-33-13]# kubectl create -f nginx-deploy.yaml
deployment.extensions/nginx created
[root@vm10-0-33-13]# kubectl create -f nginx-svc.yaml
service/nginx created
[root@vm10-0-33-13 CAtest]# kubectl get svc | grep nginx
nginx LoadBalancer 10.254.101.229 120.92.86.xx 443:31937/TCP 76d
Note: In this example, the test domain name foo.bar.com is resolved to the public IP address of the NGINX Service. To achieve this, you can add a record to the hosts file.
120.92.86.xx foo.bar.com
Visit https://foo.bar.com in a browser for verification.
Method 2: Configure the certificate in an Ingress
Characteristics: SLB configurations do not need to be changed. The certificate for each application can be managed separately by using an Ingress.
Scenarios: Each application can be accessed only by using its own certificate, for example, a cluster that contains applications that can be accessed only by using certificates.
Create a Secret based on the certificate and private key created in Prerequisites.
[root@vm10-0-33-13]# kubectl create secret tls secret-https --key tls.key --cert tls.crt
secret/secret-https created
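Before the certificate created in Prerequisites is pasted into the SLB console (Method 1) or stored in the Secret above (Method 2), it is worth checking that the key matches, that the certificate covers foo.bar.com, and that it is not about to expire; the last function also compares what the load balancer serves with the local file. This is an added example, not part of the KCE documentation; it assumes the openssl CLI is installed, and the file names, host and address are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the KCE doc): sanity-check a certificate/key pair
# before it is pasted into the SLB console or stored in a TLS Secret, and
# compare it with what the load balancer actually serves.
# Assumes the openssl CLI; file names, host and address are arguments.

# 0 if cert $1 and private key $2 carry the same public key, 1 otherwise.
tls_pair_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 0 if cert $1 is valid for host $2 (SAN first, CN as fallback).
tls_cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# 0 if cert $1 stays valid for at least $2 more seconds (default 30 days).
tls_cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# 0 if cert $1 has a DNS subjectAltName. Browsers ignore the CN, so the
# CN-only cert produced by the "openssl req -x509" command above is
# rejected even when foo.bar.com matches; add a SAN for real use.
tls_cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:"
}

# Run all local checks on cert $1, key $2, host $3; print each failure.
tls_precheck() {
  rc=0
  tls_pair_matches "$1" "$2"     || { echo "key does not match cert"; rc=1; }
  tls_cert_covers_host "$1" "$3" || { echo "cert is not valid for $3"; rc=1; }
  tls_cert_not_expiring "$1"     || { echo "cert expires within 30 days"; rc=1; }
  tls_cert_has_san "$1" || echo "warning: no subjectAltName, browsers will reject it"
  return $rc
}

# 0 if the cert served at $1:443 for SNI name $2 is the local cert $3
# (same SHA-256 fingerprint). Needs network access to the SLB address.
tls_served_cert_matches() {
  got=$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  want=$(openssl x509 -in "$3" -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$got" ] && [ "$got" = "$want" ]
}
# Usage: tls_precheck tls.crt tls.key foo.bar.com
#        tls_served_cert_matches 120.92.86.xx foo.bar.com tls.crt
```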
Expose the built-in Traefik Service in the cluster to the Internet. For more information, see Create a Traefik Ingress Service.
The nginx-service.yaml file is as follows:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: ClusterIP
The ingress.yaml file is as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-https
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
  tls:
  - hosts:
    - foo.bar.com
    secretName: secret-https
[root@vm10-0-33-13]# kubectl create -f svc.yaml
service/nginx created
[root@vm10-0-33-13]# kubectl create -f ingress.yaml
ingress.extensions/nginx-https created
[root@vm10-0-33-13 CAtest]# kubectl get svc | grep nginx
nginx ClusterIP 10.254.99.223 <none> 80/TCP 3m35s
[root@vm10-0-33-13 CAtest]# kubectl get ing
NAME HOSTS ADDRESS PORTS AGE
nginx-https foo.bar.com 80, 443 2m26s
[root@vm10-0-33-13 CAtest]# kubectl get svc -n kube-system | grep traefik
traefik-ingress-service LoadBalancer 10.254.101.229 120.92.86.xx 80:31833/TCP,443:31937/TCP,8080:30475/TCP 76d
Note: In this example, the test domain name foo.bar.com is resolved to the public IP address of the Traefik Service. To achieve this, you can add a record to the hosts file.
120.92.86.xx foo.bar.com
Visit https://foo.bar.com in a browser for verification.
Pure Mode