All Documents
Current Document

Content is empty

If you don't find the content you expect, please try another search term

Documentation

HTTPS-based secure access

Last updated:2021-05-11 10:41:27

This topic describes how to configure HTTPS-based secure access in KCE.

You can configure certificates by using one of the following methods based on access modes:

  • Configure a certificate in SLB.
  • Configure a certificate in an Ingress.

Prerequisites

A Kubernetes cluster is created in KCE, and cloud-controller-manager is running properly in the cluster.

[root@vm10-0-33-13 ~]# kubectl get deploy -n kube-system | grep cloud
cloud-controller-manager   1         1         1            1           35d

A certificate is prepared. A Kingsoft Cloud-signed certificate is used to facilitate testing. The following commands can be used to quickly create a certificate:

[root@vm10-0-33-13 CAtest]# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
Generating a 2048 bit RSA private key
...............+++
.............................+++
writing new private key to 'tls.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Kingsoft
Organizational Unit Name (eg, section) []:Ksyun
Common Name (eg, your name or your server's hostname) []:foo.bar.com
Email Address []:ksyun@kingsoft.com

Configure a certificate in SLB

Characteristics: A certificate is configured in SLB to support external access to applications. Internal access in a cluster is still implemented by using HTTP.

Scenarios: Applications are accessed by using the Services of the LoadBalancer type instead of Ingresses.

  1. Create a NGINX application by using the following nginx-deploy.yaml file. This application is exposed in this example. The nginx-deploy.yaml file is as follows:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
    name: nginx
    spec:
    replicas: 2
    template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
  2. Upload the created certificate to SLB.

      i. Log in to the SLB console. Choose Certificate > SLB Certificate. On the page that appears, click Create Certificate.

      ii. In the Create Certificate dialog box, enter the name of the certificate, paste the created certificate and private key in Certificate Content and Private Key, and then click Create.

image.png

      iii. Obtain the ID of the certificate in certificate details.

  1. Use SLB to expose the NGINX application to the Internet in HTTPS mode. The nginx-service.yaml file is as follows:

Note: service.beta.kubernetes.io/ksc-loadbalancer-protocol-port is annotated with the format "PROTOCOL:PORT". The value of PORT must be the same as that of port in spec:ports.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/ksc-loadbalancer-protocol-port: "HTTPS:443"
    service.beta.kubernetes.io/ksc-loadbalancer-cert-id: "your-cert-id"  # Enter the certificate ID.
  labels:
    app: nginx
  name: https-lb
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
  1. Create the preceding resources.
    [root@vm10-0-33-13]# kubectl create -f nginx-deploy.yaml 
    deployment.extensions/nginx created
    [root@vm10-0-33-13]# kubectl create -f nginx-svc.yaml 
    service/nginx created
  2. Obtain the public IP address corresponding to the NGINX Service.
    [root@vm10-0-33-13 CAtest]# kubectl get svc | grep nginx
    nginx   LoadBalancer   10.254.101.229   120.92.86.xx   443:31937/TCP        76d

Note: In this example, the test domain name foo.bar.com is resolved to the public IP address of the NGINX Service. To achieve this, you can add a record to the hosts file.

120.92.86.xx foo.bar.com

Visit https://foo.bar.com in a browser for verification.

image.png

Configure a certificate in an Ingress

Characteristics: SLB configurations do not need to be changed. The certificate for each application can be managed separately by using an Ingress.

Scenarios: Each application can only be accessed by using the corresponding certificate. A cluster contains applications that can only be accessed by using certificates.

  1. Create a Secret based on the certificate and private key created in Prerequisites.

    [root@vm10-0-33-13]# kubectl create secret tls secret-https --key tls.key --cert tls.crt
    secret/secret-https created
  2. Expose the built-in Traefik Service in the cluster to the Internet. For more information, see Create a Traefik Ingress Service.

  3. Create the NGINX Service. The NGINX Service only needs to be exposed in the cluster. The service port is 80. The nginx-service.yaml file is as follows:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: ClusterIP
  1. Create the corresponding Ingress rule. The ingress.yaml file is as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-https
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
  tls:
  - hosts:
    - foo.bar.com
    secretName: secret-https
  1. Create the Service and Ingress.
[root@vm10-0-33-13]# kubectl create -f svc.yaml 
service/nginx created
[root@vm10-0-33-13]# kubectl create -f ingress.yaml 
ingress.extensions/nginx-https created
[root@vm10-0-33-13 CAtest]# kubectl get svc | grep nginx
nginx                   ClusterIP   10.254.99.223    <none>        80/TCP           3m35s
[root@vm10-0-33-13 CAtest]# kubectl get ing
NAME          HOSTS         ADDRESS   PORTS     AGE
nginx-https   foo.bar.com             80, 443   2m26s
  1. Obtain the public IP address of the Traefik Service.
    [root@vm10-0-33-13 CAtest]# kubectl get svc -n kube-system | grep traefik
    traefik-ingress-service   LoadBalancer   10.254.101.229   120.92.86.xx   80:31833/TCP,443:31937/TCP,8080:30475/TCP        76d

    Note: In this example, the test domain name foo.bar.com is resolved to the public IP address of the Traefik Service. To achieve this, you can add a record to the hosts file.

    120.92.86.xx foo.bar.com

Visit https://foo.bar.com in a browser for verification.

image.png

On this page
Pure ModeNormal Mode

Pure Mode

Click to preview the document content in full screen
Feedback