ingress-nginx: transport encryption and authentication

Setting up an HTTPS certificate for ingress-nginx

Prepare the certificates

openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=My Cert Authority'

openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=test.sy.com'
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

The CN= above is the domain name the target service will be reached at.

Upload the server certificate to Kubernetes

kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key -n test

Configure the ingress

The host in the Ingress must be the same as the certificate's CN, and the tls section references the secret created above:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test
  namespace: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  rules:
  - host: test.sy.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-test
          servicePort: 6080
  tls:
  - hosts:
    - test.sy.com
    secretName: tls-secret
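As an added example (not code from the original post), the certificate preparation and the host/CN rule above carried through as a script with the checks worth running before the manifests are applied: the server certificate also gets a subjectAltName, since browsers and Go-based clients ignore the CN and reject a certificate without one (curl falls back to the CN, which is why the post's command works there), `openssl verify -verify_hostname` confirms that the certificate chains to ca.crt and covers every host in the Ingress, and the Secret is emitted as a kubernetes.io/tls manifest for kubectl apply. Hostname, secret name and namespace follow the post; rsa:2048 instead of rsa:4096 only keeps the run short.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI; kubectl
# is not needed until the final "kubectl apply" shown in the comment at the end.
set -eu

# make_certs DIR HOST: CA plus a server cert whose CN *and* SAN are HOST.
# The post's command sets only the CN; clients that require a SAN would
# reject that certificate, so the SAN is added here via -extfile.
make_certs() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 3650 \
    -subj '/CN=My Cert Authority' -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/san.cnf" \
    -out "$dir/server.crt" 2>/dev/null
}

# cert_covers_host DIR HOST: the two checks "curl --cacert ca.crt" performs,
# chain to ca.crt and hostname match; exit status 0 only if both pass.
cert_covers_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# check_ingress_hosts DIR INGRESS_YAML: every "host:" in the Ingress manifest
# must be covered by server.crt, otherwise the TLS handshake fails for it.
check_ingress_hosts() {
  for h in $(sed -n 's/^[[:space:]]*-*[[:space:]]*host:[[:space:]]*//p' "$2"); do
    cert_covers_host "$1" "$h" || { echo "server.crt does not cover $h" >&2; return 1; }
  done
}

# secret_manifest DIR NAME NAMESPACE: the kubernetes.io/tls Secret that
# "kubectl create secret tls" would produce, as YAML for "kubectl apply -f -".
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$2" "$3" "$(base64 < "$1/server.crt" | tr -d '\n')" "$(base64 < "$1/server.key" | tr -d '\n')"
}

# Example run with the post's names (ingress.yaml is the manifest above):
#   make_certs pki test.sy.com && check_ingress_hosts pki ingress.yaml \
#     && secret_manifest pki tls-secret test | kubectl apply -f -
```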

Access

[root@ingress]# curl --cacert ca.crt https://test.sy.com/abc/check_health.jsp
hello 2020-03-19

Authentication

Create a user and set a password

Create the basic-auth user foo with password 123456 and submit the user information to Kubernetes:

htpasswd -c auth foo
kubectl -n test create secret generic basic-auth --from-file=auth

Configure the ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test
  namespace: test
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: test.sy.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-test
          servicePort: 6080

Access

Without authentication

[root@ingress]# curl http://test.sy.com/abc/check_health.jsp
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>openresty/1.15.8.1</center>
</body>
</html>

With authentication

[root@ingress]# curl http://test.sy.com/abc/check_health.jsp -u 'foo:123456'
hello 2020-03-19

Authentication over HTTPS

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test
  namespace: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: test.sy.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-test
          servicePort: 6080
  tls:
  - hosts:
    - test.sy.com
    secretName: tls-secret

[root@ingress]# curl --cacert ca.crt -u 'foo:123456' https://test.sy.com/abc/check_health.jsp
hello 2020-03-19
