ssl - 库伯内斯 |公开 HTTPS 服务

Question

我是 Kubernetes 平台的新手，试图为部署在 Kubernetes 平台上的 tomcat 网络应用启用 HTTPS 安全连接。我对与部署、服务和入口 Controller 有关的 manifest.yml 感到困惑。

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-webapp
spec:
  selector:
    matchLabels:
      app: tomcat-webapp
  replicas: 1
  template:
    metadata:
      labels:
        app: tomcat-webapp
    spec:
      containers:
        - name: tomcat-webapp
          image: registry.central/*****
          imagePullPolicy: Always
          securityContext:
            runAsUser: 13113
            runAsGroup: 602
          ports:
            - containerPort: 8080
          env:
            - name: JAVA_OPTS
              value: "-Xms128M -Xmx256M -XX:MetaspaceSize=128m -XX:MaxMetaspaceSize=256m"
            - name: CATALINA_OPTS
              value: "-Djavax.net.ssl.trustStore=/opt/apache-tomcat-8.5.32/webapps/ROOT/tomcat.jks -Djavax.net.ssl.trustStorePassword=****"
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-webapp
  labels:
    app: tomcat-webapp
spec:
  ports:
    - port: 80
      targetPort: 8080
      #nodePort: 30010
      protocol: TCP
      name: http
  selector:
    app: tomcat-webapp
---
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-webapp
spec:
  rules:
    - host: "tomcat-webapp.apps.net"
      http:
        paths:
          - path: /
            backend:
              serviceName: tomcat-webapp
              servicePort: 80
  tls:
    - hosts:
        # dont forget to update this url too
        - "tomcat-webapp.apps.net"

所以我也必须在部署(在端口下:-containerPort:8080)服务(如端口:-端口:80 targetPort:8080协议(protocol):TCP名称:http)和入口(在后端:服务名称:tomcat-webapp 服务端口:80) ?

Answer 1

保持简单:

apiVersion: v1
kind: Service
metadata:
  name: tomcat-webapp
  labels:
    app: tomcat-webapp
spec:
  ports:
    - port: 8080
  selector:
    app: tomcat-webapp
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-webapp
spec:
  rules:
    - host: "tomcat-webapp.apps.net"
      http:
        paths:
          - path: /
            backend:
              serviceName: tomcat-webapp
              servicePort: 8080
  tls:
    - hosts:
        - "tomcat-webapp.apps.net"`

据我从您的部署配置中了解到，您的 Java 应用程序在端口 8080 上运行并且需要 https 流量。这不适用于上述 Ingress 配置 - 您的 Java 应用程序应监听端口 8080 并期待 http 流量。

如果您真的希望您的 Java 应用程序监听 HTTPS，您可以按以下方式配置 Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-webapp
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
... # the rest is the same