1.生成证书文件
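# Create a self-signed certificate (tls.crt) and a new 2048-bit RSA key (tls.key).
# -addext (OpenSSL 1.1.1 or later) adds a subjectAltName for the host the
# Ingress serves: clients verify the requested hostname against the SAN, and
# the subject CN=shanghai on its own does not match www.5ren.ren.
# -nodes writes tls.key without a passphrase, so keep the file readable only
# by its owner.
openssl req -x509 -nodes -days 2920 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=shanghai/O=nginxsvc" \
  -addext "subjectAltName=DNS:www.5ren.ren"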
req 是处理证书请求(CSR)的子命令;加上 -x509 后直接输出自签名证书,而不是证书请求
-newkey rsa:2048 -keyout tls.key:-newkey 与 -key 互斥;-newkey 表示在生成证书请求或自签名证书时自动生成一个新的 2048 位 RSA 私钥,-keyout 指定私钥的输出文件名
-nodes 表示私钥不加密(没有口令保护),因此 tls.key 需要妥善保管并限制文件访问权限
-out 指定生成的证书请求或者自签名证书名称
-days 2920 证书有效期,单位为天(2920 天约为 8 年)
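若希望非交互式执行(不逐项手动输入证书信息),可使用 -subj 选项:
-subj——证书相关的用户信息(subject 的缩写)。注意:客户端校验 HTTPS 证书时比对的是所访问的域名(优先使用 subjectAltName),本例的 CN=shanghai 并不是下文 Ingress 使用的域名 www.5ren.ren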
2.导入证书文件到 k8s secret 指定命名空间
# Store the certificate and key as a TLS Secret named https-secret in the
# 5ren namespace.
kubectl create secret tls https-secret \
  --namespace=5ren \
  --cert=tls.crt \
  --key=tls.key
3.实例
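---
# Ingress that routes https://www.5ren.ren/ to the "5ren" Service on port 80
# and terminates TLS with the certificate stored in the "https-secret" Secret.
# Nesting is restored here: with every key at column 0 the document does not
# parse as an Ingress (keys such as "name" would repeat at the top level).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: 5ren-api
  namespace: 5ren
  labels:
    app.kubernetes.io/name: 5ren-api
    app.kubernetes.io/instance: 5ren-api
  annotations:
    # Legacy way of selecting the controller; spec.ingressClassName is used
    # instead.
    # kubernetes.io/ingress.class: "nginx"
    # Concurrent connections allowed from a single client IP.
    nginx.ingress.kubernetes.io/limit-connections: "1000"
    # Upstream connect/read/send timeouts, in seconds.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "2"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "30"
    # Largest request body accepted; larger requests are rejected.
    nginx.ingress.kubernetes.io/proxy-body-size: "10M"
    # Proxy to the Service address instead of the individual pod endpoints.
    nginx.ingress.kubernetes.io/service-upstream: "true"
spec:
  ingressClassName: "nginx"
  rules:
    - host: "www.5ren.ren"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: 5ren
                port:
                  number: 80
  tls:
    # The Secret must live in the same namespace as this Ingress (5ren), and
    # its certificate should list www.5ren.ren in subjectAltName so that
    # clients accept the hostname.
    - hosts:
        - "www.5ren.ren"
      secretName: https-secret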