1.生成证书文件

openssl req -x509 -nodes -days 2920 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=shanghai/O=nginxsvc"

req是证书请求的子命令

-newkey rsa:2048 -keyout tls.key  -newkey是与-key互斥的，-newkey是指在生成证书请求或者自签名证书的时候自动生成密钥，

-nodes 表示私钥不加密
-out 指定生成的证书请求或者自签名证书名称

-days 2920  证书有效期
若执行自动输入，可使用-subj选项：

-subj——证书相关的用户信息(subject的缩写)

2.导入证书文件到 k8s secret 指定命名空间

kubectl create secret tls https-secret --key tls.key --cert tls.crt -n 5ren

3.实例

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: 5ren-api
  namespace: 5ren
  labels:
    app.kubernetes.io/name: 5ren-api
    app.kubernetes.io/instance: 5ren-api
  annotations:
    # kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/limit-connections: "1000"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "2"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-body-size: "10M"
    nginx.ingress.kubernetes.io/service-upstream: "true"
spec:
  ingressClassName: "nginx"
  rules:
    - host: "www.5ren.ren"
      http:
      paths:
        - pathType: Prefix
          path: "/"
          backend:
            service:
              name: 5ren
              port:
                number: 80
  tls:
    - hosts:
        - "www.5ren.ren"
      secretName: https-secret