Google Kubernetes引擎:为服务类型启用HTTPS [英] Google Kubernetes Engine: Enable HTTPS for Service type
问题描述
我在GKE上有一个应用程序,希望只能通过HTTPS访问,因此我已经获得了签名证书,可以使用TLS保护该应用程序.
I have an application on GKE that I wish to be available via HTTPS only, so I have gotten a signed certificate to secure the application using TLS.
我已经检查了很多有关如何执行此操作的教程,但是它们都涉及使用Ingress并使用LetsEncrypt和KubeLego自动请求证书.但是我希望继续使用外部负载平衡器(由google为我提供的计算引擎实例),但我只是希望可以通过https访问我的应用程序.
I have checked out a lot of tutorials on how I can do this, but they all refer to using Ingress and automatically requesting the certificate using, LetsEncrypt and KubeLego. But I wish to continue using the external load balancers (the compute engine instances that google has provided me) but I just want my application to be accessible via https.
如何应用我的server.crt和server.key文件启用https.我是否
How do I apply my server.crt and server.key files to enable https.Do I apply it to the Load balancers or to the kubernetes cluster.
推荐答案
在通过HTTPS公开应用程序时,Ingress可能是最好的选择. Ingress资源指定了一个后端服务,因此您将继续将应用程序公开为Kubernetes服务,其类型设置为ClusterIP.这将产生一个服务,该服务是您群集的内部"服务,一旦设置,便可以通过Ingress对其进行外部访问.
Ingress is probably your best bet when it comes to exposing your application over HTTPS. The Ingress resource specifies a backend service, so you will to continue exposing your application as a Kubernetes service, just with type set to ClusterIP. This will produce a service that is "internal" to your cluster, and will be externally accessible through the Ingress once you set it up.
现在,特别是在Google Kubernetes Engine(GKE)中,群集中定义的所有入口资源都将由Google Cloud Load Balancer提供服务,因此我认为您不必担心部署自己的入口控制器(例如Nginx)入口控制器).
Now, specifically in Google Kubernetes Engine (GKE), any ingress resources defined in your cluster will be served by a Google Cloud Load Balancer, so I don't think you have to worry about deploying your own Ingress Controller (e.g. Nginx Ingress Controller).
就TLS而言,如果您拥有一个证书,则可以使用自己的证书.证书必须通过Kubernetes Secret上载到集群.定义该秘密后,您可以在Ingress定义中引用该秘密. ( https://kubernetes.io/docs/concepts/services-networking/ingress /#tls )
In terms of TLS, you can use your own certificate if you have one. The certificate must be uploaded to the cluster through a Kubernetes Secret. Once that secret is defined, you can reference that secret in your Ingress definition. (https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)
您可以使用以下命令创建密钥:
You can create the secret using the following command:
kubectl create secret tls my-app-certs --key /tmp/tls.key --cert /tmp/tls.crt
拥有秘密后,您可以在入口资源中引用它:
Once you have your secret, you can reference it in your ingress resource:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-app-ingress
spec:
tls:
- secretName: my-app-certs
backend:
serviceName: s1
servicePort: 80
创建入口资源后,GKE将配置负载均衡器,并为您提供可使用的可公开访问的IP:
Once you have created your ingress resource, GKE will configure the load balancer and give you a publicly accessible IP that you can get using:
kubectl get ingress my-app-ingress
以下是一个很好的教程,可指导您完成GKE上的Ingress: https://cloud.google.com/kubernetes-engine/docs/tutorials /http-平衡器
The following is a good tutorial that walks you through Ingress on GKE: https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer
这篇关于Google Kubernetes引擎:为服务类型启用HTTPS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
