Google Kubernetes Engine: Enable HTTPS for Service type


Problem description

I have an application on GKE that I wish to be available via HTTPS only, so I have gotten a signed certificate to secure the application using TLS.

I have checked out a lot of tutorials on how I can do this, but they all refer to using Ingress and automatically requesting the certificate using LetsEncrypt and KubeLego. But I wish to continue using the external load balancers (the compute engine instances that Google has provided me) but I just want my application to be accessible via https.

How do I apply my server.crt and server.key files to enable https? Do I apply it to the load balancers or to the Kubernetes cluster?

Recommended answer

Ingress is probably your best bet when it comes to exposing your application over HTTPS. The Ingress resource specifies a backend service, so you will continue exposing your application as a Kubernetes service, just with type set to ClusterIP. This will produce a service that is "internal" to your cluster, and will be externally accessible through the Ingress once you set it up.

Now, specifically in Google Kubernetes Engine (GKE), any ingress resources defined in your cluster will be served by a Google Cloud Load Balancer, so I don't think you have to worry about deploying your own Ingress Controller (e.g. Nginx Ingress Controller).

In terms of TLS, you can use your own certificate if you have one. The certificate must be uploaded to the cluster through a Kubernetes Secret. Once that secret is defined, you can reference that secret in your Ingress definition. (https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)

You can create the secret using the following command:

kubectl create secret tls my-app-certs --key /tmp/tls.key --cert /tmp/tls.crt

Once you have your secret, you can reference it in your ingress resource:

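# extensions/v1beta1 Ingress is no longer served as of Kubernetes 1.22;
# networking.k8s.io/v1 is the current API and uses defaultBackend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
spec:
  tls:
  # TLS Secret created with "kubectl create secret tls"
  - secretName: my-app-certs
  # All traffic goes to Service s1 on port 80
  defaultBackend:
    service:
      name: s1
      port:
        number: 80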

Once you have created your ingress resource, GKE will configure the load balancer and give you a publicly accessible IP that you can get using:

kubectl get ingress my-app-ingress

The following is a good tutorial that walks you through Ingress on GKE: https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer
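
To check that a cluster set up this way is reachable over HTTPS only, as the question asks, the following added example (not part of the original answer) audits `kubectl get ingress,service -o json` output. It assumes the GKE annotation `kubernetes.io/ingress.allow-http`; the Service name `s1-legacy-lb`, the finding labels and the sample data are constructed for illustration.

```python
import json
import sys

# GKE Ingress annotation: the load balancer keeps a port-80 listener
# unless this is set to "false".
ALLOW_HTTP = "kubernetes.io/ingress.allow-http"


def audit(doc):
    """Return (name, issue) findings for a kubectl JSON document."""
    items = doc.get("items", [doc])  # a List, or a single object
    findings = []
    for obj in items:
        kind = obj.get("kind")
        meta = obj.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        spec = obj.get("spec", {})
        if kind == "Ingress":
            tls = spec.get("tls") or []
            if not any(t.get("secretName") for t in tls):
                findings.append((name, "no-tls-secret"))
            allow = (meta.get("annotations") or {}).get(ALLOW_HTTP, "true")
            if allow.lower() != "false":
                findings.append((name, "http-listener-enabled"))
        elif kind == "Service" and spec.get("type") == "LoadBalancer":
            # Reachable directly, bypassing the Ingress and its certificate.
            findings.append((name, "service-exposed-directly"))
    return findings


# Constructed sample: the Ingress from the answer, its ClusterIP backend,
# and a leftover LoadBalancer Service (hypothetical name).
SAMPLE = {"kind": "List", "items": [
    {"kind": "Ingress", "metadata": {"name": "my-app-ingress"},
     "spec": {"tls": [{"secretName": "my-app-certs"}]}},
    {"kind": "Service", "metadata": {"name": "s1"},
     "spec": {"type": "ClusterIP"}},
    {"kind": "Service", "metadata": {"name": "s1-legacy-lb"},
     "spec": {"type": "LoadBalancer"}},
]}

if __name__ == "__main__":
    # Pass "-" to read real kubectl output from stdin instead of the sample.
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for name, issue in audit(doc):
        print(f"{name}: {issue}")
```

Run against a live cluster with `kubectl get ingress,service -o json | python3 audit.py -` (the file name is an assumption).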
