kubeadm部署ingress-controller
九:kubeadm集群裸机部署:nginx-ingress-controller:0.30.0
以daemonset + hostnetwork + nodeselector为例
集群环境:
1.查看开启是ipvs
[root@master01 ~]# kubectl get pods -n kube-system |grep kube-proxy
kube-proxy-5pl4d 1/1 Running 0 3h17m
kube-proxy-lmfmm 1/1 Running 0 179m
kube-proxy-tfq9c 1/1 Running 0 175m
#如果开启ipvs,会有输出,需要查看三个kube-proxy的pod。
[root@master01 ~]# kubectl logs -f kube-proxy-5pl4d -n kube-system |grep ipvs
I1215 04:08:14.351482 1 server_others.go:259] Using ipvs Proxier.
2.如果没有开启,可以修改配置文件,指定kube-proxy调度为ipvs
[root@master01 ~]# kubectl get cm -n kube-system|grep kube-proxy
kube-proxy 2 3h21m
[root@master01 ~]# kubectl edit cm kube-proxy -n kube-system
。。。。。。。。。。。。。
ipvs:
excludeCIDRs: null
minSyncPeriod: 0s
scheduler: "" #这里默认调度算法是rr,
strictARP: false
syncPeriod: 0s
tcpFinTimeout: 0s
tcpTimeout: 0s
udpTimeout: 0s
kind: KubeProxyConfiguration
metricsBindAddress: ""
mode: ipvs #指定kube-proxy调度规则为ipvs
nodePortAddresses: null
oomScoreAdj: null
portRange: ""
showHiddenMetricsForVersion: ""
udpIdleTimeout: 0s
winkernel:
#保存后,需要删除kube-proxy的pod,重新拉去kube-proxy的配置文件,才可以生效
[root@master01 ~]# kubectl get pod -n kube-system | grep kube-proxy | awk '{system("kubectl delete pod "$1" -n kube-system")}'
#查看新的kube-proxy的pod。是否生效开启ipvs
[root@master01 ~]# kubectl logs -f kube-proxy-5pldd -n kube-system |grep ipvs
I1215 04:08:14.351482 1 server_others.go:259] Using ipvs Proxier.
[root@master01 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.96.0.1:443 rr
-> 192.128.232.11:6443 Masq 1 3 0
-> 192.128.232.12:6443 Masq 1 0 0
TCP 10.96.0.10:53 rr
-> 10.244.0.2:53 Masq 1 0 0
-> 10.244.0.3:53 Masq 1 0 0
TCP 10.96.0.10:9153 rr
-> 10.244.0.2:9153 Masq 1 0 0
-> 10.244.0.3:9153 Masq 1 0 0
UDP 10.96.0.10:53 rr
-> 10.244.0.2:53 Masq 1 0 0
-> 10.244.0.3:53 Masq 1 0 0
3.部署ingress-nginx
# 以daemonset + hostnetwork + nodeselector为例
下载地址:https://github.com/kubernetes/ingress-nginx/
[root@master01 ~]# mkdir ingress/
[root@master01 ingress]# unzip nginx-0.30.0.zip
[root@master01 ingress]# cd ingress-nginx-nginx-0.30.0/deploy/static/
[root@master01 static]# ll
total 28
-rw-rw-r-- 1 root root 580 Feb 24 2020 configmap.yaml
-rw-r--r-- 1 root root 240 Dec 15 13:39 kube-backend.yaml
-rw-rw-r-- 1 root root 6649 Dec 15 11:10 mandatory.yaml
-rw-rw-r-- 1 root root 166 Feb 24 2020 namespace.yaml
drwxrwxr-x 4 root root 60 Feb 24 2020 provider
-rw-rw-r-- 1 root root 2922 Feb 24 2020 rbac.yaml
-rw-rw-r-- 1 root root 2643 Feb 24 2020 with-rbac.yaml
#修改mandatory.yaml的rbac的apiversion
[root@master01 static]# sed -i "s#rbac.authorization.k8s.io/v1beta1#rbac.authorization.k8s.io/v1#g" mandatory.yaml
#修改images地址
[root@master01 static]# cat mandatory.yaml | grep image
image: harbor.od.com/kubeadm/nginx-ingress-controller:0.30.0
#修改mandatory.yaml文件(215行左右)使用宿主机网络:hostNetwork: true、
#文件中的kind 类型由Deployent改为DaemonSet,然后去掉replicas
[root@master01 static]# vi mandatory.yaml
......................................................
---
apiVersion: apps/v1
kind: DaemonSet #把Deployent改为DaemonSet
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
# replicas: 1 #注释掉
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
spec:
hostNetwork: true #主机网络
# wait up to five minutes for the drain of connections
terminationGracePeriodSeconds: 300
serviceAccountName: nginx-ingress-serviceaccount
nodeSelector: #部署ingress-nginx选择节点的选择器
node: ingress-controller #标签选择
tolerations: #容忍master的taint污点,表示master也可以部署ingress
- key: node-role.kubernetes.io/master
effect: NoSchedule
containers:
- name: nginx-ingress-controller
image: harbor.od.com/kubeadm/nginx-ingress-controller:0.30.0
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
#给节点打标签,好指定ingress-controller的pod部署指定节点上,指定两台,建议是master节点打上标签,
[root@master01 ~]# kubectl label node master01 node=ingress-controller
[root@master01 ~]# kubectl label node master02 node=ingress-controller
[root@master01 ~]# kubectl label node master03 node=ingress-controller
[root@master01 ~]# kubectl get nodes --show-labels |grep node=ingress-controller
[root@master01 static]# kubectl apply -f mandatory.yaml
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
daemonset.apps/nginx-ingress-controller created
limitrange/ingress-nginx created
#查看nginx-ingress-controller的pod
[root@master01 static]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-nqgpb 1/1 Running 0 3h38m
#查看ingress-controller的pod描述
[root@master01 static]# kubectl describe pod nginx-ingress-controller-nqgpb -n ingress-nginx
#ingress-controller部署在master01,master02,master03节点上,使用hostnetwork网络。三台主机上都 监听 80,8181,443 端口。
[root@node01 ~]# netstat -lntup|grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8426/nginx: master
tcp 0 0 0.0.0.0:8181 0.0.0.0:* LISTEN 8426/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 8426/nginx: master
tcp 0 0 127.0.0.1:10245 0.0.0.0:* LISTEN 8350/nginx-ingress-
tcp 0 0 127.0.0.1:10246 0.0.0.0:* LISTEN 8426/nginx: master
tcp 0 0 127.0.0.1:10247 0.0.0.0:* LISTEN 8426/nginx: master
tcp6 0 0 :::10254 :::* LISTEN 8350/nginx-ingress-
tcp6 0 0 :::80 :::* LISTEN 8426/nginx: master
tcp6 0 0 :::8181 :::* LISTEN 8426/nginx: master
tcp6 0 0 :::443 :::* LISTEN 8426/nginx: master
5.发布服务测试
[root@master01 ~]# cat nginx-service-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: harbor.od.com/kubeadm/myapp:v1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service #被后面ingress调度
spec:
type: ClusterIP
selector:
app: nginx
ports:
- protocol: TCP
port: 80
targetPort: 80
[root@master01 ~]# kubectl apply -f nginx-service-deployment.yaml
[root@master01 ~]# kubectl get pod -n default
NAME READY STATUS RESTARTS AGE
nginx-deployment-77db97fb47-2p8f7 1/1 Running 0 3h54m
nginx-deployment-77db97fb47-ql98t 1/1 Running 0 3h54m
[root@master01 ~]# kubectl get svc -n default
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1
nginx-service ClusterIP 10.97.95.213
#访问,kube-proxy是ipvs指定的rr(轮询访问)
[root@master01 ~]# curl 10.97.95.213
Hello MyApp | Version: v1 | Pod Name
[root@master01 ~]# curl 10.97.95.213/hostname.html
nginx-deployment-77db97fb47-2p8f7
[root@master01 ~]# curl 10.97.95.213/hostname.html
nginx-deployment-77db97fb47-ql98t
#配置nginx-service的ingress
[root@master01 ~]# cat nginx-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-service-ingress
namespace: default
annotations:
kubernets.io/ingress.class: "nginx" #ingress的注解,一定要标识
spec:
rules:
- host: demo.od.com #配置service服务的域名
http:
paths:
- path: /
backend:
serviceName: nginx-service #指定后端service的名字
servicePort: 80 #指定后端service的端口
[root@master01 ~]# kubectl apply -f nginx-ingress.yaml
[root@master01 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
test-service-ingress
#查看ingress时,发现报错了,(
因为缺少了一个后端服务叫 “”default-http-backend“”,所以后面创建这个service
[root@master01 ~]# kubectl describe ingress test-service-ingress
Name: test-service-ingress
Namespace: default
Address: 10.108.95.79
Default backend: default-http-backend:80 (
Rules:
Host Path Backends
---- ---- --------
demo.od.com
nginx-service:80 (10.244.2.2:80,10.244.2.3:80)
Annotations: kubernets.io/ingress.class: nginx
Events:
5.先查看default-back-end服务是否存在,在kube-system名称空间,跟kube-dns同一个名称空间里
[root@master01 ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10
6.使用下面的 yaml 文件创建 default-back-end 服务:
[root@master01 static]# cat kube-backend.yaml
apiVersion: v1
kind: Service
metadata:
name: default-http-backend #不能随便改,ingress服务缺少这个名字"default-http-backend"的服务。
namespace: kube-system
spec:
selector:
#app: ingress-nginx-controller
app: ingress-controller #名字随便定义
ports:
- protocol: TCP
port: 80
targetPort: 80
[root@master01 static]# kubectl apply -f kube-backend.yaml
[root@master01 static]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default-http-backend ClusterIP 10.102.127.253
kube-dns ClusterIP 10.96.0.10
#查看ingress时,已经正常了
[root@master01 static]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
test-service-ingress
[root@master01 static]# kubectl describe ingress test-service-ingress
Name: test-service-ingress
Namespace: default
Address: 10.108.95.79
Default backend: default-http-backend:80 (
Rules:
Host Path Backends
---- ---- --------
demo.od.com
nginx-service:80 (10.244.2.2:80,10.244.2.3:80)
Annotations: kubernets.io/ingress.class: nginx
Events:
#demo.od.com解析到vip上面,
[root@master01 ~]# cat /var/named/od.com.zone
demo A 10.4.7.48
[root@master01 ~]# systemctl restart named
[root@master01 ~]# curl ingresstest.od.com
Hello MyApp | Version: v1 | Pod Name
6.配置所有http的域名转发到
#两台nginx机器,做反代:都是ingress-controller指定部署ingress的节点,上面 mandatory.yaml w 文件通过nodeselector指定标有" node=ingress-controller " 三台master节点ip跟nodeport,
#demo.od.com解析到vip上面,
[root@master01 ~]# cat /var/named/od.com.zone
demo A 10.4.7.48
下面只是http服务的配置,https的配置,需要单独配置每个conf文件
[root@nginx01 ~]# vi /etc/nginx/conf.d/od.com.conf
upstream default_backend_ingress {
server 192.128.232.16:80 max_fails=3 fail_timeout=10s;
server 192.128.232.17:80 max_fails=3 fail_timeout=10s;
server 192.128.232.19:80 max_fails=3 fail_timeout=10s;
}
server {
server_name *.od.com;
location / {
proxy_pass http://default_backend_ingress;
proxy_set_header Host $http_host;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}
}
[root@nginx01 ~]# nginx -t
[root@nginx01 ~]# nginx -s reload
7.再发布一个服务到k8s,使用ingress
[root@master01 ~]# cat nginx-clusterIP02-service.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment2
labels:
app: nginx2
spec:
replicas: 2
selector:
matchLabels:
app: nginx2
template:
metadata:
labels:
app: nginx2
spec:
containers:
- name: nginx2
image: harbor.od.com/kubeadm/myapp:v2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service2
spec:
type: ClusterIP
selector:
app: nginx2
ports:
- protocol: TCP
port: 80
targetPort: 80
[root@master01 ~]# kubectl apply -f nginx-clusterIP02-service.yaml
[root@master01 ~]# cat nginx-clusterIP02-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test02-service-ingress
namespace: default
annotations:
kubernets.io/ingress.class: "nginx"
spec:
rules:
- host: ingresstest02.od.com
http:
paths:
- path:
backend:
serviceName: nginx-service2
servicePort: 80
[root@master01 ~]# kubectl apply -f nginx-clusterIP02-ingress.yaml
[root@master01 ~]# kubectl describe ingress test02-service-ingress
Name: test02-service-ingress
Namespace: default
Address: 10.99.155.170
Default backend: default-http-backend:80 (
Rules:
Host Path Backends
---- ---- --------
ingresstest02.od.com
nginx-service2:80 (10.244.2.4:80,10.244.2.5:80)
Annotations: kubernets.io/ingress.class: nginx02
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 52m nginx-ingress-controller Ingress default/test02-service-ingress
Normal UPDATE 78s (x2 over 52m) nginx-ingress-controller Ingress default/test02-service-ingress
[root@master01 ~]# vi /var/named/od.com.zone
ingresstest02 A 10.4.7.48
[root@master01 ~]# systemctl restart named
[root@master01 ~]# curl ingresstest02.od.com
Hello MyApp | Version: v2 | Pod Name
[root@master01 ingress]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-jv79q 1/1 Running 0 46m
#进入容器,可以查看配置文件
[root@master01 ingress]# kubectl exec -it nginx-ingress-controller-jv79q -n ingress-nginx -- /bin/bash
bash-5.0$ vi nginx.conf
8.自签证书,创建私钥
[root@master01 tls]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................................................................................+++
......+++
e is 65537 (0x10001)
#通过私钥生成证书,我指定有效期设置10年。
[root@master01 ssl]# openssl req -new -x509 -days 3650 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=tomcat.od.com
[root@master01 ssl]# ll
total 8
-rw-r--r-- 1 root root 1237 Dec 16 13:26 tls.crt
-rw-r--r-- 1 root root 1675 Dec 16 12:26 tls.key
#查看证书有效期
[root@master01 ssl]# openssl x509 -noout -text -in tls.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ac:97:46:33:e0:d1:6c:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Beijing, O=DevOps, CN=tomcat.od.com
Validity
Not Before: Dec 16 05:26:22 2021 GMT
Not After : Dec 14 05:26:22 2031 GMT
Subject: C=CN, ST=Beijing, O=DevOps, CN=tomcat.od.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
#创建secret对象,把这些证书添加到ingress对象里,默认是default名称空间。可以指定名称空间
[root@master01 tls]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master01 tls]# kubectl get secret
NAME TYPE DATA AGE
default-token-fcmwb kubernetes.io/service-account-token 3 23h
tomcat-ingress-secret kubernetes.io/tls 2 111s
[root@master01 tls]# kubectl describe secret tomcat-ingress-secret
Name: tomcat-ingress-secret
Namespace: default #默认是default名称空间。
Labels:
Annotations:
Type: kubernetes.io/tls
Data
====
tls.key: 1675 bytes
tls.crt: 1237 bytes
#部署tomcat服务到k8s里
[root@master01 yaml]# cat tomcat-clusterIP-service.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deployment
labels:
app: tomcat
spec:
replicas: 2
selector:
matchLabels:
app: tomcat
template:
metadata:
labels:
app: tomcat
spec:
containers:
- name: tomcat
image: harbor.od.com/kubeadm/tomcat:8.5.15-jre8-alpine #tomcat镜像,测试下载alpine
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080 #容器tomcat服务端口
---
apiVersion: v1
kind: Service
metadata:
name: tomcat-service #定义tomcat服务的名字,ingress通过这个名字调用,使外部访问。
spec:
type: ClusterIP
selector:
app: tomcat
ports:
- protocol: TCP
port: 8080
targetPort: 8080
#配置tomcat的ingress,使用tls证书
[root@master01 yaml]# cat tomcat-clusterIP-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat-tls-ingress #定义创建tomcat的ingress名字
namespace: default
annotations:
kubernets.io/ingress.class: "tomcat" #注解一定要有,否则不生效
spec:
tls: #开启tls
- hosts:
- tomcat.od.com #配置外部访问的域名,可以配置多个域名使用同一个secret
secretName: tomcat-ingress-secret #配置使用创建的secret的名字
rules:
- host: tomcat.od.com
http:
paths:
- path: /
backend:
serviceName: tomcat-service #调用tomcat的service名字
servicePort: 8080
#创建tomcat的ingress的pod
[root@master01 tls]# kubectl apply -f tomcat-clusterIP-ingress.yaml
[root@master01 yaml]# kubectl describe ingress tomcat-tls-ingress
Name: tomcat-tls-ingress
Namespace: default
Address: 10.99.155.170
Default backend: default-http-backend:80 (
TLS:
tomcat-ingress-secret terminates tomcat.od.com
Rules:
Host Path Backends
---- ---- --------
tomcat.od.com
/ tomcat-service:8080 (10.244.2.8:8080,10.244.2.9:8080)
Annotations: kubernets.io/ingress.class: tomcat
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 4m27s nginx-ingress-controller Ingress default/tomcat-tls-ingress
Normal UPDATE 4m15s nginx-ingress-controller Ingress default/tomcat-tls-ingress
#解析tomcat.od.com到部署节点,跟http不一样,
[root@master01 ssl]# cat /var/named/od.com.zone
tomcat A 10.4.7.51
[root@master01 ssl]# systemctl restart named
#浏览器测试或者命令行
[root@master01 yaml]# curl -k https://tomcat.od.com
#############################################################################
第二种:配置外部https在外部nginx服务
配置tomcat02.od.com域名为https,一个service可以被多个ingress调用,那这里就直接调用tomcat-service,
[root@master01 yaml]# cat tomcat02-clusterIP-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat02-ingress #同一个名称空间的名字一定要不一样。
namespace: default
annotations:
kubernets.io/ingress.class: "tomcat"
spec:
rules:
- host: tomcat02.od.com
http:
paths:
- path: /
backend:
serviceName: tomcat-service #调用前面创建的tomcat-service
servicePort: 8080
#创建tomcat02的ingress
[root@master01 yaml]# kubectl apply -f tomcat02-clusterIP-ingress.yaml
[root@master01 yaml]# kubectl get ingress |grep tomcat02-ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
tomcat02-ingress
#############################################################################
#在yunwei主机上操作
#nginx配置tomcat02.od.com域名的https,
[root@yunwei ~]# mkdir -p /opt/certs/CA && cd /opt/certs/CA
#创建域名自签CA证书,先创建域名私钥
[root@yunwei CA]# umask 077; openssl genrsa -out tomcat02.od.com.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
..........................................................................................................................+++
e is 65537 (0x10001)
#查看生成的CA签证私钥
[root@yunwei CA]# ll CA.key
-rw------- 1 root root 1675 Dec 17 15:06 tomcat02.od.com.key
#通过CA自签证书创建域名请求文件csr
[root@yunwei CA]# openssl req -new -key tomcat02.od.com.key -out tomcat02.od.com.csr -subj "/CN=tomcat02.od.com/C=CN/ST=BJ/L=Beijing/O=fengge123/OU=ops"
#查看是否生成成功
[root@yunwei CA]# ll tomcat02.od.com.*
-rw------- 1 root root 1005 Dec 17 15:01 tomcat02.od.com.csr
-rw------- 1 root root 1675 Dec 17 14:59 tomcat02.od.com.key
#通过域名请求文件csr,这里的ca.crt, ca.key都是k8s集群的ca一对证书,运维主机没有,就需要拷贝过来。否则有问题
#拷贝master节点k8s的ca证书到运维节点
[root@yunwei CA]# scp master01:/etc/kubernetes/pki/ca.* .
root@master01's password:
ca.crt 100% 1029 631.4KB/s 00:00
ca.key 100% 1675 429.5KB/s 00:00
ca.srl 100% 17 7.3KB/s 00:00
#把k8s集群的证书也内嵌到域名证书里,指定有效期10年
[root@yunwei CA]# openssl x509 -req -in tomcat02.od.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tomcat02.od.com.crt -days 3650
Signature ok
subject=/CN=tomcat02.od.com/C=CN/ST=BJ/L=Beijing/O=fengge123/OU=ops
Getting CA Private Key
[root@yunwei CA]# ll tomcat02.od.com.*
-rw------- 1 root root 1090 Dec 17 15:17 tomcat02.od.com.crt
-rw------- 1 root root 1005 Dec 17 15:10 tomcat02.od.com.csr
-rw------- 1 root root 1679 Dec 17 15:09 tomcat02.od.com.key
#上面tomcat02.od.com域名证书就自签成功了,需要拷贝到nginx节点反向代理,部署https
[root@nginx01 yaml]# mkdir -p /etc/nginx/ssl/
[root@nginx01 yaml]# cd /etc/nginx/ssl/
#拷贝运维节点创建好的域名证书
[root@master01 ssl]# scp yunwei:/opt/certs/CA/tomcat02.od.com.crt .
[root@master01 ssl]# scp yunwei:/opt/certs/CA/tomcat02.od.com.key .
#配置https反向代理,这里的节点可以是集群任何节点,
[root@nginx01 ~]# cd /etc/nginx/conf.d/
[root@nginx01 conf.d]# cat tomcat02.do.com.conf
upstream tomcat02_ingress {
server 192.128.232.16:80 max_fails=3 fail_timeout=10s;
server 192.128.232.17:80 max_fails=3 fail_timeout=10s;
}
server {
listen 80;
server_name tomcat02.od.com;
rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
listen 443 ssl;
server_name tomcat02.od.com;
ssl_certificate "/etc/nginx/ssl/tomcat02.od.com.crt";
ssl_certificate_key "/etc/nginx/ssl/tomcat02.od.com.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://tomcat02_ingress;
proxy_set_header Host $http_host;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}
}
[root@nginx01 conf.d]# nginx -t
[root@nginx01 conf.d]# nginx -s reload
#解析域名到vip地址,在DNS服务器操作
[root@master01 ssl]# vi /var/named/od.com.zone
tomcat02 A 192.128.232.15
[root@master01 ssl]# systemctl restart named
#测试命令行访问或者浏览器访问
[root@yunwei ~]# curl -k https://tomcat02.od.com