Self-signed certificates are generally used for service-to-service or intranet access; when accessed from the public internet, browsers show an insecure-connection warning.
Prerequisites
Kubernetes cluster < 1.19
cert-manager
ingress-nginx
Create the ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
Create the Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-test
spec:
  dnsNames:
  - example.com # list of DNS names the certificate covers
  secretName: selfsigned-cert-tls # Secret that will hold tls.crt / tls.key
  issuerRef:
    name: selfsigned # must match the ClusterIssuer name
    kind: ClusterIssuer
Check the certificate status; once READY shows True, the certificate can be used.
Create the Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # Not needed here: the Certificate was created by hand above. With this annotation
    # ingress-shim would create a second Certificate for the same Secret.
    #cert-manager.io/cluster-issuer: selfsigned
spec:
  ingressClassName: nginx
  tls:
  - secretName: selfsigned-cert-tls # the Secret name, i.e. the Certificate's secretName (not the Certificate's name)
    hosts:
    - example.com # domain covered by the certificate
  rules:
  - host: example.com # host used to access the service
    http:
      paths:
      - path: /
        #pathType: ImplementationSpecific
        pathType: Prefix
        backend:
          service:
            name: demo # Service name
            port:
              number: 80 # the Service port, not the Pod port
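As an added check (example code, not part of the original note or of cert-manager), the script below cross-checks the wiring between the ClusterIssuer, Certificate and Ingress above before they are applied: issuerRef against the issuer, tls.secretName against the Certificate's secretName, tls hosts against dnsNames, and the ingress-shim annotation against a hand-written Certificate. The manifests are transcribed as Python dicts, including the Ingress's original tls.secretName, and `lint_manifests` is an assumed helper name.

```python
# Added example (not from the original note): cross-check the three manifests above before
# applying them. The objects are the page's manifests transcribed as dicts (a real run would
# load them with a YAML parser instead).
from typing import Any, Dict, List

SHIM_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")


def lint_manifests(issuer: Dict[str, Any], cert: Dict[str, Any], ingress: Dict[str, Any]) -> List[str]:
    """Return the wiring problems between an issuer, a Certificate and an Ingress (empty = consistent)."""
    problems: List[str] = []
    ref = cert["spec"]["issuerRef"]
    if (ref.get("kind", "Issuer"), ref["name"]) != (issuer["kind"], issuer["metadata"]["name"]):
        problems.append(f"Certificate issuerRef {ref} does not point at {issuer['kind']}/{issuer['metadata']['name']}")
    secret = cert["spec"]["secretName"]
    dns_names = set(cert["spec"].get("dnsNames", []))
    tls_hosts: set = set()
    for tls in ingress["spec"].get("tls", []):
        if tls.get("secretName") != secret:
            problems.append(f"Ingress tls.secretName {tls.get('secretName')!r} must equal the Certificate's "
                            f"secretName {secret!r} (the Secret name, not the Certificate name)")
        not_covered = set(tls.get("hosts", [])) - dns_names
        if not_covered:
            problems.append(f"tls hosts {sorted(not_covered)} are missing from Certificate dnsNames")
        tls_hosts |= set(tls.get("hosts", []))
    rule_hosts = {r["host"] for r in ingress["spec"].get("rules", []) if "host" in r}
    if rule_hosts - tls_hosts:
        problems.append(f"rule hosts {sorted(rule_hosts - tls_hosts)} are served without TLS")
    # ingress-shim creates its own Certificate named after tls.secretName, so a hand-written
    # Certificate plus this annotation means two Certificates writing the same Secret.
    present = [a for a in SHIM_ANNOTATIONS if a in ingress["metadata"].get("annotations", {})]
    if present:
        problems.append(f"drop {present} or the hand-written Certificate: both would manage Secret {secret!r}")
    return problems

# Constructed from the page's manifests, including the Ingress's original tls.secretName.
ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "selfsigned"}, "spec": {"selfSigned": {}}}
CERT = {"kind": "Certificate", "metadata": {"name": "selfsigned-test"},
        "spec": {"dnsNames": ["example.com"], "secretName": "selfsigned-cert-tls",
                 "issuerRef": {"name": "selfsigned", "kind": "ClusterIssuer"}}}
INGRESS_AS_WRITTEN = {"kind": "Ingress",
    "metadata": {"name": "demo-ingress", "annotations": {"cert-manager.io/cluster-issuer": "selfsigned"}},
    "spec": {"tls": [{"secretName": "selfsigned-test", "hosts": ["example.com"]}],
             "rules": [{"host": "example.com"}]}}
INGRESS_FIXED = {"kind": "Ingress", "metadata": {"name": "demo-ingress", "annotations": {}},
    "spec": {"tls": [{"secretName": "selfsigned-cert-tls", "hosts": ["example.com"]}],
             "rules": [{"host": "example.com"}]}}

if __name__ == "__main__":
    for problem in lint_manifests(ISSUER, CERT, INGRESS_AS_WRITTEN):
        print("PROBLEM:", problem)  # two findings for the manifests as originally written
```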
Testing
Add the domain to your hosts file, then open it in a browser.