Continuing from the previous example, modify the nginx server so that it serves HTTPS. First create a Kubernetes Secret to hold the nginx server's certificate and private key; the certificate files can be found under the directory mtls-go-example/sni:

kubectl create secret tls nginx-server-certs --key nginx.example.com/3_application/private/nginx.example.com.key.pem --cert nginx.example.com/3_application/certs/nginx.example.com.cert.pem
Next create the configuration file nginx.conf for the nginx server, which points at the certificate and key mounted from that Secret; see the file nginx-v1.conf under the directory mtls-go-example/sni. Its content is as follows:

events {
}
http {
  log_format main '$remote_addr - $remote_user [$time_local] $status '
  '"$request" $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log;
  server {
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html;
    server_name nginx.example.com;
    ssl_certificate /etc/nginx-server-certs/tls.crt;
    ssl_certificate_key /etc/nginx-server-certs/tls.key;
  }
}
Create a Kubernetes ConfigMap to store the nginx server configuration:

kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.conf
Redeploy the nginx server with the following YAML, which mounts the ConfigMap at /etc/nginx and the Secret at /etc/nginx-server-certs (the paths referenced by nginx.conf); see the file nginx-svc-v1.yaml under the directory mtls-go-example/sni:

apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  ports:
  - port: 443
    protocol: TCP
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
      version: v1
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
        version: v1
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx
          readOnly: true
        - name: nginx-server-certs
          mountPath: /etc/nginx-server-certs
          readOnly: true
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-configmap
      - name: nginx-server-certs
        secret:
          secretName: nginx-server-certs
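The two things that most often go wrong with this setup are a Secret whose tls.crt and tls.key do not belong together, and a certificate whose names do not cover the server_name in nginx.conf (the TLS handshake then fails or clients see a hostname mismatch). The following Go program is an added example and is not part of the book's mtls-go-example code: it generates a self-signed certificate for nginx.example.com in memory (a constructed stand-in for the CA-issued files under 3_application/), builds the same kubernetes.io/tls Secret layout that kubectl create secret tls produces (tls.crt and tls.key, base64-encoded), runs the same certificate/key pairing check kubectl performs (tls.X509KeyPair), and finally checks that the stored certificate is valid for the configured server_name. The names GenerateServerCert, BuildTLSSecret, CheckServerName and the TLSSecret type are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TLSSecret mirrors the fields of a Kubernetes Secret of type kubernetes.io/tls.
// Data values are base64-encoded, exactly as they appear in a Secret manifest.
type TLSSecret struct {
	Name string
	Type string
	Data map[string]string
}

// GenerateServerCert creates a self-signed server certificate and key for host.
// This is constructed test material standing in for the CA-issued files; a
// production server would use a certificate issued by a trusted CA instead.
func GenerateServerCert(host string) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN entry; this is what clients match server_name against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// BuildTLSSecret does what `kubectl create secret tls` does: it refuses a
// certificate/key pair that does not match and stores the pair under the
// fixed keys tls.crt and tls.key, which nginx.conf above reads from the mount.
func BuildTLSSecret(name string, certPEM, keyPEM []byte) (*TLSSecret, error) {
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return nil, fmt.Errorf("certificate and key do not match: %w", err)
	}
	return &TLSSecret{
		Name: name,
		Type: "kubernetes.io/tls",
		Data: map[string]string{
			"tls.crt": base64.StdEncoding.EncodeToString(certPEM),
			"tls.key": base64.StdEncoding.EncodeToString(keyPEM),
		},
	}, nil
}

// CheckServerName verifies that the certificate stored in the Secret is valid
// for the server_name configured in nginx.conf, so the handshake will not fail
// with a hostname mismatch once the Deployment is rolled out.
func CheckServerName(s *TLSSecret, serverName string) error {
	raw, err := base64.StdEncoding.DecodeString(s.Data["tls.crt"])
	if err != nil {
		return err
	}
	block, _ := pem.Decode(raw)
	if block == nil {
		return fmt.Errorf("tls.crt does not contain PEM data")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(serverName)
}

func main() {
	certPEM, keyPEM, err := GenerateServerCert("nginx.example.com")
	if err != nil {
		panic(err)
	}
	s, err := BuildTLSSecret("nginx-server-certs", certPEM, keyPEM)
	if err != nil {
		panic(err)
	}
	if err := CheckServerName(s, "nginx.example.com"); err != nil {
		panic(err)
	}
	fmt.Printf("Secret %s (%s) holds %d entries and matches server_name\n", s.Name, s.Type, len(s.Data))
}
```

Run the same two checks against the real files before running kubectl create secret tls: a mismatched pair is rejected at creation time, but a certificate that does not cover nginx.example.com is accepted by kubectl and only shows up as a failed handshake after the Pod starts.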