Similarly to the steps above, first create a certificate for the domain nginx.api.com with the generate.sh command, and create a Kubernetes Secret that holds the nginx server's certificate. The certificate setup can be found in the files under the mtls-go-example/sni directory:
kubectl create secret tls nginx-apiserver-certs --key nginx.api.com/3_application/private/nginx.api.com.key.pem --cert nginx.api.com/3_application/certs/nginx.api.com.cert.pem
Create the configuration file nginx.conf for the nginx server; the full file is nginx-v2.conf in the mtls-go-example/sni directory. This configuration mounts the certificate created above and defines a root path that directly returns the text "Istio!" with status code 200. The content is as follows:
events {
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;
    server {
        listen 443 ssl;
        location / {
            return 200 'Istio!';
            add_header Content-Type text/plain;
        }
        server_name nginx.api.com;
        ssl_certificate /etc/nginx-server-certs/tls.crt;
        ssl_certificate_key /etc/nginx-server-certs/tls.key;
    }
}
Create a Kubernetes ConfigMap to store the nginx server's configuration:
kubectl create configmap nginx-api-configmap --from-file=nginx.conf=./nginx-v2.conf
Redeploy the nginx2 server with the following manifest; the full file is nginx-svc-v2.yaml in the mtls-go-example/sni directory:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: nginx2
  labels:
    app: nginx2
spec:
  ports:
  - port: 443
    protocol: TCP
  selector:
    app: nginx2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx2
spec:
  selector:
    matchLabels:
      app: nginx2
      version: v2
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx2
        version: v2
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx
          readOnly: true
        - name: nginx-server-certs
          mountPath: /etc/nginx-server-certs
          readOnly: true
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-api-configmap
      - name: nginx-server-certs
        secret:
          secretName: nginx-apiserver-certs
EOF
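The three pieces above only work together if they agree on names and paths: nginx.conf must point at files that the Deployment actually mounts, the mount must be backed by the Secret created with kubectl create secret tls, and that Secret only ever contains the keys tls.crt and tls.key. A mismatch (for example referencing nginx.api.com.cert.pem inside the pod, or a typo in secretName) surfaces only as an nginx startup failure. The following check is an added example, not code from the book or from the mtls-go-example repository. It parses the TLS directives out of nginx.conf and cross-checks them against the pod spec in the JSON shape that kubectl get deployment nginx2 -o json returns; both inputs here are constructed samples reduced to the fields the check needs.

```python
import json
import re

# Constructed sample: the TLS-relevant part of the page's nginx.conf.
NGINX_CONF = """
http {
    server {
        listen 443 ssl;
        server_name nginx.api.com;
        ssl_certificate /etc/nginx-server-certs/tls.crt;
        ssl_certificate_key /etc/nginx-server-certs/tls.key;
    }
}
"""

# Constructed sample: the pod-spec part of `kubectl get deployment nginx2 -o json`,
# matching the Deployment applied above.
DEPLOYMENT_JSON = json.dumps({
    "kind": "Deployment",
    "metadata": {"name": "nginx2"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "nginx", "volumeMounts": [
            {"name": "nginx-config", "mountPath": "/etc/nginx", "readOnly": True},
            {"name": "nginx-server-certs", "mountPath": "/etc/nginx-server-certs",
             "readOnly": True},
        ]}],
        "volumes": [
            {"name": "nginx-config", "configMap": {"name": "nginx-api-configmap"}},
            {"name": "nginx-server-certs", "secret": {"secretName": "nginx-apiserver-certs"}},
        ],
    }}},
})

# `kubectl create secret tls` always writes exactly these two keys into the Secret.
TLS_SECRET_KEYS = {"tls.crt", "tls.key"}

# One TLS directive per line: "ssl_certificate <path>;" or "ssl_certificate_key <path>;"
DIRECTIVE_RE = re.compile(r"^\s*(ssl_certificate|ssl_certificate_key)\s+(\S+?)\s*;", re.M)


def tls_paths(conf_text):
    """Return [(directive, path), ...] for every TLS file nginx.conf references."""
    return [(m.group(1), m.group(2)) for m in DIRECTIVE_RE.finditer(conf_text)]


def secret_mounts(deployment):
    """Return [(mountPath, secretName, readOnly), ...] for Secret-backed mounts."""
    pod = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    mounts = []
    for container in pod["containers"]:
        for mount in container.get("volumeMounts", []):
            volume = volumes.get(mount["name"], {})
            if "secret" in volume:
                mounts.append((mount["mountPath"].rstrip("/"),
                               volume["secret"]["secretName"],
                               bool(mount.get("readOnly", False))))
    return mounts


def check_tls_wiring(conf_text, deployment_json):
    """Cross-check nginx.conf TLS paths against the Deployment; return a list of problems."""
    mounts = secret_mounts(json.loads(deployment_json))
    problems = []
    for directive, path in tls_paths(conf_text):
        hit = next((m for m in mounts if path.startswith(m[0] + "/")), None)
        if hit is None:
            problems.append(f"{directive} {path}: not under any Secret-backed volumeMount")
            continue
        mount_path, secret_name, read_only = hit
        key = path[len(mount_path) + 1:]
        if key not in TLS_SECRET_KEYS:
            problems.append(f"{directive} {path}: Secret {secret_name} has no key '{key}' "
                            f"(a tls Secret only contains tls.crt and tls.key)")
        if not read_only:
            problems.append(f"{directive} {path}: mount {mount_path} of Secret "
                            f"{secret_name} should be readOnly")
    return problems


if __name__ == "__main__":
    for problem in check_tls_wiring(NGINX_CONF, DEPLOYMENT_JSON) or ["TLS wiring consistent"]:
        print(problem)
```

Run it against the real objects by replacing the two constants with the contents of nginx-v2.conf and the output of kubectl get deployment nginx2 -o json. Note that mounting the ConfigMap at /etc/nginx hides everything the image ships in that directory (mime.types, conf.d), which is why the configuration above is self-contained and sets Content-Type explicitly.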