Nginx
SSC (self-signed certificate) - for testing only
Secret type: kubernetes.io/tls
mkdir x509 && cd x509
Private Key
openssl genrsa -out nginx-tls.key 2048
Public Key
openssl rsa -in nginx-tls.key -pubout -out nginx-tls
CSR
openssl req -new -key nginx-tls.key -out nginx-tls.csr
Example of the information requested when generating the certificate:
Country: KR
State/Province: Seoul
City: Seoul
Organization: Encore Inc.
Department (OU): IT
Domain (Common Name): www.example.com
Email: admin@encore.com
Certificate
openssl req -x509 -days 3650 -key nginx-tls.key -in nginx-tls.csr -out nginx-tls.crt
rm nginx-tls nginx-tls.csr
ConfigMap
mkdir conf && cd conf
nginx-tls.conf
server {
    listen 80;
    listen 443 ssl;
    server_name myapp.example.com;
    ssl_certificate /etc/nginx/ssl/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tls.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); for anything beyond a test, use TLSv1.2 TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}
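A small audit of the server block above, added here as an example (not part of the original note): it parses the nginx directives, flags the deprecated protocol versions in ssl_protocols, checks that ssl_ciphers excludes aNULL and MD5, and shows that the same block restricted to TLSv1.2/TLSv1.3 (our suggested change) passes clean.

```python
"""Audit an nginx server block for weak TLS settings (added example)."""
import re

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/SSLv3 are long broken.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher classes an ssl_ciphers string should exclude explicitly.
REQUIRED_EXCLUSIONS = ("aNULL", "MD5")

# The server block from nginx-tls.conf in the note above (location block omitted).
WEAK_CONF = """
server {
    listen 80;
    listen 443 ssl;
    server_name myapp.example.com;
    ssl_certificate /etc/nginx/ssl/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tls.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
# Same block restricted to current protocol versions (our suggested change).
HARDENED_CONF = WEAK_CONF.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;")

def parse_directives(conf: str) -> dict[str, list[str]]:
    """Map each simple `name args;` directive to its arguments.
    Repeated directives (the two `listen` lines) are merged in order."""
    found: dict[str, list[str]] = {}
    for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{}]+);", conf, re.M):
        found.setdefault(m.group(1), []).extend(m.group(2).split())
    return found

def audit_tls(conf: str) -> list[str]:
    """Return findings for weak TLS settings; an empty list means none found."""
    d = parse_directives(conf)
    findings: list[str] = []
    if "ssl" not in d.get("listen", []):
        return findings  # not a TLS server block; nothing to audit
    protocols = d.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set; relying on the nginx build default")
    else:
        findings += [f"deprecated protocol enabled: {p}"
                     for p in protocols if p in DEPRECATED_PROTOCOLS]
    cipher_spec = d.get("ssl_ciphers", [""])[0].split(":")
    findings += [f"ssl_ciphers does not exclude {c}"
                 for c in REQUIRED_EXCLUSIONS if f"!{c}" not in cipher_spec]
    return findings
```

Run audit_tls(WEAK_CONF) to see the two deprecated-protocol findings for the note's config; the cipher string itself already excludes aNULL and MD5.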
Create the ConfigMap
nginx-tls-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-tls-config
data:
  nginx-tls.conf: |
    server {
        listen 80;
        listen 443 ssl;
        server_name myapp.example.com;
        ssl_certificate /etc/nginx/ssl/tls.crt;
        ssl_certificate_key /etc/nginx/ssl/tls.key;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); for anything beyond a test, use TLSv1.2 TLSv1.3
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location / {
            root /usr/share/nginx/html;
            index index.html;
        }
    }
Create the Secret
nginx-tls-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: nginx-tls-secret
type: kubernetes.io/tls
data:
  # base64 x509/nginx-tls.crt -w 0
  tls.crt: |
    LS0tLS1C...
  # base64 x509/nginx-tls.key -w 0
  tls.key: |
    LS0tLS1C...
Create the Pod
nginx-https-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-https-pod
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: nginx-config
      mountPath: /etc/nginx/conf.d
    - name: nginx-certs
      mountPath: /etc/nginx/ssl
  volumes:
  - name: nginx-config
    configMap:
      name: nginx-tls-config
  - name: nginx-certs
    secret:
      secretName: nginx-tls-secret
Create the Service
nginx-svc-lb.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc-lb
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443
Test
curl -k https://192.168.100.X