After our intranet Spring Boot system has been published to the k8s environment with one click, we also want to reach its service interfaces over HTTPS. This is not complicated; there are two ways to do it:
1. Via Spring Boot code and configuration
1. HTTP to HTTPS access

1) Add the following to pom.xml. Maven resource filtering rewrites files as text, which corrupts a binary keystore; listing the extension here tells maven-resources-plugin to copy it byte-for-byte:

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-resources-plugin</artifactId>
  <configuration>
    <nonFilteredFileExtensions>
      <!-- file extension to exclude from filtering -->
      <nonFilteredFileExtension>p12</nonFilteredFileExtension>
    </nonFilteredFileExtensions>
  </configuration>
</plugin>
```

2) Generate the certificate with mkcert. Download mkcert, then:

```sh
mv mkcert /usr/local/bin/
mkcert localhost 127.0.0.1
# export to PKCS#12; remember the password you enter here
openssl pkcs12 -export -inkey localhost+1-key.pem -in localhost+1.pem -name localhost -out localhost.p12
# optional: convert to JKS, entering the same password
keytool -importkeystore -srckeystore localhost.p12 -srcstoretype pkcs12 -destkeystore localhost.jks
```

Add the configuration to the yml:

```yaml
server:
  port: 9901
  ssl:
    # the name of the certificate you generated
    key-store: classpath:localhost.p12
    key-store-password: 123456
    key-store-type: PKCS12
```

JKS also works; change nonFilteredFileExtension in the pom to jks:

```yaml
server:
  port: 9901
  ssl:
    # the name of the certificate you generated
    key-store: classpath:localhost.jks
    key-store-password: 123456
    key-store-type: JKS
```

3) Code: see BaseHttpsConfig under base; by default HTTP on 8080 is redirected to the HTTPS service port.

Two caveats. The mkcert certificate only covers localhost and 127.0.0.1 and is only trusted on machines where the mkcert CA was installed, so this path is for local development, not for a hostname that other services call. And key-store-password is the password chosen at the openssl -export step; in a deployment read it from an environment variable or a k8s Secret (a ${...} placeholder works in application.yml) rather than committing it next to the .p12.
2. Via Istio Gateway configuration (recommended)

No Spring Boot code changes are needed; yaml configuration plus a few k8s operations are enough.
2.1 Generate certificates for the server and client

The mtls-go-example repository ships a generate.sh that creates a throwaway root CA, an intermediate CA, a server certificate for the given hostname and a client certificate. The chain is self-signed, so callers must trust the 1_root CA explicitly; it is a demo PKI, not a substitute for the company CA or cert-manager in production. The leading # in the original listing was the root shell prompt, not a comment:

```sh
git clone https://github.com/nicholasjackson/mtls-go-example
pushd mtls-go-example
./generate.sh www.demo-istio.com <password>
mkdir ../www.demo-istio.com && mv 1_root 2_intermediate 3_application 4_client ../www.demo-istio.com
popd
```
2.2 Configure the gateway for HTTPS

Create the secret. It goes in istio-system, the namespace of the ingress gateway pod, because the gateway resolves credentialName through SDS in its own namespace, not in the application's namespace. The entry names key and cert are what Istio expects in a generic secret (a kubernetes.io/tls secret with tls.key and tls.crt works as well). This secret now holds the server's private key, so keep RBAC on secrets in istio-system tight:

```sh
kubectl create -n istio-system secret generic demo-istio-certs \
  --from-file=key=www.demo-istio.com/3_application/private/www.demo-istio.com.key.pem \
  --from-file=cert=www.demo-istio.com/3_application/certs/www.demo-istio.com.cert.pem
```

Check that the secret was created:

```sh
kubectl get secret -n istio-system
```

```
[root@k8s-master server]# kubectl get secret -n istio-system
NAME                                               TYPE                                  DATA   AGE
default-token-v7sql                                kubernetes.io/service-account-token   3      45d
grafana-token-6xxxz                                kubernetes.io/service-account-token   3      45d
istio-ca-secret                                    istio.io/ca-root                      5      45d
istio-egressgateway-service-account-token-8z4sc    kubernetes.io/service-account-token   3      45d
demo-istio-certs                                   Opaque                                2      25h
istio-ingressgateway-service-account-token-mnkw6   kubernetes.io/service-account-token   3      45d
istio-reader-service-account-token-6zmgx           kubernetes.io/service-account-token   3      45d
istiod-service-account-token-njlqz                 kubernetes.io/service-account-token   3      45d
kiali-token-t9b5x                                  kubernetes.io/service-account-token   3      45d
prometheus-token-k8bm4                             kubernetes.io/service-account-token   3      31d
```
Configure the gateway. mode SIMPLE is server-side TLS only; the client certificates from 2.1 are only needed with mode MUTUAL, which additionally requires the CA chain as a cacert entry in the same secret:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: demo-istio
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - 'www.demo-istio.com'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: "demo-istio-certs"
```
Start the service and the gateway, then access it over HTTPS:

https://www.demo-istio.com

The client must resolve www.demo-istio.com to the ingress gateway's address (DNS or a hosts entry) and trust the root CA from 1_root, otherwise certificate verification fails; skipping verification with an insecure flag is only acceptable in a throwaway test.
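Before applying the Gateway it is worth checking the three objects against each other, since the failure modes are silent until the first TLS handshake: credentialName is resolved in the ingress gateway's namespace, the secret needs the right entry names for the TLS mode, and every VirtualService host must be covered by a Gateway host. The following Python script is an added example, not part of the original post or of the lvmoney project. It lints the Gateway, the VirtualService from section 3.2 and the secret from this section, embedded as constructed dicts with placeholder base64 data (yaml.safe_load_all on the real files yields the same shape); the with_secret_namespace helper is only there to show a misplaced secret being caught.

```python
import fnmatch

# Namespace of the istio-ingressgateway pod; credentialName is looked up here, not in the app namespace.
INGRESS_NAMESPACE = "istio-system"

# Entry names Istio accepts in a credentialName secret, per TLS mode:
# generic secrets use key/cert[/cacert], kubernetes.io/tls secrets use tls.key/tls.crt[/ca.crt].
REQUIRED_KEYS = {
    "SIMPLE": [{"key", "cert"}, {"tls.key", "tls.crt"}],
    "MUTUAL": [{"key", "cert", "cacert"}, {"tls.key", "tls.crt", "ca.crt"}],
}

# Constructed inputs mirroring the YAML on this page (secret data is placeholder base64).
GATEWAY = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "Gateway",
    "metadata": {"name": "demo-istio", "namespace": "default"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"hosts": ["www.demo-istio.com"],
                          "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
                          "tls": {"mode": "SIMPLE", "credentialName": "demo-istio-certs"}}]},
}
VIRTUAL_SERVICE = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "VirtualService",
    "metadata": {"name": "demo-istio", "namespace": "default"},
    "spec": {"gateways": ["demo-istio"], "hosts": ["www.demo-istio.com"],
             "http": [{"route": [{"destination": {"host": "demo-istio", "port": {"number": 8070}}}]}]},
}
SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "demo-istio-certs", "namespace": INGRESS_NAMESPACE},
    "data": {"key": "LS0tLS1CRUdJTiBQUklWQVRF", "cert": "LS0tLS1CRUdJTiBDRVJUSUZJ"},
}


def host_matches(host, pattern):
    """Gateway hosts may be written 'ns/host' and may start with a '*.' wildcard."""
    return fnmatch.fnmatchcase(host, pattern.split("/")[-1])


def lint(gateway, virtual_service, secrets):
    """Return a list of problems; an empty list means the three objects are consistent."""
    findings = []
    gw_name = gateway["metadata"]["name"]
    gw_ns = gateway["metadata"]["namespace"]
    by_ref = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    gw_hosts = []
    for server in gateway["spec"]["servers"]:
        port, tls = server["port"], server.get("tls", {})
        gw_hosts.extend(server.get("hosts", []))
        if port["protocol"] == "HTTP" and not tls.get("httpsRedirect"):
            findings.append(f"server {port['name']}: plaintext HTTP on port {port['number']} without httpsRedirect")
        if port["protocol"] != "HTTPS":
            continue
        if not tls:
            findings.append(f"server {port['name']}: protocol HTTPS but no tls block")
            continue
        mode = tls.get("mode")
        if mode not in REQUIRED_KEYS:
            continue  # PASSTHROUGH / ISTIO_MUTUAL carry no credentialName
        cred = tls.get("credentialName")
        if not cred:
            if not (tls.get("serverCertificate") and tls.get("privateKey")):
                findings.append(f"server {port['name']}: mode {mode} but neither credentialName nor mounted cert files")
            continue
        secret = by_ref.get((INGRESS_NAMESPACE, cred))
        if secret is None:
            findings.append(f"server {port['name']}: secret {cred} not found in {INGRESS_NAMESPACE} "
                            f"(credentialName is resolved in the gateway namespace, not in {gw_ns})")
            continue
        present = set(secret.get("data", {}))
        if not any(required <= present for required in REQUIRED_KEYS[mode]):
            findings.append(f"server {port['name']}: secret {cred} lacks entries for mode {mode}: has {sorted(present)}")
    spec = virtual_service["spec"]
    if gw_name not in spec.get("gateways", []) and f"{gw_ns}/{gw_name}" not in spec.get("gateways", []):
        findings.append(f"VirtualService does not bind to gateway {gw_name}")
    for host in spec.get("hosts", []):
        if not any(host_matches(host, pattern) for pattern in gw_hosts):
            findings.append(f"VirtualService host {host} is not served by any Gateway host {gw_hosts}")
    return findings


def with_secret_namespace(secret, namespace):
    """Copy of the secret placed in another namespace, to demonstrate the misplaced-secret finding."""
    return {**secret, "metadata": {**secret["metadata"], "namespace": namespace}}


if __name__ == "__main__":
    print("as configured:", lint(GATEWAY, VIRTUAL_SERVICE, [SECRET]))
    print("secret created in default:", lint(GATEWAY, VIRTUAL_SERVICE, [with_secret_namespace(SECRET, "default")]))
```

With the objects as written on this page the lint returns no findings; creating demo-istio-certs in default instead of istio-system, or with the wrong entry names, produces one finding each, which is the same situation that otherwise only shows up as a handshake failure at the gateway.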
3. Complete service and routing yaml for reference

3.1 Service deployment

Annotation values in Kubernetes are strings, so prometheus.io/scrape and prometheus.io/port are quoted here; the unquoted false and 8070 in the original are rejected by the API server when the manifest is applied. Two further points worth knowing: naming the Service port http-demo-istio (or setting appProtocol: http) makes Istio treat it as HTTP explicitly instead of relying on protocol sniffing, and -Xmx set to the full memory limit leaves no room for metaspace and thread stacks, so the container can be OOM-killed before the heap is full.

```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: demo-istio
    service: demo-istio
  name: demo-istio
  namespace: default
spec:
  ports:
    - name: demo-istio
      port: 8070
  selector:
    app: demo-istio
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: demo-istio
    version: v1
  name: demo-istio-v1
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-istio
      version: v1
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "false"
        prometheus.io/path: /actuator/prometheus
        prometheus.io/port: "8070"
      labels:
        app: demo-istio
        version: v1
    spec:
      containers:
        - env:
            - name: LIMITS_MEMORY
              valueFrom:
                resourceFieldRef:
                  divisor: 1Mi
                  resource: limits.memory
            - name: JAVA_OPTS
              value: -Xmx$(LIMITS_MEMORY)m -XshowSettings:vm -Duser.timezone=Asia/Shanghai
          image: 192.168.10.59:8080/frame/demo-frame-istio:1.0.RELEASE
          imagePullPolicy: Always
          name: demo-istio
          ports:
            - containerPort: 8070
          resources:
            limits:
              cpu: 2048m
              memory: 2048Mi
            requests:
              cpu: 1024m
              memory: 1024Mi
          volumeMounts:
            - mountPath: /sidecar
              name: sidecar
      hostAliases:
        - hostnames:
            - www.zipkin.com
          ip: 192.168.10.80
      imagePullSecrets:
        - name: regsecret
      initContainers:
        - command:
            - cp
            - -r
            - /opt/skywalking/agent
            - /sidecar
          image: 192.168.10.59:8080/frame/skywalking-agent:v1
          imagePullPolicy: Always
          name: sidecar
          volumeMounts:
            - mountPath: /sidecar
              name: sidecar
      volumes:
        - emptyDir: {}
          name: sidecar
```
3.2 Routing deployment

This serves the service over both https://www.demo-istio.com and http://www.demo-istio.com. HTTP is kept for Prometheus scraping on the intranet; HTTPS is what intranet service calls should use. Note that the VirtualService does not distinguish the two ports, so every route is reachable in plaintext on port 80 as well. If plaintext is only meant for Prometheus, either restrict the HTTP routes with a port match in the VirtualService or set tls.httpsRedirect: true on the port-80 server; scraping via the prometheus.io annotations goes to the pod IP and never passes through the gateway in the first place.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: demo-istio
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*.demo-istio.com'
      port:
        name: http
        number: 80
        protocol: HTTP
    - hosts:
        - '*.demo-istio.com'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: demo-istio-certs
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: demo-istio
  namespace: default
spec:
  gateways:
    - demo-istio
  hosts:
    - www.demo-istio.com
  http:
    - retries:
        attempts: 3
        perTryTimeout: 3s
      route:
        - destination:
            host: demo-istio
            port:
              number: 8070
            subset: v1
      timeout: 9s
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: demo-istio
  namespace: default
spec:
  host: demo-istio
  subsets:
    - labels:
        version: v1
      name: v1
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 1024
        http2MaxRequests: 2048
        maxRequestsPerConnection: 200
        maxRetries: 3
      tcp:
        connectTimeout: 3s
        maxConnections: 2048
    outlierDetection:
      baseEjectionTime: 3m
      consecutiveErrors: 3
      interval: 3s
      maxEjectionPercent: 100
```
4. Generating the service and routing yaml with one click

Don't reinvent the wheel: hand-writing yaml for every service is laborious and error-prone, so generate it programmatically instead.

https://gitee.com/lvmoney/lvmoney-frame-parent/tree/master/lvmoney-frame-cloud/lvmoney-frame-cloud-base
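As an added example of the "generate the yaml" idea, and not the lvmoney project's own generator, here is a small Python renderer that emits the Service, Deployment, Gateway, VirtualService and DestinationRule for one service as a single JSON document of kind List (kubectl apply -f accepts JSON and List objects, so no YAML library is needed). Names, ports and sizes follow this page's manifests; the image path in the usage call is a placeholder. It bakes in the three details that are easy to get wrong by hand: annotation values are emitted as strings, the Service port is named http-<name> so Istio classifies it as HTTP rather than sniffing, and plaintext port 80 is redirected to HTTPS unless the caller explicitly asks for plaintext.

```python
import json


def service(name, port, namespace):
    return {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": name, "namespace": namespace, "labels": {"app": name, "service": name}},
        # the 'http-' prefix is Istio's explicit protocol selection; no reliance on protocol sniffing
        "spec": {"selector": {"app": name}, "ports": [{"name": f"http-{name}", "port": port}]},
    }


def deployment(name, version, image, port, namespace, replicas=1):
    labels = {"app": name, "version": version}
    annotations = {  # annotation values must be strings, so the port is str()'d and the bool quoted
        "prometheus.io/scrape": "true",
        "prometheus.io/path": "/actuator/prometheus",
        "prometheus.io/port": str(port),
    }
    container = {
        "name": name, "image": image, "imagePullPolicy": "Always",
        "ports": [{"containerPort": port}],
        "resources": {"requests": {"cpu": "1024m", "memory": "1024Mi"},
                      "limits": {"cpu": "2048m", "memory": "2048Mi"}},
    }
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": f"{name}-{version}", "namespace": namespace, "labels": labels},
        "spec": {"replicas": replicas, "selector": {"matchLabels": labels},
                 "template": {"metadata": {"labels": labels, "annotations": annotations},
                              "spec": {"containers": [container]}}},
    }


def gateway(name, host, credential_name, namespace, https_redirect=True):
    http_server = {"hosts": [host], "port": {"name": "http", "number": 80, "protocol": "HTTP"}}
    if https_redirect:
        http_server["tls"] = {"httpsRedirect": True}  # answer plaintext requests with a 301 to https
    https_server = {"hosts": [host], "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
                    "tls": {"mode": "SIMPLE", "credentialName": credential_name}}
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "Gateway",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"selector": {"istio": "ingressgateway"}, "servers": [http_server, https_server]}}


def virtual_service(name, host, port, version, namespace):
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "VirtualService",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"hosts": [host], "gateways": [name],
                     "http": [{"timeout": "9s",
                               "retries": {"attempts": 3, "perTryTimeout": "3s"},
                               "route": [{"destination": {"host": name, "port": {"number": port},
                                                          "subset": version}}]}]}}


def destination_rule(name, version, namespace):
    # consecutive5xxErrors is the current name of the deprecated consecutiveErrors field
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"host": name, "subsets": [{"name": version, "labels": {"version": version}}],
                     "trafficPolicy": {"connectionPool": {"tcp": {"maxConnections": 2048, "connectTimeout": "3s"},
                                                          "http": {"http1MaxPendingRequests": 1024, "maxRetries": 3}},
                                       "outlierDetection": {"consecutive5xxErrors": 3, "interval": "3s",
                                                            "baseEjectionTime": "3m", "maxEjectionPercent": 100}}}}


def render(name, host, image, port, credential_name, version="v1", namespace="default", https_redirect=True):
    """All manifests for one service as a kind: List, which kubectl apply -f accepts as JSON."""
    return {"apiVersion": "v1", "kind": "List", "items": [
        service(name, port, namespace),
        deployment(name, version, image, port, namespace),
        gateway(name, host, credential_name, namespace, https_redirect),
        virtual_service(name, host, port, version, namespace),
        destination_rule(name, version, namespace),
    ]}


def to_json(manifests):
    return json.dumps(manifests, indent=2)


if __name__ == "__main__":
    # image path is a placeholder; use your own registry
    print(to_json(render("demo-istio", "www.demo-istio.com",
                         "registry.example/frame/demo-frame-istio:1.0.RELEASE", 8070, "demo-istio-certs")))
```

Pipe the output into kubectl apply -f - to deploy. Pass https_redirect=False only when a plaintext route through the gateway is genuinely needed; Prometheus scraping via pod annotations does not need it, since it contacts the pod IP directly.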