
Running our Spring Boot services on k8s: HTTPS requests to the Spring Boot service

柠檬
Published: 22 January 2021

Once our intranet Spring Boot systems are deployed to the k8s environment with one click, we also want to reach the service endpoints over HTTPS. Getting HTTPS working is not complicated; there are two ways:

1. Via Spring Boot code and configuration

1) HTTP to HTTPS access

Add the following to pom.xml so that the keystore is copied into the jar without resource filtering (filtering would corrupt the binary file):

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-resources-plugin</artifactId>
  <configuration>
    <nonFilteredFileExtensions>
      <!-- file extension of the keystore -->
      <nonFilteredFileExtension>p12</nonFilteredFileExtension>
    </nonFilteredFileExtensions>
  </configuration>
</plugin>
```

2) Generate a certificate with mkcert (download it first, then):

```shell
mv mkcert /usr/local/bin/
mkcert localhost 127.0.0.1
# bundle certificate and key into a PKCS12 keystore; remember the export password you enter here
openssl pkcs12 -export -inkey localhost+1-key.pem -in localhost+1.pem -name localhost -out localhost.p12
# optional: convert to JKS (enter the password from above);
# -deststoretype is required on JDK 9+, where the default store type is PKCS12
keytool -importkeystore -srckeystore localhost.p12 -srcstoretype pkcs12 -destkeystore localhost.jks -deststoretype JKS
```

Then add to application.yml:

```yaml
server:
  port: 9901
  ssl:
    # name of the keystore you generated
    key-store: classpath:localhost.p12
    key-store-password: 123456
    key-store-type: PKCS12
```

JKS works too: change nonFilteredFileExtension in the pom to jks and use

```yaml
server:
  port: 9901
  ssl:
    key-store: classpath:localhost.jks
    key-store-password: 123456
    key-store-type: JKS
```

3) Code: see BaseHttpsConfig under base (in the repository linked at the end); by default HTTP on 8080 is redirected to the HTTPS service port.

Two caveats: a mkcert certificate is trusted only on machines where the mkcert CA has been installed (`mkcert -install`), so it is for local development, not for exposing a service. And packaging the keystore and its password into the jar and application.yml means every build artifact carries the private key; outside of development, supply the password through an environment variable (`key-store-password: ${SSL_KEYSTORE_PASSWORD}`) and mount the keystore from a Secret instead of the classpath.

2. Via Istio gateway plus configuration (recommended)

No Spring Boot code has to change at all; YAML configuration and a few k8s operations are enough.


2.1 Generate certificates for the server and client

```shell
git clone https://github.com/nicholasjackson/mtls-go-example
pushd mtls-go-example
./generate.sh www.demo-istio.com <password>
# generate.sh writes the root CA, intermediate CA, server (application) and client material
# into the directories 1_root, 2_intermediate, 3_application and 4_client
mkdir ../www.demo-istio.com && mv 1_root 2_intermediate 3_application 4_client ../www.demo-istio.com
popd
```

Only the server certificate and key under 3_application are used below; the client certificates in 4_client become relevant only if the gateway is later switched to `mode: MUTUAL`.


2.2 Configure HTTPS support on the gateway


Create the secret

```shell
kubectl create -n istio-system secret generic demo-istio-certs \
  --from-file=key=www.demo-istio.com/3_application/private/www.demo-istio.com.key.pem \
  --from-file=cert=www.demo-istio.com/3_application/certs/www.demo-istio.com.cert.pem
```

The secret must live in istio-system, the namespace of the ingress gateway that reads it through SDS, and the keys must be named `key` and `cert` (a `kubernetes.io/tls` secret with `tls.key`/`tls.crt` is accepted as well).


Check that the secret was created

```shell
kubectl get secret -n istio-system
```

```
[root@k8s-master server]# kubectl get secret -n istio-system
NAME                                               TYPE                                  DATA   AGE
default-token-v7sql                                kubernetes.io/service-account-token   3      45d
grafana-token-6xxxz                                kubernetes.io/service-account-token   3      45d
istio-ca-secret                                    istio.io/ca-root                      5      45d
istio-egressgateway-service-account-token-8z4sc    kubernetes.io/service-account-token   3      45d
demo-istio-certs                                   Opaque                                2      25h
istio-ingressgateway-service-account-token-mnkw6   kubernetes.io/service-account-token   3      45d
istio-reader-service-account-token-6zmgx           kubernetes.io/service-account-token   3      45d
istiod-service-account-token-njlqz                 kubernetes.io/service-account-token   3      45d
kiali-token-t9b5x                                  kubernetes.io/service-account-token   3      45d
prometheus-token-k8bm4                             kubernetes.io/service-account-token   3      31d
```


Configure the gateway

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: demo-istio
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - 'www.demo-istio.com'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "demo-istio-certs"
```


Start the service and the gateway, then access it over HTTPS:

https://www.demo-istio.com

3. Complete service and routing YAML for reference

3.1 Service deployment

```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: demo-istio
    service: demo-istio
  name: demo-istio
  namespace: default
spec:
  ports:
  - name: demo-istio
    port: 8070
  selector:
    app: demo-istio
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: demo-istio
    version: v1
  name: demo-istio-v1
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-istio
      version: v1
  template:
    metadata:
      annotations:
        # annotation values must be strings; unquoted false/8070 are rejected by the API server
        prometheus.io/scrape: "false"
        prometheus.io/path: /actuator/prometheus
        prometheus.io/port: "8070"
      labels:
        app: demo-istio
        version: v1
    spec:
      containers:
      - env:
        - name: LIMITS_MEMORY
          valueFrom:
            resourceFieldRef:
              divisor: 1Mi
              resource: limits.memory
        - name: JAVA_OPTS
          value: -Xmx$(LIMITS_MEMORY)m -XshowSettings:vm -Duser.timezone=Asia/Shanghai
        image: 192.168.10.59:8080/frame/demo-frame-istio:1.0.RELEASE
        imagePullPolicy: Always
        name: demo-istio
        ports:
        - containerPort: 8070
        resources:
          limits:
            cpu: 2048m
            memory: 2048Mi
          requests:
            cpu: 1024m
            memory: 1024Mi
        volumeMounts:
        - mountPath: /sidecar
          name: sidecar
      hostAliases:
      - hostnames:
        - www.zipkin.com
        ip: 192.168.10.80
      imagePullSecrets:
      - name: regsecret
      initContainers:
      - command:
        - cp
        - -r
        - /opt/skywalking/agent
        - /sidecar
        image: 192.168.10.59:8080/frame/skywalking-agent:v1
        imagePullPolicy: Always
        name: sidecar
        volumeMounts:
        - mountPath: /sidecar
          name: sidecar
      volumes:
      - emptyDir: {}
        name: sidecar
```

Two things to watch in this manifest: Istio infers the protocol of a Service port from its name, so naming the port `http-demo-istio` (or setting `appProtocol: http`) avoids relying on protocol sniffing; and `-Xmx$(LIMITS_MEMORY)m` gives the heap the entire container memory limit, leaving nothing for metaspace, threads and native memory, which is a common cause of OOMKilled pods.


3.2 Routing

The service is reachable over both https://www.demo-istio.com and http://www.demo-istio.com. HTTP exists for Prometheus monitoring on the intranet; HTTPS is what intranet service calls should use. Note that the gateway hosts are `*.demo-istio.com` while the certificate from 2.1 was issued only for www.demo-istio.com, so any other subdomain routed through this gateway will fail certificate validation on the client.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: demo-istio
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*.demo-istio.com'
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - '*.demo-istio.com'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: demo-istio-certs
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: demo-istio
  namespace: default
spec:
  gateways:
  - demo-istio
  hosts:
  - www.demo-istio.com
  http:
  - retries:
      attempts: 3
      perTryTimeout: 3s
    route:
    - destination:
        host: demo-istio
        port:
          number: 8070
        subset: v1
    timeout: 9s
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: demo-istio
  namespace: default
spec:
  host: demo-istio
  subsets:
  - labels:
      version: v1
    name: v1
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 1024
        http2MaxRequests: 2048
        maxRequestsPerConnection: 200
        maxRetries: 3
      tcp:
        connectTimeout: 3s
        maxConnections: 2048
    outlierDetection:
      baseEjectionTime: 3m
      consecutiveErrors: 3
      interval: 3s
      maxEjectionPercent: 100
```


4. One-click generation of the deployment and routing YAML

Don't reinvent the wheel: writing the YAML by hand for every service is laborious and error-prone, so generate it programmatically instead.

https://gitee.com/lvmoney/lvmoney-frame-parent/tree/master/lvmoney-frame-cloud/lvmoney-frame-cloud-base
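As an added example of the generate-then-check approach from sections 2.2, 3.2 and 4 (this is not the author's lvmoney generator nor Istio's own tooling), the script below builds the Gateway, VirtualService and DestinationRule for one service from a handful of parameters, lints the Gateway for the mistakes that quietly produce an open or broken listener (a bare `*` host, an HTTPS server with no `tls.mode`, `SIMPLE`/`MUTUAL` without a `credentialName`, a plain HTTP server with no `httpsRedirect`), and renders YAML with the standard library only. The host, ports, secret and resource names are the page's; the function names and the small emitter are this example's own.

```python
"""Render and lint Istio routing manifests for one Spring Boot service (added example)."""
import json
from typing import Any, Dict, List

ISTIO_API = "networking.istio.io/v1alpha3"


def build_manifests(service: str, domain: str, port: int, secret: str,
                    namespace: str = "default", subset: str = "v1") -> List[Dict[str, Any]]:
    """Gateway (HTTP kept for in-cluster scraping, HTTPS via an SDS secret), VirtualService, DestinationRule."""
    hosts = [f"*.{domain}"]
    gateway = {
        "apiVersion": ISTIO_API, "kind": "Gateway",
        "metadata": {"name": service, "namespace": namespace},
        "spec": {
            "selector": {"istio": "ingressgateway"},
            "servers": [
                {"hosts": hosts, "port": {"name": "http", "number": 80, "protocol": "HTTP"}},
                {"hosts": hosts, "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
                 # SIMPLE = server-side TLS only; the secret must exist in istio-system
                 "tls": {"mode": "SIMPLE", "credentialName": secret}},
            ],
        },
    }
    virtual_service = {
        "apiVersion": ISTIO_API, "kind": "VirtualService",
        "metadata": {"name": service, "namespace": namespace},
        "spec": {
            "gateways": [service], "hosts": [f"www.{domain}"],
            "http": [{"retries": {"attempts": 3, "perTryTimeout": "3s"},
                      "route": [{"destination": {"host": service, "port": {"number": port}, "subset": subset}}],
                      "timeout": "9s"}],
        },
    }
    destination_rule = {
        "apiVersion": ISTIO_API, "kind": "DestinationRule",
        "metadata": {"name": service, "namespace": namespace},
        "spec": {
            "host": service,
            "subsets": [{"name": subset, "labels": {"version": subset}}],
            "trafficPolicy": {
                "connectionPool": {"tcp": {"maxConnections": 2048, "connectTimeout": "3s"},
                                   "http": {"http1MaxPendingRequests": 1024, "maxRetries": 3}},
                "outlierDetection": {"consecutiveErrors": 3, "interval": "3s",
                                     "baseEjectionTime": "3m", "maxEjectionPercent": 100},
            },
        },
    }
    return [gateway, virtual_service, destination_rule]


def lint_gateway(gateway: Dict[str, Any]) -> List[str]:
    """Return one message per listener misconfiguration; an empty list means nothing was found."""
    problems: List[str] = []
    for i, server in enumerate(gateway["spec"]["servers"]):
        where = f"servers[{i}]"
        if "*" in server.get("hosts", []):
            problems.append(f"{where}: bare '*' host matches every vhost on the ingress")
        protocol = server["port"]["protocol"]
        tls = server.get("tls", {})
        if protocol == "HTTPS":
            if tls.get("mode") not in ("SIMPLE", "MUTUAL", "ISTIO_MUTUAL"):
                problems.append(f"{where}: HTTPS listener without a tls.mode")
            elif tls["mode"] in ("SIMPLE", "MUTUAL") and not tls.get("credentialName"):
                problems.append(f"{where}: mode {tls['mode']} needs credentialName (an SDS secret)")
        elif protocol == "HTTP" and not tls.get("httpsRedirect"):
            problems.append(f"{where}: plain HTTP listener without httpsRedirect "
                            "(acceptable only for in-cluster scraping)")
    return problems


def _scalar(v: Any) -> str:
    if isinstance(v, bool):
        return "true" if v else "false"
    if v is None:
        return "null"
    if isinstance(v, dict):  # only reached when empty
        return "{}"
    if isinstance(v, list):
        return "[]"
    if isinstance(v, (int, float)):
        return str(v)
    return json.dumps(v)  # double-quoted scalar, so "*.demo-istio.com" and "3s" are never re-typed


def to_yaml(obj: Any, indent: int = 0) -> List[str]:
    """Minimal emitter for the map/list/scalar shapes these manifests use."""
    pad = "  " * indent
    out: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, (dict, list)) and v:
                out.append(f"{pad}{k}:")
                out.extend(to_yaml(v, indent + 1))
            else:
                out.append(f"{pad}{k}: {_scalar(v)}")
    else:
        for item in obj:
            if isinstance(item, dict) and item:
                sub = to_yaml(item, indent + 1)
                out.append(f"{pad}- {sub[0].lstrip()}")  # first key shares the "- " line
                out.extend(sub[1:])
            else:
                out.append(f"{pad}- {_scalar(item)}")
    return out


def render(manifests: List[Dict[str, Any]]) -> str:
    return "\n---\n".join("\n".join(to_yaml(m)) for m in manifests) + "\n"


if __name__ == "__main__":
    docs = build_manifests("demo-istio", "demo-istio.com", 8070, "demo-istio-certs")
    for problem in lint_gateway(docs[0]):
        print("WARN", problem)
    print(render(docs))
```

Run it and pipe the output to `kubectl apply -f -`; the lint runs first so a missing `credentialName` (which would leave the HTTPS listener without a certificate) is reported before anything reaches the cluster. The page's own Gateway produces exactly one warning, for the deliberate plain-HTTP listener.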


Success has not yet come; friends, keep striving. Joined 2020.05.21

Long engaged in microservices, middle-platform and other backend development and architecture design. Some views and implementations can be found at https://gitee.com/lvmoney/lvmoney-frame-parent
