CKS Practice Exam Killer.sh | Question 15 | Configure TLS on Ingress

Task weight: 4%

Use context: kubectl config use-context workload-prod

In Namespace team-pink there is an existing Nginx Ingress resource named secure which accepts two paths, /app and /api, which point to different ClusterIP Services.

From your main terminal you can connect to it using for example:

Right now it uses a default generated TLS certificate by the Nginx Ingress Controller.

You're asked to instead use the key and certificate provided at /opt/course/15/tls.key and /opt/course/15/tls.crt. As it's a self-signed certificate you need to use curl -k when connecting to it.


Solution:

Check the hostname and address

k -n team-pink get ing secure
ping secure-ingress.test

Test access and check the certificate

curl http://secure-ingress.test:31080/app
curl http://secure-ingress.test:31080/api
curl https://secure-ingress.test:31443/api
curl -k https://secure-ingress.test:31443/api
curl -kv https://secure-ingress.test:31443/api

Create a secret from the key and certificate

k -n team-pink create secret tls tls-secret --key /opt/course/15/tls.key --cert /opt/course/15/tls.crt
k -n team-pink get ing secure -oyaml > 15_ing_bak.yaml
k -n team-pink edit ing secure
# kubectl -n team-pink edit ing secure
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
...
  generation: 1
  name: secure
  namespace: team-pink
...
spec:
  tls:                            # add
    - hosts:                      # add
      - secure-ingress.test       # add
      secretName: tls-secret      # add
  rules:
  - host: secure-ingress.test
    http:
      paths:
      - backend:
          service:
            name: secure-app
            port:
              number: 80
        path: /app
        pathType: ImplementationSpecific
      - backend:
          service:
            name: secure-api
            port:
              number: 80
        path: /api
        pathType: ImplementationSpecific
...

Check the certificate again

curl -k https://secure-ingress.test:31443/api
curl -kv https://secure-ingress.test:31443/api
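
A stricter check than reading the curl -kv output, as an added example that is not part of the original solution: it confirms that the key and certificate belong together and compares the SHA-256 fingerprint of the provided certificate with the one the Ingress serves. The function names are illustrative; the paths, host and port in the usage line are the ones used above.

```bash
#!/usr/bin/env bash
# Added example; function names are illustrative, not from the course material.

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
  local kpub cpub
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Fingerprint of the certificate served at host $1, port $2.
# -servername sends SNI so the controller selects the certificate for that host.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# $1 = key file, $2 = certificate file, $3 = host, $4 = port
verify_ingress_tls() {
  local want got
  if ! key_matches_cert "$1" "$2"; then
    echo "key and certificate do not match" >&2
    return 1
  fi
  want=$(cert_fingerprint "$2")
  got=$(served_fingerprint "$3" "$4")
  if [ -n "$want" ] && [ "$want" = "$got" ]; then
    echo "ingress serves the provided certificate: $got"
  else
    echo "ingress serves a different certificate: ${got:-none}" >&2
    return 1
  fi
}

# Usage: ./check_tls.sh /opt/course/15/tls.key /opt/course/15/tls.crt secure-ingress.test 31443
if [ "$#" -eq 4 ]; then
  verify_ingress_tls "$@"
fi
```

If the fingerprints differ, the controller is still serving its default certificate, which usually means the tls entry's host or secretName does not match.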
