k8s: Deploying nginx with kubectl

Published: 2025-07-28

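This article walks through the complete process of deploying an HTTPS service in an offline environment built on a Hygon C86 processor and the Kylin operating system. First a CA issues the server certificate and a Kubernetes Secret is created to hold the certificate and key; then the Nginx service is configured (with HTTP and HTTPS listening ports); next the PV/PVC storage is created and the Nginx container is deployed; finally the ports are exposed through a NodePort Service. The key steps are: 1) manage the Nginx configuration with a ConfigMap; 2) mount the TLS certificate through a Secret; 3) bind a local storage path; 4) expose both ports (80/443). The result serves HTTP and HTTPS at the same time through NodePort ports.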

1. Offline environment

CPU: Hygon C86 7285 32-core Processor
Operating system: Kylin OS
containerd: 1.7.27
Kubernetes: 1.26.12
KubeSphere: 4.1.2
kubekey: 3.1.10
Harbor: 2.13.1

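2. Issue the server certificate from the CA

See the "Generate the server certificate" section of the article on configuring HTTPS access to Harbor.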

3. Create a Kubernetes Secret to store the certificate and key


kubectl create secret tls nginx-tls \
  --cert=/app/cert/172.23.123.117.crt \
  --key=/app/cert/172.23.123.117.key
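
Before creating the Secret it is worth checking the pair: the certificate file is named for 172.23.123.117, while the access URLs at the end of this article use 172.23.123.118, so the certificate's SAN list needs to cover whichever address clients connect to. The script below is an added example, not part of the original article; its function names are hypothetical and it runs against a throwaway self-signed pair that it constructs itself.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks to run before `kubectl create secret tls`.
# Needs the openssl CLI (1.1.1+ for -addext). Function names are hypothetical.

# True if the certificate and the private key carry the same public key.
cert_matches_key() {   # cert_matches_key CERT KEY
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# True if the certificate has an iPAddress SAN equal to the given IP.
# openssl's IP check looks at SAN entries only, not at the CN.
cert_covers_ip() {     # cert_covers_ip CERT IP
  openssl x509 -in "$1" -noout -checkip "$2" 2>&1 |
    grep -q 'does match certificate'
}

# True if the certificate is still valid SECONDS from now.
cert_valid_for() {     # cert_valid_for CERT SECONDS
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed pair with one IP SAN.
make_sample_pair() {   # make_sample_pair DIR IP
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -addext "subjectAltName=IP:$2" \
    -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" 172.23.123.117
cert_matches_key "$demo_dir/tls.crt" "$demo_dir/tls.key" && echo "key matches certificate"
cert_valid_for "$demo_dir/tls.crt" $((7 * 86400)) && echo "valid for at least 7 more days"
for ip in 172.23.123.117 172.23.123.118; do
  if cert_covers_ip "$demo_dir/tls.crt" "$ip"; then
    echo "$ip: in SAN list"
  else
    echo "$ip: not in SAN list, HTTPS clients using this address will reject the certificate"
  fi
done
rm -rf "$demo_dir"
```

To check the real pair, call the three check functions with /app/cert/172.23.123.117.crt and /app/cert/172.23.123.117.key in place of the sample files.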

4. Create the Nginx configuration file (ConfigMap)

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: default
data:
  nginx.conf: |
    user  nginx;
    worker_processes  auto;
    error_log  /var/log/nginx/error.log notice;
    pid        /var/run/nginx.pid;
    events {
        worker_connections  1024;
    }
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
        sendfile        on;
        keepalive_timeout  65;
        server {
            listen       80;
            server_name  localhost;
            location / {
                root   /usr/share/nginx/html;
                index  index.html index.htm;
            }
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   /usr/share/nginx/html;
            }
        }
        server {
            listen              443 ssl;
            server_name         localhost;
            ssl_certificate     /etc/nginx/tls/tls.crt;
            ssl_certificate_key /etc/nginx/tls/tls.key;
            ssl_protocols       TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;
            location / {
                root   /usr/share/nginx/html;
                index  index.html index.htm;
            }
        }
    }

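Here we define two server blocks: one listens for HTTP requests (port 80) and the other for HTTPS requests (port 443). The HTTPS server block specifies where the certificate and key are located.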

5. Create the PV

apiVersion: v1
kind: PersistentVolume
metadata:
  name: webapp-pv
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: local
  local:
    path: /app/data
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - node2

6. Create the PVC

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: webapp-pvc
spec:
  volumeName: webapp-pv
  accessModes:
    - ReadWriteOnce
  storageClassName: local
  resources:
    requests:
      storage: 10Gi

7. Create the Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: 172.23.123.117:8443/library/nginx:latest
        ports:
        - containerPort: 80
        - containerPort: 443
        volumeMounts:
        - name: webapp
          mountPath: /usr/share/nginx/html
        - name: nginx-config
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
        - name: nginx-tls
          mountPath: /etc/nginx/tls
          readOnly: true
      volumes:
      - name: webapp
        persistentVolumeClaim:
          claimName: webapp-pvc
      - name: nginx-config
        configMap:
          name: nginx-conf
      - name: nginx-tls
        secret:
          secretName: nginx-tls

 

The ConfigMap and the Secret are mounted at /etc/nginx/nginx.conf and /etc/nginx/tls respectively.

8. Create the Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    # A Service with more than one port must give each port a name.
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
  type: NodePort

9. Access

Place the project files under /app/data on the host.

HTTP access

http://172.23.123.118:32690/tdmp_res/vue_baidumap/5b468f1de77d5.mp4

HTTPS access

https://172.23.123.118:32320/tdmp_res/vue_baidumap/5b468f1de77d5.mp4

