Lao Jiang's Knowledge Base (老蒋的知识库)


How to Reverse-Proxy K8S Dashboard HTTPS Requests with Apisix

Posted on 2022-11-11 | Category: K8S Deployment

Introduction

Reverse-proxy K8S Dashboard HTTPS requests through Apisix so that the K8S Dashboard can be used securely.

Environment and Versions

K8S: 1.24
Apisix: 2.15
Cert Manager: 1.10
K8S Dashboard: 2.6.1

References

Publishing an API route with Apisix: https://apisix.apache.org/zh/docs/apisix/tutorials/expose-api/
K8S deployment: https://kubernetes.io/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/

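Deploying Apisix and K8S DashBoard

Reference: Deploying K8S DashBoard on K8S
Reference: Deploying Apisix on K8S
Reference: Configuring HTTPS in Apisix, using Cert Manager to manage free ACME certificates

Create the Apisix reverse-proxy route to k8s-dashboard

The Apisix admin API is used for this deployment because, so far, no forwarding configuration for an HTTPS upstream has been found for either Ingress or ApisixRoute.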

kubectl -n apisix exec -it apisix-764d9d9f47-rlvm4 -- curl http://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X POST -d '{
  "uri": "/*",
  "name": "k8s-dashboard",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "k8s.ljdzsk.com",
  "plugins": {
    "redirect": {
      "encode_uri": false,
      "http_to_https": true,
      "ret_code": 302
    }
  },
  "upstream": {
    "nodes": [
      {
        "host": "kubernetes-dashboard.kubernetes-dashboard",
        "port": 443,
        "weight": 1
      }
    ],
    "timeout": {
      "connect": 6,
      "send": 6,
      "read": 6
    },
    "type": "roundrobin",
    "scheme": "https",
    "pass_host": "pass",
    "name": "k8s-dashboard",
    "keepalive_pool": {
      "idle_timeout": 60,
      "requests": 1000,
      "size": 320
    }
  },
  "status": 1
}'

Create and bind the HTTPS TLS certificate

Create the TLS certificate and store it in a secret

# Manifest file
cat > k8s_dashboard_certificates.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: k8s-cert
  namespace: kubernetes-dashboard
spec:
  dnsNames:
    - k8s.ljdzsk.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-amce-cluster-issuer # name of the ClusterIssuer we defined earlier
  secretName: k8s-tls # secret in which the TLS certificate is stored
  usages: # key usages; the keywords are enumerated values.
    - digital signature
    - key encipherment
EOF

# Deploy
kubectl apply -f k8s_dashboard_certificates.yaml

Bind the domain to the certificate in the secret through ApisixTls

# Manifest file
cat > k8s_dashboard_apisix_tls.yaml <<EOF
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: k8s-tls
  namespace: kubernetes-dashboard
spec:
  hosts:
  - k8s.ljdzsk.com
  secret:
    name: k8s-tls # the secretName configured when the Certificate was deployed
    namespace: kubernetes-dashboard # namespace the certificate belongs to
EOF

# Deploy
kubectl apply -f k8s_dashboard_apisix_tls.yaml
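
The route, the Certificate and the ApisixTls object above only work together if they agree on the hostname, the secret and the upstream scheme. The following check is an added example, not part of the original post: the function name check_dashboard_proxy is hypothetical, and the inputs are assumed to be the route body plus the two objects as JSON (for example from `kubectl get ... -o json`); the samples are constructed from the values on this page.

```python
import json

def check_dashboard_proxy(route, cert, tls):
    """Return mismatches between the Apisix route, the cert-manager
    Certificate and the ApisixTls object (all parsed from JSON)."""
    problems = []
    host = route.get("host")
    up = route.get("upstream", {})
    # Apisix defaults the upstream scheme to "http"; the Dashboard service
    # on this page listens on 443, so the scheme must be set explicitly.
    if up.get("scheme", "http") != "https":
        problems.append("upstream.scheme is not https")
    nodes = up.get("nodes", [])
    # nodes may be a list of objects (as on this page) or a {"host:port": weight} map
    ports = ([int(k.rsplit(":", 1)[1]) for k in nodes] if isinstance(nodes, dict)
             else [n.get("port") for n in nodes])
    if 443 not in ports:
        problems.append("no upstream node on port 443")
    if not route.get("plugins", {}).get("redirect", {}).get("http_to_https"):
        problems.append("plain HTTP is not redirected to HTTPS")
    # The same hostname must appear in all three objects.
    if host not in cert["spec"].get("dnsNames", []):
        problems.append(f"{host} missing from Certificate dnsNames")
    if host not in tls["spec"].get("hosts", []):
        problems.append(f"{host} missing from ApisixTls hosts")
    # ApisixTls must reference the secret that the Certificate writes to.
    want = (cert["metadata"]["namespace"], cert["spec"]["secretName"])
    ref = tls["spec"].get("secret", {})
    if (ref.get("namespace"), ref.get("name")) != want:
        problems.append("ApisixTls secret does not match Certificate secretName/namespace")
    return problems

# Constructed samples mirroring the objects on this page.
ROUTE = json.loads("""{"host": "k8s.ljdzsk.com",
  "plugins": {"redirect": {"http_to_https": true}},
  "upstream": {"scheme": "https", "nodes": [
    {"host": "kubernetes-dashboard.kubernetes-dashboard", "port": 443, "weight": 1}]}}""")
CERT = json.loads("""{"metadata": {"name": "k8s-cert", "namespace": "kubernetes-dashboard"},
  "spec": {"dnsNames": ["k8s.ljdzsk.com"], "secretName": "k8s-tls"}}""")
TLS = json.loads("""{"metadata": {"name": "k8s-tls", "namespace": "kubernetes-dashboard"},
  "spec": {"hosts": ["k8s.ljdzsk.com"],
           "secret": {"name": "k8s-tls", "namespace": "kubernetes-dashboard"}}}""")

if __name__ == "__main__":
    for p in check_dashboard_proxy(ROUTE, CERT, TLS) or ["all objects are consistent"]:
        print(p)
```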
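
  • Author: jagger
  • Article link: /archives/apisix-ru-he-fan-xiang-dai-li-k8sdashboardhttps-qing-qiu
  • Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 3.0. Please credit the source when reposting!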