python - How to deploy a simple Python HTTPS server in a Kubernetes cluster?

Reposted. Author: 行者123. Updated: 2023-12-04 22:36:06

Normally, when I deploy a simple HTTPS server in a VM, I do the following.
Create a certificate using the IP:

$ openssl req -new -x509 -keyout private_key.pem -out public_cert.pem -days 365 -nodes
Generating a RSA private key
..+++++
.................................+++++
writing new private key to 'private_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Tamil Nadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company ,Inc
Organizational Unit Name (eg, section) []: company division
Common Name (e.g. server FQDN or YOUR name) []:35.222.65.55 <----------------------- this ip should be server ip very important
Email Address []:

Start the simple HTTPS Python server:

# libraries needed:
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

# address set
server_ip = '0.0.0.0'
server_port = 3389

# configuring HTTP -> HTTPS
# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='./public_cert.pem', keyfile='./private_key.pem')
httpd = HTTPServer((server_ip, server_port), SimpleHTTPRequestHandler)
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

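This now works with a local curl:

curl --cacert /Users/padmanabanpr/Downloads/public_cert.pem --cert-type PEM   https://35.222.65.55:3389

Now, how do I deploy this to a Kubernetes cluster and access it through a load balancer?
Assume I have
  • A public docker nginx container with write access, python3, and this python https server file
  • A deployment yaml using nginx:
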
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: external-nginx-server
      labels:
        app: external-nginx-server
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: external-nginx-server
      template:
        metadata:
          labels:
            app: external-nginx-server
        spec:
          containers:
          - name: external-nginx-server
            image: <docker nginx public image>
            ports:
            - containerPort: 3389

    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: external-nginx-service
    spec:
      selector:
        app: external-nginx-server
      ports:
      - protocol: TCP
        port: 443
        name: https
        targetPort: 3389
      type: LoadBalancer

Best answer

To do the same in Kubernetes, you need to create a Secret containing the certificate, like this:

    kind: Secret
    apiVersion: v1
    metadata:
      name: my-tls-secret
    data:
      tls.crt: BASE64-ENCODED CERTIFICATE
      tls.key: BASE64-ENCODED KEY

Then you need to mount it in all the pods that need it:

    # deployment.yml
    volumes:
    - name: my-tls
      secret:
        secretName: my-tls-secret
    containers:
    - name: external-nginx-server
      image: <docker nginx public image>
      volumeMounts:
      - name: my-tls
        # Here will appear the "tls.crt" and "tls.key", defined in the secret's data block.
        # Kubernetes will take care to decode the contents and make them separate files.
        mountPath: /etc/nginx/tls

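But this is painful to manage manually! You will have to track certificate expiration dates, renew the keys, restart the pods... There is a better way.

You can install an ingress controller (NGINX, for example) and a certificate manager for Kubernetes. The certificate manager will take care of issuing certificates (via LetsEncrypt or other providers), saving them as secrets, and renewing them before their expiration date.

The ingress controller is a centralized endpoint for your cluster. You can have it handle connections to multiple applications, just like a normal NGINX installation. The benefit in this case is that you will not have to install the certificates when there is a new one or an update. The ingress controller will handle that for you.

The links above will lead you to the documentation, where you can find details on how to install and use them.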
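
One way to fill in the Secret's BASE64-ENCODED placeholders from the question's public_cert.pem and private_key.pem, as an added example that is not part of the original answer. The function names, the `type: kubernetes.io/tls` field and the sample PEM strings are assumptions made here; the samples are constructed and carry PEM framing only.

```python
import base64
import json
import re
import sys
from pathlib import Path

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+[A-Za-z0-9+/=\s]+-----END \1-----")

# Constructed placeholders with PEM framing only; not a real certificate or key.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n"


def pem_labels(text):
    """Labels of every well-formed PEM block, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_tls_secret(name, cert_pem, key_pem):
    """Return a Secret manifest (dict) with tls.crt and tls.key base64-encoded.

    Raises ValueError for swapped, malformed or passphrase-protected input,
    so a broken Secret is caught before any pod tries to mount it.
    """
    certs, keys = pem_labels(cert_pem), pem_labels(key_pem)
    if not certs or set(certs) != {"CERTIFICATE"}:
        raise ValueError("tls.crt must hold only CERTIFICATE blocks")
    if len(keys) != 1 or not keys[0].endswith("PRIVATE KEY"):
        raise ValueError("tls.key must hold exactly one unencrypted private key")
    if keys[0].startswith("ENCRYPTED"):
        raise ValueError("tls.key is passphrase-protected; a pod cannot load it unattended")

    def b64(text):
        return base64.b64encode(text.encode("ascii")).decode("ascii")

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",  # added here; the answer's manifest omits type
        "metadata": {"name": name},
        "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)},
    }


if __name__ == "__main__":
    # With two paths (certificate, key) reads those files, else uses the samples.
    paths = sys.argv[1:3]
    cert, key = [Path(p).read_text() for p in paths] if len(paths) == 2 else (SAMPLE_CERT, SAMPLE_KEY)
    print(json.dumps(build_tls_secret("my-tls-secret", cert, key), indent=2))
```

The printed JSON is a manifest that `kubectl apply -f -` accepts in place of the YAML form. Keep the output out of version control, since base64 is an encoding and the private key is recoverable from it.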

Regarding python - How to deploy a simple Python HTTPS server in a Kubernetes cluster?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/71154703/
