diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..757fee3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.idea
\ No newline at end of file
diff --git a/base/basic-auth/http-basic-auth.yaml b/base/basic-auth/http-basic-auth.yaml
new file mode 100644
index 0000000..aaf972d
--- /dev/null
+++ b/base/basic-auth/http-basic-auth.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: basic-auth
+type: Opaque
+data:
+ auth: dXNlcjokYXByMSRPU0JHSXpFbCRFemNTTGk1QkJWVGFBQlhMODlNaXkvCg==
+# This is a base64 encoded string of the format "user:$apr1$OSBGIzEl$EzcSLi5BBVTaABXL89Miy/".
+# password: FVhxOBuqXK800gdmIq
\ No newline at end of file
diff --git a/base/basic-auth/kustomization.yaml b/base/basic-auth/kustomization.yaml
new file mode 100644
index 0000000..a3e3b00
--- /dev/null
+++ b/base/basic-auth/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - http-basic-auth.yaml
\ No newline at end of file
diff --git a/base/tls/ca-secret.yaml b/base/tls/ca-secret.yaml
new file mode 100644
index 0000000..923bbce
--- /dev/null
+++ b/base/tls/ca-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ca-secret
+ namespace: ingress-nginx
+type: Opaque
+data:
+ ca.crt: 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
\ No newline at end of file
diff --git a/base/tls/kustomization.yaml b/base/tls/kustomization.yaml
index 38ff8e6..caf4622 100644
--- a/base/tls/kustomization.yaml
+++ b/base/tls/kustomization.yaml
@@ -1,2 +1,4 @@
 resources:
- - kx33-net-cert.yaml
\ No newline at end of file
+ - kx33-cert.yaml
+ - ca-secret.yaml
+ - tls-secret.yaml
\ No newline at end of file
diff --git a/base/tls/kx33-cert.yaml b/base/tls/kx33-cert.yaml
new file mode 100644
index 0000000..311f948
--- /dev/null
+++ b/base/tls/kx33-cert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+stringData:
+ qcloud_cert_id: NVLniB9q
+ qcloud_ca_cert_id: NVLg94ze
+kind: Secret
+metadata:
+ name: kx33-cert
+type: Opaque
\ No newline at end of file
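Review bot: base/basic-auth/http-basic-auth.yaml commits the credential itself: the trailing `# password:` comment holds the plaintext, and `data.auth` is only base64 of the htpasswd line that the comment above it also spells out. Anyone with read access to the repository or its history can authenticate, so the password should be treated as exposed and rotated, and both comments removed. The same defect applies to `tls.key` in base/tls/tls-secret.yaml, which places the server private key in git as base64. I would keep only a reference in the repo, for example a kustomize `secretGenerator` that reads an untracked file or an encrypted/sealed secret, and replace the two comments with `# htpasswd entry; value is supplied at deploy time and never committed`.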
diff --git a/base/tls/kx33-net-cert.yaml b/base/tls/kx33-net-cert.yaml
deleted file mode 100644
index 303de47..0000000
--- a/base/tls/kx33-net-cert.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-stringData:
- qcloud_cert_id: ESqefc6J
-kind: Secret
-metadata:
- name: kx33-net-cert
-type: Opaque
\ No newline at end of file
diff --git a/base/tls/tls-secret.yaml b/base/tls/tls-secret.yaml
new file mode 100644
index 0000000..b67ba31
--- /dev/null
+++ b/base/tls/tls-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tls-secret
+ namespace: ingress-nginx
+type: kubernetes.io/tls
+data:
+ tls.crt: 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
+ tls.key: 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
diff --git a/gp2504/ingress.yaml b/gp2504/ingress.yaml
index bc51f03..d60176e 100644
--- a/gp2504/ingress.yaml
+++ b/gp2504/ingress.yaml
@@ -6,10 +6,25 @@ metadata:
 kubernetes.io/ingress.class: "nginx"
 nginx.ingress.kubernetes.io/proxy-body-size: "10m"
 nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
- nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/auth-tls-secret: "gp2504/ca-secret"
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
+ nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+# nginx.ingress.kubernetes.io/auth-type: "basic"
+# nginx.ingress.kubernetes.io/auth-secret: "basic-auth"
+# nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
 spec:
+ tls:
+ - hosts:
+ - api-g2504.qq.com
+ - h5-g2504.qq.com
+ - admin-g2504.qq.com
+ - agent-g2504.qq.com
+ secretName: tls-secret
 rules:
- - host: api.g2504.qq.com
+ - host: api-g2504.qq.com
 http:
 paths:
 - path: /
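Review bot: The Secret references added in the first hunk of gp2504/ingress.yaml do not line up with where this commit declares those Secrets: `auth-tls-secret: "gp2504/ca-secret"` and `secretName: tls-secret` point at the Ingress's namespace, while base/tls/ca-secret.yaml and base/tls/tls-secret.yaml both set `namespace: ingress-nginx`. Unless the overlay's kustomization rewrites the namespace (not visible in this diff), neither reference resolves. In that case, confirm on a test host that the controller rejects the connection rather than serving its default certificate or skipping client-certificate verification. Dropping `namespace:` from the two base files, or setting it to the overlay namespace, keeps objects and references together. `auth-tls-pass-certificate-to-upstream: "true"` also hands the client certificate to the backends in a request header, so I would add `# upstreams must accept the client-cert header only from the ingress controller` above it. The annotations map begins above this hunk, so other auth settings may exist that cannot be seen here.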
@@ -26,7 +41,7 @@ spec:
 name: external-service
 port:
 number: 80
- - host: h5.g2504.qq.com
+ - host: h5-g2504.qq.com
 http:
 paths:
 - path: /
@@ -50,7 +65,7 @@ spec:
 name: external-service
 port:
 number: 80
- - host: admin.g2504.qq.com
+ - host: admin-g2504.qq.com
 http:
 paths:
 - path: /
@@ -81,7 +96,7 @@ spec:
 name: external-service
 port:
 number: 80
- - host: agent.g2504.qq.com
+ - host: agent-g2504.qq.com
 http:
 paths:
 - path: /
diff --git a/gp2504/kustomization.yaml b/gp2504/kustomization.yaml
index 5d08c6b..3987eab 100644
--- a/gp2504/kustomization.yaml
+++ b/gp2504/kustomization.yaml
@@ -10,6 +10,8 @@ resources: - ../base/projects/stock2 - ../base/redis - ../base/redis-nodeport + - ../base/tls + - ../base/basic-auth - ingress.yaml configMapGenerator:
diff --git a/test.bat b/test.bat
new file mode 100644
index 0000000..d7faf9e
--- /dev/null
+++ b/test.bat
@@ -0,0 +1 @@
+kubectl apply --dry-run=client -k gp2504
\ No newline at end of file
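Review bot: The `basic-auth` Secret pulled in by `- ../base/basic-auth` in gp2504/kustomization.yaml has no consumer, because the `auth-type`, `auth-secret` and `auth-realm` annotations that would read it are commented out in gp2504/ingress.yaml. The overlay therefore deploys a credential object that nothing uses, which only widens where that credential lives. I would leave the entry out until the annotations are enabled, or add `# enable together with the auth-* annotations in ingress.yaml` above it. The resources list starts above this hunk, so whether the overlay sets a `namespace:` cannot be seen from here.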