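ACM certificates in the AWS China regions[1]
1. Public certificates can be requested free of charge; the only restriction is that they cannot be downloaded.
2. They can be used with products such as load balancers. Because of domain filing requirements, CloudFront in the China regions cannot use ACM certificates yet.
This article is based on Ingress routing on EKS (Elastic Kubernetes Service).
I. Request a public certificate from ACM
Validation completes automatically: as soon as the CNAME record is detected to be correct, the certificate is issued.
II. Ingress routing on EKS
An Ingress gives a service an externally reachable URL, load balancing, SSL termination, HTTP routing and so on. To configure these Ingress rules, the cluster administrator deploys an Ingress controller, which watches Ingress and service objects for changes, configures the load balancer according to the rules, and provides the access entry point.
The complete YAML file follows: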
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: example
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    alb.ingress.kubernetes.io/certificate-arn: arn:aws-cn:acm:cn-north-1:00000000:certificate/000000-00000-00000-00000
spec:
  rules:
    - host: www.example.com
      http: &httprules
        paths:
          # Must be the first path: it applies the actions.ssl-redirect annotation,
          # without which port 80 keeps serving plain HTTP.
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: service-example
              servicePort: 80
    - host: test.example.com
      http: *httprules
Annotations:
kubernetes.io/ingress.class: alb # Ingress class
alb.ingress.kubernetes.io/scheme: internet-facing # internet-facing for a public ALB, internal for a private one
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' # defines the HTTP 301 redirect to HTTPS
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]' # the ALB listens on ports 80 and 443
alb.ingress.kubernetes.io/backend-protocol: HTTP # protocol from the ALB to the backend, HTTPS or HTTP
alb.ingress.kubernetes.io/certificate-arn: arn:aws-cn:acm:cn-north-1:00000000:certificate/000000-00000-00000-00000 # ARN of the ACM certificate
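
An added example, not part of the original article: a Python check that an Ingress using the annotations above really forces HTTPS. The actions.ssl-redirect annotation only defines the action; with this controller version it takes effect when the first path of each rule names the backend ssl-redirect with servicePort use-annotation. The function names and the sample manifests (given as dicts, as a JSON export of the object would look) are constructed for illustration.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/"

def audit_ingress(ingress):
    """Return findings for one extensions/v1beta1 Ingress given as a dict."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    findings = []
    # Assumption: listen-ports is set explicitly, as in the article.
    ports = json.loads(ann.get(PREFIX + "listen-ports", "[]"))
    protocols = {proto for entry in ports for proto in entry}
    if "HTTPS" not in protocols:
        findings.append("listen-ports declares no HTTPS listener")
    elif not ann.get(PREFIX + "certificate-arn", "").startswith("arn:aws-cn:acm:"):
        findings.append("HTTPS listener has no aws-cn ACM certificate ARN")
    if "HTTP" in protocols:
        action = json.loads(ann.get(PREFIX + "actions.ssl-redirect", "{}"))
        if (action.get("Type"), action.get("RedirectConfig", {}).get("Protocol")) != ("redirect", "HTTPS"):
            findings.append("no redirect-to-HTTPS action is defined")
        # The action only takes effect when it is the first path of each rule.
        for rule in ingress.get("spec", {}).get("rules", []):
            paths = rule.get("http", {}).get("paths", [])
            first = paths[0].get("backend", {}) if paths else {}
            if (first.get("serviceName"), first.get("servicePort")) != ("ssl-redirect", "use-annotation"):
                findings.append(f"{rule.get('host', '*')}: plain HTTP is served, not redirected")
    return findings

def sample_ingress(with_redirect_path):
    """Constructed sample modelled on the article's manifest (placeholder ARN)."""
    paths = [{"path": "/*", "backend": {"serviceName": "service-example", "servicePort": 80}}]
    if with_redirect_path:
        paths.insert(0, {"path": "/*", "backend": {"serviceName": "ssl-redirect", "servicePort": "use-annotation"}})
    return {
        "metadata": {"annotations": {
            PREFIX + "listen-ports": '[{"HTTP": 80}, {"HTTPS": 443}]',
            PREFIX + "actions.ssl-redirect": '{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}',
            PREFIX + "certificate-arn": "arn:aws-cn:acm:cn-north-1:00000000:certificate/000000-00000-00000-00000",
        }},
        "spec": {"rules": [{"host": h, "http": {"paths": paths}} for h in ("www.example.com", "test.example.com")]},
    }

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, audit_ingress(sample_ingress(flag)))
```

The check covers the listener only. With backend-protocol set to HTTP, TLS ends at the ALB and traffic from the ALB to the pods is unencrypted.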