octavia-ingress-controller-tls-test.txt
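#1. Create server key
# The RSA private key is written here unencrypted (no passphrase), so keep the
# directory private to the current user. -p makes the step re-runnable.
mkdir -p -m 700 certs
# State the key size explicitly: the genrsa default has changed across OpenSSL
# releases, so relying on it can yield a weaker key on an older build.
openssl genrsa -out certs/web.stratus.ok.key 2048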
#2. Create certificate signing request
# No -subj is given, so openssl req takes the subject from its configuration
# (with a stock openssl.cnf it prompts for each field). The SAN is the name
# clients actually match against.
openssl req -new \
  -key certs/web.stratus.ok.key \
  -addext "subjectAltName = DNS:web.stratus.ok" \
  -out certs/web.stratus.ok.csr
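#3. Sign the CSR using Kolla root CA
# x509 -req does not carry over extensions requested in the CSR by default, so
# the SAN is supplied again through -extfile. The <( ... ) process substitution
# needs bash (or another shell that supports it), not plain sh.
# -sha256 pins the signature digest instead of relying on the build's default.
# NOTE(review): this signs a leaf certificate directly with the root CA private
# key and needs read access to root.key; acceptable on an all-in-one test host,
# whereas a longer-lived deployment would sign from an intermediate CA.
# -CAcreateserial creates a serial-number file if none exists; where it is
# written depends on the OpenSSL version - check for a stray .srl afterwards.
openssl x509 -req \
  -sha256 \
  -days 365 \
  -extfile <(printf "subjectAltName=DNS:web.stratus.ok") \
  -in certs/web.stratus.ok.csr \
  -CA /etc/kolla/certificates/private/root/root.crt \
  -CAkey /etc/kolla/certificates/private/root/root.key \
  -CAcreateserial \
  -out certs/web.stratus.ok.crt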
#4. Create secret using the certificates created.
# No -n/--namespace is given, so the secret lands in the current context's
# namespace; the Ingress that references tls-secret must be created in that
# same namespace.
kubectl create secret tls tls-secret \
  --cert=certs/web.stratus.ok.crt \
  --key=certs/web.stratus.ok.key
# Confirm the secret now exists.
kubectl get secret tls-secret
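#5. Create a default backend service for the ingress
# The heredoc delimiter is quoted so the shell writes the manifest verbatim
# (no variable or command expansion inside the YAML). The YAML nesting below is
# significant: with the indentation flattened, kubectl cannot parse the file.
cat <<'EOF' > default-http-backend.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app: default-http-backend
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: default-http-backend
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      containers:
        - name: default-http-backend
          # Any image is permissible as long as:
          # 1. It serves a 404 page at /
          # 2. It serves 200 on a /healthz endpoint
          # NOTE(review): k8s.gcr.io is the legacy registry host (its
          # successor is registry.k8s.io); confirm the image still pulls in
          # your environment, and pin by digest if reproducibility matters.
          image: k8s.gcr.io/defaultbackend-amd64:1.5
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: default
  labels:
    app: default-http-backend
spec:
  type: NodePort
  ports:
    - port: 80
      targetPort: 8080
  selector:
    app: default-http-backend
EOF
kubectl apply -f default-http-backend.yaml
# Note the service address reported here; it is used in the curl check below.
kubectl get svc
# Presumably loads the OpenStack credentials for the CLI calls that follow;
# the file holds secrets, so keep it readable by its owner only.
source karno-openrc.sh
openstack server list
# 10.14.14.1XX and 10.XXX.XXX.XXX are placeholders: substitute a cluster node
# address from "openstack server list" and the service address from
# "kubectl get svc". The default backend is expected to answer with a 404 on /.
ssh -l core 10.14.14.1XX curl http://10.XXX.XXX.XXX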
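#6. Create a backend service
# Quoted heredoc delimiter: the manifest is written verbatim, with no shell
# expansion. The YAML nesting is significant and must be kept as shown.
cat <<'EOF' > dep-webserver.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webserver
  namespace: default
  labels:
    app: webserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webserver
  template:
    metadata:
      labels:
        app: webserver
    spec:
      containers:
        - name: webserver
          # NOTE(review): no tag is given, so this resolves to the mutable
          # "latest" tag, and IfNotPresent reuses whatever copy a node has
          # cached. Pin a tag or digest if the test must be reproducible.
          image: lingxiankong/alpine-test
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
EOF
kubectl apply -f dep-webserver.yaml
# Expose the deployment as a NodePort service forwarding to container port
# 8080; the service takes the deployment's name ("webserver").
kubectl expose deployment webserver --type=NodePort --target-port=8080
kubectl get svc
openstack server list
# Placeholders as in step 5: substitute a node address and the webserver
# service address before running.
ssh -l core 10.14.14.1XX curl http://10.XXX.XXX.XXX:8080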
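#7. Create a TLS Ingress
# Quoted heredoc delimiter: the manifest is written verbatim, with no shell
# expansion. The YAML nesting is significant and must be kept as shown.
cat <<'EOF' > test-octavia-ingress-tls.yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-octavia-ingress-tls
  annotations:
    kubernetes.io/ingress.class: "openstack"
    # NOTE(review): "false" presumably asks the controller for an externally
    # reachable load balancer rather than a private-network-only one; confirm
    # that exposure is intended for this test.
    octavia.ingress.kubernetes.io/internal: "false"
spec:
  defaultBackend:
    service:
      name: default-http-backend
      port:
        number: 80
  tls:
    # References the TLS secret by name; it must exist in the same namespace
    # as this Ingress.
    - secretName: tls-secret
  rules:
    - host: web.stratus.ok
      http:
        paths:
          - path: /ping
            pathType: Exact
            backend:
              service:
                name: webserver
                port:
                  number: 8080
EOF
kubectl apply -f test-octavia-ingress-tls.yaml
# Watch until the Ingress reports an address, then stop the watch.
kubectl get ing -w
#Ctrl+C
# Presumably checks that the controller created the matching key-manager
# secret and Octavia load balancer for the Ingress.
openstack secret list
openstack loadbalancer list
# Placeholder: set IP to the address reported for the Ingress.
IP=10.14.14.1XX
# Appends a hosts entry so the certificate's SAN (web.stratus.ok) resolves;
# running this twice leaves duplicate lines, and the entry should be removed
# again once the test is finished.
echo "$IP web.stratus.ok" | sudo tee -a /etc/hosts
# curl validates the server certificate against the system trust store. The
# certificate chains to the Kolla root CA, so if that CA is not trusted on this
# host, pass --cacert with the root.crt used for signing instead of turning
# verification off.
curl https://web.stratus.ok
curl https://web.stratus.ok/ping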
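#8. Delete resources
# Each delete is followed by a listing to confirm the object is gone. After the
# Ingress is removed, the two openstack listings presumably confirm that the
# controller also cleaned up the load balancer and the stored certificate.
kubectl delete ing test-octavia-ingress-tls
kubectl get ing
openstack loadbalancer list
openstack secret list
kubectl delete svc webserver
kubectl get svc
kubectl delete deployment webserver
kubectl get deployment
kubectl delete svc default-http-backend
kubectl get svc
kubectl delete deployment default-http-backend
kubectl get deployment
kubectl delete secret tls-secret
kubectl get secret
# Local leftovers from the test: the hosts entry for web.stratus.ok, the
# generated manifests, and the key material (including the unencrypted private
# key). rm -f and rmdir keep this safe to run even if a step was skipped.
sudo sed -i '/ web\.stratus\.ok$/d' /etc/hosts
rm -f default-http-backend.yaml dep-webserver.yaml test-octavia-ingress-tls.yaml
rm -f certs/web.stratus.ok.key certs/web.stratus.ok.csr certs/web.stratus.ok.crt
rmdir certs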