[17.0.0.3 and later]

Deploying Liberty with Ingress using SSL in IBM Cloud Private

When you request the Ingress, the browser's connection to the proxy is secure. However, if you also want to secure the back-end connection from the proxy to Liberty, complete this task.

About this task

The config map contains overrides for the server.xml file. These overrides enable the features that SSL requires and configure the Liberty server or Liberty service to use the certificates that the fabric generates.

Procedure

  1. Create a libertyssl.xml file with the following content:
    <?xml version="1.0" encoding="UTF-8"?>
    <server>
      <featureManager>
        <feature>ssl-1.0</feature>
      </featureManager>
      <keyStore id="defaultKeyStore" location="/etc/wlp/config/keystore/key.jks"
                password="${env.MB_KEYSTORE_PASSWORD}" />
      <keyStore id="defaultTrustStore" location="/etc/wlp/config/truststore/trust.jks"
                password="${env.MB_TRUSTSTORE_PASSWORD}" />
    </server>
  2. Create a config map from the file that you created in the previous step:
    kubectl create configmap liberty-ssl --from-file=libertyssl.xml
  3. Make sure that the Kubernetes secrets exist. Run the following kubectl command and locate the mb-truststore, mb-truststore-password, mb-keystore and mb-keystore-password Kubernetes secrets in the list:
    kubectl get secrets
  4. Run the following kubectl command and locate the liberty-ssl config map in the list:
    kubectl get configmap
  5. In the deployment.yaml file of the Liberty service, create the following service:
    apiVersion: v1
    kind: Service
    metadata:
      name: liberty
      labels:
        name: liberty
    spec:
      selector:
        name: liberty
      ports:
      - name: http
        protocol: TCP
        port: 9080
        targetPort: 9080
      - name: https
        protocol: TCP
        port: 9443
        targetPort: 9443
      type: NodePort
  6. In the deployment.yaml file of the Liberty service, create the following Ingress YAML. The secure-backends annotation makes the proxy connect to the back end over HTTPS, and the back end is the 9443 port of the service:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: liberty
      labels:
        name: liberty
      annotations:
        kubernetes.io/ingress.class: "nginx"
        ingress.kubernetes.io/affinity: "cookie"
        ingress.kubernetes.io/session-cookie-name: "route"
        ingress.kubernetes.io/session-cookie-hash: "sha1"
        ingress.kubernetes.io/rewrite-target: /
        ingress.kubernetes.io/secure-backends: "true"
    spec:
      rules:
      - host:
        http:
          paths:
          - path: /liberty
            backend:
              serviceName: liberty
              servicePort: 9443
  7. In the deployment.yaml file of the Liberty server or Liberty service, create the volumes that mount the secrets and the config map. Use the following code snippet without modifying it:
    volumes:
    - name: keystores
      secret:
        secretName: mb-keystore
    - name: truststores
      secret:
        secretName: mb-truststore
    - name: liberty-ssl
      configMap:
        name: liberty-ssl
        items:
          - key: libertyssl.xml
            path: defaults/libertyssl.xml
  8. In the deployment.yaml file of the Liberty server or Liberty service, mount the volumes that you created. Use the following code snippet without modifying it:
    volumeMounts:
    - name: keystores
      mountPath: /etc/wlp/config/keystore
      readOnly: true
    - name: truststores
      mountPath: /etc/wlp/config/truststore
      readOnly: true
    - name: liberty-ssl
      mountPath: /config/configDropins
  9. In the deployment.yaml file of the Liberty server or Liberty service, specify the environment variables that reference the Kubernetes secrets. Use the following code snippet without modifying it:
    env:
    - name: MB_KEYSTORE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mb-keystore-password
          key: password
    - name: MB_TRUSTSTORE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mb-truststore-password
          key: password

Example

The following is a sample Liberty deployment file. The sample image uses the mb-truststore, mb-truststore-password, mb-keystore and mb-keystore-password Kubernetes secrets; the MB_KEYSTORE_PASSWORD and MB_TRUSTSTORE_PASSWORD environment variables; and the liberty-ssl config map:
apiVersion: v1
kind: Service
metadata:
  name: liberty
  labels:
    name: liberty
spec:
  selector:
    name: liberty
  ports:
  - name: http
    protocol: TCP
    port: 9080
    targetPort: 9080
  - name: https
    protocol: TCP
    port: 9443
    targetPort: 9443
  type: NodePort
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: liberty
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: liberty
    spec:
      containers:
      - name: liberty
        image: master.cfc:8500/admin/liberty:latest
        ports:
          - containerPort: 9080
          - containerPort: 9443
        readinessProbe:
          httpGet:
            path: /
            port: 9080
        env:
        - name: MB_KEYSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mb-keystore-password
              key: password
        - name: MB_TRUSTSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mb-truststore-password
              key: password
        volumeMounts:
        - name: keystores
          mountPath: /etc/wlp/config/keystore
          readOnly: true
        - name: truststores
          mountPath: /etc/wlp/config/truststore
          readOnly: true
        - name: liberty-ssl
          mountPath: /config/configDropins
          readOnly: true

      volumes:
        - name: keystores
          secret:
            secretName: mb-keystore
        - name: truststores
          secret:
            secretName: mb-truststore
        - name: liberty-ssl
          configMap:
            name: liberty-ssl
            items:
             - key: libertyssl.xml
               path: defaults/libertyssl.xml
      imagePullSecrets:
      - name: admin.registrykey
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: liberty
  labels:
    name: liberty
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/affinity: "cookie"
    ingress.kubernetes.io/session-cookie-name: "route"
    ingress.kubernetes.io/session-cookie-hash: "sha1"
    ingress.kubernetes.io/rewrite-target: /
    ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
  - host:
    http:
      paths:
      - path: /liberty
        backend:
          serviceName: liberty
          servicePort: 9443
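As an added pre-deployment check (example code, not part of this IBM documentation), the script below validates a pod spec shaped like the example above before it is applied: every secret and config map the spec references must exist (the two name sets are constructed stand-ins for the output of kubectl get secrets and kubectl get configmap), every volumeMount must have a matching volume, and the keystore and truststore secret mounts must be readOnly.

```python
# Added example (not from the IBM page): pre-deployment check that every secret and
# configMap a Liberty pod spec references exists, every volumeMount has a volume, and
# the keystore/truststore secret mounts are readOnly. The spec and the name sets are
# constructed from the page's example and stand in for "kubectl get" output.
LIBERTY_POD_SPEC = {
    "containers": [{
        "name": "liberty",
        "env": [
            {"name": "MB_KEYSTORE_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "mb-keystore-password", "key": "password"}}},
            {"name": "MB_TRUSTSTORE_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "mb-truststore-password", "key": "password"}}},
        ],
        "volumeMounts": [
            {"name": "keystores", "mountPath": "/etc/wlp/config/keystore", "readOnly": True},
            {"name": "truststores", "mountPath": "/etc/wlp/config/truststore", "readOnly": True},
            {"name": "liberty-ssl", "mountPath": "/config/configDropins"},
        ],
    }],
    "volumes": [
        {"name": "keystores", "secret": {"secretName": "mb-keystore"}},
        {"name": "truststores", "secret": {"secretName": "mb-truststore"}},
        {"name": "liberty-ssl", "configMap": {"name": "liberty-ssl"}},
    ],
}
EXISTING_SECRETS = {"mb-keystore", "mb-truststore", "mb-keystore-password", "mb-truststore-password"}
EXISTING_CONFIGMAPS = {"liberty-ssl"}

def check_references(pod_spec, secrets, configmaps):
    # Returns a list of problems; an empty list means every reference resolves.
    problems = []
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    for v in volumes.values():
        if "secret" in v and v["secret"]["secretName"] not in secrets:
            problems.append(f"volume {v['name']}: secret {v['secret']['secretName']} missing")
        if "configMap" in v and v["configMap"]["name"] not in configmaps:
            problems.append(f"volume {v['name']}: configMap {v['configMap']['name']} missing")
    for c in pod_spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            vol = volumes.get(m["name"])
            if vol is None:
                problems.append(f"mount {m['name']}: no matching volume")
            elif "secret" in vol and not m.get("readOnly", False):
                problems.append(f"mount {m['name']}: secret volume is not readOnly")
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref and ref["name"] not in secrets:
                problems.append(f"env {e['name']}: secret {ref['name']} missing")
    return problems
```

Run check_references on the pod spec of your own deployment after reading the real secret and config map names from the cluster; a non-empty list means Liberty would start without its keystore password or certificate files.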

What to do next

Run the kubectl command to deploy the application. Access your application from the following URL:
https://<yourproxyip>/liberty

File name: twlp_icp_ssl.html