[17.0.0.3 and later]

Deploying Liberty with Ingress using SSL in IBM Cloud Private

When the Ingress is requested, the connection from the browser to the proxy is secure. However, if you also want to secure the back-end connection, complete this task.

About this task

The config map contains server.xml file overrides. These overrides enable the features that SSL requires and configure the Liberty server or Liberty service to use the certificates that the fabric generates.

Procedure

  1. Create a libertyssl.xml file with the following content:
    <?xml version="1.0" encoding="UTF-8"?>
    <server>
      <featureManager>
        <feature>ssl-1.0</feature>
      </featureManager>
      <keyStore id="defaultKeyStore" location="/etc/wlp/config/keystore/key.jks"
        password="${env.MB_KEYSTORE_PASSWORD}" />
      <keyStore id="defaultTrustStore" location="/etc/wlp/config/truststore/trust.jks"
        password="${env.MB_TRUSTSTORE_PASSWORD}" />
    </server>
  2. Create a config map from the file that you created in the previous step:
    kubectl create configmap liberty-ssl --from-file=libertyssl.xml
  3. Ensure that the Kubernetes secrets exist. Run the following kubectl command and look for the mb-truststore, mb-truststore-password, mb-keystore, and mb-keystore-password Kubernetes secrets in the list:
    kubectl get secrets
  4. Run the following kubectl command and look for the liberty-ssl config map in the list:
    kubectl get configmap
  5. In the Liberty service deployment.yaml file, create the following service:
    apiVersion: v1
    kind: Service
    metadata:
      name: liberty
      labels:
        name: liberty
    spec:
      selector:
        name: liberty
      ports:
      - name: http
        protocol: TCP
        port: 9080
        targetPort: 9080
      - name: https
        protocol: TCP
        port: 9443
        targetPort: 9443
      type: NodePort
  6. In the Liberty service deployment.yaml file, create the following Ingress:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: liberty
      labels:
        name: liberty
      annotations:
        kubernetes.io/ingress.class: "nginx"
        ingress.kubernetes.io/affinity: "cookie"
        ingress.kubernetes.io/session-cookie-name: "route"
        ingress.kubernetes.io/session-cookie-hash: "sha1"
        ingress.kubernetes.io/rewrite-target: /
        ingress.kubernetes.io/secure-backends: "true"
    spec:
      rules:
      - host:
        http:
          paths:
          - path: /liberty
            backend:
              serviceName: liberty
              servicePort: 9443
  7. In the Liberty server or Liberty service deployment.yaml file, create the volumes that mount the secrets and the config map. Use the following snippet without modification:
    volumes:
    - name: keystores
      secret:
        secretName: mb-keystore
    - name: truststores
      secret:
        secretName: mb-truststore
    - name: liberty-ssl
      configMap:
        name: liberty-ssl
        items:
          - key: libertyssl.xml
            path: defaults/libertyssl.xml
  8. In the Liberty server or Liberty service deployment.yaml file, mount the volumes that you created. Use the following snippet without modification:
    volumeMounts:
    - name: keystores
      mountPath: /etc/wlp/config/keystore
      readOnly: true
    - name: truststores
      mountPath: /etc/wlp/config/truststore
      readOnly: true
    - name: liberty-ssl
      mountPath: /config/configDropins
  9. In the Liberty server or Liberty service deployment.yaml file, specify the environment variables that reference the Kubernetes secrets. Use the following snippet without modification:
    env:
    - name: MB_KEYSTORE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mb-keystore-password
          key: password
    - name: MB_TRUSTSTORE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mb-truststore-password
          key: password
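As an added consistency check (not part of this page's procedure), the following script verifies that the deployment and Ingress produced by steps 5 to 9 actually wire the SSL pieces together: all four secrets are referenced, the keystore and truststore mounts are read-only, and the Ingress uses secure-backends against port 9443. It reads the JSON that kubectl get deployment liberty -o json and kubectl get ingress liberty -o json produce; the embedded sample manifests are constructed and deliberately incomplete so that the findings are visible.

```python
import json

# Names this page's procedure requires: the four secrets and the three mount paths
REQUIRED_SECRETS = {"mb-keystore", "mb-truststore",
                    "mb-keystore-password", "mb-truststore-password"}
REQUIRED_MOUNTS = {"/etc/wlp/config/keystore", "/etc/wlp/config/truststore",
                   "/config/configDropins"}

def check_manifests(deployment, ingress):
    """Return a list of findings; an empty list means the manifests follow the procedure."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    container = pod["containers"][0]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    # A secret may be consumed as a volume (keystore files) or via secretKeyRef (passwords)
    referenced = {v["secret"]["secretName"] for v in volumes.values() if "secret" in v}
    referenced |= {e["valueFrom"]["secretKeyRef"]["name"] for e in container.get("env", [])
                   if "secretKeyRef" in e.get("valueFrom", {})}
    for name in sorted(REQUIRED_SECRETS - referenced):
        findings.append(f"secret {name} is not referenced")
    mounts = {m["mountPath"]: m for m in container.get("volumeMounts", [])}
    for path in sorted(REQUIRED_MOUNTS - set(mounts)):
        findings.append(f"required mount path {path} is missing")
    for path in ("/etc/wlp/config/keystore", "/etc/wlp/config/truststore"):
        if path in mounts and not mounts[path].get("readOnly", False):
            findings.append(f"{path} should be mounted readOnly")
    # The proxy must speak TLS to the backend, and the backend must be the HTTPS port
    annotations = ingress["metadata"].get("annotations", {})
    if annotations.get("ingress.kubernetes.io/secure-backends") != "true":
        findings.append('ingress is missing secure-backends: "true"')
    for rule in ingress["spec"]["rules"]:
        for p in rule["http"]["paths"]:
            if p["backend"]["servicePort"] != 9443:
                findings.append(f"path {p['path']} routes to port {p['backend']['servicePort']}, expected 9443")
    return findings

# Constructed sample (not the page's example): the truststore password secret was left out,
# the truststore mount is writable, and the Ingress still targets the plain HTTP port
BAD_DEPLOYMENT = json.loads('''{"spec":{"template":{"spec":{"containers":[{"name":"liberty",
 "env":[{"name":"MB_KEYSTORE_PASSWORD","valueFrom":{"secretKeyRef":{"name":"mb-keystore-password","key":"password"}}}],
 "volumeMounts":[{"name":"keystores","mountPath":"/etc/wlp/config/keystore","readOnly":true},
  {"name":"truststores","mountPath":"/etc/wlp/config/truststore"},
  {"name":"liberty-ssl","mountPath":"/config/configDropins"}]}],
 "volumes":[{"name":"keystores","secret":{"secretName":"mb-keystore"}},
  {"name":"truststores","secret":{"secretName":"mb-truststore"}},
  {"name":"liberty-ssl","configMap":{"name":"liberty-ssl"}}]}}}}''')
BAD_INGRESS = json.loads('''{"metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"}},
 "spec":{"rules":[{"http":{"paths":[{"path":"/liberty","backend":{"serviceName":"liberty","servicePort":9080}}]}}]}}''')
```

Running check_manifests on the manifests exported from your cluster should return an empty list before you expose the application.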

Example

The following example is a sample Liberty deployment file. This sample image uses the mb-truststore, mb-truststore-password, mb-keystore, and mb-keystore-password Kubernetes secrets; the MB_KEYSTORE_PASSWORD and MB_TRUSTSTORE_PASSWORD environment variables; and the liberty-ssl config map:
apiVersion: v1
kind: Service
metadata:
  name: liberty
  labels:
    name: liberty
spec:
  selector:
    name: liberty
  ports:
  - name: http
    protocol: TCP
    port: 9080
    targetPort: 9080
  - name: https
    protocol: TCP
    port: 9443
    targetPort: 9443
  type: NodePort
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: liberty
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: liberty
    spec:
      containers:
      - name: liberty
        image: master.cfc:8500/admin/liberty:latest
        ports:
          - containerPort: 9080
          - containerPort: 9443
        readinessProbe:
          httpGet:
            path: /
            port: 9080
        env:
        - name: MB_KEYSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mb-keystore-password
              key: password
        - name: MB_TRUSTSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mb-truststore-password
              key: password
        volumeMounts:
        - name: keystores
          mountPath: /etc/wlp/config/keystore
          readOnly: true
        - name: truststores
          mountPath: /etc/wlp/config/truststore
          readOnly: true
        - name: liberty-ssl
          mountPath: /config/configDropins
          readOnly: true

      volumes:
        - name: keystores
          secret:
            secretName: mb-keystore
        - name: truststores
          secret:
            secretName: mb-truststore
        - name: liberty-ssl
          configMap:
            name: liberty-ssl
            items:
              - key: libertyssl.xml
                path: defaults/libertyssl.xml
      imagePullSecrets:
      - name: admin.registrykey
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: liberty
  labels:
    name: liberty
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/affinity: "cookie"
    ingress.kubernetes.io/session-cookie-name: "route"
    ingress.kubernetes.io/session-cookie-hash: "sha1"
    ingress.kubernetes.io/rewrite-target: /
    ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
  - host:
    http:
      paths:
      - path: /liberty
        backend:
          serviceName: liberty
          servicePort: 9443

What to do next

Run the kubectl command to deploy the application. Access the application at the following URL:
https://<yourproxyip>/liberty


File name: twlp_icp_ssl.html