主页
产品
Red Hat OpenShift Service on AWS classic architecture
4
教程
12.5. 创建自定义域 Ingress Controller

12.5. 创建自定义域 Ingress Controller

创建并配置证书资源来为自定义域 Ingress Controller 置备证书：

注意

以下示例使用单个域证书。也支持 SAN 和通配符证书。

cat << EOF | oc apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: custom-domain-ingress-cert
  namespace: openshift-ingress
spec:
  secretName: custom-domain-ingress-cert-tls
  issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
  commonName: "${DOMAIN}"
  dnsNames:
  - "${DOMAIN}"
EOF

$ cat << EOF | oc apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: custom-domain-ingress-cert
  namespace: openshift-ingress
spec:
  secretName: custom-domain-ingress-cert-tls
  issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
  commonName: "${DOMAIN}"
  dnsNames:
  - "${DOMAIN}"
EOF

Copy to Clipboard

Toggle word wrap

验证证书是否已发布：

注意

需要几分钟时间，此证书才会由 Let's Encrypt 发布。如果用时超过 5 分钟，请运行 oc -n openshift-ingress describe certificate.cert-manager.io/custom-domain-ingress-cert 来查看 cert-manager 报告的问题。

oc -n openshift-ingress get certificate.cert-manager.io/custom-domain-ingress-cert

$ oc -n openshift-ingress get certificate.cert-manager.io/custom-domain-ingress-cert

Copy to Clipboard

Toggle word wrap

输出示例

NAME                         READY   SECRET                           AGE
custom-domain-ingress-cert   True    custom-domain-ingress-cert-tls   9m53s

NAME                         READY   SECRET                           AGE
custom-domain-ingress-cert   True    custom-domain-ingress-cert-tls   9m53s

Copy to Clipboard

Toggle word wrap

创建新的 IngressController 资源：

cat << EOF | oc apply -f -
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: custom-domain-ingress
  namespace: openshift-ingress-operator
spec:
  domain: ${DOMAIN}
  defaultCertificate:
    name: custom-domain-ingress-cert-tls
  endpointPublishingStrategy:
    loadBalancer:
      dnsManagementPolicy: Unmanaged
      providerParameters:
        aws:
          type: NLB
        type: AWS
      scope: External
    type: LoadBalancerService
EOF

$ cat << EOF | oc apply -f -
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: custom-domain-ingress
  namespace: openshift-ingress-operator
spec:
  domain: ${DOMAIN}
  defaultCertificate:
    name: custom-domain-ingress-cert-tls
  endpointPublishingStrategy:
    loadBalancer:
      dnsManagementPolicy: Unmanaged
      providerParameters:
        aws:
          type: NLB
        type: AWS
      scope: External
    type: LoadBalancerService
EOF

Copy to Clipboard

Toggle word wrap

警告

此 IngressController 示例将在 AWS 帐户中创建可访问互联网的 Network Load Balancer (NLB)。要置备内部 NLB，请在创建 IngressController 资源前将 .spec.endpointPublishingStrategy.loadBalancer.scope 参数设置为 Internal。

验证自定义域 IngressController 是否已成功创建了外部负载均衡器：

oc -n openshift-ingress get service/router-custom-domain-ingress

$ oc -n openshift-ingress get service/router-custom-domain-ingress

Copy to Clipboard

Toggle word wrap

输出示例

NAME                           TYPE           CLUSTER-IP      EXTERNAL-IP                                                                     PORT(S)                      AGE
router-custom-domain-ingress   LoadBalancer   172.30.174.34   a309962c3bd6e42c08cadb9202eca683-1f5bbb64a1f1ec65.elb.us-east-1.amazonaws.com   80:31342/TCP,443:31821/TCP   7m28s

NAME                           TYPE           CLUSTER-IP      EXTERNAL-IP                                                                     PORT(S)                      AGE
router-custom-domain-ingress   LoadBalancer   172.30.174.34   a309962c3bd6e42c08cadb9202eca683-1f5bbb64a1f1ec65.elb.us-east-1.amazonaws.com   80:31342/TCP,443:31821/TCP   7m28s

Copy to Clipboard

Toggle word wrap

准备包含所需 DNS 更改的文档，以便为自定义域 Ingress Controller 启用 DNS 解析：

INGRESS=$(oc -n openshift-ingress get service/router-custom-domain-ingress -ojsonpath="{.status.loadBalancer.ingress[0].hostname}")
cat << EOF > "${SCRATCH}/create-cname.json"
{
  "Comment":"Add CNAME to custom domain endpoint",
  "Changes":[{
      "Action":"CREATE",
      "ResourceRecordSet":{
        "Name": "*.${DOMAIN}",
      "Type":"CNAME",
      "TTL":30,
      "ResourceRecords":[{
        "Value": "${INGRESS}"
      }]
    }
  }]
}
EOF

$ INGRESS=$(oc -n openshift-ingress get service/router-custom-domain-ingress -ojsonpath="{.status.loadBalancer.ingress[0].hostname}")
$ cat << EOF > "${SCRATCH}/create-cname.json"
{
  "Comment":"Add CNAME to custom domain endpoint",
  "Changes":[{
      "Action":"CREATE",
      "ResourceRecordSet":{
        "Name": "*.${DOMAIN}",
      "Type":"CNAME",
      "TTL":30,
      "ResourceRecords":[{
        "Value": "${INGRESS}"
      }]
    }
  }]
}
EOF

Copy to Clipboard

Toggle word wrap

将您的更改提交到 Amazon Route 53 进行传播：
```
aws route53 change-resource-record-sets \
  --hosted-zone-id ${ZONE_ID} \
  --change-batch file://${SCRATCH}/create-cname.json
```
```
$ aws route53 change-resource-record-sets \
  --hosted-zone-id ${ZONE_ID} \
  --change-batch file://${SCRATCH}/create-cname.json
```
Copy to Clipboard Toggle word wrap
注意
虽然通配符 CNAME 记录避免了需要使用自定义域 Ingress Controller 部署的每个新应用程序创建一个新记录，但这些应用所使用的证书 并不是 通配符证书。

12.5. 创建自定义域 Ingress Controller

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links