docs(discovery): add document for k8s mtls #8725

Closed
wants to merge 2 commits into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 72 additions & 10 deletions docs/zh/latest/discovery/kubernetes.md
Expand Up @@ -278,16 +278,6 @@ nodes("release/default/plat-dev:port") 调用会得到如下的返回值:

## Q&A

**Q: 为什么只支持配置 token 来访问 Kubernetes APIServer?**

A: 一般情况下,我们有三种方式可以完成与 Kubernetes APIServer 的认证:

- mTLS
- Token
- Basic authentication

因为 lua-resty-http 目前不支持 mTLS, Basic authentication 不被推荐使用,所以当前只实现了 Token 认证方式。

**Q: APISIX 继承了 NGINX 的多进程模型,是否意味着每个 APISIX 工作进程都会监听 Kubernetes Endpoints?**

A: Kubernetes 服务发现只使用特权进程监听 Kubernetes Endpoints,然后将其值存储到 `ngx.shared.DICT` 中,工作进程通过查询 `ngx.shared.DICT` 来获取结果。
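Review bot: deleting the whole "why only token" Q&A also deletes the only sentence telling readers that Basic authentication is neither recommended nor implemented, so someone reading the new version may assume all three methods listed in the old answer now work. Suggest keeping a shortened answer in its place that states the two supported methods are Token and mTLS and that Basic authentication is not implemented, and, since the removed sentence attributed the old limitation to lua-resty-http, saying what changed in that dependency so operators on older builds know the new mTLS section does not apply to them.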
Expand Down Expand Up @@ -343,3 +333,75 @@ A: 假定你指定的 [_ServiceAccount_](https://kubernetes.io/docs/tasks/config
```shell
kubectl -n apisix get secret kubernetes-discovery-token-c64cv -o jsonpath={.data.token} | base64 -d
```

**Q: 如何使用 mTLS 认证连接 Kubernetes?**

A: 假定你在 Kubernetes 集群外启动 APISIX,请按如下步骤来获取 TLS 证书。

1. 从 Kubernetes 配置中取得证书、私钥及 CA 证书:

获取客户端证书:

```shell
kubectl config view --raw -o 'jsonpath={.users[0].user.client-certificate-data}'| base64 -d > k8s_mtls.pem
```

获取证书对应私钥:

```shell
kubectl config view --raw -o 'jsonpath={.users[0].user.client-key-data}'| base64 -d > k8s_mtls.key
```

获取 CA 证书:

```shell
kubectl config view --raw -o 'jsonpath={.clusters[0].cluster.certificate-authority-data}'| base64 -d > k8s_mtls_ca.pem
```

2. 在 APISIX 服务发现配置中配置 mTLS 方式连接 Kubernetes 集群。

单集群模式:

```yaml
ssl:
ssl_trusted_certificate: /var/certs/k8s_mtls_ca.pem
ssl_protocols: TLSv1.2 TLSv1.3
discovery:
kubernetes:
service:
schema: "https"
host: "<apiserver address>"
port: "<apiserver port>"
client:
cert_file: /var/certs/k8s_mtls.pem
key_file: /var/certs/k8s_mtls.key
ssl_verify: true
```

多集群模式:

```yaml
ssl:
ssl_trusted_certificate: /var/certs/k8s_mtls_ca.pem
ssl_protocols: TLSv1.2 TLSv1.3
discovery:
kubernetes:
- id: first
service:
schema: "https"
host: "<apiserver address>"
port: "<apiserver port>"
client:
cert_file: /var/certs/k8s_mtls.pem
key_file: /var/certs/k8s_mtls.key
ssl_verify: true
- id: second
service:
schema: "https"
host: "<apiserver address>"
port: "<apiserver port>"
client:
cert_file: /var/certs/k8s_mtls.pem
key_file: /var/certs/k8s_mtls.key
ssl_verify: true
```
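Review bot: step 1 extracts `.users[0]` and `.clusters[0]`, which silently takes whichever entry is first in the kubeconfig rather than the one for the target cluster, and that first user is typically the interactive admin identity; selecting by name (for example `jsonpath={.users[?(@.name=="<user>")].user.client-certificate-data}`) and adding a sentence that the certificate APISIX presents should belong to a dedicated identity whose RBAC binding only allows list/watch on endpoints would match what the existing ServiceAccount answer already says for tokens. The extracted `k8s_mtls.key` is an unencrypted private key written to the current directory, so the text should also say to store it with owner-only permissions (e.g. `chmod 600 k8s_mtls.key`). In step 2, neither YAML snippet has an `apisix:` parent key, but in APISIX's config.yaml `ssl_trusted_certificate` and `ssl_protocols` are configured under `apisix.ssl`, so a reader pasting this verbatim gets a section the config loader does not recognise; please show the parent key. `ssl_verify: true` together with `ssl_trusted_certificate` is the right combination, and it is worth one sentence stating that `ssl_verify` must stay `true` for mTLS to authenticate the API server, since a reader who trims the example to `cert_file`/`key_file` alone would otherwise present the client certificate to an unverified endpoint.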