
Using Kubernetes with Skaffold and running Next JS produces "Your connection is not private" under HTTPS in Chrome

  •  0
  • JAN  · Tech community  · 4 years ago

    I am running Skaffold with several apps under development:

    Skaffold.yaml

    apiVersion: skaffold/v2alpha3
    kind: Config
    deploy:
      kubectl:
        manifests:
          - ./infra/k8s/*
    build:
      local:
        push: false
      artifacts:    
        - image: MYDOCKERID/client
          context: client
          docker:
            dockerfile: Dockerfile
          sync:
            manual:
              - src: '**/*.js'
                dest: .
    

    The client's Dockerfile:

    FROM node:alpine
    
    WORKDIR /app
    COPY package.json .
    RUN npm install
    COPY . .
    
    CMD ["npm", "run", "dev"]
    

    client-depl.yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: client-depl
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: client
      template:
        metadata:
          labels:
            app: client
        spec:
          containers:
            - name: client
              image: MYDOCKERID/client
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: client-srv
    spec:
      selector:
        app: client
      ports:
        - name: client
          protocol: TCP
          port: 3000
          targetPort: 3000
    

    When running skaffold dev from the command line, everything compiles perfectly:

    [client-depl-5bdc8cffcd-s9z9r client] event - compiled successfully
    [client-depl-5bdc8cffcd-s9z9r client] wait  - compiling...
    [client-depl-5bdc8cffcd-s9z9r client] Attention: Next.js now collects completely anonymous telemetry regarding usage.
    [client-depl-5bdc8cffcd-s9z9r client] This information is used to shape Next.js' roadmap and prioritize features.
    [client-depl-5bdc8cffcd-s9z9r client] You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
    [client-depl-5bdc8cffcd-s9z9r client] https://nextjs.org/telemetry
    [client-depl-5bdc8cffcd-s9z9r client]
    [client-depl-5bdc8cffcd-s9z9r client] event - compiled successfully
    

    I have added the domain to the hosts file in the Windows etc folder:

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    # localhost name resolution is handled within DNS itself.
    #   127.0.0.1       localhost
    #   ::1             localhost
    
    127.0.0.1 ticketing.dev
    

    However, when I type ticketing.dev into Chrome, I get:

    [Image: screenshot of the Chrome warning]

    How can I run the app in Chrome and get past this message?

0 replies  |  until 4 years ago
        1
  •  1
  •   Crou    4 years ago

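    You are missing a certificate to secure the connection. You also need to configure the ingress to use the certificate you created.

    You should read Manage TLS Certificates in a Cluster .

    Kubernetes provides a certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. These CA and certificates can be used by your workloads to establish trust.

    You can take a look at a guide on Adding SSL/TLS support to applications in Kubernetes-native way .

    You can create a self-signed certificate; this medium article shows how to do it on Windows.

    On Linux, you can do the following: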

    [root]# mkdir certs
    [root]# openssl req -nodes -newkey rsa:2048 -keyout certs/ticketing.key -out certs/ticketing.csr -subj "/C=/ST=/L=/O=/OU=/CN=default"
    [root]# openssl x509 -req -sha256 -days 365 -in certs/ticketing.csr -signkey certs/ticketing.key -out certs/ticketing.crt
    

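    This creates a certificate valid for 365 days. Then create a secret that will hold your certificate:

    # An Ingress TLS secret must be of type kubernetes.io/tls (keys tls.crt and tls.key)
    kubectl create secret tls ticketing-certs --cert=certs/ticketing.crt --key=certs/ticketing.key -n default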
    

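    Once the certificate and secret are ready, you should create an ingress:

    # extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters need networking.k8s.io/v1
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: example1-ingress
    spec:
      tls:
        - hosts:
            - www.ticketing.dev
          secretName: ticketing-certs  # must match the name of the secret created above
      rules:
        - host: www.ticketing.dev
          http:
            paths:
              - path: /
                backend:
                  serviceName: client-srv
                  servicePort: 3000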
    

    Let me know if you need anything else.
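
An added example, not part of the answer above: a pre-flight check for the certificate before it is loaded into the Ingress secret. Chrome matches the requested host against the certificate's subjectAltName and ignores CN, so the sketch issues a self-signed certificate with a SAN and verifies both the host match and the key/cert pairing. The function names and the tls.crt/tls.key file names are assumptions; the secret name and namespace are the ones used on this page. OpenSSL 1.1.1 or later is assumed for -addext.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Assumes OpenSSL 1.1.1+ for -addext.

# make_cert HOST DIR: self-signed certificate whose subjectAltName names HOST.
# Chrome validates the host against subjectAltName only and ignores CN.
make_cert() {
  host=$1; dir=$2
  mkdir -p "$dir"
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# cert_covers_host CRT HOST: succeeds only if the certificate is valid for HOST.
# openssl exits 0 either way, so the verdict is read from its output.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# key_matches_cert CRT KEY: succeeds only if KEY is the private key behind CRT,
# by comparing digests of the two public keys.
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# preflight HOST DIR: run both checks, then print (not execute) the secret command.
preflight() {
  cert_covers_host "$2/tls.crt" "$1" || { echo "cert does not cover $1" >&2; return 1; }
  key_matches_cert "$2/tls.crt" "$2/tls.key" || { echo "key/cert mismatch" >&2; return 1; }
  echo "kubectl create secret tls ticketing-certs --cert=$2/tls.crt --key=$2/tls.key -n default"
}

# Usage: bash preflight.sh www.ticketing.dev certs   (does nothing without arguments)
[ "${1:-}" = "" ] || { make_cert "$1" "${2:-certs}" && preflight "$1" "${2:-certs}"; }
```

A self-signed certificate that passes these checks still has to be imported into the trust store of the machine running Chrome before the warning goes away.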

        2
  •  0
  •   Rehan    4 years ago

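    I am assuming you are using this project for development purposes. If you want to run the app in Chrome, to bypass this security warning, type the following blindly, right on the web page where the warning is displayed: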

    thisisunsafe