一看必會系列:k8s 練習9 ingress ssl https 多證書實戰

來源:本站原創 Kubernetes 超過304 views圍觀 0條評論

ingress nginx https ssl多證書
創建私有證書
# openssl req -x509 -nodes -days 365 \
-newkey rsa:2048 -keyout xxx.yyy.key \
-out xxx.yyy.crt \
-subj “/CN=*.xxx.yyy/O=xxx.yyy”
方案1.每個證書對應一個 name? #官方推薦
[[email protected] ssl]# kubectl create secret tls tls.ccie.wang –key ccie.wang.key –cert ccie.wang.crt
[[email protected] ssl]# kubectl create secret tls tls.xxx.yyy –key xxx.yyy.key –cert xxx.yyy.crt

查看證書
[[email protected] ssl]# kubectl get secret
NAME????????????????? TYPE????????????????????????????????? DATA?? AGE
default-token-tkfmx?? kubernetes.io/service-account-token?? 3????? 30d
tls.ccie.wang???????? kubernetes.io/tls???????????????????? 2????? 78m
tls.xxx.yyy?????????? kubernetes.io/tls???????????????????? 2????? 12s
[[email protected] ssl]#
創建ingress https服務
[[email protected] ssl]# kubectl apply -f xxx.yyy.yaml
ingress.extensions/nginx-xxx-yyy-test created

查看ingress狀態
[[email protected] ssl]# kubectl get ingress
NAME?????????????????? HOSTS????????????? ADDRESS?? PORTS???? AGE
ingress-nginx-test???? in2.ccie.wang??????????????? 80??????? 23h
nginx-ccie-wang-test?? in4ssl.ccie.wang???????????? 80, 443?? 37m #自動生成80、443端口
nginx-xxx-yyy-test???? in4ssl.xxx.yyy?????????????? 80, 443?? 9s
[[email protected] ssl]#
驗證
[email protected]:/etc/nginx/conf.d# curl -s https://in4ssl.xxx.yyy -k |head -5
<html ng-app=”redis”>
<head>
<title>Guestbook</title>
<link rel=”stylesheet” href=”bootstrap.min.css”>
<script src=”angular.min.js”></script>
[email protected]:/etc/nginx/conf.d#
方案2.所有證書對應一個namE 測試不可用
#將兩個域名證書放到一個secret里
# kubectl create secret generic tow-cert \
–from-file=ccie.wang.key? \
–from-file=ccie.wang.crt? \
–from-file=xxx.yyy.key? \
–from-file=xxx.yyy.crt -n default

查看Secret
[[email protected] ssl]# kubectl describe secret tow-cert
Name:???????? tow-cert
Namespace:??? default
Labels:?????? <none>
Annotations:? <none>

Type:? Opaque

Data
#包含兩個證書
ccie.wang.crt:? 3622 bytes
ccie.wang.key:? 1732 bytes
xxx.yyy.crt:??? 1143 bytes
xxx.yyy.key:??? 1704 bytes
實際驗證發現 證書信息是不對的。而且證書加載的是default-fake-certificate.pem
可能需要confitmap進行掛載,但這樣比單獨配置證書更麻煩
正常應該是 tow-cert
ssl_certificate???????? /etc/ingress-controller/ssl/default-fake-certificate.pem;
ssl_certificate_key???? /etc/ingress-controller/ssl/default-fake-certificate.pem;

————–報錯
[email protected]:/etc/nginx/conf.d# curl https://!$
curl https://in4ssl.xxx.yyy
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

使用curl會報證書錯,因為這個是私有證書,用下面方式可以解決

curl需要加上-k,wget需要加上–no-check-certificate:
curl https://172.16.0.168/api/v4/projects?search=xxxx -k

wget ‘https://172.16.0.168/api/v4/projects?search=xxxx -k’ –no-check-certificate

文章出自:CCIE那點事 http://www.qdxgqk.live/ 版權所有。本站文章除注明出處外,皆為作者原創文章,可自由引用,但請注明來源。 禁止全文轉載。
本文鏈接:http://www.qdxgqk.live/?p=4131轉載請注明轉自CCIE那點事
如果喜歡:點此訂閱本站
  • 相關文章
  • 為您推薦
  • 各種觀點
?
暫時還木有人評論,坐等沙發!
發表評論

您必須 [ 登錄 ] 才能發表留言!

?
?
萌宠夺宝游戏