创建自签名证书的ca
ca的创建参考:<使用cfssl创建自签名证书>
代码语言:javascript
复制
kubectl create secret tls ca-key --cert=ca.pem --key=ca-key.pem --namespace=cert-manager创建clusterissuer
代码语言:javascript
复制
# cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: ssli-cluster-issuer
spec:
ca:
secretName: ca-key
EOF
# k get clusterissuers.cert-manager.io
NAME READY AGE
ssli-cluster-issuer True 6s创建certificate
这里需要指定clusterissuer和生成证书的secret名字,创建certificate:
代码语言:javascript
复制
# cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ssli-com
spec:
dnsNames:
- www.ssli.com
issuerRef:
kind: ClusterIssuer
name: ssli-cluster-issuer
secretName: ssli-cert
EOF
# k get certificate
NAME READY SECRET AGE
ssli-com True ssli-cert 9s创建成功后,证书会保存到指定的secret,如下:
代码语言:javascript
复制
# k get secret ssli-cert
NAME TYPE DATA AGE
ssli-cert kubernetes.io/tls 3 26s在ingress中使用该证书
创建一个nginx deployment并修改了默认页面 /usr/share/nginx/html/index.html为hello nginx,在ingress中使用创建的证书:
代码语言:javascript
复制
# k create deployment nginx --image=nginx
# k exec nginx-6799fc88d8-nbs4h -- sh -c "echo hello nginx > /usr/share/nginx/html/index.html"
# kubectl expose deployment nginx --port=80 --name=nginx
service/nginx exposed
# k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 41h
nginx ClusterIP 10.102.140.200 <none> 80/TCP 16s
# curl 10.102.140.200
hello nginx
# cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- www.ssli.com
secretName: ssli-cert
rules:
- host: www.ssli.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx
port:
number: 80
EOF
# curl -k https://www.ssli.com
hello nginx或者在ingress中指定相应的clusterissuer,ingress会自动签发证书并使用,如下:
代码语言:javascript
复制
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "ssli-cluster-issuer"
spec:
tls:
- hosts:
- www.ssli.com
secretName: auto-ssli-cert
rules:
- host: www.ssli.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx
port:
number: 80
EOF
# k get secret auto-ssli-cert
NAME TYPE DATA AGE
auto-ssli-cert kubernetes.io/tls 3 38s
# curl -k https://www.ssli.com
hello nginx可以看到自动生成了证书secret,并且服务也正常。
创建selfSigned类型的issuer
代码语言:javascript
复制
$ cat <<EOF | kubectl apply -f - apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: ssli-selfsigned spec: selfSigned: {} EOF # cat <<EOF | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: nginx annotations: kubernetes.io/ingress.class: "nginx" cert-manager.io/cluster-issuer: "ssli-selfsigned" spec: tls: - hosts: - www.ssli.com secretName: selfsigned-ssli-cert rules: - host: www.ssli.com http: paths: - path: / pathType: Prefix backend: service: name: nginx port: number: 80 EOF # k get secret selfsigned-ssli-cert-s7s78 NAME TYPE DATA AGE selfsigned-ssli-cert-s7s78 Opaque 1 19s # curl -k https://www.ssli.com hello nginx # curl -kv https://www.ssli.com...
- Server certificate:
- subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
- start date: Dec 26 09:16:01 2021 GMT
- expire date: Dec 26 09:16:01 2022 GMT
- issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
- SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
...
可以看到ingress使用了ingress controller自签名的证书。
LEo at 00:12
