k8s kubernetes-dashboard password-less login with client certificates

This post records how to make kubernetes-dashboard log in without a password, authenticating directly with a client certificate.

  1. When configuring the 443 server certificate in Nginx, also configure a client certificate to get mutual (two-way) TLS authentication

    server {
        listen 443 ssl;                 # "listen 443;" alone does not enable TLS on the port
        server_name xx.xx.com;

        ssl_certificate     server.crt; # server certificate (public half)
        ssl_certificate_key server.key; # server private key
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2; # TLSv1/TLSv1.1 are legacy; keep only TLSv1.2 and newer where clients allow
        ssl_ciphers         HIGH:!aNULL:!MD5;

        ssl_client_certificate client.pem; # the CA certificate (ca.crt from step 2), used to verify every client certificate it signed
        ssl_verify_client on;              # require and verify a client certificate
        # ssl_crl /xx/employee/crl.pem;    # optional: revocation list for withdrawn client certificates
        # ssl_prefer_server_ciphers  on;
        error_page 495 496 497 https://xx.xx.com/no_cert.html; # 495 bad client cert, 496 no client cert, 497 plain HTTP sent to the HTTPS port

        ...
    }
    
  2. How are the certificates generated?

    # Create the CA private key
    $ openssl genrsa -out ca.key 2048
    # Create the self-signed CA root certificate (the public half)
    $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

    # Create the server certificate
    $ openssl genrsa -out server.key 2048   # the original used 1024 bits, which is too weak today; the separate "openssl rsa -in server.pem -out server.key" step only copied the key, so the key is written to server.key directly
    $ openssl req -new -key server.key -out server.csr
    $ openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt # sign the CRT with the CA
    # The client certificate is created the same way as the server certificate:
    $ openssl genrsa -out client.key 2048
    $ openssl req -new -key client.key -out client.csr
    $ openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt
    
  3. How does the browser access it?

    # Build the certificate the browser will import; Windows needs PKCS#12 format (.pfx / .p12)
    $ openssl pkcs12 -export -inkey client.key -in client.crt -out ssl/client.pfx # prompts for an export password
    # Afterwards, double-click the generated file on the PC to install it into the browser (the password is requested during import).
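As an added example (not from the original post), the following POSIX shell script does steps 2 and 3 non-interactively and adds the checks worth running before wiring the files into the Nginx config from step 1: that the file used as ssl_client_certificate really is a CA, that the server and client certificates chain to it, and that the .pfx opens with its password. The subject names, the export password, the temporary work directory and the extendedKeyUsage extensions (which the original commands do not set) are assumptions of this example, not values from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: a non-interactive version of
# steps 2 and 3 plus the checks a reviewer would run before trusting the setup.
# Subject names, the demo export password and the work directory are
# constructed assumptions; the extendedKeyUsage values are an addition the
# original commands do not set.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASSWORD="${PFX_PASSWORD:-demo-import-password}"   # assumption: browser import password
DAYS=3650

# Issue one leaf certificate signed by the CA.
#   $1 = file base name (server|client), $2 = CN, $3 = extendedKeyUsage.
# serverAuth vs clientAuth keeps a client certificate from being presented
# as a server certificate and vice versa.
issue_cert() {
    name="$1"; cn="$2"; eku="$3"
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -subj "/CN=$cn" -out "$WORKDIR/$name.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$WORKDIR/$name.ext"
    openssl x509 -req -sha256 -days "$DAYS" -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# Step 2: CA, server and client certificates.
# Step 3: PKCS#12 bundle of the client identity for browser import.
build_pki() {
    mkdir -p "$WORKDIR"
    openssl genrsa -out "$WORKDIR/ca.key" 4096 2>/dev/null
    # Self-signed root; this is the file nginx's ssl_client_certificate must name.
    openssl req -x509 -new -sha256 -days "$DAYS" -key "$WORKDIR/ca.key" \
        -subj "/CN=dashboard-client-ca" -out "$WORKDIR/ca.crt"
    issue_cert server "xx.xx.com" serverAuth
    issue_cert client "alice" clientAuth
    # -certfile adds the CA so the browser shows the full chain after import.
    openssl pkcs12 -export -inkey "$WORKDIR/client.key" -in "$WORKDIR/client.crt" \
        -certfile "$WORKDIR/ca.crt" -passout "pass:$PFX_PASSWORD" -out "$WORKDIR/client.pfx"
}

# Does the certificate in $1 chain to our CA? This is the check nginx performs
# during the handshake when ssl_verify_client is on.
verify_against_ca() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# Is $1 a CA certificate? The file given to ssl_client_certificate must be the
# CA (ca.crt), not a leaf; a leaf there makes every client fail verification.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Can the .pfx be opened with the configured password? Same check the
# browser's import dialog performs.
pfx_password_ok() {
    openssl pkcs12 -in "$WORKDIR/client.pfx" -passin "pass:$PFX_PASSWORD" \
        -nokeys -noout >/dev/null 2>&1
}

main() {
    build_pki
    for check in "is_ca_cert $WORKDIR/ca.crt" \
                 "verify_against_ca $WORKDIR/server.crt" \
                 "verify_against_ca $WORKDIR/client.crt" \
                 "pfx_password_ok"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; fi
    done
    echo "files written to $WORKDIR"
}

main
```

The proxy's client-certificate check only protects requests that pass through Nginx. Step 4 exposes the dashboard itself over http on NodePort 31698 of every node, so that port must be reachable only from the proxy host (firewall or security group rule); anything that can reach it directly gets the password-less dashboard without presenting a certificate. A lost or retired client certificate stays valid for the full 3650 days unless it is listed in the CRL that the commented-out ssl_crl directive in step 1 points at.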
    
  4. How does kubernetes-dashboard achieve password-less login?

    # Skip the certificate step: edit kubernetes-dashboard.yaml and delete the arg "--auto-generate-certificates"
    : kubernetes-dashboard.yaml
    args:
          # - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          - --apiserver-host=http://my-address:port
    : kubernetes-dashboard-svc.json
        ...
        "spec": {
          "ports": [
            {
              "protocol": "TCP",
              "port": 80,
              "targetPort": 9090,
              "nodePort": 31698
            }
          ],
          "selector": {
            "app": "kubernetes-dashboard"
          },
          "clusterIP": "172.18.79.136",
          "type": "NodePort",
          "sessionAffinity": "None",
          "externalTrafficPolicy": "Cluster"
        ...
    targetPort 9090 is the dashboard's default internal endpoint; nodePort 31698 lets it be reached directly from inside the network at http://IP:PORT.
    

    DONE!


Reposted from blog.csdn.net/weixin_49689128/article/details/108006831