- Create the CA certificate signing request file
  ca-cst.json
  {
    "CN": "www.abc.com",
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "BeiJing",
        "L": "BeiJing",
        "O": "yngwie",
        "OU": "ops"
      }
    ]
  }
- Generate the CA certificate and private key (cfssl prints JSON; cfssljson splits it into ca.pem, ca-key.pem and ca.csr)
  ../cfssl_1.4.1_linux_amd64 gencert -initca ca-cst.json | ../cfssljson_1.4.1_linux_amd64 -bare ca
- Create the website certificate signing request file (the entries in "hosts" become the certificate's subjectAltName, which is what curl and browsers match against)
  csr.json
  {
    "hosts": [
      "example.com",
      "www.example.com"
    ],
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
      {
        "C": "US",
        "L": "San Francisco",
        "O": "Internet Widgets, Inc.",
        "OU": "WWW",
        "ST": "California"
      }
    ]
  }
- Generate the website certificate's private key and signing request (produces server-key.pem and server.csr)
  ../cfssl_1.4.1_linux_amd64 genkey csr.json | ../cfssljson_1.4.1_linux_amd64 -bare server
- Sign the website certificate with the CA to obtain the website certificate's public part (server.pem); without -hostname, cfssl takes the SANs from the CSR
  ../cfssl_1.4.1_linux_amd64 sign -ca=ca.pem -ca-key=ca-key.pem -csr=server.csr | ../cfssljson_1.4.1_linux_amd64 -bare server
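What the `| cfssljson -bare NAME` half of the three commands above does, plus a pre-flight check of the CSR JSON, as an added stdlib-only Python example written for this note (it is not cfssl's or cfssljson's own code). `lint_csr` and `demo` are helpers of my own devising, and the PEM bodies in `demo` are constructed placeholders, not real key material:

```python
import json
from pathlib import Path


def lint_csr(csr: dict, is_ca: bool = False) -> list:
    """Pre-flight checks on a cfssl CSR JSON document before it is fed to cfssl."""
    problems = []
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and int(key.get("size", 0)) < 2048:
        problems.append("rsa key size below 2048")
    if is_ca and not csr.get("CN"):
        problems.append("CA CSR has no CN")
    if not is_ca and not csr.get("hosts"):
        # Without hosts cfssl issues a cert with no SAN; curl and browsers reject CN-only certs.
        problems.append("no hosts: leaf cert would carry no subjectAltName")
    return problems


def split_cfssl_output(output: str, name: str, outdir: Path) -> dict:
    """Mimic `cfssljson -bare NAME`: cfssl prints one JSON object with optional
    "cert", "key" and "csr" fields; write them to NAME.pem, NAME-key.pem, NAME.csr."""
    doc = json.loads(output)
    written = {}
    for field, suffix in (("cert", ".pem"), ("key", "-key.pem"), ("csr", ".csr")):
        if field in doc:  # `genkey` output has no "cert", `sign` output has no "key"
            path = outdir / f"{name}{suffix}"
            path.write_text(doc[field])
            if field == "key":
                path.chmod(0o600)  # private key must not be group/world readable
            written[field] = str(path)
    return written


def demo() -> dict:
    """Run the splitter on constructed (fake PEM) cfssl output in a temp directory."""
    import tempfile
    fake_output = json.dumps({  # constructed stand-in for `cfssl gencert -initca` output
        "cert": "-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n",
        "key": "-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----\n",
        "csr": "-----BEGIN CERTIFICATE REQUEST-----\nFAKE\n-----END CERTIFICATE REQUEST-----\n",
    })
    with tempfile.TemporaryDirectory() as d:
        written = split_cfssl_output(fake_output, "ca", Path(d))
        names = sorted(Path(p).name for p in written.values())
        key_mode = Path(written["key"]).stat().st_mode & 0o777
    return {"files": names, "key_mode": key_mode}


if __name__ == "__main__":
    print(lint_csr({"hosts": ["example.com"], "key": {"algo": "rsa", "size": 2048}}))
    print(demo())
```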
- Create a Secret containing the website certificate and its private key (the file names become the keys, so the mount below exposes server.pem and server-key.pem)
  kubectl create secret generic https --from-file=server.pem --from-file=server-key.pem
- Create the nginx HTTPS configuration (the certs/ paths are relative to the nginx prefix /etc/nginx, where the Secret is mounted below)
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: nginx
  data:
    my-nginx-config.conf: |
      server {
          listen 80;
          listen 443 ssl;
          server_name www.example.com;
          ssl_certificate certs/server.pem;
          ssl_certificate_key certs/server-key.pem;
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers HIGH:!aNULL:!MD5;
          location / {
              root /usr/share/nginx/html;
              index index.html index.htm;
          }
      }
  TLSv1 and TLSv1.1 are deprecated; outside a lab, restrict ssl_protocols to TLSv1.2 (and TLSv1.3 where the nginx build supports it).
- Create a Pod that mounts the Secret and ConfigMap (mounting the ConfigMap over /etc/nginx/conf.d replaces the image's default.conf with https.conf)
  apiVersion: v1
  kind: Pod
  metadata:
    name: nginx
  spec:
    containers:
    - name: web-server
      image: nginx:1.7.9
      imagePullPolicy: IfNotPresent
      volumeMounts:
      - name: config
        mountPath: /etc/nginx/conf.d
        readOnly: true
      - name: certs
        mountPath: /etc/nginx/certs/
        readOnly: true
      ports:
      - containerPort: 80
      - containerPort: 443
    volumes:
    - name: config
      configMap:
        name: nginx
        items:
        - key: my-nginx-config.conf
          path: https.conf
    - name: certs
      secret:
        secretName: https
- Port forwarding (local 8443 to the pod's 443)
  kubectl port-forward nginx 8443:443
- Request without verifying the certificate (-k skips both chain and hostname checks)
  curl -k -v https://localhost:8443
- Request with certificate verification: first edit the hosts file so that the domain in the website certificate resolves to the local machine (the name in the URL must match a SAN in server.pem, and localhost is not one)
  /etc/hosts
  127.0.0.1 www.example.com
  then make the request, against the forwarded port and with ca.pem as the trust anchor
  curl --cacert ca.pem https://www.example.com:8443