Encrypting Ingress Traffic with HTTPS

1. Install cfssl

CFSSL is CloudFlare's open-source PKI/TLS toolkit, written in Go. It consists of the cfssl command-line tool and an HTTP API server for signing, verifying and bundling TLS certificates; the companion cfssljson turns cfssl's JSON output into PEM files. Binaries used here (release R1.2; newer releases are published on GitHub under cloudflare/cfssl): https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

2. Create the CA certificate

# Write the default signing configuration; it can be kept as-is. The "www" profile is
# the one selected with --profile when the server certificate is generated in step 3
# (its usages include "server auth"); "client" is for client certificates, and
# "default" (168h) applies when no profile is named.
cfssl print-defaults config > ca-config.json

{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
# Write the default CSR template for the CA; kept as-is here. The "hosts" list is
# irrelevant for a CA certificate (subjectAltName only matters on the server
# certificate). Note that cfssl's template puts "CA" in L and "San Francisco" in ST,
# the wrong way round; fix it if the issuer name matters to you.
cfssl print-defaults csr > ca-csr.json
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
# Generate the self-signed CA; produces ca.csr, ca.pem and ca-key.pem.
# ca-key.pem signs every server certificate below: keep it offline and out of the cluster.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

Field                      Meaning
Common Name (CN)           For a server certificate, historically the site's domain name; modern clients ignore it and match the subjectAltName list instead (cfssl's "hosts"). For a code-signing certificate it is the applicant organization, for a client certificate the holder's name.
Organization Name (O)      The legal name of the organization that owns the site or requests the certificate.
Locality (L)               City.
State/Province (ST)        State or province.
Country (C)                Two-letter ISO country code only, e.g. CN for China, US for the United States.

3. Create the server certificate

Save the following as cr7-csr.json. The hosts list is the part that matters: cfssl copies it into the certificate's subjectAltName, and it must contain the host named in the Ingress tls section below. ingress-nginx serves this certificate only when the SNI name sent by the client matches that host, and browsers and curl verify the subjectAltName, not the CN.

{
    "CN": "cr7.example.com",
    "hosts": [
        "cr7.example.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai"
        }
    ]
}
  • -ca: the CA certificate (ca.pem)
  • -ca-key: the CA private key (ca-key.pem)
  • -config: the signing configuration (ca-config.json); the CSR JSON is the positional argument
  • -profile: the profile inside -config to apply; www gives a one-year certificate with the "server auth" extended key usage
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www cr7-csr.json | cfssljson -bare cr7
# Produces cr7.csr, cr7.pem (certificate) and cr7-key.pem (private key). Before going on,
# openssl x509 -in cr7.pem -noout -text should list cr7.example.com under
# X509v3 Subject Alternative Name.

4. Create a Secret from the server certificate

Create a kubernetes.io/tls Secret from the server certificate and private key; kubectl checks that the key matches the certificate. The Secret must live in the same namespace as the Ingress that references it (default here), and anyone who can read Secrets in that namespace can read the private key, so scope RBAC accordingly.

[root@containerd-master1 cert]# kubectl create secret tls cr7-secret --cert=cr7.pem --key=cr7-key.pem
secret/cr7-secret created

5. Install the Kubernetes ingress controller

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx

6. Create the Ingress

The original manifest used networking.k8s.io/v1beta1, which was removed in Kubernetes 1.22; the same Ingress in its networking.k8s.io/v1 form:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test
  namespace: default        # must be the namespace that holds cr7-secret
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - cr7.example.com       # must match the hosts entry in cr7-csr.json
    # Assumes cr7-secret exists and its certificate carries cr7.example.com
    # in its subjectAltName
    secretName: cr7-secret  # the Secret created from the server certificate
  rules:
  - host: foo.bar.com       # not listed under tls: gets the controller's default certificate
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: http-svc
            port:
              number: 80
  - host: cr7.example.com   # listed under tls: served with our certificate
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-svc
            port:
              number: 80

7. Access test

When a client connects with cr7.example.com as the TLS server name (SNI), and that name is listed both under tls.hosts in the Ingress and in the hosts of cr7-csr.json, ingress-nginx presents our certificate for that connection. Two things to read in the trace below: the server certificate is ours (subject CN=cr7.example.com, issuer CN=example.net), but "unable to get local issuer certificate" shows that curl does not trust our private CA, and only -k lets the request continue. The real check is to drop -k and hand curl the CA: curl --cacert ca.pem --resolve cr7.example.com:31252:192.168.1.111 https://cr7.example.com:31252 must then succeed.

# 31252 is the NodePort that exposes the ingress controller
curl -kv https://cr7.example.com:31252

*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to cr7.example.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:  # our own certificate is presented
*  subject: C=CN; ST=Shanghai; L=Shanghai; CN=cr7.example.com
*  start date: Dec 19 12:25:00 2020 GMT
*  expire date: Dec 19 12:25:00 2021 GMT
*  issuer: C=US; ST=San Francisco; L=CA; CN=example.net
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f963100dc00)
> GET / HTTP/2
> Host: cr7.example.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:37:39 GMT
< content-type: text/html
< content-length: 612
< last-modified: Tue, 15 Dec 2020 13:59:38 GMT
< etag: "5fd8c14a-264"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host cr7.example.com left intact
* Closing connection 0

A host that does not meet these conditions gets the controller's built-in default certificate instead: a self-signed "Kubernetes Ingress Controller Fake Certificate" that the controller regenerates each time it starts (hence its start date), and that no client will trust:

curl -kv https://foo.bar.com:31252 
                                 
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate: # the ingress controller's built-in default certificate
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Dec 19 12:39:47 2020 GMT
*  expire date: Dec 19 12:39:47 2021 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f99fb80dc00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:40:03 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<

Hostname: http-svc-6b7fcd49cc-xlx4d

Pod Information:
	node name:	containerd-worker1
	pod name:	http-svc-6b7fcd49cc-xlx4d
	pod namespace:	default
	pod IP:	7.7.69.5

Server values:
	server_version=nginx: 1.12.2 - lua: 10010

Request Information:
	client_address=7.7.69.6
	method=GET
	real path=/
	query=
	request_version=1.1
	request_scheme=http
	request_uri=http://foo.bar.com:8080/

Request Headers:
	accept=*/*
	host=foo.bar.com:31252
	user-agent=curl/7.64.1
	x-forwarded-for=192.168.1.111
	x-forwarded-host=foo.bar.com:31252
	x-forwarded-port=443
	x-forwarded-proto=https
	x-real-ip=192.168.1.111
	x-request-id=3780eb8ddd12bc150d3a6a2a5c967f7e
	x-scheme=https

Request Body:
	-no body in request-

* Connection #0 to host foo.bar.com left intact
* Closing connection 0

8. Replace the default certificate

8.1 Create the Secret

Create a certificate and key for the default certificate and put them in a kubernetes.io/tls Secret. Note that the Secret below does not hold a certificate issued by the CA from step 2: as the curl output in 8.2 shows (issuer equals subject, "self signed certificate (18)"), it is a self-signed certificate with CN=nginxsvc and no subjectAltName, so clients still reject it unless they skip verification. For a real deployment issue the default certificate the same way as in step 3, with every host it must cover in the hosts list.

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJBQ0NRQzFOUllWRHhIREJ6QU5CZ2txaGtpRzl3MEJBUXNGQURBbU1SRXdEd1lEVlFRRERBaHUKWjJsdWVITjJZekVSTUE4R0ExVUVDZ3dJYm1kcGJuaHpkbU13SGhjTk1qQXhNakU1TURRd09EQTNXaGNOTWpFeApNakU1TURRd09EQTNXakFtTVJFd0R3WURWUVFEREFodVoybHVlSE4yWXpFUk1BOEdBMVVFQ2d3SWJtZHBibmh6CmRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFETXpkdlJQUVNQWXJ5WTBPSUYKczlNZ0ZSSm1icHJmSWRVZEZIT0YxT1R5UTBPVDVxRnk4RUVGTlV3S2wwTlVJNzd4SG5hRWYwNFhXVFM0Q09lcAp5bUlWTWVFUXlwQk9MdUd1bXlXUy9BejlxR1BYQ2xzN0NNcHpFbmpuMXllNUpQaTJzTHBVL2xGdGViMS8zUXJXCkJFMFRQczQ2c1U3RVNvZlc4cll4dDk1WDFaOVBiakZ4dUZETkxTTzc5N3RkR3BnK09BdFFETXRpUDJjWDdpdS8KVm4rNzQwTHRlM1BUa2ZOT2Y1aWkyTVJld2tlVTlLYnpGdmVMZFdIZ01vS3hXVjY3WTNUWmx2eXVXVlNhd0s3SgptbDNkYTFweTNOMkoyR2hjaFIySkF3QTdUdlEydlZzb284MHZEU1p6NE1wMm55Q1l2a0F1UzllWlc3TVVxRElXCjd4TGRBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDOVd0Q3JZY01FVEpwU2w2QmFFSVlpZEZKNnoKYW1CdmFnakpwQlpsSmRsOVBUTkxzSEVVZU9FS3Y1RTJ2SGhId21FQ25paDROLzI5MEtCTEw3TU5jcHhraGxsVQozM1FpcFluSVQzbS9rV0RrRXQwbkUva0YzZFVVZFNtcTRBYnpESjF1MjFOMDlLb0psR2tyUnJRcGhXN1I1UTBWCnFHN082RDhNNjBORlZlSFpyYjdjY0RKNVJXTjNuYXZDeXF3VWxlM2pHSEU3TmpCb29WdWd3TldEYW9ZWURkUnkKQ243WFREZ1FrUEdmSTdjM1E0b09lcVRWUVZhLzk5MS9oanJ5YWlDT29JWEZyNTBFV0hUWmtIU2xKV1BHR3JDSgpCSnJqVlIxWVAxTTlvVXc0NUlQQ25zSzRyeTRzMzBxSXQ5VHFHQ25TcGs1UFZ0ck1PWWVEZ2xTMXdPdz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: <base64-encoded private key, omitted>

8.2 Modify the ingress controller configuration

Add --default-ssl-certificate=default/tls-secret (namespace/name) to the controller's arguments. That Secret is then served for every TLS connection whose SNI name matches no Ingress tls host, and for clients that send no SNI at all; the controller needs read access to the Secret in that namespace. With the Helm chart set it through values (controller.extraArgs.default-ssl-certificate=default/tls-secret) rather than editing the Deployment, which the next helm upgrade would overwrite; the edited Deployment looks like this:

......
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --default-ssl-certificate=default/tls-secret
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
......

Requesting foo.bar.com again now returns our own certificate as the default. It is still self-signed, so curl reports "self signed certificate (18)" and -k is still needed; a production default certificate should be CA-issued and cover the names it will be served for:

curl -kv https://foo.bar.com:31252  
                                                                                                               
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:  # the default certificate is now the one from tls-secret
*  subject: CN=nginxsvc; O=nginxsvc
*  start date: Dec 19 04:08:07 2020 GMT
*  expire date: Dec 19 04:08:07 2021 GMT
*  issuer: CN=nginxsvc; O=nginxsvc
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd300010e00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:51:47 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<


Hostname: http-svc-6b7fcd49cc-xlx4d

Pod Information:
	node name:	containerd-worker1
	pod name:	http-svc-6b7fcd49cc-xlx4d
	pod namespace:	default
	pod IP:	7.7.69.5

Server values:
	server_version=nginx: 1.12.2 - lua: 10010

Request Information:
	client_address=7.7.22.4
	method=GET
	real path=/
	query=
	request_version=1.1
	request_scheme=http
	request_uri=http://foo.bar.com:8080/

Request Headers:
	accept=*/*
	host=foo.bar.com:31252
	user-agent=curl/7.64.1
	x-forwarded-for=192.168.1.111
	x-forwarded-host=foo.bar.com:31252
	x-forwarded-port=443
	x-forwarded-proto=https
	x-real-ip=192.168.1.111
	x-request-id=db4811e08800ad0c6320bad066e2f62c
	x-scheme=https

Request Body:
	-no body in request-

* Connection #0 to host foo.bar.com left intact
* Closing connection 0

9. The ingress-nginx kubectl plugin

Because the controller does not write upstreams into nginx.conf (backends are pushed to a Lua module at runtime), you cannot debug routing simply by cat-ing the configuration file. The kubectl ingress-nginx plugin (installed with krew: kubectl krew install ingress-nginx) exposes that runtime state. Reference: https://kubernetes.github.io/ingress-nginx/kubectl-plugin/

Common commands

# Show the controller's backends (the upstream servers behind each Ingress)
kubectl ingress-nginx backends
# --list prints only the upstream names
kubectl ingress-nginx backends --list
# Dump the generated nginx configuration for cr7.example.com
kubectl ingress-nginx conf --host cr7.example.com
# List Ingress objects with their hosts, TLS status and endpoints
kubectl ingress-nginx ingresses
INGRESS NAME   HOST+PATH          ADDRESSES   TLS   SERVICE     SERVICE PORT   ENDPOINTS
nginx-test     foo.bar.com/                   NO    http-svc    80             1
nginx-test     cr7.example.com/               YES   nginx-svc   80             1
# Show the certificate (and private key) served for cr7.example.com
kubectl ingress-nginx certs --host cr7.example.com

Example: retrieving certificate information

Fetching the certificate that serves a host through the plugin. The plugin runs a helper inside the controller pod, so it needs exec rights on that pod, and it prints the private key along with the certificate: treat the output as sensitive and do not paste it into tickets or chat.

kubectl ingress-nginx certs --host cr7.example.com

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

To cross-check against the Secret itself: Secret data is base64-encoded, not encrypted, so it only needs decoding. The keys tls.crt and tls.key contain a dot, which has to be escaped in the JSONPath expression (quote the expression so the shell passes the backslash through). Piping the decoded certificate into openssl x509 -noout -text shows whether cr7.example.com is in its subjectAltName.

# Server certificate
❯ kubectl get secret cr7-secret -o jsonpath='{.data.tls\.crt}' | base64 -d
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

# Server private key
❯ kubectl get secret cr7-secret -o jsonpath='{.data.tls\.key}' | base64 -d
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

For foo.bar.com the plugin returns the default certificate instead.
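A check on the Secret contents themselves, as an added example that is not part of the original post: the Go standard library decodes the tls.crt value exactly as it appears for tls-secret in section 8.1 (the certificate only; the private key is not reproduced), parses it, and answers the questions a reviewer asks before wiring a Secret into an Ingress: who issued it, whether it is self-signed, which names its subjectAltName covers, and whether a verifying client would accept it for a given host. The function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// defaultTLSCrt is the tls.crt value of tls-secret from section 8.1 (public certificate only).
const defaultTLSCrt = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJBQ0NRQzFOUllWRHhIREJ6QU5CZ2txaGtpRzl3MEJBUXNGQURBbU1SRXdEd1lEVlFRRERBaHUKWjJsdWVITjJZekVSTUE4R0ExVUVDZ3dJYm1kcGJuaHpkbU13SGhjTk1qQXhNakU1TURRd09EQTNXaGNOTWpFeApNakU1TURRd09EQTNXakFtTVJFd0R3WURWUVFEREFodVoybHVlSE4yWXpFUk1BOEdBMVVFQ2d3SWJtZHBibmh6CmRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFETXpkdlJQUVNQWXJ5WTBPSUYKczlNZ0ZSSm1icHJmSWRVZEZIT0YxT1R5UTBPVDVxRnk4RUVGTlV3S2wwTlVJNzd4SG5hRWYwNFhXVFM0Q09lcAp5bUlWTWVFUXlwQk9MdUd1bXlXUy9BejlxR1BYQ2xzN0NNcHpFbmpuMXllNUpQaTJzTHBVL2xGdGViMS8zUXJXCkJFMFRQczQ2c1U3RVNvZlc4cll4dDk1WDFaOVBiakZ4dUZETkxTTzc5N3RkR3BnK09BdFFETXRpUDJjWDdpdS8KVm4rNzQwTHRlM1BUa2ZOT2Y1aWkyTVJld2tlVTlLYnpGdmVMZFdIZ01vS3hXVjY3WTNUWmx2eXVXVlNhd0s3SgptbDNkYTFweTNOMkoyR2hjaFIySkF3QTdUdlEydlZzb284MHZEU1p6NE1wMm55Q1l2a0F1UzllWlc3TVVxRElXCjd4TGRBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDOVd0Q3JZY01FVEpwU2w2QmFFSVlpZEZKNnoKYW1CdmFnakpwQlpsSmRsOVBUTkxzSEVVZU9FS3Y1RTJ2SGhId21FQ25paDROLzI5MEtCTEw3TU5jcHhraGxsVQozM1FpcFluSVQzbS9rV0RrRXQwbkUva0YzZFVVZFNtcTRBYnpESjF1MjFOMDlLb0psR2tyUnJRcGhXN1I1UTBWCnFHN082RDhNNjBORlZlSFpyYjdjY0RKNVJXTjNuYXZDeXF3VWxlM2pHSEU3TmpCb29WdWd3TldEYW9ZWURkUnkKQ243WFREZ1FrUEdmSTdjM1E0b09lcVRWUVZhLzk5MS9oanJ5YWlDT29JWEZyNTBFV0hUWmtIU2xKV1BHR3JDSgpCSnJqVlIxWVAxTTlvVXc0NUlQQ25zSzRyeTRzMzBxSXQ5VHFHQ25TcGs1UFZ0ck1PWWVEZ2xTMXdPdz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="

// certFromSecret turns a Secret's tls.crt value back into a certificate. The value is
// base64 (an encoding, not encryption: anyone who can read the Secret has the plaintext)
// wrapping the PEM that "kubectl create secret tls" was given.
func certFromSecret(b64 string) (*x509.Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("tls.crt is not base64: %w", err)
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("tls.crt holds no PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// selfSigned reports whether c was issued by itself: issuer equals subject and the
// signature verifies under c's own public key, which is what curl's
// "self signed certificate (18)" means.
func selfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// acceptedFor answers the question the Ingress tls hosts list raises: would a verifying
// client accept this certificate for host? Only subjectAltName entries count; a matching
// CN alone is ignored by Go, by browsers and by current curl builds.
func acceptedFor(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil
}

func main() {
	c, err := certFromSecret(defaultTLSCrt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s issuer=%s self-signed=%v SANs=%v valid %s..%s\n",
		c.Subject, c.Issuer, selfSigned(c), c.DNSNames,
		c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"))
	for _, h := range []string{"foo.bar.com", "nginxsvc"} {
		fmt.Printf("accepted for %-12s %v\n", h, acceptedFor(c, h))
	}
}
```

For this certificate the answers are: CN=nginxsvc issued by itself, valid 2020-12-19 to 2021-12-19, no SANs, and not accepted for foo.bar.com or even for nginxsvc, since hostname matching uses subjectAltName only. That is why the curl traces above still need -k after the default certificate was replaced. Running certFromSecret on the cr7-secret value should instead show cr7.example.com in the SAN list and a CN=example.net issuer.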

Reposted from my.oschina.net/u/4923278/blog/5517435