- Create the CA certificate signing request file
ca-cst.json
{
"CN": "www.abc.com",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "yngwie",
"OU": "ops"
}
]
}
- Generate CA certificate and private key
# Self-signed root CA built from ca-cst.json; cfssljson -bare writes ca.pem (certificate) and
# ca-key.pem (private key). ca-key.pem signs every certificate below — keep it outside the
# cluster and out of version control.
../cfssl_1.4.1_linux_amd64 gencert -initca ca-cst.json | ../cfssljson_1.4.1_linux_amd64 -bare ca
- Create website certificate signing request file
csr.json
{
"hosts": [
"example.com",
"www.example.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "Internet Widgets, Inc.",
"OU": "WWW",
"ST": "California"
}
]
}
- Generate the private key and certificate signing request for the website certificate
# Generates the website private key (server-key.pem) and CSR (server.csr) from csr.json.
# The "hosts" entries in csr.json are carried into the signed certificate as SANs, so they
# must match the name the client will connect with (www.example.com below).
../cfssl_1.4.1_linux_amd64 genkey csr.json | ../cfssljson_1.4.1_linux_amd64 -bare server
- Sign the website certificate request with the CA to obtain the website certificate
# Signs server.csr with the CA and writes the certificate to server.pem. No -config/-profile is
# given, so cfssl's built-in default signing profile decides expiry and key usages — inspect
# server.pem before reusing it outside this walkthrough.
../cfssl_1.4.1_linux_amd64 sign -ca=ca.pem -ca-key=ca-key.pem -csr=server.csr | ../cfssljson_1.4.1_linux_amd64 -bare server
- Create a secret, including the website certificate and its private key
# The secret's keys are the file names, so the pod sees /etc/nginx/certs/server.pem and
# /etc/nginx/certs/server-key.pem once the volume is mounted. server-key.pem is the TLS private
# key: anyone with read access to this secret (RBAC) can impersonate the site, so scope access tightly.
kubectl create secret generic https --from-file=server.pem --from-file=server-key.pem
- Create nginx https configuration
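apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx
data:
  # Mounted by the pod at /etc/nginx/conf.d/https.conf (see the pod's volumes/items mapping).
  my-nginx-config.conf: |
    server {
      # Plain HTTP is served too; drop this listen (or redirect) if only HTTPS is intended.
      listen 80;
      listen 443 ssl;
      server_name www.example.com;
      # Relative paths resolve against nginx's prefix (presumably /etc/nginx in this image), i.e.
      # the secret volume the pod mounts at /etc/nginx/certs/.
      ssl_certificate certs/server.pem;
      ssl_certificate_key certs/server-key.pem;
      # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2. TLSv1.3 is not listed because
      # the pod's nginx:1.7.9 image predates its support and would likely reject the name.
      ssl_protocols TLSv1.2;
      ssl_ciphers HIGH:!aNULL:!MD5;
      location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
      }
    }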
- Create a pod that mounts the secret and the ConfigMap
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: web-server
      # nginx:1.7.9 is an old release tag; prefer a current tag or an image digest for a real deployment.
      image: nginx:1.7.9
      imagePullPolicy: IfNotPresent
      volumeMounts:
        # Replaces /etc/nginx/conf.d entirely with the ConfigMap content (https.conf only).
        - name: config
          mountPath: /etc/nginx/conf.d
          readOnly: true
        # Certificate and private key from the "https" secret; read-only so the container cannot alter them.
        - name: certs
          mountPath: /etc/nginx/certs/
          readOnly: true
      ports:
        - containerPort: 80
        - containerPort: 443
  volumes:
    - name: config
      configMap:
        name: nginx
        items:
          # Only this key is projected, renamed so nginx picks it up as a *.conf file.
          - key: my-nginx-config.conf
            path: https.conf
    - name: certs
      secret:
        secretName: https
- Port forwarding
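# Forward local port 8443 to the pod's HTTPS port 443 (the subcommand is spelled port-forward).
kubectl port-forward nginx 8443:443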
- Send a request without verifying the certificate
# -k skips certificate verification: acceptable only as a connectivity smoke test, since "localhost"
# does not match the certificate's SANs and the CA is not trusted yet. The next step verifies properly.
curl -k -v https://localhost:8443
- To send a request that verifies the certificate, first edit the hosts file so that the domain name in the website certificate points to the local machine
/etc/hosts
127.0.0.1 www.example.com
Request again
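# Verify the server certificate against the CA instead of skipping verification. The port-forward
# above exposes the pod on local port 8443, so the URL must name that port; without it curl
# would connect to port 443 on the host, where nothing is listening.
curl --cacert ca.pem https://www.example.com:8443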