Configuring a self-signed certificate for a k8s Ingress, and fixing "Kubernetes Ingress Controller Fake Certificate"

Generate a self-signed certificate

Reference: https://hknaruto.blog.csdn.net/article/details/79556245

This yields the key and certificate files: hknaruto.com.key, hknaruto.com.pem

Create the k8s secret

[yeqiang@localhost openssl-CA]$ kubectl create secret tls hknaruto.com --cert=hknaruto.com.pem --key=hknaruto.com.key -n default
secret/hknaruto.com created

Create the nginx service

Reference: https://hknaruto.blog.csdn.net/article/details/106541725

Deploy the Ingress

Edit nginx_ingress.yml

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: nginx-ingress
  namespace: default
  labels:
    app: nginx
  annotations:
    ingress.kubernetes.io/proxy-body-size: '0'
    ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: '0'
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
    - hosts:
        - k8s.hknaruto.com
      secretName: hknaruto.com
  rules:
    - host: k8s.hknaruto.com
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              serviceName: nginx
              servicePort: 80

Run the deployment command

[yeqiang@localhost openssl-CA]$ kubectl apply -f nginx_ingress.yml 
ingress.extensions/nginx-ingress created

Look up the IP address

[yeqiang@localhost openssl-CA]$ kubectl get ingress 
NAME            CLASS    HOSTS              ADDRESS          PORTS     AGE
nginx-ingress      k8s.hknaruto.com   192.168.99.100   80, 443   38s

Edit /etc/hosts and add:

192.168.99.100 k8s.hknaruto.com

Test access from Chrome

[Image 1: Chrome access test]

Test access with curl

[yeqiang@localhost openssl-CA]$ curl -vv https://k8s.hknaruto.com
*   Trying 192.168.99.100:443...
* TCP_NODELAY set
* Connected to k8s.hknaruto.com (192.168.99.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=CS; ST=Hunan; L=Changsha; O=gw; OU=dev; CN=*.hknaruto.com
*  start date: Aug  4 06:26:26 2020 GMT
*  expire date: Aug  2 06:26:26 2030 GMT
*  subjectAltName: host "k8s.hknaruto.com" matched cert's "*.hknaruto.com"
*  issuer: C=CS; ST=Hunan; O=gw; OU=dev; CN=opensslCA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5559c10c8180)
> GET / HTTP/2
> Host: k8s.hknaruto.com
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx/1.17.10
< date: Wed, 05 Aug 2020 01:32:55 GMT
< content-type: text/html
< content-length: 612
< vary: Accept-Encoding
< last-modified: Tue, 07 Jul 2020 15:52:25 GMT
< etag: "5f049a39-264"
< accept-ranges: bytes
< 

Welcome to nginx!

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

* Connection #0 to host k8s.hknaruto.com left intact

Note: curl reports no SSL error because the root certificate ca.pem was appended to the system's trusted certificate list; see https://hknaruto.blog.csdn.net/article/details/107786300

Appendix:

Troubleshooting: Kubernetes Ingress Controller Fake Certificate

Cause: hknaruto.com.pem had not been exported from newcert.pem. The newcert.pem file contains the following (the human-readable dump followed by the PEM block):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:35:e4:4d:92:0a:43:84:87:86:23:f1:23:0d:37:ba:1b:b3:ca:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CS, ST=Hunan, O=gw, OU=dev, CN=opensslCA
        Validity
            Not Before: Aug  4 06:26:26 2020 GMT
            Not After : Aug  2 06:26:26 2030 GMT
        Subject: C=CS, ST=Hunan, L=Changsha, O=gw, OU=dev, CN=*.hknaruto.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                1E:00:C7:75:9A:42:60:17:D5:68:92:36:7E:64:00:73:05:79:CD:8A
            X509v3 Authority Key Identifier: 
                keyid:50:4E:05:3D:D7:CA:B3:ED:3B:D9:60:63:EE:2C:7F:FE:FF:EC:3A:E0

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:*.hknaruto.com, DNS:*.abc.com
    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Solution

[yeqiang@localhost openssl-CA]$ openssl x509 -in newcert.pem -out hknaruto.com.pem

hknaruto.com.pem now contains only the PEM block:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
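A pre-flight check for the file handed to `kubectl create secret tls` catches this defect before the Ingress controller ever falls back to its fake certificate. The following is an added Python example, not code from the original post or from Kubernetes; the file text is assumed to be read into a string, and the sample input in the comments and tests is constructed.

```python
import base64
import re

# Added example, not from the original post: detect text (such as the output of
# `openssl x509 -text`) sitting in front of the real PEM block, and return the
# clean block that `openssl x509 -in newcert.pem -out hknaruto.com.pem` produces.

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, der_bytes, text_before_block) for every PEM block."""
    out, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        junk = text[pos:m.start()].strip()
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        out.append((m.group(1), der, junk))
        pos = m.end()
    return out


def der_well_formed(der):
    """Structural check only: one outer DER SEQUENCE (tag 0x30) whose encoded
    length covers exactly the remaining bytes. Not a signature check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long form: 0x8N, then N bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def clean_cert_pem(text):
    """Return (clean_pem_or_None, findings). The first CERTIFICATE block is
    re-emitted alone, 64 base64 characters per line, as openssl writes it."""
    findings = []
    certs = [b for b in pem_blocks(text) if b[0] == "CERTIFICATE"]
    if not certs:
        return None, ["no CERTIFICATE block found"]
    _, der, junk = certs[0]
    if junk:
        findings.append("non-PEM text precedes the certificate: %r" % junk[:40])
    if not der_well_formed(der):
        findings.append("base64 body is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body, findings
```

An empty findings list means the file is a plain PEM certificate; anything reported should be fixed before `kubectl create secret tls` is run, since the secret will otherwise be created successfully but serve the wrong certificate.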
