Reference: https://hknaruto.blog.csdn.net/article/details/79556245
This yields the key and certificate files hknaruto.com.key and hknaruto.com.pem.
[yeqiang@localhost openssl-CA]$ kubectl create secret tls hknaruto.com --cert=hknaruto.com.pem --key=hknaruto.com.key -n default
secret/hknaruto.com created
Reference: https://hknaruto.blog.csdn.net/article/details/106541725
Edit nginx_ingress.yml:
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: nginx-ingress
  namespace: default
  labels:
    app: nginx
  annotations:
    ingress.kubernetes.io/proxy-body-size: '0'
    ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: '0'
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
  - hosts:
    - k8s.hknaruto.com
    secretName: hknaruto.com
  rules:
  - host: k8s.hknaruto.com
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          serviceName: nginx
          servicePort: 80
[yeqiang@localhost openssl-CA]$ kubectl apply -f nginx_ingress.yml
ingress.extensions/nginx-ingress created
[yeqiang@localhost openssl-CA]$ kubectl get ingress
NAME            CLASS    HOSTS              ADDRESS          PORTS     AGE
nginx-ingress            k8s.hknaruto.com   192.168.99.100   80, 443   38s
Edit /etc/hosts and add:
192.168.99.100 k8s.hknaruto.com
[yeqiang@localhost openssl-CA]$ curl -vv https://k8s.hknaruto.com
* Trying 192.168.99.100:443...
* TCP_NODELAY set
* Connected to k8s.hknaruto.com (192.168.99.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=CS; ST=Hunan; L=Changsha; O=gw; OU=dev; CN=*.hknaruto.com
* start date: Aug 4 06:26:26 2020 GMT
* expire date: Aug 2 06:26:26 2030 GMT
* subjectAltName: host "k8s.hknaruto.com" matched cert's "*.hknaruto.com"
* issuer: C=CS; ST=Hunan; O=gw; OU=dev; CN=opensslCA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5559c10c8180)
> GET / HTTP/2
> Host: k8s.hknaruto.com
> User-Agent: curl/7.66.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx/1.17.10
< date: Wed, 05 Aug 2020 01:32:55 GMT
< content-type: text/html
< content-length: 612
< vary: Accept-Encoding
< last-modified: Tue, 07 Jul 2020 15:52:25 GMT
< etag: "5f049a39-264"
< accept-ranges: bytes
<
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
* Connection #0 to host k8s.hknaruto.com left intact
Note: curl reports no SSL error here because the root certificate ca.pem was manually appended to the system's trusted certificate store; see: https://hknaruto.blog.csdn.net/article/details/107786300
Cause: hknaruto.com.pem had not been exported from newcert.pem. The newcert.pem file contains the following:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:35:e4:4d:92:0a:43:84:87:86:23:f1:23:0d:37:ba:1b:b3:ca:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CS, ST=Hunan, O=gw, OU=dev, CN=opensslCA
        Validity
            Not Before: Aug 4 06:26:26 2020 GMT
            Not After : Aug 2 06:26:26 2030 GMT
        Subject: C=CS, ST=Hunan, L=Changsha, O=gw, OU=dev, CN=*.hknaruto.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f4:28:60:39:b8:91:b9:3a:e4:4f:96:07:a6:96:
                    6d:ab:bb:07:26:9f:0f:79:71:ee:f2:c9:11:51:ca:
                    6c:9b:3a:e5:2b:32:ff:aa:7a:3b:12:c9:33:45:8b:
                    0e:2f:89:e3:1c:65:e8:ee:f6:2a:65:0f:88:0d:82:
                    20:84:e4:2a:41:56:31:ce:b3:69:78:1a:77:be:be:
                    26:73:04:a7:90:3b:f3:0a:34:07:df:37:74:b9:f5:
                    b4:bd:2f:77:15:67:14:9c:32:95:08:0c:16:8f:44:
                    57:e5:7a:6a:e5:3f:59:ff:e3:f8:44:49:d2:72:cb:
                    96:a6:9e:ec:a6:bc:6f:b3:c9:37:b5:c7:0d:84:8f:
                    4c:a8:04:1e:02:e3:f2:7c:b6:b7:23:dd:b9:b8:8a:
                    1b:7e:68:b8:88:b5:b8:9e:ef:0e:e1:2e:77:42:bd:
                    f7:51:c6:2d:1d:ac:56:43:ea:3f:92:c9:17:10:e6:
                    e6:3e:30:b9:59:6d:f0:83:3c:76:08:ec:f6:5e:21:
                    0a:8b:a5:0f:08:2c:5d:4a:66:41:f0:39:2b:cd:fa:
                    78:f1:66:01:e0:b7:61:57:58:51:4a:90:60:d7:63:
                    50:67:87:a2:6e:28:af:33:43:d8:ff:49:14:6e:b6:
                    fb:77:eb:84:0d:47:f3:ea:27:e5:1d:43:22:80:01:
                    38:c3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1E:00:C7:75:9A:42:60:17:D5:68:92:36:7E:64:00:73:05:79:CD:8A
            X509v3 Authority Key Identifier:
                keyid:50:4E:05:3D:D7:CA:B3:ED:3B:D9:60:63:EE:2C:7F:FE:FF:EC:3A:E0
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:*.hknaruto.com, DNS:*.abc.com
    Signature Algorithm: sha256WithRSAEncryption
         6a:df:83:49:46:a6:d4:d6:51:50:8e:c2:cf:63:c2:f1:0c:e4:
         fd:cd:89:7f:f4:05:cd:bb:73:fe:26:3f:60:55:a3:13:ad:9c:
         e4:72:8b:a9:9f:77:d8:7f:50:6b:b9:f3:52:fb:78:b7:5f:c3:
         b2:e4:5b:87:bd:71:04:a5:06:0c:72:c1:1c:98:17:ba:59:fc:
         f1:ae:2b:f5:60:6e:52:c9:a7:42:dd:80:4e:bc:4b:b6:cc:3c:
         be:92:22:40:15:80:12:a9:71:7a:02:19:4b:b9:6e:eb:70:bd:
         09:ca:68:f9:20:b8:cc:08:69:da:8c:5b:b2:a5:a5:51:72:98:
         75:08:59:85:e5:c5:d0:05:de:7d:d9:5a:e5:8e:3e:67:5f:c9:
         2f:d8:f3:98:0f:40:d8:77:6a:91:42:7d:b8:58:54:ce:54:4f:
         f7:43:d4:ae:51:19:39:b9:17:aa:de:15:b9:10:45:46:d7:bf:
         3b:ad:04:f7:eb:96:ec:d0:96:f0:98:98:2d:b8:cb:c3:5f:65:
         63:7a:b6:bf:0c:91:62:b6:71:3e:ce:ce:fe:f7:98:85:12:be:
         08:28:5f:c9:9c:d8:f9:8a:9a:69:8a:7d:3f:ff:94:b9:47:26:
         40:e5:1f:3c:e0:bf:22:d8:3d:c1:ac:42:2f:4c:13:ce:64:90:
         96:7a:ce:2b
-----BEGIN CERTIFICATE-----
MIIDtDCCApygAwIBAgIUOzXkTZIKQ4SHhiPxIw03uhuzyvowDQYJKoZIhvcNAQEL
BQAwTDELMAkGA1UEBhMCQ1MxDjAMBgNVBAgMBUh1bmFuMQswCQYDVQQKDAJndzEM
MAoGA1UECwwDZGV2MRIwEAYDVQQDDAlvcGVuc3NsQ0EwHhcNMjAwODA0MDYyNjI2
WhcNMzAwODAyMDYyNjI2WjBkMQswCQYDVQQGEwJDUzEOMAwGA1UECAwFSHVuYW4x
ETAPBgNVBAcMCENoYW5nc2hhMQswCQYDVQQKDAJndzEMMAoGA1UECwwDZGV2MRcw
FQYDVQQDDA4qLmhrbmFydXRvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAPQoYDm4kbk65E+WB6aWbau7ByafD3lx7vLJEVHKbJs65Ssy/6p6OxLJ
M0WLDi+J4xxl6O72KmUPiA2CIITkKkFWMc6zaXgad76+JnMEp5A78wo0B983dLn1
tL0vdxVnFJwylQgMFo9EV+V6auU/Wf/j+ERJ0nLLlqae7Ka8b7PJN7XHDYSPTKgE
HgLj8ny2tyPdubiKG35ouIi1uJ7vDuEud0K991HGLR2sVkPqP5LJFxDm5j4wuVlt
8IM8dgjs9l4hCoulDwgsXUpmQfA5K836ePFmAeC3YVdYUUqQYNdjUGeHom4orzND
2P9JFG62+3frhA1H8+on5R1DIoABOMMCAwEAAaN2MHQwHQYDVR0OBBYEFB4Ax3Wa
QmAX1WiSNn5kAHMFec2KMB8GA1UdIwQYMBaAFFBOBT3XyrPtO9lgY+4sf/7/7Drg
MAwGA1UdEwQFMAMBAf8wJAYDVR0RBB0wG4IOKi5oa25hcnV0by5jb22CCSouYWJj
LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAat+DSUam1NZRUI7Cz2PC8Qzk/c2Jf/QF
zbtz/iY/YFWjE62c5HKLqZ932H9Qa7nzUvt4t1/DsuRbh71xBKUGDHLBHJgXuln8
8a4r9WBuUsmnQt2ATrxLtsw8vpIiQBWAEqlxegIZS7lu63C9Ccpo+SC4zAhp2oxb
sqWlUXKYdQhZheXF0AXefdla5Y4+Z1/JL9jzmA9A2HdqkUJ9uFhUzlRP90PUrlEZ
ObkXqt4VuRBFRte/O60E9+uW7NCW8JiYLbjLw19lY3q2vwyRYrZxPs7O/veYhRK+
CChfyZzY+YqaaYp9P/+UuUcmQOUfPOC/Itg9waxCL0wTzmSQlnrOKw==
-----END CERTIFICATE-----
[yeqiang@localhost openssl-CA]$ openssl x509 -in newcert.pem -out hknaruto.com.pem
hknaruto.com.pem now contains the following:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
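The newcert.pem dump above shows two properties worth checking before a certificate is handed to kubectl create secret tls: Basic Constraints is CA:TRUE, which an end-entity server certificate should not carry, and the SAN list also covers *.abc.com, a name unrelated to the service being exposed. The following is an added example, not code from the original post: it does with the standard library what openssl x509 -in newcert.pem -out hknaruto.com.pem does (keep only the PEM armor block), then walks the DER with a minimal ASN.1 reader to report the cA flag, the dNSName entries, and whether the Ingress host is covered under the single-label wildcard rule that curl applied when it reported "k8s.hknaruto.com matched cert's *.hknaruto.com". The embedded certificate is the one printed above; the text preamble in NEWCERT_TEXT is constructed, and all function names are this example's own.

```python
"""Added example (not from the original post): inspect an Ingress TLS cert with only the stdlib."""
import base64
import re
from typing import Iterator, List, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"  # 2.5.29.19
OID_SUBJECT_ALT_NAME = b"\x55\x1d\x11"   # 2.5.29.17

# Constructed stand-in for newcert.pem: the text dump that `openssl ca` writes
# (shortened here), followed by the certificate printed in the post.
NEWCERT_TEXT = """Certificate:
    Data: (text dump shortened in this constructed sample)
-----BEGIN CERTIFICATE-----
MIIDtDCCApygAwIBAgIUOzXkTZIKQ4SHhiPxIw03uhuzyvowDQYJKoZIhvcNAQEL
BQAwTDELMAkGA1UEBhMCQ1MxDjAMBgNVBAgMBUh1bmFuMQswCQYDVQQKDAJndzEM
MAoGA1UECwwDZGV2MRIwEAYDVQQDDAlvcGVuc3NsQ0EwHhcNMjAwODA0MDYyNjI2
WhcNMzAwODAyMDYyNjI2WjBkMQswCQYDVQQGEwJDUzEOMAwGA1UECAwFSHVuYW4x
ETAPBgNVBAcMCENoYW5nc2hhMQswCQYDVQQKDAJndzEMMAoGA1UECwwDZGV2MRcw
FQYDVQQDDA4qLmhrbmFydXRvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAPQoYDm4kbk65E+WB6aWbau7ByafD3lx7vLJEVHKbJs65Ssy/6p6OxLJ
M0WLDi+J4xxl6O72KmUPiA2CIITkKkFWMc6zaXgad76+JnMEp5A78wo0B983dLn1
tL0vdxVnFJwylQgMFo9EV+V6auU/Wf/j+ERJ0nLLlqae7Ka8b7PJN7XHDYSPTKgE
HgLj8ny2tyPdubiKG35ouIi1uJ7vDuEud0K991HGLR2sVkPqP5LJFxDm5j4wuVlt
8IM8dgjs9l4hCoulDwgsXUpmQfA5K836ePFmAeC3YVdYUUqQYNdjUGeHom4orzND
2P9JFG62+3frhA1H8+on5R1DIoABOMMCAwEAAaN2MHQwHQYDVR0OBBYEFB4Ax3Wa
QmAX1WiSNn5kAHMFec2KMB8GA1UdIwQYMBaAFFBOBT3XyrPtO9lgY+4sf/7/7Drg
MAwGA1UdEwQFMAMBAf8wJAYDVR0RBB0wG4IOKi5oa25hcnV0by5jb22CCSouYWJj
LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAat+DSUam1NZRUI7Cz2PC8Qzk/c2Jf/QF
zbtz/iY/YFWjE62c5HKLqZ932H9Qa7nzUvt4t1/DsuRbh71xBKUGDHLBHJgXuln8
8a4r9WBuUsmnQt2ATrxLtsw8vpIiQBWAEqlxegIZS7lu63C9Ccpo+SC4zAhp2oxb
sqWlUXKYdQhZheXF0AXefdla5Y4+Z1/JL9jzmA9A2HdqkUJ9uFhUzlRP90PUrlEZ
ObkXqt4VuRBFRte/O60E9+uW7NCW8JiYLbjLw19lY3q2vwyRYrZxPs7O/veYhRK+
CChfyZzY+YqaaYp9P/+UuUcmQOUfPOC/Itg9waxCL0wTzmSQlnrOKw==
-----END CERTIFICATE-----
"""

def extract_pem_blocks(text: str) -> List[str]:
    # Keep only the armor blocks: what `openssl x509 -in newcert.pem -out ...` writes.
    return PEM_BLOCK.findall(text)

def pem_to_der(pem: str) -> bytes:
    body = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return base64.b64decode("".join(body.split()))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def certificate_extensions(der: bytes) -> List[Tuple[bytes, bool, bytes]]:
    """Return (oid, critical, extnValue) for each X509v3 extension, [] if none."""
    _, cert, _ = read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = read_tlv(cert, 0)
    ext_field = next((v for t, v in iter_children(tbs) if t == 0xA3), None)  # [3] EXPLICIT
    if ext_field is None:
        return []
    result = []
    for _, ext in iter_children(read_tlv(ext_field, 0)[1]):
        parts = list(iter_children(ext))  # OID [, BOOLEAN critical], OCTET STRING
        result.append((parts[0][1], len(parts) == 3 and parts[1][1] == b"\xff", parts[-1][1]))
    return result

def is_ca(der: bytes) -> bool:
    """cA flag of basicConstraints; an absent extension or empty SEQUENCE means FALSE."""
    for oid, _, value in certificate_extensions(der):
        if oid == OID_BASIC_CONSTRAINTS:
            return any(t == 0x01 and v == b"\xff" for t, v in iter_children(read_tlv(value, 0)[1]))
    return False

def dns_names(der: bytes) -> List[str]:
    """dNSName entries of subjectAltName (GeneralName context tag [2] = 0x82)."""
    for oid, _, value in certificate_extensions(der):
        if oid == OID_SUBJECT_ALT_NAME:
            return [v.decode("ascii") for t, v in iter_children(read_tlv(value, 0)[1]) if t == 0x82]
    return []

def audit_server_cert(pem: str, host: str) -> List[str]:
    """Defender-side checks for the Ingress host before `kubectl create secret tls`."""
    der = pem_to_der(pem)
    domain = host.split(".", 1)[1]  # k8s.hknaruto.com -> hknaruto.com
    names = dns_names(der)
    findings = []
    if is_ca(der):
        findings.append("basicConstraints CA:TRUE on a server certificate")
    # A wildcard covers exactly one leftmost label, which is how curl matched the host above.
    if not any(n == host or n == "*." + domain for n in names):
        findings.append(f"no SAN covers {host}")
    findings += [f"SAN {n} is outside {domain}" for n in names if n != domain and not n.endswith("." + domain)]
    return findings
```

Running audit_server_cert(extract_pem_blocks(NEWCERT_TEXT)[0], "k8s.hknaruto.com") on the certificate above reports the CA:TRUE flag and the *.abc.com entry, while the Ingress host itself is covered by *.hknaruto.com. The reader deliberately parses only the structure it needs (tag, length, and the two extension OIDs); anything beyond that, and certainly signature verification, belongs to openssl or a full X.509 library.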