Encrypting Ingress Traffic with HTTPS

1. Install cfssl

CFSSL is CloudFlare's open-source PKI/TLS toolkit, written in Go. It provides a command-line tool and an HTTP API service for signing, verifying and bundling TLS certificates.
Download:
https://pkg.cfssl.org/R1.2/cf...
https://pkg.cfssl.org/R1.2/cf...

2. Create the CA certificate

# Write the default signing configuration; the generated file is used as-is
cfssl print-defaults config > ca-config.json

# Contents of ca-config.json. The "www" profile is the one selected by -profile www when the
# server certificate is signed below; "default" (168h, i.e. 7 days) applies only to requests that
# name no profile. The CA certificate's own lifetime is not governed by this file.
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
# Write the default CSR; the generated file is used as-is
cfssl print-defaults csr > ca-csr.json

# Contents of ca-csr.json. The hosts here do not matter: a CA certificate is never matched
# against a server name. (The sample has L and ST swapped; harmless for a private CA.)
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
# Generate the CA. This produces ca.csr, ca.pem (the CA certificate, which clients must trust) and
# ca-key.pem (the CA private key, which signs every server certificate; keep it off the cluster)
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Fields in "names":
  • Common Name (CN): for a server certificate, traditionally the site's domain name (modern clients ignore it and match the hosts/SANs instead); for a code-signing certificate, the applicant organisation; for a client certificate, the holder's name
  • Organization Name (O): the organisation that owns the certificate; for a client certificate, the holder's organisation
  • Locality (L): city
  • State/Province (ST): province or state
  • Country (C): two-letter country code only, e.g. CN for China

3. Create the server certificate

# cr7-csr.json, the server certificate request. "hosts" matters here: it becomes the certificate's
# subjectAltName list, which must contain the host used in the Ingress tls section below
# (cr7.example.com). Otherwise clients reject the certificate for that name and the ingress
# controller falls back to its default certificate instead of loading this one.
{
    "CN": "cr7.example.com",
    "hosts": [
        "cr7.example.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai"
        }
    ]
}
  • -ca: the CA certificate (ca.pem)
  • -ca-key: the CA private key (ca-key.pem)
  • -config: the signing configuration (ca-config.json); the CSR json is the positional argument
  • -profile: the profile in -config to sign with; its expiry and usages go into the certificate
# Produces cr7.csr, cr7.pem (the server certificate) and cr7-key.pem (the server private key)
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www cr7-csr.json | cfssljson -bare cr7

4. Create a Secret from the server certificate

Create a TLS Secret from the server private key and certificate, in the namespace the Ingress will live in:

[root@containerd-master1 cert]# kubectl create secret tls cr7-secret --cert=cr7.pem --key=cr7-key.pem 
secret/cr7-secret created
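
The whole pipeline of steps 2 to 4, and the check behind the access test in step 7, as an added example in Go (cfssl's own language). This is not code from the original page, nor from cfssl or ingress-nginx; it uses only the Go standard library to do what the commands above do: create the CA, sign a server certificate with the CSR's hosts as SANs, pack it as the data of a kubernetes.io/tls Secret, and then, from that Secret alone, confirm that the key matches the certificate and that the certificate chains to the CA and covers a given Ingress host. The names example.net, cr7.example.com and foo.bar.com are the page's; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCA does what `cfssl gencert -initca ca-csr.json` does: ECDSA P-256 key, self-signed CA:TRUE certificate.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(43800 * time.Hour), // cfssl's default CA lifetime, 5 years
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverSecret does what `cfssl gencert -ca ... -profile www cr7-csr.json` followed by
// `kubectl create secret tls` do: RSA-2048 key, one-year leaf with the "www" profile's usages and
// the CSR's hosts as DNS SANs (the only names modern clients match; the CN is ignored), returned
// as the Secret's data (base64 appears only in the YAML form; it is an encoding, not encryption).
func serverSecret(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, hosts []string) (map[string][]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     hosts,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(8760 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // "signing", "key encipherment"
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},                // "server auth"
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
	}, nil
}

// checkSecret is a pre-flight test for one Ingress tls entry: reject a tls.key that does not
// belong to tls.crt, then verify what `curl --cacert ca.pem https://<host>` verifies, namely that
// the chain ends at our CA and <host> is one of the SANs. A host that fails here is served the
// controller's default ("Kubernetes Ingress Controller Fake Certificate") instead of this Secret.
func checkSecret(data map[string][]byte, ca *x509.Certificate, host string) error {
	pair, err := tls.X509KeyPair(data["tls.crt"], data["tls.key"]) // fails on a cert/key mismatch
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, caKey, err := newCA("example.net")
	if err != nil {
		panic(err)
	}
	data, err := serverSecret(ca, caKey, "cr7.example.com", []string{"cr7.example.com"})
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"cr7.example.com", "foo.bar.com"} {
		fmt.Printf("%-16s %v\n", host, checkSecret(data, ca, host))
	}
}
```

Run with go run: cr7.example.com verifies (nil error) and foo.bar.com fails with a hostname mismatch, the same two outcomes the curl runs in step 7 show (our certificate versus the fallback). Running checkSecret over a Secret's decoded data before applying the Ingress catches the two mistakes that end in the controller serving its default certificate: a hosts list that does not include the Ingress host, and a tls.key that belongs to a different cr7.pem.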

5. Install the Kubernetes ingress controller

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx

6. Create the Ingress

# networking.k8s.io/v1beta1 was removed in Kubernetes 1.22; this is the v1 form of the same Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test   # must be in the same namespace as cr7-secret
spec:
  ingressClassName: nginx   # matches the controller's --ingress-class=nginx
  tls:
  - hosts:
    - cr7.example.com   # same name as the hosts in cr7-csr.json, i.e. a SAN of the certificate in cr7-secret
    secretName: cr7-secret   # the Secret created from the server certificate
  rules:
  - host: foo.bar.com   # no tls entry covers it: served with the controller's default certificate
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: http-svc
            port:
              number: 80
  - host: cr7.example.com   # covered by the tls entry above: served with our certificate
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-svc
            port:
              number: 80

7. Access test

When the requested host is cr7.example.com, which matches both the hosts in the Ingress tls section and the hosts in cr7-csr.json, the ingress controller serves our certificate for that server name (selected by the SNI the client sends). Note that -k tells curl to skip certificate verification, which is why it reports "unable to get local issuer certificate" and continues anyway: the private CA is not in the client's trust store. To verify properly, pass ca.pem with --cacert instead of using -k.

# 31252 is the NodePort that exposes the ingress controller
curl -kv https://cr7.example.com:31252

*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to cr7.example.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:  # our own certificate, issued by the example.net CA, is served
*  subject: C=CN; ST=Shanghai; L=Shanghai; CN=cr7.example.com
*  start date: Dec 19 12:25:00 2020 GMT
*  expire date: Dec 19 12:25:00 2021 GMT
*  issuer: C=US; ST=San Francisco; L=CA; CN=example.net
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f963100dc00)
> GET / HTTP/2
> Host: cr7.example.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:37:39 GMT
< content-type: text/html
< content-length: 612
< last-modified: Tue, 15 Dec 2020 13:59:38 GMT
< etag: "5fd8c14a-264"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
<

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

* Connection #0 to host cr7.example.com left intact
* Closing connection 0

Accessing a host that has no matching tls entry, however, gets the ingress controller's default certificate. Out of the box that is the self-signed "Kubernetes Ingress Controller Fake Certificate": the connection is still encrypted, but it authenticates nothing, and a client that verifies (no -k) will refuse it:

curl -kv https://foo.bar.com:31252 
                                 
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate: # the ingress controller's built-in default certificate
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Dec 19 12:39:47 2020 GMT
*  expire date: Dec 19 12:39:47 2021 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f99fb80dc00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:40:03 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<

Hostname: http-svc-6b7fcd49cc-xlx4d

Pod Information:
    node name:    containerd-worker1
    pod name:    http-svc-6b7fcd49cc-xlx4d
    pod namespace:    default
    pod IP:    7.7.69.5

Server values:
    server_version=nginx: 1.12.2 - lua: 10010

Request Information:
    client_address=7.7.69.6
    method=GET
    real path=/
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://foo.bar.com:8080/

Request Headers:
    accept=*/*
    host=foo.bar.com:31252
    user-agent=curl/7.64.1
    x-forwarded-for=192.168.1.111
    x-forwarded-host=foo.bar.com:31252
    x-forwarded-port=443
    x-forwarded-proto=https
    x-real-ip=192.168.1.111
    x-request-id=3780eb8ddd12bc150d3a6a2a5c967f7e
    x-scheme=https

Request Body:
    -no body in request-

* Connection #0 to host foo.bar.com left intact
* Closing connection 0

8. Change the default certificate

8.1 Create the Secret

Create a server certificate and private key the same way as before, then create the Secret from them:

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
  namespace: default   # referenced by the controller as default/tls-secret
type: kubernetes.io/tls
data:
  tls.crt: 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
  tls.key: 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

8.2 Modify the ingress controller configuration

Add the --default-ssl-certificate=default/tls-secret argument (namespace/name) so that the controller serves that Secret as its default certificate. If the controller was installed with Helm, set this through the chart value controller.extraArgs rather than editing the Deployment by hand, otherwise the next helm upgrade drops the flag:

......
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --default-ssl-certificate=default/tls-secret
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
......

Accessing foo.bar.com again now returns our own certificate as the default:

curl -kv https://foo.bar.com:31252  
                                                                                                               
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate: # the default certificate is now our own
*  subject: CN=nginxsvc; O=nginxsvc
*  start date: Dec 19 04:08:07 2020 GMT
*  expire date: Dec 19 04:08:07 2021 GMT
*  issuer: CN=nginxsvc; O=nginxsvc
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd300010e00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:51:47 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<


Hostname: http-svc-6b7fcd49cc-xlx4d

Pod Information:
    node name:    containerd-worker1
    pod name:    http-svc-6b7fcd49cc-xlx4d
    pod namespace:    default
    pod IP:    7.7.69.5

Server values:
    server_version=nginx: 1.12.2 - lua: 10010

Request Information:
    client_address=7.7.22.4
    method=GET
    real path=/
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://foo.bar.com:8080/

Request Headers:
    accept=*/*
    host=foo.bar.com:31252
    user-agent=curl/7.64.1
    x-forwarded-for=192.168.1.111
    x-forwarded-host=foo.bar.com:31252
    x-forwarded-port=443
    x-forwarded-proto=https
    x-real-ip=192.168.1.111
    x-request-id=db4811e08800ad0c6320bad066e2f62c
    x-scheme=https

Request Body:
    -no body in request-

* Connection #0 to host foo.bar.com left intact
* Closing connection 0

9. The ingress-nginx kubectl plugin

Because ingress-nginx does not write the upstream endpoints into the nginx configuration file (they are managed dynamically by the controller's Lua code), you cannot simply cat the file to see what is being served when debugging; the ingress-nginx kubectl plugin reads the effective configuration instead.
Reference: https://kubernetes.github.io/...

Common commands

# List the ingress controller's backends (upstreams and their endpoints)
kubectl ingress-nginx backends
# --list prints only the upstream names
kubectl ingress-nginx backends --list
# Dump the generated nginx configuration for the cr7.example.com server block
kubectl ingress-nginx conf --host cr7.example.com
# List the Ingress resources the controller knows about
kubectl ingress-nginx ingresses
INGRESS NAME   HOST+PATH          ADDRESSES   TLS   SERVICE     SERVICE PORT   ENDPOINTS
nginx-test     foo.bar.com/                   NO    http-svc    80             1
nginx-test     cr7.example.com/               YES   nginx-svc   80             1
# Show the certificate served for cr7.example.com
kubectl ingress-nginx certs --host cr7.example.com

Example: retrieving certificate information

Use the plugin to fetch the certificate the controller serves for a host:

kubectl ingress-nginx certs --host cr7.example.com    

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Cross-check against the Secret. Its data fields are base64-encoded, not encrypted, so they only need decoding (anyone allowed to read the Secret can read the private key).
The keys tls.crt and tls.key contain a dot, which jsonpath treats as a path separator, so it has to be escaped as \. ; unquoted in the shell that is written \\.

# Server certificate
❯ kubectl get secrets cr7-secret -o jsonpath={.data.tls\\.crt} | base64 -d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

# Server private key
❯ kubectl get secrets cr7-secret -o jsonpath={.data.tls\\.key} | base64 -d

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

For foo.bar.com the plugin returns the default certificate instead. Note that the certs output includes the private key, so it needs the same protection as the Secret itself.
