共计 19646 个字符,预计需要花费 50 分钟才能阅读完成。
1. 装置 cfssl
CFSSL 是 CloudFlare 开源的一款 PKI/TLS 工具。CFSSL 蕴含一个命令行工具 和一个用于 签名,验证并且捆绑 TLS 证书的 HTTP API 服务,应用 Go 语言编写。
下载地址:
https://pkg.cfssl.org/R1.2/cf…
https://pkg.cfssl.org/R1.2/cf…
2. 创立 CA 证书
# 失去的 json 文件放弃默认
cfssl print-defaults config > ca-config.json
{
"signing": {
"default": {"expiry": "168h"},
"profiles": {
"www": { #前面生成服务器证书 --profile 应用的是这里的 www
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}
}
}
}
#失去的 json 文件放弃默认
cfssl print-defaults csr > ca-csr.json
{
"CN": "example.net",
"hosts": [ #这里的 hosts 无所谓
"example.net",
"www.example.net"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
#生成 CA,失去 ca.csr,ca.pem,ca-key.pem,
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
| 字段名 | 字段值 |
|---|---|
| 专用名称 (Common Name) | 简称:CN 字段,对于 SSL 证书,个别为网站域名;而对于代码签名证书则为申请单位名称;而对于客户端证书则为证书申请者的姓名; |
| 单位名称 (Organization Name) | 简称:O 字段,对于 SSL 证书,个别为网站域名;而对于代码签名证书则为申请单位名称;而对于客户端单位证书则为证书申请者所在单位名称; |
| 所在城市 (Locality) | 简称:L 字段 |
| 所在省份 (State/Provice) | 简称:S 字段 |
| 所在国家 (Country) | 简称:C 字段,只能是国家字母缩写,如中国:CN |
3. 创立服务器证书
{
"CN": "cr7.example.com",
"hosts": ["cr7.example.com" // 这里的 hosts 很重要,要和前面的 ingress 中定义的 hosts 一样,当客户端拜访该 hosts 时才会动静加载 ssl 证书],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Shanghai",
"ST": "Shanghai"
}
]
}- -ca:指明 ca 的证书
- -ca-key:指明 ca 的私钥文件
- -config:指明申请证书的 json 文件
- -profile:与 -config 中的 profile 对应,是指依据 config 中的 profile 段来生成证书的相干信息
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile www cr7-csr.json | cfssljson -bare cr74. 依据服务器证书创立 secret
依据服务器私钥和证书创立 secret
[root@containerd-master1 cert]# kubectl create secret tls cr7-secret --cert=cr7.pem --key=cr7-key.pem
secret/cr7-secret created5.kubernetes ingress controller 装置
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx6. 创立 ingress
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: nginx-test
spec:
tls:
- hosts:
- cr7.example.com #hosts 和 cr7-csr.json 的统一
# This assumes cr7-secret exists and the SSL
# certificate contains a CN for cr7-example.com
secretName: cr7-secret #应用服务器证书创立进去的 secret
rules:
- host: foo.bar.com #不加载后面创立的服务器证书
http:
paths:
- path: /
backend:
serviceName: http-svc
servicePort: 80
- host: cr7.example.com #加载后面创立的服务器证书
http:
paths:
- path: /
backend:
serviceName: nginx-svc
servicePort: 807. 拜访测试
当拜访的 host 为 cr7.example.com 满足 ingress 中 hosts 和 cr7-csr.json 中 hosts 值时,kubernetes ingress controller 会动静地加载 ssl 证书:
#31252 是裸露 ingress controller 的 NodePort 的端口
curl -kv https://cr7.example.com:31252
* Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to cr7.example.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate: #能够看到应用了咱们本人的的证书
* subject: C=CN; ST=Shanghai; L=Shanghai; CN=cr7.example.com
* start date: Dec 19 12:25:00 2020 GMT
* expire date: Dec 19 12:25:00 2021 GMT
* issuer: C=US; ST=San Francisco; L=CA; CN=example.net
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f963100dc00)
> GET / HTTP/2
> Host: cr7.example.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:37:39 GMT
< content-type: text/html
< content-length: 612
< last-modified: Tue, 15 Dec 2020 13:59:38 GMT
< etag: "5fd8c14a-264"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host cr7.example.com left intact
* Closing connection 0然而拜访另一个不满足条件的域名,则应用 nginx ingress controller 默认的证书:
curl -kv https://foo.bar.com:31252
* Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate: #应用了 kubernetes ingress controller 默认的证书
* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* start date: Dec 19 12:39:47 2020 GMT
* expire date: Dec 19 12:39:47 2021 GMT
* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f99fb80dc00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:40:03 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<
Hostname: http-svc-6b7fcd49cc-xlx4d
Pod Information:
node name: containerd-worker1
pod name: http-svc-6b7fcd49cc-xlx4d
pod namespace: default
pod IP: 7.7.69.5
Server values:
server_version=nginx: 1.12.2 - lua: 10010
Request Information:
client_address=7.7.69.6
method=GET
real path=/
query=
request_version=1.1
request_scheme=http
request_uri=http://foo.bar.com:8080/
Request Headers:
accept=*/*
host=foo.bar.com:31252
user-agent=curl/7.64.1
x-forwarded-for=192.168.1.111
x-forwarded-host=foo.bar.com:31252
x-forwarded-port=443
x-forwarded-proto=https
x-real-ip=192.168.1.111
x-request-id=3780eb8ddd12bc150d3a6a2a5c967f7e
x-scheme=https
Request Body:
-no body in request-
* Connection #0 to host foo.bar.com left intact
* Closing connection 08. 批改默认证书
8.1 创立 secret
依照后面雷同的形式创立出服务器的证书和私钥,而后创立 secret:
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJBQ0NRQzFOUllWRHhIREJ6QU5CZ2txaGtpRzl3MEJBUXNGQURBbU1SRXdEd1lEVlFRRERBaHUKWjJsdWVITjJZekVSTUE4R0ExVUVDZ3dJYm1kcGJuaHpkbU13SGhjTk1qQXhNakU1TURRd09EQTNXaGNOTWpFeApNakU1TURRd09EQTNXakFtTVJFd0R3WURWUVFEREFodVoybHVlSE4yWXpFUk1BOEdBMVVFQ2d3SWJtZHBibmh6CmRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFETXpkdlJQUVNQWXJ5WTBPSUYKczlNZ0ZSSm1icHJmSWRVZEZIT0YxT1R5UTBPVDVxRnk4RUVGTlV3S2wwTlVJNzd4SG5hRWYwNFhXVFM0Q09lcAp5bUlWTWVFUXlwQk9MdUd1bXlXUy9BejlxR1BYQ2xzN0NNcHpFbmpuMXllNUpQaTJzTHBVL2xGdGViMS8zUXJXCkJFMFRQczQ2c1U3RVNvZlc4cll4dDk1WDFaOVBiakZ4dUZETkxTTzc5N3RkR3BnK09BdFFETXRpUDJjWDdpdS8KVm4rNzQwTHRlM1BUa2ZOT2Y1aWkyTVJld2tlVTlLYnpGdmVMZFdIZ01vS3hXVjY3WTNUWmx2eXVXVlNhd0s3SgptbDNkYTFweTNOMkoyR2hjaFIySkF3QTdUdlEydlZzb284MHZEU1p6NE1wMm55Q1l2a0F1UzllWlc3TVVxRElXCjd4TGRBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDOVd0Q3JZY01FVEpwU2w2QmFFSVlpZEZKNnoKYW1CdmFnakpwQlpsSmRsOVBUTkxzSEVVZU9FS3Y1RTJ2SGhId21FQ25paDROLzI5MEtCTEw3TU5jcHhraGxsVQozM1FpcFluSVQzbS9rV0RrRXQwbkUva0YzZFVVZFNtcTRBYnpESjF1MjFOMDlLb0psR2tyUnJRcGhXN1I1UTBWCnFHN082RDhNNjBORlZlSFpyYjdjY0RKNVJXTjNuYXZDeXF3VWxlM2pHSEU3TmpCb29WdWd3TldEYW9ZWURkUnkKQ243WFREZ1FrUEdmSTdjM1E0b09lcVRWUVZhLzk5MS9oanJ5YWlDT29JWEZyNTBFV0hUWmtIU2xKV1BHR3JDSgpCSnJqVlIxWVAxTTlvVXc0NUlQQ25zSzRyeTRzMzBxSXQ5VHFHQ25TcGs1UFZ0ck1PWWVEZ2xTMXdPdz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRE16ZHZSUFFTUFlyeVkKME9JRnM5TWdGUkptYnByZklkVWRGSE9GMU9UeVEwT1Q1cUZ5OEVFRk5Vd0tsME5VSTc3eEhuYUVmMDRYV1RTNApDT2VweW1JVk1lRVF5cEJPTHVHdW15V1MvQXo5cUdQWENsczdDTXB6RW5qbjF5ZTVKUGkyc0xwVS9sRnRlYjEvCjNRcldCRTBUUHM0NnNVN0VTb2ZXOHJZeHQ5NVgxWjlQYmpGeHVGRE5MU083OTd0ZEdwZytPQXRRRE10aVAyY1gKN2l1L1ZuKzc0MEx0ZTNQVGtmTk9mNWlpMk1SZXdrZVU5S2J6RnZlTGRXSGdNb0t4V1Y2N1kzVFpsdnl1V1ZTYQp3SzdKbWwzZGExcHkzTjJKMkdoY2hSMkpBd0E3VHZRMnZWc29vODB2RFNaejRNcDJueUNZdmtBdVM5ZVpXN01VCnFESVc3eExkQWdNQkFBRUNnZ0VBRVQyZkxKMFRYakswcDdTbDRrOENEZWhZTlRGSWJsSTl5NFhtTjdUMVZRT2UKazd2TmlZeDZITU1nMUo5cE5wTVB4dUtHblo3TjV4OUdWZHZDRE1RUnY3RUVQbEtmRlVYVEQ4elZ1K3JsK1JDTQozeFJyRzZ3Z3h0RWVSbjRSUlArOHhEeGFZejlKZ1lySERoV0FqUVd0cTFvVktGRzJ6TVZ0YkFYZ21vemM5YzNLCkkwR29zc0g3YmhkZlFDck5MTDJKS1IyOGVuSjNRQ3hkYldoUUlvZWV5bVltbHBraW0yRjBMU1RQSGlsSFB2eUUKWklCd05RdGVaVjBBZ3o4WmtUc3VoTGVXb0NnaGFsQzFoWlVUMVIrZHlNSDNCbmhyK1duai9UL3ByNlBiL3o0WgpkeGJ5QU5JOHg4WU1LSGQvOFZrSjJ2djMrWEk4VWFmSTc4SkR5QmdnQVFLQmdRRC9wL1AySWJwMGlQdE1ZbWR2Cm11SDFQRVZiWEx1VVpySW1CODlJSHVBb3VVWTJqSXAyRkVTZUllWG05cDBaeWdLb091MDdSc1A4WVY0YSt0VzYKNGlwRGZNbG5ZWkVlT3lQOFBXdFdhb3RMdGVGUFg5UTg0YWlTQUprRWo4RmhnWnRwQTJ6MGZFd3pSN0dqSTFSRwpqNmxsSDFYR2NSWVdlU0ZnazVoWmdvbllBUUtCZ1FETkZHUjRvdmtxUThsSUZPN0JMVlNmTENIWndBdXNFbHBlCm9iSWs0QmMvVEVHWExjWFQ2a1I5a0Fwa2RoQkM4L242aCtITlU3ZElLR2JvbUhJaVV3WVpRUUo4MkhVcEx0bzQKR2dYSytacHJwWWhLUVBOeWxsL3dBMHlHSWNsUS8wekczVnZENTkxbGo4NEpUTUtDR1g0Wk5JNC9xOERKS0pOTApQWDIvVWYrYTNRS0JnUURUSkhVYVBIVHZ0Z3BGNWFlanh2a0RQd25SRU45akN3WHEzdHhVcGh0Znh0UzBUSkkyClB6c0VsdDUzU0FvcnVHbEZZNVYyTlZXNzVQYUJ0ZFE3Q25yNVRlQlEzNFdvd0JOU1NhK1NxVi90NFlMNXVSMWkKUXNTa0FKWmY3Qkk4WTN4azJJMXR4aEp3NzY5SUd1K0piekRwOFYwNERVRyt3Yi9OTVZqTDVFSFFBUUtCZ1FDVApOZ1E1SktPL1Z4RnhrTFVpTGl3RVptV1dMV2t6aDZrZkxPcjMxWFJhbDU2dHFzbkxLT3NwUnZCdTFPRXZibnNPCi8rTnl4SmxZVHNnd1J0NEhEWm5mSHU5dU51TkRRTUtjYXZHbGxpN20vdGdxbFIwc01BMkYrSmhCNEpibWNaem4KVTVhL3RmMFRIbnRENmJubU1lNTJvV2RMQlR0S0tyb3cxRjhqcXZUVWNRS0JnUUNuZEs4LzNITElJVkkyUWJBMApBY0x5Sjd1SW5ua3VMNGkrcmhvM1JvZ2hZNTRuTXJzdDRUNkdCVVhZT050akZsQ2hPQ3ZHWmlraWsxaHRkcCtMCjJhU05wRG9WV2JJVWl1bEFGZjA5NkNGWWsrNnpPU0FDQ0xHTy9NMjFnTEN5Njdia3VLRkFZMzZOa201ZUN3TTIKT2p2UC95TUJKNVdGS3kvWmc0QzVIRFI1akE9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
managedFields:
- apiVersion: v1
name: tls-secret
type: kubernetes.io/tls8.2 批改 kubernetes ingress controller 配置
增加 --default-ssl-certificate=default/tls-secret 参数,示意默认的证书应用 tls-secret 的内容:
......
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --ingress-class=nginx
- --default-ssl-certificate=default/tls-secret
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
......再次拜访 foo.bar.com,这次就是应用咱们本人的证书作为默认证书了:
curl -kv https://foo.bar.com:31252
* Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
#此时默认证书就改成咱们本人的
* subject: CN=nginxsvc; O=nginxsvc
* start date: Dec 19 04:08:07 2020 GMT
* expire date: Dec 19 04:08:07 2021 GMT
* issuer: CN=nginxsvc; O=nginxsvc
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd300010e00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:51:47 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<
Hostname: http-svc-6b7fcd49cc-xlx4d
Pod Information:
node name: containerd-worker1
pod name: http-svc-6b7fcd49cc-xlx4d
pod namespace: default
pod IP: 7.7.69.5
Server values:
server_version=nginx: 1.12.2 - lua: 10010
Request Information:
client_address=7.7.22.4
method=GET
real path=/
query=
request_version=1.1
request_scheme=http
request_uri=http://foo.bar.com:8080/
Request Headers:
accept=*/*
host=foo.bar.com:31252
user-agent=curl/7.64.1
x-forwarded-for=192.168.1.111
x-forwarded-host=foo.bar.com:31252
x-forwarded-port=443
x-forwarded-proto=https
x-real-ip=192.168.1.111
x-request-id=db4811e08800ad0c6320bad066e2f62c
x-scheme=https
Request Body:
-no body in request-
* Connection #0 to host foo.bar.com left intact
* Closing connection 09.ingress-nginx kubectl plugin 插件
K8s 社区的 Ingress 的因为这个 Ingress 的实现并不是间接在配置文件中写入 upstream, 所以咱们在调试时, 没法间接 cat 出文件,能够通过 ingress- 插件来读取 Ingress 配置:
参考网址:https://kubernetes.github.io/…
常用命令
# 获取 kubernetes ingress controller 后端服务器信息
kubectl ingress-nginx backends
# --list 只列出 upstream 的名字
kubectl ingress-nginx backends --list
# 获取 cr7.example.com 的 nginx 配置文件
kubectl ingress-nginx conf --host cr7.example.com
#获取 ingress 信息
kubectl ingress-nginx ingresses
INGRESS NAME HOST+PATH ADDRESSES TLS SERVICE SERVICE PORT ENDPOINTS
nginx-test foo.bar.com/ NO http-svc 80 1
nginx-test cr7.example.com/ YES nginx-svc 80 1
#获取 cr7.example.com 域名的证书信息
kubectl ingress-nginx certs --host cr7.example.com 获取证书信息例子
通过 ingress-nginx kubectl plugin 来获取域名所对应的证书
kubectl ingress-nginx certs --host cr7.example.com
-----BEGIN CERTIFICATE-----
MIIC9jCCApugAwIBAgIUErauO0ao2H0vLhcZPGCjjC9as2wwCgYIKoZIzj0EAwIw
SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDEyMTkxMjI1MDBaFw0yMTEy
MTkxMjI1MDBaME0xCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhTaGFuZ2hhaTERMA8G
A1UEBxMIU2hhbmdoYWkxGDAWBgNVBAMTD2NyNy5leGFtcGxlLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANb3Ju5hY/gWu1osXSKj1DmMYQzKvFFZ
d2gK3YUHpxnWJHHs/gHVwMBu4yswKVeHv8+Mt1quPGW2GXItviuLXRoA5FU7wIYI
28IuXZXbXePOQsXbTlVoHzmQWUahlky7i36go8lekJb26ca945NvprH7ZFzDI/aJ
HINMa42JNtrhtZjfUlO+xvF7QwOrj2CkS+DnviSVbTEksnvI8nFX6Kq4xlMs1Wv2
KpnxFkg6I3zcfTFQ25OO3wkZ8dJdp2yPuydyNSMj2daWXwN51x2MkT4VbGN0Uyeq
y1shgQE5tkunTJasM7NxJvCWqHQ1hyb8/f4Vo+RBYCVxSt9vDvzxbpECAwEAAaOB
kjCBjzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQUAv50fyjzOgtHNSANxNbRKTVwOuAwHwYDVR0jBBgw
FoAUORZuzO4bNpnTCQncDGjYp/sdQyAwGgYDVR0RBBMwEYIPY3I3LmV4YW1wbGUu
Y29tMAoGCCqGSM49BAMCA0kAMEYCIQDwZ+pSfD3yikvvULWe8TicdLK3UfIT3gg2
Mi97uc+2agIhANif3PoMM94P/xUAWXv0N0wyJBqbxBVOVnC4H0bwVdxU
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1vcm7mFj+Ba7WixdIqPUOYxhDMq8UVl3aArdhQenGdYkcez+
AdXAwG7jKzApV4e/z4y3Wq48ZbYZci2+K4tdGgDkVTvAhgjbwi5dldtd485CxdtO
VWgfOZBZRqGWTLuLfqCjyV6Qlvbpxr3jk2+msftkXMMj9okcg0xrjYk22uG1mN9S
U77G8XtDA6uPYKRL4Oe+JJVtMSSye8jycVfoqrjGUyzVa/YqmfEWSDojfNx9MVDb
k47fCRnx0l2nbI+7J3I1IyPZ1pZfA3nXHYyRPhVsY3RTJ6rLWyGBATm2S6dMlqwz
s3Em8JaodDWHJvz9/hWj5EFgJXFK328O/PFukQIDAQABAoIBADPvvs41ZYvZIibl
NRNbdbj5u7D1go49CWZvyZmMgcjyPhfwZGZZGJrlr6kNl894EtW4b8xO8HS6jGdT
ufCXWUUhFgmpyBgaJ85AmYfNWl/hw6w+Eiz8XR7xS0CPZdrgLRHJCglq+ZAf09ea
pVNH1ISH8nWfCB9WfTcTzaCCmGhFUst5Xd0o2UfekvIhHZ5GB20eQQUqWlAwZUpP
g8n2Tc9OS9V0YhTtn/LIOFTsmTDEaDQ21x7D2/K9AE9sJhadgkeC+o33tyhe1zZR
AwRFqSv5Cr6Q5Ba4En+0ZD4fs1VCU6j+tCPcNsv0Y1vfR5iNnoE2gsWeQfkcUNaL
cYeCY2ECgYEA42MZr/nxQzmJIqBFzmeofTqUuzZxUjdoc/2OIY6PIgknzcdqrSM1
0WUgH+kp5LMgBYXATOswNTprwu+UlaC1iYmIl3d6zfQIp35x3Ble2a90jGbEdekg
P2PP8vAYBD1b7jYRLlyTgJNmi2J3eE0GdDK+I2XlH2wwAdpg4odjX10CgYEA8gPo
eF7uv49VtOTNlky0tNPTUP9aiM92Het6c1kInB3D4X6ot4JYeQSRqfGwmFXR7Co0
s/Jm9kVmo95pp8nKE4dB5ARqt78lcRMDPO131sRNRrDdvNm3cOenX8lZB8L9lkOY
QQWBB8nAV0Tav4kB98lBg5iAzGxTAYMYMkvofMUCgYBIIgnmD03/22Krf1hlr/B9
OXYxJYYxZK5YDVlnP8gcLfdYiihHIGJUONZGCTtm94Py/IkSXZF/cTb6MfJavQ6Z
wO15z0c/ymhsaepIviuettAsMfWkyf2W3lz7XjrgLW7aVICCyo9oPFpNYUExAo5H
kklLBWn32+Qm0lXlxrk5aQKBgQCafu4vsYK+HRV8lje8BBmz+inDYk/8WFwx+3o/
Go5JgyLh18aC553tG4KVt6mhhd+t4L+mRE+AVYuRftF6AHKVBtqEYmFyDX8scRO3
GG1RWB1wzEWxYlcdp3SMzG+eadcSzvHqSEY3n46+50Cx1xe/g+XjyT4nwds3cuXG
bfjrdQKBgQCXyHwg7XSyoHz+sv5WhCUv/rvL5AYy4zv5qPPusGbpJi+GxsSdrzTQ
cPXmY6xxQEC7dO+QYD9KDfghVOxQ+Pjg3T9DV1CSCCiN3SR34Jy2X01eeTtvCxqU
bnZga6ChZj0xPV6UvY99hETH+qdx0aI2ZPRK7sL+mMo7cDdUNyDKgw==
-----END RSA PRIVATE KEY-----查看 secret 验证,因为 secret 是 base64 加密的,所以须要先解密:tls.crt 和 tls.key比拟特地,因为有一个 .,所以用\\ 来本义
# 获取服务器证书
❯ kubectl secrets cr7-secret -o jsonpath={.data.tls\\.crt} | base64 -d
-----BEGIN CERTIFICATE-----
MIIC9jCCApugAwIBAgIUErauO0ao2H0vLhcZPGCjjC9as2wwCgYIKoZIzj0EAwIw
SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDEyMTkxMjI1MDBaFw0yMTEy
MTkxMjI1MDBaME0xCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhTaGFuZ2hhaTERMA8G
A1UEBxMIU2hhbmdoYWkxGDAWBgNVBAMTD2NyNy5leGFtcGxlLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANb3Ju5hY/gWu1osXSKj1DmMYQzKvFFZ
d2gK3YUHpxnWJHHs/gHVwMBu4yswKVeHv8+Mt1quPGW2GXItviuLXRoA5FU7wIYI
28IuXZXbXePOQsXbTlVoHzmQWUahlky7i36go8lekJb26ca945NvprH7ZFzDI/aJ
HINMa42JNtrhtZjfUlO+xvF7QwOrj2CkS+DnviSVbTEksnvI8nFX6Kq4xlMs1Wv2
KpnxFkg6I3zcfTFQ25OO3wkZ8dJdp2yPuydyNSMj2daWXwN51x2MkT4VbGN0Uyeq
y1shgQE5tkunTJasM7NxJvCWqHQ1hyb8/f4Vo+RBYCVxSt9vDvzxbpECAwEAAaOB
kjCBjzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQUAv50fyjzOgtHNSANxNbRKTVwOuAwHwYDVR0jBBgw
FoAUORZuzO4bNpnTCQncDGjYp/sdQyAwGgYDVR0RBBMwEYIPY3I3LmV4YW1wbGUu
Y29tMAoGCCqGSM49BAMCA0kAMEYCIQDwZ+pSfD3yikvvULWe8TicdLK3UfIT3gg2
Mi97uc+2agIhANif3PoMM94P/xUAWXv0N0wyJBqbxBVOVnC4H0bwVdxU
-----END CERTIFICATE-----
#获取服务器私钥
❯ kubectl get secrets cr7-secret -o jsonpath={.data.tls\\.key} | base64 -d
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1vcm7mFj+Ba7WixdIqPUOYxhDMq8UVl3aArdhQenGdYkcez+
AdXAwG7jKzApV4e/z4y3Wq48ZbYZci2+K4tdGgDkVTvAhgjbwi5dldtd485CxdtO
VWgfOZBZRqGWTLuLfqCjyV6Qlvbpxr3jk2+msftkXMMj9okcg0xrjYk22uG1mN9S
U77G8XtDA6uPYKRL4Oe+JJVtMSSye8jycVfoqrjGUyzVa/YqmfEWSDojfNx9MVDb
k47fCRnx0l2nbI+7J3I1IyPZ1pZfA3nXHYyRPhVsY3RTJ6rLWyGBATm2S6dMlqwz
s3Em8JaodDWHJvz9/hWj5EFgJXFK328O/PFukQIDAQABAoIBADPvvs41ZYvZIibl
NRNbdbj5u7D1go49CWZvyZmMgcjyPhfwZGZZGJrlr6kNl894EtW4b8xO8HS6jGdT
ufCXWUUhFgmpyBgaJ85AmYfNWl/hw6w+Eiz8XR7xS0CPZdrgLRHJCglq+ZAf09ea
pVNH1ISH8nWfCB9WfTcTzaCCmGhFUst5Xd0o2UfekvIhHZ5GB20eQQUqWlAwZUpP
g8n2Tc9OS9V0YhTtn/LIOFTsmTDEaDQ21x7D2/K9AE9sJhadgkeC+o33tyhe1zZR
AwRFqSv5Cr6Q5Ba4En+0ZD4fs1VCU6j+tCPcNsv0Y1vfR5iNnoE2gsWeQfkcUNaL
cYeCY2ECgYEA42MZr/nxQzmJIqBFzmeofTqUuzZxUjdoc/2OIY6PIgknzcdqrSM1
0WUgH+kp5LMgBYXATOswNTprwu+UlaC1iYmIl3d6zfQIp35x3Ble2a90jGbEdekg
P2PP8vAYBD1b7jYRLlyTgJNmi2J3eE0GdDK+I2XlH2wwAdpg4odjX10CgYEA8gPo
eF7uv49VtOTNlky0tNPTUP9aiM92Het6c1kInB3D4X6ot4JYeQSRqfGwmFXR7Co0
s/Jm9kVmo95pp8nKE4dB5ARqt78lcRMDPO131sRNRrDdvNm3cOenX8lZB8L9lkOY
QQWBB8nAV0Tav4kB98lBg5iAzGxTAYMYMkvofMUCgYBIIgnmD03/22Krf1hlr/B9
OXYxJYYxZK5YDVlnP8gcLfdYiihHIGJUONZGCTtm94Py/IkSXZF/cTb6MfJavQ6Z
wO15z0c/ymhsaepIviuettAsMfWkyf2W3lz7XjrgLW7aVICCyo9oPFpNYUExAo5H
kklLBWn32+Qm0lXlxrk5aQKBgQCafu4vsYK+HRV8lje8BBmz+inDYk/8WFwx+3o/
Go5JgyLh18aC553tG4KVt6mhhd+t4L+mRE+AVYuRftF6AHKVBtqEYmFyDX8scRO3
GG1RWB1wzEWxYlcdp3SMzG+eadcSzvHqSEY3n46+50Cx1xe/g+XjyT4nwds3cuXG
bfjrdQKBgQCXyHwg7XSyoHz+sv5WhCUv/rvL5AYy4zv5qPPusGbpJi+GxsSdrzTQ
cPXmY6xxQEC7dO+QYD9KDfghVOxQ+Pjg3T9DV1CSCCiN3SR34Jy2X01eeTtvCxqU
bnZga6ChZj0xPV6UvY99hETH+qdx0aI2ZPRK7sL+mMo7cDdUNyDKgw==
-----END RSA PRIVATE KEY-----如果是 foo.bar.com 则回返回默认的证书信息。
欢送关注
正文完