乐趣区

关于云计算:使用-HTTPS-加密-Ingress-流量

1. 装置 cfssl

CFSSL 是 CloudFlare 开源的一款 PKI/TLS 工具。CFSSL 蕴含一个命令行工具 和一个用于 签名,验证并且捆绑 TLS 证书的 HTTP API 服务,应用 Go 语言编写。
下载地址:
https://pkg.cfssl.org/R1.2/cf…
https://pkg.cfssl.org/R1.2/cf…

2. 创立 CA 证书

# 失去的 json 文件放弃默认
cfssl print-defaults config > ca-config.json

{
    "signing": {
        "default": {"expiry": "168h"},
        "profiles": {
            "www": {  #前面生成服务器证书 --profile 应用的是这里的 www
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
#失去的 json 文件放弃默认
cfssl print-defaults csr > ca-csr.json
{
    "CN": "example.net",
    "hosts": [    #这里的 hosts 无所谓
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
#生成 CA,失去 ca.csr,ca.pem,ca-key.pem,
cfssl gencert -initca ca-csr.json | cfssljson -bare ca  
字段名 字段值
专用名称 (Common Name) 简称:CN 字段,对于 SSL 证书,个别为网站域名;而对于代码签名证书则为申请单位名称;而对于客户端证书则为证书申请者的姓名;
单位名称 (Organization Name) 简称:O 字段,对于 SSL 证书,个别为网站域名;而对于代码签名证书则为申请单位名称;而对于客户端单位证书则为证书申请者所在单位名称;
所在城市 (Locality) 简称:L 字段
所在省份 (State/Provice) 简称:S 字段
所在国家 (Country) 简称:C 字段,只能是国家字母缩写,如中国:CN

3. 创立服务器证书

{
    "CN": "cr7.example.com",
    "hosts": ["cr7.example.com" // 这里的 hosts 很重要,要和前面的 ingress 中定义的 hosts 一样,当客户端拜访该 hosts 时才会动静加载 ssl 证书],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai"
        }
    ]
}
  • -ca:指明 ca 的证书
  • -ca-key:指明 ca 的私钥文件
  • -config:指明申请证书的 json 文件
  • -profile:与 -config 中的 profile 对应,是指依据 config 中的 profile 段来生成证书的相干信息
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile www cr7-csr.json  | cfssljson -bare cr7

4. 依据服务器证书创立 secret

依据服务器私钥和证书创立 secret

[root@containerd-master1 cert]# kubectl create secret tls cr7-secret --cert=cr7.pem --key=cr7-key.pem 
secret/cr7-secret created

5.kubernetes ingress controller 装置

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx

6. 创立 ingress

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-test
spec:
   tls:
     - hosts:
        - cr7.example.com #hosts 和 cr7-csr.json 的统一
          # This assumes cr7-secret exists and the SSL
          # certificate contains a CN for cr7-example.com
       secretName: cr7-secret  #应用服务器证书创立进去的 secret
   rules:
    - host: foo.bar.com  #不加载后面创立的服务器证书
      http:
        paths:
        - path: /
          backend:
            serviceName: http-svc
            servicePort: 80
    - host: cr7.example.com  #加载后面创立的服务器证书
      http:
        paths:
        - path: /
          backend:
            serviceName: nginx-svc
            servicePort: 80

7. 拜访测试

当拜访的 host 为 cr7.example.com 满足 ingress 中 hosts 和 cr7-csr.json 中 hosts 值时,kubernetes ingress controller 会动静地加载 ssl 证书:

#31252 是裸露 ingress controller 的 NodePort 的端口
curl -kv https://cr7.example.com:31252                              

*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to cr7.example.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:  #能够看到应用了咱们本人的的证书
*  subject: C=CN; ST=Shanghai; L=Shanghai; CN=cr7.example.com
*  start date: Dec 19 12:25:00 2020 GMT
*  expire date: Dec 19 12:25:00 2021 GMT
*  issuer: C=US; ST=San Francisco; L=CA; CN=example.net
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f963100dc00)
> GET / HTTP/2
> Host: cr7.example.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:37:39 GMT
< content-type: text/html
< content-length: 612
< last-modified: Tue, 15 Dec 2020 13:59:38 GMT
< etag: "5fd8c14a-264"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host cr7.example.com left intact
* Closing connection 0

然而拜访另一个不满足条件的域名,则应用 nginx ingress controller 默认的证书:

curl -kv https://foo.bar.com:31252 
                                 
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate: #应用了 kubernetes ingress controller 默认的证书
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Dec 19 12:39:47 2020 GMT
*  expire date: Dec 19 12:39:47 2021 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f99fb80dc00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:40:03 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<

Hostname: http-svc-6b7fcd49cc-xlx4d

Pod Information:
    node name:    containerd-worker1
    pod name:    http-svc-6b7fcd49cc-xlx4d
    pod namespace:    default
    pod IP:    7.7.69.5

Server values:
    server_version=nginx: 1.12.2 - lua: 10010

Request Information:
    client_address=7.7.69.6
    method=GET
    real path=/
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://foo.bar.com:8080/

Request Headers:
    accept=*/*
    host=foo.bar.com:31252
    user-agent=curl/7.64.1
    x-forwarded-for=192.168.1.111
    x-forwarded-host=foo.bar.com:31252
    x-forwarded-port=443
    x-forwarded-proto=https
    x-real-ip=192.168.1.111
    x-request-id=3780eb8ddd12bc150d3a6a2a5c967f7e
    x-scheme=https

Request Body:
    -no body in request-

* Connection #0 to host foo.bar.com left intact
* Closing connection 0

8. 批改默认证书

8.1 创立 secret

依照后面雷同的形式创立出服务器的证书和私钥,而后创立 secret:

apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJBQ0NRQzFOUllWRHhIREJ6QU5CZ2txaGtpRzl3MEJBUXNGQURBbU1SRXdEd1lEVlFRRERBaHUKWjJsdWVITjJZekVSTUE4R0ExVUVDZ3dJYm1kcGJuaHpkbU13SGhjTk1qQXhNakU1TURRd09EQTNXaGNOTWpFeApNakU1TURRd09EQTNXakFtTVJFd0R3WURWUVFEREFodVoybHVlSE4yWXpFUk1BOEdBMVVFQ2d3SWJtZHBibmh6CmRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFETXpkdlJQUVNQWXJ5WTBPSUYKczlNZ0ZSSm1icHJmSWRVZEZIT0YxT1R5UTBPVDVxRnk4RUVGTlV3S2wwTlVJNzd4SG5hRWYwNFhXVFM0Q09lcAp5bUlWTWVFUXlwQk9MdUd1bXlXUy9BejlxR1BYQ2xzN0NNcHpFbmpuMXllNUpQaTJzTHBVL2xGdGViMS8zUXJXCkJFMFRQczQ2c1U3RVNvZlc4cll4dDk1WDFaOVBiakZ4dUZETkxTTzc5N3RkR3BnK09BdFFETXRpUDJjWDdpdS8KVm4rNzQwTHRlM1BUa2ZOT2Y1aWkyTVJld2tlVTlLYnpGdmVMZFdIZ01vS3hXVjY3WTNUWmx2eXVXVlNhd0s3SgptbDNkYTFweTNOMkoyR2hjaFIySkF3QTdUdlEydlZzb284MHZEU1p6NE1wMm55Q1l2a0F1UzllWlc3TVVxRElXCjd4TGRBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDOVd0Q3JZY01FVEpwU2w2QmFFSVlpZEZKNnoKYW1CdmFnakpwQlpsSmRsOVBUTkxzSEVVZU9FS3Y1RTJ2SGhId21FQ25paDROLzI5MEtCTEw3TU5jcHhraGxsVQozM1FpcFluSVQzbS9rV0RrRXQwbkUva0YzZFVVZFNtcTRBYnpESjF1MjFOMDlLb0psR2tyUnJRcGhXN1I1UTBWCnFHN082RDhNNjBORlZlSFpyYjdjY0RKNVJXTjNuYXZDeXF3VWxlM2pHSEU3TmpCb29WdWd3TldEYW9ZWURkUnkKQ243WFREZ1FrUEdmSTdjM1E0b09lcVRWUVZhLzk5MS9oanJ5YWlDT29JWEZyNTBFV0hUWmtIU2xKV1BHR3JDSgpCSnJqVlIxWVAxTTlvVXc0NUlQQ25zSzRyeTRzMzBxSXQ5VHFHQ25TcGs1UFZ0ck1PWWVEZ2xTMXdPdz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRE16ZHZSUFFTUFlyeVkKME9JRnM5TWdGUkptYnByZklkVWRGSE9GMU9UeVEwT1Q1cUZ5OEVFRk5Vd0tsME5VSTc3eEhuYUVmMDRYV1RTNApDT2VweW1JVk1lRVF5cEJPTHVHdW15V1MvQXo5cUdQWENsczdDTXB6RW5qbjF5ZTVKUGkyc0xwVS9sRnRlYjEvCjNRcldCRTBUUHM0NnNVN0VTb2ZXOHJZeHQ5NVgxWjlQYmpGeHVGRE5MU083OTd0ZEdwZytPQXRRRE10aVAyY1gKN2l1L1ZuKzc0MEx0ZTNQVGtmTk9mNWlpMk1SZXdrZVU5S2J6RnZlTGRXSGdNb0t4V1Y2N1kzVFpsdnl1V1ZTYQp3SzdKbWwzZGExcHkzTjJKMkdoY2hSMkpBd0E3VHZRMnZWc29vODB2RFNaejRNcDJueUNZdmtBdVM5ZVpXN01VCnFESVc3eExkQWdNQkFBRUNnZ0VBRVQyZkxKMFRYakswcDdTbDRrOENEZWhZTlRGSWJsSTl5NFhtTjdUMVZRT2UKazd2TmlZeDZITU1nMUo5cE5wTVB4dUtHblo3TjV4OUdWZHZDRE1RUnY3RUVQbEtmRlVYVEQ4elZ1K3JsK1JDTQozeFJyRzZ3Z3h0RWVSbjRSUlArOHhEeGFZejlKZ1lySERoV0FqUVd0cTFvVktGRzJ6TVZ0YkFYZ21vemM5YzNLCkkwR29zc0g3YmhkZlFDck5MTDJKS1IyOGVuSjNRQ3hkYldoUUlvZWV5bVltbHBraW0yRjBMU1RQSGlsSFB2eUUKWklCd05RdGVaVjBBZ3o4WmtUc3VoTGVXb0NnaGFsQzFoWlVUMVIrZHlNSDNCbmhyK1duai9UL3ByNlBiL3o0WgpkeGJ5QU5JOHg4WU1LSGQvOFZrSjJ2djMrWEk4VWFmSTc4SkR5QmdnQVFLQmdRRC9wL1AySWJwMGlQdE1ZbWR2Cm11SDFQRVZiWEx1VVpySW1CODlJSHVBb3VVWTJqSXAyRkVTZUllWG05cDBaeWdLb091MDdSc1A4WVY0YSt0VzYKNGlwRGZNbG5ZWkVlT3lQOFBXdFdhb3RMdGVGUFg5UTg0YWlTQUprRWo4RmhnWnRwQTJ6MGZFd3pSN0dqSTFSRwpqNmxsSDFYR2NSWVdlU0ZnazVoWmdvbllBUUtCZ1FETkZHUjRvdmtxUThsSUZPN0JMVlNmTENIWndBdXNFbHBlCm9iSWs0QmMvVEVHWExjWFQ2a1I5a0Fwa2RoQkM4L242aCtITlU3ZElLR2JvbUhJaVV3WVpRUUo4MkhVcEx0bzQKR2dYSytacHJwWWhLUVBOeWxsL3dBMHlHSWNsUS8wekczVnZENTkxbGo4NEpUTUtDR1g0Wk5JNC9xOERKS0pOTApQWDIvVWYrYTNRS0JnUURUSkhVYVBIVHZ0Z3BGNWFlanh2a0RQd25SRU45akN3WHEzdHhVcGh0Znh0UzBUSkkyClB6c0VsdDUzU0FvcnVHbEZZNVYyTlZXNzVQYUJ0ZFE3Q25yNVRlQlEzNFdvd0JOU1NhK1NxVi90NFlMNXVSMWkKUXNTa0FKWmY3Qkk4WTN4azJJMXR4aEp3NzY5SUd1K0piekRwOFYwNERVRyt3Yi9OTVZqTDVFSFFBUUtCZ1FDVApOZ1E1SktPL1Z4RnhrTFVpTGl3RVptV1dMV2t6aDZrZkxPcjMxWFJhbDU2dHFzbkxLT3NwUnZCdTFPRXZibnNPCi8rTnl4SmxZVHNnd1J0NEhEWm5mSHU5dU51TkRRTUtjYXZHbGxpN20vdGdxbFIwc01BMkYrSmhCNEpibWNaem4KVTVhL3RmMFRIbnRENmJubU1lNTJvV2RMQlR0S0tyb3cxRjhqcXZUVWNRS0JnUUNuZEs4LzNITElJVkkyUWJBMApBY0x5Sjd1SW5ua3VMNGkrcmhvM1JvZ2hZNTRuTXJzdDRUNkdCVVhZT050akZsQ2hPQ3ZHWmlraWsxaHRkcCtMCjJhU05wRG9WV2JJVWl1bEFGZjA5NkNGWWsrNnpPU0FDQ0xHTy9NMjFnTEN5Njdia3VLRkFZMzZOa201ZUN3TTIKT2p2UC95TUJKNVdGS3kvWmc0QzVIRFI1akE9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
  managedFields:
  - apiVersion: v1
  name: tls-secret
type: kubernetes.io/tls

8.2 批改 kubernetes ingress controller 配置

增加 --default-ssl-certificate=default/tls-secret 参数,示意默认的证书应用 tls-secret 的内容:

......
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --default-ssl-certificate=default/tls-secret
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
......

再次拜访 foo.bar.com,这次就是应用咱们本人的证书作为默认证书了:

curl -kv https://foo.bar.com:31252  
                                                                                                               
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
#此时默认证书就改成咱们本人的
*  subject: CN=nginxsvc; O=nginxsvc
*  start date: Dec 19 04:08:07 2020 GMT
*  expire date: Dec 19 04:08:07 2021 GMT
*  issuer: CN=nginxsvc; O=nginxsvc
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd300010e00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:51:47 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<


Hostname: http-svc-6b7fcd49cc-xlx4d

Pod Information:
    node name:    containerd-worker1
    pod name:    http-svc-6b7fcd49cc-xlx4d
    pod namespace:    default
    pod IP:    7.7.69.5

Server values:
    server_version=nginx: 1.12.2 - lua: 10010

Request Information:
    client_address=7.7.22.4
    method=GET
    real path=/
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://foo.bar.com:8080/

Request Headers:
    accept=*/*
    host=foo.bar.com:31252
    user-agent=curl/7.64.1
    x-forwarded-for=192.168.1.111
    x-forwarded-host=foo.bar.com:31252
    x-forwarded-port=443
    x-forwarded-proto=https
    x-real-ip=192.168.1.111
    x-request-id=db4811e08800ad0c6320bad066e2f62c
    x-scheme=https

Request Body:
    -no body in request-

* Connection #0 to host foo.bar.com left intact
* Closing connection 0

9.ingress-nginx kubectl plugin 插件

K8s 社区的 Ingress 的因为这个 Ingress 的实现并不是间接在配置文件中写入 upstream, 所以咱们在调试时, 没法间接 cat 出文件,能够通过 ingress- 插件来读取 Ingress 配置:
参考网址:https://kubernetes.github.io/…

常用命令

# 获取 kubernetes ingress controller 后端服务器信息 
kubectl ingress-nginx backends
# --list 只列出 upstream 的名字
kubectl ingress-nginx backends --list
# 获取 cr7.example.com 的 nginx 配置文件
kubectl ingress-nginx conf --host cr7.example.com
#获取 ingress 信息
kubectl ingress-nginx ingresses                 
INGRESS NAME   HOST+PATH          ADDRESSES   TLS   SERVICE     SERVICE PORT   ENDPOINTS
nginx-test     foo.bar.com/                   NO    http-svc    80             1
nginx-test     cr7.example.com/               YES   nginx-svc   80             1
#获取 cr7.example.com 域名的证书信息
kubectl ingress-nginx certs --host cr7.example.com  

获取证书信息例子

通过 ingress-nginx kubectl plugin 来获取域名所对应的证书

kubectl ingress-nginx certs --host cr7.example.com    

-----BEGIN CERTIFICATE-----
MIIC9jCCApugAwIBAgIUErauO0ao2H0vLhcZPGCjjC9as2wwCgYIKoZIzj0EAwIw
SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDEyMTkxMjI1MDBaFw0yMTEy
MTkxMjI1MDBaME0xCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhTaGFuZ2hhaTERMA8G
A1UEBxMIU2hhbmdoYWkxGDAWBgNVBAMTD2NyNy5leGFtcGxlLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANb3Ju5hY/gWu1osXSKj1DmMYQzKvFFZ
d2gK3YUHpxnWJHHs/gHVwMBu4yswKVeHv8+Mt1quPGW2GXItviuLXRoA5FU7wIYI
28IuXZXbXePOQsXbTlVoHzmQWUahlky7i36go8lekJb26ca945NvprH7ZFzDI/aJ
HINMa42JNtrhtZjfUlO+xvF7QwOrj2CkS+DnviSVbTEksnvI8nFX6Kq4xlMs1Wv2
KpnxFkg6I3zcfTFQ25OO3wkZ8dJdp2yPuydyNSMj2daWXwN51x2MkT4VbGN0Uyeq
y1shgQE5tkunTJasM7NxJvCWqHQ1hyb8/f4Vo+RBYCVxSt9vDvzxbpECAwEAAaOB
kjCBjzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQUAv50fyjzOgtHNSANxNbRKTVwOuAwHwYDVR0jBBgw
FoAUORZuzO4bNpnTCQncDGjYp/sdQyAwGgYDVR0RBBMwEYIPY3I3LmV4YW1wbGUu
Y29tMAoGCCqGSM49BAMCA0kAMEYCIQDwZ+pSfD3yikvvULWe8TicdLK3UfIT3gg2
Mi97uc+2agIhANif3PoMM94P/xUAWXv0N0wyJBqbxBVOVnC4H0bwVdxU
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1vcm7mFj+Ba7WixdIqPUOYxhDMq8UVl3aArdhQenGdYkcez+
AdXAwG7jKzApV4e/z4y3Wq48ZbYZci2+K4tdGgDkVTvAhgjbwi5dldtd485CxdtO
VWgfOZBZRqGWTLuLfqCjyV6Qlvbpxr3jk2+msftkXMMj9okcg0xrjYk22uG1mN9S
U77G8XtDA6uPYKRL4Oe+JJVtMSSye8jycVfoqrjGUyzVa/YqmfEWSDojfNx9MVDb
k47fCRnx0l2nbI+7J3I1IyPZ1pZfA3nXHYyRPhVsY3RTJ6rLWyGBATm2S6dMlqwz
s3Em8JaodDWHJvz9/hWj5EFgJXFK328O/PFukQIDAQABAoIBADPvvs41ZYvZIibl
NRNbdbj5u7D1go49CWZvyZmMgcjyPhfwZGZZGJrlr6kNl894EtW4b8xO8HS6jGdT
ufCXWUUhFgmpyBgaJ85AmYfNWl/hw6w+Eiz8XR7xS0CPZdrgLRHJCglq+ZAf09ea
pVNH1ISH8nWfCB9WfTcTzaCCmGhFUst5Xd0o2UfekvIhHZ5GB20eQQUqWlAwZUpP
g8n2Tc9OS9V0YhTtn/LIOFTsmTDEaDQ21x7D2/K9AE9sJhadgkeC+o33tyhe1zZR
AwRFqSv5Cr6Q5Ba4En+0ZD4fs1VCU6j+tCPcNsv0Y1vfR5iNnoE2gsWeQfkcUNaL
cYeCY2ECgYEA42MZr/nxQzmJIqBFzmeofTqUuzZxUjdoc/2OIY6PIgknzcdqrSM1
0WUgH+kp5LMgBYXATOswNTprwu+UlaC1iYmIl3d6zfQIp35x3Ble2a90jGbEdekg
P2PP8vAYBD1b7jYRLlyTgJNmi2J3eE0GdDK+I2XlH2wwAdpg4odjX10CgYEA8gPo
eF7uv49VtOTNlky0tNPTUP9aiM92Het6c1kInB3D4X6ot4JYeQSRqfGwmFXR7Co0
s/Jm9kVmo95pp8nKE4dB5ARqt78lcRMDPO131sRNRrDdvNm3cOenX8lZB8L9lkOY
QQWBB8nAV0Tav4kB98lBg5iAzGxTAYMYMkvofMUCgYBIIgnmD03/22Krf1hlr/B9
OXYxJYYxZK5YDVlnP8gcLfdYiihHIGJUONZGCTtm94Py/IkSXZF/cTb6MfJavQ6Z
wO15z0c/ymhsaepIviuettAsMfWkyf2W3lz7XjrgLW7aVICCyo9oPFpNYUExAo5H
kklLBWn32+Qm0lXlxrk5aQKBgQCafu4vsYK+HRV8lje8BBmz+inDYk/8WFwx+3o/
Go5JgyLh18aC553tG4KVt6mhhd+t4L+mRE+AVYuRftF6AHKVBtqEYmFyDX8scRO3
GG1RWB1wzEWxYlcdp3SMzG+eadcSzvHqSEY3n46+50Cx1xe/g+XjyT4nwds3cuXG
bfjrdQKBgQCXyHwg7XSyoHz+sv5WhCUv/rvL5AYy4zv5qPPusGbpJi+GxsSdrzTQ
cPXmY6xxQEC7dO+QYD9KDfghVOxQ+Pjg3T9DV1CSCCiN3SR34Jy2X01eeTtvCxqU
bnZga6ChZj0xPV6UvY99hETH+qdx0aI2ZPRK7sL+mMo7cDdUNyDKgw==
-----END RSA PRIVATE KEY-----

查看 secret 验证,因为 secret 是 base64 加密的,所以须要先解密:
tls.crt 和 tls.key比拟特地,因为有一个 .,所以用\\ 来本义

# 获取服务器证书
❯ kubectl secrets cr7-secret -o jsonpath={.data.tls\\.crt} | base64 -d
-----BEGIN CERTIFICATE-----
MIIC9jCCApugAwIBAgIUErauO0ao2H0vLhcZPGCjjC9as2wwCgYIKoZIzj0EAwIw
SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDEyMTkxMjI1MDBaFw0yMTEy
MTkxMjI1MDBaME0xCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhTaGFuZ2hhaTERMA8G
A1UEBxMIU2hhbmdoYWkxGDAWBgNVBAMTD2NyNy5leGFtcGxlLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANb3Ju5hY/gWu1osXSKj1DmMYQzKvFFZ
d2gK3YUHpxnWJHHs/gHVwMBu4yswKVeHv8+Mt1quPGW2GXItviuLXRoA5FU7wIYI
28IuXZXbXePOQsXbTlVoHzmQWUahlky7i36go8lekJb26ca945NvprH7ZFzDI/aJ
HINMa42JNtrhtZjfUlO+xvF7QwOrj2CkS+DnviSVbTEksnvI8nFX6Kq4xlMs1Wv2
KpnxFkg6I3zcfTFQ25OO3wkZ8dJdp2yPuydyNSMj2daWXwN51x2MkT4VbGN0Uyeq
y1shgQE5tkunTJasM7NxJvCWqHQ1hyb8/f4Vo+RBYCVxSt9vDvzxbpECAwEAAaOB
kjCBjzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQUAv50fyjzOgtHNSANxNbRKTVwOuAwHwYDVR0jBBgw
FoAUORZuzO4bNpnTCQncDGjYp/sdQyAwGgYDVR0RBBMwEYIPY3I3LmV4YW1wbGUu
Y29tMAoGCCqGSM49BAMCA0kAMEYCIQDwZ+pSfD3yikvvULWe8TicdLK3UfIT3gg2
Mi97uc+2agIhANif3PoMM94P/xUAWXv0N0wyJBqbxBVOVnC4H0bwVdxU
-----END CERTIFICATE-----

#获取服务器私钥
❯ kubectl get  secrets cr7-secret -o jsonpath={.data.tls\\.key} | base64 -d

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1vcm7mFj+Ba7WixdIqPUOYxhDMq8UVl3aArdhQenGdYkcez+
AdXAwG7jKzApV4e/z4y3Wq48ZbYZci2+K4tdGgDkVTvAhgjbwi5dldtd485CxdtO
VWgfOZBZRqGWTLuLfqCjyV6Qlvbpxr3jk2+msftkXMMj9okcg0xrjYk22uG1mN9S
U77G8XtDA6uPYKRL4Oe+JJVtMSSye8jycVfoqrjGUyzVa/YqmfEWSDojfNx9MVDb
k47fCRnx0l2nbI+7J3I1IyPZ1pZfA3nXHYyRPhVsY3RTJ6rLWyGBATm2S6dMlqwz
s3Em8JaodDWHJvz9/hWj5EFgJXFK328O/PFukQIDAQABAoIBADPvvs41ZYvZIibl
NRNbdbj5u7D1go49CWZvyZmMgcjyPhfwZGZZGJrlr6kNl894EtW4b8xO8HS6jGdT
ufCXWUUhFgmpyBgaJ85AmYfNWl/hw6w+Eiz8XR7xS0CPZdrgLRHJCglq+ZAf09ea
pVNH1ISH8nWfCB9WfTcTzaCCmGhFUst5Xd0o2UfekvIhHZ5GB20eQQUqWlAwZUpP
g8n2Tc9OS9V0YhTtn/LIOFTsmTDEaDQ21x7D2/K9AE9sJhadgkeC+o33tyhe1zZR
AwRFqSv5Cr6Q5Ba4En+0ZD4fs1VCU6j+tCPcNsv0Y1vfR5iNnoE2gsWeQfkcUNaL
cYeCY2ECgYEA42MZr/nxQzmJIqBFzmeofTqUuzZxUjdoc/2OIY6PIgknzcdqrSM1
0WUgH+kp5LMgBYXATOswNTprwu+UlaC1iYmIl3d6zfQIp35x3Ble2a90jGbEdekg
P2PP8vAYBD1b7jYRLlyTgJNmi2J3eE0GdDK+I2XlH2wwAdpg4odjX10CgYEA8gPo
eF7uv49VtOTNlky0tNPTUP9aiM92Het6c1kInB3D4X6ot4JYeQSRqfGwmFXR7Co0
s/Jm9kVmo95pp8nKE4dB5ARqt78lcRMDPO131sRNRrDdvNm3cOenX8lZB8L9lkOY
QQWBB8nAV0Tav4kB98lBg5iAzGxTAYMYMkvofMUCgYBIIgnmD03/22Krf1hlr/B9
OXYxJYYxZK5YDVlnP8gcLfdYiihHIGJUONZGCTtm94Py/IkSXZF/cTb6MfJavQ6Z
wO15z0c/ymhsaepIviuettAsMfWkyf2W3lz7XjrgLW7aVICCyo9oPFpNYUExAo5H
kklLBWn32+Qm0lXlxrk5aQKBgQCafu4vsYK+HRV8lje8BBmz+inDYk/8WFwx+3o/
Go5JgyLh18aC553tG4KVt6mhhd+t4L+mRE+AVYuRftF6AHKVBtqEYmFyDX8scRO3
GG1RWB1wzEWxYlcdp3SMzG+eadcSzvHqSEY3n46+50Cx1xe/g+XjyT4nwds3cuXG
bfjrdQKBgQCXyHwg7XSyoHz+sv5WhCUv/rvL5AYy4zv5qPPusGbpJi+GxsSdrzTQ
cPXmY6xxQEC7dO+QYD9KDfghVOxQ+Pjg3T9DV1CSCCiN3SR34Jy2X01eeTtvCxqU
bnZga6ChZj0xPV6UvY99hETH+qdx0aI2ZPRK7sL+mMo7cDdUNyDKgw==
-----END RSA PRIVATE KEY-----

如果是 foo.bar.com 则回返回默认的证书信息。

欢送关注

退出移动版