1. Install cfssl

CFSSL is CloudFlare's open-source PKI/TLS toolkit. It consists of a command-line tool and an HTTP API server for signing, verifying and bundling TLS certificates, and is written in Go.
Download:
https://pkg.cfssl.org/R1.2/cf...
https://pkg.cfssl.org/R1.2/cf...

2. Create the CA certificate

# The generated JSON is kept as the default
cfssl print-defaults config > ca-config.json

ca-config.json:
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
The "www" profile is the one referenced by --profile when the server certificate is generated below. The notes are kept outside the file because cfssl parses strict JSON and a comment inside it would break the parse.

# The generated JSON is kept as the default
cfssl print-defaults csr > ca-csr.json

ca-csr.json:
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
The hosts here do not matter for the CA.

# Generate the CA; this produces ca.csr, ca.pem and ca-key.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Field name                  | Field value
----------------------------|------------------------------------------------------------
Common Name (CN)            | For an SSL certificate, usually the website domain name; for a code-signing certificate, the applicant organization's name; for a client certificate, the applicant's name
Organization Name (O)       | For an SSL certificate, usually the website domain name; for a code-signing certificate, the applicant organization's name; for a client organization certificate, the name of the organization the applicant belongs to
Locality (L)                | City
State/Province (ST)         | Province or state
Country (C)                 | Two-letter country code only, e.g. China: CN

3. Create the server certificate

cr7-csr.json:
{
    "CN": "cr7.example.com",
    "hosts": [
        "cr7.example.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai"
        }
    ]
}
The hosts here matter: they must be identical to the hosts defined in the Ingress below, because the controller only loads this SSL certificate dynamically when a client requests one of these hosts. (The note is kept outside the file because cfssl parses strict JSON.)
  • -ca: the CA certificate
  • -ca-key: the CA private key file
  • -config: the JSON configuration used for signing
  • -profile: the profile name from -config; the certificate's attributes are generated from that profile section
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile www cr7-csr.json | cfssljson -bare cr7
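A check worth running before `cfssl gencert`, as an added example that is not code from the page or from cfssl: it resolves a `--profile` name against the ca-config.json above and reports a missing extended key usage or an over-long lifetime. The ca-config.json is embedded as constructed data (comments dropped); the fallback to the "default" profile when a name does not exist is cfssl's behaviour, while inheriting the default expiry is this example's simplification, and the 398-day bound is the limit browsers apply to publicly trusted leaf certificates.

```python
import json
import re
from datetime import timedelta

# Constructed copy of the ca-config.json generated above, with the inline
# comments removed: cfssl parses strict JSON, so a '#' comment in the file
# would make 'cfssl gencert' fail.
CA_CONFIG = json.loads("""
{
    "signing": {
        "default": {"expiry": "168h"},
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": ["signing", "key encipherment", "server auth"]
            },
            "client": {
                "expiry": "8760h",
                "usages": ["signing", "key encipherment", "client auth"]
            }
        }
    }
}
""")

_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text: str) -> timedelta:
    """Parse the Go-style duration strings cfssl accepts ('8760h', '1h30m')."""
    pos, seconds = 0, 0.0
    for m in re.finditer(r"(\d+(?:\.\d+)?)([hms])", text):
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        seconds += float(m.group(1)) * _SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=seconds)


def resolve_profile(config: dict, name: str) -> dict:
    """A --profile that does not exist falls back to 'default' (cfssl's own
    behaviour). Inheriting the default expiry is this example's assumption."""
    signing = config["signing"]
    default = signing.get("default", {})
    profile = dict(signing.get("profiles", {}).get(name, default))
    profile.setdefault("expiry", default.get("expiry"))
    return profile


def check_profile(config: dict, name: str, required_usage: str, max_days: int = 398) -> list:
    """Findings to raise before signing with --profile <name>: the usage the
    certificate is meant for must be present, and a lifetime above max_days
    (398 is the browser limit for publicly trusted leaf certificates) is flagged."""
    prof = resolve_profile(config, name)
    findings = []
    usages = set(prof.get("usages", []))
    if required_usage not in usages:
        findings.append(f"profile {name!r} resolves to usages {sorted(usages)}; missing {required_usage!r}")
    if prof.get("expiry") is None:
        findings.append(f"profile {name!r} has no expiry")
    else:
        days = parse_duration(prof["expiry"]).days
        if days > max_days:
            findings.append(f"profile {name!r} expiry {days}d exceeds {max_days}d")
    return findings


if __name__ == "__main__":
    # A typo in the profile name silently falls through to 'default',
    # which carries no usages at all: exactly what the check should catch.
    for name, usage in (("www", "server auth"), ("client", "client auth"), ("wwww", "server auth")):
        print(name, check_profile(CA_CONFIG, name, usage) or "ok")
```

Running it shows "www" and "client" pass while the misspelled "wwww" resolves to the default profile and is reported for lacking "server auth".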

4. Create a Secret from the server certificate

Create the Secret from the server's private key and certificate:

[root@containerd-master1 cert]# kubectl create secret tls cr7-secret --cert=cr7.pem --key=cr7-key.pem
secret/cr7-secret created

5. Install the Kubernetes ingress controller

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx

6. Create the Ingress

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-test
spec:
  tls:
    - hosts:
        - cr7.example.com   # must be identical to the hosts in cr7-csr.json
          # This assumes cr7-secret exists and the SSL
          # certificate contains a CN for cr7.example.com
      secretName: cr7-secret   # the Secret created from the server certificate
  rules:
    - host: foo.bar.com   # does not load the server certificate created above
      http:
        paths:
        - path: /
          backend:
            serviceName: http-svc
            servicePort: 80
    - host: cr7.example.com   # loads the server certificate created above
      http:
        paths:
        - path: /
          backend:
            serviceName: nginx-svc
            servicePort: 80
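The host matching that decides which certificate the controller presents for a given SNI name, as an added example that is not code from the page or from ingress-nginx. The cr7-csr.json and the Ingress above are embedded as constructed Python data rather than parsed from YAML; the single-label wildcard rule (`*.example.com`) goes beyond the page, which uses exact hostnames only, and follows RFC 6125 certificate name matching as an assumption; the lint function reports the foo.bar.com case that the access test in the next section demonstrates.

```python
import json
from typing import Optional

# Constructed inputs: the cr7-csr.json and the Ingress from this walkthrough,
# embedded as Python data (no YAML parser assumed). The "//" comment inside
# the page's cr7-csr.json is dropped because cfssl reads strict JSON.
CR7_CSR = json.loads("""
{
    "CN": "cr7.example.com",
    "hosts": ["cr7.example.com"],
    "key": {"algo": "rsa", "size": 2048},
    "names": [{"C": "CN", "L": "Shanghai", "ST": "Shanghai"}]
}
""")

INGRESS = {
    "metadata": {"name": "nginx-test", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["cr7.example.com"], "secretName": "cr7-secret"}],
        "rules": [
            {"host": "foo.bar.com", "service": "http-svc"},
            {"host": "cr7.example.com", "service": "nginx-svc"},
        ],
    },
}

# CN of the self-signed certificate ingress-nginx serves when nothing matches
FAKE_DEFAULT = "Kubernetes Ingress Controller Fake Certificate"


def host_matches(pattern: str, name: str) -> bool:
    """Exact match, or a single-label wildcard as in RFC 6125: '*.example.com'
    covers 'a.example.com' but not 'b.a.example.com' or 'example.com'.
    (Wildcard support is this example's assumption; the page uses exact names.)"""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.com"
        prefix = name[: -len(suffix)]        # the part the '*' has to cover
        return name.endswith(suffix) and prefix != "" and "." not in prefix
    return False


def select_secret(ingress: dict, sni: str, default_secret: Optional[str] = None) -> str:
    """Which certificate the controller presents for an SNI name: the secret of
    the first tls entry whose hosts cover it, else --default-ssl-certificate,
    else the controller's built-in fake certificate."""
    ns = ingress["metadata"]["namespace"]
    for entry in ingress["spec"].get("tls", []):
        if any(host_matches(h, sni) for h in entry.get("hosts", [])):
            return f"{ns}/{entry['secretName']}"
    return default_secret or FAKE_DEFAULT


def lint_tls_hosts(ingress: dict, csr: dict) -> list:
    """Pre-deployment checks: every tls host must be covered by the CSR's hosts
    (the certificate's SAN list), and every rule host without a tls entry is
    reported because it will be served with the default certificate."""
    findings = []
    san = csr.get("hosts", [])
    tls_hosts = [h for e in ingress["spec"].get("tls", []) for h in e.get("hosts", [])]
    for h in tls_hosts:
        if not any(host_matches(s, h) for s in san):
            findings.append(f"tls host {h} is not covered by certificate hosts {san}")
    for rule in ingress["spec"].get("rules", []):
        h = rule.get("host")
        if h and not any(host_matches(t, h) for t in tls_hosts):
            findings.append(f"rule host {h} has no tls entry; the default certificate will be served")
    return findings


if __name__ == "__main__":
    for sni in ("cr7.example.com", "foo.bar.com"):
        print(sni, "->", select_secret(INGRESS, sni))
    print(lint_tls_hosts(INGRESS, CR7_CSR))
```

With the Ingress above, cr7.example.com resolves to default/cr7-secret and foo.bar.com to the controller's fake certificate; passing a default_secret of "default/tls-secret" reproduces the outcome of section 8.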

7. Access test

When the requested host is cr7.example.com, which satisfies both the hosts in the Ingress and the hosts in cr7-csr.json, the Kubernetes ingress controller loads the SSL certificate dynamically:

# 31252 is the NodePort that exposes the ingress controller
curl -kv https://cr7.example.com:31252
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to cr7.example.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:   # the server presents our own certificate
*  subject: C=CN; ST=Shanghai; L=Shanghai; CN=cr7.example.com
*  start date: Dec 19 12:25:00 2020 GMT
*  expire date: Dec 19 12:25:00 2021 GMT
*  issuer: C=US; ST=San Francisco; L=CA; CN=example.net
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f963100dc00)
> GET / HTTP/2
> Host: cr7.example.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:37:39 GMT
< content-type: text/html
< content-length: 612
< last-modified: Tue, 15 Dec 2020 13:59:38 GMT
< etag: "5fd8c14a-264"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host cr7.example.com left intact
* Closing connection 0

But when a different domain that does not satisfy the condition is requested, the nginx ingress controller's default certificate is used:

curl -kv https://foo.bar.com:31252
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:   # the Kubernetes ingress controller's default certificate is used
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Dec 19 12:39:47 2020 GMT
*  expire date: Dec 19 12:39:47 2021 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f99fb80dc00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:40:03 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<
Hostname: http-svc-6b7fcd49cc-xlx4d

Pod Information:
    node name:    containerd-worker1
    pod name:    http-svc-6b7fcd49cc-xlx4d
    pod namespace:    default
    pod IP:    7.7.69.5

Server values:
    server_version=nginx: 1.12.2 - lua: 10010

Request Information:
    client_address=7.7.69.6
    method=GET
    real path=/
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://foo.bar.com:8080/

Request Headers:
    accept=*/*
    host=foo.bar.com:31252
    user-agent=curl/7.64.1
    x-forwarded-for=192.168.1.111
    x-forwarded-host=foo.bar.com:31252
    x-forwarded-port=443
    x-forwarded-proto=https
    x-real-ip=192.168.1.111
    x-request-id=3780eb8ddd12bc150d3a6a2a5c967f7e
    x-scheme=https

Request Body:
    -no body in request-
* Connection #0 to host foo.bar.com left intact
* Closing connection 0
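Reading the two curl runs above by eye is fine once; a check that can be repeated after every Ingress or controller change is better. The following is an added example, not code from the page or from curl: it parses the "Server certificate" block out of `curl -v` output and reports whether the served certificate is the controller's fake default, self-signed, expired, or unverified. The two samples are the certificate blocks copied from the runs above; the date format is the one curl prints for OpenSSL's ASN1 times.

```python
from datetime import datetime, timezone

# Constructed samples: the "Server certificate" blocks copied from the two
# curl -kv runs above (our own certificate, then the controller's default).
SAMPLE_CR7 = """\
* Server certificate:
*  subject: C=CN; ST=Shanghai; L=Shanghai; CN=cr7.example.com
*  start date: Dec 19 12:25:00 2020 GMT
*  expire date: Dec 19 12:25:00 2021 GMT
*  issuer: C=US; ST=San Francisco; L=CA; CN=example.net
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
"""

SAMPLE_FAKE = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Dec 19 12:39:47 2020 GMT
*  expire date: Dec 19 12:39:47 2021 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
"""

FAKE_CN = "Kubernetes Ingress Controller Fake Certificate"
DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # curl prints OpenSSL's ASN1_TIME format


def parse_dn(dn: str) -> dict:
    """'C=CN; ST=Shanghai; CN=x' -> {'C': 'CN', 'ST': 'Shanghai', 'CN': 'x'}"""
    fields = {}
    for part in dn.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_server_certificate(verbose: str) -> dict:
    """Extract the '* Server certificate:' block from curl -v output. Block lines
    start with '*  ' (two spaces); the next '* ' line ends the block."""
    info, in_block = {}, False
    for line in verbose.splitlines():
        if line.startswith("* Server certificate:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("*  "):
            break
        key, _, value = line[3:].partition(":")
        key, value = key.strip(), value.strip()
        if key in ("subject", "issuer"):
            info[key] = parse_dn(value)
        elif key in ("start date", "expire date"):
            info[key] = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
        elif key.startswith("SSL certificate verify"):
            # without -k a trusted chain prints 'SSL certificate verify ok.' (no colon)
            info["verify"] = "ok" if "verify ok" in key else value
    return info


def assess(verbose: str, now) -> dict:
    """What a reviewer wants from the access test: which CN was served and
    whether it is the controller's fake default, self-signed, expired or
    unverified. `now` is a datetime or an ISO date string (treated as UTC)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    cert = parse_server_certificate(verbose)
    cn = cert.get("subject", {}).get("CN", "")
    return {
        "cn": cn,
        "fake_default": cn == FAKE_CN,
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "expired": now > cert["expire date"],
        "verified": cert.get("verify") == "ok",
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, sample in (("cr7.example.com", SAMPLE_CR7), ("foo.bar.com", SAMPLE_FAKE)):
        print(name, assess(sample, now))
```

Piping a live run through it (`curl -kv https://host:31252 2>&1 | python3 check.py`, reading stdin instead of the samples) turns the page's manual comparison into a test that fails when a host silently falls back to the fake certificate.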

8. Change the default certificate

8.1 Create the Secret

Create the server certificate and private key the same way as above, then create the Secret:

apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJBQ0NRQzFOUllWRHhIREJ6QU5CZ2txaGtpRzl3MEJBUXNGQURBbU1SRXdEd1lEVlFRRERBaHUKWjJsdWVITjJZekVSTUE4R0ExVUVDZ3dJYm1kcGJuaHpkbU13SGhjTk1qQXhNakU1TURRd09EQTNXaGNOTWpFeApNakU1TURRd09EQTNXakFtTVJFd0R3WURWUVFEREFodVoybHVlSE4yWXpFUk1BOEdBMVVFQ2d3SWJtZHBibmh6CmRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFETXpkdlJQUVNQWXJ5WTBPSUYKczlNZ0ZSSm1icHJmSWRVZEZIT0YxT1R5UTBPVDVxRnk4RUVGTlV3S2wwTlVJNzd4SG5hRWYwNFhXVFM0Q09lcAp5bUlWTWVFUXlwQk9MdUd1bXlXUy9BejlxR1BYQ2xzN0NNcHpFbmpuMXllNUpQaTJzTHBVL2xGdGViMS8zUXJXCkJFMFRQczQ2c1U3RVNvZlc4cll4dDk1WDFaOVBiakZ4dUZETkxTTzc5N3RkR3BnK09BdFFETXRpUDJjWDdpdS8KVm4rNzQwTHRlM1BUa2ZOT2Y1aWkyTVJld2tlVTlLYnpGdmVMZFdIZ01vS3hXVjY3WTNUWmx2eXVXVlNhd0s3SgptbDNkYTFweTNOMkoyR2hjaFIySkF3QTdUdlEydlZzb284MHZEU1p6NE1wMm55Q1l2a0F1UzllWlc3TVVxRElXCjd4TGRBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDOVd0Q3JZY01FVEpwU2w2QmFFSVlpZEZKNnoKYW1CdmFnakpwQlpsSmRsOVBUTkxzSEVVZU9FS3Y1RTJ2SGhId21FQ25paDROLzI5MEtCTEw3TU5jcHhraGxsVQozM1FpcFluSVQzbS9rV0RrRXQwbkUva0YzZFVVZFNtcTRBYnpESjF1MjFOMDlLb0psR2tyUnJRcGhXN1I1UTBWCnFHN082RDhNNjBORlZlSFpyYjdjY0RKNVJXTjNuYXZDeXF3VWxlM2pHSEU3TmpCb29WdWd3TldEYW9ZWURkUnkKQ243WFREZ1FrUEdmSTdjM1E0b09lcVRWUVZhLzk5MS9oanJ5YWlDT29JWEZyNTBFV0hUWmtIU2xKV1BHR3JDSgpCSnJqVlIxWVAxTTlvVXc0NUlQQ25zSzRyeTRzMzBxSXQ5VHFHQ25TcGs1UFZ0ck1PWWVEZ2xTMXdPdz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: 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
kind: Secret
metadata:
  managedFields:
  - apiVersion: v1
  name: tls-secret
type: kubernetes.io/tls

8.2 Change the Kubernetes ingress controller configuration

Add the --default-ssl-certificate=default/tls-secret argument, which makes the default certificate come from the contents of tls-secret:

......
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --default-ssl-certificate=default/tls-secret
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
......

Access foo.bar.com again; this time our own certificate is used as the default certificate:

curl -kv https://foo.bar.com:31252
*   Trying 192.168.1.111...
* TCP_NODELAY set
* Connected to foo.bar.com (192.168.1.111) port 31252 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:   # the default certificate is now our own
*  subject: CN=nginxsvc; O=nginxsvc
*  start date: Dec 19 04:08:07 2020 GMT
*  expire date: Dec 19 04:08:07 2021 GMT
*  issuer: CN=nginxsvc; O=nginxsvc
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd300010e00)
> GET / HTTP/2
> Host: foo.bar.com:31252
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sat, 19 Dec 2020 12:51:47 GMT
< content-type: text/plain
< strict-transport-security: max-age=15724800; includeSubDomains
<
Hostname: http-svc-6b7fcd49cc-xlx4d

Pod Information:
    node name:    containerd-worker1
    pod name:    http-svc-6b7fcd49cc-xlx4d
    pod namespace:    default
    pod IP:    7.7.69.5

Server values:
    server_version=nginx: 1.12.2 - lua: 10010

Request Information:
    client_address=7.7.22.4
    method=GET
    real path=/
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://foo.bar.com:8080/

Request Headers:
    accept=*/*
    host=foo.bar.com:31252
    user-agent=curl/7.64.1
    x-forwarded-for=192.168.1.111
    x-forwarded-host=foo.bar.com:31252
    x-forwarded-port=443
    x-forwarded-proto=https
    x-real-ip=192.168.1.111
    x-request-id=db4811e08800ad0c6320bad066e2f62c
    x-scheme=https

Request Body:
    -no body in request-
* Connection #0 to host foo.bar.com left intact
* Closing connection 0

9. The ingress-nginx kubectl plugin

Because the community ingress-nginx implementation does not write upstreams directly into the nginx configuration file, you cannot simply cat the file when debugging; the ingress-nginx kubectl plugin can read the Ingress configuration instead:
Reference: https://kubernetes.github.io/...

Common commands

# Get the ingress controller's backend (upstream) information
kubectl ingress-nginx backends
# --list only lists the upstream names
kubectl ingress-nginx backends --list
# Get the nginx configuration for cr7.example.com
kubectl ingress-nginx conf --host cr7.example.com
# Get Ingress information
kubectl ingress-nginx ingresses
INGRESS NAME   HOST+PATH          ADDRESSES   TLS   SERVICE     SERVICE PORT   ENDPOINTS
nginx-test     foo.bar.com/                   NO    http-svc    80             1
nginx-test     cr7.example.com/               YES   nginx-svc   80             1
# Get the certificate for the cr7.example.com domain
kubectl ingress-nginx certs --host cr7.example.com

Example: getting certificate information

Get the certificate for a domain through the ingress-nginx kubectl plugin:

kubectl ingress-nginx certs --host cr7.example.com
-----BEGIN CERTIFICATE-----
MIIC9jCCApugAwIBAgIUErauO0ao2H0vLhcZPGCjjC9as2wwCgYIKoZIzj0EAwIwSDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcTAkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDEyMTkxMjI1MDBaFw0yMTEyMTkxMjI1MDBaME0xCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhTaGFuZ2hhaTERMA8GA1UEBxMIU2hhbmdoYWkxGDAWBgNVBAMTD2NyNy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANb3Ju5hY/gWu1osXSKj1DmMYQzKvFFZd2gK3YUHpxnWJHHs/gHVwMBu4yswKVeHv8+Mt1quPGW2GXItviuLXRoA5FU7wIYI28IuXZXbXePOQsXbTlVoHzmQWUahlky7i36go8lekJb26ca945NvprH7ZFzDI/aJHINMa42JNtrhtZjfUlO+xvF7QwOrj2CkS+DnviSVbTEksnvI8nFX6Kq4xlMs1Wv2KpnxFkg6I3zcfTFQ25OO3wkZ8dJdp2yPuydyNSMj2daWXwN51x2MkT4VbGN0Uyeqy1shgQE5tkunTJasM7NxJvCWqHQ1hyb8/f4Vo+RBYCVxSt9vDvzxbpECAwEAAaOBkjCBjzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUAv50fyjzOgtHNSANxNbRKTVwOuAwHwYDVR0jBBgwFoAUORZuzO4bNpnTCQncDGjYp/sdQyAwGgYDVR0RBBMwEYIPY3I3LmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDwZ+pSfD3yikvvULWe8TicdLK3UfIT3gg2Mi97uc+2agIhANif3PoMM94P/xUAWXv0N0wyJBqbxBVOVnC4H0bwVdxU
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
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
-----END RSA PRIVATE KEY-----

To verify against the Secret: its data is base64-encoded, so it must be decoded first.
tls.crt and tls.key need special handling because they contain a dot, so the dot is escaped with \\ in the jsonpath expression.

# Get the server certificate
❯ kubectl get secrets cr7-secret -o jsonpath={.data.tls\\.crt} | base64 -d
-----BEGIN CERTIFICATE-----
MIIC9jCCApugAwIBAgIUErauO0ao2H0vLhcZPGCjjC9as2wwCgYIKoZIzj0EAwIwSDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcTAkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDEyMTkxMjI1MDBaFw0yMTEyMTkxMjI1MDBaME0xCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhTaGFuZ2hhaTERMA8GA1UEBxMIU2hhbmdoYWkxGDAWBgNVBAMTD2NyNy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANb3Ju5hY/gWu1osXSKj1DmMYQzKvFFZd2gK3YUHpxnWJHHs/gHVwMBu4yswKVeHv8+Mt1quPGW2GXItviuLXRoA5FU7wIYI28IuXZXbXePOQsXbTlVoHzmQWUahlky7i36go8lekJb26ca945NvprH7ZFzDI/aJHINMa42JNtrhtZjfUlO+xvF7QwOrj2CkS+DnviSVbTEksnvI8nFX6Kq4xlMs1Wv2KpnxFkg6I3zcfTFQ25OO3wkZ8dJdp2yPuydyNSMj2daWXwN51x2MkT4VbGN0Uyeqy1shgQE5tkunTJasM7NxJvCWqHQ1hyb8/f4Vo+RBYCVxSt9vDvzxbpECAwEAAaOBkjCBjzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUAv50fyjzOgtHNSANxNbRKTVwOuAwHwYDVR0jBBgwFoAUORZuzO4bNpnTCQncDGjYp/sdQyAwGgYDVR0RBBMwEYIPY3I3LmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDwZ+pSfD3yikvvULWe8TicdLK3UfIT3gg2Mi97uc+2agIhANif3PoMM94P/xUAWXv0N0wyJBqbxBVOVnC4H0bwVdxU
-----END CERTIFICATE-----
# Get the server private key
❯ kubectl get secrets cr7-secret -o jsonpath={.data.tls\\.key} | base64 -d
-----BEGIN RSA PRIVATE KEY-----
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
-----END RSA PRIVATE KEY-----
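The escaped-dot handling that the jsonpath above relies on, as an added example that is not code from the page or from kubectl: it tokenises a `{.data.tls\.crt}` expression the way kubectl does (an unescaped dot separates keys, `\.` stays inside a key), walks the Secret document, and base64-decodes the field. The Secret is a constructed sample in the shape `kubectl get secret -o json` returns, with placeholder PEM text in place of the page's real certificate and key.

```python
import base64
import json
import re

# Constructed sample in the shape 'kubectl get secret cr7-secret -o json'
# returns; the real certificate and key from the page are replaced by
# placeholder PEM text before base64 encoding.
_PLACEHOLDER_CRT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
_PLACEHOLDER_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "cr7-secret", "namespace": "default"},
    "data": {
        "tls.crt": base64.b64encode(_PLACEHOLDER_CRT.encode()).decode(),
        "tls.key": base64.b64encode(_PLACEHOLDER_KEY.encode()).decode(),
    },
})
SECRET_DOC = json.loads(SECRET_JSON)


def split_path(expr: str) -> list:
    """Tokenise a jsonpath like '{.data.tls\\.crt}': '.' separates keys, but a
    backslash-escaped dot stays inside the key name (so 'tls.crt' is one key)."""
    expr = expr.strip()
    if expr.startswith("{") and expr.endswith("}"):
        expr = expr[1:-1]
    parts = re.split(r"(?<!\\)\.", expr)          # split on dots not preceded by '\'
    return [p.replace("\\.", ".") for p in parts if p]


def jsonpath_get(doc, expr: str):
    """Walk the document along the path; on a list the key is a numeric index.
    An unescaped 'tls.crt' looks up 'tls' and raises KeyError, which is the
    failure the page's \\\\. escaping avoids."""
    node = doc
    for key in split_path(expr):
        node = node[int(key)] if isinstance(node, list) else node[key]
    return node


def secret_field(secret_json: str, field: str) -> str:
    """Base64-decode one data entry. base64 is an encoding, not encryption:
    anyone permitted to read the Secret can read the private key, so access
    control on Secrets is what protects it, not the encoding."""
    raw = jsonpath_get(json.loads(secret_json), "{.data." + field.replace(".", "\\.") + "}")
    return base64.b64decode(raw).decode()


def check_tls_secret(secret_json: str) -> dict:
    """Sanity checks on a kubernetes.io/tls Secret that never print the key."""
    doc = json.loads(secret_json)
    crt = secret_field(secret_json, "tls.crt")
    key = secret_field(secret_json, "tls.key")
    return {
        "type_ok": doc.get("type") == "kubernetes.io/tls",
        "crt_ok": crt.startswith("-----BEGIN CERTIFICATE-----"),
        "key_ok": key.startswith("-----BEGIN ") and "PRIVATE KEY-----" in key.splitlines()[0],
    }


if __name__ == "__main__":
    print(split_path("{.data.tls\\.crt}"))      # ['data', 'tls.crt']
    print(check_tls_secret(SECRET_JSON))
```

Feeding it real output (`kubectl get secret cr7-secret -o json`) reproduces the page's `base64 -d` step; the check function is the form to use in scripts, since it confirms the Secret's type and PEM framing without echoing the private key to a terminal or a log.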

For foo.bar.com, the default certificate information is returned instead.
