我的 kubernetes 入口不接受自簽名證書,而是在 Firefox 上打開 url 時添加了Kubernetes 入口控制器假證書。
在 Kali Linus 中使用 minikube 在 pc 上本地完成所有事情。Kali linus 通過 VMWare 軟體在虛擬機中運行。我指的檔案是 - https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
Ingress Yaml 檔案。
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: first-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- secretName: myssl
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: first-service
port:
number: 8080
“192.168.49.2”是入口 IP 地址。所以https://192.68.49.2在瀏覽器上打開我的應用程式。
證書是使用 Openssl 使用以下命令生成的:
openssl genrsa -out s.key 2048
openssl req -new -key s.key -out s.csr -subj "/CN=example.com"
openssl x509 -req -days 365 -in s.csr -signkey s.key -out s.crt
證書被添加到 k8s secret 中。
kubectl create secret tls myssl --cert s.crt --key s.key
curl -kv https://192.168.49.2命令輸出為:
* Trying 192.168.49.2:443...
* Connected to 192.168.49.2 (192.168.49.2) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* start date: Oct 22 09:57:19 2022 GMT
* expire date: Oct 22 09:57:19 2023 GMT
* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: 192.168.49.2]
* h2h3 [user-agent: curl/7.85.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x561c242ff950)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: 192.168.49.2
> user-agent: curl/7.85.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< date: Sat, 22 Oct 2022 10:05:50 GMT
< content-type: text/html; charset=utf-8
..... html of the page
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host 192.168.49.2 left intact
請幫忙。
2天后更新:
我除錯并發現我已經使用以下命令安裝了 nginx 入口:
minikube addons enable ingress
它在命名空間中安裝入口,ingress-nginx而我的秘密在default命名空間中。這可能是問題,如果是這樣,解決方案是什么?
uj5u.com熱心網友回復:
您的入口清單中有一個錯誤,這里:
rules:
- host: example.com
- http:
paths:
您創建了兩個規則,第一個匹配host: example.com但未定義路徑或后端;第二個匹配路徑/但不設定 a host。你要:
rules:
- host: example.com
http:
paths:
它將入口安裝在 ingress-nginx 命名空間中,而我的秘密位于默認命名空間中。這可能是問題,如果是這樣,解決方案是什么?
這不是問題:這是預期的配置。您的 SSL 機密應安裝在與您的應用程式和 Ingress 相同的命名空間中。
在過去的幾天里,我一直在玩這個,我不確定你是否可以在不使用主機名的情況下讓它按照你想要的方式運行。幸運的是,設定在本地開發期間使用的主機名相對簡單。
在大多數情況下,您可以編輯您的/etc/hosts檔案。例如,如果您的應用程式托管在 192.168.49.2 上,那么您將添加這樣的條目/etc/hosts來訪問您的應用程式https://example.com:
192.168.49.2 example.com
您可以添加多個主機名別名,這允許您在集群上使用多個基于主機名的 Ingress 資源:
192.168.49.2 example.com myapp.internal anotherapp.dev
當您使用 進行測驗時curl,您可以使用該--resolve選項來完成同樣的事情:
curl --resolve example.com:443:192.168.49.2 -kv https://example.com
例如,如果我在本地集群上部署以下 Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami
spec:
tls:
- secretName: myssl
hosts:
- example.com
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
name: http
使用以下條目/etc/hosts:
$ grep example.com /etc/hosts
193.168.1.200 example.com
運行curl -skv https://example.com顯示入口正在使用我的自定義證書而不是默認入口證書:
[...]
* Server certificate:
* subject: CN=example.com
* start date: Oct 23 12:52:45 2022 GMT
* expire date: Oct 23 12:52:45 2023 GMT
* issuer: CN=example.com
[...]
轉載請註明出處,本文鏈接:https://www.uj5u.com/caozuo/522359.html
上一篇:對數-線性值轉換