- Create the CA certificate signing request file (the CN here is only a display name for the CA; it does not have to be a host name)
ca-csr.json
{
  "CN": "www.abc.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "yngwie",
      "OU": "ops"
    }
  ]
}
- Generate the CA certificate and private key. This writes ca.pem, ca-key.pem and ca.csr; ca-key.pem is the only thing that can issue further certificates, so keep it off the cluster and out of any Secret
../cfssl_1.4.1_linux_amd64 gencert -initca ca-csr.json | ../cfssljson_1.4.1_linux_amd64 -bare ca
- Create the website certificate signing request file (the "hosts" entries become the certificate's subjectAltName, which is what curl and browsers match the host name against)
csr.json
{
  "hosts": [
    "example.com",
    "www.example.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "Internet Widgets, Inc.",
      "OU": "WWW",
      "ST": "California"
    }
  ]
}
- Generate the website's private key and signing request; this writes server-key.pem and server.csr
../cfssl_1.4.1_linux_amd64 genkey csr.json | ../cfssljson_1.4.1_linux_amd64 -bare server
- Sign the website certificate with the CA; this writes server.pem, the signed certificate (the public part that goes into the Secret next to server-key.pem). With no -config/-profile given, cfssl's default signing profile applies (one-year expiry, server and client auth) and the SANs are taken from the "hosts" list of the CSR, so the certificate is valid for example.com and www.example.com only; -hostname on the sign command would override that list
../cfssl_1.4.1_linux_amd64 sign -ca=ca.pem -ca-key=ca-key.pem -csr=server.csr | ../cfssljson_1.4.1_linux_amd64 -bare server
- Create the Secret holding the website certificate and its private key (only these two files; ca-key.pem must not go in). The file names become the keys of the Secret, which is why the nginx paths below end in server.pem and server-key.pem; kubectl create secret tls https --cert=server.pem --key=server-key.pem would also work but stores them as tls.crt and tls.key, so the nginx paths would have to change to match
kubectl create secret generic https --from-file=server.pem --from-file=server-key.pem
- Create the nginx HTTPS configuration. The certificate paths are relative to nginx's prefix directory (/etc/nginx in the official image), so they resolve to the Secret mount of the Pod below. Port 80 is kept open here, so the same content is still served over plain HTTP. ssl_protocols originally also listed TLSv1 and TLSv1.1, which are deprecated; nginx 1.7.9 does not know the TLSv1.3 token, so TLSv1.2 is the only protocol worth enabling with this image
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx
data:
  my-nginx-config.conf: |
    server {
      listen 80;
      listen 443 ssl;
      server_name www.example.com;
      ssl_certificate certs/server.pem;
      ssl_certificate_key certs/server-key.pem;
      ssl_protocols TLSv1.2;
      ssl_ciphers HIGH:!aNULL:!MD5;
      location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
      }
    }
- Create a Pod that mounts the Secret and the ConfigMap. Mounting the ConfigMap over /etc/nginx/conf.d hides the image's default.conf, so https.conf is the only server block nginx loads; the Secret volume appears as /etc/nginx/certs/server.pem and /etc/nginx/certs/server-key.pem. Both mounts are read-only, and the private key is still only as protected as the Secret object itself (RBAC on it, and encryption at rest in etcd if the cluster has it enabled). nginx:1.7.9 is the page's image; it is an old release, and a current tag should be used outside of this exercise
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: web-server
    image: nginx:1.7.9
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: config
      mountPath: /etc/nginx/conf.d
      readOnly: true
    - name: certs
      mountPath: /etc/nginx/certs/
      readOnly: true
    ports:
    - containerPort: 80
    - containerPort: 443
  volumes:
  - name: config
    configMap:
      name: nginx
      items:
      - key: my-nginx-config.conf
        path: https.conf
  - name: certs
    secret:
      secretName: https
- Port-forward (local port 8443 to the Pod's 443)
kubectl port-forward nginx 8443:443
- Request without verifying the certificate (-k skips verification, so this only shows that TLS is up, not that the right certificate is being served)
curl -k -v https://localhost:8443
- Request with certificate verification: first point the certificate's host name at this machine in the hosts file
/etc/hosts
127.0.0.1 www.example.com
then request, trusting only our CA and using the forwarded port (without :8443 curl would try port 443 on the local machine, where nothing is listening)
curl --cacert ca.pem https://www.example.com:8443
Verification succeeds because www.example.com is in the certificate's SANs and the chain ends at ca.pem; https://localhost:8443 with --cacert would fail the host name check even though the CA is right. curl --resolve www.example.com:8443:127.0.0.1 --cacert ca.pem https://www.example.com:8443 does the same without editing /etc/hosts
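As an added example (not part of the original page and not cfssl's own code), the Go program below uses only the standard library's crypto/x509 to do in memory what the cfssl steps above do (a self-signed CA, then a leaf signed by it with the "hosts" list as SANs), and then runs the checks worth running on ca.pem, server.pem and server-key.pem before they are turned into the Secret: the chain and host name verification that the final curl --cacert request performs, that the private key really belongs to the certificate, and that the file is a leaf rather than the CA certificate (which catches --from-file=ca.pem --from-file=ca-key.pem passed to kubectl by mistake). The subject names reuse the page's values; the type and function names, and the 5-minute backdating of NotBefore, are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type Bundle struct { // the three PEM files the page hands to kubectl, built in memory here (constructed data)
	CAPEM   []byte // ca.pem
	CertPEM []byte // server.pem
	KeyPEM  []byte // server-key.pem
}

// NewBundle is our stand-in for "cfssl gencert -initca" then "cfssl sign": a self-signed CA
// and a leaf for hosts signed by it, reusing the page's subject names (not cfssl's own code).
func NewBundle(hosts []string) (*Bundle, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "www.abc.com", Organization: []string{"yngwie"}},
		NotBefore:             time.Now().Add(-5 * time.Minute), // backdated a little to tolerate clock skew
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // just produced above, so it parses
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hosts[0], Organization: []string{"Internet Widgets, Inc."}},
		NotBefore:    time.Now().Add(-5 * time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		DNSNames:     hosts, // the "hosts" list of csr.json becomes the SAN extension
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Bundle{
		CAPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(srvKey)}),
	}, nil
}

// Check does offline what "curl --cacert ca.pem https://host" does at the end of the page
// (chain to the CA, host name against the SANs, serverAuth EKU), plus two things curl cannot
// tell you: server-key.pem belongs to server.pem, and server.pem is a leaf, not the CA.
func Check(b *Bundle, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(b.CAPEM) {
		return fmt.Errorf("ca.pem: no certificate found")
	}
	cb, _ := pem.Decode(b.CertPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return fmt.Errorf("server.pem: not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return fmt.Errorf("server.pem: %w", err)
	}
	if cert.IsCA { // catches "--from-file=ca.pem --from-file=ca-key.pem" given to kubectl by mistake
		return fmt.Errorf("server.pem is a CA certificate; the CA and its key must stay out of the Secret")
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil { // KeyUsages defaults to serverAuth
		return fmt.Errorf("server.pem does not verify for %s: %w", host, err)
	}
	kb, _ := pem.Decode(b.KeyPEM)
	if kb == nil || kb.Type != "RSA PRIVATE KEY" { // cfssl genkey writes RSA keys in PKCS#1 form
		return fmt.Errorf("server-key.pem: not a PKCS#1 RSA private key")
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
		return fmt.Errorf("server-key.pem: %w", err)
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return fmt.Errorf("server-key.pem does not match the public key in server.pem")
	}
	return nil
}
```

To use it on the real files, read ca.pem, server.pem and server-key.pem into a Bundle with os.ReadFile and call Check(b, "www.example.com"); a nil result means the final curl step will pass, while "api.example.com" (not in the hosts list), a key from a different genkey run, or the CA certificate passed as server.pem each come back as a distinct error before anything reaches the cluster.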