How to generate a Kubernetes user account token based on an Alibaba Cloud free SSL certificate

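  Some time ago, in the article "How to build a kubernetes dashboard system step by step", we described how to generate a User account token in Kubernetes based on a manually created SSL certificate. With that setup, however, most browsers warn that the service site is not secure, because browsers generally do not trust certificates signed by a personal CA. Is there a way to change this? Yes. We can have the site's certificate signed by a well-known CA, and then generate the Kubernetes User account token based on that certificate.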

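  Since Alibaba Cloud lets you apply for a free digital certificate that is valid for one year, today we will use the free Alibaba Cloud SSL certificate to generate the User account token in Kubernetes.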

[Screenshots of the free certificate application steps]
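Follow the series of screenshots above to complete the application for the free certificate. Download it as shown in the last screenshot and extract it into the directory ~/.tmp.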

lwk@qwfys:~$ ll ~/.tmp/
total 20
drwxr-xr-x  5 lwk lwk 4096 Jun  3 09:52 ./
drwxr-xr-x 53 lwk lwk 4096 Jun  2 09:32 ../
drwxr-xr-x  2 lwk lwk 4096 Jun  2 13:59 3123459_k8s.qwfys.com_nginx/
drwxr-xr-x  2 lwk lwk 4096 Jun  2 09:53 3723459_k8s.qwfys.com_nginx/
drwxr-xr-x  2 lwk lwk 4096 Jun  3 09:52 4007298_k8s.qwfys.com_nginx/
lwk@qwfys:~$ ll ~/.tmp/4007298_k8s.qwfys.com_nginx/
total 16
drwxr-xr-x 2 lwk lwk 4096 Jun  3 09:52 ./
drwxr-xr-x 5 lwk lwk 4096 Jun  3 09:52 ../
-rw-rw-r-- 1 lwk lwk 1679 Jun  3 09:51 4007298_k8s.qwfys.com.key
-rw-rw-r-- 1 lwk lwk 3651 Jun  3 09:51 4007298_k8s.qwfys.com.pem
lwk@qwfys:~$ cat ~/.tmp/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.key 
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
lwk@qwfys:~$ cat ~/.tmp/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.pem 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
lwk@qwfys:~$ 

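Comparing this with my earlier article "How to manually generate ssl certificate for own site in Linux", we find that the file with the .pem extension here is in fact the same as the crt file I introduced there; only the file extension differs. That being the case, we will now pick up where the article "How to build a kubernetes dashboard system step by step" left off and continue with how to generate the user account token we want.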

lwk@qwfys:~$ scp -r ~/.tmp/4007298_k8s.qwfys.com_nginx [email protected]:/root/.tmp/ssl/
4007298_k8s.qwfys.com.pem                                                                                                                                                                                   100% 3651     1.9MB/s   00:00    
4007298_k8s.qwfys.com.key                                                                                                                                                                                   100% 1679     1.2MB/s   00:00    
lwk@qwfys:~$ 
[root@xtwj89 ~]# ll ~/.tmp/ssl/
total 4
drwxr-xr-x 3 root root   41 Jun  3 10:14 .
drwxr-xr-x 5 root root 4096 Jun  3 10:12 ..
drwxr-xr-x 2 root root   72 Jun  3 10:14 4007298_k8s.qwfys.com_nginx
[root@xtwj89 ~]#

Delete the existing certificate secret

[root@xtwj89 ~]# kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard

Create the new certificate secret

[root@xtwj89 ~]# kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/.tmp/ssl/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.key --from-file=$HOME/.tmp/ssl/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.pem -n kubernetes-dashboard
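
Before the secret is created, it is worth confirming that the downloaded key belongs to the first certificate in the .pem bundle, that the certificate has not expired, and that the key file (listed above as -rw-rw-r--) is accessible only to its owner. The script below is an added example, not part of the original article; the function name check_tls_pair is hypothetical, and it assumes openssl is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): pre-flight checks on a
# downloaded key/certificate pair. check_tls_pair is a hypothetical helper.
# Usage: check_tls_pair KEY_FILE PEM_BUNDLE  (returns 0 only if all checks pass)
check_tls_pair() {
    local key=$1 pem=$2 count key_pub cert_pub

    if [ ! -r "$key" ] || [ ! -r "$pem" ]; then
        echo "cannot read $key or $pem" >&2
        return 2
    fi

    # The bundle holds the site certificate first, then any CA chain certificates.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem") || {
        echo "no certificate found in $pem" >&2
        return 1
    }
    echo "certificates in bundle: $count"

    # Derive the public key from the private key and from the first
    # certificate in the bundle; the two must be identical.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key $key" >&2
        return 1
    }
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate $pem" >&2
        return 1
    }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not match the certificate" >&2
        return 1
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2
        return 1
    fi

    # Restrict the private key to its owner.
    chmod 600 "$key"
}

# Run the checks when the script is called with a key and a bundle.
if [ "$#" -eq 2 ]; then
    check_tls_pair "$@"
fi
```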
