My kubernetes ingress不接受自签名证书,而是在firefox上打开url时添加kubernetes ingress Controller Fake certificate。
所有的事情都是在电脑上用卡利林纳斯的minikube本地完成的。卡利linus是通过VMWare软件在虚拟机中运行的。医生我指的是-https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
Ingress Yaml文件。
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: first-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- example.com
secretName: myssl
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: first-service
port:
number: 8080
";192.168.49.2";是入口ip地址。所以https://192.68.49.2在浏览器上打开我的应用程序。
证书是使用Openssl通过以下命令生成的:
openssl genrsa -out s.key 2048
openssl req -new -key s.key -out s.csr -subj "/CN=example.com"
openssl x509 -req -days 365 -in s.csr -signkey s.key -out s.crt
证书已添加到k8s机密中。
kubectl create secret tls myssl --cert s.crt --key s.key
curl -kv https://192.168.49.2命令输出为:
* Trying 192.168.49.2:443...
* Connected to 192.168.49.2 (192.168.49.2) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* start date: Oct 22 09:57:19 2022 GMT
* expire date: Oct 22 09:57:19 2023 GMT
* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: 192.168.49.2]
* h2h3 [user-agent: curl/7.85.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x561c242ff950)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: 192.168.49.2
> user-agent: curl/7.85.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< date: Sat, 22 Oct 2022 10:05:50 GMT
< content-type: text/html; charset=utf-8
..... html of the page
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host 192.168.49.2 left intact
请帮忙。
2天后更新:
我调试后发现我已经安装了nginxingress,命令是:
minikube addons enable ingress
它在ingress-nginx命名空间中安装ingress,而我的秘密在default命名空间中。这会是问题所在吗?如果是,解决方案是什么?
您的入口清单中有一个错误,这里是:
rules:
- host: example.com
- http:
paths:
您已经创建了两个规则,第一个匹配host: example.com,但没有定义路径或后端;第二匹配路径CCD_ 5但不设置CCD_。您想要:
rules:
- host: example.com
http:
paths:
它在ingress nginx命名空间中安装ingress,而我的秘密在默认命名空间中。这会是问题所在吗?如果是,解决方案是什么?
这不是问题:这是预期的配置。SSL机密应该安装在与应用程序和Ingress相同的命名空间中。
在过去的几天里,我一直在玩这个,我不确定你是否可以在不使用主机名的情况下让它按你想要的方式运行。幸运的是,设置主机名以在本地开发过程中使用相对简单。
在大多数情况下,您可以编辑/etc/hosts文件。例如,如果您的应用程序托管在192.168.49.2上,那么您可以向/etc/hosts添加这样的条目,以访问https://example.com:上的应用程序
192.168.49.2 example.com
您可以添加多个主机名别名,这允许您在集群上使用多个基于主机名的Ingress资源:
192.168.49.2 example.com myapp.internal anotherapp.dev
当您使用curl进行测试时,您可以使用--resolve选项来完成相同的事情:
curl --resolve example.com:443:192.168.49.2 -kv https://example.com
例如,如果我在本地集群上部署以下Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami
spec:
tls:
- secretName: myssl
hosts:
- example.com
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
name: http
/etc/hosts中有以下条目:
$ grep example.com /etc/hosts
193.168.1.200 example.com
运行curl -skv https://example.com表明ingress使用的是我的自定义证书,而不是默认的ingress证书:
[...]
* Server certificate:
* subject: CN=example.com
* start date: Oct 23 12:52:45 2022 GMT
* expire date: Oct 23 12:52:45 2023 GMT
* issuer: CN=example.com
[...]
重要的是,定义的TLS证书的主机名与证书中的使用者alt名称匹配。如果不是这种情况,
kubectl get all -n ingress-nginx
# search the controller pod name
kubectl logs pod/ingress-nginx-controller-84b9766c9c-bmlr2 -n ingress-nginx
W081523:00:44.109801 7控制器.go:1448]SSL证书";default/my-tls secret";不包含服务器的通用名称或主题替代名称";foolocalhost":x509:证书对localhost有效,而不是foo.localhost
在这种情况下,应该使用foo.localhost,但它是localhost。