一、需求描述
在本地签发自命名证书,用于K8S
集群的Ingress
的https配置。
前提条件:
- 完成
K8S
集群搭建。- 完成证书制作机器的
openssl
服务安装。
二、自签名证书制作
2.1 脚本及配置文件准备
2.1.1 CA.sh脚本准备
注意事项:
openssl
服务默认CA.sh
地址为:/etc/pki/tls/misc/CA.sh
,为证书拷贝方便基于原CA.sh
进行复制对其原部分路径改写(改为读取同路径下的openssl.cnf
文件)。
bash
#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
cp_pem() {
infile=$1
outfile=$2
bound=$3
flag=0
exec <$infile;
while read line; do
if [ $flag -eq 1 ]; then
echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ] ; then
echo $line >>$outfile
break
else
echo $line >>$outfile
fi
fi
echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ]; then
echo $line >$outfile
flag=1
fi
done
}
usage() {
echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
}
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
CADAYS="-days 3650" # 10 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
RET=0
while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
usage
exit 0
;;
-newcert)
# create a certificate
$REQ -config openssl.cnf -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
RET=$?
echo "Certificate is in newcert.pem, private key is in newkey.pem"
;;
-newreq)
# create a certificate request
$REQ -config openssl.cnf -new -keyout newkey.pem -out newreq.pem $DAYS
RET=$?
echo "Request is in newreq.pem, private key is in newkey.pem"
;;
-newreq-nodes)
# create a certificate request
$REQ -config openssl.cnf -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
RET=$?
echo "Request (and private key) is in newreq.pem"
;;
-newca)
# if explicitly asked for or it doesn't exist then setup the directory
# structure that Eric likes to manage things
NEW="1"
if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
# create the directory hierarchy
mkdir -p ${CATOP}
mkdir -p ${CATOP}/certs
mkdir -p ${CATOP}/crl
mkdir -p ${CATOP}/newcerts
mkdir -p ${CATOP}/private
touch ${CATOP}/index.txt
fi
if [ ! -f ${CATOP}/private/$CAKEY ]; then
echo "CA certificate filename (or enter to create)"
read FILE
# ask user for existing CA certificate
if [ "$FILE" ]; then
cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
RET=$?
if [ ! -f "${CATOP}/serial" ]; then
$X509 -config openssl.cnf -in ${CATOP}/$CACERT -noout -next_serial \
-out ${CATOP}/serial
fi
else
echo "Making CA certificate ..."
$REQ -config openssl.cnf -new -keyout ${CATOP}/private/$CAKEY \
-out ${CATOP}/$CAREQ
$CA -config openssl.cnf -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
-keyfile ${CATOP}/private/$CAKEY -selfsign \
-extensions v3_ca \
-infiles ${CATOP}/$CAREQ
RET=$?
fi
fi
;;
-xsign)
$CA -config openssl.cnf -policy policy_anything -infiles newreq.pem
RET=$?
;;
-pkcs12)
if [ -z "$2" ] ; then
CNAME="My Certificate"
else
CNAME="$2"
fi
$PKCS12 -config openssl.cnf -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
-out newcert.p12 -export -name "$CNAME"
RET=$?
exit $RET
;;
-sign|-signreq)
$CA -config openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-signCA)
$CA -config openssl.cnf -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
RET=$?
echo "Signed CA certificate is in newcert.pem"
;;
-signcert)
echo "Cert passphrase will be requested twice - bug?"
$X509 -config openssl.cnf -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$CA -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-verify)
shift
if [ -z "$1" ]; then
$VERIFY -CAfile $CATOP/$CACERT newcert.pem
RET=$?
else
for j
do
$VERIFY -CAfile $CATOP/$CACERT $j
if [ $? != 0 ]; then
RET=$?
fi
done
fi
exit $RET
;;
*)
echo "Unknown arg $i" >&2
usage
exit 1
;;
esac
shift
done
exit $RET
命令参数选项 :
-newcert
:新证书-newreq
:新请求-newreq-nodes
:新请求节点-newca
:新的CA证书-sign
:签证-verify
:验证
2.1.2 配置文件openssl.cnf
cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
subjectAltName=@alt_names
[alt_names]
DNS.1 = nginx.local
DNS.2 = *.nginx.local
IP.1 = 192.168.0.50
IP.2 = 192.168.0.51
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
通过以下配置:
rust
subjectAltName=@alt_names
[alt_names]
DNS.1 = nginx.local
DNS.2 = *.nginx.local
IP.1 = 192.168.0.50
IP.2 = 192.168.0.51
指定扩展属性(证书使用者可选名称)为:指定主域名、泛域名和本地IP
。
最新效果:
2.2 生成根CA
bash
[root@k8s-master openssl-CA]# sh CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
...............................................................................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Heilongjiang
Locality Name (eg, city) []:haerbin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:rootca
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
139713450506128:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase for ./demoCA/private/./cakey.pem:
139713450506128:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase for ./demoCA/private/./cakey.pem:
139713450506128:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e7:e3:fc:9f:64:e6:9c:c2
Validity
Not Before: Aug 18 06:15:34 2023 GMT
Not After : Aug 15 06:15:34 2033 GMT
Subject:
countryName = CN
stateOrProvinceName = Heilongjiang
organizationName = IT
commonName = rootca
X509v3 extensions:
X509v3 Subject Key Identifier:
99:D0:C2:47:62:E4:16:CE:83:2D:21:83:2C:21:6A:A9:63:7D:03:AA
X509v3 Authority Key Identifier:
keyid:99:D0:C2:47:62:E4:16:CE:83:2D:21:83:2C:21:6A:A9:63:7D:03:AA
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Alternative Name:
DNS:nginx.local, DNS:*.nginx.local, IP Address:192.168.0.50, IP Address:192.168.0.51
Certificate is to be certified until Aug 15 06:15:34 2033 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
[root@k8s-master openssl-CA]#
注意事项:
- 提示
Enter PEM pass phrase:
时输入密码,自定义,请记住后续还需使用。
2.3 产生证书请求
bash
[root@k8s-master openssl-CA]# sh CA.sh -newreq
Generating a 2048 bit RSA private key
..................................................+++
....................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Heilong
Locality Name (eg, city) []:haerbin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.nginx.local
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
[root@k8s-master openssl-CA]#
注意事项:
- 提示
Common Name (e.g. server FQDN or YOUR name) []:
时我输入的为*.nginx.local
泛域名。
2.4 签发证书
bash
[root@k8s-master openssl-CA]# sh CA.sh -signCA
Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e7:e3:fc:9f:64:e6:9c:c3
Validity
Not Before: Aug 18 06:20:48 2023 GMT
Not After : Aug 15 06:20:48 2033 GMT
Subject:
countryName = CN
stateOrProvinceName = Heilong
localityName = haerbin
organizationName = IT
commonName = *.nginx.local
X509v3 extensions:
X509v3 Subject Key Identifier:
3E:AD:81:4C:AA:85:3E:D6:78:83:5B:63:3D:CA:A5:F2:59:97:42:14
X509v3 Authority Key Identifier:
keyid:99:D0:C2:47:62:E4:16:CE:83:2D:21:83:2C:21:6A:A9:63:7D:03:AA
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Alternative Name:
DNS:nginx.local, DNS:*.nginx.local, IP Address:192.168.0.50, IP Address:192.168.0.51
Certificate is to be certified until Aug 15 06:20:48 2033 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed CA certificate is in newcert.pem
[root@k8s-master openssl-CA]#
2.5 导出私钥
注意事项:
- 避免出现:服务启动提示输入:
PEM pass phrase
情况,故将私钥导出。
bash
[root@k8s-master openssl-CA]# openssl rsa -in newkey.pem -out nginx.local.key
Enter pass phrase for newkey.pem:
writing RSA key
2.6 导出证书
bash
[root@k8s-master openssl-CA]# openssl x509 -in newcert.pem -out nginx.local.pem
[root@k8s-master openssl-CA]#
2.7 导出Windows平台能安装的根证书
bash
[root@k8s-master openssl-CA]# cd demoCA/
[root@k8s-master demoCA]# openssl x509 -in cacert.pem -out cacert.crt
[root@k8s-master demoCA]# cd ..
[root@k8s-master openssl-CA]#
2.8 导出Linux平台能安装的根证书
bash
[root@k8s-master openssl-CA]# openssl x509 -in demoCA/cacert.pem -out ca.pem
[root@k8s-master openssl-CA]#
查看根证书ca.pem
切换root
权限,将根证书内容追加到受信任根证书列表配置文件
bash
[root@k8s-master openssl-CA]#
[root@k8s-master openssl-CA]# cat ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
三、自签名证书写入secret
bash
kubectl create secret tls nginx.local --key nginx.local.key --cert nginx.local.pem
四、Deployment具体配置
完整配置文件myapp-deployment.yaml
:
bash
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: myapp
namespace: default
annotations: {}
spec:
replicas: 5
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
creationTimestamp: null
labels:
app: myapp
release: canary
spec:
containers:
- name: myapp
image: 'ikubernetes/myapp:v2'
ports:
- name: httpd
containerPort: 80
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
securityContext: {}
schedulerName: default-scheduler
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
revisionHistoryLimit: 10
progressDeadlineSeconds: 600
---
kind: Service
apiVersion: v1
metadata:
name: myapp
namespace: default
annotations: {}
spec:
ports:
- name: http
protocol: TCP
port: 80
targetPort: 80
selector:
app: myapp
release: canary
type: ClusterIP
sessionAffinity: None
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
internalTrafficPolicy: Cluster
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: myapp
namespace: default
spec:
ingressClassName: nginx-ingress
tls:
- hosts:
- myapp.nginx.local
secretName: nginx.local
rules:
- host: myapp.nginx.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: myapp
port:
number: 80
---
kind: Secret
apiVersion: v1
metadata:
name: nginx.local
namespace: default
data:
tls.crt: >-
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lKQU9mai9KOWs1cHpETUEwR0NTcUdTSWIzRFFFQkN3VUFNRUl4Q3pBSkJnTlYKQkFZVEFrTk9NUlV3RXdZRFZRUUlEQXhJWldsc2IyNW5hbWxoYm1jeEN6QUpCZ05WQkFvTUFrbFVNUTh3RFFZRApWUVFEREFaeWIyOTBZMkV3SGhjTk1qTXdPREU0TURZeU1EUTRXaGNOTXpNd09ERTFNRFl5TURRNFdqQldNUXN3CkNRWURWUVFHRXdKRFRqRVFNQTRHQTFVRUNBd0hTR1ZwYkc5dVp6RVFNQTRHQTFVRUJ3d0hhR0ZsY21KcGJqRUwKTUFrR0ExVUVDZ3dDU1ZReEZqQVVCZ05WQkFNTURTb3VibWRwYm5ndWJHOWpZV3d3Z2dFaU1BMEdDU3FHU0liMwpEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUR1ZC83R0FSdlFzaHkwVnBrTE5Uam1pSzBTcThZdHhOQTFUbXNDCnQvT3RWR3k1NEVzVWUwdklManBWSFZ1UDhXZ0hFcWZia2RjdUlGTkJWeFVkcU5jZlpjeDhtOEZOclNtbS9HdUkKL0FsdjhWRTBtcFpqLzlvbXlOWURmbUw2dSs2b1RYbXJjSVU3N25IbGJRdkFzYkxEN2lmMUY5ODBTR3NPZnltMAplaXVMRmtwTFFvNGQxekdPOWVrbWg0L0FyQkwxREcycEpuTFZ4Y3lBeHhxS0MzaDd4RHFPNStTWVNWa1dhZWhNCmhpNlJOdXdQQmMvM0I5bzRZRm1xV2RlYTMxdlJtUW1nQ3picEF4WWQ4NFdNSWNKSVlJYXIwN1hOYlV2TE8zdjcKbmcwVTIyT080NFJmOFRONTdFN0JjZ0twS3dGMTZuakk5WHdLRWFON0h1a0ovOEZ2QWdNQkFBR2pnWVF3Z1lFdwpIUVlEVlIwT0JCWUVGRDZ0Z1V5cWhUN1dlSU5iWXozS3BmSlpsMElVTUI4R0ExVWRJd1FZTUJhQUZKblF3a2RpCjVCYk9neTBoZ3l3aGFxbGpmUU9xTUF3R0ExVWRFd1FGTUFNQkFmOHdNUVlEVlIwUkJDb3dLSUlMYm1kcGJuZ3UKYkc5allXeUNEU291Ym1kcGJuZ3ViRzlqWVd5SEJNQ29BREtIQk1Db0FETXdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQUJhOXFBQVFIQm1WNFhyMWk4d3N6cXdLdXh3eXA4UWF5Z1p5aVAycGh0UytNWjVnWlN2WkVUMW55SHJRCllNbTVIeGpZaGVFSWdhUU5Fck9TRnRpbTJ0UUpNbmdkM3dvNEgvS3QvNzJYazc1ZnJXVXlUa1dFbGVDQVBXdXoKUXEweHpqdHdzeThXR2hMWW1KVFFVRnIrcU1qcjV5UTJhRUhMZ2FrU3dIUFdTdmlqRm1Lcmd5enc3MTlnay96egpybm5pRnZ0dHo5S1dtTXBXOUUrc0drVUhYWEhRY2pTbklNNmZwUzB4amhiS09HcHNSbDJlanUwN3JMNjQwRzhlClFBT1VaYXphNW9nVW5RRU93Wm5XQW5iZVp6ZGhBSVhsV1lRV3BKVFIzT2lZMnZkUmdMZ3lqRXAxVG5OK0JBRWQKOWlkYldEQTdtWDYyTGtuSS82VVlyWVpEMGIwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: >-
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBN25mK3hnRWIwTEljdEZhWkN6VTQ1b2l0RXF2R0xjVFFOVTVyQXJmenJWUnN1ZUJMCkZIdEx5QzQ2VlIxYmovRm9CeEtuMjVIWExpQlRRVmNWSGFqWEgyWE1mSnZCVGEwcHB2eHJpUHdKYi9GUk5KcVcKWS8vYUpzaldBMzVpK3J2dXFFMTVxM0NGTys1eDVXMEx3TEd5dys0bjlSZmZORWhyRG44cHRIb3JpeFpLUzBLTwpIZGN4anZYcEpvZVB3S3dTOVF4dHFTWnkxY1hNZ01jYWlndDRlOFE2anVma21FbFpGbW5vVElZdWtUYnNEd1hQCjl3ZmFPR0JacWxuWG10OWIwWmtKb0FzMjZRTVdIZk9GakNIQ1NHQ0dxOU8xelcxTHl6dDcrNTRORk50amp1T0UKWC9FemVleE93WElDcVNzQmRlcDR5UFY4Q2hHamV4N3BDZi9CYndJREFRQUJBb0lCQUV6b1JqSjFpUkwxWG15Swp3VERzS1Qyd05xRWU1UHM5emloaThnQWVjMmdqSWkyUU9LYVNYUTVpV2syNCtoNmlMSHFiZWFkR2thOCtuWnNsCkNwcFdLWXJtdWR3MkgxRjkxMEVUaDFyV2JmUzhUd1E0RnVpSlMwSFc0NjZjeEM4NURPOGFqWExOQnlzYzYzNmkKZkhmWTExNTVJRW5iT1JFVGlmTlM3NUJWRmxYMGF1N2QrWG1TNE1kbW9Md3E5NUExbG1rUFVjOUxoSWdoTWZjaApMdythMnFSM0wva0hCQWJESGM1Tng0WFQrR2YycnpCOXRpUit2TkpacjkzNDZXb2JiMVZvOWZrcWxKTVdzaUd1Cmp3T1ZoM096VEtib05DaVl2aWJIYnFUU1NlTXhkUVlORllIMDQ0TjArNndzRjA0MzJBWll3SERHaWxPNGg3ZUQKU3d3YVFnRUNnWUVBL3VEWmhCek5KVit1dlMzQkgydm9wT3NUWGFsVko3aXY1b1pHRXc1bVVicWxkL3pZWUtSSAoyRTFUdE0vOTNjRDRNNi8wRHNsMDArWjkvWDZpdWpaNlZadkJnaWhjTnNNb3p1akt2NTNlL0JiTC9jUy95VjBLCnR5RnpSNVJ4cXBQZUxJUDVEbGJQZUk4LzhzTys3OUMyWFlHaTM2aytXYlZtNURodUNwNXV4TjhDZ1lFQTc0U28KZ0lPQmZnS2RzdEZMSkRxaXl1SEoxdGpseWdEcWozSTZ6U1JSZ0s2d0RQdjdBbFUwQnhFSmlMWWt1a2t1dmhrbAoxQ1NaeXA1YWZBM0QwTTY2WDFnOGpRL04xMGt1SUlxZENsQkR6YVBKb1RKbmdnbUV6TjV0RG5jTmxsKzJrekpzCmpMaVUrSEVQK3JGeDZzeWxBMUowRnBZSnY4S0RSTWgzM09DTmhYRUNnWUJnUVM0a05IUk0vdnVRdWl6SzN3ZTIKOElnWndROUZ0dnZIQlVLRmc5U2tYT2FNajlKdmZOc2RGdWJiekFqRnJGQ1B4STFZNEQvY25wbEtHSDcvNy83MwpRYUVzdEcxT3lSa3FPc1FHNVdvR3JkMVA4dk95Nmc1WDVxd1Foa0QrK0dUWlR1WEp3b01MdHAyaDRzYkM3b0ZRCmd0cXR1TTZ4Tms2ck5aeHBLamdPNVFLQmdRQ2xSTzhVQmluQzdrRXNVdmc3WG01WCthWlJKa2FndFRNa21kaHoKRnIxYVFxOWR0ajFFSmRDSms3cjFaMkUrWFNMd3J0K0lXMXozRDM4MkhEVmlqbExSV1V3bXRhSCtEQlBWQm5CSAozb3g2aDZxb0hPU0pPTkkybnIrM2ZIU1dyeUtHdlFOanNqV3duQ3MvZTFNMGhkTFMwUUVqV0pJUGpFTVJvaFg3CkJjTUJNUUtCZ0gvTU8wTEkzN3ZKeDg2U00xSVhVeVFmVzlTYjlBNHpkc1FqanJ1OUtYVjU0NW01R09QMUY5aEQKVDhFdmh2RkN6cno5ZmRuWitTcWo2OFB0UWtDbFdkSGd5Y2pFaXFDUjNJU1hHYmZVNkhwWVVaZitvajVPS0NsRgpMQXdHVi9kWnU5RjVTVlBUQjEwNk0wS0tCUldHaW5aVXdLUXJwZzBMZDQvNkR0cDVoNk12Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
type: kubernetes.io/tls
五、效果
将导出Windows
平台能安装的根证书进行安装。最后效果: