Configuring a self-signed certificate on a k8s Ingress, and fixing "Kubernetes Ingress Controller Fake Certificate"

Generate the self-signed certificate

See https://hknaruto.blog.csdn.net/article/details/79556245

This yields the key and certificate files: hknaruto.com.key, hknaruto.com.pem


Create the k8s secret

[yeqiang@localhost openssl-CA]$ kubectl create secret tls hknaruto.com --cert=hknaruto.com.pem --key=hknaruto.com.key -n default
secret/hknaruto.com created

Create the nginx service

See https://hknaruto.blog.csdn.net/article/details/106541725

Deploy the Ingress

Edit nginx_ingress.yml

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: nginx-ingress
  namespace: default
  labels:
    app: nginx
  annotations:
    ingress.kubernetes.io/proxy-body-size: '0'
    ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: '0'
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
    - hosts:
        - k8s.hknaruto.com
      secretName: hknaruto.com
  rules:
    - host: k8s.hknaruto.com
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              serviceName: nginx
              servicePort: 80

Run the deployment command

[yeqiang@localhost openssl-CA]$ kubectl apply -f nginx_ingress.yml 
ingress.extensions/nginx-ingress created

Look up the IP address

[yeqiang@localhost openssl-CA]$ kubectl get ingress 
NAME            CLASS    HOSTS              ADDRESS          PORTS     AGE
nginx-ingress   <none>   k8s.hknaruto.com   192.168.99.100   80, 443   38s

Edit /etc/hosts and add

192.168.99.100 k8s.hknaruto.com

Access test from Chrome

Access test with curl

[yeqiang@localhost openssl-CA]$ curl -vv https://k8s.hknaruto.com
*   Trying 192.168.99.100:443...
* TCP_NODELAY set
* Connected to k8s.hknaruto.com (192.168.99.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=CS; ST=Hunan; L=Changsha; O=gw; OU=dev; CN=*.hknaruto.com
*  start date: Aug  4 06:26:26 2020 GMT
*  expire date: Aug  2 06:26:26 2030 GMT
*  subjectAltName: host "k8s.hknaruto.com" matched cert's "*.hknaruto.com"
*  issuer: C=CS; ST=Hunan; O=gw; OU=dev; CN=opensslCA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5559c10c8180)
> GET / HTTP/2
> Host: k8s.hknaruto.com
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx/1.17.10
< date: Wed, 05 Aug 2020 01:32:55 GMT
< content-type: text/html
< content-length: 612
< vary: Accept-Encoding
< last-modified: Tue, 07 Jul 2020 15:52:25 GMT
< etag: "5f049a39-264"
< accept-ranges: bytes
< 
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host k8s.hknaruto.com left intact

Note: the curl request reported no SSL error because the root certificate ca.pem had been appended to the system's trusted certificate store; see: https://hknaruto.blog.csdn.net/article/details/107786300

Appendix:

Handling the error "Kubernetes Ingress Controller Fake Certificate"

Cause: hknaruto.com.pem had not been exported from newcert.pem, and newcert.pem is not a bare PEM file; its contents are as follows:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:35:e4:4d:92:0a:43:84:87:86:23:f1:23:0d:37:ba:1b:b3:ca:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CS, ST=Hunan, O=gw, OU=dev, CN=opensslCA
        Validity
            Not Before: Aug  4 06:26:26 2020 GMT
            Not After : Aug  2 06:26:26 2030 GMT
        Subject: C=CS, ST=Hunan, L=Changsha, O=gw, OU=dev, CN=*.hknaruto.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                1E:00:C7:75:9A:42:60:17:D5:68:92:36:7E:64:00:73:05:79:CD:8A
            X509v3 Authority Key Identifier: 
                keyid:50:4E:05:3D:D7:CA:B3:ED:3B:D9:60:63:EE:2C:7F:FE:FF:EC:3A:E0

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:*.hknaruto.com, DNS:*.abc.com
    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----

Solution

[yeqiang@localhost openssl-CA]$ openssl x509 -in newcert.pem -out hknaruto.com.pem

The contents of hknaruto.com.pem are now as follows:

-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
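As an added check (not part of the original post), the following Python does what `openssl x509 -in newcert.pem -out hknaruto.com.pem` does here, keeping only the CERTIFICATE block from a file that carries the text dump in front, and lints the certificate and key material before `kubectl create secret tls`. The sample files and the DER payload are constructed placeholders, not the post's real certificate or key.

```python
import base64
import re

# Constructed sample shaped like this page's newcert.pem: the openssl text dump
# comes first, then the PEM block. The payload is a placeholder DER SEQUENCE.
FAKE_DER = b"\x30\x0a\x02\x01\x01\x05\x00\x04\x03abc"
NEWCERT_PEM = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Subject: C=CS, ST=Hunan, L=Changsha, O=gw, OU=dev, CN=*.hknaruto.com\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
# Constructed placeholder key file; only the PEM label matters for the lint.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAA==\n-----END RSA PRIVATE KEY-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, base64 body)] for every PEM block in text, in order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def normalize_certificate(text):
    """Do what `openssl x509 -in newcert.pem -out hknaruto.com.pem` does: keep only
    the first CERTIFICATE block as canonical PEM and drop the text dump in front."""
    certs = [body for label, body in pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(certs[0].split()), validate=True)
    if not der or der[0] != 0x30:  # an X.509 Certificate is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("PEM body is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def lint_tls_secret_input(cert_text, key_text):
    """Pre-flight checks for `kubectl create secret tls`; returns a list of findings."""
    findings = []
    first = cert_text.find("-----BEGIN")
    if first == -1:
        findings.append("cert: no PEM block at all")
    elif cert_text[:first].strip():
        findings.append("cert: text before the PEM block (openssl text dump?); run openssl x509 -in ... -out ...")
    labels = [label for label, _ in pem_blocks(cert_text)]
    if labels and labels[0] != "CERTIFICATE":
        findings.append(f"cert: first PEM block is {labels[0]}, expected CERTIFICATE")
    if not any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(key_text)):
        findings.append("key: no PRIVATE KEY block")
    return findings
```

The check does not parse X.509 extensions, so it will not flag the other oddity visible in the dump above: the server certificate carries `X509v3 Basic Constraints: CA:TRUE`, which a leaf certificate should not have.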


Reposted from blog.csdn.net/hknaruto/article/details/107806644