前段时间我们通过文章《How to build a kubernetes dashboard system step by step》主要介绍了如何基于手动创建的ssl证书完成kubernetes中User account token的生成。但是大部分浏览器通常会提示该服务站点不安全,原因是个人自建的CA不在浏览器的受信任根证书列表中,浏览器对它签署的身份数字证书持不信任态度。那么我们有没有办法改变这一现状呢?答案是有的。我们可以基于知名CA完成服务站点的数字证书的签署,然后再基于该数字证书完成Kubernetes中User account token的生成。
考虑到阿里云上可以申请一个有效期为一年的免费数字证书,今天我们就结合阿里云免费ssl数字证书来完成Kubernetes中User account token的生成。
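大家按照上面的一系列图的指引即可完成免费数字证书的申请,我们按上图所示将其下载下来,解压到目录~/.tmp下面。其中后缀名为key的文件是站点私钥,下面用cat查看它只是为了演示文件格式;实际使用时不要公开私钥内容,并建议把私钥文件的权限收紧为仅属主可读写(例如chmod 600),下面列表中的-rw-rw-r--对私钥来说过于宽松。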
lwk@qwfys:~$ ll ~/.tmp/
total 20
drwxr-xr-x 5 lwk lwk 4096 Jun 3 09:52 ./
drwxr-xr-x 53 lwk lwk 4096 Jun 2 09:32 ../
drwxr-xr-x 2 lwk lwk 4096 Jun 2 13:59 3123459_k8s.qwfys.com_nginx/
drwxr-xr-x 2 lwk lwk 4096 Jun 2 09:53 3723459_k8s.qwfys.com_nginx/
drwxr-xr-x 2 lwk lwk 4096 Jun 3 09:52 4007298_k8s.qwfys.com_nginx/
lwk@qwfys:~$ ll ~/.tmp/4007298_k8s.qwfys.com_nginx/
total 16
drwxr-xr-x 2 lwk lwk 4096 Jun 3 09:52 ./
drwxr-xr-x 5 lwk lwk 4096 Jun 3 09:52 ../
-rw-rw-r-- 1 lwk lwk 1679 Jun 3 09:51 4007298_k8s.qwfys.com.key
-rw-rw-r-- 1 lwk lwk 3651 Jun 3 09:51 4007298_k8s.qwfys.com.pem
lwk@qwfys:~$ cat ~/.tmp/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
lwk@qwfys:~$ cat ~/.tmp/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0xNzExMjcxMjQ2MTBaFw0yNzExMjcxMjQ2MTBaMG4xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xLTArBgNVBAMTJEVuY3J5cHRpb24gRXZlcnl3aGVyZSBEViBUTFMgQ0EgLSBH
MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPeP6wkab41dyQh6mKc
oHqt3jRIxW5MDvf9QyiOR7VfFwK656es0UFiIb74N9pRntzF1UgYzDGu3ppZVMdo
lbxhm6dWS9OK/lFehKNT0OYI9aqk6F+U7cA6jxSC+iDBPXwdF4rs3KRyp3aQn6pj
pp1yr7IB6Y4zv72Ee/PlZ/6rK6InC6WpK0nPVOYR7n9iDuPe1E4IxUMBH/T33+3h
yuH3dvfgiWUOUkjdpMbyxX+XNle5uEIiyBsi4IvbcTCh8ruifCIi5mDXkZrnMT8n
wfYCV6v6kDdXkbgGRLKsR4pucbJtbKqIkUGxuZI2t7pfewKRc5nWecvDBZf3+p1M
pA8CAwEAAaOCAU8wggFLMB0GA1UdDgQWBBRVdE+yck/1YLpQ0dfmUVyaAYca1zAf
BgNVHSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3RVTAOBgNVHQ8BAf8EBAMCAYYw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8C
AQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
Y2VydC5jb20wQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQu
Y29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG
/WwBAjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
MAgGBmeBDAECATANBgkqhkiG9w0BAQsFAAOCAQEAK3Gp6/aGq7aBZsxf/oQ+TD/B
SwW3AU4ETK+GQf2kFzYZkby5SFrHdPomunx2HBzViUchGoofGgg7gHW0W3MlQAXW
M0r5LUvStcr82QDWYNPaUy4taCQmyaJ+VB+6wxHstSigOlSNF2a6vg4rgexixeiV
4YSB03Yqp2t3TeZHM9ESfkus74nQyW7pRGezj+TC44xCagCQQOzzNmzEAP2SnCrJ
sNE2DpRVMnL8J6xBRdjmOsC3N6cQuKuRXbzByVBjCqAA8t1L0I+9wXJerLPyErjy
rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
-----END CERTIFICATE-----
lwk@qwfys:~$
通过与我此前的文章《How to manually generate ssl certificate for own site in Linux》做对比,我们发现这里后缀名为pem的文件与我此前给大家介绍的crt文件其实是同一种格式(PEM编码的X.509证书),只是后缀名不同而已;区别在于这里的pem文件包含两段证书,即站点证书和其后的中间CA证书,二者构成一条证书链。既然如此,那么接下来,我们将接着文章《How to build a kubernetes dashboard system step by step》的内容,继续为大家介绍如何生成我们想要的user account token。
lwk@qwfys:~$ scp -r ~/.tmp/4007298_k8s.qwfys.com_nginx root@inner89.qwfys.com:/root/.tmp/ssl/
4007298_k8s.qwfys.com.pem 100% 3651 1.9MB/s 00:00
4007298_k8s.qwfys.com.key 100% 1679 1.2MB/s 00:00
lwk@qwfys:~$
[root@xtwj89 ~]# ll ~/.tmp/ssl/
total 4
drwxr-xr-x 3 root root 41 Jun 3 10:14 .
drwxr-xr-x 5 root root 4096 Jun 3 10:12 ..
drwxr-xr-x 2 root root 72 Jun 3 10:14 4007298_k8s.qwfys.com_nginx
[root@xtwj89 ~]#
删除原有的证书secret
[root@xtwj89 ~]# kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard
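创建新的证书secret(注意:在bash中,--from-file=~/...里等号后面的~不会被展开,kubectl会收到字面上的~路径而找不到文件;请改用$HOME/.tmp/ssl/...或绝对路径/root/.tmp/ssl/...。Secret创建成功后,建议删除节点上~/.tmp/ssl中的私钥副本)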
[root@xtwj89 ~]# kubectl create secret generic kubernetes-dashboard-certs --from-file=~/.tmp/ssl/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.key --from-file=~/.tmp/ssl/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.pem -n kubernetes-dashboard