Generate a self-signed certificate
Reference: https://hknaruto.blog.csdn.net/article/details/79556245
This yields the key and certificate files: hknaruto.com.key, hknaruto.com.pem
Create the k8s secret
[yeqiang@localhost openssl-CA]$ kubectl create secret tls hknaruto.com --cert=hknaruto.com.pem --key=hknaruto.com.key -n default
secret/hknaruto.com created
Create the nginx service
Reference: https://hknaruto.blog.csdn.net/article/details/106541725
Deploy the ingress
Edit nginx_ingress.yml
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: nginx-ingress
  namespace: default
  labels:
    app: nginx
  annotations:
    ingress.kubernetes.io/proxy-body-size: '0'
    ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: '0'
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
  - hosts:
    - k8s.hknaruto.com
    secretName: hknaruto.com
  rules:
  - host: k8s.hknaruto.com
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          serviceName: nginx
          servicePort: 80
Run the deploy command
[yeqiang@localhost openssl-CA]$ kubectl apply -f nginx_ingress.yml
ingress.extensions/nginx-ingress created
Look up the IP address
[yeqiang@localhost openssl-CA]$ kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
nginx-ingress <none> k8s.hknaruto.com 192.168.99.100 80, 443 38s
Edit /etc/hosts and add:
192.168.99.100 k8s.hknaruto.com
Access test with Chrome
Access test with curl
[yeqiang@localhost openssl-CA]$ curl -vv https://k8s.hknaruto.com
* Trying 192.168.99.100:443...
* TCP_NODELAY set
* Connected to k8s.hknaruto.com (192.168.99.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=CS; ST=Hunan; L=Changsha; O=gw; OU=dev; CN=*.hknaruto.com
* start date: Aug 4 06:26:26 2020 GMT
* expire date: Aug 2 06:26:26 2030 GMT
* subjectAltName: host "k8s.hknaruto.com" matched cert's "*.hknaruto.com"
* issuer: C=CS; ST=Hunan; O=gw; OU=dev; CN=opensslCA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5559c10c8180)
> GET / HTTP/2
> Host: k8s.hknaruto.com
> User-Agent: curl/7.66.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx/1.17.10
< date: Wed, 05 Aug 2020 01:32:55 GMT
< content-type: text/html
< content-length: 612
< vary: Accept-Encoding
< last-modified: Tue, 07 Jul 2020 15:52:25 GMT
< etag: "5f049a39-264"
< accept-ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>body {width: 35em;margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif;}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p><p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host k8s.hknaruto.com left intact
Note: curl reports no SSL error here because the root certificate ca.pem was appended to the system's trusted certificate list; see: https://hknaruto.blog.csdn.net/article/details/107786300
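In the curl trace above, the chain is verified against the trusted CA first, and only then does curl report that host "k8s.hknaruto.com" matched the certificate's "*.hknaruto.com". The following Python is an added example, not code from the original post: it implements the conservative wildcard-matching rules that curl and browsers apply to DNS names in a certificate's Subject Alternative Name. The SAN list is copied from the certificate dump in the appendix; the hostnames exercised in the demo are constructed.

```python
"""Hostname vs. certificate DNS-name matching (RFC 6125 style, as curl does it).

Added example, not from the original post. SAN_FROM_POST is the SAN list shown in
the post's certificate dump; the test hostnames are constructed.
"""
from typing import Iterable, Optional


def match_dns_name(pattern: str, host: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers host.

    Rules applied:
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard must be the whole leftmost label ("*.example.com", not "k*.example.com")
    - the wildcard matches exactly one label, never zero or several
    - the pattern must keep at least two labels besides the wildcard ("*.com" is rejected)
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern or not host:
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if "*" not in pattern:
        # Plain name: exact label-by-label equality.
        return p_labels == h_labels
    # Wildcard form: only the leftmost label may be "*", and it must be exactly "*".
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # "*" stands for exactly one non-empty label; the remaining labels must be identical.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def san_match(host: str, san_dns_names: Iterable[str]) -> Optional[str]:
    """Return the SAN entry that covers host, or None if the cert does not cover it."""
    for name in san_dns_names:
        if match_dns_name(name, host):
            return name
    return None


# DNS names from the "X509v3 Subject Alternative Name" line of the post's certificate dump.
SAN_FROM_POST = ["*.hknaruto.com", "*.abc.com"]


if __name__ == "__main__":
    # Constructed hostnames; only the first two are covered by the post's certificate.
    for candidate in ["k8s.hknaruto.com", "www.abc.com", "hknaruto.com",
                      "a.k8s.hknaruto.com", "k8s.example.com"]:
        print(f"{candidate:22s} -> {san_match(candidate, SAN_FROM_POST)}")
```

A name that the certificate does not cover (the bare apex "hknaruto.com", or a deeper "a.k8s.hknaruto.com") is what produces a hostname mismatch error even when the chain itself verifies, so the hosts-file entry and the Ingress host must both fall inside the SAN wildcard.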
Appendix:
Troubleshooting: Kubernetes Ingress Controller Fake Certificate
Cause: hknaruto.com.pem was not exported from newcert.pem; the contents of newcert.pem are as follows
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:35:e4:4d:92:0a:43:84:87:86:23:f1:23:0d:37:ba:1b:b3:ca:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CS, ST=Hunan, O=gw, OU=dev, CN=opensslCA
        Validity
            Not Before: Aug  4 06:26:26 2020 GMT
            Not After : Aug  2 06:26:26 2030 GMT
        Subject: C=CS, ST=Hunan, L=Changsha, O=gw, OU=dev, CN=*.hknaruto.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f4:28:60:39:b8:91:b9:3a:e4:4f:96:07:a6:96:6d:ab:bb:07:26:9f:0f:79:71:ee:f2:c9:11:51:ca:6c:9b:3a:e5:2b:32:ff:aa:7a:3b:12:c9:33:45:8b:0e:2f:89:e3:1c:65:e8:ee:f6:2a:65:0f:88:0d:82:20:84:e4:2a:41:56:31:ce:b3:69:78:1a:77:be:be:26:73:04:a7:90:3b:f3:0a:34:07:df:37:74:b9:f5:b4:bd:2f:77:15:67:14:9c:32:95:08:0c:16:8f:44:57:e5:7a:6a:e5:3f:59:ff:e3:f8:44:49:d2:72:cb:96:a6:9e:ec:a6:bc:6f:b3:c9:37:b5:c7:0d:84:8f:4c:a8:04:1e:02:e3:f2:7c:b6:b7:23:dd:b9:b8:8a:1b:7e:68:b8:88:b5:b8:9e:ef:0e:e1:2e:77:42:bd:f7:51:c6:2d:1d:ac:56:43:ea:3f:92:c9:17:10:e6:e6:3e:30:b9:59:6d:f0:83:3c:76:08:ec:f6:5e:21:0a:8b:a5:0f:08:2c:5d:4a:66:41:f0:39:2b:cd:fa:78:f1:66:01:e0:b7:61:57:58:51:4a:90:60:d7:63:50:67:87:a2:6e:28:af:33:43:d8:ff:49:14:6e:b6:fb:77:eb:84:0d:47:f3:ea:27:e5:1d:43:22:80:01:38:c3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1E:00:C7:75:9A:42:60:17:D5:68:92:36:7E:64:00:73:05:79:CD:8A
            X509v3 Authority Key Identifier:
                keyid:50:4E:05:3D:D7:CA:B3:ED:3B:D9:60:63:EE:2C:7F:FE:FF:EC:3A:E0
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:*.hknaruto.com, DNS:*.abc.com
    Signature Algorithm: sha256WithRSAEncryption
         6a:df:83:49:46:a6:d4:d6:51:50:8e:c2:cf:63:c2:f1:0c:e4:fd:cd:89:7f:f4:05:cd:bb:73:fe:26:3f:60:55:a3:13:ad:9c:e4:72:8b:a9:9f:77:d8:7f:50:6b:b9:f3:52:fb:78:b7:5f:c3:b2:e4:5b:87:bd:71:04:a5:06:0c:72:c1:1c:98:17:ba:59:fc:f1:ae:2b:f5:60:6e:52:c9:a7:42:dd:80:4e:bc:4b:b6:cc:3c:be:92:22:40:15:80:12:a9:71:7a:02:19:4b:b9:6e:eb:70:bd:09:ca:68:f9:20:b8:cc:08:69:da:8c:5b:b2:a5:a5:51:72:98:75:08:59:85:e5:c5:d0:05:de:7d:d9:5a:e5:8e:3e:67:5f:c9:2f:d8:f3:98:0f:40:d8:77:6a:91:42:7d:b8:58:54:ce:54:4f:f7:43:d4:ae:51:19:39:b9:17:aa:de:15:b9:10:45:46:d7:bf:3b:ad:04:f7:eb:96:ec:d0:96:f0:98:98:2d:b8:cb:c3:5f:65:63:7a:b6:bf:0c:91:62:b6:71:3e:ce:ce:fe:f7:98:85:12:be:08:28:5f:c9:9c:d8:f9:8a:9a:69:8a:7d:3f:ff:94:b9:47:26:40:e5:1f:3c:e0:bf:22:d8:3d:c1:ac:42:2f:4c:13:ce:64:90:96:7a:ce:2b
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Solution
[yeqiang@localhost openssl-CA]$ openssl x509 -in newcert.pem -out hknaruto.com.pem
The contents of hknaruto.com.pem are now as follows
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
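The openssl x509 export above produces a file that holds nothing but the PEM certificate block, which is what the TLS secret should carry. The following Python is an added example, not code from the original post: a pre-flight check to run before `kubectl create secret tls`, which reports whether a file is a clean PEM file and, if not, extracts the certificate block the same way the export step does. The sample file content is constructed to mimic the layout of newcert.pem (text dump followed by the PEM block); its DER payload is a minimal placeholder SEQUENCE, not a real certificate.

```python
"""Pre-flight check of a certificate file before creating a TLS secret.

Added example, not from the original post. NEWCERT_PEM_SAMPLE is a constructed
stand-in for newcert.pem (openssl's text dump followed by the PEM block); the
base64 body encodes a placeholder DER SEQUENCE, not a real certificate.
"""
import base64
import binascii
import re
from typing import List, Tuple

# One PEM block: BEGIN line, body, matching END line (the \1 backreference
# ensures BEGIN and END carry the same label).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def extract_pem_blocks(text: str) -> List[Tuple[str, bytes, str]]:
    """Return (label, der_bytes, original_block_text) for each well-formed PEM block.

    A block is accepted only if its body is strict base64 and decodes to data that
    starts with the DER SEQUENCE tag 0x30, which every X.509 structure does.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        compact = "".join(body.split())
        try:
            der = base64.b64decode(compact, validate=True)
        except binascii.Error:
            continue  # not base64 at all: skip rather than ship garbage
        if not der or der[0] != 0x30:
            continue  # decodes, but is not a DER SEQUENCE
        blocks.append((label, der, m.group(0)))
    return blocks


def is_clean_pem(text: str) -> bool:
    """True when the file consists of nothing but well-formed PEM blocks."""
    blocks = extract_pem_blocks(text)
    if not blocks:
        return False
    leftover = text
    for _label, _der, raw in blocks:
        leftover = leftover.replace(raw, "", 1)
    return leftover.strip() == ""


def export_certificate(text: str) -> str:
    """Keep only the CERTIFICATE block(s), dropping the text dump around them.

    This mirrors what `openssl x509 -in newcert.pem -out hknaruto.com.pem` does.
    Raises ValueError when no usable certificate block is present.
    """
    certs = [raw for label, _der, raw in extract_pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no PEM CERTIFICATE block found")
    return "\n".join(certs) + "\n"


# Constructed sample: placeholder DER "SEQUENCE { INTEGER 1 }", not a real certificate.
DER_PLACEHOLDER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_B64_BODY = base64.b64encode(DER_PLACEHOLDER).decode()
NEWCERT_PEM_SAMPLE = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Subject: C=CS, ST=Hunan, L=Changsha, O=gw, OU=dev, CN=*.hknaruto.com\n"
    "-----BEGIN CERTIFICATE-----\n"
    f"{SAMPLE_B64_BODY}\n"
    "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    print("newcert.pem clean?", is_clean_pem(NEWCERT_PEM_SAMPLE))   # False: text dump present
    exported = export_certificate(NEWCERT_PEM_SAMPLE)
    print("exported clean?  ", is_clean_pem(exported))             # True
    print(exported, end="")
```

Running the check on the file you are about to hand to kubectl turns the "Fake Certificate" symptom into an explicit error at secret-creation time, which is far easier to diagnose than a silent fallback in the ingress controller.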