How do I add an intermediate SSL certificate to a Kubernetes ingress TLS configuration?

rjee0c15  posted on 2023-05-16  in  Kubernetes
Follow (0) | Answers (7) | Views (175)

The documentation does not specify how to add an intermediate SSL certificate: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
I suppose the next step is to read the Kubernetes source code.

qvsjd97n

qvsjd97n1#

If you add multiple certificates to the tls.cert key in the Kubernetes TLS Ingress configuration, do it like this:

-----BEGIN CERTIFICATE-----
<put your certificate value in a single line >
-----END CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
<put your certificate value in a single line>
-----END INTERMEDIATE CERTIFICATE-----

Otherwise you will get an error during SSL certificate chain validation.
Always put the primary certificate first.

bt1cpqcv

bt1cpqcv2#

You have to append it to the certificate value, just like with nginx.

egmofgnx

egmofgnx3#

Create the certificate with this command:
kubectl create secret generic tlscert_with_ca --from-file=tls.crt=your_cert.crt --from-file=tls.key=your_key.key --from-file=ca.crt=your_ca.crt
By the way, your_ca.crt can also be the intermediate certificate.
For me, the cert in nginx-ingress-controller should look like this:

-----BEGIN CERTIFICATE-----
your_cert
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
your_key
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
your_intermediate
-----END CERTIFICATE-----

See the official doc.

cpjpxq1n

cpjpxq1n4#

Saran's solution worked for me, except that I had to remove "INTERMEDIATE" in the second part:

-----BEGIN CERTIFICATE-----
<put your certificate value in a single line >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<put your **intermediate** certificate value in a single line>
-----END CERTIFICATE-----

Follow Saran's instruction => always put the primary certificate first.

carvr3hs

carvr3hs5#

The intermediate SSL certificate (ca.intermediate.crt) is included as the second certificate in the k8s tls.crt field.
tls.crt contains three files separated by \n: server.crt, ca.intermediate.crt, ca.crt.
Here is an Ansible task that sets up the certificates:

- hosts: localhost
  connection: local
  vars:
    wildcard_foo_com_ssl_tls_crt:
      - "{{ lookup('file', './ssl_certs/star_foo_com/server.crt') }}"
      - "{{ lookup('file', './ssl_certs/star_foo_com/ca.intermediate.crt') }}"
      - "{{ lookup('file', './ssl_certs/star_foo_com/ca.crt') }}"
    wildcard_foo_com_ssl_tls_key: "{{ lookup('file', './ssl_certs/star_foo_com/server.key') }}"

  # the task list must sit under "tasks:" for the play to parse
  tasks:
    - name: Set up foo.com Certs
      k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: name-com-wildcard-foo-com
            namespace: prod
          type: kubernetes.io/tls
          data:
            # leaf, intermediate, root joined with newlines, then base64 on one line
            tls.crt: "{{ wildcard_foo_com_ssl_tls_crt | join('\n') | b64encode }}"
            tls.key: "{{ wildcard_foo_com_ssl_tls_key | b64encode }}"
            # ca.crt: this key seems to be ignored

gr8qqesn

gr8qqesn6#

Assumption: you have three files:

  • privkey.pem
  • the root certificate
  • the intermediate certificate
  1. openssl x509 -inform DER -in root_cert.cer -out root_cert.pem -outform PEM
  2. openssl x509 -inform DER -in interm_cert.cer -out interm_cert.pem -outform PEM
     If commands 1 and 2 do not work, the certificate files may already be in PEM format; in that case you can skip steps 1 and 2.
  3. cat root_cert.pem interm_cert.pem > full.pem
  4. kubectl create secret tls tls-ssl-ingress -n ingress --cert=/path/to/full.pem --key=/path/to/privkey.pem
     The secret's name (called tls-ssl-ingress in these steps) should match the name specified in the ingress deployment file.

s3fp2yjn

s3fp2yjn7#

In the crt file, add the certificates in the following order:

-----BEGIN CERTIFICATE-----
{Certificate issued to you}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{Intermediate certificate}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{Root certificate}
-----END CERTIFICATE-----

To apply the change immediately, restart the nginx controller (assuming you are using this ingress controller):

kubectl rollout restart deployment ingress-nginx-controller -n ingress-nginx
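Before creating the Secret it is worth checking the assembled tls.crt mechanically. The script below is an added example, not code from any answer in this thread: it checks the chain layout the answers above describe (every block labelled plain CERTIFICATE, leaf first followed by the intermediate, no key mixed into tls.crt) and renders the kubernetes.io/tls manifest with single-line base64 data as in the Ansible answer. The function names, the constructed PEM bodies and the Secret name are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lint a tls.crt chain before it goes into a
# kubernetes.io/tls Secret, then render the Secret manifest with base64 data.
# Needs only POSIX sh, awk and base64. PEM bodies below are constructed
# placeholders, not real certificates; function names are assumptions.

# lint_chain FILE: return 0 if FILE is a usable tls.crt. Checks that every block
# is labelled exactly CERTIFICATE (the INTERMEDIATE label from answer 1 is not a
# PEM type parsers accept), that BEGIN/END lines pair up, that no private key is
# mixed in (it belongs in tls.key), and that at least two certificates are
# present: the leaf first, then the intermediate.
lint_chain() {
    awk 'BEGIN { bad = 0; certs = 0; open = "" }
        /^-----BEGIN .*-----$/ {
            label = substr($0, 12, length($0) - 16)
            if (open != "") { print "nested BEGIN at line " NR; bad = 1 }
            open = label
            if (label ~ /PRIVATE KEY/) { print "private key in tls.crt; move it to tls.key"; bad = 1 }
            else if (label != "CERTIFICATE") { print "bad PEM label \"" label "\""; bad = 1 }
            else { certs++ }
            next
        }
        /^-----END .*-----$/ {
            label = substr($0, 10, length($0) - 14)
            if (label != open) { print "END " label " does not match BEGIN " open; bad = 1 }
            open = ""
            next
        }
        END {
            if (open != "") { print "unterminated block " open; bad = 1 }
            if (certs < 2) { print certs " certificate(s); leaf plus intermediate expected"; bad = 1 }
            exit bad
        }' "$1"
}

# render_tls_secret NAME NAMESPACE CRT KEY: print a kubernetes.io/tls Secret
# manifest; data values must be single-line base64, as in the Ansible answer.
render_tls_secret() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
    printf 'type: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
        "$(base64 < "$3" | tr -d '\n')" "$(base64 < "$4" | tr -d '\n')"
}

# write_sample_chain FILE: constructed leaf + intermediate chain, leaf first.
write_sample_chain() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRi1QTEFDRUhPTERFUg==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRFLVBMQUNFSE9MREVS' '-----END CERTIFICATE-----' > "$1"
}
```

Run `lint_chain tls.crt && render_tls_secret my-tls prod tls.crt tls.key | kubectl apply -f -` to only create the Secret when the chain passes the checks.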
