OpenShift4


(Part of the "OpenShift 4.x HOL tutorial collection".) Note: the steps in this article were verified on OpenShift 4.7.

Contents
- What the service certificate is for
- Service CA Operator and Service CA runtime environment
- Service CA components
  - Serving Cert Signer
  - ConfigMap cabundle injector
  - Generic cabundle injector
- Generating a Secret containing a certificate for a Service

What the service certificate is for

There is a great deal of service-to-service communication in OpenShift, both between application services and between OpenShift's own internal services. To secure it, the self-signed certificates issued by OpenShift's Service CA can be used. The following OpenShift resources all use certificates generated by the Service CA:

- cluster-autoscaler-operator
- cluster-monitoring-operator
- cluster-authentication-operator
- cluster-image-registry-operator
- cluster-ingress-operator
- cluster-kube-apiserver-operator
- cluster-kube-controller-manager-operator
- cluster-kube-scheduler-operator
- cluster-networking-operator
- cluster-openshift-apiserver-operator
- cluster-openshift-controller-manager-operator
- cluster-samples-operator
- machine-config-operator
- console-operator
- insights-operator
- machine-api-operator
- operator-lifecycle-manager

OpenShift uses the Service CA Operator to manage the Service CA controller, and the Service CA controller dynamically generates the Service CA certificate as required. The Service CA certificate is valid for 26 months and is rotated automatically when less than 6 months of validity remain. After rotation, the previous Service CA certificate remains trusted until it expires. This gives every affected service a grace period in which to refresh its key material before the old certificate expires. If the cluster is not upgraded within this grace period (an upgrade restarts services and refreshes their key material), the services must be restarted manually to avoid failures once the previous Service CA certificate expires.

Service CA Operator and Service CA runtime environment

The Service CA controller is created by the Service CA Operator.

Check the Service CA Operator:

```
$ oc get clusteroperator service-ca
NAME         VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
service-ca   4.7.11    True        False         False      6d22h
```

List the objects related to the Service CA Operator; among them is a servicecas object named cluster.

```
$ oc get clusteroperator service-ca -ojsonpath='{.status.relatedObjects}' | jq
[
  {
    "group": "operator.openshift.io",
    "name": "cluster",
    "resource": "servicecas"
  },
  {
    "group": "",
    "name": "openshift-config",
    "resource": "namespaces"
  },
  {
    "group": "",
    "name": "openshift-config-managed",
    "resource": "namespaces"
  },
  {
    "group": "",
    "name": "openshift-service-ca-operator",
    "resource": "namespaces"
  },
  {
    "group": "",
    "name": "openshift-service-ca",
    "resource": "namespaces"
  }
]
```

servicecas is a cluster-scoped CRD. The object's "status.generations" field also shows that the runtime backing this CRD is the Deployment named service-ca in the openshift-service-ca project.

```
$ oc get servicecas cluster
NAME      AGE
cluster   6d23h
```

The Service CA Operator runs in the openshift-service-ca-operator project:

```
$ oc get pod -n openshift-service-ca-operator
NAME                                   READY   STATUS    RESTARTS   AGE
service-ca-operator-6455cbfc5d-bdh7r   1/1     Running   0          33h
```

The Service CA itself runs in the openshift-service-ca project:

```
$ oc get pod -n openshift-service-ca
NAME                          READY   STATUS    RESTARTS   AGE
service-ca-85db7c54b9-gqlh7   1/1     Running   0          33h
```

Service CA components

The Service CA consists of the following three components, which generate the CA certificate and inject certificates into existing objects.

Serving Cert Signer

Responsible for generating a signed certificate/key pair.

ConfigMap cabundle injector

Watches configmap objects for the annotation 'service.beta.openshift.io/inject-cabundle=true'. If it is present, the service-ca.crt entry is added to the configmap's data, and the PEM-format private key corresponding to the certificate is added to the signing-key object in the openshift-service-ca project.

Create a configmap:

```
$ oc create configmap test-cm --from-literal=key1=foo
configmap/test-cm created
$ oc get configmap/test-cm -ojsonpath='{.data}' | jq
{
  "key1": "foo"
}
```

Run the following command to add the annotation to the configmap named test-cm, and confirm that service-ca.crt (the public certificate) was generated in the configmap, but that the original "key1": "foo" was automatically removed. The signing data corresponding to service-ca.crt (the private key) is stored as a secret in the signing-key object in the openshift-service-ca project.

```
$ oc annotate configmap test-cm service.beta.openshift.io/inject-cabundle="true"
configmap/test-cm annotated
$ oc get configmap test-cm -ojsonpath='{.data}' | jq
{
  "service-ca.crt": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIIb91oaMmFhtswDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE\n... (PEM body omitted)\n-----END CERTIFICATE-----\n"
}
```

View the Service CA certificate contained in test-cm; it shows the validity period and the signing subject.

```
$ oc get configmap test-cm -o jsonpath="{.data['service-ca\.crt']}" | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8060713707329914587 (0x6fdd6868c98586db)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1620997728
        Validity
            Not Before: May 14 13:08:47 2021 GMT
            Not After : Jul 13 13:08:48 2023 GMT
        Subject: CN=openshift-service-serving-signer@1620997728
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ... (omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                E3:C4:2D:88:64:6C:F7:A8:14:1C:96:1F:97:2E:64:94:47:EE:0E:1F
            X509v3 Authority Key Identifier:
                keyid:E3:C4:2D:88:64:6C:F7:A8:14:1C:96:1F:97:2E:64:94:47:EE:0E:1F
    Signature Algorithm: sha256WithRSAEncryption
         ... (omitted)
-----BEGIN CERTIFICATE-----
... (omitted)
-----END CERTIFICATE-----
```

Export the Service CA certificate contained in test-cm:

```
$ oc get configmap test-cm -o jsonpath="{.data['service-ca\.crt']}" > ~/ca1.crt
```

Fetch the key material from signing-key: tls.crt is the service-ca.crt certificate in PEM format (base64-encoded in the secret), and tls.key is the corresponding PEM-format private key.

```
$ oc get secrets signing-key -n openshift-service-ca -o jsonpath="{.data['tls\.crt']}" | base64 -d > ~/ca2.crt
$ oc get secrets signing-key -n openshift-service-ca -o jsonpath="{.data['tls\.key']}" | base64 -d > ~/ca2.key
```

Run the following commands to confirm that the service-ca.crt certificate and the tls.crt from the signing-key secret contain matching data.

```
$ openssl md5 ~/ca1.crt
MD5(~/ca1.crt)= 4072c8d1c32d38bb659cc506f14a81d1
$ openssl md5 ~/ca2.crt
MD5(~/ca2.crt)= 4072c8d1c32d38bb659cc506f14a81d1
```

Note the relationship between service-ca.crt, tls.crt and tls.key: the private key tls.key held in the signing-key object in the openshift-service-ca project has fixed content. OpenShift simply base64-decodes the tls.crt from the signing-key object and places it in the "service-ca.crt" field of the data section of any configmap carrying 'service.beta.openshift.io/inject-cabundle=true'.

Generic cabundle injector

Watches the cluster's apiservice, ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CustomResourceDefinition objects for the annotation 'service.beta.openshift.io/inject-cabundle=true'. If it is present, the certificate is added to the object's "spec.caBundle" field.

Run the following command to confirm that the apiservice object named 'v1.build.openshift.io' carries the annotation "service.alpha.openshift.io/inject-cabundle=true".

```
$ oc get apiservice/v1.build.openshift.io -o jsonpath='{.metadata.annotations}' | jq
{
  "service.alpha.openshift.io/inject-cabundle": "true"
}
```

Then confirm that the apiservice object named 'v1.build.openshift.io' contains the public certificate issued by the Service CA. The certificate content is the same as the certificate injected into the configmap in the previous section.

```
$ oc get apiservice/v1.build.openshift.io -o jsonpath='{.spec.caBundle}' | base64 -d > ca3.crt
$ openssl md5 ~/ca3.crt
MD5(/root/ca3.crt)= 74a147543bb2e0cef035b885f1387118
```

Generating a Secret containing a certificate for a Service

Using the Service CA features above, a secret containing a certificate can also be generated for a Service, for use inside a pod.

Deploy an httpd application in the test project, then confirm that the corresponding Service has been created.

```
$ oc project test
$ oc new-app --name=httpd centos/httpd-24-centos7~https://github.com/sclorg/httpd-ex.git
$ oc get svc
NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
httpd   ClusterIP   172.30.31.234   <none>        8080/TCP,8443/TCP   7s
```

Add the "service.beta.openshift.io/serving-cert-secret-name" annotation to the Service, specifying the name of the secret to generate. OpenShift then automatically creates the secret object in this project.

```
$ oc annotate service httpd service.beta.openshift.io/serving-cert-secret-name=httpd
service/httpd annotated
```

Look at the generated secret, delete it, and confirm that the system automatically creates a new one.

```
$ oc get secret httpd
$ oc delete secret httpd
$ oc get secret httpd
```

Inspect the generated secret and confirm that it holds two data items: the certificate tls.crt and the private key tls.key. Confirm that the certificate is valid for 2 years.

```
$ oc describe secret httpd
Name:         httpd
Namespace:    test
Labels:       <none>
Annotations:  service.alpha.openshift.io/expiry: 2023-05-22T08:25:44Z
              service.beta.openshift.io/expiry: 2023-05-22T08:25:44Z
              service.beta.openshift.io/originating-service-name: httpd
              service.beta.openshift.io/originating-service-uid: f3b30c3d-1f8a-4f94-a46d-a1283c389b29

Type:  kubernetes.io/tls

Data
====
tls.crt:  2562 bytes
tls.key:  1679 bytes
```

View the public certificate in the secret.

```
$ oc get secret httpd -ojsonpath="{.data['tls\.crt']}" | base64 -d | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2544919971929901676 (0x23515f3b1cadca6c)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1620997728
        Validity
            Not Before: May 22 08:25:43 2021 GMT
            Not After : May 22 08:25:44 2023 GMT
        Subject: CN=httpd.test.svc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ... (omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                73:AA:BB:49:81:96:DD:98:40:CB:01:9B:60:10:E1:D8:75:1E:3C:52
            X509v3 Authority Key Identifier:
                keyid:E3:C4:2D:88:64:6C:F7:A8:14:1C:96:1F:97:2E:64:94:47:EE:0E:1F
            X509v3 Subject Alternative Name:
                DNS:httpd.test.svc, DNS:httpd.test.svc.cluster.local
            1.3.6.1.4.1.2312.17.100.2.1:
                .$5204b66a-a785-4061-b1b1-bc81e3544c9a
    Signature Algorithm: sha256WithRSAEncryption
         ... (omitted)
-----BEGIN CERTIFICATE-----
... (omitted)
-----END CERTIFICATE-----
```

View the issuer of the certificate in the secret.

```
$ oc get secret httpd -ojsonpath="{.data['tls\.crt']}" | base64 -d > httpd.pem
$ openssl crl2pkcs7 -nocrl -certfile httpd.pem | openssl pkcs7 -print_certs -noout
subject=/CN=httpd.test.svc
issuer=/CN=openshift-service-serving-signer@1620997728

subject=/CN=openshift-service-serving-signer@1620997728
issuer=/CN=openshift-service-serving-signer@1620997728
```

Edit the httpd Deployment: under "spec.template.spec" add the entire "volumes" block shown below, and under "spec.template.spec.containers" add the entire 'volumeMounts' block shown below.

```
spec:
  containers:
  - image: image-registry.openshift-image-registry.svc:5000/test/httpd@sha256:02a3a7bf8cf602557ca1780e26e812217760718aea28d468d4dafc8bf723b513
    ...
    volumeMounts:
    - mountPath: /etc/mysecret
      name: mysecret
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  terminationGracePeriodSeconds: 30
  volumes:
  - name: mysecret
    secret:
      secretName: httpd
```

Run the following commands to confirm that the certificate tls.crt and private key tls.key belonging to the service are now accessible inside the pod.

```
$ oc get pod
NAME                     READY   STATUS      RESTARTS   AGE
httpd-1-build            0/1     Completed   0          20m
httpd-7d4789674c-lzz2k   1/1     Running     0          11m
$ oc rsh httpd-7d4789674c-lzz2k
sh-4.2$ ls /etc/mysecret
tls.crt  tls.key
```
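The checks this tutorial performs by hand (that the CA in the configmap matches the signing-key's tls.crt, and that the serving cert in the secret is issued by the Service CA for `<service>.<namespace>.svc`) can be scripted. The following is an added example, not code from the original post or from OpenShift: it builds a constructed stand-in CA and serving certificate with openssl so it runs offline, and the functions `make_demo_pki`, `same_ca` and `check_serving_cert`, the 180-day threshold and all names in it are assumptions of this example.

```shell
# Added example (not from the original post): re-creates offline the checks the
# tutorial runs by hand, with a constructed CA standing in for the cluster's signing-key.
# Assumes a POSIX shell and openssl 1.1.1+; every name and value here is constructed.
set -u
WORK=$(mktemp -d)
# Minimal openssl config so nothing depends on the system openssl.cnf; the CA
# extensions mirror what the tutorial's service-ca.crt shows.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
subjectKeyIdentifier = hash
EOF
# Stand-in Service CA plus a serving cert shaped like the one in the httpd
# secret: CN and SANs of the form <service>.<namespace>.svc[.cluster.local].
make_demo_pki() {   # $1=service  $2=namespace  $3=leaf lifetime in days
    svc="$1.$2.svc"
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 790 \
        -subj "/CN=openshift-service-serving-signer@1620997728" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$svc" -keyout "$WORK/tls.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/leaf.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:%s.cluster.local\n' "$svc" "$svc" >> "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$3" -extfile "$WORK/leaf.ext" -out "$WORK/tls.crt" 2>/dev/null
}
# The tutorial compares ca1.crt/ca2.crt with "openssl md5" on the raw files; the
# SHA-256 certificate fingerprint also tolerates a trailing-newline difference.
same_ca() {   # $1=first PEM  $2=second PEM
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}
# Validate a serving-cert secret's tls.crt against the injected service-ca.crt:
# chain, expected in-cluster DNS name in the SAN, and more than 6 months left
# (the window in which the Service CA itself becomes due for rotation).
check_serving_cert() {   # $1=tls.crt  $2=service-ca.crt  $3=service  $4=namespace
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "chain: not signed by $2"; return 1; }
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$3\.$4\.svc" \
        || { echo "SAN: $3.$4.svc missing"; return 1; }
    openssl x509 -in "$1" -noout -checkend $((180 * 24 * 3600)) >/dev/null \
        || { echo "expiry: under 6 months left, rotation due"; return 1; }
    echo "OK: valid serving cert for $3.$4.svc"
}
```

Against a real cluster, point `check_serving_cert` at the tls.crt decoded from the service's secret and the ca1.crt exported from the configmap above, and `same_ca` at ca1.crt and ca2.crt.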


