Some of our business scenarios require HTTPS mutual authentication (mTLS). Below we walk through how to configure mutual TLS on nginx-ingress.
Create a self-signed CA certificate

```shell
# openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=Fern Cert Authority'
Generating a 4096 bit RSA private key
..................................................................................................................................................................................................................++
.....................................................................................................................................................................................................................................................................................................................................................................++
```
Create the server certificate

Generate the certificate signing request (CSR):

```shell
# openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=test.ingress.com'
Generating a 4096 bit RSA private key
...................................................++
...............................................................................................................................................++
writing new private key to 'server.key'
-----
```
Use the CSR to issue the server certificate, signed by the CA:

```shell
# openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/CN=test.ingress.com
Getting CA Private Key
```
Create the client certificate

First generate the client CSR:

```shell
# openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Fern'
Generating a 4096 bit RSA private key
...................................................++
...............................................................++
writing new private key to 'client.key'
-----
```
Use the client CSR to issue the client certificate, signed by the same CA:

```shell
# openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
Signature ok
subject=/CN=Fern
Getting CA Private Key
```
Check the certificate files

After running the commands above, the following files exist:

```shell
[niewx@VM-0-4-centos ingress-https-two]$ ll
total 36
-rw-rw-r-- 1 niewx niewx 1814 Apr  8 13:42 ca.crt
-rw-rw-r-- 1 niewx niewx 3268 Apr  8 13:42 ca.key
-rw-rw-r-- 1 niewx niewx 1667 Apr  8 13:43 client.crt
-rw-rw-r-- 1 niewx niewx 1578 Apr  8 13:43 client.csr
-rw-rw-r-- 1 niewx niewx 3272 Apr  8 13:43 client.key
-rw-rw-r-- 1 niewx niewx 1684 Apr  8 13:43 server.crt
-rw-rw-r-- 1 niewx niewx 1594 Apr  8 13:43 server.csr
-rw-rw-r-- 1 niewx niewx 3272 Apr  8 13:43 server.key
```
Store the CA certificate in a secret

All my k8s resources are deployed in the weixnie namespace, so the matching namespace is passed to every command:

```shell
# kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt -n weixnie
```
Store the server certificate in a TLS secret

```shell
# kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key -n weixnie
```
Create the Ingress

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    # require a client certificate on every TLS connection
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # namespace/name of the secret holding the CA (ca.crt) that must have signed the client certificate
    nginx.ingress.kubernetes.io/auth-tls-secret: "weixnie/ca-secret"
    # maximum chain depth accepted between the client certificate and the CA
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # forward the verified client certificate to the backend in a request header
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    kubernetes.io/ingress.class: nginx-intranet
  name: nginx-test-https
  namespace: weixnie
spec:
  rules:
  - host: test.ingress.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
        path: /
  tls:
  - hosts:
    - foo.bar.com   # note: does not match the rule host test.ingress.com above
    secretName: tls-secret   # the server certificate and key created earlier
```
Test access

Because the domain name was made up, the hosts file has to be configured first. Note that with `sudo echo ... >> /etc/hosts` only the echo runs as root while the shell redirect does not, so pipe through `sudo tee -a` instead:

```shell
# echo "172.16.0.14 test.ingress.com" | sudo tee -a /etc/hosts
```
Next we access the service by domain name, first without a client certificate:

```html
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>
```
Without a client certificate the request is rejected with a 400. Next we test access with the client certificate configured:

```shell
# curl -k --cacert ./ca.crt --cert ./client.crt --key ./client.key https://test.ingress.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
With the client certificate the request succeeds, which shows that the mutual TLS configuration is working.
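The two curl runs above reduce to one rule enforced at the TLS layer: the server only completes the handshake if the client presents a certificate signed by the CA in `ca-secret`. The following Python, added here and not part of the original post, rebuilds the page's CA, server and client certificates with openssl in a scratch directory (2048-bit keys and a SAN on the server certificate are my choices, not the page's) and performs the handshake locally once without and once with the client certificate; the server side rejects the first, which is what nginx reports as the 400 above, and identifies the client by its CN on the second.

```python
import os, pathlib, socket, ssl, subprocess, tempfile, threading

def make_certs(certdir):  # same CA/server/client layout as the page, 2048-bit keys to keep it quick
    def run(*args):
        subprocess.run(["openssl", *args], cwd=certdir, check=True, capture_output=True)
    run("req", "-x509", "-sha256", "-newkey", "rsa:2048", "-keyout", "ca.key", "-out", "ca.crt",
        "-days", "365", "-nodes", "-subj", "/CN=Fern Cert Authority")
    san = pathlib.Path(certdir, "san.cnf")  # a SAN lets the client verify the hostname without curl's -k
    san.write_text("subjectAltName=DNS:test.ingress.com\n")
    for name, cn, serial, extra in (("server", "test.ingress.com", "01", ("-extfile", str(san))),
                                    ("client", "Fern", "02", ())):
        run("req", "-new", "-newkey", "rsa:2048", "-keyout", f"{name}.key", "-out", f"{name}.csr",
            "-nodes", "-subj", f"/CN={cn}")
        run("x509", "-req", "-sha256", "-days", "365", "-in", f"{name}.csr", "-CA", "ca.crt",
            "-CAkey", "ca.key", "-set_serial", serial, "-out", f"{name}.crt", *extra)

def handshake(certdir, send_client_cert):  # returns what the server side concluded about the client
    p = lambda f: os.path.join(certdir, f)
    srv_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=p("ca.crt"))  # auth-tls-secret
    srv_ctx.load_cert_chain(p("server.crt"), p("server.key"))  # what tls-secret holds
    srv_ctx.verify_mode = ssl.CERT_REQUIRED  # auth-tls-verify-client: "on" (default here would be CERT_NONE)
    cli_ctx = ssl.create_default_context(cafile=p("ca.crt"))  # curl --cacert
    if send_client_cert:
        cli_ctx.load_cert_chain(p("client.crt"), p("client.key"))  # curl --cert / --key
    outcome = []
    with socket.create_server(("127.0.0.1", 0)) as listener:
        def server():
            try:
                with srv_ctx.wrap_socket(listener.accept()[0], server_side=True) as tls:
                    subj = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                    outcome.append("accepted client CN=" + subj["commonName"])
            except OSError as e:  # handshake failed, e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
                outcome.append("rejected: " + (getattr(e, "reason", None) or str(e)))
        t = threading.Thread(target=server)
        t.start()
        try:
            with socket.create_connection(listener.getsockname()) as raw, \
                    cli_ctx.wrap_socket(raw, server_hostname="test.ingress.com") as tls:
                tls.sendall(b"GET / HTTP/1.0\r\nHost: test.ingress.com\r\n\r\n")
        except OSError:
            pass  # the client sees the alert here (TLS 1.2) or only on a later read (TLS 1.3)
        t.join()
    return outcome[0]

def demo():  # the page's two curl runs: first without, then with the client certificate
    with tempfile.TemporaryDirectory() as d:
        make_certs(d)
        return handshake(d, False), handshake(d, True)
```

`demo()` needs the `openssl` binary on PATH; nothing else leaves the machine, and the scratch directory with the keys is deleted when it returns.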