Digital certificate standards:
Common digital certificate formats:
In one-way authentication only one party verifies the other's identity; normally the client verifies the server. The client checks whether the digital certificate presented by the server is valid in order to decide whether the server is legitimate, while the server does not verify the client at all. The client can therefore be sure it is talking to the legitimate server, but the server cannot be sure it is talking to a legitimate client. One-way authentication is used where strong server authentication is required but client authentication matters less, such as ordinary website access.
How one-way authentication works:
Mutual authentication requires both communicating parties to verify each other's identity: the client verifies the server and the server verifies the client. Both sides use digital certificates to prove who they are. When the client connects, it sends its own certificate and the server validates it; the server likewise sends its certificate to the client, which validates it. Communication continues only once both sides have passed authentication. Mutual authentication is used where the identity of both parties must be verified, such as security-sensitive data exchange and financial transactions.
How mutual authentication works:
Generate the CA certificate:
# Generate the CA root private key: for safety, use a 4096-bit key and encrypt it with AES
$ openssl genrsa -aes256 -out kubesre-ca.key 4096
Enter PEM pass phrase: # passphrase: 12345678
Verifying - Enter PEM pass phrase:
# Issue the self-signed CA root certificate with the CA root private key
$ openssl req -new -x509 -days 3650 -sha256 -extensions v3_ca -key kubesre-ca.key -out kubesre-ca.cer -subj "/C=CN/ST=shanghai/L=shanghai/O=kubesre/OU=kubesre/CN=*.kubesre.com"
Enter pass phrase for kubesre-ca.key: # passphrase: 12345678
Generate the server certificate:
# Generate the server private key
$ openssl genrsa -out kubesre-server.key 2048
# Generate the certificate signing request (CSR)
$ openssl req -new -key kubesre-server.key -out kubesre-server.csr -subj "/C=CN/ST=shanghai/L=shanghai/O=kubesre/OU=kubesre/CN=demo.kubesre.com"
# Sign the server certificate with the CA certificate
$ openssl x509 -req -days 3650 -sha256 -CA kubesre-ca.cer -CAkey kubesre-ca.key -in kubesre-server.csr -out kubesre-server.cer
Certificate request self-signature ok
subject=C = CN, ST = shanghai, L = shanghai, O = kubesre, OU = kubesre, CN = demo.kubesre.com
Enter pass phrase for kubesre-ca.key: # passphrase: 12345678
$ ll
total 40
-rw-r--r--@ 1 chuanzhang staff 2.0K 8 13 15:24 kubesre-ca.cer
-rw-------@ 1 chuanzhang staff 3.4K 8 13 15:22 kubesre-ca.key
-rw-r--r--@ 1 chuanzhang staff 1.6K 8 13 15:31 kubesre-server.cer
-rw-r--r--@ 1 chuanzhang staff 1.0K 8 13 15:28 kubesre-server.csr
-rw-------@ 1 chuanzhang staff 1.7K 8 13 15:27 kubesre-server.key
Create the certificate Secret (certificates are stored in a Kubernetes Secret):
$ kubectl create secret tls kubesre-tls --key kubesre-server.key --cert kubesre-server.cer
secret/kubesre-tls created
$ kubectl get secret
NAME TYPE DATA AGE
kubesre-tls kubernetes.io/tls 2 18s
Create the Ingress resource:
$ cat ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
spec:
  tls:
  - hosts:
    - demo.kubesre.com
    secretName: kubesre-tls # the certificate Secret created above
  rules:
  - host: demo.kubesre.com
    http:
      paths:
      - path: /info
        pathType: Prefix
        backend:
          service:
            name: demo-svc
            port:
              number: 8080
  ingressClassName: nginx
$ kubectl apply -f ingress.yml
ingress.networking.k8s.io/demo configured
Verify (-k tells curl to skip verification of the server certificate, since the CA is private and not in the system trust store):
$ curl -k https://demo.kubesre.com/info
{"message":"云原生运维圈!"}
The previous step issued the server certificate; next we issue the client certificate.
# Generate the client private key
$ openssl genrsa -out kubesre-client.key 2048
# Generate the certificate signing request (CSR)
$ openssl req -new -key kubesre-client.key -out kubesre-client.csr -subj "/C=CN/ST=shanghai/L=shanghai/O=kubesre/OU=kubesre/CN=client.kubesre.com"
# Sign the client certificate with the CA certificate
$ openssl x509 -req -days 3650 -sha256 -CA kubesre-ca.cer -CAkey kubesre-ca.key -in kubesre-client.csr -out kubesre-client.cer
Certificate request self-signature ok
subject=C = CN, ST = shanghai, L = shanghai, O = kubesre, OU = kubesre, CN = client.kubesre.com
Enter pass phrase for kubesre-ca.key: # passphrase: 12345678
$ ls -l | grep client
-rw-r--r--@ 1 chuanzhang staff 1590 8 13 15:46 kubesre-client.cer
-rw-r--r--@ 1 chuanzhang staff 1021 8 13 15:46 kubesre-client.csr
-rw-------@ 1 chuanzhang staff 1704 8 13 15:46 kubesre-client.key
Create the Secret holding the CA certificate (ingress-nginx expects the key name ca.crt):
$ kubectl create secret generic ca-secret --from-file=ca.crt=kubesre-ca.cer
secret/ca-secret created
$ kubectl get secret
NAME TYPE DATA AGE
ca-secret Opaque 1 74s
kubesre-tls kubernetes.io/tls 2 28m
Create the Ingress resource:
$ cat ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" # enable client certificate verification
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret" # the CA certificate used to verify clients (namespace/secret)
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" # verification depth between the client certificate and the CA chain
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" # whether to pass the received client certificate to the upstream server; disabled by default
  name: demo
spec:
  tls:
  - hosts:
    - demo.kubesre.com
    secretName: kubesre-tls
  rules:
  - host: demo.kubesre.com
    http:
      paths:
      - path: /info
        pathType: Prefix
        backend:
          service:
            name: demo-svc
            port:
              number: 8080
  ingressClassName: nginx
$ kubectl apply -f ingress.yml
ingress.networking.k8s.io/demo configured
Verify:
# A 400 response means no client certificate was sent
$ curl -k https://demo.kubesre.com/info
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>
# Send the client certificate along (and trust the CA for the server certificate via --cacert) and the request succeeds
$ curl --cacert ./kubesre-ca.cer --cert ./kubesre-client.cer --key ./kubesre-client.key https://demo.kubesre.com/info
{"message":"云原生运维圈!"}
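The two handshake behaviours this article relies on, the one-way check from the principle sections at the top (the client verifies the server; curl -k skips even that) and the mutual check just exercised with curl (no certificate gives the 400, a certificate signed by the trusted CA is accepted), can be reproduced end to end without a cluster. The Go program below is an added example, not code from the article or from ingress-nginx: it mints a CA, a server certificate and client certificates in memory as constructed stand-ins for the kubesre-*.cer files, stands up a TLS listener on loopback in place of the Ingress, and runs the same scenarios as the curl calls above plus two extra ones (a server whose private CA is not trusted, and a client certificate signed by a different CA). The names mint, connect, RunScenarios and must are chosen here. One caveat it makes visible: the server certificate carries a SAN, because Go rejects certificates that only have a CN, whereas the openssl commands above issue CN-only certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint is a constructed stand-in for the article's openssl steps and kubesre-*.cer/.key files (throwaway P-256 keys):
// parent == nil gives the self-signed CA, otherwise a leaf signed by parent. The CN is repeated as a SAN since Go ignores the CN.
func mint(parent *tls.Certificate, cn string, usage x509.ExtKeyUsage, serial int64) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"kubesre"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // CA: mark it as one and let it sign itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	} else { // leaf: restrict it to server or client use
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{usage}, []string{cn}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// connect does one TLS exchange over loopback TCP and returns the first client-side error. It reads two bytes instead
// of only handshaking: Read runs the handshake implicitly, and under TLS 1.3 the client is done before the server has judged its cert.
func connect(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		raw := must(ln.Accept())
		defer raw.Close()
		srv := tls.Server(raw, serverCfg)
		if srv.Handshake() == nil {
			srv.Write([]byte("ok")) // stands in for the 200 JSON reply
		}
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	_, err := io.ReadFull(tls.Client(raw, clientCfg), make([]byte, 2))
	raw.Close()
	<-done
	return err
}

// RunScenarios reproduces the article's curl checks against the one-way Ingress (tls: block only) and
// the mutual one (auth-tls-verify-client "on", ca-secret as ClientCAs). true means the request was served.
func RunScenarios() map[string]bool {
	ca := mint(nil, "*.kubesre.com", 0, 1)
	server := mint(&ca, "demo.kubesre.com", x509.ExtKeyUsageServerAuth, 2)
	client := mint(&ca, "client.kubesre.com", x509.ExtKeyUsageClientAuth, 3)
	otherCA := mint(nil, "other-ca", 0, 4) // never added to the server's trust store
	otherClient := mint(&otherCA, "client.kubesre.com", x509.ExtKeyUsageClientAuth, 5)
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	oneWay := &tls.Config{Certificates: []tls.Certificate{server}}
	mutual := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	cases := map[string][2]*tls.Config{
		"one-way: curl -k":                  {oneWay, &tls.Config{InsecureSkipVerify: true}},
		"one-way: curl --cacert":            {oneWay, &tls.Config{RootCAs: trust, ServerName: "demo.kubesre.com"}},
		"one-way: private CA not trusted":   {oneWay, &tls.Config{ServerName: "demo.kubesre.com"}},
		"mutual: no client cert (the 400)":  {mutual, &tls.Config{RootCAs: trust, ServerName: "demo.kubesre.com"}},
		"mutual: cert signed by kubesre CA": {mutual, &tls.Config{RootCAs: trust, ServerName: "demo.kubesre.com", Certificates: []tls.Certificate{client}}},
		"mutual: cert signed by other CA":   {mutual, &tls.Config{RootCAs: trust, ServerName: "demo.kubesre.com", Certificates: []tls.Certificate{otherClient}}},
	}
	out := map[string]bool{}
	for name, c := range cases {
		out[name] = connect(c[0], c[1]) == nil
	}
	return out
}

func main() {
	for name, served := range RunScenarios() {
		fmt.Printf("%-34s served=%v\n", name, served)
	}
}
```

Running it prints one served=true/false line per scenario. The mutual-TLS rejections are reported by the client's first Read rather than by Handshake: TLS 1.3 lets the client finish its handshake before the server has verified the client certificate, which is the same reason curl only sees the 400 page after the handshake has apparently completed. The "private CA not trusted" scenario is what curl without -k or --cacert would see, and the "other CA" scenario shows that the server checks the issuer against ca-secret rather than accepting any certificate.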
This article explained how one-way and mutual authentication work, walked through the complete flow from issuing certificates to deploying and testing them as it is done in practice, and showed how certificates are stored and managed in Kubernetes through Secrets. The next chapter covers advanced Ingress rewrites and regular expressions; stay tuned!