OpenShift 4 - Using Service CA certificates to secure internal communication
"OpenShift 4.x HOL tutorial collection"
Note: this article was verified in an OpenShift 4.7 environment.

Contents

  • What Service Certificates are for
  • The Service CA Operator and where the Service CA runs
  • Components of the Service CA
    • Serving Cert Signer
    • ConfigMap cabundle injector
    • Generic cabundle injector
  • Generating a Secret with a serving certificate for a Service

What Service Certificates are for

OpenShift carries a large amount of service-to-service traffic, both between application services and between OpenShift's own internal services. To protect that traffic, certificates issued by OpenShift's Service CA (a cluster-internal, self-signed CA) can be used to secure the connections. The following OpenShift components use certificates generated by the Service CA:

  • cluster-autoscaler-operator
  • cluster-monitoring-operator
  • cluster-authentication-operator
  • cluster-image-registry-operator
  • cluster-ingress-operator
  • cluster-kube-apiserver-operator
  • cluster-kube-controller-manager-operator
  • cluster-kube-scheduler-operator
  • cluster-networking-operator
  • cluster-openshift-apiserver-operator
  • cluster-openshift-controller-manager-operator
  • cluster-samples-operator
  • machine-config-operator
  • console-operator
  • insights-operator
  • machine-api-operator
  • operator-lifecycle-manager

OpenShift runs the Service CA controller through the Service CA Operator; the controller issues certificates from the Service CA on demand. The Service CA certificate is valid for 26 months and is rotated automatically when less than 6 months of validity remain. After rotation the previous Service CA certificate is still trusted until it expires, which gives every affected service a grace period in which to refresh its key material. If the cluster is not upgraded during that grace period (an upgrade restarts the services and refreshes their key material), the services must be restarted manually; otherwise they fail once the old Service CA certificate expires.

The Service CA Operator and where the Service CA runs

The Service CA controller is created by the Service CA Operator.

  1. Look at the Service CA Operator as a ClusterOperator.
$ oc get clusteroperator service-ca
NAME         VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
service-ca   4.7.11    True        False         False      6d22h
  2. List the objects related to the Service CA Operator. Among them is a servicecas object named cluster.
$ oc get clusteroperator service-ca -ojsonpath='{.status.relatedObjects}' | jq
[
  {"group": "operator.openshift.io", "name": "cluster", "resource": "servicecas"},
  {"group": "", "name": "openshift-config", "resource": "namespaces"},
  {"group": "", "name": "openshift-config-managed", "resource": "namespaces"},
  {"group": "", "name": "openshift-service-ca-operator", "resource": "namespaces"},
  {"group": "", "name": "openshift-service-ca", "resource": "namespaces"}
]
  3. servicecas is a cluster-scoped CRD. Its "status.generations" field also shows where the controller runs: the Deployment named service-ca in the openshift-service-ca project.
$ oc get servicecas cluster
NAME      AGE
cluster   6d23h
  4. The Service CA Operator runs in the openshift-service-ca-operator project.
$ oc get pod -n openshift-service-ca-operator
NAME                                   READY   STATUS    RESTARTS   AGE
service-ca-operator-6455cbfc5d-bdh7r   1/1     Running   0          33h
  5. The Service CA controller itself runs in the openshift-service-ca project.
$ oc get pod -n openshift-service-ca
NAME                          READY   STATUS    RESTARTS   AGE
service-ca-85db7c54b9-gqlh7   1/1     Running   0          33h

Components of the Service CA

The Service CA has three components: one that issues certificates and two that inject the CA certificate into existing objects.

Serving Cert Signer

Issues a signed certificate/key pair for a Service that asks for one (see the last section).

ConfigMap cabundle injector

Watches ConfigMap objects for the annotation 'service.beta.openshift.io/inject-cabundle=true'. When a ConfigMap carries it, the injector writes the Service CA certificate into the service-ca.crt key of the ConfigMap's data. The certificate it copies is the tls.crt from the signing-key Secret in the openshift-service-ca project; the matching private key, tls.key, stays in that Secret and is never placed in the ConfigMap.

  1. Create a ConfigMap.
$ oc create configmap test-cm --from-literal=key1=foo
configmap/test-cm created
$ oc get configmap/test-cm -ojsonpath='{.data}' | jq
{
  "key1": "foo"
}
  2. Add the annotation to the ConfigMap named test-cm and confirm that service-ca.crt (the CA's public certificate) now appears in it. Note that the original "key1": "foo" entry was removed by the injection, so keep a ConfigMap that receives the CA bundle dedicated to that purpose rather than mixing it with other data. The private key corresponding to service-ca.crt is not created by this step; it already exists in the signing-key Secret in the openshift-service-ca project.
$ oc annotate configmap test-cm service.beta.openshift.io/inject-cabundle="true"
configmap/test-cm annotated
$ oc get configmap test-cm -ojsonpath='{.data}' | jq
{"service-ca.crt": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIIb91oaMmFhtswDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE\nAwwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTYyMDk5NzcyODAe\nFw0yMTA1MTQxMzA4NDdaFw0yMzA3MTMxMzA4NDhaMDYxNDAyBgNVBAMMK29wZW5z\naGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE2MjA5OTc3MjgwggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP4uAFYdrz6pvDKKh9FRWVVx6hZQ0MH5Gc\nCxo9qXjdJRxEyOLgJtfYVlQennP/05LytIKR2iCphd6elo2PLgstMQjn4VC21JH1\nv7k+M60oIkFGAxEui6TmZpH75L3Q23ZtVCsGrqOkfDkIZek7KNnGUKQQIo26j/Fh\nuhPQui6rGKF3Tm14jYg8mLgAvs0D33yfgq9RpM0c1Vmz3LNarRaTYIL+TBLeJQ29\nCmnKZsVaT6KqLfjZ0l4OzVLKFlOq5LS2+pXAPg4oH5Zv7hTVmUxETVvgEJ2YUUGK\nI8DE5QBCgdrh08k9zncz77c/vOeMKAQKSGMyzgweqdnxdrCbOZUPAgMBAAGjYzBh\nMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTjxC2I\nZGz3qBQclh+XLmSUR+4OHzAfBgNVHSMEGDAWgBTjxC2IZGz3qBQclh+XLmSUR+4O\nHzANBgkqhkiG9w0BAQsFAAOCAQEAQzU1atZUr/UHLCn1wu7vKdi/mV5eFrfb+ox/\nCXhv0V/3S626+0VUJowb3bqpnAzjB4leMFHZiNITaVh4A0Kj+j8XM0pkWxjipMoB\nbX3rKFMnChtbZo4WZVv10o3QevVMtykbcuHO8S9b2SxxEqxidAmb50VrNl7WrZPl\nx9QK41+9P+1r5XFrL5tV+Qs35o4CkZDMOFKHmsWctZAc1TGdIaiF5bhnPd8vItPr\n7p0vZEseJ/MXMqNUkIQ58T+XOEvBjoBw3qhCfMH6SPkgLzvS6JbPuWHEE6dw1tOV\n/nvntOlkI/JEza7XXcZ/sB4o+R5lLjp/z6lOQw26AJUicP94aA==\n-----END CERTIFICATE-----\n"
}
  3. Inspect the Service CA certificate held in test-cm. The output shows, among other things, the validity period and the subject.
$ oc get configmap test-cm -o jsonpath="{.data['service-ca\.crt']}" | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8060713707329914587 (0x6fdd6868c98586db)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1620997728
        Validity
            Not Before: May 14 13:08:47 2021 GMT
            Not After : Jul 13 13:08:48 2023 GMT
        Subject: CN=openshift-service-serving-signer@1620997728
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:e2:e0:05:61:da:f3:ea:9b:c3:28:a8:7d:15:15:95:57:1e:a1:65:0d:0c:1f:91:9c:0b:1a:3d:a9:78:dd:25:1c:44:c8:e2:e0:26:d7:d8:56:54:1e:9e:73:ff:d3:92:f2:b4:82:91:da:20:a9:85:de:9e:96:8d:8f:2e:0b:2d:31:08:e7:e1:50:b6:d4:91:f5:bf:b9:3e:33:ad:28:22:41:46:03:11:2e:8b:a4:e6:66:91:fb:e4:bd:d0:db:76:6d:54:2b:06:ae:a3:a4:7c:39:08:65:e9:3b:28:d9:c6:50:a4:10:22:8d:ba:8f:f1:61:ba:13:d0:ba:2e:ab:18:a1:77:4e:6d:78:8d:88:3c:98:b8:00:be:cd:03:df:7c:9f:82:af:51:a4:cd:1c:d5:59:b3:dc:b3:5a:ad:16:93:60:82:fe:4c:12:de:25:0d:bd:0a:69:ca:66:c5:5a:4f:a2:aa:2d:f8:d9:d2:5e:0e:cd:52:ca:16:53:aa:e4:b4:b6:fa:95:c0:3e:0e:28:1f:96:6f:ee:14:d5:99:4c:44:4d:5b:e0:10:9d:98:51:41:8a:23:c0:c4:e5:00:42:81:da:e1:d3:c9:3d:ce:77:33:ef:b7:3f:bc:e7:8c:28:04:0a:48:63:32:ce:0c:1e:a9:d9:f1:76:b0:9b:39:95:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                E3:C4:2D:88:64:6C:F7:A8:14:1C:96:1F:97:2E:64:94:47:EE:0E:1F
            X509v3 Authority Key Identifier:
                keyid:E3:C4:2D:88:64:6C:F7:A8:14:1C:96:1F:97:2E:64:94:47:EE:0E:1F
    Signature Algorithm: sha256WithRSAEncryption
         43:35:35:6a:d6:54:af:f5:07:2c:29:f5:c2:ee:ef:29:d8:bf:99:5e:5e:16:b7:db:fa:8c:7f:09:78:6f:d1:5f:f7:4b:ad:ba:fb:45:54:26:8c:1b:dd:ba:a9:9c:0c:e3:07:89:5e:30:51:d9:88:d2:13:69:58:78:03:42:a3:fa:3f:17:33:4a:64:5b:18:e2:a4:ca:01:6d:7d:eb:28:53:27:0a:1b:5b:66:8e:16:65:5b:f5:d2:8d:d0:7a:f5:4c:b7:29:1b:72:e1:ce:f1:2f:5b:d9:2c:71:12:ac:62:74:09:9b:e7:45:6b:36:5e:d6:ad:93:e5:c7:d4:0a:e3:5f:bd:3f:ed:6b:e5:71:6b:2f:9b:55:f9:0b:37:e6:8e:02:91:90:cc:38:52:87:9a:c5:9c:b5:90:1c:d5:31:9d:21:a8:85:e5:b8:67:3d:df:2f:22:d3:eb:ee:9d:2f:64:4b:1e:27:f3:17:32:a3:54:90:84:39:f1:3f:97:38:4b:c1:8e:80:70:de:a8:42:7c:c1:fa:48:f9:20:2f:3b:d2:e8:96:cf:b9:61:c4:13:a7:70:d6:d3:95:fe:7b:e7:b4:e9:64:23:f2:44:cd:ae:d7:5d:c6:7f:b0:1e:28:f9:1e:65:2e:3a:7f:cf:a9:4e:43:0d:ba:00:95:22:70:ff:78:68
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  4. Export the Service CA certificate held in test-cm.
$ oc get configmap test-cm -o jsonpath="{.data['service-ca\.crt']}" > ~/ca1.crt
  5. Fetch the signer material from the signing-key Secret. As with any Secret, both fields are base64-encoded: tls.crt decodes to the PEM certificate that was injected as service-ca.crt, and tls.key decodes to the PEM private key of the CA.
$ oc get secrets signing-key -n openshift-service-ca -o jsonpath="{.data['tls\.crt']}" | base64 -d > ~/ca2.crt
$ oc get secrets signing-key -n openshift-service-ca -o jsonpath="{.data['tls\.key']}" | base64 -d > ~/ca2.key
  6. Confirm that the injected service-ca.crt and the tls.crt from the Secret are the same certificate.
$ openssl md5 ~/ca1.crt
MD5(~/ca1.crt)= 4072c8d1c32d38bb659cc506f14a81d1
$ openssl md5 ~/ca2.crt
MD5(~/ca2.crt)= 4072c8d1c32d38bb659cc506f14a81d1

To sum up the relationship between service-ca.crt, tls.crt and tls.key: the signing-key Secret in the openshift-service-ca project holds the CA's private key (tls.key) and certificate (tls.crt); annotating a ConfigMap neither creates nor changes them (they only change when the Service CA is rotated). OpenShift simply base64-decodes tls.crt from that Secret and writes it into the "service-ca.crt" key in the data of every ConfigMap annotated with 'service.beta.openshift.io/inject-cabundle=true'. tls.key is the key that signs every serving certificate in the cluster: access to the openshift-service-ca project should be restricted accordingly, and the key must never be mounted into a workload.

Generic cabundle injector

Watches the cluster's APIService, ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CustomResourceDefinition objects for the annotation 'service.beta.openshift.io/inject-cabundle=true' and, when it is present, writes the Service CA certificate into the object's caBundle field: spec.caBundle for an APIService, webhooks[].clientConfig.caBundle for the webhook configurations, and spec.conversion.webhook.clientConfig.caBundle for a CRD. This is what lets the API server and the webhook machinery verify TLS connections to services that present certificates issued by the Service CA.

  1. Confirm that the APIService named 'v1.build.openshift.io' carries the injection annotation. This built-in object still uses the older 'service.alpha.openshift.io/inject-cabundle' name, which the injector also honours.
$ oc get apiservice/v1.build.openshift.io -o jsonpath='{.metadata.annotations}' | jq
{
  "service.alpha.openshift.io/inject-cabundle": "true"
}
  2. Confirm that 'v1.build.openshift.io' carries the public certificate issued by the Service CA. It is the same CA certificate that was injected into the ConfigMap in the previous section. Note that the MD5 printed here differs from the one computed for ~/ca1.crt above even though both files carry the same CA certificate: hashing a raw file is sensitive to a trailing newline or other whitespace. Compare certificate fingerprints instead (openssl x509 -noout -fingerprint -sha256), which are computed over the DER encoding and ignore such differences.
$ oc get apiservice/v1.build.openshift.io -o jsonpath='{.spec.caBundle}' | base64 -d > ~/ca3.crt
$ openssl md5 ~/ca3.crt
MD5(/root/ca3.crt)= 74a147543bb2e0cef035b885f1387118

Generating a Secret with a serving certificate for a Service

The Service CA can also issue a serving certificate for a Service and store it in a Secret, so that the pods behind the Service can terminate TLS with it.

  1. Deploy an httpd application in the test project and confirm that the corresponding Service was created.
$ oc project test
$ oc new-app --name=httpd centos/httpd-24-centos7~https://github.com/sclorg/httpd-ex.git
$ oc get svc
NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
httpd   ClusterIP   172.30.31.234   <none>        8080/TCP,8443/TCP   7s
  2. Add the "service.beta.openshift.io/serving-cert-secret-name" annotation to the Service, giving the name of the Secret to generate. OpenShift then creates that Secret in the same project automatically.
$ oc annotate service httpd service.beta.openshift.io/serving-cert-secret-name=httpd
service/httpd annotated
  3. Look at the generated Secret, delete it, and confirm that the controller recreates it.
$ oc get secret httpd
$ oc delete secret httpd
$ oc get secret httpd
  4. Inspect the generated Secret. It holds two items, the certificate tls.crt and the private key tls.key, and the expiry annotations show that the certificate is valid for 2 years.
$ oc describe secret httpd
Name:         httpd
Namespace:    test
Labels:       <none>
Annotations:  service.alpha.openshift.io/expiry: 2023-05-22T08:25:44Z
              service.beta.openshift.io/expiry: 2023-05-22T08:25:44Z
              service.beta.openshift.io/originating-service-name: httpd
              service.beta.openshift.io/originating-service-uid: f3b30c3d-1f8a-4f94-a46d-a1283c389b29
Type:  kubernetes.io/tls

Data
====
tls.crt:  2562 bytes
tls.key:  1679 bytes
  5. Look at the certificate in the Secret.
$ oc get secret httpd -o jsonpath="{.data['tls\.crt']}" | base64 -d | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2544919971929901676 (0x23515f3b1cadca6c)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1620997728
        Validity
            Not Before: May 22 08:25:43 2021 GMT
            Not After : May 22 08:25:44 2023 GMT
        Subject: CN=httpd.test.svc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:21:1b:e2:fd:86:b3:39:fe:21:da:72:2c:e6:b7:23:36:13:2c:7c:d0:fd:8f:94:56:05:00:75:7b:da:db:4c:0f:e7:a7:9a:eb:77:b7:b0:91:02:a9:21:0b:0f:5a:03:db:ca:57:d9:62:af:7e:6d:a8:42:91:76:ce:0b:9c:ce:9f:a0:9d:bf:96:e3:c9:e5:a7:d0:ba:7a:4b:e6:2d:62:df:4a:4e:c9:5a:a1:87:c9:8a:30:65:8d:f9:a1:22:2a:37:99:80:31:f1:cf:da:e1:fc:a9:45:d3:61:84:05:e5:cc:a2:c3:1a:65:eb:f5:ed:69:50:91:cf:6b:5b:3e:39:be:a2:18:16:b7:13:78:18:de:3a:d4:69:e3:53:fb:33:44:88:1a:57:9d:7b:bf:5a:6c:66:d2:fa:65:96:19:1a:02:75:87:2c:3b:2f:6e:86:b5:a5:b8:59:27:50:70:5f:aa:18:8b:38:3c:5d:64:27:0f:3b:74:fe:d6:8c:d8:89:3c:9f:91:a7:a6:76:8a:6a:34:82:8a:d0:0d:d6:88:15:32:66:ce:c3:d8:08:ba:9e:e8:37:1f:d8:64:13:d6:ae:53:a9:22:bf:6e:02:4f:90:8a:3f:11:02:bf:3e:a3:62:b1:9b:c6:dd:ad:59:98:38:da:92:25:40:d9:57:5e:83
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                73:AA:BB:49:81:96:DD:98:40:CB:01:9B:60:10:E1:D8:75:1E:3C:52
            X509v3 Authority Key Identifier:
                keyid:E3:C4:2D:88:64:6C:F7:A8:14:1C:96:1F:97:2E:64:94:47:EE:0E:1F
            X509v3 Subject Alternative Name:
                DNS:httpd.test.svc, DNS:httpd.test.svc.cluster.local
            1.3.6.1.4.1.2312.17.100.2.1:
                .$5204b66a-a785-4061-b1b1-bc81e3544c9a
    Signature Algorithm: sha256WithRSAEncryption
         cb:53:59:4f:37:89:b4:81:63:50:2c:93:5b:ff:5a:5a:ba:98:ae:3f:11:4c:83:fc:31:8a:ad:4f:98:d5:42:ac:99:f3:bf:d3:f9:d7:93:76:73:ce:b5:b5:25:87:71:ed:ca:d0:52:05:8f:aa:1f:72:d7:d4:5b:5f:7e:90:97:76:63:2d:3c:c0:fc:96:48:c0:34:0e:99:15:64:54:ec:9c:04:41:3c:cf:5c:48:68:c0:23:6f:cd:2a:ab:5a:2e:a7:79:44:59:8c:83:2d:90:cd:35:13:e3:28:78:03:31:a9:51:22:3b:79:78:58:c5:2f:55:6e:cd:bd:8b:8f:87:65:17:86:a8:e7:08:ab:fc:10:89:48:d8:af:37:19:84:36:11:06:60:53:e4:de:7a:e8:8b:7d:5a:d4:74:0a:a3:09:c1:b7:ab:40:97:5b:2d:08:f2:76:05:e3:52:dc:dd:83:9d:0d:04:c5:1d:8f:7b:ae:a6:2d:ec:a6:d2:8b:00:88:2f:04:3b:25:5e:16:d1:e5:65:62:18:33:43:a0:de:06:a4:4d:97:5c:85:23:3f:77:ac:e2:44:75:6a:66:6f:dc:56:92:ab:34:f3:29:0f:ed:88:65:e0:93:c3:48:b8:09:b0:1e:12:ba:65:9f:4d:7a:a8:9a:18:0f:03:4f:42:0b
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  6. Look at the issuers of the certificates in the Secret. tls.crt holds two certificates: the serving certificate for httpd.test.svc, issued by the Service CA, followed by the Service CA certificate itself.
$ oc get secret httpd -o jsonpath="{.data['tls\.crt']}" | base64 -d > httpd.pem
$ openssl crl2pkcs7 -nocrl -certfile httpd.pem | openssl pkcs7 -print_certs -noout
subject=/CN=httpd.test.svc
issuer=/CN=openshift-service-serving-signer@1620997728

subject=/CN=openshift-service-serving-signer@1620997728
issuer=/CN=openshift-service-serving-signer@1620997728
  7. Edit the httpd Deployment: add the "volumes" entry shown below under "spec.template.spec", and the "volumeMounts" entry under the container in "spec.template.spec.containers".
    spec:
      containers:
      - image: image-registry.openshift-image-registry.svc:5000/test/httpd@sha256:02a3a7bf8cf602557ca1780e26e812217760718aea28d468d4dafc8bf723b513
        ...
        volumeMounts:
        - mountPath: /etc/mysecret
          name: mysecret
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: mysecret
        secret:
          secretName: httpd
  8. Run the following commands to confirm that the Service's certificate tls.crt and private key tls.key are now visible inside the pod. Mounting them is only the first half of the job: httpd still has to be configured to serve TLS on 8443 with /etc/mysecret/tls.crt and /etc/mysecret/tls.key, and it must be restarted whenever the Secret is regenerated, since the mounted files change but a running server keeps the key pair it loaded at startup.
$ oc get pod
NAME                     READY   STATUS      RESTARTS   AGE
httpd-1-build            0/1     Completed   0          20m
httpd-7d4789674c-lzz2k   1/1     Running     0          11m
$ oc rsh httpd-7d4789674c-lzz2k
sh-4.2$ ls /etc/mysecret
tls.crt  tls.key
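The checks in this walkthrough that are worth scripting are collected below as an added example; it is not code from the original post or from the service-ca operator. It compares a CA copied into a ConfigMap or an APIService caBundle with signing-key's tls.crt by certificate fingerprint rather than by MD5 of the raw file (the comparison the Generic cabundle injector section shows failing), confirms that a serving Secret's tls.key belongs to its tls.crt, that tls.crt was issued by the Service CA and carries the <svc>.<ns>.svc name, and flags certificates that expire soon (the rotation grace period above). It needs only openssl. Because it has to run offline it builds a constructed stand-in CA and leaf certificate locally; the signer CN and the httpd.test.svc name are borrowed from the walkthrough, but the keys are throwaway material, not anything from a cluster. Against a real cluster you would point the check_* functions at the files produced by the `oc get ... | base64 -d` commands above.

```shell
#!/bin/sh
# Added example, not code from the original post or from the service-ca operator.
# Needs only openssl. The signer CN and the httpd.test.svc name come from the
# walkthrough; the keys and certificates are a constructed stand-in generated
# here so the script runs offline. Against a cluster, point the check_* functions
# at the files produced with `oc get ... | base64 -d` instead.

# Build a throwaway "service CA" and a leaf certificate shaped like the one the
# Service CA issues: SAN on <svc>.<ns>.svc, serverAuth EKU, and the CA appended
# after the leaf the way tls.crt in the secret carries both certificates.
make_fixture() {
  fx=$1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$fx/ca.key" -out "$fx/ca.csr" \
    -subj "/CN=openshift-service-serving-signer@constructed" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign' \
    'subjectKeyIdentifier=hash' > "$fx/ca.ext"
  openssl x509 -req -in "$fx/ca.csr" -signkey "$fx/ca.key" -days 30 \
    -extfile "$fx/ca.ext" -out "$fx/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$fx/tls.key" -out "$fx/leaf.csr" \
    -subj "/CN=httpd.test.svc" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:httpd.test.svc,DNS:httpd.test.svc.cluster.local' > "$fx/leaf.ext"
  openssl x509 -req -in "$fx/leaf.csr" -CA "$fx/ca.crt" -CAkey "$fx/ca.key" \
    -CAcreateserial -days 1 -extfile "$fx/leaf.ext" -out "$fx/leaf.crt" 2>/dev/null
  cat "$fx/leaf.crt" "$fx/ca.crt" > "$fx/tls.crt"
  # The same CA with one extra trailing newline: a stand-in for the whitespace
  # differences between a ConfigMap value and a base64-decoded caBundle.
  { cat "$fx/ca.crt"; printf '\n'; } > "$fx/injected.crt"
}

# MD5 of the raw bytes, as `openssl md5 file` does: any whitespace change
# alters it, so two files can hold the same CA and still hash differently.
raw_md5() { openssl dgst -md5 < "$1" | awk '{print $NF}'; }

# SHA-256 fingerprint of the first certificate in a file, computed over the DER
# encoding, so PEM whitespace does not matter. This is how to decide whether a
# service-ca.crt, a caBundle and signing-key's tls.crt really agree.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# Does the private key belong to the first certificate in the file? Comparing
# the derived public keys works for both RSA and EC keys.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Was the first certificate in $2 issued by the CA in $1, and is it currently
# within its validity period?
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Clients reach the service as <svc>.<ns>.svc, so that name must be a SAN.
cert_has_san() { openssl x509 -in "$2" -noout -text | grep -qE "DNS:$1(,|\$)"; }

# True when the certificate in $1 expires within $2 days: a Service CA inside
# its rotation grace period, or a serving cert whose pod needs a restart.
cert_expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# All checks for one serving-cert Secret: <ca.crt> <tls.crt> <tls.key> <svc> <ns>
check_serving_cert() {
  key_matches_cert "$3" "$2" || { echo "tls.key does not match tls.crt"; return 1; }
  verify_chain "$1" "$2" || { echo "tls.crt was not issued by the given CA or is expired"; return 1; }
  cert_has_san "$4.$5.svc" "$2" || { echo "tls.crt has no SAN for $4.$5.svc"; return 1; }
  echo "ok: $4.$5.svc"
}

WORK=$(mktemp -d)
make_fixture "$WORK"
echo "raw md5:   $(raw_md5 "$WORK/ca.crt")  vs  $(raw_md5 "$WORK/injected.crt")"
echo "sha256 fp: $(cert_fingerprint "$WORK/ca.crt")"
echo "sha256 fp: $(cert_fingerprint "$WORK/injected.crt")"
check_serving_cert "$WORK/ca.crt" "$WORK/tls.crt" "$WORK/tls.key" httpd test
```

Against the files extracted earlier in this page the calls would be `cert_fingerprint ~/ca1.crt`, `cert_fingerprint ~/ca2.crt` and `cert_fingerprint ~/ca3.crt` (all three should print the same value even though the MD5s differ), and `check_serving_cert ~/ca2.crt tls.crt tls.key httpd test` after decoding the httpd Secret. `cert_expires_within_days ~/ca2.crt 180` is the "less than 6 months left" condition under which the Service CA rotates and the restart-before-expiry caveat applies.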

