k8s-ssl证书安装

作者: 平头哥2 | 来源:发表于2019-12-23 13:15 被阅读0次

k8s-ssl证书安装
https 免费申请和安装
【other】Charles 安装证书
Charles https抓包乱码解决(Mac版本)
安装charles证书异常
Charles 抓起HTTPS请求证书配置
如何在Firefox和Chrome上安装Burpsuite证书
Charles 代理设置
iOS APP签名原理
手机安装 & 卸载CA证书

文章照抄：
https://www.cnblogs.com/jasonboren/p/11483458.html

集群配置

192.168.10.155 master
192.168.10.158 node01
192.168.10.157 node02

关闭防火前，开机不启动，selinux，设置免密登录

master

## 执行目录：
[root@localhost ssl]# pwd
/root/ssl
### 
yum install -y wget
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64 
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

生成ca-config.json证书

cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

生成ca-csr.json文件

cat << EOF | tee ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu",
             "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

生成ca-key.pem ca.pem

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

生成server-csr.json文件

cat << EOF | tee server-csr.json
{
    "CN": "kubernetes",
    "hosts": [
    "192.168.10.155",
    "192.168.10.158",   
    "192.168.10.157",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu",
            "O": "k8s",     
            "OU": "System"
        }
    ]
}
EOF

生成server.pem,server-key.pem

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

生成admin-csr.json文件

cat << EOF | tee admin-csr.json
{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu",
            "O": "system:masters",
            "OU": "System"
        }
    ]
}
EOF

最后生成admin证书---admin-key.pem ，admin.pem

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

生成代理

cat << EOF | tee kube-proxy-csr.json
{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu",
        "O": "k8s",
        "OU": "System"
        }
    ]
}
EOF

生成代理证书 kube-proxy-key.pem , kube-proxy.pem

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

当前目录得内容

[root@localhost ssl]# ll
total 68
-rw-r--r-- 1 root root 1009 Dec 23 00:01 admin.csr
-rw-r--r-- 1 root root  287 Dec 23 00:00 admin-csr.json
-rw------- 1 root root 1679 Dec 23 00:01 admin-key.pem
-rw-r--r-- 1 root root 1399 Dec 23 00:01 admin.pem
-rw-r--r-- 1 root root  294 Dec 22 23:43 ca-config.json
-rw-r--r-- 1 root root 1001 Dec 22 23:55 ca.csr
-rw-r--r-- 1 root root  265 Dec 22 23:54 ca-csr.json
-rw------- 1 root root 1675 Dec 22 23:55 ca-key.pem
-rw-r--r-- 1 root root 1359 Dec 22 23:55 ca.pem
-rw-r--r-- 1 root root 1009 Dec 23 00:03 kube-proxy.csr
-rw-r--r-- 1 root root  280 Dec 23 00:03 kube-proxy-csr.json
-rw------- 1 root root 1679 Dec 23 00:03 kube-proxy-key.pem
-rw-r--r-- 1 root root 1403 Dec 23 00:03 kube-proxy.pem
-rw-r--r-- 1 root root 1245 Dec 22 23:59 server.csr
-rw-r--r-- 1 root root  515 Dec 22 23:57 server-csr.json
-rw------- 1 root root 1679 Dec 22 23:59 server-key.pem
-rw-r--r-- 1 root root 1610 Dec 22 23:59 server.pem

删除除了pem文件之外的其他文件

ls | grep -v pem |xargs -i rm {}

统一整理执行得脚本：ssl.sh

cd ~
mkdir ssl
cd ssl/
yum install -y wget
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64 
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat << EOF | tee ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu",
             "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cat << EOF | tee server-csr.json
{
    "CN": "kubernetes",
    "hosts": [
    "172.16.163.131",
    "172.16.163.130",   
    "172.16.163.129",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu",
            "O": "k8s",     
            "OU": "System"
        }
    ]
}
EOF

cat << EOF | tee admin-csr.json
{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu",
            "O": "system:masters",
            "OU": "System"
        }
    ]
}
EOF

cat << EOF | tee kube-proxy-csr.json
{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu",
        "O": "k8s",
        "OU": "System"
        }
    ]
}
EOF

#生成ca-key.pem     ca.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#生成server.pem,server-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#生成admin证书---admin-key.pem ，admin.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#生成代理证书 kube-proxy-key.pem , kube-proxy.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

k8s-ssl证书安装
文章照抄：https://www.cnblogs.com/jasonboren/p/11483458.html 集...
https 免费申请和安装
centos 安装apache + ssl证书免费证书申请和安装申请证书去阿里云平台找证书管理然后证书购买 ...
【other】Charles 安装证书
给 PC 安装证书安装证书Help -> SSL Proxying -> Install Charles Roo...
Charles https抓包乱码解决(Mac版本)
一、证书安装 1、安装证书，Help -> SSL Proxying -> Install Charles Roo...
安装charles证书异常
安装charles证书异常分为两种情况，一种是可以正常安装证书，另外一种是点击证书提示无法安装证书，下面就针对无...
Charles 抓起HTTPS请求证书配置
安装证书： 1，Mac证书，一般是已经安装，但是没有信任，需要手动信任一下 2，手机安装证书，iOS按照提示安装证...
如何在Firefox和Chrome上安装Burpsuite证书
一、Firefox上安装证书1、开启代理，访问http://burp/ 下载证书文件 2、安装证书，直接打开abo...
Charles 代理设置
安装证书
iOS APP签名原理
苹果打包应用的时候需要证书才能安装，windows、安卓可以静默安装，苹果的证书机制保证了应用安装的安全性。证书...
手机安装 & 卸载CA证书
1. 安装CA证书首先下载正确的证书。这里以安装burpsuite证书为例。 burpsuite为抓包软件，默认...