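A while ago, in the article "How to build a kubernetes dashboard system step by step", we described how to generate a Kubernetes User account token based on a manually created SSL certificate. With that setup, however, most browsers warn that the site is not secure, because browsers generally do not trust certificates signed by a personal CA. Is there a way to change this? Yes. We can have the site's certificate signed by a well-known CA and then generate the Kubernetes User account token based on that certificate.
Alibaba Cloud lets you apply for a free certificate that is valid for one year, so today we will use an Alibaba Cloud free SSL certificate to generate the Kubernetes User account token.
Following the series of screenshots above, you can complete the application for the free certificate. We download it as shown in the screenshot above and extract it into the directory ~/.tmp.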
lwk@qwfys:~$ ll ~/.tmp/
total 20
drwxr-xr-x  5 lwk lwk 4096 Jun  3 09:52 ./
drwxr-xr-x 53 lwk lwk 4096 Jun  2 09:32 ../
drwxr-xr-x  2 lwk lwk 4096 Jun  2 13:59 3123459_k8s.qwfys.com_nginx/
drwxr-xr-x  2 lwk lwk 4096 Jun  2 09:53 3723459_k8s.qwfys.com_nginx/
drwxr-xr-x  2 lwk lwk 4096 Jun  3 09:52 4007298_k8s.qwfys.com_nginx/
lwk@qwfys:~$ ll ~/.tmp/4007298_k8s.qwfys.com_nginx/
total 16
drwxr-xr-x 2 lwk lwk 4096 Jun  3 09:52 ./
drwxr-xr-x 5 lwk lwk 4096 Jun  3 09:52 ../
-rw-rw-r-- 1 lwk lwk 1679 Jun  3 09:51 4007298_k8s.qwfys.com.key
-rw-rw-r-- 1 lwk lwk 3651 Jun  3 09:51 4007298_k8s.qwfys.com.pem
lwk@qwfys:~$ cat ~/.tmp/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
lwk@qwfys:~$ cat ~/.tmp/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
lwk@qwfys:~$
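Comparing this with my earlier article "How to manually generate ssl certificate for own site in Linux", we can see that the file with the .pem extension here is actually the same kind of file as the .crt file I described earlier; only the extension differs. That being the case, we will now pick up where the article "How to build a kubernetes dashboard system step by step" left off and show how to generate the user account token we want.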
lwk@qwfys:~$ scp -r ~/.tmp/4007298_k8s.qwfys.com_nginx root@inner89.qwfys.com:/root/.tmp/ssl/
4007298_k8s.qwfys.com.pem                     100% 3651     1.9MB/s   00:00
4007298_k8s.qwfys.com.key                     100% 1679     1.2MB/s   00:00
lwk@qwfys:~$
[root@xtwj89 ~]# ll ~/.tmp/ssl/
total 4
drwxr-xr-x 3 root root   41 Jun  3 10:14 .
drwxr-xr-x 5 root root 4096 Jun  3 10:12 ..
drwxr-xr-x 2 root root   72 Jun  3 10:14 4007298_k8s.qwfys.com_nginx
[root@xtwj89 ~]#
Delete the existing certificate secret
[root@xtwj89 ~]# kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard
Create the new certificate secret (the paths use $HOME because bash does not expand ~ when it follows --from-file=)
[root@xtwj89 ~]# kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/.tmp/ssl/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.key --from-file=$HOME/.tmp/ssl/4007298_k8s.qwfys.com_nginx/4007298_k8s.qwfys.com.pem -n kubernetes-dashboard
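Added example, not part of the original post: a pre-flight check that can be run on the target host before the secret is created. It covers the key file's permissions (the listing earlier shows the key as -rw-rw-r--), the PEM block types in each file, and whether the key matches the first certificate in the .pem. The function names are hypothetical, and it assumes GNU stat and the openssl CLI are available.

```shell
#!/bin/sh
# Added example: pre-flight checks for the key/.pem pair before it is loaded
# into the kubernetes-dashboard-certs secret. Function names are hypothetical.
# Usage: check_tls_pair <key file> <pem file> && kubectl create secret ...

# Print the label of every PEM block in a file, one per line, in file order.
pem_labels() {
  sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed only if the file grants no permissions to group or other (e.g. 600).
key_is_private() {
  case "$(stat -c '%a' "$1" 2>/dev/null)" in
    ?00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Succeed only if the private key and the first certificate in the bundle
# carry the same public key. Returns 2 if either file cannot be parsed.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Run all checks; print one line per failure, return non-zero if any failed.
check_tls_pair() {
  rc=0
  key_is_private "$1" || { echo "FAIL: $1 is accessible to group/other"; rc=1; }
  [ "$(pem_labels "$1" | grep -c 'PRIVATE KEY$')" -eq 1 ] ||
    { echo "FAIL: $1 must hold exactly one private key"; rc=1; }
  [ -n "$(pem_labels "$2")" ] && ! pem_labels "$2" | grep -qv '^CERTIFICATE$' ||
    { echo "FAIL: $2 must hold only CERTIFICATE blocks"; rc=1; }
  # The openssl comparison only makes sense once the structural checks pass.
  [ "$rc" -ne 0 ] || key_matches_cert "$1" "$2" ||
    { echo "FAIL: key does not match the first certificate in $2"; rc=1; }
  return "$rc"
}
```

With the files exactly as listed on this page, the permission check fails until the key is restricted with `chmod 600`.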