zh-update: /docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md (#6401)

2020-02-05 23:23:31 +08:00 · 2020-02-05 23:23:31 +08:00 · 431cc8c60d
parent 21eb96814a
commit 431cc8c60d
1 changed files with 19 additions and 36 deletions
--- a/content/zh/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md
+++ b/content/zh/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md
@ -16,36 +16,20 @@ aliases:

 ## 生成客户端和服务端的证书和密钥{#generate-client-and-server-certificates-and-keys}

-1. 克隆仓库 <https://github.com/nicholasjackson/mtls-go-example>:
+对于此任务，您可以使用自己喜欢的工具来生成证书和密钥。以下命令使用
+[openssl](https://man.openbsd.org/openssl.1)
+
+1.  创建根证书和私钥来为您的服务签名证书：

    {{< text bash >}}
-    $ git clone https://github.com/nicholasjackson/mtls-go-example
+    $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
    {{< /text >}}

-1. 进入仓库的目录：
+1.  为 `nginx.example.com` 创建证书和私钥：

    {{< text bash >}}
-    $ pushd mtls-go-example
-    {{< /text >}}
-
-1. 使用 password 为 `nginx.example.com` 生成证书：
-
-    {{< text bash >}}
-    $ ./generate.sh nginx.example.com <password>
-    {{< /text >}}
-
-    出现提示时，为所有问题选择 `y`。
-
-1.  将证书移动到目录 `nginx.example.com`:
-
-    {{< text bash >}}
-    $ mkdir ../nginx.example.com && mv 1_root 2_intermediate 3_application 4_client ../nginx.example.com
-    {{< /text >}}
-
-1.  回到根目录：
-
-    {{< text bash >}}
-    $ popd
+    $ openssl req -out nginx.example.com.csr -newkey rsa:2048 -nodes -keyout nginx.example.com.key -subj "/CN=nginx.example.com/O=some organization"
+    $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in nginx.example.com.csr -out nginx.example.com.crt
    {{< /text >}}

 ## 部署一个 NGINX 服务{#deploy-an-nginx-server}
@ -53,7 +37,7 @@ aliases:
 1.  创建一个 Kubernetes 的 [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) 资源来保存服务的证书：

    {{< text bash >}}
-    $ kubectl create secret tls nginx-server-certs --key nginx.example.com/3_application/private/nginx.example.com.key.pem --cert nginx.example.com/3_application/certs/nginx.example.com.cert.pem
+    $ kubectl create secret tls nginx-server-certs --key nginx.example.com.key --cert nginx.example.com.crt
    {{< /text >}}

 1.  为 NGINX 服务创建一个配置文件：
@ -156,10 +140,10 @@ aliases:
      server certificate activation date OK
      certificate public key: RSA
      certificate version: #3
-      subject: C=US,ST=Denial,L=Springfield,O=Dis,CN=nginx.example.com
+      subject: CN=nginx.example.com; O=some organization
      start date: Wed, 15 Aug 2018 07:29:07 GMT
      expire date: Sun, 25 Aug 2019 07:29:07 GMT
-      issuer: C=US,ST=Denial,O=Dis,CN=nginx.example.com
+      issuer: O=example Inc.; CN=example.com

    > GET / HTTP/1.1
    > User-Agent: curl/7.35.0
@ -232,13 +216,12 @@ aliases:
 1.  从集群外访问 NGINX 服务。注意，服务端返回了正确的证书，并且该证书已成功验证（输出了 _SSL certificate verify ok_ ）。

    {{< text bash >}}
-    $ curl -v --resolve nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert nginx.example.com/2_intermediate/certs/ca-chain.cert.pem https://nginx.example.com:$SECURE_INGRESS_PORT
+    $ curl -v --resolve nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert example.com.crt https://nginx.example.com:$SECURE_INGRESS_PORT
    Server certificate:
-      subject: C=US; ST=Denial; L=Springfield; O=Dis; CN=nginx.example.com
-      start date: Aug 15 07:29:07 2018 GMT
-      expire date: Aug 25 07:29:07 2019 GMT
-      common name: nginx.example.com (matched)
-      issuer: C=US; ST=Denial; O=Dis; CN=nginx.example.com
+      subject: CN=nginx.example.com; O=some organization
+      start date: Wed, 15 Aug 2018 07:29:07 GMT
+      expire date: Sun, 25 Aug 2019 07:29:07 GMT
+      issuer: O=example Inc.; CN=example.com
      SSL certificate verify ok.

      < HTTP/1.1 200 OK
@ -262,14 +245,14 @@ aliases:
    $ kubectl delete virtualservice nginx
    {{< /text >}}

-1.  删除含有证书的目录以及用于生成证书的仓库
+1.  删除证书和密钥：

    {{< text bash >}}
-    $ rm -rf nginx.example.com mtls-go-example
+    $ rm example.com.crt example.com.key nginx.example.com.crt nginx.example.com.key nginx.example.com.csr
    {{< /text >}}

 1.  删除本示例中生成的配置文件：

    {{< text bash >}}
-    $ rm -f ./nginx.conf
+    $ rm ./nginx.conf
    {{< /text >}}