istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

zh-update: /docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md (#6401)

This commit is contained in:
yuxiaobo96 2020-02-05 23:23:31 +08:00 committed by GitHub
parent 21eb96814a
commit 431cc8c60d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
content/zh/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md
View File

@ -16,36 +16,20 @@ aliases:
## 生成客户端和服务端的证书和密钥{#generate-client-and-server-certificates-and-keys} ## 生成客户端和服务端的证书和密钥{#generate-client-and-server-certificates-and-keys}
1. 克隆仓库 <https://github.com/nicholasjackson/mtls-go-example>: 对于此任务,您可以使用自己喜欢的工具来生成证书和密钥。以下命令使用
[openssl](https://man.openbsd.org/openssl.1)
1. 创建根证书和私钥来为您的服务签名证书:
{{< text bash >}} {{< text bash >}}
$ git clone https://github.com/nicholasjackson/mtls-go-example $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
{{< /text >}} {{< /text >}}
1. 进入仓库的目录 1. `nginx.example.com` 创建证书和私钥
{{< text bash >}} {{< text bash >}}
$ pushd mtls-go-example $ openssl req -out nginx.example.com.csr -newkey rsa:2048 -nodes -keyout nginx.example.com.key -subj "/CN=nginx.example.com/O=some organization"
{{< /text >}} $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in nginx.example.com.csr -out nginx.example.com.crt
1. 使用 password 为 `nginx.example.com` 生成证书:
{{< text bash >}}
$ ./generate.sh nginx.example.com <password>
{{< /text >}}
出现提示时,为所有问题选择 `y`
1. 将证书移动到目录 `nginx.example.com`:
{{< text bash >}}
$ mkdir ../nginx.example.com && mv 1_root 2_intermediate 3_application 4_client ../nginx.example.com
{{< /text >}}
1. 回到根目录:
{{< text bash >}}
$ popd
{{< /text >}} {{< /text >}}
## 部署一个 NGINX 服务{#deploy-an-nginx-server} ## 部署一个 NGINX 服务{#deploy-an-nginx-server}
@ -53,7 +37,7 @@ aliases:
1. 创建一个 Kubernetes 的 [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) 资源来保存服务的证书: 1. 创建一个 Kubernetes 的 [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) 资源来保存服务的证书:
{{< text bash >}} {{< text bash >}}
$ kubectl create secret tls nginx-server-certs --key nginx.example.com/3_application/private/nginx.example.com.key.pem --cert nginx.example.com/3_application/certs/nginx.example.com.cert.pem $ kubectl create secret tls nginx-server-certs --key nginx.example.com.key --cert nginx.example.com.crt
{{< /text >}} {{< /text >}}
1. 为 NGINX 服务创建一个配置文件: 1. 为 NGINX 服务创建一个配置文件:
@ -156,10 +140,10 @@ aliases:
server certificate activation date OK server certificate activation date OK
certificate public key: RSA certificate public key: RSA
certificate version: #3 certificate version: #3
subject: C=US,ST=Denial,L=Springfield,O=Dis,CN=nginx.example.com subject: CN=nginx.example.com; O=some organization
start date: Wed, 15 Aug 2018 07:29:07 GMT start date: Wed, 15 Aug 2018 07:29:07 GMT
expire date: Sun, 25 Aug 2019 07:29:07 GMT expire date: Sun, 25 Aug 2019 07:29:07 GMT
issuer: C=US,ST=Denial,O=Dis,CN=nginx.example.com issuer: O=example Inc.; CN=example.com
> GET / HTTP/1.1 > GET / HTTP/1.1
> User-Agent: curl/7.35.0 > User-Agent: curl/7.35.0
@ -232,13 +216,12 @@ aliases:
1. 从集群外访问 NGINX 服务。注意,服务端返回了正确的证书,并且该证书已成功验证(输出了 _SSL certificate verify ok_ )。 1. 从集群外访问 NGINX 服务。注意,服务端返回了正确的证书,并且该证书已成功验证(输出了 _SSL certificate verify ok_ )。
{{< text bash >}} {{< text bash >}}
$ curl -v --resolve nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert nginx.example.com/2_intermediate/certs/ca-chain.cert.pem https://nginx.example.com:$SECURE_INGRESS_PORT $ curl -v --resolve nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert example.com.crt https://nginx.example.com:$SECURE_INGRESS_PORT
Server certificate: Server certificate:
subject: C=US; ST=Denial; L=Springfield; O=Dis; CN=nginx.example.com subject: CN=nginx.example.com; O=some organization
start date: Aug 15 07:29:07 2018 GMT start date: Wed, 15 Aug 2018 07:29:07 GMT
expire date: Aug 25 07:29:07 2019 GMT expire date: Sun, 25 Aug 2019 07:29:07 GMT
common name: nginx.example.com (matched) issuer: O=example Inc.; CN=example.com
issuer: C=US; ST=Denial; O=Dis; CN=nginx.example.com
SSL certificate verify ok. SSL certificate verify ok.
< HTTP/1.1 200 OK < HTTP/1.1 200 OK
@ -262,14 +245,14 @@ aliases:
$ kubectl delete virtualservice nginx $ kubectl delete virtualservice nginx
{{< /text >}} {{< /text >}}
1. 删除含有证书的目录以及用于生成证书的仓库 1. 删除证书和密钥:
{{< text bash >}} {{< text bash >}}
$ rm -rf nginx.example.com mtls-go-example $ rm example.com.crt example.com.key nginx.example.com.crt nginx.example.com.key nginx.example.com.csr
{{< /text >}} {{< /text >}}
1. 删除本示例中生成的配置文件: 1. 删除本示例中生成的配置文件:
{{< text bash >}} {{< text bash >}}
$ rm -f ./nginx.conf $ rm ./nginx.conf
{{< /text >}} {{< /text >}}