kubernetes
/
ingress-nginx
mirror of https://github.com/kubernetes/ingress-nginx.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ingress-nginx/examples/PREREQUISITES/index.html

1448 lines
39 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="lang:clipboard.copy" content="Copy to clipboard">
<meta name="lang:clipboard.copied" content="Copied to clipboard">
<meta name="lang:search.language" content="en">
<meta name="lang:search.pipeline.stopwords" content="True">
<meta name="lang:search.pipeline.trimmer" content="True">
<meta name="lang:search.result.none" content="No matching documents">
<meta name="lang:search.result.one" content="1 matching document">
<meta name="lang:search.result.other" content="# matching documents">
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-3.0.6">
<title>Prerequisites - NGINX Ingress Controller</title>
<link rel="stylesheet" href="../../assets/stylesheets/application.451f80e5.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.22915126.css">
<meta name="theme-color" content="#009688">
<script src="../../assets/javascripts/modernizr.1aa3b519.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
<link rel="stylesheet" href="../../assets/fonts/material-icons.css">
<link rel="stylesheet" href="../../extra.css">
</head>
<body dir="ltr" data-md-color-primary="teal" data-md-color-accent="green">
<svg class="md-svg">
<defs>
<svg xmlns="http://www.w3.org/2000/svg" width="416" height="448"
viewBox="0 0 416 448" id="__github">
<path fill="currentColor" d="M160 304q0 10-3.125 20.5t-10.75 19-18.125
8.5-18.125-8.5-10.75-19-3.125-20.5 3.125-20.5 10.75-19 18.125-8.5
18.125 8.5 10.75 19 3.125 20.5zM320 304q0 10-3.125 20.5t-10.75
19-18.125 8.5-18.125-8.5-10.75-19-3.125-20.5 3.125-20.5 10.75-19
18.125-8.5 18.125 8.5 10.75 19 3.125 20.5zM360
304q0-30-17.25-51t-46.75-21q-10.25 0-48.75 5.25-17.75 2.75-39.25
2.75t-39.25-2.75q-38-5.25-48.75-5.25-29.5 0-46.75 21t-17.25 51q0 22 8
38.375t20.25 25.75 30.5 15 35 7.375 37.25 1.75h42q20.5 0
37.25-1.75t35-7.375 30.5-15 20.25-25.75 8-38.375zM416 260q0 51.75-15.25
82.75-9.5 19.25-26.375 33.25t-35.25 21.5-42.5 11.875-42.875 5.5-41.75
1.125q-19.5 0-35.5-0.75t-36.875-3.125-38.125-7.5-34.25-12.875-30.25-20.25-21.5-28.75q-15.5-30.75-15.5-82.75
0-59.25 34-99-6.75-20.5-6.75-42.5 0-29 12.75-54.5 27 0 47.5 9.875t47.25
30.875q36.75-8.75 77.25-8.75 37 0 70 8 26.25-20.5
46.75-30.25t47.25-9.75q12.75 25.5 12.75 54.5 0 21.75-6.75 42 34 40 34
99.5z" />
</svg>
</defs>
</svg>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#prerequisites" tabindex="1" class="md-skip">
Skip to content
</a>
<header class="md-header" data-md-component="header">
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="../.." title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
</a>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<label class="md-icon md-icon--menu md-header-nav__button" for="__drawer"></label>
</div>
<div class="md-flex__cell md-flex__cell--stretch">
<div class="md-flex__ellipsis md-header-nav__title" data-md-component="title">
<span class="md-header-nav__topic">
NGINX Ingress Controller
</span>
<span class="md-header-nav__topic">
Prerequisites
</span>
</div>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<label class="md-icon md-icon--search md-header-nav__button" for="__search"></label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
</button>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="result">
<div class="md-search-result__meta">
Type to start searching
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<div class="md-header-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source" data-md-source="github">
<div class="md-source__icon">
<svg viewBox="0 0 24 24" width="24" height="24">
<use xlink:href="#__github" width="24" height="24"></use>
</svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
</div>
</div>
</nav>
</header>
<div class="md-container">
<nav class="md-tabs md-tabs--active" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../.." title="Welcome" class="md-tabs__link">
Welcome
</a>
</li>
<li class="md-tabs__item">
<a href="../../deploy/" title="Deployment" class="md-tabs__link">
Deployment
</a>
</li>
<li class="md-tabs__item">
<a href="../../user-guide/nginx-configuration/" title="User guide" class="md-tabs__link">
User guide
</a>
</li>
<li class="md-tabs__item">
<a href="../" title="Examples" class="md-tabs__link md-tabs__link--active">
Examples
</a>
</li>
</ul>
</div>
</nav>
<main class="md-main">
<div class="md-main__inner md-grid" data-md-component="container">
<div class="md-sidebar md-sidebar--primary" data-md-component="navigation">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" data-md-level="0">
<label class="md-nav__title md-nav__title--site" for="__drawer">
<a href="../.." title="NGINX Ingress Controller" class="md-nav__button md-logo">
<i class="md-icon">public</i>
</a>
NGINX Ingress Controller
</label>
<div class="md-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source" data-md-source="github">
<div class="md-source__icon">
<svg viewBox="0 0 24 24" width="24" height="24">
<use xlink:href="#__github" width="24" height="24"></use>
</svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-1" type="checkbox" id="nav-1">
<label class="md-nav__link" for="nav-1">
Welcome
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-1">
Welcome
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." title="Welcome" class="md-nav__link">
Welcome
</a>
</li>
<li class="md-nav__item">
<a href="../../how-it-works/" title="How it works" class="md-nav__link">
How it works
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/" title="Troubleshooting" class="md-nav__link">
Troubleshooting
</a>
</li>
<li class="md-nav__item">
<a href="../../development/" title="Development" class="md-nav__link">
Development
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-2" type="checkbox" id="nav-2">
<label class="md-nav__link" for="nav-2">
Deployment
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-2">
Deployment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../deploy/" title="Installation Guide" class="md-nav__link">
Installation Guide
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/upgrade/" title="Upgrade" class="md-nav__link">
Upgrade
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3" type="checkbox" id="nav-3">
<label class="md-nav__link" for="nav-3">
User guide
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-3">
User guide
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3-1" type="checkbox" id="nav-3-1">
<label class="md-nav__link" for="nav-3-1">
NGINX Configuration
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-3-1">
NGINX Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/annotations/" title="Annotations" class="md-nav__link">
Annotations
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/configmap/" title="ConfigMap" class="md-nav__link">
ConfigMap
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/custom-template/" title="Custom NGINX template" class="md-nav__link">
Custom NGINX template
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/log-format/" title="Log format" class="md-nav__link">
Log format
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../user-guide/cli-arguments/" title="Command line arguments" class="md-nav__link">
Command line arguments
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/custom-errors/" title="Custom errors" class="md-nav__link">
Custom errors
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/default-backend/" title="Default backend" class="md-nav__link">
Default backend
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/external-articles/" title="External Articles" class="md-nav__link">
External Articles
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/miscellaneous/" title="Miscellaneous" class="md-nav__link">
Miscellaneous
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/monitoring/" title="Prometheus and Grafana installation" class="md-nav__link">
Prometheus and Grafana installation
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/multiple-ingress/" title="Multiple Ingress controllers" class="md-nav__link">
Multiple Ingress controllers
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/tls/" title="TLS/HTTPS" class="md-nav__link">
TLS/HTTPS
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3-12" type="checkbox" id="nav-3-12">
<label class="md-nav__link" for="nav-3-12">
Third party addons
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-3-12">
Third party addons
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/modsecurity/" title="ModSecurity Web Application Firewall" class="md-nav__link">
ModSecurity Web Application Firewall
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/opentracing/" title="OpenTracing" class="md-nav__link">
OpenTracing
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4" type="checkbox" id="nav-4" checked>
<label class="md-nav__link" for="nav-4">
Examples
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-4">
Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-toggle md-nav__toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Prerequisites
</label>
<a href="./" title="Prerequisites" class="md-nav__link md-nav__link--active">
Prerequisites
</a>
<nav class="md-nav md-nav--secondary">
<label class="md-nav__title" for="__toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#tls-certificates" title="TLS certificates" class="md-nav__link">
TLS certificates
</a>
</li>
<li class="md-nav__item">
<a href="#ca-authentication" title="CA Authentication" class="md-nav__link">
CA Authentication
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generating-a-ca" title="Generating a CA" class="md-nav__link">
Generating a CA
</a>
</li>
<li class="md-nav__item">
<a href="#generating-the-client-certificate" title="Generating the client certificate" class="md-nav__link">
Generating the client certificate
</a>
</li>
<li class="md-nav__item">
<a href="#creating-the-ca-authentication-secret" title="Creating the CA Authentication secret" class="md-nav__link">
Creating the CA Authentication secret
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#test-http-service" title="Test HTTP Service" class="md-nav__link">
Test HTTP Service
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../affinity/cookie/" title="Sticky Sessions" class="md-nav__link">
Sticky Sessions
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4-4" type="checkbox" id="nav-4-4">
<label class="md-nav__link" for="nav-4-4">
Auth
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-4-4">
Auth
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../auth/basic/" title="Basic Authentication" class="md-nav__link">
Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../auth/client-certs/" title="Client Certificate Authentication" class="md-nav__link">
Client Certificate Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../auth/external-auth/" title="External Basic Authentication" class="md-nav__link">
External Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../auth/oauth-external-auth/" title="External OAUTH Authentication" class="md-nav__link">
External OAUTH Authentication
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4-5" type="checkbox" id="nav-4-5">
<label class="md-nav__link" for="nav-4-5">
Customization
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-4-5">
Customization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../customization/configuration-snippets/" title="Configuration Snippets" class="md-nav__link">
Configuration Snippets
</a>
</li>
<li class="md-nav__item">
<a href="../customization/custom-configuration/" title="Custom Configuration" class="md-nav__link">
Custom Configuration
</a>
</li>
<li class="md-nav__item">
<a href="../customization/custom-errors/" title="Custom Errors" class="md-nav__link">
Custom Errors
</a>
</li>
<li class="md-nav__item">
<a href="../customization/custom-headers/" title="Custom Headers" class="md-nav__link">
Custom Headers
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
</a>
</li>
<li class="md-nav__item">
<a href="../customization/ssl-dh-param/" title="Custom DH parameters for perfect forward secrecy" class="md-nav__link">
Custom DH parameters for perfect forward secrecy
</a>
</li>
<li class="md-nav__item">
<a href="../customization/sysctl/" title="Sysctl tuning" class="md-nav__link">
Sysctl tuning
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../docker-registry/" title="Docker registry" class="md-nav__link">
Docker registry
</a>
</li>
<li class="md-nav__item">
<a href="../grpc/" title="gRPC" class="md-nav__link">
gRPC
</a>
</li>
<li class="md-nav__item">
<a href="../multi-tls/" title="Multi TLS certificate termination" class="md-nav__link">
Multi TLS certificate termination
</a>
</li>
<li class="md-nav__item">
<a href="../rewrite/" title="Rewrite" class="md-nav__link">
Rewrite
</a>
</li>
<li class="md-nav__item">
<a href="../static-ip/" title="Static IPs" class="md-nav__link">
Static IPs
</a>
</li>
<li class="md-nav__item">
<a href="../tls-termination/" title="TLS termination" class="md-nav__link">
TLS termination
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary">
<label class="md-nav__title" for="__toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#tls-certificates" title="TLS certificates" class="md-nav__link">
TLS certificates
</a>
</li>
<li class="md-nav__item">
<a href="#ca-authentication" title="CA Authentication" class="md-nav__link">
CA Authentication
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generating-a-ca" title="Generating a CA" class="md-nav__link">
Generating a CA
</a>
</li>
<li class="md-nav__item">
<a href="#generating-the-client-certificate" title="Generating the client certificate" class="md-nav__link">
Generating the client certificate
</a>
</li>
<li class="md-nav__item">
<a href="#creating-the-ca-authentication-secret" title="Creating the CA Authentication secret" class="md-nav__link">
Creating the CA Authentication secret
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#test-http-service" title="Test HTTP Service" class="md-nav__link">
Test HTTP Service
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/examples/PREREQUISITES.md" title="Edit this page" class="md-icon md-content__icon">&#xE3C9;</a>
<h1 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">&para;</a></h1>
<p>Many of the examples in this directory have common prerequisites.</p>
<h2 id="tls-certificates">TLS certificates<a class="headerlink" href="#tls-certificates" title="Permanent link">&para;</a></h2>
<p>Unless otherwise mentioned, the TLS secret used in examples is a 2048 bit RSA
key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout tls.key -out tls.crt -subj <span class="s2">&quot;/CN=nginxsvc/O=nginxsvc&quot;</span>
<span class="go">Generating a 2048 bit RSA private key</span>
<span class="go">................+++</span>
<span class="go">................+++</span>
<span class="go">writing new private key to &#39;tls.key&#39;</span>
<span class="go">-----</span>
<span class="gp">$</span> kubectl create secret tls tls-secret --key tls.key --cert tls.crt
<span class="go">secret &quot;tls-secret&quot; created</span>
</pre></div>
<h2 id="ca-authentication">CA Authentication<a class="headerlink" href="#ca-authentication" title="Permanent link">&para;</a></h2>
<p>You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our
own CA, and also generate a client certificate.</p>
<p>These instructions are based on CoreOS OpenSSL. <a href="https://coreos.com/kubernetes/docs/latest/openssl.html">See live doc.</a></p>
<h3 id="generating-a-ca">Generating a CA<a class="headerlink" href="#generating-a-ca" title="Permanent link">&para;</a></h3>
<p>First of all, you've to generate a CA. This is going to be the one who will sign your client certificates.
In real production world, you may face CAs with intermediate certificates, as the following:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl s_client -connect www.google.com:443
<span class="go">[...]</span>
<span class="go">---</span>
<span class="go">Certificate chain</span>
<span class="go"> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com</span>
<span class="go"> i:/C=US/O=Google Inc/CN=Google Internet Authority G2</span>
<span class="go"> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2</span>
<span class="go"> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA</span>
<span class="go"> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA</span>
<span class="go"> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority</span>
</pre></div>
<p>To generate our CA Certificate, we've to run the following commands:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out ca.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -x509 -new -nodes -key ca.key -days <span class="m">10000</span> -out ca.crt -subj <span class="s2">&quot;/CN=example-ca&quot;</span>
</pre></div>
<p>This will generate two files: A private key (ca.key) and a public key (ca.crt). This CA is valid for 10000 days.
The ca.crt can be used later in the step of creation of CA authentication secret.</p>
<h3 id="generating-the-client-certificate">Generating the client certificate<a class="headerlink" href="#generating-the-client-certificate" title="Permanent link">&para;</a></h3>
<p>The following steps generate a client certificate signed by the CA generated above. This client can be
used to authenticate in a tls-auth configured ingress.</p>
<p>First, we need to generate an 'openssl.cnf' file that will be used while signing the keys:</p>
<div class="codehilite"><pre><span></span><span class="go">[req]</span>
<span class="go">req_extensions = v3_req</span>
<span class="go">distinguished_name = req_distinguished_name</span>
<span class="go">[req_distinguished_name]</span>
<span class="go">[ v3_req ]</span>
<span class="go">basicConstraints = CA:FALSE</span>
<span class="go">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</span>
</pre></div>
<p>Then, a user generates his very own private key (that he needs to keep secret)
and a CSR (Certificate Signing Request) that will be sent to the CA to sign and generate a certificate.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out client1.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -new -key client1.key -out client1.csr -subj <span class="s2">&quot;/CN=client1&quot;</span> -config openssl.cnf
</pre></div>
<p>As the CA receives the generated 'client1.csr' file, it signs it and generates a client.crt certificate:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days <span class="m">365</span> -extensions v3_req -extfile openssl.cnf
</pre></div>
<p>Then, you'll have 3 files: the client.key (user's private key), client.crt (user's public key) and client.csr (disposable CSR).</p>
<h3 id="creating-the-ca-authentication-secret">Creating the CA Authentication secret<a class="headerlink" href="#creating-the-ca-authentication-secret" title="Permanent link">&para;</a></h3>
<p>If you're using the CA Authentication feature, you need to generate a secret containing
all the authorized CAs. You must download them from your CA site in PEM format (like the following):</p>
<div class="codehilite"><pre><span></span>-----BEGIN CERTIFICATE-----
[....]
-----END CERTIFICATE-----
</pre></div>
<p>You can have as many certificates as you want. If they're in the binary DER format,
you can convert them as the following:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</pre></div>
<p>Then, you've to concatenate them all in only one file, named 'ca.crt' as the following:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div>
<p>The final step is to create a secret with the content of this file. This secret is going to be used in
the TLS Auth directive:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt;
</pre></div>
<p><strong>Note:</strong> You can also generate the CA Authentication Secret along with the TLS Secret by using:
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt; --from-file<span class="o">=</span>tls.crt<span class="o">=</span>&lt;tls.crt&gt; --from-file<span class="o">=</span>tls.key<span class="o">=</span>&lt;tls.key&gt;
</pre></div></p>
<h2 id="test-http-service">Test HTTP Service<a class="headerlink" href="#test-http-service" title="Permanent link">&para;</a></h2>
<p>All examples that require a test HTTP Service use the standard http-svc pod,
which you can deploy as follows</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f http-svc.yaml
<span class="go">service &quot;http-svc&quot; created</span>
<span class="go">replicationcontroller &quot;http-svc&quot; created</span>
<span class="gp">$</span> kubectl get po
<span class="go">NAME READY STATUS RESTARTS AGE</span>
<span class="go">http-svc-p1t3t 1/1 Running 0 1d</span>
<span class="gp">$</span> kubectl get svc
<span class="go">NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">http-svc 10.0.122.116 &lt;pending&gt; 80:30301/TCP 1d</span>
</pre></div>
<p>You can test that the HTTP Service works by exposing it temporarily</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;LoadBalancer&quot;}}&#39;</span>
<span class="go">&quot;http-svc&quot; patched</span>
<span class="gp">$</span> kubectl get svc http-svc
<span class="go">NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">http-svc 10.0.122.116 &lt;pending&gt; 80:30301/TCP 1d</span>
<span class="gp">$</span> kubectl describe svc http-svc
<span class="go">Name: http-svc</span>
<span class="go">Namespace: default</span>
<span class="go">Labels: app=http-svc</span>
<span class="go">Selector: app=http-svc</span>
<span class="go">Type: LoadBalancer</span>
<span class="go">IP: 10.0.122.116</span>
<span class="go">LoadBalancer Ingress: 108.59.87.136</span>
<span class="go">Port: http 80/TCP</span>
<span class="go">NodePort: http 30301/TCP</span>
<span class="go">Endpoints: 10.180.1.6:8080</span>
<span class="go">Session Affinity: None</span>
<span class="go">Events:</span>
<span class="go"> FirstSeen LastSeen Count From SubObjectPath Type Reason Message</span>
<span class="go"> --------- -------- ----- ---- ------------- -------- ------ -------</span>
<span class="go"> 1m 1m 1 {service-controller } Normal Type ClusterIP -&gt; LoadBalancer</span>
<span class="go"> 1m 1m 1 {service-controller } Normal CreatingLoadBalancer Creating load balancer</span>
<span class="go"> 16s 16s 1 {service-controller } Normal CreatedLoadBalancer Created load balancer</span>
<span class="gp">$</span> curl <span class="m">108</span>.59.87.136
<span class="go">CLIENT VALUES:</span>
<span class="go">client_address=10.240.0.3</span>
<span class="go">command=GET</span>
<span class="go">real path=/</span>
<span class="go">query=nil</span>
<span class="go">request_version=1.1</span>
<span class="go">request_uri=http://108.59.87.136:8080/</span>
<span class="go">SERVER VALUES:</span>
<span class="go">server_version=nginx: 1.9.11 - lua: 10001</span>
<span class="go">HEADERS RECEIVED:</span>
<span class="go">accept=*/*</span>
<span class="go">host=108.59.87.136</span>
<span class="go">user-agent=curl/7.46.0</span>
<span class="go">BODY:</span>
<span class="go">-no body in request-</span>
<span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;NodePort&quot;}}&#39;</span>
<span class="go">&quot;http-svc&quot; patched</span>
</pre></div>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid">
<a href="../" title="Introduction" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-back md-footer-nav__button"></i>
</div>
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Previous
</span>
Introduction
</span>
</div>
</a>
<a href="../affinity/cookie/" title="Sticky Sessions" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Sticky Sessions
</span>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-forward md-footer-nav__button"></i>
</div>
</a>
</nav>
</div>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
Material for MkDocs</a>
</div>
</div>
</div>
</footer>
</div>
<script src="../../assets/javascripts/application.5e60981f.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>
<script>!function(e,a,t,n,o,c,i){e.GoogleAnalyticsObject=o,e.ga=e.ga||function(){(e.ga.q=e.ga.q||[]).push(arguments)},e.ga.l=1*new Date,c=a.createElement(t),i=a.getElementsByTagName(t)[0],c.async=1,c.src="https://www.google-analytics.com/analytics.js",i.parentNode.insertBefore(c,i)}(window,document,"script",0,"ga"),ga("create","UA-118407822-1","kubernetes.github.io"),ga("set","anonymizeIp",!0),ga("send","pageview");var links=document.getElementsByTagName("a");if(Array.prototype.map.call(links,function(e){e.host!=document.location.host&&e.addEventListener("click",function(){var a=e.getAttribute("data-md-action")||"follow";ga("send","event","outbound",a,e.href)})}),document.forms.search){var query=document.forms.search.query;query.addEventListener("blur",function(){if(this.value){var e=document.location.pathname;ga("send","pageview",e+"?q="+this.value)}})}</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink