Traefik self signed certificate on openshift with the ingress object

Question

I have a problem where I can create an ingress object and make it work with https, but it does not provide a custom certificate I have created and specified in the "ingress" object.

I am using OpenShift as the orchestrator.
I am using "ingress" as a provider and the "ingress" object for Traefik.

How can I create and enable a self-signed certificate that Traefik will use?
In addition, how can I change the default certificate Traefik gives me?

My configurations:

I have installed Traefik via the default values.yaml file and via the helm chart here:
https://github.com/traefik/traefik-helm-chart/tree/master

My ingress object:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami-http
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
  - hosts:
      - traefik.ben-tests.com
    secretName: my-tls
  rules:
    - host: traefik.ben-tests.com
      http:
        paths:
          - path: /iamben
            pathType: Prefix
            backend:
              service:
                name: whoami-svc
                port:
                  number: 80

When I do:
curl https://traefik.ben-tests.com/iamben -k
or access via web, I get the default Traefik certificate.

I have created the certificate via the following commands:

To create the certificate:
openssl req -new -newkey rsa:2048 -nodes -keyout my.key -out my.crt

To create the secret:
oc create secret generic my-tls --from-file=tls.key=my.key --from-file=tls.crt=my.crt

What am I doing wrong?
Ty very much for the help.

Answer 1

Score: 0

When I signed the certificate it had no SAN, so the certificate was not valid; thus Traefik served the default one.

Created a new valid crt via openssl (version 1.1.1):

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout my.key -out my.crt -subj "/CN=traefik.ben-tests.com" -addext "subjectAltName=DNS:*.traefik.ben-tests.com,DNS:traefik.ben-tests.com"

And it worked.
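
A pre-flight check for the failure described in this thread, as an added example that is not part of the original question or answer: it verifies that the file destined for tls.crt is an X.509 certificate, carries a DNS SAN covering the Ingress host, and matches the private key. The function names, return codes and sample file names are assumptions of this example; it needs OpenSSL 1.1.1 or later for `-ext` and `-addext`.

```shell
#!/usr/bin/env bash
# Added example; return codes are this example's own convention.
HOST=traefik.ben-tests.com   # host from the Ingress object on this page

# check_ingress_cert CERT KEY HOST
#   0 ok, 1 not a certificate, 2 no DNS SAN, 3 host not covered,
#   4 private key does not belong to the certificate
check_ingress_cert() {
  local crt=$1 key=$2 host=$3
  # A CSR (openssl req without -x509) does not parse as a certificate.
  openssl x509 -in "$crt" -noout 2>/dev/null || return 1
  # -checkhost falls back to the CN when no DNS SAN exists, so require
  # the SAN extension explicitly before checking the host name.
  openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
    grep -q 'DNS:' || return 2
  openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
    grep -q 'does match' || return 3
  # tls.key must be the private half of the certificate's public key.
  [ "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 4
}

# make_samples DIR: constructed inputs with throwaway keys.
make_samples() {
  local d=$1 subj="/CN=$HOST"
  # Same flags as the question (plus -subj to avoid prompts): writes a CSR.
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/csr.key" -out "$d/csr.crt" 2>/dev/null
  # Self-signed certificate with a CN but no SAN.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
    -keyout "$d/cn.key" -out "$d/cn.crt" 2>/dev/null
  # Same shape as the answer: self-signed with wildcard and exact SAN.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
    -addext "subjectAltName=DNS:*.$HOST,DNS:$HOST" \
    -keyout "$d/san.key" -out "$d/san.crt" 2>/dev/null
}
```

Running `check_ingress_cert my.crt my.key traefik.ben-tests.com` before `oc create secret` catches a bad certificate before Traefik silently falls back to its default one.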

huangapple
  • Posted on May 21, 2023, 15:37:34
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76298796.html