## Requirements

Some of the company's internal business systems (MIS, BI and the like) have strict security requirements: only company staff may reach them, and the browser must present a client certificate to log in. Staff who need access get a certificate issued when they join; when someone leaves, their certificate is revoked.

## The usual nginx configuration for HTTPS mutual (two-way) certificate authentication

### Nginx HTTPS mutual authentication reference configuration

```nginx
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;       # TLSv1.2 added; keep TLSv1/TLSv1.1 only while legacy clients need them
    server_name www.example.com;               # domain
    ssl_certificate www.example.com.crt;       # server certificate, third-party or self-issued
    ssl_certificate_key www.example.com.key;   # private key matching the certificate
    ssl_verify_client on;                      # require a client certificate and verify it
    ssl_client_certificate ca.crt;             # CA chain (root plus intermediates) that issued the client certificates
    ssl_verify_depth 2;                        # maximum number of CA certificates between client certificate and root
    ssl_crl ssl/dr-crl.chain.pem;              # certificate revocation list (CRL), not a client certificate chain
    location / {
        root html;
        index index.html index.htm;
    }
}
```

With `ssl_verify_client on`, a request that carries no client certificate, or one that fails to verify (unknown issuer, expired, listed in the CRL), is rejected by nginx with HTTP 400 before it reaches the application.

### Create the CA certificate secret

A complete `ca.crt` contains the CA certificate chain followed by the CRL (the same file the `ssl_crl` directive points to above):

```sh
cat ca-chain.cert.pem dr-crl.chain.pem > ca.crt
kubectl create secret generic auth-tls-chain --from-file=ca.crt=ca.crt -n ftc-demo
```

- `ca-chain.cert.pem`: the CA chain (root certificate together with any intermediates) that signs the client certificates
- `dr-crl.chain.pem`: the certificate revocation list (CRL); this is what makes revoking a departed employee's certificate take effect, so it must be regenerated and the secret updated after every revocation

[GitHub reference: Creating the CA Authentication secret](https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#creating-the-ca-authentication-secret)

[GitHub reference: Client Certificate Authentication](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/client-certs)

### Create the server certificate secret

Either of the following creates the secret; the second form (`kubectl create secret tls`) yields a secret of type `kubernetes.io/tls` and is the conventional one. The secret must live in the same namespace as the Ingress that references it in `spec.tls[].secretName`.

```sh
kubectl create secret generic corp.dianrong.com-secret --from-file=tls.crt=corp.dianrong.com.crt --from-file=tls.key=corp.dianrong.com.pem.key -n dr-demo
kubectl create secret tls corp.dianrong.com-secret --cert corp.dianrong.com.crt --key corp.dianrong.com.pem.key -n dr-demo
```

### Add the Ingress with client certificate authentication

```yaml
# cat saas-admin-demo.corp.dalianyun.com.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: saas-admin-demo.corp.dalianyun.com-ingress
  namespace: ftc-demo
  annotations:
    kubernetes.io/ingress.class: nginx
    # secret holding ca.crt (CA chain + CRL), given as <namespace>/<name>
    nginx.ingress.kubernetes.io/auth-tls-secret: ftc-demo/auth-tls-chain
    # "on": a client certificate is mandatory and must verify; "optional" would let clients without one through
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    # the backend does not need the client certificate, so do not forward it upstream
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false"
spec:
  tls:
  - hosts:
    - saas-admin-demo.corp.dalianyun.com
    secretName: corp-dalianyun-secret   # server certificate secret; must exist in namespace ftc-demo
  rules:
  - host: saas-admin-demo.corp.dalianyun.com
    http:
      paths:
      - path: /
        backend:
          serviceName: ftc-saas-admin
          servicePort: 8080
```

## Notes

The ingress-nginx that kubespray deploys by default does not enable the older TLS versions in `ssl-protocols`, so browsers that can only negotiate TLS 1.0/1.1 fail the handshake. If such clients must be supported, list the protocols explicitly in the controller's ConfigMap. SSLv2 was removed from OpenSSL in 1.1.0, so listing it has no effect and it is left out here; TLS 1.0 and 1.1 are deprecated and should be enabled only for as long as the legacy clients require them, then removed again.

```yaml
# cat ingress-nginx-cm.yml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx
  namespace: kube-system
  labels:
    k8s-app: ingress-nginx
data:
  map-hash-bucket-size: '128'
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"   # widened for legacy clients only; TLSv1.2 is the target
```

### Adding an HTTPS server certificate secret

```sh
kubectl create secret generic jiedai361.com-secret --from-file=tls.crt=jiedai361.com.pem --from-file=tls.key=jiedai361.com.key -n ftc-demo
```
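To make the requirement (issue a certificate on joining, revoke it on leaving) and the contents of the CA secret concrete, here is an added example; it is not part of the original post and not ingress-nginx's own tooling. It builds a throwaway two-tier CA (root plus intermediate) with the openssl CLI, issues client certificates, revokes one, regenerates the CRL and verifies each certificate the way nginx does (chain, CRL, client purpose). The file names `ca-chain.cert.pem`, `dr-crl.chain.pem` and `ca.crt` follow the post; the CA subjects, the user names and the `$WORK` directory are assumptions for the demo.

```sh
#!/bin/sh
# Added example: two-tier demo CA for the client certificate lifecycle behind the
# auth-tls secret. File names follow the post; CA subjects, user names and $WORK are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal database and config that `openssl ca` needs for issuing, -revoke and -gencrl.
ca_config() {   # $1 = CA directory
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"            # one line per issued certificate (V = valid, R = revoked)
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
}

write_exts() {   # X.509 v3 extensions: CA certificates may sign certs and CRLs; leaves are client-auth only
  printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
                'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/ca_ext.cnf"
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = critical, digitalSignature' \
                'extendedKeyUsage = clientAuth' > "$WORK/client_ext.cnf"
}

build_ca() {
  mkdir -p "$WORK/root" "$WORK/int"
  write_exts
  ca_config "$WORK/root"
  ca_config "$WORK/int"
  # Root CA: self-signed.
  openssl genrsa -out "$WORK/root/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/root/ca.key" -subj "/CN=Demo Root CA" -out "$WORK/root/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root/ca.csr" -signkey "$WORK/root/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/root/ca.pem" 2>/dev/null
  # Intermediate CA: signed by the root through `openssl ca`, so it is recorded in the root's database.
  openssl genrsa -out "$WORK/int/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/int/ca.key" -subj "/CN=Demo Intermediate CA" -out "$WORK/int/ca.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/root/openssl.cnf" -extfile "$WORK/ca_ext.cnf" -days 1825 \
    -in "$WORK/int/ca.csr" -out "$WORK/int/ca.pem" >/dev/null 2>&1
  # ca-chain.cert.pem: the chain nginx verifies client certificates against (issuer first, root last).
  # Two CAs above the leaf is exactly what ssl_verify_depth 2 allows.
  cat "$WORK/int/ca.pem" "$WORK/root/ca.pem" > "$WORK/ca-chain.cert.pem"
  gen_crl
}

# dr-crl.chain.pem: the intermediate's CRL. It must be regenerated after every revocation and
# republished in the secret; until then nginx keeps accepting the revoked certificate.
gen_crl() {
  openssl ca -batch -config "$WORK/int/openssl.cnf" -gencrl -out "$WORK/dr-crl.chain.pem" 2>/dev/null
}

issue_client() {   # $1 = user name; a new hire receives $1.crt and $1.key for the browser
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/int/openssl.cnf" -extfile "$WORK/client_ext.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

revoke_client() {  # $1 = user name; the employee left: mark the entry R and refresh the CRL
  openssl ca -batch -config "$WORK/int/openssl.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  gen_crl
}

# The checks nginx performs: chain to a trusted root, CRL lookup, client-auth purpose.
verify_client() {  # $1 = user name; prints ok | revoked | invalid
  if out=$(openssl verify -CAfile "$WORK/ca-chain.cert.pem" -CRLfile "$WORK/dr-crl.chain.pem" \
             -crl_check -purpose sslclient "$WORK/$1.crt" 2>&1); then
    echo ok
  elif printf '%s' "$out" | grep -q 'certificate revoked'; then
    echo revoked
  else
    echo invalid
  fi
}

# ca.crt assembled exactly as the post does before `kubectl create secret generic auth-tls-chain`.
bundle_ca_secret() {
  cat "$WORK/ca-chain.cert.pem" "$WORK/dr-crl.chain.pem" > "$WORK/ca.crt"
  echo "$WORK/ca.crt"
}

demo() {
  build_ca
  issue_client alice; issue_client bob
  revoke_client bob
  echo "alice: $(verify_client alice)"     # ok
  echo "bob:   $(verify_client bob)"       # revoked
  echo "secret ca.crt: $(bundle_ca_secret)"
}
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh ca-demo.sh`; the printed path is the file to feed into `--from-file=ca.crt=`. Two operational points follow from the code: every `revoke_client` must be followed by re-creating the `auth-tls-chain` secret from the new `ca.crt`, because the CRL inside that secret is the only thing that makes the revocation effective at the ingress; and the CRL carries a `nextUpdate` (30 days here via `default_crl_days`), after which nginx rejects every client certificate with a CRL-has-expired error, so CRL regeneration has to be scheduled even when nobody leaves.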