Route

优质

小牛编辑

135浏览

2023-12-01

目的

部署应用到 OCP，并创建安全加密路由。

环境

openshift v3.11.16/kubernetes v1.11.0

步骤

创建工程

1. CLI 登录到 OCP

$ oc login https://master.example.com:8443 -u admin -p admin

2. 创建工程

$ oc new-project lab02

部署应用

1. S2I 部署 php 应用

$ oc new-app --name=lab02 -i php:7.0 https://github.com/redhat-china/php-helloworld.git

2. 查看运行 POD

$ oc get pods -o wide | grep Running
lab02-1-k7tq5   1/1       Running     0          2m        10.244.2.27   node1.example.com

创建自签名证书

1. 创建 private key

openssl genrsa -out lab02.apps.example.com.key 2048

2. 创建 CSR

openssl req -new -key lab02.apps.example.com.key -out lab02.apps.example.com.csr -subj "/C=CN/ST=BJ/L=BJ/O=IT/OU=IT/CN=lab02.apps.example.com"

3. 创建证书

openssl x509 -req -days 3650 -in lab02.apps.example.com.csr -signkey lab02.apps.example.com.key -out lab02.apps.example.com.crt

4. 查看创建的文件

# ls -l
total 12
-rw-r--r--. 1 root root 1188 Nov 28 10:45 lab02.apps.example.com.crt
-rw-r--r--. 1 root root  997 Nov 28 10:43 lab02.apps.example.com.csr
-rw-r--r--. 1 root root 1679 Nov 28 10:40 lab02.apps.example.com.key

创建安全加密路由

1. 创建安全加密路由

oc create route edge --service=lab02 --hostname=lab02.apps.example.com --key=lab02.apps.example.com.key --cert=lab02.apps.example.com.crt

2. 查看路由中证书和 key 信息

$ oc get route/lab02 -o yaml
  ...
  tls:
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIDQDCCAigCCQCbSN6iOkoAQDANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJD
      TjELMAkGA1UECAwCQkoxCzAJBgNVBAcMAkJKMQswCQYDVQQKDAJJVDELMAkGA1UE
      CwwCSVQxHzAdBgNVBAMMFmxhYjAyLmFwcHMuZXhhbXBsZS5jb20wHhcNMTgxMTI4
      MDI0NTI1WhcNMjgxMTI1MDI0NTI1WjBiMQswCQYDVQQGEwJDTjELMAkGA1UECAwC
      QkoxCzAJBgNVBAcMAkJKMQswCQYDVQQKDAJJVDELMAkGA1UECwwCSVQxHzAdBgNV
      BAMMFmxhYjAyLmFwcHMuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
      DwAwggEKAoIBAQDJLiHDJsRjxgscUpl1xl4avolk5AlkZOgBo+gi/9bATjoF8jr6
      2sI7wFB7Ltaf8rJeD7ox4ffyecA0Sv45K6e6roylvNzMhFxhvT8fHgadXLiQsxVj
      Y7tF14rIJsqpXHSfWMGO9to/NJ06n4UPGIf3HXVx97bZQn+0lkJSYS+nbqr4TZqg
      VFJxl/By1h+b/kYceoX2aw0hnzbpf6MuD2rGbcIuwGmpPTIf5M/6BtVwUfjfeVA9
      HZXsnt5BVaSELs2bFY+czrSgZmnZ8ldOzoHjzj9fNpNgnM/iMe7vpbJadk8o3Oq/
      lJ1Xu9pSaT5v26gaysvBG7pHkPmnij5aDk9xAgMBAAEwDQYJKoZIhvcNAQELBQAD
      ggEBAJ63obJZ/yGH2Hi7TIcYsRZUXh2kScoSUpVKf8H3bZAp76WiegPiRUKR2Klx
      yaQSaPiW53+qrDXhdYPReMHBAnKr6+fl97pzNesmlrU7ZZsRWv4bsm1FOaCOiuDC
      KtCCacZIgDtUPxWaq4kdw0d4DA5U9rCFSTZi1fKDwzXnBrLo+KxhtPLXlHxpBIjT
      UzICknO7wyl6/SXHZ2XMKgROuxhfYKskc2kb4z3mkaCFmCyBY6RbSH29/lozOK1P
      XK2JTRPCRTnoJJWIRi1hR2cGfHSl9Ag8QTeDO7mjLJWXeClP8KVQOn9LfUqaDijK
      9rCb3elqp1tC2Khg19+3IB/H9fA=
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEpQIBAAKCAQEAyS4hwybEY8YLHFKZdcZeGr6JZOQJZGToAaPoIv/WwE46BfI6
      +trCO8BQey7Wn/KyXg+6MeH38nnANEr+OSunuq6MpbzczIRcYb0/Hx4GnVy4kLMV
      Y2O7RdeKyCbKqVx0n1jBjvbaPzSdOp+FDxiH9x11cfe22UJ/tJZCUmEvp26q+E2a
      oFRScZfwctYfm/5GHHqF9msNIZ826X+jLg9qxm3CLsBpqT0yH+TP+gbVcFH433lQ
      PR2V7J7eQVWkhC7NmxWPnM60oGZp2fJXTs6B484/XzaTYJzP4jHu76WyWnZPKNzq
      v5SdV7vaUmk+b9uoGsrLwRu6R5D5p4o+Wg5PcQIDAQABAoIBAGiHs7s2dWxyBmvc
      7yemvlafEbx+T/L+Cx5vD7q/u9GH09YrGkIlUC7Dqg2XNKU+8Ta2bURl6PLwF9IT
      9Su3Zxs0fpfPHdqWG3odXqLIcx9oge2NX1uZAkEz0URWA48kHuR8tXWXBac5q0g+
      gmBpmpvnjpJ852DTkI9AU42COcSAbCCIW954hJC0AELfm36QoElPtSqBIS88B7lQ
      Ls0YQA2aPKVVWjPPDxQJkNnyW0oWOou4SFp/RbtE2Wqfnpm1pmCUtPpOJRBLFdOz
      Bs4LVog3qS7SLi3DHLmxwwompSFrxDKyf65AZu7JHJOyw9i/4mw9ijUmiE0EYtyL
      DpjZaAECgYEA6Vf70OpA2hKd8CPome2cuihBycZZdJ5d9cGOMiMXlBhT48B/EMyz
      8c2bGf1rcm/G9ehgpJOMEWMthKVIgh4URmAkxbGlHrAeZ3BUiM/NB7MJ17n8Ya3e
      BTM94rMoMWjCffVq3jXV7fDzPle28RG23X1HdbfJczoY6wOPwNlluFECgYEA3Law
      a6A2B5+JQVychXwClsuYSMGRdngHbz7rJ95watRGW6b8RqjNrDH8czs43Nlg2Kt5
      l0hwlmkQ9xlKvfMT4bqpar/OQ0iKXJOXDT9jWzChZBQL0O2V9z5YqXtMGfK/iHBp
      GY2vAkj7dxr35DX4UluYo3Ng6VpMAMzzo+9SfSECgYEAnLuQVP9DmDaxBz/XWK0V
      fKTVq6YjKAXHru7XiC2yBLNihbQipTIaG+yypX5m0XLq/PmdEG5awsMPK+2pCl0R
      2UNy76cm9bnuciQtY8fQO7+yeMhgEWwrmOqWQtN7x9RJ7zkNEzyt+SjC+bkJFFuF
      rLgda6CLG26GljTKNgrQHEECgYEAmhsY3VzUvMfgrvl59B3dNOrc3lgBN+Wg00Ts
      Lj864OxsX8wdMzzjtkqEiPSdxF4nJ8G6uS2EJxEfHljTfgM+K4sIhZd87i+1I+SN
      QFu1BNPUrCrvAScSYbpvb46+WRPMNfi++W+a9Y59vfDfisFALEj2L5H85ZH9pUV1
      DE6qmuECgYEAheWEnVdkI2MT+sXZ7oxt+tHy6FucPIh0fR0EC/uZ6zHpEq3asS7a
      z4/SCG5LBEv+kXYyXoK9ES8H5wYGuxqsZpDbohLxy2FDlZSzjzMZ2lGqADJAkFE3
      QpgIERbP3iRMv0a6JTshekoPgBevGvU4ysbaRnLmaMxbVQJCnjraD9w=
      -----END RSA PRIVATE KEY-----
    termination: edge

访问测试

$ curl -k -vvv https://lab02.apps.example.com
* About to connect() to lab02.apps.example.com port 443 (#0)
*   Trying 10.66.208.102...
* Connected to lab02.apps.example.com (10.66.208.102) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=lab02.apps.example.com,OU=IT,O=IT,L=BJ,ST=BJ,C=CN
* 	start date: Nov 28 02:45:25 2018 GMT
* 	expire date: Nov 25 02:45:25 2028 GMT
* 	common name: lab02.apps.example.com
* 	issuer: CN=lab02.apps.example.com,OU=IT,O=IT,L=BJ,ST=BJ,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: lab02.apps.example.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 28 Nov 2018 02:56:31 GMT
< Server: Apache/2.4.27 (Red Hat) OpenSSL/1.0.1e-fips
< Content-Length: 28
< Content-Type: text/html; charset=UTF-8
< Set-Cookie: fa30722b978c8486b7c69be5697d2aac=e017f926fb91967410580c9f8fd47487; path=/; HttpOnly; Secure
< Cache-control: private
<
Current php version: 7.0.27
* Connection #0 to host lab02.apps.example.com left intact