Route
优质
小牛编辑
137浏览
2023-12-01
目的
部署应用到 OCP,并创建安全加密路由。
环境
openshift v3.11.16
/kubernetes v1.11.0
步骤
创建工程
1. CLI 登录到 OCP$ oc login https://master.example.com:8443 -u admin -p admin
2. 创建工程$ oc new-project lab02
部署应用
1. S2I 部署 php 应用$ oc new-app --name=lab02 -i php:7.0 https://github.com/redhat-china/php-helloworld.git
2. 查看运行 POD$ oc get pods -o wide | grep Running
lab02-1-k7tq5 1/1 Running 0 2m 10.244.2.27 node1.example.com
创建自签名证书
1. 创建 private keyopenssl genrsa -out lab02.apps.example.com.key 2048
2. 创建 CSRopenssl req -new -key lab02.apps.example.com.key -out lab02.apps.example.com.csr -subj "/C=CN/ST=BJ/L=BJ/O=IT/OU=IT/CN=lab02.apps.example.com"
3. 创建证书openssl x509 -req -days 3650 -in lab02.apps.example.com.csr -signkey lab02.apps.example.com.key -out lab02.apps.example.com.crt
4. 查看创建的文件# ls -l
total 12
-rw-r--r--. 1 root root 1188 Nov 28 10:45 lab02.apps.example.com.crt
-rw-r--r--. 1 root root 997 Nov 28 10:43 lab02.apps.example.com.csr
-rw-r--r--. 1 root root 1679 Nov 28 10:40 lab02.apps.example.com.key
创建安全加密路由
1. 创建安全加密路由oc create route edge --service=lab02 --hostname=lab02.apps.example.com --key=lab02.apps.example.com.key --cert=lab02.apps.example.com.crt
2. 查看路由中证书和 key 信息$ oc get route/lab02 -o yaml
...
tls:
certificate: |
-----BEGIN CERTIFICATE-----
MIIDQDCCAigCCQCbSN6iOkoAQDANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJD
TjELMAkGA1UECAwCQkoxCzAJBgNVBAcMAkJKMQswCQYDVQQKDAJJVDELMAkGA1UE
CwwCSVQxHzAdBgNVBAMMFmxhYjAyLmFwcHMuZXhhbXBsZS5jb20wHhcNMTgxMTI4
MDI0NTI1WhcNMjgxMTI1MDI0NTI1WjBiMQswCQYDVQQGEwJDTjELMAkGA1UECAwC
QkoxCzAJBgNVBAcMAkJKMQswCQYDVQQKDAJJVDELMAkGA1UECwwCSVQxHzAdBgNV
BAMMFmxhYjAyLmFwcHMuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDJLiHDJsRjxgscUpl1xl4avolk5AlkZOgBo+gi/9bATjoF8jr6
2sI7wFB7Ltaf8rJeD7ox4ffyecA0Sv45K6e6roylvNzMhFxhvT8fHgadXLiQsxVj
Y7tF14rIJsqpXHSfWMGO9to/NJ06n4UPGIf3HXVx97bZQn+0lkJSYS+nbqr4TZqg
VFJxl/By1h+b/kYceoX2aw0hnzbpf6MuD2rGbcIuwGmpPTIf5M/6BtVwUfjfeVA9
HZXsnt5BVaSELs2bFY+czrSgZmnZ8ldOzoHjzj9fNpNgnM/iMe7vpbJadk8o3Oq/
lJ1Xu9pSaT5v26gaysvBG7pHkPmnij5aDk9xAgMBAAEwDQYJKoZIhvcNAQELBQAD
ggEBAJ63obJZ/yGH2Hi7TIcYsRZUXh2kScoSUpVKf8H3bZAp76WiegPiRUKR2Klx
yaQSaPiW53+qrDXhdYPReMHBAnKr6+fl97pzNesmlrU7ZZsRWv4bsm1FOaCOiuDC
KtCCacZIgDtUPxWaq4kdw0d4DA5U9rCFSTZi1fKDwzXnBrLo+KxhtPLXlHxpBIjT
UzICknO7wyl6/SXHZ2XMKgROuxhfYKskc2kb4z3mkaCFmCyBY6RbSH29/lozOK1P
XK2JTRPCRTnoJJWIRi1hR2cGfHSl9Ag8QTeDO7mjLJWXeClP8KVQOn9LfUqaDijK
9rCb3elqp1tC2Khg19+3IB/H9fA=
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAyS4hwybEY8YLHFKZdcZeGr6JZOQJZGToAaPoIv/WwE46BfI6
+trCO8BQey7Wn/KyXg+6MeH38nnANEr+OSunuq6MpbzczIRcYb0/Hx4GnVy4kLMV
Y2O7RdeKyCbKqVx0n1jBjvbaPzSdOp+FDxiH9x11cfe22UJ/tJZCUmEvp26q+E2a
oFRScZfwctYfm/5GHHqF9msNIZ826X+jLg9qxm3CLsBpqT0yH+TP+gbVcFH433lQ
PR2V7J7eQVWkhC7NmxWPnM60oGZp2fJXTs6B484/XzaTYJzP4jHu76WyWnZPKNzq
v5SdV7vaUmk+b9uoGsrLwRu6R5D5p4o+Wg5PcQIDAQABAoIBAGiHs7s2dWxyBmvc
7yemvlafEbx+T/L+Cx5vD7q/u9GH09YrGkIlUC7Dqg2XNKU+8Ta2bURl6PLwF9IT
9Su3Zxs0fpfPHdqWG3odXqLIcx9oge2NX1uZAkEz0URWA48kHuR8tXWXBac5q0g+
gmBpmpvnjpJ852DTkI9AU42COcSAbCCIW954hJC0AELfm36QoElPtSqBIS88B7lQ
Ls0YQA2aPKVVWjPPDxQJkNnyW0oWOou4SFp/RbtE2Wqfnpm1pmCUtPpOJRBLFdOz
Bs4LVog3qS7SLi3DHLmxwwompSFrxDKyf65AZu7JHJOyw9i/4mw9ijUmiE0EYtyL
DpjZaAECgYEA6Vf70OpA2hKd8CPome2cuihBycZZdJ5d9cGOMiMXlBhT48B/EMyz
8c2bGf1rcm/G9ehgpJOMEWMthKVIgh4URmAkxbGlHrAeZ3BUiM/NB7MJ17n8Ya3e
BTM94rMoMWjCffVq3jXV7fDzPle28RG23X1HdbfJczoY6wOPwNlluFECgYEA3Law
a6A2B5+JQVychXwClsuYSMGRdngHbz7rJ95watRGW6b8RqjNrDH8czs43Nlg2Kt5
l0hwlmkQ9xlKvfMT4bqpar/OQ0iKXJOXDT9jWzChZBQL0O2V9z5YqXtMGfK/iHBp
GY2vAkj7dxr35DX4UluYo3Ng6VpMAMzzo+9SfSECgYEAnLuQVP9DmDaxBz/XWK0V
fKTVq6YjKAXHru7XiC2yBLNihbQipTIaG+yypX5m0XLq/PmdEG5awsMPK+2pCl0R
2UNy76cm9bnuciQtY8fQO7+yeMhgEWwrmOqWQtN7x9RJ7zkNEzyt+SjC+bkJFFuF
rLgda6CLG26GljTKNgrQHEECgYEAmhsY3VzUvMfgrvl59B3dNOrc3lgBN+Wg00Ts
Lj864OxsX8wdMzzjtkqEiPSdxF4nJ8G6uS2EJxEfHljTfgM+K4sIhZd87i+1I+SN
QFu1BNPUrCrvAScSYbpvb46+WRPMNfi++W+a9Y59vfDfisFALEj2L5H85ZH9pUV1
DE6qmuECgYEAheWEnVdkI2MT+sXZ7oxt+tHy6FucPIh0fR0EC/uZ6zHpEq3asS7a
z4/SCG5LBEv+kXYyXoK9ES8H5wYGuxqsZpDbohLxy2FDlZSzjzMZ2lGqADJAkFE3
QpgIERbP3iRMv0a6JTshekoPgBevGvU4ysbaRnLmaMxbVQJCnjraD9w=
-----END RSA PRIVATE KEY-----
termination: edge
访问测试
$ curl -k -vvv https://lab02.apps.example.com
* About to connect() to lab02.apps.example.com port 443 (#0)
* Trying 10.66.208.102...
* Connected to lab02.apps.example.com (10.66.208.102) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=lab02.apps.example.com,OU=IT,O=IT,L=BJ,ST=BJ,C=CN
* start date: Nov 28 02:45:25 2018 GMT
* expire date: Nov 25 02:45:25 2028 GMT
* common name: lab02.apps.example.com
* issuer: CN=lab02.apps.example.com,OU=IT,O=IT,L=BJ,ST=BJ,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: lab02.apps.example.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 28 Nov 2018 02:56:31 GMT
< Server: Apache/2.4.27 (Red Hat) OpenSSL/1.0.1e-fips
< Content-Length: 28
< Content-Type: text/html; charset=UTF-8
< Set-Cookie: fa30722b978c8486b7c69be5697d2aac=e017f926fb91967410580c9f8fd47487; path=/; HttpOnly; Secure
< Cache-control: private
<
Current php version: 7.0.27
* Connection #0 to host lab02.apps.example.com left intact