Kubernetes Ingress returns a different certificate with fabric8 than with curl
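Using the fabric8 kubernetes client, I receive a different certificate than with curl on the same endpoint.
Specifically, I receive the ingress self-signed certificate (CN=Kubernetes Ingress Controller Fake Certificate) instead of the specified one.
Ingress configuration (result of kubectl edit ingress):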
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  creationTimestamp: "2020-08-07T09:33:18Z"
  generation: 1
  labels:
    app: dummy
    app.kubernetes.io/component: dummy-component
    app.kubernetes.io/instance: dummy-instance
    app.kubernetes.io/managed-by: Dummy
    app.kubernetes.io/name: dummy
    app.kubernetes.io/part-of: dummy-sample
    app.kubernetes.io/version: 1.12.0-SNAPSHOT
  managedFields:
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:app: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/instance: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/part-of: {}
          f:app.kubernetes.io/version: {}
      f:spec:
        f:rules: {}
        f:tls: {}
    manager: okhttp
    operation: Update
    time: "2020-08-07T09:33:18Z"
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:loadBalancer:
          f:ingress: {}
    manager: nginx-ingress-controller
    operation: Update
    time: "2020-08-07T09:33:19Z"
  name: dummy-instance
  namespace: dummy-namespace
  resourceVersion: "1887"
  selfLink: /apis/extensions/v1beta1/namespaces/dummy-namespace/ingresses/dummy-instance
  uid: 2b7839fa-da65-45f3-9f1f-8169cf1325d8
spec:
  rules:
  - host: minikube
    http:
      paths:
      - backend:
          serviceName: dummy-instance
          servicePort: 9999
        path: /dummy-instance
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - minikube
    secretName: minikube-tls-3
status:
  loadBalancer:
    ingress:
    - ip: 172.17.0.3
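I can't see any reason for the Ingress to return a different certificate for the same host and the same endpoint with different clients.
My only guess is that the certificate contained in the secret is not compatible with the fabric8 ClientHello (okhttp3 here) (or the ciphers have a lower priority?), but that is not the case.
I've run out of ideas for debugging, so if you have a guess, it's welcome!
The client was not sending the SNI extension in the ClientHello.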