How to generate self-signed certificate for IP address (without domain name)?
I have a private docker registry in a Google Cloud k8s cluster that is reachable only by IP.
What I have tried:
- Wrote a script that generates self-signed certificates.
- Used the generated self-signed client key and certificate on the docker registry side.
- Placed the CA certificate on every k8s node at /etc/ssl/certs/registry-proxy-ca.pem and ran update-ca-certificates && systemctl restart docker.
I expected the self-signed client certificate to be accepted by the k8s nodes when they try to create pods and pull images from the docker registry.
But I still get the error:
x509: certificate signed by unknown authority
Can anyone help me understand what I am doing wrong? My script:
#!/usr/bin/env bash
set -euo pipefail

IP=10.3.240.100
LIFESPAN_DAYS=35600
CERTS_DIR=platform/cert-customizations/certs
CA_KEY=$CERTS_DIR/registry-proxy-ca.key
CA_PEM=$CERTS_DIR/registry-proxy-ca.pem
OPENSSL_CONFIG=$CERTS_DIR/openssl.cnf
REGISTRY_CERT_DIR=platform/registry-proxy/certs
REGISTRY_CERT_KEY=$REGISTRY_CERT_DIR/tls.key
REGISTRY_CERT=$REGISTRY_CERT_DIR/tls.crt
REGISTRY_CSR=$REGISTRY_CERT_DIR/registry-proxy.csr
REGISTRY_EXTFILE=$REGISTRY_CERT_DIR/extfile.cnf

mkdir -p "$CERTS_DIR" "$REGISTRY_CERT_DIR"

# Extensions added when the registry certificate is signed (last command below).
# The IP has to be in subjectAltName: Go-based clients such as docker and
# containerd do not fall back to the CN.
echo "subjectAltName = IP:$IP" > "$REGISTRY_EXTFILE"

# Request config for the CSR. Written with ">" rather than ">>" so that
# re-running the script does not append duplicate sections.
cat >"$OPENSSL_CONFIG" <<EOL
[ req ]
default_bits = 2048
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
distinguished_name = subject
[ subject ]
# For simplicity, I will skip over the contents.
# ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
[ alternate_names ]
IP.1 = ${IP}
EOL

# CA private key
openssl genrsa -out "$CA_KEY" 2048
# Self-signed root CA certificate: this is the file to install in the nodes' trust store
openssl req -subj "/CN=Nerdia Root CA" -x509 -new -nodes -key "$CA_KEY" -sha256 -days "$LIFESPAN_DAYS" -out "$CA_PEM"
# Key and CSR for the docker registry
openssl genrsa -out "$REGISTRY_CERT_KEY" 2048
openssl req -subj "/CN=${IP}" -config "$OPENSSL_CONFIG" -new -key "$REGISTRY_CERT_KEY" -out "$REGISTRY_CSR"
# Sign the CSR with the CA. Only the extensions in $REGISTRY_EXTFILE end up in
# tls.crt; by default "openssl x509 -req" does not copy extensions from the CSR.
openssl x509 -req -in "$REGISTRY_CSR" -CA "$CA_PEM" -CAkey "$CA_KEY" -CAcreateserial -out "$REGISTRY_CERT" -days "$LIFESPAN_DAYS" -sha256 -extfile "$REGISTRY_EXTFILE"
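Before blaming the nodes, it is worth checking that the certificates themselves pass the two checks a Go-based client (docker, containerd) performs: the chain must end at a CA the client trusts, and the IP must be present in subjectAltName. The following is an added example, not the poster's script: it mints a throwaway CA and an IP-SAN server certificate in a temporary directory and then runs both checks with openssl verify, once as a client that has the CA installed and once as a client that does not. The CA name, validity periods, file names and the CN-only variant are assumptions for illustration; the IP 10.3.240.100 is taken from the question.

```shell
#!/bin/sh
# Added example, not the original poster's script: build a private CA plus an
# IP-SAN server certificate and verify them the way a client would.
set -eu

# Create a self-signed root CA under $1 (ca.key, ca.pem).
make_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=Example Private Root CA" \
    -out "$dir/ca.csr" 2>/dev/null
  # Explicit CA extensions, so the result is a usable trust anchor on any OpenSSL version.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    >"$dir/ca-ext.cnf"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
    -extfile "$dir/ca-ext.cnf" -out "$dir/ca.pem" 2>/dev/null
}

# Issue a server certificate for IP $2 under $1 as $3.key / $3.crt, signed by the CA.
# $4 = "nosan" puts the IP only in the CN, which is the usual mistake.
issue_leaf() {
  dir=$1 ip=$2 name=$3 mode=${4:-san}
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$ip" -out "$dir/$name.csr" 2>/dev/null
  {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n'
    [ "$mode" = nosan ] || printf 'subjectAltName=IP:%s\n' "$ip"
  } >"$dir/$name-ext.cnf"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$dir/$name-ext.cnf" \
    -out "$dir/$name.crt" 2>/dev/null
}

# Check as a client that trusts ca.pem: chain plus IP identity. 0 = accepted.
verify_trusting() {   # args: dir ip name
  openssl verify -no-CApath -CAfile "$1/ca.pem" -verify_ip "$2" "$1/$3.crt" >/dev/null 2>&1
}

# Check as a client that has NOT installed the CA (only its built-in roots):
# this is the "certificate signed by unknown authority" situation.
verify_untrusting() { # args: dir ip name
  openssl verify -no-CAfile -no-CApath -verify_ip "$2" "$1/$3.crt" >/dev/null 2>&1
}

# Print the subjectAltName entries of $1/$2.crt with spaces removed ("" if none).
cert_san() {
  openssl x509 -in "$1/$2.crt" -noout -text \
    | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# Demo run: everything lands in a scratch directory that is removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK"
issue_leaf "$WORK" 10.3.240.100 registry        # correct: IP in SAN
issue_leaf "$WORK" 10.3.240.100 cn-only nosan   # wrong: IP only in CN
echo "SAN of registry.crt: $(cert_san "$WORK" registry)"
verify_trusting   "$WORK" 10.3.240.100 registry && echo "trusting client: accepted"
verify_untrusting "$WORK" 10.3.240.100 registry || echo "untrusting client: rejected (unknown authority)"
verify_trusting   "$WORK" 10.3.240.100 cn-only  || echo "cn-only: rejected even by a trusting client (no IP SAN)"
```

The two failure cases map directly onto what a Go client reports: the untrusting client is the "x509: certificate signed by unknown authority" error from the question, and the CN-only certificate produces "x509: cannot validate certificate for 10.3.240.100 because it doesn't contain any IP SANs". If the first check passes here, the certificate files are fine and the problem is on the node side.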
The issue in this particular question is related to the CRI that GKE is using.
Quoting (part of) the official documentation, slightly modified:
OS                     | Node image                                               | Description
Container-Optimized OS | Container-Optimized OS with Containerd (cos_containerd)  | The cos_containerd image uses Containerd as the container runtime directly integrated with Kubernetes. For more information, see Using Containerd images
Container-Optimized OS | Container-Optimized OS with Docker (cos)                  | The cos image uses the Docker container runtime
-- Cloud.google.com: Kubernetes Engine: Docs: Concepts: Node images: Available Node images
The specific image:
gke-1199-gke1400-cos-85-13310-1209-12-v210407-c-pre
uses containerd as the CRI instead of Docker (see the -c-). Hence: $ systemctl restart docker did not give the expected result. The solution was to replace docker with containerd in systemctl restart ....
You can check which CRI you are using by:
- running: $ kubectl get nodes --output wide
- checking the Cloud Console (Web UI)
Side note!
Running Docker commands on Containerd nodes
While the Docker binary is currently available on Containerd nodes, we do not recommend using it after you migrate to Containerd. Docker does not manage the containers Kubernetes runs on Containerd nodes, thus you cannot use it to view or interact with running Kubernetes containers using Docker commands or the Docker API.
Warning: Docker cannot view or access containers or images managed by Kubernetes. Your applications should not interact with Docker directly. For general troubleshooting or debugging, use crictl instead.
-- Cloud.google.com: Kubernetes Engine: Docs: Concepts: Using containerd: Migrating
Additional resources:
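The answer above comes down to restarting the runtime the kubelet actually uses, and a mixed node pool can have both. The following is an added example, not the answerer's code: it reads the CONTAINER-RUNTIME column of kubectl get nodes --output wide, maps each node to the systemd unit that must be restarted, and wraps the CA install step from the question so it can be run on a node with the right unit name. The node listing is constructed sample data; the unit names containerd and docker, the CA path from the question and the Debian-style update-ca-certificates are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: decide which runtime unit to
# restart on each node after installing the registry CA.
set -eu

# Map the kubelet's containerRuntimeVersion (e.g. "containerd://1.4.3",
# "docker://19.3.14") to the systemd unit that has to be restarted so the
# runtime re-reads the node trust store. Anything else is an error.
runtime_service() {
  case "$1" in
    containerd://*) echo containerd ;;
    docker://*)     echo docker ;;
    *) echo "unsupported container runtime: $1" >&2; return 1 ;;
  esac
}

# Read `kubectl get nodes -o wide` output on stdin, print "<node> <unit>" per node.
# CONTAINER-RUNTIME is the last column, so $NF is used rather than a fixed index:
# the OS-IMAGE column ("Container-Optimized OS from Google") contains spaces.
node_runtime_units() {
  awk 'NR > 1 && NF > 1 { print $1, $NF }' | while read -r node cri; do
    unit=$(runtime_service "$cri" 2>/dev/null) || unit=unknown
    printf '%s %s\n' "$node" "$unit"
  done
}

# Run ON a node (over SSH or from a privileged DaemonSet) with the unit name
# taken from node_runtime_units. The CA path follows the question;
# update-ca-certificates and the unit names are assumptions.
install_registry_ca() {   # usage: install_registry_ca <ca.pem> <containerd|docker>
  install -m 0644 "$1" /etc/ssl/certs/registry-proxy-ca.pem
  update-ca-certificates
  systemctl restart "$2"
}

# Constructed sample of `kubectl get nodes -o wide` (not real cluster output).
SAMPLE_WIDE='NAME                       STATUS   ROLES    AGE   VERSION            INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                             KERNEL-VERSION   CONTAINER-RUNTIME
gke-pool-a-1a2b3c4d-xyz1   Ready    <none>   5d    v1.19.9-gke.1400   10.3.0.2      <none>        Container-Optimized OS from Google   5.4.89+          containerd://1.4.3
gke-pool-b-5e6f7g8h-xyz2   Ready    <none>   5d    v1.19.9-gke.1400   10.3.0.3      <none>        Container-Optimized OS from Google   5.4.89+          docker://19.3.14'

# Demo: which unit each node needs restarted.
printf '%s\n' "$SAMPLE_WIDE" | node_runtime_units
```

Against a live cluster, pipe the real listing in (kubectl get nodes -o wide | node_runtime_units) and call install_registry_ca on each node with the unit it reports; a node that comes back as "unknown" runs a runtime this script does not know about and should be handled by hand rather than restarted blindly.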