How to override Kong Gateway default certificates in Kubernetes

I am trying to set up SSL certificates for Kong 2.7 installed in Kubernetes, but I am not getting it to work as expected. I tried to follow this guide. I even looked for additional help in the discussion.

curl -X POST http://kong-admin:8001/certificates -F "cert=kong.lan.pem" -F "key=kong.lan.key" -F "snis[0]=mydomain.net"

This is my response:

{
  "fields": {
    "cert": "invalid certificate: x509.new: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data",
    "key": "invalid key: pkey.new:load_key: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data"
  },
  "message": "2 schema violations (cert: invalid certificate: x509.new: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data; key: invalid key: pkey.new:load_key: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data)",
  "name": "schema violation",
  "code": 2
}

Kong deployed using the helm chart:

$ helm repo add kong https://charts.konghq.com
$ helm repo update

$ helm install kong/kong --generate-name --set ingressController.enabled=true --set admin.enabled=True --set admin.http.enabled=True --set ingress.enabled=True --set proxy.ingress.enabled=True --set admin.type=LoadBalancer --set proxy.type=LoadBalancer

Does any of you know how to make this work, or how to add tls.crt and tls.key to the Kong deployment?

You are just missing the @ in the curl command to upload a file

curl -X POST http://kong-admin:8001/certificates -F "cert=@kong.lan.pem" -F "key=@kong.lan.key" -F "snis[0]=mydomain.net"

curl -X POST http://localhost:8001/certificates -F "cert=kong.lan.pem" -F "key=kong.lan.key" -F "snis[0]=mydomain.net"

will send

POST /certificates HTTP/1.1
Host: localhost:8001
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 363
Content-Type: multipart/form-data; boundary=------------------------d67ae21b533e5746

--------------------------d67ae21b533e5746
Content-Disposition: form-data; name="cert"

kong.lan.pem
--------------------------d67ae21b533e5746
Content-Disposition: form-data; name="key"

kong.lan.key
--------------------------d67ae21b533e5746
Content-Disposition: form-data; name="snis[0]"

mydomain.net
--------------------------d67ae21b533e5746--

echo "toto" >| kong.lan.pem
curl -X POST http://localhost:8001/certificates -F "cert=@kong.lan.pem" -F "key=kong.lan.key" -F "snis[0]=mydomain.net"

will send

POST /certificates HTTP/1.1
Host: localhost:8001
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 421
Content-Type: multipart/form-data; boundary=------------------------973b3467e461334a

--------------------------973b3467e461334a
Content-Disposition: form-data; name="cert"; filename="kong.lan.pem"
Content-Type: application/octet-stream

toto

--------------------------973b3467e461334a
Content-Disposition: form-data; name="key"

kong.lan.key
--------------------------973b3467e461334a
Content-Disposition: form-data; name="snis[0]"

mydomain.net
--------------------------973b3467e461334a--
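
A pre-flight wrapper for the upload discussed above, as an added example that is not part of the original question or answer: it rejects files that are not PEM (the "not enough data" case, where Kong receives a file name or other text instead of a certificate) and then posts both files with `@`. The function names `pem_kind` and `upload_cert` and the `CURL` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check before POSTing to the Kong Admin API.
# Helper names and the CURL override are assumptions made for this example.

# pem_kind FILE -> prints "certificate", "key" or "invalid"
pem_kind() {
    [ -r "$1" ] || { echo invalid; return 0; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    elif grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"; then
        echo key
    else
        echo invalid        # e.g. a file holding "toto"
    fi
}

# upload_cert ADMIN_URL CERT_FILE KEY_FILE SNI
# Returns 2 for a bad certificate, 3 for a bad key, 4 for a mismatched pair.
upload_cert() {
    local admin="$1" cert="$2" key="$3" sni="$4" cert_pub key_pub
    [ "$(pem_kind "$cert")" = certificate ] ||
        { echo "cert: $cert is not a PEM certificate" >&2; return 2; }
    [ "$(pem_kind "$key")" = key ] ||
        { echo "key: $key is not a PEM private key" >&2; return 3; }

    # When openssl is installed, also confirm both files parse and that the
    # key belongs to the certificate (same public key).
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
        key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 3
        [ "$cert_pub" = "$key_pub" ] ||
            { echo "certificate and key do not match" >&2; return 4; }
    fi

    # "@" makes curl send the file contents; without it the literal file name
    # is sent as the field value and Kong answers with a schema violation.
    ${CURL:-curl} -sS -X POST "$admin/certificates" \
        -F "cert=@$cert" -F "key=@$key" -F "snis[0]=$sni"
}

# Usage: upload_cert http://kong-admin:8001 kong.lan.pem kong.lan.key mydomain.net
```

The private key travels in the request body, so the admin URL should only be reachable over a trusted path.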