@svanellewee
Created February 1, 2021 07:56
TLS on ingress-nginx for great justice.
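# OpenSSL needs this.
# ingress-nginx needs the SAN info (CN-only certificates are deprecated for host matching).
# HOWEVER, when I create a CSR with all my SAN info and then sign it with my CA
# the new cert doesn't have the SAN info I specified!
# Cause: `openssl x509 -req` does not copy extensions out of the CSR. Pass this
# file again at signing time so the [ v3_ext ] section is stamped onto the cert:
#   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
#     -out server.crt -days 365 -extfile csr.conf -extensions v3_ext
# (-CAcreateserial gives every issued cert a distinct serial; reusing a fixed
# -set_serial under one CA violates RFC 5280 and confuses clients that cache
# by issuer+serial.)
# Based on this https://kubernetes.io/docs/concepts/cluster-administration/certificates/
# updated my hosts file to make the hosts file whatever the loadbalancer field in the ingress said it was.

[ req ]
default_bits = 2048
# prompt = no: the subject is taken verbatim from [ dn ]; nothing is asked interactively.
prompt = no
default_md = sha256
# Extensions written into the CSR itself (informational unless the signer copies them).
req_extensions = req_ext
distinguished_name = dn

[ dn ]
CN = foo.bar.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# Every hostname or address a client will put in the URL must appear here;
# TLS clients match the URL host against the SANs, not against CN.
DNS.1 = foo.bar.com
DNS.2 = http-svc.default.svc.cluster.local
IP.1 = 192.168.2.30
IP.2 = 192.168.2.31
IP.3 = 192.168.2.32

[ v3_ext ]
# Applied by `openssl x509 -req ... -extfile <this file> -extensions v3_ext`.
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
# digitalSignature is the usage a TLS server actually exercises with ECDHE key
# exchange (it signs the handshake); keyEncipherment only covers legacy RSA key
# transport, and dataEncipherment is unused by TLS but harmless. Without
# digitalSignature, strict validators reject the cert for modern cipher suites.
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
# Keep clientAuth only if this same certificate is also presented as a client
# certificate; a pure server certificate should carry serverAuth alone.
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names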
# List wrapper — looks like the output of a multi-resource `kubectl get ... -o yaml`
# (kind: List with empty resourceVersion/selfLink at the end); confirm.
# NOTE(review): such dumps include Secret objects with their data; check before publishing.
apiVersion: v1
items:
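# Ingress under test. Security-relevant state lives in three places: the
# auth-tls annotations (client-certificate verification), spec.tls (serving
# certificate secret) and the stale last-applied-configuration annotation.
# The same object is also recorded as networking.k8s.io/v1beta1 in managedFields;
# extensions/v1beta1 is a deprecated API group.
- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      # NOTE(review): the last-applied state still names secretName "tls-secret"
      # and carries no auth-tls annotations, while the live spec below uses
      # "my-certs" and requires client certificates (changed via kubectl edit,
      # per the extensions/v1beta1 managedFields entry). A later `kubectl apply`
      # of the old manifest would silently drop mTLS and revert the secret.
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"networking.k8s.io/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"nginx-test","namespace":"default"},"spec":{"rules":[{"host":"foo.bar.com","http":{"paths":[{"backend":{"serviceName":"http-svc","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["foo.bar.com"],"secretName":"tls-secret"}]}}
      # Client certificates are demanded and validated against ca.crt in the
      # referenced secret; requests without a valid client cert are rejected.
      nginx.ingress.kubernetes.io/auth-tls-secret: default/my-certs
      nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    creationTimestamp: "2021-02-01T05:18:13Z"
    generation: 6
    managedFields:
    - apiVersion: networking.k8s.io/v1beta1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:spec:
          f:rules: {}
      manager: kubectl
      operation: Update
      time: "2021-02-01T05:18:13Z"
    - apiVersion: networking.k8s.io/v1beta1
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
      manager: nginx-ingress-controller
      operation: Update
      time: "2021-02-01T05:18:50Z"
    - apiVersion: extensions/v1beta1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            f:nginx.ingress.kubernetes.io/auth-tls-secret: {}
            f:nginx.ingress.kubernetes.io/auth-tls-verify-client: {}
        f:spec:
          f:tls: {}
      manager: kubectl
      operation: Update
      time: "2021-02-01T07:41:17Z"
    name: nginx-test
    namespace: default
    resourceVersion: "103887"
    selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/nginx-test
    uid: 172708b4-91a6-437a-b1ed-578ecc2336e4
  spec:
    rules:
    - host: foo.bar.com
      http:
        paths:
        - backend:
            serviceName: http-svc
            servicePort: 80
          path: /
          pathType: ImplementationSpecific
    tls:
    - hosts:
      - foo.bar.com
      # NOTE(review): an IP literal as a TLS host is unusual — SNI carries DNS
      # names only and no rule matches this host, so this entry probably never
      # selects a certificate; confirm against the controller's generated config.
      - 192.168.2.32
      # Serving cert/key and the client CA share one secret (see my-certs below).
      secretName: my-certs
  status:
    loadBalancer:
      ingress:
      - ip: 192.168.2.32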
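# ClusterIP Service fronting the echo backend; the Ingress routes to port 80
# here, which forwards to containerPort 8080 on the http-svc pods.
- apiVersion: v1
  kind: Service
  metadata:
    creationTimestamp: "2021-02-01T05:10:14Z"
    labels:
      app: http-svc
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:app: {}
        f:spec:
          f:ports:
            .: {}
            k:{"port":80,"protocol":"TCP"}:
              .: {}
              f:name: {}
              f:port: {}
              f:protocol: {}
              f:targetPort: {}
          f:selector:
            .: {}
            f:app: {}
          f:sessionAffinity: {}
          f:type: {}
      manager: kubectl
      operation: Update
      time: "2021-02-01T05:10:14Z"
    name: http-svc
    namespace: default
    resourceVersion: "77860"
    selfLink: /api/v1/namespaces/default/services/http-svc
    uid: a0c756b8-8e25-4749-a9d9-71366175c8ca
  spec:
    clusterIP: 10.96.183.188
    ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
    selector:
      app: http-svc
    sessionAffinity: None
    # ClusterIP only: the backend is reachable solely through the ingress
    # controller (or from inside the cluster), which is where TLS terminates.
    type: ClusterIP
  status:
    loadBalancer: {}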
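# The default `kubernetes` Service (API server endpoint), included only because
# the dump covered the whole namespace; nothing here was changed by hand.
- apiVersion: v1
  kind: Service
  metadata:
    creationTimestamp: "2021-01-31T10:03:24Z"
    labels:
      component: apiserver
      provider: kubernetes
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:labels:
            .: {}
            f:component: {}
            f:provider: {}
        f:spec:
          f:clusterIP: {}
          f:ports:
            .: {}
            k:{"port":443,"protocol":"TCP"}:
              .: {}
              f:name: {}
              f:port: {}
              f:protocol: {}
              f:targetPort: {}
          f:sessionAffinity: {}
          f:type: {}
      manager: kube-apiserver
      operation: Update
      time: "2021-01-31T10:03:24Z"
    name: kubernetes
    namespace: default
    resourceVersion: "150"
    selfLink: /api/v1/namespaces/default/services/kubernetes
    uid: 303bd1b4-99ed-48d9-9cae-2f6db612fe7c
  spec:
    clusterIP: 10.96.0.1
    ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: 6443
    sessionAffinity: None
    type: ClusterIP
  status:
    loadBalancer: {}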
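# Echo-server backend Deployment (the upstream ingress-nginx http-svc example).
# It is a test fixture: no resource limits, no pod security context, image
# pinned by tag only — fine for a lab, not a template for production workloads.
- apiVersion: apps/v1
  kind: Deployment
  metadata:
    annotations:
      deployment.kubernetes.io/revision: "1"
    creationTimestamp: "2021-02-01T05:10:14Z"
    generation: 1
    managedFields:
    - apiVersion: apps/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:spec:
          f:progressDeadlineSeconds: {}
          f:replicas: {}
          f:revisionHistoryLimit: {}
          f:selector:
            f:matchLabels:
              .: {}
              f:app: {}
          f:strategy:
            f:rollingUpdate:
              .: {}
              f:maxSurge: {}
              f:maxUnavailable: {}
            f:type: {}
          f:template:
            f:metadata:
              f:labels:
                .: {}
                f:app: {}
            f:spec:
              f:containers:
                k:{"name":"http-svc"}:
                  .: {}
                  f:env:
                    .: {}
                    k:{"name":"NODE_NAME"}:
                      .: {}
                      f:name: {}
                      f:valueFrom:
                        .: {}
                        f:fieldRef:
                          .: {}
                          f:apiVersion: {}
                          f:fieldPath: {}
                    k:{"name":"POD_IP"}:
                      .: {}
                      f:name: {}
                      f:valueFrom:
                        .: {}
                        f:fieldRef:
                          .: {}
                          f:apiVersion: {}
                          f:fieldPath: {}
                    k:{"name":"POD_NAME"}:
                      .: {}
                      f:name: {}
                      f:valueFrom:
                        .: {}
                        f:fieldRef:
                          .: {}
                          f:apiVersion: {}
                          f:fieldPath: {}
                    k:{"name":"POD_NAMESPACE"}:
                      .: {}
                      f:name: {}
                      f:valueFrom:
                        .: {}
                        f:fieldRef:
                          .: {}
                          f:apiVersion: {}
                          f:fieldPath: {}
                  f:image: {}
                  f:imagePullPolicy: {}
                  f:name: {}
                  f:ports:
                    .: {}
                    k:{"containerPort":8080,"protocol":"TCP"}:
                      .: {}
                      f:containerPort: {}
                      f:protocol: {}
                  f:resources: {}
                  f:terminationMessagePath: {}
                  f:terminationMessagePolicy: {}
              f:dnsPolicy: {}
              f:restartPolicy: {}
              f:schedulerName: {}
              f:securityContext: {}
              f:terminationGracePeriodSeconds: {}
      manager: kubectl
      operation: Update
      time: "2021-02-01T05:10:14Z"
    - apiVersion: apps/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:deployment.kubernetes.io/revision: {}
        f:status:
          f:availableReplicas: {}
          f:conditions:
            .: {}
            k:{"type":"Available"}:
              .: {}
              f:lastTransitionTime: {}
              f:lastUpdateTime: {}
              f:message: {}
              f:reason: {}
              f:status: {}
              f:type: {}
            k:{"type":"Progressing"}:
              .: {}
              f:lastTransitionTime: {}
              f:lastUpdateTime: {}
              f:message: {}
              f:reason: {}
              f:status: {}
              f:type: {}
          f:observedGeneration: {}
          f:readyReplicas: {}
          f:replicas: {}
          f:updatedReplicas: {}
      manager: kube-controller-manager
      operation: Update
      time: "2021-02-01T05:10:16Z"
    name: http-svc
    namespace: default
    resourceVersion: "77887"
    selfLink: /apis/apps/v1/namespaces/default/deployments/http-svc
    uid: 56658dd4-e88f-426a-803b-933f457a5569
  spec:
    progressDeadlineSeconds: 600
    replicas: 1
    revisionHistoryLimit: 10
    selector:
      matchLabels:
        app: http-svc
    strategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
      type: RollingUpdate
    template:
      metadata:
        creationTimestamp: null
        labels:
          app: http-svc
      spec:
        containers:
        # The echo server reflects these downward-API values in its responses,
        # which is how the curl tests show which pod/node answered.
        - env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: POD_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          # Tag-pinned only; a digest reference would pin the exact image content.
          image: gcr.io/kubernetes-e2e-test-images/echoserver:2.1
          imagePullPolicy: IfNotPresent
          name: http-svc
          ports:
          - containerPort: 8080
            protocol: TCP
          # No requests/limits: the pod is unbounded on CPU and memory.
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        # Empty pod security context: runs with the image's defaults (no
        # runAsNonRoot, no seccomp profile); acceptable only for a throwaway backend.
        securityContext: {}
        terminationGracePeriodSeconds: 30
  status:
    availableReplicas: 1
    conditions:
    - lastTransitionTime: "2021-02-01T05:10:16Z"
      lastUpdateTime: "2021-02-01T05:10:16Z"
      message: Deployment has minimum availability.
      reason: MinimumReplicasAvailable
      status: "True"
      type: Available
    - lastTransitionTime: "2021-02-01T05:10:14Z"
      lastUpdateTime: "2021-02-01T05:10:16Z"
      message: ReplicaSet "http-svc-64f85bcc78" has successfully progressed.
      reason: NewReplicaSetAvailable
      status: "True"
      type: Progressing
    observedGeneration: 1
    readyReplicas: 1
    replicas: 1
    updatedReplicas: 1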
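# Auto-generated service-account token Secret for the `default` SA.
# NOTE(review): `token` is a bearer credential for the Kubernetes API (its value
# is redacted in this copy). Dumping Secrets with `-o yaml` into a public gist
# leaks it; if this secret was ever published, delete it so the controller
# issues a fresh token, and review the default SA's RBAC bindings.
- apiVersion: v1
  data:
    # Cluster CA certificate (base64 PEM) — public, safe to share.
    ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1ERXpNVEV3TURJMU9Wb1hEVE14TURFeU9URXdNREkxT1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTEtFCkYzWldBeGI3R1k1YmRaZHV5VFc0Q0svOHJFUzAzU2dtV3RVVzRGRTVGa2lseGxTaHgwK3hKQ1pUamc1djM0QnEKQnNiWjFaWm94SXNSSkpjSWZLN3M0aEV4cEZNd2xxMk1aOEJFdWpFazFTMVdZWWI2NXVJVTJrOVUzaUVnTDNTUwo4SjMvMHAzd21Mdm5MRXh3UWlLakxGVGdNZjBHS2FTV0ZNdGN2WEdBelJPNWdHeXR2bmtwaTZrQzZLLzFpaXJxCkRlTERIY1dlTDR6enByQjJ4Zk9YU2ZybEl5NUhsQ0JQUlZjVWoyZmFmVzBPMjJod0xHZmx4c0IxMFkzUnhvY2QKWVNsTzUxTlplWVJoMWhIcno2K2NIRUdwejlGMExrMFFYQTZkR2tjN1NCcEVPZjc4bHVlUlBPV0I0NHU4bm92bApIL1o4bmY3WmErZUN4WTI1Y2cwQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFKT0lZRnNmaTFxclVGNTJ0L3FEaVMwVXBBMG8KajJrTDJyRU9FU0xTdVB4WTdjbm1BYjFVem52YmZlNXl4TE9aZDZZeVBhRXZRQkxNN1JzaTNLUmIzVktSZGkrdQpzWWJyamNLczNWU1p6MUZDOHA3eVNabkhicDdic2VWTThNcStNaUhFS3JzOHRKcEszOHpoZ2R6TFo2RVFHUk42CllKa0xsMzA5SGNmOFNDK2NuTzUwN0tUWG8vL0w5MXZCV2xwem03OUNnMCtsbzRWNmxBZjlmNnM5engraWZaR0YKcHF6N1hBb3JhZEg3blVMakhwd1RtUU11TXYvdFhMcEIvSUUvRHdRTFlBMGFjUkNDNHFIMVFhZ2tvT3JqV01USgpyQVZXVmVwdmYvYll2bmRnc1A5SHk2d21NRzZudEhrbEhVQ2tLaDZkQ3p1T1Y0bFJEbkRHMEltMitQND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    namespace: ZGVmYXVsdA==
    # Bearer token — secret material.
    token: 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
  kind: Secret
  metadata:
    annotations:
      kubernetes.io/service-account.name: default
      kubernetes.io/service-account.uid: ee239987-755a-4b2e-9210-fced11e0cf14
    creationTimestamp: "2021-01-31T10:03:43Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
          f:namespace: {}
          f:token: {}
        f:metadata:
          f:annotations:
            .: {}
            f:kubernetes.io/service-account.name: {}
            f:kubernetes.io/service-account.uid: {}
        f:type: {}
      manager: kube-controller-manager
      operation: Update
      time: "2021-01-31T10:03:43Z"
    name: default-token-fgqpm
    namespace: default
    resourceVersion: "374"
    selfLink: /api/v1/namespaces/default/secrets/default-token-fgqpm
    uid: 10721fa7-b33f-4891-a1a0-5bfce139db7b
  type: kubernetes.io/service-account-token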
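# TLS material for the nginx-test Ingress, created with
# `kubectl create secret generic my-certs --from-file=tls.crt=... --from-file=tls.key=... --from-file=ca.crt=...`.
# It serves two roles: spec.tls.secretName (tls.crt/tls.key are the serving
# cert and private key) and auth-tls-secret (ca.crt is the trust anchor for
# client certificates). Values are redacted in this copy; tls.key is secret
# material and must never be published.
- apiVersion: v1
  data:
    ca.crt: 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
    tls.crt: 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
    tls.key: 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
  kind: Secret
  metadata:
    creationTimestamp: "2021-02-01T06:42:31Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
          f:tls.crt: {}
          f:tls.key: {}
        f:type: {}
      manager: kubectl
      operation: Update
      time: "2021-02-01T06:42:31Z"
    name: my-certs
    namespace: default
    resourceVersion: "93274"
    selfLink: /api/v1/namespaces/default/secrets/my-certs
    uid: 40b2ce65-27fa-4512-983b-550a7793eb21
  # Created as a generic secret rather than `kubectl create secret tls`, hence
  # Opaque instead of kubernetes.io/tls; the controller keys on the tls.crt/tls.key
  # entries, so this is presumed to work — confirm if the type is ever validated.
  type: Opaque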
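# Closing fields of the List wrapper emitted by kubectl; both values are
# intentionally empty for a client-assembled list.
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""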
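# ingress-nginx controller Service (Helm chart ingress-nginx-3.19.0, app 0.43.0).
# NOTE(review): the original text had a `---` between `apiVersion: v1` and
# `kind: Service`, splitting this object into two documents (the second one
# without apiVersion, so `kubectl apply` would reject it); merged here.
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/version":"0.43.0","helm.sh/chart":"ingress-nginx-3.19.0"},"name":"ingress-nginx-controller","namespace":"ingress-nginx"},"spec":{"ports":[{"name":"http","port":80,"protocol":"TCP","targetPort":"http"},{"name":"https","port":443,"protocol":"TCP","targetPort":"https"}],"selector":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/name":"ingress-nginx"},"type":"NodePort"}}
  creationTimestamp: "2021-01-31T11:54:45Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 0.43.0
    helm.sh/chart: ingress-nginx-3.19.0
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/instance: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/version: {}
          f:helm.sh/chart: {}
      f:spec:
        f:externalTrafficPolicy: {}
        f:ports:
          .: {}
          k:{"port":80,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
          k:{"port":443,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
        f:selector:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/instance: {}
          f:app.kubernetes.io/name: {}
        f:sessionAffinity: {}
        f:type: {}
    manager: kubectl
    operation: Update
    time: "2021-01-31T11:54:45Z"
  name: ingress-nginx-controller
  namespace: ingress-nginx
  resourceVersion: "17290"
  selfLink: /api/v1/namespaces/ingress-nginx/services/ingress-nginx-controller
  uid: d1fd8489-19a3-4ace-ab3a-b5f7e54d1247
spec:
  clusterIP: 10.106.34.219
  # Cluster: traffic arriving at any node is forwarded (and source-NATed) to a
  # controller pod, so nginx logs and any allow-listing see node IPs, not the
  # real client. Local would preserve the client IP at the cost of node affinity.
  externalTrafficPolicy: Cluster
  ports:
  # NodePorts 31631 (http) and 31449 (https) are what the curl tests in the
  # shell history hit on each worker IP.
  - name: http
    nodePort: 31631
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 31449
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  # NodePort exposes the controller on every node's address; the status
  # loadBalancer.ingress IP seen on the Ingress (192.168.2.32) is a node IP.
  type: NodePort
status:
  loadBalancer: {}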
# Shell history behind the gist, history numbers kept as recorded (this is a
# transcript, not a runnable script). Read towards the end for the working
# mTLS setup; the notes below mark the pitfalls hit along the way.
1 kubectl get po -A
2 docker ps
3 sudo docker ps
4 docker ps
5 sudo docker ps
6 kubectl get po -A
7 kubectl -v8 get po -A
8 cat /etc/hosts
9 ./shared/vagrant-scripts/setup-hosts
10 cat /etc/hosts
11 sudo ./shared/vagrant-scripts/setup-hosts
12 cat /etc/hosts
13 kubectl get po -A
14 docker ps
15 sudo docker ps
16 kubectl get po -A
17 kubectl get po -n kube-system
18 kubectl get po -n kube-system weave-net-65ck2
19 kubectl get po -n kube-system weave-net-65ck2 -o yaml
20 kubectl get po -n kube-system -lname=weave-net
21 kubectl get po -n kube-system -lname=weave-net | grep -v Running
22 kubectl get po -n kube-system -lname=weave-net | grep -v Running | tail -n +2
23 kubectl get po -n kube-system -lname=weave-net | grep -v Running | tail -n +2 |cut -d ' ' -f1 | xargs -I {} kubectl -n kube-system delete {}
24 kubectl get po -n kube-system -lname=weave-net | grep -v Running | tail -n +2 |cut -d ' ' -f1 | xargs -I {} kubectl -n kube-system delete po {}
25 kubectl get po -A
26 kubectl get po -A -o wide
27 kubectl get po -n kube-system -lname=weave-net | grep -v Running | tail -n +2 |cut -d ' ' -f1 | xargs -I {} kubectl -n kube-system delete po {}
28 kubectl get po -A -o wide
29 source <(kubectl completion bash)
30 kubectl get po -n kube-system weave-net-t4927 -o yaml
31 kubectl describe po -n kube-system weave-net-t4927
32 kubectl get po -A -o wide
33 kubectl -n kube-system drain worker-0
34 kubectl -n kube-system
35 kubectl get po -A -o wide
36 vim ~/.bashrc
37 kubectl get svc -n ingress-nginx
38 curl http://worker-0:31631
39 curl https://worker-0:31449
# -k disables server-certificate verification: a success with -k says nothing
# about the trust chain, which is why it is only useful for isolating problems.
40 curl -k https://worker-0:31449
41 kubectl get svc -n blog
42 kubectl get svc,epo -n blog
43 kubectl get svc,ep -n blog
44 kubectl get svc,ep,po -n blog -o wide
45 kubectl get svc,ep,po,ingress -n blog -o wide
46 kubectl delete ns blog
47 ls
48 rm *cert*
49 ls
50 rm *key*
51 ls
52 rm bla
53 ls -ahtlr ./shared/
54 ls -ahtlr ./shared/vagrant-scripts/
55 source ./shared/vagrant-scripts/new-ca
56 vim ./shared/vagrant-scripts/new-ca
57 new-ca hello-stephan.com server
58 ls
59 kubectl create secret tls tls-hello-stephan --key=server.key --cert=server.crt
60 kubectl get secrets tls-hello-stephan
61 kubectl get secrets tls-hello-stephan -o yaml
62 kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
63 kubectl get deployments.apps http-svc
64 kubectl get deploy,svc http-svc
65 kubectl delete -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
66 kubectl get po
67 kubectl delete po bla
# Self-signed certificate with a CN only and no subjectAltName: TLS clients
# match the URL host against SANs, not CN, so the verification attempts that
# follow keep failing until SANs are added (entry 160).
68 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
69 ls
70 kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
71 kubectl create secret tls tls-secret --key tls.key --cert tls.crt
72 kubectl get ingress
73 kubectl edit ingress meow-ingress
74 kubectl get -n ingress-nginx svc
75 curl -k https://worker-0:31449
76 curl -k https://worker-0:31631
77 curl -k http://worker-0:31631
78 curl http://worker-0:31631
79 curl -H "Host:meow.com" http://worker-0:31631
80 kubectl edit ingress meow-ingress
81 curl -H "Host: meow.com" http://worker-0:31631
82 curl -H "Host: meow.com" http://worker-0:31631/
83 kubectl get -n ingress-nginx svc
84 curl -H "Host: meow.com" http://worker-0:31631/
85 kubectl edit ingress meow-ingress
86 curl -H "Host: meow.com" http://worker-0:31631/
87 curl -H "Host: meow.com" http://worker-0:31631
88 source <(kubectl completion bash)
89 curl -H "Host: meow.com" http://worker-0:31631
90 kubectl get svc
91 kubectl edit ingress meow-ingress
92 curl -H "Host: meow.com" http://worker-0:31631
93 kubectl edit ingress meow-ingress
94 curl -H "Host: meow.com" http://worker-0:31631
95 curl http://worker-0:31631
96 curl http://worker-0:31631 -k
97 curl http://worker-0:31631
98 kubectl get po
99 kubectl logs http-svc-64f85bcc78-p9s6t
100 kubectl logs http-svc-64f85bcc78-p9s6t
101 kubectl logs http-svc-64f85bcc78-p9s6t -f
102 kubectl delete po bla
103 kubectl delete -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
104 kubectl get po
105 kubectl get po -w
106 kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
107 kubectl get po -w
108 kubectl get po,ep,svc -w
109 kubectl get po,ep,svc
110 curl http://worker-0:31631
111 kubectl run bla --image=tutum/dnsutils -- sh
112 kubectl exec bla -it -- sh
113 kubectl get po
114 kubectl run bla2 --image=alpine -- sh
115 kubectl exec bla2 -it -- sh
116 kubectl get po
117 kubectl delete po bla2
118 kubectl run -it bla2 --image=alpine -- sh
119 kubectl get po
120 kubectl delete po bla
121 kubectl run -it bla --image=tutum/dnsutils -- sh
122 kubectl exec bla2 -it -- sh
123 kubectl get svc
124 curl http://worker-0:31631
125 curl http://worker-0:31631 /
126 curl http://worker-0:31631/
127 curl http://worker-0:31631/ -k
128 curl -H"Host: foo.bar.com" http://worker-0:31631/
129 curl -H"Host: foo.bar.com" http://worker-0:31631/ -k
130 curl -H"Host: foo.bar.com" http://worker-0:31631/ -l
131 curl -H"Host: foo.bar.com" http://worker-0:31631/ -L
132 dig
133 cat /etc/hosts
134 curl -H"Host: foo.bar.com" http://192.168.2.30:31631/ -L
135 curl -H"Host: foo.bar.com" http://192.168.2.30:31631/
136 curl -H"Host: foo.bar.com" http://192.168.2.31:31631/
137 curl -H"Host: foo.bar.com" http://192.168.2.32:31631/
138 kubectl get secrets
139 #openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc
140 rm *key *crt
141 ls
142 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc
143 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
144 kubectl create secret tls tls-secret --key tls.key --cert tls.crt
145 kubectl delete secrets my-certs
146 kubectl delete secrets tls-hello-stephan
147 kubectl delete secrets tls-secret
148 kubectl create secret tls tls-secret --key tls.key --cert tls.crt
149 curl -H"Host: foo.bar.com" http://192.168.2.32:31631/
150 echo 'curl -H"Host: foo.bar.com" http://192.168.2.32:31631/ ' > do-http
151 curl -H"Host: foo.bar.com" http://192.168.2.32:31449
152 echo 'curl -H"Host: foo.bar.com" http://192.168.2.32:31631/ ' > do-http
153 curl -H"Host: foo.bar.com" http://192.168.2.32:31449
154 curl -H"Host: foo.bar.com" http://192.168.2.32:31449 --key tls.key --cert tls.cert
155 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=nginxsvc"
156 kubectl delete secrets tls-secret
157 ls -ahtlr
158 kubectl create secret tls tls-secret --key tls.key --cert tls.crt
159 curl -H"Host: foo.bar.com" http://192.168.2.32:31449 --key tls.key --cert tls.cert
# -addext puts the SANs straight into the certificate; it works here because
# `req -x509` issues the certificate itself (no separate signing step).
160 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=nginxsvc" -addext "subjectAltName=DNS:foo.bar.com,DNS:http-svc.default.svc.cluster.local"
161 openssl x509 -in tls.crt -noout -text
162 kubectl create secret tls tls-secret --key tls.key --cert tls.crt
163 kubectl delete secrets tls-secret
164 kubectl create secret tls tls-secret --key tls.key --cert tls.crt
165 curl -H"Host: foo.bar.com" http://192.168.2.32:31449 --key tls.key --cert tls.cert
166 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --key tls.key --cert tls.cert
167 curl -H"Host: foo.bar.com" https://192.168.2.32:31449
168 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 -k
169 man curl
# curl verifies the certificate against the host in the URL (here an IP), not
# against the Host header, so --cacert only helps once the IP is a SAN (entry 192).
170 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cacert tls.crt
171 openssl s_client -connect 192.168.2.32:31449
172 curl --resolve foo.bar.com:192.168.2.32:31449 https://foo.bar.com/
173 curl --resolve foo.bar.com:192.168.2.32:31449 https://foo.bar.com -k
174 curl --resolve foo.bar.com:192.168.2.32 https://192.168.2.32:31449
175 curl --resolve foo.bar.com:192.168.2.32 https://192.168.2.32:31449 -k
176 curl --resolve foo.bar.com:192.168.2.32 https://192.168.2.32:31449/ -k
177 curl --resolve foo.bar.com:443:192.168.2.32 https://192.168.2.32:31449/ -k
178 curl --resolve foo.bar.com:192.168.2.32 https://192.168.2.32:31449/ -k
179 curl --resolve foo.bar.com:443:192.168.2.32 https://192.168.2.32:31449/ -k
180 curl -vvv --resolve foo.bar.com:443:192.168.2.32 https://192.168.2.32:31449/ -k
181 curl -vvv --resolve foo.bar.com:443:192.168.2.32 https://192.168.2.32:31449 -k
182 curl -vvv --resolve foo.bar.com:192.168.2.32 https://192.168.2.32:31449 -k
183 kubectl get ingress -A
184 openssl s_client -connect 192.168.2.32:31449 -showcerts
185 kubectl edit ingress meow-ingress
186 kubectl edit ingress nginx-test
187 openssl x509 -in tls.crt -noout -text
188 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cacert tls.crt
189 curl -H"Host: foo.bar.com" https://192.168.2.32:31449
190 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 -l
191 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 -k
# Adds the node IPs as IP SANs so verification by address can succeed.
192 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=nginxsvc" -addext "subjectAltName=DNS:foo.bar.com,DNS:http-svc.default.svc.cluster.local,IP:192.168.2.32,IP:192.168.2.30,IP:192.168.2.31"
193 openssl x509 -in tls.crt -noout -text
194 kubectl delete secrets tls-secret
195 kubectl create secret tls tls-secret --key tls.key --cert tls.crt
196 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 -k
197 curl -H"Host: foo.bar.com" https://192.168.2.32:31449
198 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cert tls.crt
199 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cert tls.crt --key tls.key
200 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cert tls.crt --key tls.key --cacert tls.crt
201 openssl s_client -connect 192.168.2.32:31449 -showcerts
202 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cert tls.crt --key tls.key --cacert tls.crt -k
203 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cert tls.crt --key tls.key --cacert tls.crt
204 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cert tls.crt --key tls.key --cacert tls.crt -k
205 ls
206 rm tls*
207 kubectl delete secrets tls-secret
# Private CA. -nodes leaves the CA key unencrypted on disk; fine for a lab,
# but a CA key should otherwise be passphrase-protected or kept offline.
# -days 356 looks like a typo for 365.
208 openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=Fern Cert Authority'
209 openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj "/CN=foo.bar.com/O=nginxsvc" -addext "subjectAltName=DNS:foo.bar.com,DNS:http-svc.default.svc.cluster.local,IP:192.168.2.32,IP:192.168.2.30,IP:192.168.2.31"
210 openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj "/CN=foo.bar.com/O=nginxsvc" -addext "subjectAltName=DNS:foo.bar.com,DNS:http-svc.default.svc.cluster.local,IP:192.168.2.32,IP:192.168.2.30,IP:192.168.2.31"
211 ls
212 ls -ahtlr
# `openssl x509 -req` does not copy extensions from the CSR: these certs come
# out without SANs (checked at 219/235). -set_serial 01 is also reused for
# every re-signing below (231, 234, 236); serials must be unique per CA
# (RFC 5280), which -CAcreateserial at entry 284 takes care of.
213 openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
214 openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
215 kubectl create secret generic my-certs --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
216 kubectl edit ingress nginx-test
217 kubectl delete secrets my-certs
218 kubectl create secret generic my-certs --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
219 openssl x509 -in server.crt -noout -text
220 ls
221 rm *crt *key
222 ls
223 rm *csr
224 openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=Fern Cert Authority'
225 openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj "/CN=foo.bar.com/O=nginxsvc" -addext "subjectAltName=DNS:foo.bar.com,DNS:http-svc.default.svc.cluster.local,IP:192.168.2.32,IP:192.168.2.30,IP:192.168.2.31"
226 openssl req -in server.csr -noout -text
# -addext is a `req` option, not an `x509 -req` option, so 227/229 fail (the
# pasted command was also split across two history entries). Entry 236 names
# an extensions section (SAN) without -extfile, so no section is found.
227 openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -addext "subjectAltName=DNS:foo.bar.com,DNS:http-svc.default.svc.cl
228 uster.local,IP:192.168.2.32,IP:192.168.2.30,IP:192.168.2.31"
229 openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt #-addext "subjectAltName=DNS:foo.bar.com,DNS:http-svc.default.svc.cl
230 uster.local,IP:192.168.2.32,IP:192.168.2.30,IP:192.168.2.31"
231 openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
232 ls
233 rm server.crt
234 openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
235 openssl x509 -in server.crt -noout -text
236 openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -extensions SAN
237 openssl x509 -in server.crt -noout -text
238 cfssl
239 sudo apt update && sudo apt install cfssl
# Release binaries downloaded and made executable without checking a published
# checksum or signature; verify before running anything fetched this way
# outside a disposable VM.
240 curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o cfssl
241 { curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o cfssl; chmod +x cfssl; curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o cfssljson; chmod +x cfssljson; curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64 -o cfssl-certinfo; chmod +x cfssl-certinf; }
242 { curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o cfssl; chmod +x cfssl; curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o cfssljson; chmod +x cfssljson; curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64 -o cfssl-certinfo; chmod +x cfssl-certinfo; }
# Template from the Kubernetes certificates documentation; the <...> placeholders
# were edited afterwards (274-278) into the csr.conf shown at the top of the gist.
243 cat <<"EOF" > csr.conf
244 [ req ]
245 default_bits = 2048
246 prompt = no
247 default_md = sha256
248 req_extensions = req_ext
249 distinguished_name = dn
250 [ dn ]
251 C = <country>
252 ST = <state>
253 L = <city>
254 O = <organization>
255 OU = <organization unit>
256 CN = <MASTER_IP>
257 [ req_ext ]
258 subjectAltName = @alt_names
259 [ alt_names ]
260 DNS.1 = kubernetes
261 DNS.2 = kubernetes.default
262 DNS.3 = kubernetes.default.svc
263 DNS.4 = kubernetes.default.svc.cluster
264 DNS.5 = kubernetes.default.svc.cluster.local
265 IP.1 = <MASTER_IP>
266 IP.2 = <MASTER_CLUSTER_IP>
267 [ v3_ext ]
268 authorityKeyIdentifier=keyid,issuer:always
269 basicConstraints=CA:FALSE
270 keyUsage=keyEncipherment,dataEncipherment
271 extendedKeyUsage=serverAuth,clientAuth
272 subjectAltName=@alt_names
273 EOF
274 vim csr.conf
275 kubectl edit ingress nginx-test
276 vim csr.conf
277 cat /etc/hosts
278 vim csr.conf
279 ls
280 rm server.*
281 ls
282 openssl genrsa -out server.key 2048
283 openssl req -new -key server.key -out server.csr -config csr.conf
# The fix: -extfile csr.conf -extensions v3_ext applies the [ v3_ext ] section
# (SANs, keyUsage, EKU) at signing time. -days 10000 is roughly 27 years for a
# server certificate; a short lifetime limits the damage from a leaked key.
284 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
285 openssl x509 -in server.crt -noout -text
286 kubectl delete secrets my-certs
# One secret carries the serving cert/key (tls.crt/tls.key) and the client
# trust anchor (ca.crt, consumed via the auth-tls-secret annotation).
287 kubectl create secret generic my-certs --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
288 kubectl delete secrets my-certs
289 kubectl create secret generic my-certs --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
# Entries 290-327 present the *server* certificate as the client certificate;
# it is accepted only because it chains to the same CA and carries clientAuth.
290 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cert tls.crt --key tls.key --cacert tls.crt -k
291 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cert tls.crt --key tls.key --cacert tls.crt
292 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 #--cert tls.crt --key tls.key --cacert tls.crt
293 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 -k #--cert tls.crt --key tls.key --cacert tls.crt
294 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cacert ca.crt #--cert tls.crt --key tls.key --cacert tls.crt
295 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cacert ca.crt -k #--cert tls.crt --key tls.key --cacert tls.crt
296 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cacert ca.crt --cert server.crt --key server.key #--cert tls.crt --key tls.key --cacert tls.crt
297 curl -H"Host: foo.bar.com" https://192.168.2.32:31449 --cacert ca.crt --cert server.crt --key server.key
298 kubectl edit ingress nginx-test
299 kubectl edit secrets my-certs
300 openssl s_client -connect 192.168.2.32:31449 -showcerts
301 curl -vvv -H"Host: foo.bar.com" https://192.168.2.32:31449 --cacert ca.crt --cert server.crt --key server.key
# Mapping foo.bar.com to a node IP in /etc/hosts lets curl send the real
# hostname as SNI, which is how ingress-nginx picks the server block and cert.
302 sudo vim /etc/hosts
303 curl https://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key
304 curl https://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key -k
305 curl http://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key -k
306 kubectl edit ingress nginx-test
307 curl http://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key -k
308 curl https://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key -k
309 curl https://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key
310 curl https://192.168.2.30:31449 --cacert ca.crt --cert server.crt --key server.key
311 cat /etc/hosts
312 curl https://192.168.2.31:31449 --cacert ca.crt --cert server.crt --key server.key
313 curl https://192.168.2.31:31449 --cacert ca.crt --cert server.crt --key server.key -k
314 curl https://192.168.2.30:31449 --cacert ca.crt --cert server.crt --key server.key -k
315 kubectl edit ingress nginx-test
316 curl https://192.168.2.32:31449 --cacert ca.crt --cert server.crt --key server.key -k
317 curl https://192.168.2.32:31449 --cacert ca.crt --cert server.crt --key server.key
318 sudo vim /etc/hosts
319 curl https://192.168.2.32:31449 --cacert ca.crt --cert server.crt --key server.key
320 curl https://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key -k
321 curl https://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key
322 openssl s_client -connect foo.bar.com:31449 #--cacert ca.crt --cert server.crt --key server.key
323 curl https://foo.bar.com:31449 --cacert ca.crt --cert server.crt --key server.key
324 curl https://foo.bar.com:31449 --cacert ca.crt #--cert server.crt --key server.key
325 curl https://foo.bar.com:31449 # --cacert ca.crt #--cert server.crt --key server.key
326 curl -k https://foo.bar.com:31449 # --cacert ca.crt #--cert server.crt --key server.key
327 curl -k https://foo.bar.com:31449 --cert server.crt --key server.key
328 openssl x509 -in server.crt -noout -text
# Offline chain checks: 329 is the one that matters (server cert chains to the
# CA); 331 verifies server.crt against itself and is expected to fail since
# it is not a CA.
329 openssl verify -CAfile ca.crt server.crt
330 openssl verify -CAfile ca.crt ca.crt
331 openssl verify -CAfile server.crt server.crt
332 kubectl get secrets my-certs -o yaml
333 kubectl get secrets my-certs -o jsonpath="{.data['ca\.crt']}
334 kubectl get secrets my-certs -o jsonpath="{.data['ca\.crt']}"
# Pull the stored certificates back out of the secret to confirm the cluster
# holds the same material as the local files.
335 kubectl get secrets my-certs -o jsonpath="{.data['ca\.crt']}" | base64 -d
336 kubectl get secrets my-certs -o jsonpath="{.data['tls\.crt']}" | base64 -d | openssl x509 -in - -noout -text
337 kubectl get secrets my-certs -o jsonpath="{.data['ca\.crt']}" | base64 -d | openssl x509 -in - -noout -text
338 kubectl edit ingress nginx-test
# Dedicated client identity (CN=Fern) signed by the same CA; this is what
# auth-tls-verify-client: "on" validates against ca.crt in default/my-certs.
# Note it reuses -set_serial 02 and has no SAN, which is fine for a client cert.
339 openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Fern'
340 openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
# Working shape: --cacert ca.crt verifies the server, --cert/--key present the
# client certificate. The Host-header variants (344-349) differ only in what
# curl verifies the server cert against (the URL host), hence the hostname in
# the URL is the robust form.
341 curl -k https://foo.bar.com:31449 --cert client.crt --key client.key
342 curl https://foo.bar.com:31449 --cert client.crt --key client.key
343 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
344 curl https://worker-0:31449 --cert client.crt --key client.key --cacert ca.crt
345 curl -H "Host: foo.bar.com" https://worker-0:31449 --cert client.crt --key client.key --cacert ca.crt
346 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
347 curl -H "Host: foo.bar.com" https://worker-2:31449 --cert client.crt --key client.key --cacert ca.crt
348 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
349 curl -H "Host: foo.bar.com" https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt
350 curl -H "Host: foo.bar.com" https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt -k
351 curl -H "Host: foo.bar.com" https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt
352 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
353 curl --resolve foo.bar.com:192.158.2.32 https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt
354 curl --resolve foo.bar.com:192.168.2.32 https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt
355 curl --resolve foo.bar.com:31449:192.168.2.32 https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt
356 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
357 curl -H "Host: foo.bar.com" https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt
358 curl -H "Host: foo.bar.com" https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt -k
359 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
360 kubectl edit ingress nginx-test
361 curl -H "Host: foo.bar.com" https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt -k
362 curl https://192.168.2.32:31449 --cert client.crt --key client.key --cacert ca.crt -k
363 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
364 cat /etc/hosts
365 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
366 cat csr.conf
367 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
368 curl https://foo.bar.com:31449 --cacert ca.crt
369 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
370 kubectl edit ingress nginx-test
371 curl https://foo.bar.com:31449 --cert client.crt --key client.key --cacert ca.crt
372 curl https://foo.bar.com:31449 --cacert ca.crt
373 kubectl edit ingress nginx-test
374 curl https://foo.bar.com:31449 --cacert ca.crt
375 curl https://foo.bar.com:31449 # --cacert ca.crt
376 curl https://foo.bar.com:31449 --cacert ca.crt
377 curl https://192.168.2.32:31449 --cacert ca.crt
378 curl https://foo.bar.com:31449 --cacert ca.crt
379 curl https://foo.bar.com:31449 --cacert ca.crt --cert client.crt
380 curl https://foo.bar.com:31449 --cacert ca.crt --cert client.crt --key client.key
381 history
382 history > ./shared/tls-hackathon
@svanellewee
Author

For some reason, setting the Host header does not do the same thing as adding a hosts-file entry:
This fails:

curl -vvv -H "Host: foo.bar.com"     https://192.168.2.32:31449 --cacert ca.crt --cert client.crt --key client.key  

This works

  curl -vvv     https://foo.bar.com:31449   --cacert ca.crt  --cert client.crt --key client.key 

@svanellewee
Author

I have a reason for this: SNI! https://en.wikipedia.org/wiki/Server_Name_Indication
With SNI, the server name sent during the TLS handshake decides which certificate the server presents.

So SNI happens first, and only then is the certificate to use determined. That's why the first command is served the default "Fake" ingress-nginx cert: the handshake started without a server name that matches the ingress, and since that fallback cert is not signed by the CA passed via --cacert, verification fails.

Adding the hostname to my hosts file makes curl send the right SNI name.

Another way to do the above (without modifying the hosts file) is:

curl   --resolve foo.bar.com:31449:192.168.2.32     https://foo.bar.com:31449 --cacert ca.crt --cert client.crt --key client.key  

Note that the HTTPS port is then the non-standard 31449.

@svanellewee
Author

https://stackoverflow.com/questions/50279275/curl-how-to-specify-target-hostname-for-https-request says:

Indeed, SNI in TLS does not work like that. SNI, like everything related to TLS, happens before any HTTP traffic, hence the Host header is not taken into account at that step (but it will be useful later on for the web server to know which host you are connecting to).

@svanellewee
Author

vagrant@controller-0:~$ curl   --resolve foo.bar.com:31449:192.168.2.32     https://foo.bar.com:31449 --cacert ca.crt --cert client.crt --key client.key  


Hostname: http-svc-64f85bcc78-bvj2x

Pod Information:
        node name:      worker-1
        pod name:       http-svc-64f85bcc78-bvj2x
        pod namespace:  default
        pod IP: 10.42.0.1

Server values:
        server_version=nginx: 1.12.2 - lua: 10010

Request Information:
        client_address=10.47.0.1
        method=GET
        real path=/
        query=
        request_version=1.1
        request_scheme=http
        request_uri=http://foo.bar.com:8080/

Request Headers:
        accept=*/*
        host=foo.bar.com:31449
        ssl-client-issuer-dn=CN=Fern Cert Authority
        ssl-client-subject-dn=CN=Fern
        ssl-client-verify=SUCCESS
        user-agent=curl/7.64.0
        x-forwarded-for=10.47.0.0
        x-forwarded-host=foo.bar.com:31449
        x-forwarded-port=443
        x-forwarded-proto=https
        x-real-ip=10.47.0.0
        x-request-id=ac7f3b346a9f3641ecef2039d1f47051
        x-scheme=https

Request Body:
        -no body in request-

@svanellewee
Author

Also, be skeptical of the default value of auth-tls-verify-client. For some reason mine was "on" by default, not "off".
