ssl - openssl 给 Kubernetes Ingress Controller 假证书

问题描述

我已经配置了 ssl 证书，如果我访问https://<domain>.com，我看到我的证书配置成功但是当我尝试通过以下命令检查证书时

openssl s_client -connect <domain>.com:443 | openssl x509 -noout -subject -issuer

我正进入（状态Kubernetes Ingress Controller Fake Certificate

我的 ingres 配置是：

  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/from-to-www-redirect: 'true'
  name: nginx-echo
spec:
  tls:
    - hosts:
      - domain.com
      secretName: domain.com
  rules:
    - host: domain.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
                name: website-lorem
                port:
                    number: 80

with 命令给出相同的假证书： openssl s_client -connect <domain>.com:443 -servername <domain> | openssl x509 -noout -subject -issuer

日志：

 6 flags.go:205] Watching for Ingress class: nginx
W1029 22:02:36.331841       6 flags.go:210] Ingresses with an empty class will also be processed by this Ingress controllernginx
W1029 22:02:36.332409       6 flags.go:252] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
W1029 22:02:36.332525       6 client_config.go:552] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1029 22:02:36.332855       6 main.go:231] Creating API client for https://<ip>:443
I1029 22:02:36.342532       6 main.go:275] Running in Kubernetes cluster version v1.19 (v1.19.2) - git (clean) commit f57430*** - platform linux/amd64
I1029 22:02:36.470142       6 main.go:105] SSL fake certificate created /etc/ingress-controller/ssl/default-fake-certificate.pem
I1029 22:02:36.472357       6 main.go:113] Enabling new Ingress features available since Kubernetes v1.18
W1029 22:02:36.476751       6 main.go:125] No IngressClass resource with name nginx found. Only annotation will be used.
I1029 22:02:36.485119       6 ssl.go:528] loading tls certificate from certificate path /usr/local/certificates/cert and key path /usr/local/certificates/key
I1029 22:02:36.544518       6 nginx.go:263] Starting NGINX Ingress controller

标签： sslopenglkuberneteskubernetes-ingress