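I had previously registered a fringe domain through Freenom, so this time I set up a homelab domain and pointed its A record at my static IP.
On the router, port forwarding for 80/443 also has to be configured, mapped to the LoadBalancer IP I created yesterday.
After that, the site can be opened in a browser.
Next, use cfssl to handle the self-signed certificate.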
```bash
# Install the cfssl and cfssljson binaries
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
sudo mv cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson
sudo chmod +x /usr/local/bin/cfssljson
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
sudo mv cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
sudo chmod +x /usr/local/bin/cfssl

# Signing policy: one "Homelab" profile, certificates valid for one year
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "Homelab": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
EOF

# CSR for the root CA
cat > ca-csr.json << EOF
{
  "CN": "Homelab Root CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "TW",
      "L": "Taipei",
      "O": "Homelab",
      "OU": "Homelab Root CA",
      "ST": "Xizhi"
    }
  ]
}
EOF

# Generate the root CA: writes ca.pem, ca-key.pem and ca.csr
cfssl gencert --initca ca-csr.json | cfssljson -bare ca

# CSR for the server certificate; "hosts" becomes the SAN list
cat > homelab-csr.json << EOF
{
  "CN": "homelab.gurubear.cf",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "TW",
      "L": "Taipei",
      "O": "Homelab",
      "OU": "Homelab CA",
      "ST": "Xizhi"
    }
  ],
  "hosts": [
    "homelab.gurubear.cf"
  ]
}
EOF

# Sign the server certificate with the root CA: writes homelab.pem and homelab-key.pem
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile=Homelab homelab-csr.json | cfssljson -bare homelab
```
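A pre-flight check for the files generated above, before they are loaded into the TLS secret. This is an added example, not part of the original post: `check_leaf` is a hypothetical helper name, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on the cfssl
# output before it is loaded into the Kubernetes TLS secret.
# Usage:  check_leaf CA_CERT LEAF_CERT LEAF_KEY HOSTNAME
#   e.g.  check_leaf ca.pem homelab.pem homelab-key.pem homelab.gurubear.cf
# check_leaf is a hypothetical helper name; requires the openssl CLI.
check_leaf() {
    ca=$1; leaf=$2; key=$3; host=$4; rc=0

    # 1. The leaf must chain to the root CA that clients will later trust.
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "FAIL: $leaf does not verify against $ca" >&2; rc=1
    fi

    # 2. Browsers match the hostname against SAN DNS entries ("hosts" in the
    #    CSR JSON), so require a DNS SAN and a match for the ingress host.
    if ! openssl x509 -in "$leaf" -noout -text 2>/dev/null | grep -q 'DNS:' ||
       ! openssl x509 -in "$leaf" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $leaf has no SAN entry covering $host" >&2; rc=1
    fi

    # 3. The certificate must still be valid 24 hours from now.
    if ! openssl x509 -in "$leaf" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "FAIL: $leaf is expired or expires within a day" >&2; rc=1
    fi

    # 4. The private key must belong to the leaf: compare both public keys.
    #    This also catches passing ca-key.pem by mistake.
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $leaf" >&2; rc=1
    fi

    return "$rc"
}
```

The function returns 0 only when all four checks pass, so it can gate the `kubectl create secret tls` step.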
```bash
kubectl create secret tls gurubear-tls --cert=homelab.pem --key=homelab-key.pem -n ithomelab
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: ithomelab-ing
  namespace: ithomelab
spec:
  rules:
  - host: homelab.gurubear.cf
    http:
      paths:
      - backend:
          service:
            name: ithomelab-react-deployment
            port:
              number: 80
        path: /
        pathType: Prefix
      - backend:
          service:
            name: ithomelab-api-deployment
            port:
              number: 80
        path: /API
        pathType: Prefix
  tls:
  - hosts:
    - homelab.gurubear.cf
    secretName: gurubear-tls
```
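The browser still shows the site as not secure, because it does not recognize this root CA.
So we need a way to make the machine trust this self-signed CA.
On Ubuntu this is done with update-ca-certificates; Chromium has to be handled through its UI or a command.
On Windows, double-click the CA and place it in the Trusted Root Certification Authorities store......
Open the browser again and it now shows the site as secure on this computer.
I had originally planned to write about cert-manager, but because some problems with the domain could not be sorted out, I decided to use a self-signed certificate as a stopgap for now. I may take another run at it in a later chapter.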