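iT邦幫忙 (iT Help)

2021 iThome Ironman Contest

DAY 16
Self-Challenge Group

HomeLab in 30 Days: Tinkering, Fiddling and Messing Around. Series, Part 16

Day 16: Domain & Self-Signed Certificate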


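Main text

Some time ago I registered an obscure domain through Freenom. This time I set up a homelab domain on it and pointed its A record at my static IP.

On the router, port forwarding for 80/443 also has to be configured so that it maps to the LoadBalancer IP I set up yesterday.

After that, the site can be opened in a browser.

Next, use cfssl to create the self-signed certificate.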

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
sudo mv cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssljson

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
sudo mv cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
chmod +x /usr/local/bin/cfssl
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "Homelab": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  } 
}
EOF

cat > ca-csr.json << EOF
{
    "CN": "Homelab Root CA",
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
    {
      "C": "TW",
      "L": "Taipei",
      "O": "Homelab",
      "OU": "Homelab Root CA",
      "ST": "Xizhi"
    }
   ]
}
EOF

cfssl gencert --initca ca-csr.json | cfssljson -bare ca

cat > homelab-csr.json << EOF
{
    "CN": "homelab.gurubear.cf",
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
    {
      "C": "TW",
      "L": "Taipei",
      "O": "Homelab",
      "OU": "Homelab CA",
      "ST": "Xizhi"
    }
    ],
    "hosts": [
      "homelab.gurubear.cf"
    ]
  }
EOF

cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile=Homelab homelab-csr.json | cfssljson -bare homelab

kubectl create secret tls gurubear-tls --cert=homelab.pem --key=homelab-key.pem -n ithomelab

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: ithomelab-ing
  namespace: ithomelab
spec:
  rules:
    - host: homelab.gurubear.cf
      http:
        paths:
          - backend:
              service:
                name: ithomelab-react-deployment
                port:
                  number: 80
            path: /
            pathType: Prefix
          - backend:
              service:
                name: ithomelab-api-deployment
                port:
                  number: 80
            path: /API
            pathType: Prefix

  tls:
    - hosts:
      - homelab.gurubear.cf
      secretName: gurubear-tls
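
Before the `kubectl create secret tls` step above, the cfssl output can be checked so that a broken chain, a missing SAN or a mismatched key is caught before it reaches the Ingress. This is an added example, not part of the original post; the helper name check_tls_pair is hypothetical, and it assumes OpenSSL 1.1.1 or newer and the file names used above.

```shell
# Added example (not from the original post): pre-flight checks on cfssl output.
# check_tls_pair is a hypothetical helper; requires OpenSSL 1.1.1+ for `-ext`.
# Usage: check_tls_pair ca.pem homelab.pem homelab-key.pem homelab.gurubear.cf
check_tls_pair() {
  local ca="$1" cert="$2" key="$3" host="$4" rc=0 cert_pub key_pub

  # 1. The leaf must chain to the homelab root CA and be usable as a TLS server cert.
  openssl verify -purpose sslserver -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca for server auth"; rc=1; }

  # 2. Browsers match the hostname against subjectAltName (the "hosts" list in
  #    the CSR JSON), not the CN. Exact match only; wildcards are not handled.
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$host" \
    || { echo "FAIL: $host is not listed in the SANs of $cert"; rc=1; }

  # 3. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
  { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } \
    || { echo "FAIL: $key is not the private key for $cert"; rc=1; }

  # 4. The profile issues for 8760h; flag a certificate with under 30 days left.
  openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1 \
    || { echo "FAIL: $cert expires within 30 days"; rc=1; }

  return "$rc"
}
```

Only homelab.pem and homelab-key.pem go into the Kubernetes secret; ca-key.pem is needed only for signing and does not have to leave the machine where the CA was created.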

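The browser still shows the site as not secure, because it does not recognize this root CA.

So the next step is to get this self-signed CA trusted.

On Ubuntu this is done with update-ca-certificates, while Chromium has to be handled through its UI or a command.
On Windows, double-click the CA and place it in the Trusted Root Certification Authorities store......

Open the browser again and this computer's browser now shows the site as secure.

Chit-chat

I had originally planned to write about cert-manager, but because some problems with the domain could not be sorted out, I decided to make do with a self-signed certificate for now. I may take on that challenge again in a later chapter.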

