(Kubernetes) - Creating a TLS/SSL secret

🍳 Preface

This post explains how to create a TLS/SSL Secret object on k8s. Parts wrapped in {} must be filled in by you. TLS is the security protocol that communicates using certificates; it was formerly known as SSL.


📕 Prerequisites

📔 Install OpenSSL

Unless you go through a private CA, this is one of the main ways to get a certificate for free. Install it for your OS and you can generate TLS or SSL files with the openssl command.


📕 Creation

📔 tls.crt, tls.key

The following command creates them as plain files wherever you want.

 

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com"

If the two files tls.crt and tls.key were created, it worked.

 

The command breaks down as follows.

Certificates are base64 encoded by default, so the x509 option is used.

The expiry is set to one year with the days option.

It generates 2048-bit RSA key material and writes it out to the two files.

The fields asked for at creation are only for testing, so the subj option supplies example values.
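As an added example that is not part of the original post, the following shell script wraps the openssl command above and then checks the result the way you would before loading it into a cluster: it reads the CN back out of the certificate, confirms that tls.key and tls.crt carry the same public key, and confirms that the days value was honoured. It assumes an openssl binary on PATH; the CN, output directory and day count are arguments, and the name foo.bar.com is the one used in the post.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes an openssl binary on PATH;
# everything else is constructed here.

# Generate a self-signed certificate and unencrypted key for CN $1, valid for
# $2 days, as $3/tls.key and $3/tls.crt (the same flags the post uses).
gen_self_signed() {
  openssl req -x509 -nodes -days "$2" -newkey rsa:2048 \
    -keyout "$3/tls.key" -out "$3/tls.crt" -subj "/CN=$1" 2>/dev/null
}

# Print the CN actually stored in certificate $1 (RFC2253 form: subject=CN=...).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# Succeed only if private key $1 and certificate $2 share one public key.
# Applying a hand-written Secret YAML does not validate the pair, so check here.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if certificate $1 is still valid $2 days from now (verifies -days).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Stand-alone demo: generate into a temporary directory and report the checks.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  gen_self_signed foo.bar.com 365 "$work"
  echo "CN in certificate: $(cert_cn "$work/tls.crt")"
  key_matches_cert "$work/tls.key" "$work/tls.crt" && echo "key matches certificate"
  cert_valid_for_days "$work/tls.crt" 364 && echo "still valid in 364 days"
  rm -rf "$work"
fi
```

The checkend test is worth keeping around: it is the same call you would run in a cron job or a pipeline to flag a Secret whose certificate is about to expire.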

📔 Adding the secret on k8s

📑 Adding with a command

kubectl create secret tls test-tls --key="tls.key" --cert="tls.crt"

📑 Writing a yaml file and adding it

1. Use the following commands to produce each base64-encoded value as a single line, and copy each one into a text editor.

cat tls.crt | base64 | xargs echo | sed 's/ //g'
cat tls.key | base64 | xargs echo | sed 's/ //g'

 

2. Write the secret yaml file.

This is the server side, so the example holds the private cert and key.

apiVersion: v1
kind: Secret
metadata:
  name: tls-cert
type: kubernetes.io/tls
data:
  tls.crt: {base64 string of tls.crt on one line}
  tls.key: {base64 string of tls.key on one line}

* The value of data.tls.crt must be on a single line.

 

3. Apply the file

kubectl apply -f {name of the secret yaml file you created}
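The three steps above can be done in one script. The following is an added example that is not from the original post: it encodes the two files on a single line portably (BSD base64 has no -w0, so newlines are stripped with tr), renders the Secret manifest, and verifies that each data value is one whitespace-free token that decodes byte-for-byte back to the original file, which is what the single-line rule means in practice. The Secret name tls-cert and the file names follow the post; the PEM contents in the demo are constructed stand-ins, not real key material.

```sh
#!/bin/sh
# Added example (not from the original post). File names and the Secret name are
# assumptions taken from the post; the demo's PEM contents are constructed.

# Base64-encode file $1 as a single line. GNU base64 wraps at 76 columns by
# default and BSD base64 lacks -w0, so strip the newlines portably.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Render a kubernetes.io/tls Secret manifest named $1 for cert $2 and key $3.
render_tls_secret() {
  printf 'apiVersion: v1\n'
  printf 'kind: Secret\n'
  printf 'metadata:\n  name: %s\n' "$1"
  printf 'type: kubernetes.io/tls\n'
  printf 'data:\n'
  printf '  tls.crt: %s\n' "$(b64_oneline "$2")"
  printf '  tls.key: %s\n' "$(b64_oneline "$3")"
}

# Succeed if the value stored under data key $2 in manifest $1 is exactly one
# whitespace-free token and decodes to the same bytes as file $3.
data_value_matches() {
  value=$(sed -n "s/^  $2: //p" "$1")
  [ -n "$value" ] || return 1
  case $value in *[[:space:]]*) return 1 ;; esac
  tmp=$(mktemp)
  if printf '%s' "$value" | base64 --decode > "$tmp" && cmp -s "$tmp" "$3"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Both data entries must pass; a wrapped value silently produces a broken YAML.
verify_manifest() {
  data_value_matches "$1" tls.crt "$2" && data_value_matches "$1" tls.key "$3"
}

# Stand-alone demo with constructed PEM stand-ins (no real key material).
work=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$work/tls.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$work/tls.key"
render_tls_secret tls-cert "$work/tls.crt" "$work/tls.key" > "$work/secret.yaml"
verify_manifest "$work/secret.yaml" "$work/tls.crt" "$work/tls.key" && cat "$work/secret.yaml"
rm -rf "$work"
```

Pipe the rendered manifest to `kubectl apply --dry-run=client -f -` to validate it before creating anything. `kubectl create secret tls tls-cert --cert=tls.crt --key=tls.key --dry-run=client -o yaml` produces the same manifest from the command-line route and is a convenient cross-check against a hand-written one.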

📕 References

Creating Kubernetes Secrets Using TLS/SSL as an Example | shocksolution.com
https://shocksolution.com/2018/12/14/creating-kubernetes-secrets-using-tls-ssl-as-an-example/