Certificate signed by a custom CA is not valid in Kubernetes

I am trying to set up the following process.

  1. A pod starts up and generates a private key and a CSR
  2. The CSR is submitted to a password-protected service for signing and IP validation
  3. The service returns a valid crt, which is then packaged into a .p12 together with the private key generated in step 1

The setup I am testing here: I am trying to use this so that I can have a grafana instance send webhooks to the service, which then routes them to SNS (I don't want to use aws lambda because it adds a lot of overhead just for one text message, and because I want to keep all of my notification webhooks in one place). When trying to reach the kubernetes service at the following URL

https://zevrant-notification-service/zevrant-notification-service/webhooks/serviceDown

I get the following error from grafana

```
Failed to send alert notifications" logger=context userId=1 orgId=1 uname=admin error="Post \"https://zevrant-notification-service/zevrant-notification-service/webhooks/serviceDown\": 
x509: certificate is not valid for any names, but wanted to match zevrant-notification-service" remote_addr=10.32.0.1
```

I tried making the same request with wget from inside the pod and got a similar error.

```
wget https://zevrant-notification-service/zevrant-notification-service/webhooks/serviceDown

Connecting to zevrant-notification-service (10.105.135.223:443)
ssl_client: zevrant-notification-service: name 'zevrant-notification-service' not present in 
server certificate
wget: error getting response: Connection reset by peer
```

As far as I can tell this is a problem with the certificate, but when I inspect the certificate the response contains the correct cname. The certificate also contains the pod ip as an IP SAN

```
openssl x509 -noout -subject -in test.pem 

subject=C = US, ST = MI, O = Zevrant Services Inc, OU = MyDivision, CN = zevrant-notification-service
```

This looks correct to me, so I am not sure what to do next. The full certificate details are below (an example certificate, since these keys are ephemeral and are revoked once the pod terminates)

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Answer 1

You're almost there, my friend. The SAN must contain both the original CN (zevrant-notification-service) and the alternative name (10.105.135.223).

Your current SAN is 10.105.135.223, which invalidates the original CN (zevrant-notification-service).
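Why the answer is right, as an added example that is not part of the question or the answer: Grafana is a Go program, and Go's crypto/x509 (like wget's ssl_client) matches a hostname against the subjectAltName extension only, never against the CN once a SAN extension is present. A certificate whose SAN holds just the IP therefore has no DNS name to match, and Go's HostnameError renders that as exactly the "certificate is not valid for any names" message above. The code below reproduces the poster's three steps in-process (the throwaway CA, the helper names `issue` and `checkHost`, the serial numbers and the "example internal CA" name are assumptions of this example, not the poster's signing service), signs one certificate with an IP-only SAN and one with a DNS plus IP SAN, and runs the client-side chain and hostname check against each.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check panics on error: acceptable for a demo, not for the real signing service.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue reproduces the poster's three steps in-process: the "pod" generates a
// key and a CSR carrying the requested SANs, a throwaway self-signed CA (an
// assumption of this example) signs it, and the leaf and CA certs are returned.
func issue(commonName string, dnsNames, ipStrings []string) (leaf, ca *x509.Certificate) {
	var ips []net.IP
	for _, s := range ipStrings {
		ip := net.ParseIP(s)
		if ip == nil {
			panic("bad IP SAN: " + s)
		}
		ips = append(ips, ip)
	}
	now := time.Now()

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err = x509.ParseCertificate(caDER)
	check(err)

	// Step 1: the pod's private key and CSR. The SANs travel in the CSR's
	// requested extensions, so the signer can copy them verbatim.
	podKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName}, DNSNames: dnsNames, IPAddresses: ips,
	}, podKey)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature())

	// Steps 2-3: the signer builds the leaf from the CSR. The CN is kept for
	// display, but clients match the hostname against the SAN extension only.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject,
		DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, csr.PublicKey, caKey)
	check(err)
	leaf, err = x509.ParseCertificate(leafDER)
	check(err)
	return leaf, ca
}

// checkHost does what a Go TLS client such as Grafana does after the handshake:
// it validates the chain against the CA and matches host against the
// certificate. It returns "" on success, otherwise the client-visible error.
func checkHost(leaf, ca *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	const svc, podIP = "zevrant-notification-service", "10.105.135.223"
	for _, dns := range [][]string{nil, {svc}} { // IP-only SAN, then DNS+IP SAN
		leaf, ca := issue(svc, dns, []string{podIP})
		for _, host := range []string{svc, podIP} {
			fmt.Printf("SAN %v %v, host %s: %q\n", leaf.DNSNames, leaf.IPAddresses, host, checkHost(leaf, ca, host))
		}
	}
}
```

The IP-only certificate still passes when the client connects to 10.105.135.223, which is why checking the CN with `openssl x509 -noout -subject` looked fine: that command never shows the SAN extension. With OpenSSL 1.1.1 or later the SANs can be requested at CSR time with `openssl req ... -addext "subjectAltName=DNS:zevrant-notification-service,IP:10.105.135.223"` and inspected on the issued certificate with `openssl x509 -noout -ext subjectAltName -in test.pem`; the signing service must also copy the requested SANs into the certificate rather than dropping them.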
