Day16，Domain&自签凭证

正文

以前有透过Freenom注册了一个边缘网域，这次就设定了一个homelab domain，将A Record设定在我的固定IP上。

Router的部分也要设定Port-forward 80/443 对应我昨天开的LoadBalancerIP

就可以打开浏览器

接者使用cfssl处理自签凭证

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
sudo mv cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssljson

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
sudo mv cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
chmod +x /usr/local/bin/cfssl

cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "Homelab": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  } 
}
EOF

cat > ca-csr.json << EOF
{
    "CN": "Homelab Root CA",
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
    {
      "C": "TW",
      "L": "Taipei",
      "O": "Homelab",
      "OU": "Homelab Root CA",
      "ST": "Xizhi"
    }
   ]
}
EOF

cfssl gencert --initca ca-csr.json | cfssljson -bare ca

cat > homelab-csr.json << EOF
{
    "CN": "homelab.gurubear.cf",
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
    {
      "C": "TW",
      "L": "Taipei",
      "O": "Homelab",
      "OU": "Homelab CA",
      "ST": "Xizhi"
    }
    ],
    "hosts": [
      "homelab.gurubear.cf"
    ]
  }
EOF

cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile=Homelab homelab-csr.json | cfssljson -bare homelab

kubectl create secret tls gurubear-tls  --cert=homelab.pem --key=homelab-key.pem -n ithomelab

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: ithomelab-ing
  namespace: ithomelab
spec:
  rules:
    - host: homelab.gurubear.cf
      http:
        paths:
          - backend:
              service:
                name: ithomelab-react-deployment
                port:
                  number: 80
            path: /
            pathType: Prefix
          - backend:
              service:
                name: ithomelab-api-deployment
                port:
                  number: 80
            path: /API
            pathType: Prefix

  tls:
    - hosts:
      - homelab.gurubear.cf
      secretName: gurubear-tls

可以看到仍然为不安全，因为并不认得这个ROOT CA

这边要想办法去信任这个自签的CA

ubuntu透过update-ca-certificate，chromium则要透过介面or指令
windows点两下CA放进可信任的授权单位......

再打开浏览器可以发现这台电脑浏览器显示已经是安全了~

闲聊

原本预计是要写cert-manager的，但因为domain有些问题处理不定，就决定先用自签凭证来挡一下。可能会在之後的章节再度挑战。