OPENSHIFT-280-6: Creating an application behind a secure edge route

This document walks through creating a secure route in OpenShift: a script generates a TLS private key and a self-signed certificate, and the `oc create route edge` command builds an edge-terminated route from them. The steps are: select the project, create the application, inspect the Pod and DeploymentConfig resources, generate the certificate and create the secure route, and finally verify that the application is reachable through the secure route.

1. oc project samples selects the project to work in. oc new-app --docker-image=workstation.lab.example.com:5000/openshift/hello-openshift --insecure-registry --name=greeter creates a new application: --docker-image=workstation.lab.example.com:5000/openshift/hello-openshift names the image to deploy, --insecure-registry lets the image be pulled from a registry whose TLS certificate is not trusted, and --name=greeter sets the application name.

[student@workstation wordpress]$ oc project samples
Now using project "samples" on server "https://master.lab.example.com:8443".
[student@workstation wordpress]$ oc new-app --docker-image=workstation.lab.example.com:5000/openshift/hello-openshift --insecure-registry --name=greeter
--> Found Docker image c97dc96 (23 months old) from workstation.lab.example.com:5000 for "workstation.lab.example.com:5000/openshift/hello-openshift"

    * An image stream will be created as "greeter:latest" that will track this image
    * This image will be deployed in deployment config "greeter"
    * Ports 8080/tcp, 8888/tcp will be load balanced by service "greeter"
      * Other containers can access this service through the hostname "greeter"
    * WARNING: Image "workstation.lab.example.com:5000/openshift/hello-openshift" runs as the 'root' user which may not be permitted by your cluster administrator

--> Creating resources ...
    imagestream "greeter" created
    deploymentconfig "greeter" created
    service "greeter" created
--> Success
    Run 'oc status' to view your app.

 

2. oc get pods -o wide lists the pods with their IP and node. oc describe pods greeter-1-93g8d shows the pod's details. oc get dc -o wide lists the deployment configs. oc describe dc greeter shows the deployment config's details. Note Security Policy: restricted in the pod output: oc new-app warned that the image runs as root, but the restricted SCC runs the container under a project-assigned non-root UID, and because hello-openshift only binds ports 8080 and 8888 it still starts. The Events section also shows Security:[seccomp=unconfined], that is, no seccomp profile is applied to this container.

[student@workstation wordpress]$ oc get pods -o wide
NAME              READY     STATUS    RESTARTS   AGE       IP            NODE
greeter-1-93g8d   1/1       Running   0          56s       10.129.0.21   node2.lab.example.com
[student@workstation wordpress]$ oc describe pods greeter-1-93g8d
Name:            greeter-1-93g8d
Namespace:        samples
Security Policy:    restricted
Node:            node2.lab.example.com/172.25.250.12
Start Time:        Mon, 17 Dec 2018 10:55:49 +0800
Labels:            app=greeter
            deployment=greeter-1
            deploymentconfig=greeter
Status:            Running
IP:            10.129.0.21
Controllers:        ReplicationController/greeter-1
Containers:
  greeter:
    Container ID:    docker://b9e2b12c87b5f63e07c1be731b23e7552b79ddd203276349a35f8373ae995073
    Image:        workstation.lab.example.com:5000/openshift/hello-openshift@sha256:f77c72f76b3ea556538fa6ed5544d7288ebb5f7cbf86c1eb6bb052536cf5dad2
    Image ID:        docker-pullable://workstation.lab.example.com:5000/openshift/hello-openshift@sha256:f77c72f76b3ea556538fa6ed5544d7288ebb5f7cbf86c1eb6bb052536cf5dad2
    Ports:        8888/TCP, 8080/TCP
    State:        Running
      Started:        Mon, 17 Dec 2018 10:55:51 +0800
    Ready:        True
    Restart Count:    0
    Volume Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-sdm5k (ro)
    Environment Variables:    <none>
Conditions:
  Type        Status
  Initialized     True 
  Ready     True 
  PodScheduled     True 
Volumes:
  default-token-sdm5k:
    Type:    Secret (a volume populated by a Secret)
    SecretName:    default-token-sdm5k
QoS Class:    BestEffort
Tolerations:    <none>
Events:
  FirstSeen    LastSeen    Count    From                SubObjectPath            Type        Reason          Message
  ---------    --------    -----    ----                -------------            --------    ------          -------
  1m        1m        1    {default-scheduler }                        Normal        Scheduled     Successfully assigned greeter-1-93g8d to node2.lab.example.com
  1m        1m        1    {kubelet node2.lab.example.com}    spec.containers{greeter}    Normal        Pulling          pulling image "workstation.lab.example.com:5000/openshift/hello-openshift@sha256:f77c72f76b3ea556538fa6ed5544d7288ebb5f7cbf86c1eb6bb052536cf5dad2"
  1m        1m        1    {kubelet node2.lab.example.com}    spec.containers{greeter}    Normal        Pulled          Successfully pulled image "workstation.lab.example.com:5000/openshift/hello-openshift@sha256:f77c72f76b3ea556538fa6ed5544d7288ebb5f7cbf86c1eb6bb052536cf5dad2"
  1m        1m        1    {kubelet node2.lab.example.com}    spec.containers{greeter}    Normal        Created          Created container with docker id b9e2b12c87b5; Security:[seccomp=unconfined]
  1m        1m        1    {kubelet node2.lab.example.com}    spec.containers{greeter}    Normal        Started          Started container with docker id b9e2b12c87b5
[student@workstation wordpress]$ oc get dc -o wide
NAME      REVISION   DESIRED   CURRENT   TRIGGERED BY
greeter   1          1         1         config,image(greeter:latest)

[student@workstation wordpress]$ oc describe dc greeter
Name:        greeter
Namespace:    samples
Created:    3 minutes ago
Labels:        app=greeter
Annotations:    openshift.io/generated-by=OpenShiftNewApp
Latest Version:    1
Selector:    app=greeter,deploymentconfig=greeter
Replicas:    1
Triggers:    Config, Image(greeter@latest, auto=true)
Strategy:    Rolling
Template:
  Labels:    app=greeter
        deploymentconfig=greeter
  Annotations:    openshift.io/generated-by=OpenShiftNewApp
  Containers:
   greeter:
    Image:            workstation.lab.example.com:5000/openshift/hello-openshift@sha256:f77c72f76b3ea556538fa6ed5544d7288ebb5f7cbf86c1eb6bb052536cf5dad2
    Ports:            8888/TCP, 8080/TCP
    Volume Mounts:        <none>
    Environment Variables:    <none>
  No volumes.

Deployment #1 (latest):
    Name:        greeter-1
    Created:    3 minutes ago
    Status:        Complete
    Replicas:    1 current / 1 desired
    Selector:    app=greeter,deployment=greeter-1,deploymentconfig=greeter
    Labels:        app=greeter,openshift.io/deployment-config.name=greeter
    Pods Status:    1 Running / 0 Waiting / 0 Succeeded / 0 Failed

Events:
  FirstSeen    LastSeen    Count    From                SubObjectPath    Type        Reason            Message
  ---------    --------    -----    ----                -------------    --------    ------            -------
  3m        3m        1    {deploymentconfig-controller }            Normal        DeploymentCreated    Created new replication controller "greeter-1" for version 1
 

3. lab secure-route setup prepares the lab environment for the secure route. cp /home/student/DO280/labs/secure-route/create-cert.sh ./ copies the script that produces the key and certificate into the working directory. cat create-cert.sh shows the script: openssl genrsa -out hello.cloudapps.lab.example.com.key 2048 generates a 2048-bit RSA private key; openssl req -new -key hello.cloudapps.lab.example.com.key -out hello.cloudapps.lab.example.com.csr -subj "/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=hello.cloudapps.lab.example.com" generates a certificate signing request (CSR) carrying the public key derived from that private key and the subject identity given with -subj; openssl x509 -req -days 366 -in hello.cloudapps.lab.example.com.csr -signkey hello.cloudapps.lab.example.com.key -out hello.cloudapps.lab.example.com.crt signs the CSR with the same private key, producing a self-signed certificate valid for 366 days. Because issuer and subject are the same, no client trusts this certificate unless it is explicitly told to.

[student@workstation ~]$ lab secure-route setup

Checking prerequisites for GE: Create a Route

 Checking all VMs are running:
 · master VM is up.............................................  SUCCESS
 · node1 VM is up..............................................  SUCCESS
 · node2 VM is up..............................................  SUCCESS
 Checking all OpenShift default pods are ready and running:
 · Check router................................................  SUCCESS
 · Check registry..............................................  SUCCESS

Downloading files for GE: Create a Route

 · Downloading starter project.................................  SUCCESS
 · Downloading solution project................................  SUCCESS

Download successful.


Overall setup status...........................................  SUCCESS

[student@workstation ~]$ cp /home/student/DO280/labs/secure-route/create-cert.sh ./
[student@workstation ~]$ cat create-cert.sh 
#!/bin/bash

echo "Generating a private key..."
openssl genrsa -out hello.cloudapps.lab.example.com.key 2048
echo

echo "Generating a CSR..."
openssl req -new -key hello.cloudapps.lab.example.com.key -out hello.cloudapps.lab.example.com.csr -subj "/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=hello.cloudapps.lab.example.com"
echo

echo "Generating a certificate..."
openssl x509 -req -days 366 -in hello.cloudapps.lab.example.com.csr -signkey hello.cloudapps.lab.example.com.key -out hello.cloudapps.lab.example.com.crt
echo
echo  "DONE."
echo

 

4. bash create-cert.sh runs the script. oc create route edge --service=greeter --hostname=greeter.samples.cloudapps.lab.example.com --key=hello.cloudapps.lab.example.com.key --cert=hello.cloudapps.lab.example.com.crt creates the route: --service=greeter names the service to expose, --hostname=greeter.samples.cloudapps.lab.example.com sets the route's public hostname, --key=hello.cloudapps.lab.example.com.key supplies the private key, and --cert=hello.cloudapps.lab.example.com.crt supplies the certificate (which contains the public key). The router terminates TLS at the edge with this key pair and forwards plain HTTP to the pod. Note that the certificate was issued for CN=hello.cloudapps.lab.example.com while the route hostname is greeter.samples.cloudapps.lab.example.com; a client that verifies certificates would reject this mismatch.

[student@workstation ~]$ bash create-cert.sh
Generating a private key...
Generating RSA private key, 2048 bit long modulus
........................................................................................................................+++
..+++
e is 65537 (0x10001)

Generating a CSR...

Generating a certificate...
Signature ok
subject=/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=hello.cloudapps.lab.example.com
Getting Private key

DONE.
[student@workstation ~]$ oc create route edge --service=greeter --hostname=greeter.samples.cloudapps.lab.example.com --key=hello.cloudapps.lab.example.com.key --cert=hello.cloudapps.lab.example.com.crt
route "greeter" created

 

5. oc get route -o wide lists the route; TERMINATION shows edge and PORT 8080-tcp. curl https://greeter.samples.cloudapps.lab.example.com -k -vvv fetches the page over the route with verbose output. -k makes curl skip certificate verification ("skipping SSL peer certificate verification"), which is the only reason the request succeeds: the output shows issuer equal to subject (self-signed) and common name hello.cloudapps.lab.example.com, which does not match the Host header. The Set-Cookie header with the Secure and HttpOnly flags is the router's session-affinity cookie, and the HTTP 200 with "Hello OpenShift!" confirms the application is reachable through the secure route.

[student@workstation ~]$ oc get route -o wide
NAME      HOST/PORT                                   PATH      SERVICES   PORT       TERMINATION   WILDCARD
greeter   greeter.samples.cloudapps.lab.example.com             greeter    8080-tcp   edge          None
[student@workstation ~]$ curl https://greeter.samples.cloudapps.lab.example.com -k -vvv
* About to connect() to greeter.samples.cloudapps.lab.example.com port 443 (#0)
*   Trying 172.25.250.11...
* Connected to greeter.samples.cloudapps.lab.example.com (172.25.250.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*     subject: CN=hello.cloudapps.lab.example.com,OU=RHT,O=RedHat,L=Raleigh,ST=NC,C=US
*     start date: Dec 17 03:02:51 2018 GMT
*     expire date: Dec 18 03:02:51 2019 GMT
*     common name: hello.cloudapps.lab.example.com
*     issuer: CN=hello.cloudapps.lab.example.com,OU=RHT,O=RedHat,L=Raleigh,ST=NC,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: greeter.samples.cloudapps.lab.example.com
> Accept: */*

< HTTP/1.1 200 OK
< Date: Mon, 17 Dec 2018 03:07:48 GMT
< Content-Length: 17
< Content-Type: text/plain; charset=utf-8
< Set-Cookie: d71cbca4113d65212d97a689d3cf0612=a4da5e42ad433fef22833a6fcb6b7dc0; path=/; HttpOnly; Secure
< Cache-control: private

Hello OpenShift!
* Connection #0 to host greeter.samples.cloudapps.lab.example.com left intact
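The lab's certificate names hello.cloudapps.lab.example.com while the route answers as greeter.samples.cloudapps.lab.example.com, and step 5 only succeeds because curl -k disables verification. The following script is an added example, not part of the DO280 lab or of OpenShift itself: it does what create-cert.sh and oc create route edge do together, but issues the certificate for the route hostname (in the subjectAltName, which is what clients actually check) and runs the checks a verifying client would apply before the route is created. It assumes OpenSSL 1.1.1 or newer (for -addext), the lab's service name greeter and target port 8080-tcp, and the lab's hostnames and subject fields; it writes the Route manifest to a temporary directory instead of calling oc, and insecureEdgeTerminationPolicy: Redirect is a choice made here, not something the lab's command set.

```shell
#!/bin/sh
# Added example (not from the DO280 lab): issue a key/cert for the route
# hostname, verify the pair the way a client would, and emit the Route
# manifest equivalent of `oc create route edge ...`.
set -eu

ROUTE_HOST="greeter.samples.cloudapps.lab.example.com"  # route host from the lab
LAB_CN="hello.cloudapps.lab.example.com"                # CN that create-cert.sh used

# make_cert DIR HOST: 2048-bit RSA key and a self-signed cert whose CN *and*
# subjectAltName are HOST. -addext needs OpenSSL 1.1.1+. Modern clients match
# the hostname against the SAN only, so a CN-only certificate is rejected.
make_cert() {
  local dir="$1" host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 366 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# key_matches_cert KEY CRT: succeeds if the public key inside CRT belongs to
# KEY. Catches a key/cert mix-up before the route is created.
key_matches_cert() {
  local from_key from_crt
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# cert_matches_host CRT HOST: the check that `curl -k` skipped: chain
# validation (the self-signed cert is its own trust anchor, hence -CAfile)
# plus a hostname match against the SAN.
cert_matches_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# route_manifest NAME SERVICE HOST KEY CRT: the object `oc create route edge`
# builds, with the PEM files inlined. The private key lives in the Route
# object itself, so anyone who can read Routes in the project can read it.
route_manifest() {
  local name="$1" svc="$2" host="$3" key="$4" crt="$5"
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: $name
spec:
  host: $host
  to:
    kind: Service
    name: $svc
  port:
    targetPort: 8080-tcp
  tls:
    termination: edge
    # Assumption, not set by the lab command: redirect plain HTTP to HTTPS
    # instead of leaving port 80 unanswered (None) or serving both (Allow).
    insecureEdgeTerminationPolicy: Redirect
    key: |
$(sed 's/^/      /' "$key")
    certificate: |
$(sed 's/^/      /' "$crt")
EOF
}

main() {
  local dir; dir=$(mktemp -d)
  make_cert "$dir" "$ROUTE_HOST"
  key_matches_cert "$dir/tls.key" "$dir/tls.crt" || { echo "key/cert mismatch" >&2; exit 1; }
  echo "key and certificate match"
  cert_matches_host "$dir/tls.crt" "$ROUTE_HOST" || { echo "cert not valid for $ROUTE_HOST" >&2; exit 1; }
  echo "certificate is valid for $ROUTE_HOST"
  # The lab's cert was issued for $LAB_CN; the same mismatch, the other way
  # round, is what a verifying client would reject:
  if cert_matches_host "$dir/tls.crt" "$LAB_CN"; then
    echo "unexpected: certificate also valid for $LAB_CN"
  else
    echo "certificate rejected for $LAB_CN (hostname mismatch, as a real client would)"
  fi
  route_manifest greeter greeter "$ROUTE_HOST" "$dir/tls.key" "$dir/tls.crt" > "$dir/route.yaml"
  echo "Route manifest written to $dir/route.yaml; apply with: oc create -f $dir/route.yaml"
}

# Run the demo only when openssl is present, so the functions stay usable elsewhere.
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

With a certificate that actually names the route host, the step-5 check can drop -k: curl --cacert tls.crt https://greeter.samples.cloudapps.lab.example.com then verifies the chain (the self-signed certificate as trust anchor) and the hostname instead of skipping both; add --resolve greeter.samples.cloudapps.lab.example.com:443:172.25.250.11 if the name does not resolve from the client.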
