Project address

https://github.com/kubernetes/dashboard

Generate a self-signed certificate

This is mainly to replace the empty certificate that the dashboard ships with by default.

Create a self-signed CA

# Generate the CA private key
openssl genrsa -out ca.key 2048
# Generate the self-signed CA certificate (it carries the CA public key); use a validity of 825 days when issuing, i.e. less than 850, otherwise Chrome will treat the certificate as invalid
openssl req -new -x509 -key ca.key -out ca.crt -days 825 -subj "/C=CN/ST=GuangDong/L=ShenZheng/O=txzing.com/OU=datahub/CN=timking"
# Inspect the contents of the CA certificate
openssl x509 -in ca.crt -noout -text

Configure OpenSSL so it can create a certificate request that carries a SubjectAltName

Chrome requires the certificate to carry SubjectAltName information

$ cat openssl.cnf
[ req ]
#default_bits           = 2048
#default_md             = sha256
#default_keyfile        = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
req_extensions = v3_req  # this line needs to be added

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, fully qualified host name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

[ v3_req ]  # add the v3_req section
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = k8s.txzing.cn  # put the matching domain name here
IP.1 = 192.168.0.100
IP.2 = 192.168.0.212

Issue the dashboard certificate

# Generate the dashboard private key
openssl genrsa -out dashboard.key 2048
# Generate the signing request; the CN in -subj must be the domain name the certificate is bound to
openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=GuangDong/L=ShenZheng/O=txzing.com/OU=datahub/CN=k8s.txzing.cn" -config openssl.cnf
# Sign the request with the CA certificate
openssl x509 -req -sha256 -days 825 -in dashboard.csr -out dashboard.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile openssl.cnf
# Verify that the issued certificate chains to the CA
openssl verify -CAfile ca.crt dashboard.crt
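The following script is an added example, not code from the original post or from the dashboard project. It automates the CA and certificate steps above and then runs the checks worth doing before the two files go into the kubernetes-dashboard-certs secret: that the certificate chains to the CA, that the SAN carries the hostname and IPs a browser will check (the CN alone is not enough for Chrome), that the private key actually belongs to the certificate, and that the validity period stays within 825 days. The subject names, the k8s.example.test hostname and the 192.0.2.x addresses are constructed placeholders; replace them with your own.

```bash
#!/bin/sh
# Added example, not code from the original post or the dashboard project.
# Builds a self-signed CA, issues a SAN-bearing leaf certificate the way the
# post does, then runs the checks worth doing before the files go into the
# kubernetes-dashboard-certs secret. Names and IPs below are constructed.
set -eu

# Write an OpenSSL config: v3_ca for the CA, v3_req with subjectAltName for
# the leaf. $1 = output path, $2 = DNS name, remaining args = IP addresses.
write_config() {
  cfg=$1; dns=$2; shift 2
  {
    printf '[ req ]\ndistinguished_name = req_distinguished_name\n'
    printf 'req_extensions = v3_req\n\n'
    printf '[ req_distinguished_name ]\ncommonName = Common Name\n\n'
    printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\n'
    printf 'keyUsage = critical, keyCertSign, cRLSign\n'
    printf 'subjectKeyIdentifier = hash\n\n'
    printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n'
    printf '[ alt_names ]\nDNS.1 = %s\n' "$dns"
    i=1
    for ip in "$@"; do printf 'IP.%d = %s\n' "$i" "$ip"; i=$((i + 1)); done
  } > "$cfg"
}

# Self-signed CA valid 825 days, as in the post. $1 = dir holding openssl.cnf.
make_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key "$1/ca.key" -out "$1/ca.crt" -days 825 \
    -subj "/O=example-lab/CN=example-lab CA" \
    -config "$1/openssl.cnf" -extensions v3_ca
}

# Leaf key, CSR and CA-signed certificate. $1 = dir, $2 = DNS name (used as CN).
issue_leaf() {
  openssl genrsa -out "$1/dashboard.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1/dashboard.key" -out "$1/dashboard.csr" \
    -subj "/O=example-lab/CN=$2" -config "$1/openssl.cnf"
  openssl x509 -req -sha256 -days 825 -in "$1/dashboard.csr" \
    -out "$1/dashboard.crt" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extensions v3_req -extfile "$1/openssl.cnf" 2>/dev/null
}

# Chain plus name checks, the same ones a browser performs (against the SAN).
check_hostname() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/dashboard.crt" >/dev/null 2>&1
}
check_ip() {
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/dashboard.crt" >/dev/null 2>&1
}

# The SAN extension must actually list the DNS name Chrome will look up.
has_san() {
  openssl x509 -in "$1/dashboard.crt" -noout -text | grep -q "DNS:$2"
}

# Key and certificate must belong together before both go into one secret:
# compare the public key embedded in the certificate with the one derived
# from the private key.
check_key_matches() {
  [ "$(openssl x509 -in "$1/dashboard.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/dashboard.key" -pubout 2>/dev/null)" ]
}

# For a certificate issued moments ago, -checkend N reports "will expire"
# (exit 1) exactly when the remaining lifetime is at most N seconds, so a
# non-zero exit means the lifetime is within $2 days.
check_lifetime_within_days() {
  ! openssl x509 -in "$1/dashboard.crt" -noout -checkend $(($2 * 86400)) >/dev/null
}

demo() {
  dir=$(mktemp -d)
  write_config "$dir/openssl.cnf" k8s.example.test 192.0.2.10 192.0.2.11
  make_ca "$dir"
  issue_leaf "$dir" k8s.example.test
  check_hostname "$dir" k8s.example.test   || { echo "hostname check failed"; return 1; }
  check_ip "$dir" 192.0.2.10               || { echo "IP SAN check failed"; return 1; }
  has_san "$dir" k8s.example.test          || { echo "SAN missing"; return 1; }
  check_key_matches "$dir"                 || { echo "key does not match cert"; return 1; }
  check_lifetime_within_days "$dir" 825    || { echo "lifetime over 825 days"; return 1; }
  echo "all checks passed; dashboard.crt and dashboard.key are in $dir"
}
demo
```

The hostname and IP checks use openssl verify's -verify_hostname and -verify_ip options, which evaluate the SAN the same way a browser does, so a certificate whose CN is right but whose SAN is missing or wrong fails here before it ever reaches Chrome.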

Install the dashboard

Create the secrets

kubectl create ns kubernetes-dashboard

# Create the secret holding the certificate that kubernetes-dashboard uses internally
kubectl create secret generic kubernetes-dashboard-certs --from-file=../pki/dashboard.crt --from-file=../pki/dashboard.key -n kubernetes-dashboard

# Create the TLS secret that ingress-nginx uses when forwarding to kubernetes-dashboard
kubectl create secret tls kubernetes-dashboard-ingress-tls --cert=../pki/dashboard.crt --key=../pki/dashboard.key -n kubernetes-dashboard

Download and install kubernetes-dashboard

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml

# Change the image references to a mirror inside China
sed -i -e "s?kubernetesui?registry.cn-hangzhou.aliyuncs.com/google_containers?g" recommended.yaml

# Rename the manifest
mv recommended.yaml kubernetes-dashboard.yaml

kubectl apply -f kubernetes-dashboard.yaml

Create the ingress that exposes the dashboard