consul 证书
2023-12-25 13:27 qgbo
上面 consul cluster 启动时会生成证书：一个是证书（consul-ca-cert 是 CA 的证书，也就是根证书），另一个是私钥。
# k get secrets consul-ca-cert -oyaml apiVersion: v1 data: tls.crt: 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 kind: Secret
#k get screts consul-ca-key -oyaml apiVersion: v1 data: tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUkrRlFYVk55anJPaWZzYlBuYzJJdXYyTDlLYkdkNVc5TjY4TExGTWh1Z3FvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSWlGeTJmMG9XSllCMHhoWUo2RlNrUXlWdEV4SXR4c241R1daUXlwOG55ZVFEUUpvb1ZMQQppZVdtVXdMSkFtSVVwdlltR2poakc0RFUrTFlXNXdYTXFnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= get secrets consul-server-cert -oyaml apiVersion: v1 data: tls.crt: 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 tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVAxcDJEeGtoVStIU1hUNWlzWFNuNVVLeFd4QTVhUE4xRlBHK29JdXd4Z1dvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFYTlwOVhwZTlXelUzUG5jY1pGY1BENWVCYmRjRkxSbU53aGFXRzF4VnZOVjFRZ0N4RjRTawpYeks1Q0U4dGFjaXhCaHVNRlJPUXhSV2dzOHZFRVoyazlRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= kind: Secret k get secrets consul-auth-method -oyaml apiVersion: v1 data: ca.crt: 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 namespace: Y29uc3VsMw== token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklsa3dPR0pFT1daU01raEJPWGc0T1hoVlNFVkJjM1ZUZURKb2NGUnNWbUpzUmt4aWNXOVVURlk0ZW1NaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUpqYjI1emRXd3pJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbU52Ym5OMWJDMWhkWFJvTFcxbGRHaHZaQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG01aGJXVWlPaUpqYjI1emRXd3RZWFYwYUMxdFpYUm9iMlFpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1MWFXUWlPaUppTjJSaFl6aGlZeTB6WVdNM0xUUTNaREl0T1RZMU5TMDJORFptTkRnM04ySTRNRGtpTENKemRXSWlPaUp6ZVhOMFpXMDZjMlZ5ZG1salpXRmpZMjkxYm5RNlkyOXVjM1ZzTXpwamIyNXpkV3d0WVhWMGFDMXRaWFJvYjJRaWZRLlQ4ZnNtclVtZy1zZ3N2Z2VIUEZsbEdhVnpkLS1oR0I1cEVmZ0RxdXk4bzR5SDc4MlQ1ZlpSTWhqRzQzam04aGVuQXQtaUFZRDZLV0ViQUdZWnA4MGlabC10aDU3Y3daNk9fY0pDQXdRcTgxbjZiblNtRjd1czlTRkhFVFd2eGtOQk5UWmUzMzRRN3E5X2V2QmRXdno4blA2eWZDTHJpSzA5RlJFOTB4MkludWJveWJZUHROOUhXSGN
rN0x3U1Q3NnItWklfZ2ZIekpyS3pRQ09rR3owMDAyakw2TFBDMFdTZ0lPV3QxYkVNRVJsQ1c1bkgtVkQ5elNwMURyOXAzeGRqQnNuX0VILVJTM0ZnV3NEclZOUkY0eXhuVXNMUGs5b1JlQlB5ejF0YzB2eGxUS3FyYURhaVRzcEVaNUdSY0Nob211M1gtX0JpcTd4eW9oYmJWY1hfQQ== kind: Secret metadata:
上面的证书（tls.crt）先 base64 解码，再解析其内容，里面有公钥、签发者等信息。证书可以到处传，私钥只能自己保存、不能公开——上面贴出的 tls.key 就是私钥，一旦公开就应视为已泄露并重新签发。
-----BEGIN CERTIFICATE----- MIIDQTCCAuigAwIBAgIUZnxoHO73pI646TB0hJC/XGWUMKwwCgYIKoZIzj0EAwIw gZExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5j aXNjbzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1 MRcwFQYDVQQKEw5IYXNoaUNvcnAgSW5jLjEYMBYGA1UEAxMPQ29uc3VsIEFnZW50 IENBMB4XDTIzMTIyNTAzMTEyOVoXDTMzMTIyMjAzMTIyOVowgZExCzAJBgNVBAYT AlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEaMBgGA1UE CRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcwFQYDVQQKEw5I YXNoaUNvcnAgSW5jLjEYMBYGA1UEAxMPQ29uc3VsIEFnZW50IENBMFkwEwYHKoZI zj0CAQYIKoZIzj0DAQcDQgAEIiFy2f0oWJYB0xhYJ6FSkQyVtExItxsn5GWZQyp8 nyeQDQJooVLAieWmUwLJAmIUpvYmGjhjG4DU+LYW5wXMqqOCARowggEWMA4GA1Ud DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0T AQH/BAUwAwEB/zBoBgNVHQ4EYQRfZTY6Y2M6MjE6ZjY6ZGU6YzI6Y2E6NDc6NzY6 NTQ6Zjc6MTU6Mzg6ZTY6ZWE6N2I6NTc6ODk6M2Y6MGQ6Nzc6Mjk6NmY6OTc6NGQ6 MzI6YmM6NDc6ZjE6MDg6MWI6YTYwagYDVR0jBGMwYYBfZTY6Y2M6MjE6ZjY6ZGU6 YzI6Y2E6NDc6NzY6NTQ6Zjc6MTU6Mzg6ZTY6ZWE6N2I6NTc6ODk6M2Y6MGQ6Nzc6 Mjk6NmY6OTc6NGQ6MzI6YmM6NDc6ZjE6MDg6MWI6YTYwCgYIKoZIzj0EAwIDRwAw RAIgaSaCnRAv+lLt9E2spmEaqDnyRVmsobvPMMn4t1MdD8MCIHju978A+vbubyEU s2RDP0oDMTBsD8BJy7VMxIhi+f2t -----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEII+FQXVNyjrOifsbPnc2Iuv2L9KbGd5W9N68LLFMhugqoAoGCCqGSM49
AwEHoUQDQgAEIiFy2f0oWJYB0xhYJ6FSkQyVtExItxsn5GWZQyp8nyeQDQJooVLA
ieWmUwLJAmIUpvYmGjhjG4DU+LYW5wXMqg==
-----END EC PRIVATE KEY-----
最后这个 token 解码后（JWT 的 payload 部分）内容如下：
{ "iss": "kubernetes/serviceaccount", "kubernetes.io/serviceaccount/namespace": "consul3", "kubernetes.io/serviceaccount/secret.name": "consul-auth-method", "kubernetes.io/serviceaccount/service-account.name": "consul-auth-method", "kubernetes.io/serviceaccount/service-account.uid": "b7dac8bc-3ac7-47d2-9655-646f4877b809", "sub": "system:serviceaccount:consul3:consul-auth-method" }
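# Resolve an interface name to its first IPv4 address (prefix length stripped).
# Prints nothing when the interface is unknown or has no IPv4 address; the
# caller decides whether that is fatal.
interface_ipv4_address() {
  ip -o -4 addr list "$1" | head -n1 | awk '{print $4}' | cut -d/ -f1
}

# Print a fatal error on stderr and exit 1. Diagnostics go to stderr so they are
# not mixed into Consul's own stdout by log consumers.
fatal() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Unless CONSUL_BIND was given explicitly, derive it from CONSUL_BIND_INTERFACE:
# look up that interface's IP and pass the proper -bind= option along to Consul.
if [ -z "$CONSUL_BIND" ] && [ -n "$CONSUL_BIND_INTERFACE" ]; then
  CONSUL_BIND_ADDRESS=$(interface_ipv4_address "$CONSUL_BIND_INTERFACE")
  if [ -z "$CONSUL_BIND_ADDRESS" ]; then
    fatal "Could not find IP for interface '$CONSUL_BIND_INTERFACE', exiting"
  fi
  CONSUL_BIND="-bind=$CONSUL_BIND_ADDRESS"
  echo "==> Found address '$CONSUL_BIND_ADDRESS' for interface '$CONSUL_BIND_INTERFACE', setting bind option..."
fi

# You can set CONSUL_CLIENT_INTERFACE to the name of the interface you'd like to
# bind client interfaces (HTTP, DNS, and RPC) to and this will look up the IP and
# pass the proper -client= option along to Consul.
if [ -z "$CONSUL_CLIENT" ] && [ -n "$CONSUL_CLIENT_INTERFACE" ]; then
  CONSUL_CLIENT_ADDRESS=$(interface_ipv4_address "$CONSUL_CLIENT_INTERFACE")
  if [ -z "$CONSUL_CLIENT_ADDRESS" ]; then
    fatal "Could not find IP for interface '$CONSUL_CLIENT_INTERFACE', exiting"
  fi
  CONSUL_CLIENT="-client=$CONSUL_CLIENT_ADDRESS"
  echo "==> Found address '$CONSUL_CLIENT_ADDRESS' for interface '$CONSUL_CLIENT_INTERFACE', setting client option..."
fi

# CONSUL_DATA_DIR is exposed as a volume for possible persistent storage. The
# CONSUL_CONFIG_DIR isn't exposed as a volume but you can compose additional
# config files in there if you use this image as a base, or use CONSUL_LOCAL_CONFIG
# below. Both default when unset or empty.
CONSUL_DATA_DIR=${CONSUL_DATA_DIR:-/consul/data}
CONSUL_CONFIG_DIR=${CONSUL_CONFIG_DIR:-/consul/config}

# You can also set the CONSUL_LOCAL_CONFIG environment variable to pass some
# Consul configuration JSON without having to bind any volumes. printf is used
# rather than echo: dash/busybox echo interprets backslash escapes, which would
# corrupt JSON strings containing "\n", "\t" or "\\".
if [ -n "$CONSUL_LOCAL_CONFIG" ]; then
  printf '%s\n' "$CONSUL_LOCAL_CONFIG" > "$CONSUL_CONFIG_DIR/local.json"
fi

# If the user is trying to run Consul directly with some arguments (first word
# starts with '-'), then pass them to Consul.
case "$1" in
  -*) set -- consul "$@" ;;
esac

# Look for Consul subcommands.
if [ "$1" = 'agent' ]; then
  shift
  # CONSUL_BIND and CONSUL_CLIENT are intentionally unquoted: an empty value
  # must contribute no argument at all (and a user-supplied value may carry
  # more than one flag).
  # shellcheck disable=SC2086
  set -- consul agent \
    -data-dir="$CONSUL_DATA_DIR" \
    -config-dir="$CONSUL_CONFIG_DIR" \
    $CONSUL_BIND \
    $CONSUL_CLIENT \
    "$@"
elif [ "$1" = 'version' ]; then
  # This needs a special case because there's no help output.
  set -- consul "$@"
elif consul --help "$1" 2>&1 | grep -q -F -- "consul $1"; then
  # We can't use the return code to check for the existence of a subcommand, so
  # we have to use grep to look for a pattern in the help output. The subcommand
  # name is matched literally (-F), never as a regular expression.
  set -- consul "$@"
fi

# If we are running Consul, make sure it executes as the proper user.
if [ "$1" = 'consul' ] && [ -z "${CONSUL_DISABLE_PERM_MGMT+x}" ]; then
  # Allow the user and group to be set via the environment; fall back to the
  # "consul" account of the image and fail loudly if it does not exist, instead
  # of continuing with an empty UID/GID.
  if [ -z "$CONSUL_UID" ]; then
    CONSUL_UID="$(id -u consul)" || fatal "Could not determine UID of user 'consul', exiting"
  fi
  if [ -z "$CONSUL_GID" ]; then
    CONSUL_GID="$(id -g consul)" || fatal "Could not determine GID of user 'consul', exiting"
  fi

  # If the data or config dirs are bind mounted then chown them so the
  # unprivileged user can write to them. Ownership is compared against
  # CONSUL_UID only (not recursively), which covers the common root-owned case.
  for dir in "$CONSUL_DATA_DIR" "$CONSUL_CONFIG_DIR"; do
    if [ "$(stat -c %u "$dir")" != "$CONSUL_UID" ]; then
      chown "$CONSUL_UID:$CONSUL_GID" "$dir"
    fi
  done

  # If requested, set the capability to bind to privileged ports before
  # we drop to the non-root user. Note that this doesn't work with all
  # storage drivers (it won't work with AUFS).
  if [ -n "${CONSUL_ALLOW_PRIVILEGED_PORTS+x}" ]; then
    setcap "cap_net_bind_service=+ep" /bin/consul
  fi

  set -- su-exec "$CONSUL_UID:$CONSUL_GID" "$@"
fi

exec "$@"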