[Kubernetes] MSA(7) Generating TLS Certificates
cbwstar
2024. 1. 26. 15:56
1. Generating SSL certificates for the MSA ingress
openssl genrsa -out portal.co.kr.key 4096
openssl genrsa -out admin.co.kr.key 4096
openssl genrsa -out kibana.co.kr.key 4096
openssl genrsa -out gateway.co.kr.key 4096
openssl genrsa -out discovery.co.kr.key 4096
2. vi v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=invako.kro.kr
DNS.2=nginx.co.kr
DNS.3=zipkin.co.kr
DNS.4=argocd.co.kr
DNS.5=rabbitmq.co.kr
DNS.6=portal.co.kr
DNS.7=admin.co.kr
DNS.8=kibana.co.kr
DNS.9=gateway.co.kr
DNS.10=discovery.co.kr
3. Generate the server CSR files
/* For CN, enter the domain or IP */
openssl req -sha512 -new \
-subj "/C=CN/ST=South/L=Osong/O=invako/OU=Personal/CN=portal.co.kr" \
-key portal.co.kr.key \
-out portal.co.kr.csr
openssl req -sha512 -new \
-subj "/C=CN/ST=South/L=Osong/O=invako/OU=Personal/CN=admin.co.kr" \
-key admin.co.kr.key \
-out admin.co.kr.csr
openssl req -sha512 -new \
-subj "/C=CN/ST=South/L=Osong/O=invako/OU=Personal/CN=kibana.co.kr" \
-key kibana.co.kr.key \
-out kibana.co.kr.csr
openssl req -sha512 -new \
-subj "/C=CN/ST=South/L=Osong/O=invako/OU=Personal/CN=gateway.co.kr" \
-key gateway.co.kr.key \
-out gateway.co.kr.csr
openssl req -sha512 -new \
-subj "/C=CN/ST=South/L=Osong/O=invako/OU=Personal/CN=discovery.co.kr" \
-key discovery.co.kr.key \
-out discovery.co.kr.csr
4. Generate the server certificate (crt) files
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in portal.co.kr.csr \
-out portal.co.kr.crt
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in admin.co.kr.csr \
-out admin.co.kr.crt
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in kibana.co.kr.csr \
-out kibana.co.kr.crt
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in gateway.co.kr.csr \
-out gateway.co.kr.crt
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in discovery.co.kr.csr \
-out discovery.co.kr.crt
5. Register the secrets
kubectl create secret tls tlssecret-portal --key portal.co.kr.key --cert portal.co.kr.crt
kubectl create secret tls tlssecret-admin --key admin.co.kr.key --cert admin.co.kr.crt
kubectl create secret tls tlssecret-kibana --key kibana.co.kr.key --cert kibana.co.kr.crt
kubectl create secret tls tlssecret-gateway --key gateway.co.kr.key --cert gateway.co.kr.crt
kubectl create secret tls tlssecret-discovery --key discovery.co.kr.key --cert discovery.co.kr.crt
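
Before the secrets in step 5 are created, each key/certificate pair from steps 1 to 4 can be checked for a matching key, a valid signature from ca.crt, and the host name in subjectAltName. The script below is an added example, not part of the original post; check_tls_pair and make_demo_pair are hypothetical helper names, and make_demo_pair builds a throwaway CA and certificate as constructed sample input.

```bash
#!/usr/bin/env bash
# Added example: check_tls_pair and make_demo_pair are hypothetical helper names.

# check_tls_pair HOST CA_CRT [DIR]: succeeds only if DIR/HOST.key and DIR/HOST.crt
# belong together, chain to CA_CRT, and list HOST in subjectAltName.
check_tls_pair() {
  local host=$1 ca=$2 dir=${3:-.} kpub cpub
  local key="$dir/$host.key" crt="$dir/$host.crt"
  # 1. The certificate must carry the public half of this private key.
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "$host: unreadable key"; return 1; }
  cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "$host: unreadable certificate"; return 1; }
  [ "$kpub" = "$cpub" ] || { echo "$host: key and certificate do not match"; return 1; }
  # 2. The certificate must chain to the CA that clients will trust.
  openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' \
    || { echo "$host: not signed by $ca"; return 1; }
  # 3. Exact-match SAN lookup (wildcard entries are not expanded here).
  openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$host" \
    || { echo "$host: name missing from subjectAltName"; return 1; }
  echo "$host: OK"
}

# make_demo_pair DIR HOST SAN: constructed sample input. Builds a throwaway CA and
# one pair using the post's steps 1, 3 and 4 (2048-bit keys keep the demo fast;
# the extension file is a cut-down v3.ext with a single SAN entry).
make_demo_pair() {
  local dir=$1 host=$2 san=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  echo 'basicConstraints=CA:TRUE' > "$dir/ca.ext"
  openssl x509 -req -days 1 -extfile "$dir/ca.ext" -signkey "$dir/ca.key" \
    -in "$dir/ca.csr" -out "$dir/ca.crt" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$san" > "$dir/v3.ext"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/CN=$host" -key "$dir/$host.key" \
    -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -sha512 -days 1 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}

# Usage: ./check.sh portal.co.kr ca.crt   (does nothing when run without arguments)
if [ "$#" -ge 2 ]; then check_tls_pair "$@"; fi
```

kubectl create secret tls rejects a key that does not match the certificate, but it does not check the issuer or the SAN list, so checks 2 and 3 are the ones that catch a certificate signed by the wrong CA or issued without the host's name.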