Before importing the CA: the cURL request to the HTTPS API fails

export TOKEN=$(cat token_file)
curl  -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://k8sapi.example.com:6443/api/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

After importing the CA: the cURL request to the HTTPS API succeeds

export TOKEN=$(cat token_file)
curl   -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://k8sapi.example.com:6443/api/
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "10.116.68.203:6443"
    }
  ]
}

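## You can of course also pass -k/--insecure to curl, or point it at the certificate explicitly.
## -k skips verification of the server certificate altogether, so --cacert is the form that still sends the Bearer token only to a verified endpoint. For example: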
curl --cacert kubernetes_ca.crt  -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://k8sapi.example.com:6443/api/

Importing a custom CA certificate (root certificate) on CentOS 7

1. Install ca-certificates

 yum -y install ca-certificates

2. Place the certificate file in /usr/share/pki/ca-trust-source/anchors

# The certificate file name ends in .crt and its content is PEM, i.e. the format with BEGIN and END lines
ls -l /usr/share/pki/ca-trust-source/anchors
kubernetes_ca.crt

3. Update the trust store

update-ca-trust

# Once the command above has finished, /etc/ssl/certs/ca-bundle.crt and /etc/ssl/certs/ca-bundle.trust.crt contain the new custom certificate
# For example
tail -n20 /etc/ssl/certs/ca-bundle.trust.crt

# kubernetes
-----BEGIN TRUSTED CERTIFICATE-----
...
-----END TRUSTED CERTIFICATE-----
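
Instead of eyeballing the tail of the bundle, the result of step 3 can be checked by fingerprint. The following is an added example, not part of the original post: it uses only the Python standard library, and the function names and the sample byte strings are made up for illustration (the samples are placeholder DER blobs, not real certificates).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)"
    r"-----END (?:TRUSTED )?CERTIFICATE-----", re.S)

def first_der_element(blob):
    """Return only the leading DER SEQUENCE (the certificate itself).

    A "TRUSTED CERTIFICATE" block, as in ca-bundle.trust.crt, carries trust
    attributes after the certificate, so hashing the whole blob would never
    match the fingerprint of the plain .crt file."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, header = blob[1], 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            raise ValueError("unsupported DER length")
        length, header = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    if header + length > len(blob):
        raise ValueError("truncated DER")
    return blob[:header + length]

def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate found in a PEM file."""
    found = set()
    for match in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        found.add(hashlib.sha256(first_der_element(der)).hexdigest())
    return found

def anchor_in_bundle(anchor_pem, bundle_pem):
    """True when every certificate in the anchor file is in the bundle."""
    anchor = fingerprints(anchor_pem)
    return bool(anchor) and anchor <= fingerprints(bundle_pem)

def to_pem(der, label="CERTIFICATE"):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample data: placeholder DER blobs, not real certificates.
FAKE_CA = b"\x30\x82\x01\x00" + bytes(256)
OTHER_CA = b"\x30\x03\x02\x01\x05"
AUX = b"\x30\x0c\x0c\x0akubernetes"        # stand-in for trust attributes
SAMPLE_BUNDLE = (to_pem(OTHER_CA) + "# kubernetes\n"
                 + to_pem(FAKE_CA + AUX, "TRUSTED CERTIFICATE"))
```

On a real host, pass the text of the file under /usr/share/pki/ca-trust-source/anchors and the text of /etc/ssl/certs/ca-bundle.trust.crt to anchor_in_bundle(); a False result means update-ca-trust did not pick the certificate up.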