Adding an internal CA to Rancher to connect to other systems
TL;DR: How can I make an internal root CA known to Rancher when the Rancher SSL cert is not signed by it, but other external systems (like an OIDC provider) are?

I have a running Rancher in version v2.6.3 on one of my VMs as a Docker container. It uses an SSL certificate signed by DigiCert, as I'm using it to manage clusters outside of my own network. The Web UI login is only used from within my network. I use an OIDC client in Keycloak for it. Since this Keycloak is (and should stay) only accessible from my internal network, it has a certificate signed by my internal CA.

To get this working I needed to make the root CA known to Rancher. So I mounted it to the container at /etc/rancher/ssl/cacerts.pem alongside my DigiCert-signed certificate and key (SSL_CERT_DIR is set to /etc/rancher/ssl).

After doing that I could successfully configure OIDC auth with my internal Keycloak. Before adding the root CA, I got a certificate error when Rancher tried to read https://<KEYCLOAK REALM AUTH URL>/.well-known/openid-configuration.

Now Rancher is adding this root CA certificate to the kubeconfig files the users can download from the UI to access their clusters, which then results in a certificate error when they want to access the cluster with kubectl. I could now tell everyone to just remove the certificate-authority-data when they download their config. But it feels like - even though it is working - this is not the correct way to make the certificate known to Rancher. If I understand the documentation and the result described here correctly, the file /etc/rancher/ssl/cacerts.pem should only be used in case your Rancher uses a certificate signed by a non-public CA.

Is there another way to make my internal CA known to Rancher? Unfortunately I could only find this article in the documentation, which I followed to the result above.

Thanks in advance!
Comments (1)
I figured it out!

I found something in the Rancher Helm Chart Options about Additional Trusted CAs, which led me to the Helm chart where I found this block in the Deployment:

Apparently adding additional CA certs to the trust store is as easy as mounting the CAs to /etc/rancher/ssl/ca-additional.pem and /etc/pki/trust/anchors/ca-additional.pem. Tried it already and it is working like a charm! OIDC login works and when I download a kubeconfig the certificate-authority-data is not set.
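The following is an added example, not code from the thread or from Rancher. It puts the question and the answer side by side in one script: the container layout the answer arrives at (the internal CA mounted only as ca-additional.pem, never as cacerts.pem, which the question shows being copied into every downloaded kubeconfig as the CA for Rancher itself), a pre-flight check that the internal CA really validates the Keycloak discovery URL the question saw the certificate error on, and a check on a downloaded kubeconfig for the certificate-authority-data field. Container-side paths, the SSL_CERT_DIR value and the image version are taken from the thread; the run flags follow the single-node Docker install; HOST_SSL_DIR, the file names under it and the sample kubeconfig contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Rancher.
# Container-side paths, SSL_CERT_DIR and the image version are taken from the
# thread; HOST_SSL_DIR and the file names under it are assumptions.

RANCHER_IMAGE="rancher/rancher:v2.6.3"
HOST_SSL_DIR="${HOST_SSL_DIR:-/opt/rancher/ssl}"   # assumed host directory

# Print the docker run command for the layout the thread arrives at:
#  - cert.pem/key.pem: the publicly trusted (DigiCert) server certificate
#  - internal-ca.pem: mounted ONLY as ca-additional.pem (outbound trust,
#    e.g. for the Keycloak discovery URL), never as cacerts.pem, which would
#    declare it as the CA of Rancher itself and embed it into kubeconfigs.
rancher_run_cmd() {
  printf '%s\n' "docker run -d --restart=unless-stopped --privileged \
-p 80:80 -p 443:443 \
-e SSL_CERT_DIR=/etc/rancher/ssl \
-v ${HOST_SSL_DIR}/cert.pem:/etc/rancher/ssl/cert.pem \
-v ${HOST_SSL_DIR}/key.pem:/etc/rancher/ssl/key.pem \
-v ${HOST_SSL_DIR}/internal-ca.pem:/etc/rancher/ssl/ca-additional.pem \
-v ${HOST_SSL_DIR}/internal-ca.pem:/etc/pki/trust/anchors/ca-additional.pem \
${RANCHER_IMAGE}"
}

# Before mounting: confirm the internal CA actually validates the Keycloak
# discovery endpoint (the URL the post saw the certificate error on).
# Needs network access; not exercised by the offline demo below.
check_oidc_discovery() {
  # $1 = path to the internal CA PEM, $2 = https://<KEYCLOAK REALM AUTH URL>
  curl -sS --fail --cacert "$1" "$2/.well-known/openid-configuration" > /dev/null
}

# After the fix: a kubeconfig downloaded from the UI should no longer carry a
# certificate-authority-data field (kubectl would otherwise verify Rancher's
# DigiCert-signed certificate against the internal CA and fail).
kubeconfig_has_ca_data() {
  grep -q '^[[:space:]]*certificate-authority-data:' "$1"
}

# Write a constructed sample kubeconfig (not a real download) to $1;
# pass "with-ca" as $2 to embed a certificate-authority-data field.
write_sample_kubeconfig() {
  {
    printf 'apiVersion: v1\nkind: Config\nclusters:\n- name: demo\n  cluster:\n'
    printf '    server: https://rancher.example.test/k8s/clusters/c-demo\n'
    if [ "$2" = "with-ca" ]; then
      printf '    certificate-authority-data: Q09OU1RSVUNURUQ=\n'
    fi
    printf 'contexts: []\nusers: []\n'
  } > "$1"
}

# Offline demo: run as `sh this.sh demo`.
if [ "${1:-}" = "demo" ]; then
  rancher_run_cmd
  before=$(mktemp); after=$(mktemp)
  write_sample_kubeconfig "$before" with-ca      # what the cacerts.pem setup produced
  write_sample_kubeconfig "$after" without-ca    # what the ca-additional.pem setup produces
  for f in "$before" "$after"; do
    if kubeconfig_has_ca_data "$f"; then
      echo "$f: certificate-authority-data present (cacerts.pem-style setup)"
    else
      echo "$f: no certificate-authority-data (expected with ca-additional.pem)"
    fi
  done
  rm -f "$before" "$after"
fi
```

The point of keeping the two mount targets apart is trust scoping: cacerts.pem tells Rancher (and every client that downloads a kubeconfig) "this CA issued my own certificate", while ca-additional.pem only widens the set of CAs Rancher trusts when it connects outward. With a publicly trusted server certificate, only the second is wanted, and the kubeconfig check above is the quickest way to confirm the distinction took effect.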