获取 Azure K8s 以信任自签名证书

要让 AKS 群集信任自签名证书，您需要将根证书添加到群集环境中的受信任存储中。这通常涉及在容器级别配置信任，因为 Kubernetes 本身不直接管理出站连接的 SSL/TLS 证书。

使用您的根证书创建 ConfigMap -

kubectl create configmap custom-root-ca --from-file=rootCA.pem -n your-namespace

这会将您的根证书作为 ConfigMap 存储在 Kubernetes 中，使其可以挂载到 Pod 中。

更新您的部署以使用受信任的证书。 部署示例-

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      initContainers:
      - name: add-ca-cert
        image: alpine
        command:
        - sh
        - -c
        - >
          if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
            cat /etc/ssl/certs/custom-root-ca/rootCA.pem >> /etc/ssl/certs/ca-certificates.crt;
          elif [ -f /etc/ssl/cert.pem ]; then
            cat /etc/ssl/certs/custom-root-ca/rootCA.pem >> /etc/ssl/cert.pem;
          else
            echo "No known SSL directory found.";
            exit 1;
          fi
        volumeMounts:
        - name: custom-root-ca
          mountPath: /etc/ssl/certs/custom-root-ca
          readOnly: true
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
        volumeMounts:
        - name: custom-root-ca
          mountPath: /etc/ssl/certs/custom-root-ca
          readOnly: true
      volumes:
      - name: custom-root-ca
        configMap:
          name: custom-root-ca

同样适用

kubectl apply -f <filename.yaml>

然后执行到你的 pod 中

kubectl exec -it [your-pod-name] -- /bin/sh

cat /etc/ssl/certs/ca-certificates.crt | grep "Issuer"