Knative Eventing 的传输加密¶
标志名称: transport-encryption
阶段: Beta,默认禁用
跟踪问题: #5957
概述¶
默认情况下,集群内的事件交付是未加密的。这限制了可以传输的事件类型,仅限于那些符合性价值较低(或符合性姿势较宽松)的事件,或者,这会迫使管理员使用服务网格或加密 CNI 来加密流量,这给 Knative Eventing 采用者带来了许多挑战。
Knative Brokers 和 Channels 提供 HTTPS 端点来接收事件。鉴于这些端点通常没有公共 DNS 名称(例如 svc.cluster.local 或类似名称),它们需要由非公共 CA(集群或组织特定 CA)签名。
事件生产者能够连接到具有集群内部 CA 证书的 HTTPS 端点。
先决条件¶
- 为了启用传输加密功能,您需要按照 cert-manager 运算符安装说明安装 cert-manager 运算符。
- Eventing 安装
安装¶
设置 SelfSigned ClusterIssuer¶
注意
ClusterIssuers 是 Kubernetes 资源,代表能够通过遵守证书签名请求来生成签名证书的证书颁发机构 (CA)。所有 cert-manager 证书都需要一个引用的发行者,该发行者处于就绪状态才能尝试满足该请求。参考:cert-manager.io/docs/concepts/issuer/
重要
为了简化本指南,我们将使用 SelfSigned 发行者作为根证书,但请注意,此方法在 cert-manager.io/docs/configuration/selfsigned/ 中记录的含义和限制。如果您正在运行您公司特定的私钥基础设施 (PKI),我们推荐 CA 发行者。有关更多详细信息,请参阅 cert-manager 文档:cert-manager.io/docs/configuration/ca/,但是,您可以使用任何其他适用于集群本地服务的发行者。
- 创建
SelfSignedClusterIssuerapiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: knative-eventing-selfsigned-issuer spec: selfSigned: {} - 应用
ClusterIssuer资源$ kubectl apply -f <filename> - 使用之前创建的
SelfSignedClusterIssuer创建根证书apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: knative-eventing-selfsigned-ca namespace: cert-manager # the cert-manager operator namespace spec: # Secret name later used for the ClusterIssuer for Eventing secretName: knative-eventing-ca isCA: true commonName: selfsigned-ca privateKey: algorithm: ECDSA size: 256 issuerRef: name: knative-eventing-selfsigned-issuer kind: ClusterIssuer group: cert-manager.io - 应用
Certificate资源$ kubectl apply -f <filename>
为 Eventing 设置 ClusterIssuer¶
-
为 Eventing 创建
knative-eventing-ca-issuerClusterIssuer!!! important# This is the issuer that every Eventing component use to issue their server's certs. apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: knative-eventing-ca-issuer spec: ca: # Secret name in the Cert-Manager Operator namespace (cert-manager by default) containing # the certificate that can then be used by Knative Eventing components for new certificates. secretName: knative-eventing-caClusterIssuer的名称必须为knative-eventing-ca-issuer。 -
应用
ClusterIssuer资源$ kubectl apply -f <filename>
为 Eventing 组件安装证书¶
Eventing 组件使用 cert-manager 发行者和证书来配置 TLS 证书,在发布资产中,我们发布了 Eventing 服务器的证书,这些证书可以根据需要进行自定义。
- 安装证书,运行以下命令
kubectl apply -f https://github.com/knative/eventing/releases/download/knative-v1.16.0/eventing-tls-networking.yaml - [可选] 如果您使用的是 Eventing Kafka 组件,请通过运行以下命令为 Kafka 组件安装证书
kubectl apply -f https://github.com/knative-extensions/eventing-kafka-broker/releases/download/knative-v1.16.0/eventing-kafka-tls-networking.yaml - 验证发行者和证书是否已就绪示例输出
kubectl get certificates.cert-manager.io -n knative-eventingNAME READY SECRET AGE imc-dispatcher-server-tls True imc-dispatcher-server-tls 14s mt-broker-filter-server-tls True mt-broker-filter-server-tls 14s mt-broker-ingress-server-tls True mt-broker-ingress-server-tls 14s selfsigned-ca True eventing-ca 14s ...
传输加密配置¶
transport-encryption 功能标志是一个枚举配置,用于配置 Addressables(Broker、Channel、Sink)应如何接受事件。
transport-encryption 的可能值是
disabled(这等同于当前行为)- Addressables 可以接受到 HTTPS 端点的事件
- 生产者可以将事件发送到 HTTPS 端点
permissive- Addressables 应该在 HTTP 和 HTTPS 端点上都接受事件
- Addressables 应该同时宣传 HTTP 和 HTTPS 端点
- 生产者应该优先将事件发送到 HTTPS 端点(如果可用)
strict- Addressables 不得接受到非 HTTPS 端点的事件
- Addressables 必须仅宣传 HTTPS 端点
重要
strict 仅在 Broker 和 Channel 接收器/入口处强制执行。当 Broker 或 Channel 将事件发送到订阅者时,如果该订阅者只有 HTTP 地址,则 Broker 或 Channel 仍然可以通过 HTTP 而不是 HTTPS 发送事件
例如,要启用 strict 传输加密,config-features ConfigMap 将如下所示
apiVersion: v1
kind: ConfigMap
metadata:
name: config-features
namespace: knative-eventing
data:
transport-encryption: "strict"
配置额外的 CA 信任捆绑¶
默认情况下,Eventing 客户端信任系统根 CA(公共 CA)。
如果您需要为 Eventing 添加额外的 CA 捆绑,您可以通过在 knative-eventing 命名空间中创建具有标签 networking.knative.dev/trust-bundle: true 的 ConfigMap 来实现。
重要
每当 CA 捆绑 ConfigMaps 更新时,Eventing 客户端将在建立新连接时自动将其添加到其受信任的 CA 捆绑中。
- 为 Eventing 创建 CA 捆绑
kind: ConfigMap metadata: name: my-org-eventing-bundle namespace: knative-eventing labels: networking.knative.dev/trust-bundle: "true" # All data keys containing valid PEM-encoded CA bundles will be trusted by Eventing clients. data: ca.crt: ... ca1.crt: ... tls.crt: ...
重要
使用不太可能与现有或将来的 Eventing 提供的 ConfigMap 名称冲突的名称。
为了分发 CA 信任捆绑,您可以利用 trust-manager,但这不是必需的。
信任特定事件发送者的 CA¶
事件源、触发器或订阅被认为是事件发送者,它们可以被配置为信任特定的 CA 证书。
重要
CA 证书必须是 PEM 格式的证书。由于它是一个多行 YAML 字符串,请确保 CACerts 值的缩进正确,否则在创建资源时将被拒绝。
触发器和订阅可以按如下方式配置
spec:
# ...
subscriber:
uri: https://mycorp-internal-example.com/v1/api
CACerts: |-
-----BEGIN CERTIFICATE-----
MIIFWjCCA0KgAwIBAgIQT9Irj/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBH
MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBF
eHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwHhcNMTUwMzEzMDAwMDAwWhcNMzgxMjMx
MDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNV
BAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrsiWog
D4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvS
sPGP2KxFRv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aop
O2z6+I9tTcg1367r3CTueUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dk
sHYf5BA1FxvyDrFspCqjc/wJHx4yGVMR59mzLC52LqGj3n5qiAno8geK+LLNEOfi
c0CTuwjRP+H8C5SzJe98ptfRr5//lpr1kXuYC3fUfugH0mK1lTnj8/FtDw5lhIpj
VMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhTA8ykADNkUVkLo4KRel7sFsLz
KuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fVUbGAIAEBtHoIppB/
TuDvB0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfblLkWU41G
sx2VYVdWf6/wFlthWG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs
1+lvK9JKBZP8nm9rZ/+I8U6laUpSNwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQD
fwIDAQABo0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS3H5aBZ8eNJr34RQwDwYDVR0T
AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBADaN
l8xCFWQpN5smLNb7rhVpLGsaGvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAUR
ap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZLcpHIojG5qtr8nR/zXUACE/xOHAbKsxSQ
VBcZEhrxH9cMaVr2cXj0lH2RC47skFSOvG+hTKv8dGT9cZr4QQehzZHkPJrgmzI5
c6sq1WnIeJEmMX3ixzDx/BR4dxIOE/TdFpS/S2d7cFOFyrC78zhNLJA5wA3CXWvp
4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb+7lsq+KePRXBOy5nAliRn+/4Qh8s
t2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOWF3sGPjLtx7dCvHaj
2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwiGpWO
vpaQXUJXxPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2C
xR9GUeOcGMyNm43sSet1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmx
cmtpzyKEC2IPrNkZAJSidjzULZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbM
fjKaiJUINlK73nZfdklJrX+9ZSCyycErdhh2n1ax
-----END CERTIFICATE-----
类似地,源可以按如下方式配置
spec:
# ...
sink:
uri: https://mycorp-internal-example.com/v1/api
CACerts: |-
-----BEGIN CERTIFICATE-----
MIIFWjCCA0KgAwIBAgIQT9Irj/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBH
MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBF
eHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwHhcNMTUwMzEzMDAwMDAwWhcNMzgxMjMx
MDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNV
BAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrsiWog
D4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvS
sPGP2KxFRv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aop
O2z6+I9tTcg1367r3CTueUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dk
sHYf5BA1FxvyDrFspCqjc/wJHx4yGVMR59mzLC52LqGj3n5qiAno8geK+LLNEOfi
c0CTuwjRP+H8C5SzJe98ptfRr5//lpr1kXuYC3fUfugH0mK1lTnj8/FtDw5lhIpj
VMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhTA8ykADNkUVkLo4KRel7sFsLz
KuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fVUbGAIAEBtHoIppB/
TuDvB0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfblLkWU41G
sx2VYVdWf6/wFlthWG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs
1+lvK9JKBZP8nm9rZ/+I8U6laUpSNwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQD
fwIDAQABo0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS3H5aBZ8eNJr34RQwDwYDVR0T
AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBADaN
l8xCFWQpN5smLNb7rhVpLGsaGvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAUR
ap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZLcpHIojG5qtr8nR/zXUACE/xOHAbKsxSQ
VBcZEhrxH9cMaVr2cXj0lH2RC47skFSOvG+hTKv8dGT9cZr4QQehzZHkPJrgmzI5
c6sq1WnIeJEmMX3ixzDx/BR4dxIOE/TdFpS/S2d7cFOFyrC78zhNLJA5wA3CXWvp
4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb+7lsq+KePRXBOy5nAliRn+/4Qh8s
t2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOWF3sGPjLtx7dCvHaj
2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwiGpWO
vpaQXUJXxPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2C
xR9GUeOcGMyNm43sSet1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmx
cmtpzyKEC2IPrNkZAJSidjzULZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbM
fjKaiJUINlK73nZfdklJrX+9ZSCyycErdhh2n1ax
-----END CERTIFICATE-----
配置自定义事件源以信任 Eventing CA¶
创建自定义事件源的推荐方法是使用 SinkBinding,SinkBinding 将使用目录 /knative-custom-certs 将配置的 CA 信任捆绑作为投影卷注入到每个容器中。
注意
一些组织可能会将公司特定的 CA 信任捆绑注入到基本容器映像中,并自动配置运行时(openjdk、node 等)以信任该 CA 捆绑。在这种情况下,您可能不需要配置客户端。
使用之前示例中的 my-org-eventing-bundle ConfigMap,其中数据键为 ca.crt、ca1.crt 和 tls.crt,您将拥有一个 /knative-custom-certs 目录,该目录将具有以下布局
/knative-custom-certs/ca.crt
/knative-custom-certs/ca1.crt
/knative-custom-certs/tls.crt
然后,可以使用这些文件将 CA 信任捆绑添加到将事件发送到 Eventing 的 HTTP 客户端。
注意
根据您使用的运行时、编程语言或库,使用命令行标志、环境变量或通过读取这些文件的内容,有不同的方法来配置自定义 CA 证书文件。有关更多详细信息,请参阅其文档。
将 SelfSigned ClusterIssuer 添加到 CA 信任捆绑¶
如果您使用的是 设置 SelfSigned ClusterIssuer 部分中描述的 SelfSigned ClusterIssuer,则可以通过运行以下命令将 CA 添加到 Eventing CA 信任捆绑中
- 从 OpenShift Cert-Manager 运算符命名空间(默认情况下为 cert-manager)中的 knative-eventing-ca 密钥中导出 CA
$ kubectl get secret -n cert-manager knative-eventing-ca -o=jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt - 在
knative-eventing命名空间中创建一个 CA 信任捆绑$ kubectl create configmap -n knative-eventing my-org-selfsigned-ca-bundle --from-file=ca.crt - 使用 networking.knative.dev/trust-bundle: "true" 标签标记 ConfigMap
$ kubectl label configmap -n knative-eventing my-org-selfsigned-ca-bundle networking.knative.dev/trust-bundle=true
验证功能是否正常¶
将以下 YAML 保存到名为 default-broker-example.yaml 的文件中
# default-broker-example.yaml
apiVersion: eventing.knative.dev/v1
kind: Broker
metadata:
name: br
---
apiVersion: eventing.knative.dev/v1
kind: Trigger
metadata:
name: tr
spec:
broker: br
subscriber:
ref:
apiVersion: v1
kind: Service
name: event-display
---
apiVersion: v1
kind: Service
metadata:
name: event-display
spec:
selector:
app: event-display
ports:
- protocol: TCP
port: 80
targetPort: 8080
---
apiVersion: v1
kind: Pod
metadata:
name: event-display
labels:
app: event-display
spec:
containers:
- name: event-display
image: gcr.io/knative-releases/knative.dev/eventing/cmd/event_display
imagePullPolicy: Always
ports:
- containerPort: 8080
将 default-broker-example.yaml 文件应用到测试命名空间 transport-encryption-test 中
kubectl create namespace transport-encryption-test
kubectl apply -n transport-encryption-test -f defautl-broker-example.yaml
验证所有地址是否均为 HTTPS
kubectl get brokers.eventing.knative.dev -n transport-encryption-test br -oyaml
示例输出
apiVersion: eventing.knative.dev/v1
kind: Broker
metadata:
# ...
name: br
namespace: transport-encryption-test
# ...
status:
address:
CACerts: |
-----BEGIN CERTIFICATE-----
MIIBbzCCARagAwIBAgIQAur7vdEcreEWSEQatCYlNjAKBggqhkjOPQQDAjAYMRYw
FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwMzA4MzA1N1oXDTIzMTEwMTA4
MzA1N1owGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
SM49AwEHA0IABBqkD9lAwrnXCo/OOdpKzJROSbzCeC73FE/Np+/j8n862Ox5xYwJ
tAp/o3RDpDa3omhzqZoYumqdtneozGFY/zGjQjBAMA4GA1UdDwEB/wQEAwICpDAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSHoKjXzfxfudt3mVGU3VudSi6TrTAK
BggqhkjOPQQDAgNHADBEAiA5z0/TpD7T6vRpN9VQisQMtum/Zg3tThnYA5nFnAW7
KAIgKR/EzW7f8BPcnlcgXt5kp3Fdqye1SAkjxZzr2a0Zik8=
-----END CERTIFICATE-----
name: https
url: https://broker-ingress.knative-eventing.svc.cluster.local/transport-encryption-test/br
addresses:
- CACerts: |
-----BEGIN CERTIFICATE-----
MIIBbzCCARagAwIBAgIQAur7vdEcreEWSEQatCYlNjAKBggqhkjOPQQDAjAYMRYw
FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwMzA4MzA1N1oXDTIzMTEwMTA4
MzA1N1owGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
SM49AwEHA0IABBqkD9lAwrnXCo/OOdpKzJROSbzCeC73FE/Np+/j8n862Ox5xYwJ
tAp/o3RDpDa3omhzqZoYumqdtneozGFY/zGjQjBAMA4GA1UdDwEB/wQEAwICpDAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSHoKjXzfxfudt3mVGU3VudSi6TrTAK
BggqhkjOPQQDAgNHADBEAiA5z0/TpD7T6vRpN9VQisQMtum/Zg3tThnYA5nFnAW7
KAIgKR/EzW7f8BPcnlcgXt5kp3Fdqye1SAkjxZzr2a0Zik8=
-----END CERTIFICATE-----
name: https
url: https://broker-ingress.knative-eventing.svc.cluster.local/transport-encryption-test/br
annotations:
knative.dev/channelAPIVersion: messaging.knative.dev/v1
knative.dev/channelAddress: https://imc-dispatcher.knative-eventing.svc.cluster.local/transport-encryption-test/br-kne-trigger
knative.dev/channelCACerts: |
-----BEGIN CERTIFICATE-----
MIIBbzCCARagAwIBAgIQAur7vdEcreEWSEQatCYlNjAKBggqhkjOPQQDAjAYMRYw
FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwMzA4MzA1N1oXDTIzMTEwMTA4
MzA1N1owGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
SM49AwEHA0IABBqkD9lAwrnXCo/OOdpKzJROSbzCeC73FE/Np+/j8n862Ox5xYwJ
tAp/o3RDpDa3omhzqZoYumqdtneozGFY/zGjQjBAMA4GA1UdDwEB/wQEAwICpDAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSHoKjXzfxfudt3mVGU3VudSi6TrTAK
BggqhkjOPQQDAgNHADBEAiA5z0/TpD7T6vRpN9VQisQMtum/Zg3tThnYA5nFnAW7
KAIgKR/EzW7f8BPcnlcgXt5kp3Fdqye1SAkjxZzr2a0Zik8=
-----END CERTIFICATE-----
knative.dev/channelKind: InMemoryChannel
knative.dev/channelName: br-kne-trigger
conditions:
# ...
使用 HTTPS 端点将事件发送到 Broker
kubectl run curl -n transport-encryption-test --image=curlimages/curl -i --tty -- sh
将 Broker 的 .status.address.CACerts 字段中的 CA 证书保存到 /tmp/cacerts.pem 中
cat <<EOF >> /tmp/cacerts.pem
-----BEGIN CERTIFICATE-----
MIIBbzCCARagAwIBAgIQAur7vdEcreEWSEQatCYlNjAKBggqhkjOPQQDAjAYMRYw
FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwMzA4MzA1N1oXDTIzMTEwMTA4
MzA1N1owGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
SM49AwEHA0IABBqkD9lAwrnXCo/OOdpKzJROSbzCeC73FE/Np+/j8n862Ox5xYwJ
tAp/o3RDpDa3omhzqZoYumqdtneozGFY/zGjQjBAMA4GA1UdDwEB/wQEAwICpDAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSHoKjXzfxfudt3mVGU3VudSi6TrTAK
BggqhkjOPQQDAgNHADBEAiA5z0/TpD7T6vRpN9VQisQMtum/Zg3tThnYA5nFnAW7
KAIgKR/EzW7f8BPcnlcgXt5kp3Fdqye1SAkjxZzr2a0Zik8=
-----END CERTIFICATE-----
EOF
通过运行以下命令发送事件
curl -v -X POST -H "content-type: application/json" -H "ce-specversion: 1.0" -H "ce-source: my/curl/command" -H "ce-type: my.demo.event" -H "ce-id: 6cf17c7b-30b1-45a6-80b0-4cf58c92b947" -d '{"name":"Knative Demo"}' --cacert /tmp/cacert
s.pem https://broker-ingress.knative-eventing.svc.cluster.local/transport-encryption-test/br
示例输出
* processing: https://broker-ingress.knative-eventing.svc.cluster.local/transport-encryption-test/br
* Trying 10.96.174.249:443...
* Connected to broker-ingress.knative-eventing.svc.cluster.local (10.96.174.249) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /tmp/cacerts.pem
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: O=local
* start date: Aug 3 08:31:02 2023 GMT
* expire date: Nov 1 08:31:02 2023 GMT
* subjectAltName: host "broker-ingress.knative-eventing.svc.cluster.local" matched cert's "broker-ingress.knative-eventing.svc.cluster.local"
* issuer: CN=selfsigned-ca
* SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* h2 [:method: POST]
* h2 [:scheme: https]
* h2 [:authority: broker-ingress.knative-eventing.svc.cluster.local]
* h2 [:path: /transport-encryption-test/br]
* h2 [user-agent: curl/8.2.1]
* h2 [accept: */*]
* h2 [content-type: application/json]
* h2 [ce-specversion: 1.0]
* h2 [ce-source: my/curl/command]
* h2 [ce-type: my.demo.event]
* h2 [ce-id: 6cf17c7b-30b1-45a6-80b0-4cf58c92b947]
* h2 [content-length: 23]
* Using Stream ID: 1
> POST /transport-encryption-test/br HTTP/2
> Host: broker-ingress.knative-eventing.svc.cluster.local
> User-Agent: curl/8.2.1
> Accept: */*
> content-type: application/json
> ce-specversion: 1.0
> ce-source: my/curl/command
> ce-type: my.demo.event
> ce-id: 6cf17c7b-30b1-45a6-80b0-4cf58c92b947
> Content-Length: 23
>
< HTTP/2 202
< allow: POST, OPTIONS
< content-length: 0
< date: Thu, 03 Aug 2023 10:08:22 GMT
<
* Connection #0 to host broker-ingress.knative-eventing.svc.cluster.local left intact