zh-trans:/docs/tasks/tls/managing-tls-in-a-cluster.md #15350
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
language/zh
| protocol that is similar to the | ||
| [ACME draft](https://github.com/ietf-wg-acme/acme/). | ||
| --> | ||
| 每个 Kubernetes 集群都有一个集群根证书颁发机构(CA)。集群中的组件通常使用 CA 来验证 API server 的证书,由API服务器验证 kubelet 客户端证书等。为了支持这一点,CA 证书包被分发到集群中的每个节点,并作为一个 secret 附加分发到默认 service account 上。 或者,您的工作负载可以使用此 CA 建立信任。您的应用程序可以使用类似于 [ACME 草案](https://github.com/ietf-wg-acme/acme/)的协议,使用 `certificates.k8s.io` API 请求证书签名。 |
There was a problem hiding this comment.
Suggested change
| 每个 Kubernetes 集群都有一个集群根证书颁发机构(CA)。集群中的组件通常使用 CA 来验证 API server 的证书,由API服务器验证 kubelet 客户端证书等。为了支持这一点,CA 证书包被分发到集群中的每个节点,并作为一个 secret 附加分发到默认 service account 上。 或者,您的工作负载可以使用此 CA 建立信任。您的应用程序可以使用类似于 [ACME 草案](https://github.com/ietf-wg-acme/acme/)的协议,使用 `certificates.k8s.io` API 请求证书签名。 | |
| 每个 Kubernetes 集群都有一个集群根证书颁发机构(CA)。集群中的组件通常使用 CA 来验证 API server 的证书,由 API 服务器验证 kubelet 客户端证书等。为了支持这一点,CA 证书包被分发到集群中的每个节点,并作为一个 secret 附加分发到默认 service account 上。 或者,您的工作负载可以使用此 CA 建立信任。您的应用程序可以使用类似于 [ACME 草案](https://github.com/ietf-wg-acme/acme/)的协议,使用 `certificates.k8s.io` API 请求证书签名。 |
| 以下部分演示如何为通过 DNS 访问的 Kubernetes 服务创建 TLS 证书。 | ||
|
|
||
| {{< note >}} | ||
| 本教程使用 CFSSL:Cloudflare's PKI 和 TLS 工具包[点击此处](https://blog.cloudflare.com/introducing-cfssl/) 了解更多信息。 |
There was a problem hiding this comment.
Suggested change
| 本教程使用 CFSSL:Cloudflare's PKI 和 TLS 工具包[点击此处](https://blog.cloudflare.com/introducing-cfssl/) 了解更多信息。 | |
| 本教程使用 CFSSL:Cloudflare's PKI 和 TLS 工具包[点击此处](https://blog.cloudflare.com/introducing-cfssl/)了解更多信息。 |
| --> | ||
| ## 下载并安装 CFSSL | ||
|
|
||
| 本例中使用的 cfssl 工具可以在[https://pkg.cfssl.org/](https://pkg.cfssl.org/) 下载。 |
There was a problem hiding this comment.
Suggested change
| 本例中使用的 cfssl 工具可以在[https://pkg.cfssl.org/](https://pkg.cfssl.org/) 下载。 | |
| 本例中使用的 cfssl 工具可以在 [https://pkg.cfssl.org/](https://pkg.cfssl.org/) 下载。 |
| Events: <none> | ||
| ``` | ||
| --> | ||
| ## 创建证书签名请求对象以发送到 Kubernetes API |
There was a problem hiding this comment.
Suggested change
| ## 创建证书签名请求对象以发送到 Kubernetes API | |
| ## 创建证书签名请求对象发送到 Kubernetes API |
| EOF | ||
| ``` | ||
|
|
||
| 请注意,在步骤1中创建的 `server.csr` 文件是 base64 编码并存储在 `.spec.request` 字段中的,我们还要求提供 “数字签名”,“密钥加密” 和 “服务器身份验证” 密钥用途的证书。我们 [这里](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage)支持列出的所有关键用途和扩展的关键用途,以便您可以使用相同的 API 请求客户端证书和其他证书。 |
There was a problem hiding this comment.
Suggested change
| 请注意,在步骤1中创建的 `server.csr` 文件是 base64 编码并存储在 `.spec.request` 字段中的,我们还要求提供 “数字签名”,“密钥加密” 和 “服务器身份验证” 密钥用途的证书。我们 [这里](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage)支持列出的所有关键用途和扩展的关键用途,以便您可以使用相同的 API 请求客户端证书和其他证书。 | |
| 请注意,在步骤1中创建的 `server.csr` 文件是 base64 编码并存储在 `.spec.request` 字段中的,我们还要求提供 “数字签名”,“密钥加密” 和 “服务器身份验证” 密钥用途的证书。我们[这里](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage)支持列出的所有关键用途和扩展的关键用途,以便您可以使用相同的 API 请求客户端证书和其他证书。 |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: xichengliudui The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@xichengliudui Thank you very much for your review and have been revised. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
6 tasks
SataQiu
pushed a commit
to SataQiu/website
that referenced
this pull request
Oct 9, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.