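Certificate Management
Last updated: 2022-09-05
1. Certificate types
BIE has two main types of certificates:
- Node certificate:
  - Mainly used for security authentication of the cloud-edge channel. When an edge node is created in the cloud, a unique node certificate is issued for that edge node. When the node installation command is run on the edge node, the node's certificate is automatically downloaded from the cloud and used to establish the mutually authenticated cloud-edge channel.
  - The cloud CA is unified: the certificates of different edge nodes all use the same cloud CA.
- Application certificate:
  - Mainly used for access authentication between edge applications. When the node installation command is run on the edge node, an application CA certificate is dynamically self-signed on that edge node. This CA issues an application certificate to every BIE application (the applications in the baetyl-edge-system and baetyl-edge namespaces), which enables password-free access between services.
  - The node application CA is self-signed, and every node's application CA is different.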
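2. Certificate paths
2.1 Node certificate
- The node certificate handles cloud-edge communication, so it exists only in the two system applications baetyl-init and baetyl-core.
- Looking at the baetyl-core pod, we can see that node-cert is mounted at the directory /var/lib/baetyl/node inside the baetyl-core container, and that node-cert corresponds to the Secret resource crt-pd-vm-1-djcyzzzqh.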
$ kubectl describe pod baetyl-core-feliu75bb-64546d5945-rghzj -n baetyl-edge-system
......
Containers:
Mounts:
/etc/baetyl from core-conf (ro)
/var/lib/baetyl/bin from baetyl-program-config-baetyl-core (ro)
/var/lib/baetyl/host from host-root-path (rw)
/var/lib/baetyl/node from node-cert (rw)
/var/lib/baetyl/object from object-download-path (rw)
/var/lib/baetyl/run from native-app-run-path (rw)
/var/lib/baetyl/store from core-store-path (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-lw5x2 (ro)
......
Volumes:
node-cert:
Type: Secret (a volume populated by a Secret)
SecretName: crt-pd-vm-1-djcyzzzqh
Optional: false
- Looking at the Secret crt-pd-vm-1-djcyzzzqh, we can see the base64-encoded ca.pem, client.key and client.pem.
$ kubectl get secret crt-pd-vm-1-djcyzzzqh -n baetyl-edge-system -oyaml
apiVersion: v1
data:
ca.pem: ......
client.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUpjblhKMnNRcWRlZVdqdTZlc3VPejBOYU1SREJTMTJYUGlLSE9wVkF6YjBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVm9xQWcyaHlaUlZRQmx6V1ZTSkdreHZsUGYySVBkY1hGNldxZHRMY3R4MmlFR1ZHQXIwcwo3WlpRV2JsOUdHeXJyYXM2OWFKcDU4QWdvamFsNHZrd3lRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
client.pem: ......
kind: Secret
metadata:
creationTimestamp: "2022-06-14T07:06:21Z"
labels:
baetyl-app-name: baetyl-core-feliu75bb
baetyl-cloud-system: "true"
baetyl-node-name: pd-vm-1
resource-invisible: "true"
secret-type: config
name: crt-pd-vm-1-djcyzzzqh
namespace: baetyl-edge-system
resourceVersion: "29328"
uid: 5e457048-a057-471c-9f09-7d471cf4bd11
type: Opaque
- Visit https://base64.us/ and base64-decode the Secret contents to obtain the plaintext ca.pem, client.key and client.pem.
- Enter the baetyl-core pod directly, go to the /var/lib/baetyl/node path and view the ca.pem certificate; it is the same as the ca.pem obtained above.
$ kubectl exec -it baetyl-core-feliu75bb-64546d5945-rghzj -n baetyl-edge-system /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # cd /var/lib/baetyl/node/
/var/lib/baetyl/node # ls
ca.pem client.key client.pem
/var/lib/baetyl/node # cat ca.pem
......
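2.2 Application certificate
- Application certificates exist in all BIE edge applications, that is, the system applications in the baetyl-edge-system namespace and the user applications in the baetyl-edge namespace.
- The following uses baetyl-broker as an example to explain the application certificate path.
- Looking at the baetyl-broker pod, we can see that the Secret resource baetyl-cert-secret-89fdc95764e99d25fa6050e6cc7c57cd is mounted at the relative directory var/lib/baetyl/system/certs inside the baetyl-broker container. Because the working directory is /, the corresponding absolute path is /var/lib/baetyl/system/certs. Business applications can use the absolute path /var/lib/baetyl/system/certs directly to load the certificates.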
$ kubectl describe pod baetyl-broker-paefptjz9-6d654fd786-cddjd -n baetyl-edge-system
......
Containers:
Mounts:
/etc/baetyl from broker-conf (ro)
/var/lib/baetyl/bin from baetyl-program-config-baetyl-broker (ro)
/var/lib/baetyl/run from native-app-run-path (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-jwpbw (ro)
var/lib/baetyl/system/certs from baetyl-cert-volume-89fdc95764e99d25fa6050e6cc7c57cd (ro)
......
Volumes:
baetyl-cert-volume-89fdc95764e99d25fa6050e6cc7c57cd:
Type: Secret (a volume populated by a Secret)
SecretName: baetyl-cert-secret-89fdc95764e99d25fa6050e6cc7c57cd
Optional: false
- Looking at the Secret baetyl-cert-secret-89fdc95764e99d25fa6050e6cc7c57cd, we can see the base64-encoded ca.pem, crt.pem and key.pem.
$ kubectl get secret baetyl-cert-secret-89fdc95764e99d25fa6050e6cc7c57cd -n baetyl-edge-system -oyaml
apiVersion: v1
data:
ca.pem: ......
crt.pem: ......
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUtXc3FGL0VNYnFpbVFFODFIWlNMMHIwczFodmZMQ1VBeVBEeHZXN2t0bVRvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcVBXbVFWNVowTlcvZmRISldVSThiM0djdjYyUUFnaXR5Tk5aOU5SN21UdCsvaERuMmJtSQpDRWFRellpamZOdE5nTDVwUTlTNE1mVnVvUWE2YzRTREF3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
creationTimestamp: "2022-06-14T07:07:05Z"
labels:
baetyl-app-name: baetyl-broker-paefptjz9
security-type: certificate
name: baetyl-cert-secret-89fdc95764e99d25fa6050e6cc7c57cd
namespace: baetyl-edge-system
resourceVersion: "29361"
uid: 5364af96-e40b-44e8-8628-e855d7f49ece
type: Opaque
- Visit https://base64.us/ and base64-decode the Secret contents to obtain the plaintext ca.pem, crt.pem and key.pem.
- Enter the baetyl-broker pod directly, go to the var/lib/baetyl/system/certs path and view the ca.pem certificate; it is the same as the ca.pem obtained above.
$ kubectl exec -it baetyl-broker-paefptjz9-6d654fd786-cddjd -n baetyl-edge-system /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # cd /var/lib/baetyl/system/certs/
/var/lib/baetyl/system/certs # ls
ca.pem crt.pem key.pem
/var/lib/baetyl/system/certs # cat ca.pem
......
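The base64-decoding step in sections 2.1 and 2.2 can also be done on the local machine, which keeps private keys such as client.key and key.pem off third-party sites. The following is an added example, not part of the BIE documentation; the function names and the sample Secret are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the BIE docs): decode Secret fields on the local machine.
# With cluster access, a single field can be read directly:
#   kubectl get secret <secret> -n baetyl-edge-system -o jsonpath='{.data.ca\.pem}' | base64 -d

# secret_field KEY: read `kubectl get secret ... -oyaml` output on stdin and
# print the base64-decoded value of KEY from its data: map.
secret_field() {
  awk -v key="$1" '
    /^data:/           { in_data = 1; next }
    in_data && /^[^ ]/ { in_data = 0 }            # next top-level key ends the map
    in_data {
      line = $0; sub(/^[ \t]+/, "", line)
      if (index(line, key ":") == 1) { sub(/^[^:]*:[ \t]*/, "", line); print line; exit }
    }' | base64 -d
}

# pem_labels: list the PEM block types on stdin without printing their contents.
pem_labels() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'; }

# dump_fields DIR YAML KEY...: write each field to DIR/KEY, owner-only (umask 077),
# so that a private key such as client.key is never world-readable.
dump_fields() {
  out_dir=$1; yaml_file=$2; shift 2
  ( umask 077
    mkdir -p "$out_dir"
    for k in "$@"; do secret_field "$k" < "$yaml_file" > "$out_dir/$k"; done )
}

# Constructed sample standing in for real kubectl output; the PEM bodies are dummy text.
sample_secret() {
  body='Q09OU1RSVUNURUQ='
  cert=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----')
  ca_b64=$(printf '%s\n%s\n' "$cert" "$cert" | base64 | tr -d '\n')
  key_b64=$(printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' "$body" '-----END EC PRIVATE KEY-----' | base64 | tr -d '\n')
  printf 'apiVersion: v1\ndata:\n  ca.pem: %s\n  client.key: %s\nkind: Secret\ntype: Opaque\n' "$ca_b64" "$key_b64"
}

# Demo: ca.pem holds a two-certificate bundle, client.key a private key.
sample_secret | secret_field ca.pem | pem_labels
sample_secret | secret_field client.key | pem_labels
```

The same functions apply to the application Secret by passing crt.pem and key.pem as the field names.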