Notes on deploying an SSL-secured RabbitMQ into k8s

2021-03-22 11:41:25

Because of a new data integration, the company required RabbitMQ to be deployed into the k8s cluster with SSL-secured connections enabled. First, the certificate and key files were generated with CMF-AMQP-Configuration.git. Next come the YAML manifests. Note that rabbitmq.conf and the related keys must be placed beforehand under /gv0/userapp/rabbitmq/etc/rabbitmq so that the rabbitmq image can find them.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nevt-rabbitmq
  labels:
    app: nevt-rabbitmq
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nevt-rabbitmq
  template:
    metadata:
      labels:
        app: nevt-rabbitmq
    spec:
      containers:
      - name: nevt-rabbitmq
        image: rabbitmq:management
        imagePullPolicy: IfNotPresent
        ports:
        - name: ssl          # AMQPS listener
          containerPort: 5671
        - name: http         # management UI
          containerPort: 15672
        volumeMounts:
        - name: rabbitmq-logs
          mountPath: /var/log/rabbitmq
        - name: rabbitmq-conf-ssl
          mountPath: /etc/rabbitmq   # rabbitmq.conf plus the ssl/ directory live here
      restartPolicy: Always
      volumes:
      - name: rabbitmq-logs
        glusterfs:
          endpoints: glusterfs-cluster
          path: /gv0/userapp/rabbitmq/log
          readOnly: false
      - name: rabbitmq-conf-ssl
        glusterfs:
          endpoints: glusterfs-cluster
          path: /gv0/userapp/rabbitmq/etc/rabbitmq
          readOnly: false
---
apiVersion: v1
kind: Service
metadata:
  name: nevt-rabbitmq
spec:
  selector:
    app: nevt-rabbitmq
  ports:
    - name: ssl
      port: 5671
      targetPort: 5671
      nodePort: 30205
    - name: http
      port: 15672
      targetPort: 15672
      nodePort: 30206
  type: NodePort
```

rabbitmq.conf is as follows, placed in the /gv0/userapp/rabbitmq/etc/rabbitmq directory on glusterfs:

```ini
# By default the guest user may only log in from the local machine, i.e. only at localhost:15672.
# The restriction is lifted in rabbitmq.conf: loopback_users controls this access; to lift it
# for the guest user only, loopback_users.guest = false is enough.
loopback_users.guest = false
listeners.tcp.default = 5672
management.tcp.port = 15672
# SSL port
listeners.ssl.default=5671
# The certificates must already be in place under the mounted directory
ssl_options.cacertfile=/etc/rabbitmq/ssl/ca/cacert.pem
ssl_options.certfile=/etc/rabbitmq/ssl/server/nevt-server.cert.pem
ssl_options.keyfile=/etc/rabbitmq/ssl/server/nevt-server.key.pem
ssl_options.verify=verify_peer
ssl_options.fail_if_no_peer_cert=true
ssl_options.versions.1=tlsv1.2
ssl_options.versions.2=tlsv1.1

ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.6 = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.7 = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.8 = ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.9 = ECDH-RSA-AES256-SHA384
ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.11 = DHE-DSS-AES256-SHA256
ssl_options.ciphers.12 = AES256-GCM-SHA384
ssl_options.ciphers.13 = AES256-SHA256
ssl_options.ciphers.14 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.15 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.18 = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.19 = ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.20 = ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.21 = ECDH-RSA-AES128-SHA256
ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.24 = AES128-GCM-SHA256
ssl_options.ciphers.25 = AES128-SHA256
ssl_options.ciphers.26 = ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.27 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.28 = DHE-DSS-AES256-SHA
ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA
ssl_options.ciphers.31 = AES256-SHA
ssl_options.ciphers.32 = ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.33 = ECDHE-RSA-AES128-SHA
ssl_options.ciphers.34 = DHE-DSS-AES128-SHA
ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.36 = ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.37 = ECDH-RSA-AES128-SHA
ssl_options.ciphers.38 = AES128-SHA
```
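
As an added check that is not part of the original post, this Python script parses the rabbitmq.conf format above and flags the listener settings a hardening review would question: the tlsv1.1 entry, the DES-CBC3 cipher and the ciphers without forward secrecy, while confirming that verify_peer together with fail_if_no_peer_cert keeps client certificates mandatory. The sample config is a constructed excerpt of the file above with the cipher list shortened; the parser ignores the file's other keys.

```python
import re

# Constructed sample: the TLS lines of the rabbitmq.conf above, cipher list shortened.
SAMPLE_CONF = """\
listeners.ssl.default=5671
ssl_options.verify=verify_peer
ssl_options.fail_if_no_peer_cert=true
ssl_options.versions.1=tlsv1.2
ssl_options.versions.2=tlsv1.1
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.12 = AES256-GCM-SHA384
"""

LEGACY_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}
# Name fragments of obsolete algorithms (3DES, RC4, export grade, no encryption).
WEAK_CIPHER = re.compile(r"(^|-)(DES|3DES|RC4|EXP|NULL)(-|$)")

def parse_conf(text):
    """Parse rabbitmq.conf 'key = value' lines into a dict, dropping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf

def audit_tls(conf):
    """Return the findings a hardening review of the SSL listener would raise."""
    findings = []
    for key, version in conf.items():
        if key.startswith("ssl_options.versions.") and version.lower() in LEGACY_VERSIONS:
            findings.append(f"legacy protocol enabled: {version}")
    for key, cipher in conf.items():
        if not key.startswith("ssl_options.ciphers."):
            continue
        if WEAK_CIPHER.search(cipher):
            findings.append(f"weak cipher: {cipher}")
        elif not cipher.startswith(("ECDHE-", "DHE-")):
            # Static RSA/ECDH key exchange: a leaked server key decrypts recorded traffic.
            findings.append(f"no forward secrecy: {cipher}")
    # Mutual TLS only holds when both settings are present, as in the page's config.
    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("client certificates are not verified")
    if conf.get("ssl_options.fail_if_no_peer_cert") != "true":
        findings.append("clients without a certificate are still accepted")
    return findings
```

Run against the full file from the page it also reports every ECDH-* and plain AES* entry as lacking forward secrecy, which is the list a reviewer would ask to trim.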

After deployment there is one pitfall: the HTTP management UI does not come up. Use kubectl exec to enter the container and run rabbitmq-plugins enable rabbitmq_management to turn it on. One more point worth noting: set the etc/ directory under the local glusterfs volume, together with every folder and file beneath it, to 777 permissions, and do the same for the log directory, to avoid unnecessary execution-permission problems.
