Because of a data-ingestion requirement, the company asked that RabbitMQ be deployed into the Kubernetes cluster with SSL-secured connections enabled. First, the certificates and key files were generated with CMF-AMQP-Configuration.git. Next come the YAML manifests. Note that rabbitmq.conf and the related keys must be placed beforehand under /gv0/userapp/rabbitmq/etc/rabbitmq so that the RabbitMQ image can find them.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nevt-rabbitmq
  labels:
    app: nevt-rabbitmq
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nevt-rabbitmq
  template:
    metadata:
      labels:
        app: nevt-rabbitmq
    spec:
      containers:
      - name: nevt-rabbitmq
        image: rabbitmq:management
        imagePullPolicy: IfNotPresent
        ports:
        - name: ssl
          containerPort: 5671
        - name: http
          containerPort: 15672
        env:            # no environment variables are set
        volumeMounts:
        - name: rabbitmq-logs
          mountPath: /var/log/rabbitmq
        - name: rabbitmq-conf-ssl
          mountPath: /etc/rabbitmq
      restartPolicy: Always
      volumes:
      - name: rabbitmq-logs
        glusterfs:
          endpoints: glusterfs-cluster
          path: /gv0/userapp/rabbitmq/log
          readOnly: false
      - name: rabbitmq-conf-ssl
        glusterfs:
          endpoints: glusterfs-cluster
          path: /gv0/userapp/rabbitmq/etc/rabbitmq
          readOnly: false
---
apiVersion: v1
kind: Service
metadata:
  name: nevt-rabbitmq
spec:
  selector:
    app: nevt-rabbitmq
  ports:
  - name: ssl
    port: 5671
    targetPort: 5671
    nodePort: 30205
  - name: http
    port: 15672
    targetPort: 15672
    nodePort: 30206
  type: NodePort
```
rabbitmq.conf is as follows; it is placed in the /gv0/userapp/rabbitmq/etc/rabbitmq directory on GlusterFS:
```ini
# By default the guest user may only log in from the local machine, i.e. only at
# localhost:15672. This restriction is controlled by loopback_users in
# rabbitmq.conf; to lift it for the guest user alone, loopback_users.guest = false
# is enough. (This exposes the well-known guest account beyond localhost, so
# change its password or create a dedicated user.)
loopback_users.guest = false
listeners.tcp.default = 5672
management.tcp.port = 15672
# SSL port
listeners.ssl.default = 5671
# The certificates must already be present in the mounted directory
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca/cacert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server/nevt-server.cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server/nevt-server.key.pem
# Require and verify a client certificate (mutual TLS)
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# tlsv1.1 is deprecated; keep it only while a legacy client still needs it
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.6 = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.7 = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.8 = ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.9 = ECDH-RSA-AES256-SHA384
ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.11 = DHE-DSS-AES256-SHA256
ssl_options.ciphers.12 = AES256-GCM-SHA384
ssl_options.ciphers.13 = AES256-SHA256
ssl_options.ciphers.14 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.15 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.18 = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.19 = ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.20 = ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.21 = ECDH-RSA-AES128-SHA256
ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.24 = AES128-GCM-SHA256
ssl_options.ciphers.25 = AES128-SHA256
ssl_options.ciphers.26 = ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.27 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.28 = DHE-DSS-AES256-SHA
ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA
ssl_options.ciphers.31 = AES256-SHA
ssl_options.ciphers.32 = ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.33 = ECDHE-RSA-AES128-SHA
ssl_options.ciphers.34 = DHE-DSS-AES128-SHA
ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.36 = ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.37 = ECDH-RSA-AES128-SHA
ssl_options.ciphers.38 = AES128-SHA
```
After deployment there is a pitfall: the HTTP management UI does not load, because the volume mounted at /etc/rabbitmq hides the image's enabled_plugins file and the plugin is therefore no longer enabled. Use kubectl exec to enter the container and run rabbitmq-plugins enable rabbitmq_management to enable it.
One more point to note: on the local GlusterFS volume, set the etc/ directory and every folder and file beneath it to permission 777, and the log directory to 777 as well, to avoid unnecessary permission problems at run time.
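The following shell script is an added example; it is not part of the original write-up and not RabbitMQ's own tooling. It lints a rabbitmq.conf before the file is copied to the GlusterFS directory that the Deployment mounts at /etc/rabbitmq: it checks that mutual TLS is actually enforced (ssl_options.verify = verify_peer together with fail_if_no_peer_cert = true), that every PEM file the config references exists under the mount directory, that the private key is not world-readable (the chmod 777 shortcut above makes it readable by every UID on the node, and the check flags that), and it warns about deprecated protocol versions (the tlsv1.1 entry above) and about 3DES or non-forward-secret cipher suites (several appear in the list above). The function names, the fixture directory and the empty placeholder PEM files are constructed for the example; the fixture config mirrors a subset of the rabbitmq.conf above.

```shell
#!/bin/sh
# Added example (not from the original write-up): pre-flight linter for the TLS
# section of rabbitmq.conf, run against the GlusterFS directory that the
# Deployment mounts at /etc/rabbitmq. Prints one ERROR/WARN line per finding and
# returns the number of ERROR lines. Function and fixture names are constructed.

# conf_value KEY FILE: value of "KEY = value" (whitespace around '=' tolerated)
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# check_rabbitmq_ssl_conf CONF MOUNT_DIR
#   CONF      the rabbitmq.conf to lint
#   MOUNT_DIR the host/GlusterFS directory that appears as /etc/rabbitmq in the pod
check_rabbitmq_ssl_conf() {
    conf=$1
    mount_dir=$2
    errors=0

    # 1. Mutual TLS must be enforced; without both settings a client that
    #    presents no certificate at all is still accepted on port 5671.
    [ "$(conf_value 'ssl_options.verify' "$conf")" = "verify_peer" ] \
        || { echo "ERROR: ssl_options.verify is not verify_peer"; errors=$((errors + 1)); }
    [ "$(conf_value 'ssl_options.fail_if_no_peer_cert' "$conf")" = "true" ] \
        || { echo "ERROR: ssl_options.fail_if_no_peer_cert is not true"; errors=$((errors + 1)); }

    # 2. Every PEM path under /etc/rabbitmq must exist in the mounted directory,
    #    otherwise the TLS listener fails at broker start-up.
    for key in ssl_options.cacertfile ssl_options.certfile ssl_options.keyfile; do
        path=$(conf_value "$key" "$conf")
        if [ -z "$path" ]; then
            echo "ERROR: $key is not set"; errors=$((errors + 1)); continue
        fi
        local_path="$mount_dir${path#/etc/rabbitmq}"
        [ -f "$local_path" ] \
            || { echo "ERROR: $key -> $local_path not found"; errors=$((errors + 1)); }
    done

    # 3. The private key must not be world-readable: chmod 777 on the volume
    #    lets every UID on the node (and every pod sharing the volume) read it.
    key_rel=$(conf_value ssl_options.keyfile "$conf")
    key_path="$mount_dir${key_rel#/etc/rabbitmq}"
    if [ -f "$key_path" ]; then
        perms=$(ls -l "$key_path" | cut -c1-10)
        case $perms in
            *r??) echo "WARN: $key_path is world-readable ($perms); chown it to the broker UID instead of chmod 777" ;;
        esac
    fi

    # 4. Only TLS 1.2/1.3 should be offered; tlsv1.1 and older are deprecated.
    sed -n 's/^[[:space:]]*ssl_options\.versions\.[0-9]*[[:space:]]*=[[:space:]]*//p' "$conf" |
    while read -r ver; do
        case $ver in
            tlsv1.2|tlsv1.3) ;;
            *) echo "WARN: deprecated protocol enabled: $ver" ;;
        esac
    done

    # 5. Cipher suites: flag 3DES/RC4/NULL/export suites and any suite without
    #    (EC)DHE forward secrecy (static RSA or static ECDH key exchange).
    sed -n 's/^[[:space:]]*ssl_options\.ciphers\.[0-9]*[[:space:]]*=[[:space:]]*//p' "$conf" |
    while read -r suite; do
        case $suite in
            *DES-*|*RC4*|*NULL*|*EXP-*) echo "WARN: weak cipher suite: $suite" ;;
            ECDHE-*|DHE-*) ;;
            *) echo "WARN: no forward secrecy: $suite" ;;
        esac
    done

    return $errors
}

# make_demo_fixture DIR: constructed sample mirroring a subset of the write-up's
# rabbitmq.conf (including its tlsv1.1 and 3DES entries) with empty placeholder
# PEM files; the linter checks presence and permissions, not PEM contents.
make_demo_fixture() {
    dir=$1
    mkdir -p "$dir/ssl/ca" "$dir/ssl/server"
    : > "$dir/ssl/ca/cacert.pem"
    : > "$dir/ssl/server/nevt-server.cert.pem"
    : > "$dir/ssl/server/nevt-server.key.pem"
    chmod 777 "$dir/ssl/server/nevt-server.key.pem"   # the chmod 777 shortcut from the write-up
    cat > "$dir/rabbitmq.conf" <<'EOF'
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca/cacert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server/nevt-server.cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server/nevt-server.key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
ssl_options.ciphers.1 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.3 = AES256-GCM-SHA384
EOF
}

# Stand-alone demo: sh check_rabbitmq_conf.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_demo_fixture "$demo_dir"
    check_rabbitmq_ssl_conf "$demo_dir/rabbitmq.conf" "$demo_dir"
    echo "errors: $?"
    rm -rf "$demo_dir"
fi
```

Run it with `--demo` to lint the built-in fixture, or call check_rabbitmq_ssl_conf with the real rabbitmq.conf and the GlusterFS directory (/gv0/userapp/rabbitmq/etc/rabbitmq in the layout above). ERROR lines (a missing PEM file, mutual TLS not enforced) are counted in the return value; WARN lines are advisory. For the permission problem the write-up works around with chmod 777, the narrower fix is to chown the directory to the UID the broker runs as (check it with `kubectl exec` and `id` inside the container) and keep the key at mode 640 or stricter.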