Notes on configuring an SSL-secured RabbitMQ under k8s

2021-03-16 13:58:46  Views: 307  Source: Internet

Because of a data-ingestion requirement, the company asked for RabbitMQ to be deployed into the k8s cluster with SSL-secured connections enabled.
First, the certificates and key files were generated with CMF-AMQP-Configuration.git.
Next, write the YAML. Note that rabbitmq.conf and the related key files must be placed beforehand under /gv0/userapp/rabbitmq/etc/rabbitmq so that the rabbitmq image can find them.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nevt-rabbitmq
  labels:
    app: nevt-rabbitmq
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nevt-rabbitmq
  template:
    metadata:
      labels:
        app: nevt-rabbitmq
    spec:
      containers:
      - name: nevt-rabbitmq
        image: rabbitmq:management
        imagePullPolicy: IfNotPresent
        ports:
        - name: ssl
          containerPort: 5671    # AMQP over TLS (listeners.ssl.default in rabbitmq.conf)
        - name: http
          containerPort: 15672   # management UI, plain HTTP
        volumeMounts:
        - name: rabbitmq-logs
          mountPath: /var/log/rabbitmq
        # The whole of /etc/rabbitmq is served from GlusterFS, so rabbitmq.conf and the
        # ssl/ tree must already exist there. The mount also hides anything the image
        # placed in /etc/rabbitmq, including the enabled_plugins file the management
        # image ships, which is why the management plugin has to be enabled again after
        # deployment (see the note at the end).
        - name: rabbitmq-conf-ssl
          mountPath: /etc/rabbitmq
      restartPolicy: Always
      volumes:
      - name: rabbitmq-logs
        glusterfs:
          endpoints: glusterfs-cluster
          path: /gv0/userapp/rabbitmq/log
          readOnly: false
      - name: rabbitmq-conf-ssl
        glusterfs:
          endpoints: glusterfs-cluster
          path: /gv0/userapp/rabbitmq/etc/rabbitmq
          readOnly: false
---
apiVersion: v1
kind: Service
metadata:
  name: nevt-rabbitmq
spec:
  selector:
    app: nevt-rabbitmq
  ports:
    - name: ssl
      port: 5671
      targetPort: 5671
      nodePort: 30205
    # The management UI is exposed without TLS on every node here; since the guest
    # loopback restriction is lifted in rabbitmq.conf below, do not leave the default
    # guest credentials in place.
    - name: http
      port: 15672
      targetPort: 15672
      nodePort: 30206
  type: NodePort

rabbitmq.conf is as follows, placed in the /gv0/userapp/rabbitmq/etc/rabbitmq directory on GlusterFS:

# By default the guest user may only log in from the local machine, i.e. only via
# localhost:15672. The restriction is controlled by loopback_users in rabbitmq.conf;
# to lift it for the guest user alone, loopback_users.guest = false is enough.
loopback_users.guest = false
listeners.tcp.default = 5672
management.tcp.port = 15672
# SSL port
listeners.ssl.default = 5671
# The certificates must already be in the mounted directory
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca/cacert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server/nevt-server.cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server/nevt-server.key.pem
# verify_peer plus fail_if_no_peer_cert: every client must present a certificate
# signed by the CA above (mutual TLS)
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# tlsv1.1 is deprecated; keep it only if a legacy client really needs it
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1

# Cipher suites in preference order. Entry 5 is 3DES and the non-GCM suites are CBC
# suites without AEAD; entry 35 repeats entry 23.
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.6 = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.7 = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.8 = ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.9 = ECDH-RSA-AES256-SHA384
ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.11 = DHE-DSS-AES256-SHA256
ssl_options.ciphers.12 = AES256-GCM-SHA384
ssl_options.ciphers.13 = AES256-SHA256
ssl_options.ciphers.14 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.15 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.18 = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.19 = ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.20 = ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.21 = ECDH-RSA-AES128-SHA256
ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.24 = AES128-GCM-SHA256
ssl_options.ciphers.25 = AES128-SHA256
ssl_options.ciphers.26 = ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.27 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.28 = DHE-DSS-AES256-SHA
ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA
ssl_options.ciphers.31 = AES256-SHA
ssl_options.ciphers.32 = ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.33 = ECDHE-RSA-AES128-SHA
ssl_options.ciphers.34 = DHE-DSS-AES128-SHA
ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.36 = ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.37 = ECDH-RSA-AES128-SHA
ssl_options.ciphers.38 = AES128-SHA

After deployment there is one pitfall: the HTTP management UI does not come up. Use kubectl exec to get into the container and run rabbitmq-plugins enable rabbitmq_management to turn it on.

Tags: AES256, SHA256, rabbitmq, ssl, AES128, k8s, options
Source: https://blog.csdn.net/weixin_48445640/article/details/114878781
