k8s中emqx使用ssl证书及官方chart修改示例

1. 思路

1.1 说明

  • 官方容器化的emqx默认已经开启了ssl认证,但是使用了一个默认的自签证书,我们只需要替换证书即可。
  • 如果你的镜像默认没有使用证书,需要在配置文件中添加如下内容:
listener.ssl.external.keyfile = /opt/emqx/etc/certs/key.pem
listener.ssl.external.certfile = /opt/emqx/etc/certs/cert.pem
listener.ssl.external.cacertfile = /opt/emqx/etc/certs/cacert.pem
##开启双向认证
listener.ssl.external.verify = verify_peer
listener.ssl.external.fail_if_no_peer_cert = true

当然K8S中我们建议按 EMQX官方镜像的规则将配置项写成变量。

1.2 做法

创建三个 configmap 挂载需要的证书文件

挂载并替换原有证书

三个原有文件:

  • 证书申请文件
    /opt/emqx/etc/certs/cacert.pem
  • 证书key
    /opt/emqx/etc/certs/key.pem
  • 证书文件
    /opt/emqx/etc/certs/cert.pem

2. 官方chart修改示例

2.1 在 values.yaml 中添加configmap内容

虽然我们可以直接把内容写在template下的文件中,但是为了便于修改,我们按照官方chart原有的逻辑来,因此写在values.yaml中。

  emqxConfig:
    ……
  sslCacertPem: |+
    -----BEGIN CERTIFICATE-----
    MIIFezCCA2OgAwIBAgIUeLn96b0haK5Mk+YplnibMRG5dZMwDQYJKoZIhvcNAQEL
    ……
    V/InL3b6pnqsi5BglbEd
    -----END CERTIFICATE-----

  sslKeyPem: |+
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA0wGsjHMbCexI/FAEg2GvPTSQ1ea47Lo/BhN6HOaIG5Ldber0
    ……
    rLIph0hkdeFsrcRsHskX/pxv7W9Pa7n4+DDKxT/MUuU44bxIOJztcg==
    -----END RSA PRIVATE KEY-----

  sslCertPem: |+
    -----BEGIN CERTIFICATE-----
    MIIERzCCAi+gAwIBAgIUaOi94npJva3yRItnxUfa3b9wkIswDQYJKoZIhvcNAQEL
    ……
    mgAAh4/WLEW0adH2j4i5AvsyKImm8Q4CIjwfI+IA/jCC+AKfgc/VV3qk3Q==
    -----END CERTIFICATE-----

2.2 添加创建证书文件

在template中添加创建证书的configmap的yml文件,文件内容引用刚才values.yaml中写好的证书内容。

此处我们和之前的configmap写在一起,在template/configmap.yaml中添加如下内容:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "emqx.fullname" . }}-ssl-cacert
  namespace: {{ .Values.global.namespace }}
  labels:
    app.kubernetes.io/name: {{ include "emqx.name" . }}
    helm.sh/chart: {{ include "emqx.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  "cacert.pem": |+
    {{ .Values.emqx.sslCacertPem | nindent 4 }} # emqx.sslCacertPem 写你刚才在values.yaml中添加内容的实际位置

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "emqx.fullname" . }}-ssl-key
  namespace: {{ .Values.global.namespace }}
  labels:
    app.kubernetes.io/name: {{ include "emqx.name" . }}
    helm.sh/chart: {{ include "emqx.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  "key.pem": |+
    {{ .Values.emqx.sslKeyPem | nindent 4 }} #emqx.sslKeyPem 写你刚才在values.yaml中添加内容的实际位置

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "emqx.fullname" . }}-ssl-cert
  namespace: {{ .Values.global.namespace }}
  labels:
    app.kubernetes.io/name: {{ include "emqx.name" . }}
    helm.sh/chart: {{ include "emqx.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  "cert.pem": |+
    {{ .Values.emqx.sslCertPem | nindent 4 }} #.emqx.sslCertPem 写你刚才在values.yaml中添加内容的实际位置

2.3 StatefulSet中挂载证书文件

修改 /template/StatefulSet.yaml 文件

  • 挂载证书文件

在文件中 spec:template:spec:volumes 下添加如下内容

  template:
    ……
    spec:
      volumes:
      - name: emqx-ssl-cacert
        configMap:
          name: {{ include "emqx.fullname" . }}-ssl-cacert
          items:
          - key: cacert.pem
            path: cacert.pem
      - name: emqx-ssl-key
        configMap:
          name: {{ include "emqx.fullname" . }}-ssl-key
          items:
          - key: key.pem
            path: key.pem
      - name: emqx-ssl-cert
        configMap:
          name: {{ include "emqx.fullname" . }}-ssl-cert
          items:
          - key: cert.pem
            path: cert.pem

  • 指明内部挂载路径

在文件中 spec:template:spec:containers:volumeMounts 下添加如下内容

          volumeMounts:
          - name: emqx-ssl-cacert
            mountPath: /opt/emqx/etc/certs/cacert.pem
            subPath: cacert.pem
          - name: emqx-ssl-key
            mountPath: /opt/emqx/etc/certs/key.pem
            subPath: key.pem
          - name: emqx-ssl-cert
            mountPath: /opt/emqx/etc/certs/cert.pem
            subPath: cert.pem

2.4 更新release

helm upgrade RELEASE_NAME -n NAMESPASE /CHART_PATH

posted on 2022-06-26 18:06  运维开发玄德公  阅读(71)  评论(0编辑  收藏  举报  来源

导航