EMQX in Kubernetes with SSL certificates, with a worked modification of the official Helm chart
1. Approach
1.1 Notes
- The official EMQX container image already has an SSL listener enabled by default, but it uses a self-signed certificate baked into the image. The same certificate and key ship in every copy of that image, so it gives you encryption but no meaningful server authentication. All we have to do is replace the certificate files.
- If your image does not have certificates configured by default, add the following to the configuration file:
listener.ssl.external.keyfile = /opt/emqx/etc/certs/key.pem
listener.ssl.external.certfile = /opt/emqx/etc/certs/cert.pem
listener.ssl.external.cacertfile = /opt/emqx/etc/certs/cacert.pem
## enable mutual (client certificate) authentication
listener.ssl.external.verify = verify_peer
listener.ssl.external.fail_if_no_peer_cert = true
With verify_peer the broker checks that a presented client certificate chains to cacert.pem; fail_if_no_peer_cert = true additionally rejects clients that present no certificate at all. Only the two together enforce mutual TLS; with fail_if_no_peer_cert = false a client that sends no certificate is still accepted.
In Kubernetes we recommend following the official EMQX image's convention and setting these items as environment variables instead of editing the file: uppercase the key, replace each dot with a double underscore and prefix EMQX_, so listener.ssl.external.keyfile becomes EMQX_LISTENER__SSL__EXTERNAL__KEYFILE.
1.2 Method
- Create three ConfigMaps holding the required certificate files.
- Mount them over the original certificates in the pod.
The three original files being replaced:
- CA certificate: /opt/emqx/etc/certs/cacert.pem
- private key: /opt/emqx/etc/certs/key.pem
- server certificate: /opt/emqx/etc/certs/cert.pem
One caveat before following the steps below: a ConfigMap is not a confidential object. Anyone who can read ConfigMaps in the namespace can read its contents, and it gets none of the separate RBAC treatment or encryption-at-rest options that Secrets have, so key.pem really belongs in a Secret. The mount mechanics are identical; only the object kind and the volume source differ.
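As an added example (not part of the original post), the following shell script produces the three files with openssl and cross-checks them before they go anywhere near the chart: a private CA, a server key and certificate signed by it, and, for the mutual-authentication case, a certificate from an unrelated CA that must fail to verify against cacert.pem. The directory names, common names and the one-year validity are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Generates and cross-checks the
# three files EMQX expects (cacert.pem, key.pem, cert.pem) with openssl.
# All directory names, CNs and the 365-day validity are assumptions.
set -eu

# make_pki DIR CA_CN LEAF_CN
# Creates a self-signed CA in DIR/cacert.pem (its key DIR/ca.key must never go
# into the chart) and a leaf key/cert pair in DIR/key.pem and DIR/cert.pem.
make_pki() {
    dir=$1; ca_cn=$2; leaf_cn=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$ca_cn" \
        -keyout "$dir/ca.key" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$leaf_cn" \
        -keyout "$dir/key.pem" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/leaf.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/cert.pem" 2>/dev/null
}

# key_matches_cert KEY_FILE CERT_FILE
# Succeeds only when the public key inside the certificate is the one derived
# from the private key; a mismatched pair makes the SSL listener fail to start.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# cert_chains_to_ca CA_FILE CERT_FILE
# Succeeds when CERT_FILE chains to CA_FILE; this is the check the broker
# applies to a client certificate when listener.ssl.external.verify = verify_peer.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)

# Server material: the three files that replace /opt/emqx/etc/certs/*.pem.
make_pki "$work/server" "example-emqx-ca" "emqx.example.internal"
if key_matches_cert "$work/server/key.pem" "$work/server/cert.pem" \
   && cert_chains_to_ca "$work/server/cacert.pem" "$work/server/cert.pem"; then
    echo "server key, cert and CA are consistent: $work/server"
fi

# A client certificate issued by an unrelated CA: with verify_peer and
# fail_if_no_peer_cert = true the broker rejects this client during the handshake.
make_pki "$work/rogue" "unrelated-ca" "rogue-client"
if ! cert_chains_to_ca "$work/server/cacert.pem" "$work/rogue/cert.pem"; then
    echo "certificate from an unrelated CA does not verify against cacert.pem (expected)"
fi
```

Only cacert.pem, key.pem and cert.pem from the server directory go into the chart; ca.key stays offline, since whoever holds it can mint client certificates the broker will accept.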
2. Modifying the official chart: an example
2.1 Add the certificate contents to values.yaml
We could write the contents directly into the files under templates/, but to keep them easy to change we follow the official chart's existing pattern and put them in values.yaml. Keep in mind that values.yaml is normally committed to version control; at minimum the private key should be supplied from a file at upgrade time (helm upgrade ... --set-file <path.to.sslKeyPem>=key.pem) rather than committed alongside the certificates.
emqxConfig:
  ……
  sslCacertPem: |+
    -----BEGIN CERTIFICATE-----
    MIIFezCCA2OgAwIBAgIUeLn96b0haK5Mk+YplnibMRG5dZMwDQYJKoZIhvcNAQEL
    ……
    V/InL3b6pnqsi5BglbEd
    -----END CERTIFICATE-----
  sslKeyPem: |+
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA0wGsjHMbCexI/FAEg2GvPTSQ1ea47Lo/BhN6HOaIG5Ldber0
    ……
    rLIph0hkdeFsrcRsHskX/pxv7W9Pa7n4+DDKxT/MUuU44bxIOJztcg==
    -----END RSA PRIVATE KEY-----
  sslCertPem: |+
    -----BEGIN CERTIFICATE-----
    MIIERzCCAi+gAwIBAgIUaOi94npJva3yRItnxUfa3b9wkIswDQYJKoZIhvcNAQEL
    ……
    mgAAh4/WLEW0adH2j4i5AvsyKImm8Q4CIjwfI+IA/jCC+AKfgc/VV3qk3Q==
    -----END CERTIFICATE-----
2.2 Add templates that create the certificate files
Under templates/ (Helm only renders files in that directory) add ConfigMap definitions whose data is taken from the values just added to values.yaml.
Here we keep them together with the existing ConfigMap and append the following to templates/configmap.yaml. In each block, point .Values.emqx.sslCacertPem / .Values.emqx.sslKeyPem / .Values.emqx.sslCertPem at wherever you actually placed the value in values.yaml (with the layout shown in 2.1 that is .Values.emqxConfig.sslCacertPem and so on). Any such instruction must stay outside the block scalar: text written after the {{ ... }} expression on the same line, a # comment included, is rendered into the certificate file and corrupts it, which is why the reminder below is a {{- /* */}} template comment.
For key.pem the safer version of the same block is kind: Secret with stringData: instead of data:; the StatefulSet then mounts it with secret: { secretName: ... } in place of configMap: { name: ... }.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "emqx.fullname" . }}-ssl-cacert
  namespace: {{ .Values.global.namespace }}
  labels:
    app.kubernetes.io/name: {{ include "emqx.name" . }}
    helm.sh/chart: {{ include "emqx.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  {{- /* point .Values.emqx.sslCacertPem at where you put the value in values.yaml */}}
  cacert.pem: |-
    {{- .Values.emqx.sslCacertPem | nindent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "emqx.fullname" . }}-ssl-key
  namespace: {{ .Values.global.namespace }}
  labels:
    app.kubernetes.io/name: {{ include "emqx.name" . }}
    helm.sh/chart: {{ include "emqx.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  {{- /* point .Values.emqx.sslKeyPem at where you put the value in values.yaml */}}
  key.pem: |-
    {{- .Values.emqx.sslKeyPem | nindent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "emqx.fullname" . }}-ssl-cert
  namespace: {{ .Values.global.namespace }}
  labels:
    app.kubernetes.io/name: {{ include "emqx.name" . }}
    helm.sh/chart: {{ include "emqx.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  {{- /* point .Values.emqx.sslCertPem at where you put the value in values.yaml */}}
  cert.pem: |-
    {{- .Values.emqx.sslCertPem | nindent 4 }}
2.3 Mount the certificate files in the StatefulSet
Edit templates/StatefulSet.yaml.
- Declare the volumes
Under spec.template.spec.volumes add the following:
template:
  ……
  spec:
    volumes:
      - name: emqx-ssl-cacert
        configMap:
          name: {{ include "emqx.fullname" . }}-ssl-cacert
          items:
            - key: cacert.pem
              path: cacert.pem
      - name: emqx-ssl-key
        configMap:
          name: {{ include "emqx.fullname" . }}-ssl-key
          items:
            - key: key.pem
              path: key.pem
      - name: emqx-ssl-cert
        configMap:
          name: {{ include "emqx.fullname" . }}-ssl-cert
          items:
            - key: cert.pem
              path: cert.pem
- Set the mount paths inside the container
Under spec.template.spec.containers[].volumeMounts add the following. Using subPath places each file over the corresponding default file without hiding the rest of /opt/emqx/etc/certs:
volumeMounts:
  - name: emqx-ssl-cacert
    mountPath: /opt/emqx/etc/certs/cacert.pem
    subPath: cacert.pem
  - name: emqx-ssl-key
    mountPath: /opt/emqx/etc/certs/key.pem
    subPath: key.pem
  - name: emqx-ssl-cert
    mountPath: /opt/emqx/etc/certs/cert.pem
    subPath: cert.pem
2.4 Upgrade the release
helm upgrade RELEASE_NAME -n NAMESPACE /CHART_PATH
Two things to check afterwards. First, files mounted with subPath are not refreshed in place when the ConfigMap changes, so if the upgrade only changed certificate contents and not the StatefulSet spec, the pods keep serving the old files until they are restarted (kubectl rollout restart statefulset/<emqx fullname> -n NAMESPACE). Second, confirm that the broker is serving the new certificate and chain on the SSL listener (port 8883 by default): openssl s_client -connect <host>:8883 -CAfile cacert.pem -showcerts, adding -cert client.pem -key client.key when mutual authentication is enabled, since without a client certificate the handshake is now rejected by design.
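The following check is added here and is not part of the original post or of the EMQX chart. It is what a reviewer would run on the rendered output (helm template RELEASE_NAME /CHART_PATH) before upgrading: it walks the multi-document manifest and reports every ConfigMap whose body contains a PEM private key, while a Secret carrying the same key passes. The manifest embedded in the script is constructed for the example, and its PEM bodies are placeholders rather than real certificate or key material.

```shell
#!/bin/sh
# Added example, not from the original post or the EMQX chart: fail when a
# rendered manifest puts a PEM private key into a ConfigMap. The sample
# manifest below is constructed for this example; its PEM bodies are
# placeholders, not real certificates or keys.
set -eu

# find_keys_in_configmaps < manifest.yaml
# Prints the metadata.name (one per line) of every ConfigMap whose body contains
# a "-----BEGIN ... PRIVATE KEY-----" header. Documents are split on the "---"
# separator; the first two-space-indented "name:" after "kind:" is the object name.
find_keys_in_configmaps() {
    awk '
        function flush() {
            if (kind == "ConfigMap" && haskey) print name
            kind = ""; name = ""; haskey = 0
        }
        /^---/              { flush(); next }
        /^kind:/            { kind = $2 }
        /^  name:/          { if (name == "") name = $2 }
        /PRIVATE KEY-----/  { haskey = 1 }
        END                 { flush() }
    '
}

# check_manifest < manifest.yaml
# Returns 1 (naming the offenders on stderr) when a key leaks via a ConfigMap.
check_manifest() {
    hits=$(find_keys_in_configmaps)
    if [ -n "$hits" ]; then
        echo "private key material found in ConfigMap(s): $(echo "$hits" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "no private keys in ConfigMaps"
}

# Constructed sample: roughly what `helm template` produces from the chart edits
# above, plus a Secret holding the same key, which is where it belongs.
SAMPLE_MANIFEST='---
apiVersion: v1
kind: ConfigMap
metadata:
  name: emqx-ssl-cacert
data:
  cacert.pem: |
    -----BEGIN CERTIFICATE-----
    MIIFplaceholderCAcertificateBody
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: emqx-ssl-key
data:
  key.pem: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEplaceholderPrivateKeyBody
    -----END RSA PRIVATE KEY-----
---
apiVersion: v1
kind: Secret
metadata:
  name: emqx-ssl-key
type: Opaque
stringData:
  key.pem: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEplaceholderPrivateKeyBody
    -----END RSA PRIVATE KEY-----
'

# Real usage:  helm template RELEASE_NAME /CHART_PATH | check_manifest
if ! printf '%s' "$SAMPLE_MANIFEST" | check_manifest; then
    echo "sample manifest rejected: keep key.pem in the Secret and drop the ConfigMap"
fi
```

Run it as a pre-upgrade gate (helm template ... | check_manifest) so a key can never be shipped in a ConfigMap by accident; the check is deliberately text-based so it works on the raw helm template output without a YAML parser.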