因?yàn)橛袛?shù)據(jù)接入，公司要求啟動ssl安全連接的方式把rabbitmq部署進(jìn)k8s集群中。
首先，用CMF-AMQP-Configuration.git生成了證書及秘鑰文件
接下來編寫yaml文件，值得注意的是一定要事先把rabbitmq.conf和相關(guān)的秘鑰放在/gv0/userapp/rabbitmq/etc/rabbitmq目錄下，可供rabbitmq鏡像找到。

apiVersion: apps/v1 kind: Deployment metadata:name: nevt-rabbitmqlabels:app: nevt-rabbitmq spec:replicas: 1selector:matchLabels:app: nevt-rabbitmqtemplate:metadata:labels:app: nevt-rabbitmqspec:containers:- name: nevt-rabbitmqimage: rabbitmq:managementimagePullPolicy: IfNotPresentports:- name: sslcontainerPort: 5671- name: httpcontainerPort: 15672env:volumeMounts:- name: rabbitmq-logsmountPath: /var/log/rabbitmq- name: rabbitmq-conf-sslmountPath: /etc/rabbitmqrestartPolicy: Alwaysvolumes:- name: rabbitmq-logsglusterfs:endpoints: glusterfs-clusterpath: /gv0/userapp/rabbitmq/logreadOnly: false- name: rabbitmq-conf-sslglusterfs:endpoints: glusterfs-clusterpath: /gv0/userapp/rabbitmq/etc/rabbitmqreadOnly: false --- apiVersion: v1 kind: Service metadata:name: nevt-rabbitmq spec:selector:app: nevt-rabbitmqports:- name: sslport: 5671targetPort: 5671nodePort: 30205- name: httpport: 15672targetPort: 15672nodePort: 30206type: NodePort

rabbitmq.conf如下，放置在glusterfs的/gv0/userapp/rabbitmq/etc/rabbitmq目錄下：

# 默認(rèn)是限制了guest用戶只能在本機(jī)登陸，也就是只能登陸localhost:15672。可以通過修改配置文件rabbitmq.conf，取消這個限制： loopback_users這個項(xiàng)就是控制訪問的，如果只是取消guest用戶的話，只需要loopback_users.guest = false 即可 loopback_users.guest = false listeners.tcp.default = 5672 management.tcp.port = 15672 # ssl端口 listeners.ssl.default=5671 # 證書一定事先放在了對應(yīng)的掛載目錄下 ssl_options.cacertfile=/etc/rabbitmq/ssl/ca/cacert.pem ssl_options.certfile=/etc/rabbitmq/ssl/server/nevt-server.cert.pem ssl_options.keyfile=/etc/rabbitmq/ssl/server/nevt-server.key.pem ssl_options.verify=verify_peer ssl_options.fail_if_no_peer_cert=true ssl_options.versions.1=tlsv1.2 ssl_options.versions.2=tlsv1.1ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384 ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384 ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384 ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384 ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA ssl_options.ciphers.6 = ECDH-ECDSA-AES256-GCM-SHA384 ssl_options.ciphers.7 = ECDH-RSA-AES256-GCM-SHA384 ssl_options.ciphers.8 = ECDH-ECDSA-AES256-SHA384 ssl_options.ciphers.9 = ECDH-RSA-AES256-SHA384 ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384 ssl_options.ciphers.11 = DHE-DSS-AES256-SHA256 ssl_options.ciphers.12 = AES256-GCM-SHA384 ssl_options.ciphers.13 = AES256-SHA256 ssl_options.ciphers.14 = ECDHE-ECDSA-AES128-GCM-SHA256 ssl_options.ciphers.15 = ECDHE-RSA-AES128-GCM-SHA256 ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256 ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256 ssl_options.ciphers.18 = ECDH-ECDSA-AES128-GCM-SHA256 ssl_options.ciphers.19 = ECDH-RSA-AES128-GCM-SHA256 ssl_options.ciphers.20 = ECDH-ECDSA-AES128-SHA256 ssl_options.ciphers.21 = ECDH-RSA-AES128-SHA256 ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256 ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256 ssl_options.ciphers.24 = AES128-GCM-SHA256 ssl_options.ciphers.25 = AES128-SHA256 ssl_options.ciphers.26 = ECDHE-ECDSA-AES256-SHA ssl_options.ciphers.27 = ECDHE-RSA-AES256-SHA ssl_options.ciphers.28 = DHE-DSS-AES256-SHA ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA ssl_options.ciphers.31 = AES256-SHA ssl_options.ciphers.32 = ECDHE-ECDSA-AES128-SHA ssl_options.ciphers.33 = ECDHE-RSA-AES128-SHA ssl_options.ciphers.34 = DHE-DSS-AES128-SHA ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256 ssl_options.ciphers.36 = ECDH-ECDSA-AES128-SHA ssl_options.ciphers.37 = ECDH-RSA-AES128-SHA ssl_options.ciphers.38 = AES128-SHA

部署完以后，會有一個坑，http界面無法顯示，這時候用kubectl exec進(jìn)入該容器，執(zhí)行 rabbitmq-plugins enable rabbitmq_management即可開啟。
還有一點(diǎn)值得注意：將本地的glusterfs數(shù)據(jù)卷下的etc/目錄及目錄下的所有文件夾和文件全部變成777權(quán)限，以及l(fā)og目錄也變成777權(quán)限，以免不必要的執(zhí)行權(quán)限問題。

總結(jié)

以上是生活随笔為你收集整理的记录k8s下配置ssl安全连接版rabbitmq的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。