optimize code and add md file of deploy rabbitMQ server with eventRT

deploy/mq/client.conf

@@ -0,0 +1,14 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CN
+ST = Beijing
+L = Beijing
+O = coslight
+CN = web-client
+
+[v3_client]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth

deploy/mq/deploy.md

@@ -0,0 +1,154 @@
+# RabbitMQ 部署与 mTLS 证书签发指南
+
+## 一、 证书签发 (PKI)
+
+### 1. 准备工作
+
+确保本地拥有根 CA 文件:`ca_certificate.pem` 和 `cakey.pem`
+
+### 2. 生成 RabbitMQ 服务端证书
+
+服务端证书必须包含 `serverAuth` 权限，并涵盖所有访问域名和 IP
+
+**配置文件 `server.conf` 关键点:**
+
+* **CN**: `rabbitmq-server`
+* **SAN (alt_names)**: 必须包含 `localhost` 和 `127.0.0.1` 以适配 SSH 隧道
+
+```bash
+# 1. 生成服务端私钥
+openssl genrsa -out server_key.pem 2048
+
+# 2. 生成签名请求 (CSR)
+openssl req -new -key server_key.pem -out server_cert.csr -config server.conf
+
+# 3. 使用 v3_server 扩展签发
+openssl x509 -req -in server_cert.csr -CA ca_certificate.pem -CAkey cakey.pem -CAcreateserial \
+    -out server_certificate.pem -days 730 -sha256 \
+    -extfile server.conf -extensions v3_server
+
+```
+
+### 3. 生成客户端证书 (modelRT / eventRT)
+
+**注意**:客户端证书必须包含 `clientAuth` 扩展，否则会导致 403 错误
+
+#### 签发 modelRT 证书
+
+```bash
+# 1. 生成私钥
+openssl genrsa -out modelrt_client_key.pem 2048
+
+# 2. 生成 CSR (CN 必须匹配 rabbitmq 里的用户名: modelrt-client)
+openssl req -new -key modelrt_client_key.pem -out modelrt_client_cert.csr -config modelrt.conf
+
+# 3. 关键:使用 v3_client 扩展签发
+openssl x509 -req -in modelrt_client_cert.csr -CA ca_certificate.pem -CAkey cakey.pem -CAcreateserial \
+    -out modelrt_client_cert.pem -days 730 -sha256 \
+    -extfile modelrt.conf -extensions v3_client
+
+```
+
+*(eventRT 证书签发流程同上，只需更换 `eventrt.conf` 配置文件)*
+
+---
+
+## 二、 RabbitMQ 服务端部署 (K8s)
+
+### 1. 配置用户与权限
+
+修改 `rabbitmq-users-config.yaml`，确保用户标签为 `management` 或 `administrator`，并赋予 `/` 的权限
+
+```yaml
+# 关键部分:definitions.json
+{
+  "name": "modelrt-client",
+  "password_hash": "", 
+  "tags": ["management"]
+}
+
+```
+
+### 2. 应用 Kubernetes 配置
+
+```bash
+# 1. 应用用户定义
+kubectl apply -f rabbitmq-users-config.yaml
+
+# 2. 创建插件 ConfigMap
+kubectl create configmap rabbit-plugins-conf 
+    --from-literal=enabled_plugins="[rabbitmq_auth_mechanism_ssl, \
+    rabbitmq_management, rabbitmq_management_agent, \
+    rabbitmq_prometheus, rabbitmq_web_dispatch]."
+
+# 3. 创建证书 Secret
+kubectl create secret generic rabbitmq-certs \
+    --from-file=ca.pem=ca_certificate.pem \
+    --from-file=server.pem=server_certificate.pem \
+    --from-file=server_key.pem=server_key.pem
+
+# 4. 应用部署文件
+kubectl apply -f rabbitmq-config.yaml
+kubectl apply -f rabbitmq-deployment.yaml
+kubectl apply -f rabbitmq-service.yaml
+
+```
+
+---
+
+## 三、 开发环境网络配置 (SSH 隧道)
+
+如果你在 Mac 上开发，RabbitMQ 在远程 Linux 的 Minikube 中，请执行以下命令建立加密隧道:
+
+```bash
+# 将远程 Minikube 中 rabbitMQ service 的 NodePort (30671) 映射到 Mac 本地的 5671
+ssh -L 5671:<minikube-ip>:30671 <host-user>@host-ip
+
+```
+
+---
+
+## 四、 Go 程序配置 (config.yaml)
+
+确保客户端配置指向隧道入口，并开启 TLS:
+
+```yaml
+rabbitmq:
+  host: "localhost"
+  port: 5671
+  server_name: "rabbitmq-server"
+  ca_cert_path: "./configs/certs/ca_certificate.pem"
+  client_cert_path: "./configs/certs/modelrt_client_cert.pem"
+  client_key_path: "./configs/certs/modelrt_client_key.pem"
+
+```
+
+---
+
+## 五、 验证与排查
+
+### 1. 证书权限检查
+
+运行以下命令，确信输出中有 `TLS Web Client Authentication`:
+
+```bash
+openssl x509 -in modelrt_client_cert.pem -noout -text | grep -A 1 "Extended Key Usage"
+
+```
+
+### 2. 握手连通性验证
+
+```bash
+openssl s_client -connect localhost:5671 \
+    -cert modelrt_client_cert.pem \
+    -key modelrt_client_key.pem \
+    -CAfile ca_certificate.pem
+
+```
+
+**预期结果**:看到 `Verify return code: 0 (ok)`
+
+### 3. 日志检查
+
+如果连接成功，RabbitMQ 日志应显示:
+`connection <xxx>: user 'modelrt-client' authenticated and granted access to vhost '/'`

deploy/mq/eventrt.conf

@@ -0,0 +1,14 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CN
+ST = Beijing
+L = Beijing
+O = coslight
+CN = eventrt-client
+
+[v3_client]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth

deploy/mq/modelrt.cnf

@@ -0,0 +1,14 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CN
+ST = Beijing
+L = Beijing
+O = coslight
+CN = modelrt-client
+
+[v3_client]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth

deploy/mq/plugins.sh

@@ -0,0 +1 @@
+kubectl create configmap rabbit-plugins-conf --from-literal=enabled_plugins="[rabbitmq_auth_mechanism_ssl, rabbitmq_management, rabbitmq_management_agent, rabbitmq_prometheus, rabbitmq_web_dispatch]."

deploy/mq/rabbitmq-config.yaml

@@ -16,15 +16,15 @@ data:
     # 开启此项配置会导致只能通过TLS端口访问
     listeners.tcp = none
     listeners.ssl.default = 5671
+    # default user config
+    load_definitions = /etc/rabbitmq/definitions.json
     # ssl config
     ssl_options.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
     ssl_options.certfile   = /etc/rabbitmq/certs/server_certificate.pem
     ssl_options.keyfile    = /etc/rabbitmq/certs/server_key.pem
     ssl_options.verify     = verify_peer
     ssl_options.fail_if_no_peer_cert = true
-    # ssl_options.verify     = verify_none
-    # ssl_options.fail_if_no_peer_cert = false
-    # management ssl config
+    # management config
     management.ssl.port  = 15671
     management.ssl.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
     management.ssl.certfile   = /etc/rabbitmq/certs/server_certificate.pem

deploy/mq/rabbitmq-deployment.yaml

@@ -50,6 +50,12 @@ spec:
               mountPath: /etc/rabbitmq/rabbitmq.conf
               subPath: rabbitmq.conf
               readOnly: true
+            - name: plugins-config-volume
+              mountPath: /etc/rabbitmq/enabled_plugins
+              subPath: enabled_plugins
+            - name: users-config-volume
+              mountPath: /etc/rabbitmq/definitions.json
+              subPath: definitions.json
             - name: rabbitmq-data
               mountPath: /var/lib/rabbitmq
       volumes:
@@ -59,5 +65,11 @@ spec:
         - name: rabbitmq-config-volume
           configMap:
             name: rabbitmq-config
+        - name: plugins-config-volume
+          configMap:
+            name: rabbit-plugins-conf
+        - name: users-config-volume
+          configMap:
+            name: rabbitmq-users-definitions
         - name: rabbitmq-data
           emptyDir: {}

deploy/mq/rabbitmq-users-config.yaml

@@ -0,0 +1,77 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rabbitmq-users-definitions
+data:
+  definitions.json: |
+    {
+      "users": [
+        {
+          "name": "coslight",
+          "password_hash": "Gl2XVEJwPwDZQF8ZhsYnvm83wMkdftY3/raxyntdZueyx/Uv", 
+          "hashing_algorithm": "rabbit_password_hashing_sha256",
+          "tags": ["administrator"]
+        },
+        {
+          "name": "web-client",
+          "password_hash": "", 
+          "hashing_algorithm": "rabbit_password_hashing_sha256",
+          "tags": ["management"]
+        },
+        {
+          "name": "modelrt-client",
+          "password_hash": "", 
+          "hashing_algorithm": "rabbit_password_hashing_sha256",
+          "tags": ["management"]
+        },
+        {
+          "name": "eventrt-client",
+          "password_hash": "", 
+          "hashing_algorithm": "rabbit_password_hashing_sha256",
+          "tags": ["management"]
+        }
+      ],
+      "vhosts": [ { "name": "/" } ],
+      "permissions": [
+        {
+          "user": "coslight",
+          "vhost": "/",
+          "configure": ".*",
+          "write": ".*",
+          "read": ".*"
+        },
+        {
+          "user": "web-client",
+          "vhost": "/",
+          "configure": "^$",
+          "write": ".*",
+          "read": ".*"
+        },
+        {
+          "user": "modelrt-client",
+          "vhost": "/",
+          "configure": ".*",
+          "write": ".*",
+          "read": ".*"
+        },
+         {
+          "user": "eventrt-client",
+          "vhost": "/",
+          "configure": ".*",
+          "write": ".*",
+          "read": ".*"
+        }
+      ],
+      "topic_permissions": [],
+      "parameters": [],
+      "global_parameters": [
+        {
+          "name": "cluster_name",
+          "value": "evnetrt-rabbitmq-cluster"
+        }
+      ],
+      "policies": [],
+      "queues": [],
+      "exchanges": [],
+      "bindings": []
+    }

deploy/mq/server.conf

@@ -0,0 +1,22 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CN
+ST = Beijing
+L = Beijing
+O = coslight
+CN = rabbitmq-server
+
+[v3_server]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = rabbitmq-server
+DNS.2 = rabbitmq-service.default.svc.cluster.local
+DNS.3 = localhost
+IP.1 = 192.168.49.2
+IP.2 = 127.0.0.1

mq/mq_init.go

@@ -7,7 +7,6 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"net/url"
 	"os"
 	"sync"
 	"time"
@@ -148,12 +147,17 @@ func CloseRabbitProxy() {
 }
 
 func generateRabbitMQURI(rCfg config.RabbitMQConfig) string {
-	user := url.QueryEscape(rCfg.User)
-	password := url.QueryEscape(rCfg.Password)
+	// TODO 考虑拆分用户名密码配置项，兼容不同认证方式
+	// user := url.QueryEscape(rCfg.User)
+	// password := url.QueryEscape(rCfg.Password)
 
-	amqpURI := fmt.Sprintf("amqps://%s:%s@%s:%d/",
-		user,
-		password,
+	// amqpURI := fmt.Sprintf("amqps://%s:%s@%s:%d/",
+	// 	user,
+	// 	password,
+	// 	rCfg.Host,
+	// 	rCfg.Port,
+	// )
+	amqpURI := fmt.Sprintf("amqps://%s:%d/",
 		rCfg.Host,
 		rCfg.Port,
 	)