From 8930f3a20ed3c1d2bc7c7d895400749c3860a9fd Mon Sep 17 00:00:00 2001 From: douxu Date: Wed, 11 Feb 2026 16:41:08 +0800 Subject: [PATCH] optimize code and add md file of deploy rabbitMQ server with eventRT --- deploy/mq/client.conf | 14 +++ deploy/mq/deploy.md | 154 +++++++++++++++++++++++ deploy/mq/eventrt.conf | 14 +++ deploy/mq/modelrt.cnf | 14 +++ deploy/mq/plugins.sh | 1 + deploy/{ => mq}/rabbitmq-config.yaml | 6 +- deploy/{ => mq}/rabbitmq-deployment.yaml | 12 ++ deploy/{ => mq}/rabbitmq-secret.yaml | 0 deploy/{ => mq}/rabbitmq-service.yaml | 0 deploy/mq/rabbitmq-users-config.yaml | 77 ++++++++++++ deploy/{ => mq}/secert.sh | 0 deploy/mq/server.conf | 22 ++++ mq/mq_init.go | 16 ++- 13 files changed, 321 insertions(+), 9 deletions(-) create mode 100644 deploy/mq/client.conf create mode 100644 deploy/mq/deploy.md create mode 100644 deploy/mq/eventrt.conf create mode 100644 deploy/mq/modelrt.cnf create mode 100644 deploy/mq/plugins.sh rename deploy/{ => mq}/rabbitmq-config.yaml (91%) rename deploy/{ => mq}/rabbitmq-deployment.yaml (79%) rename deploy/{ => mq}/rabbitmq-secret.yaml (100%) rename deploy/{ => mq}/rabbitmq-service.yaml (100%) create mode 100644 deploy/mq/rabbitmq-users-config.yaml rename deploy/{ => mq}/secert.sh (100%) create mode 100644 deploy/mq/server.conf diff --git a/deploy/mq/client.conf b/deploy/mq/client.conf new file mode 100644 index 0000000..74244bf --- /dev/null +++ b/deploy/mq/client.conf @@ -0,0 +1,14 @@ +[req] +distinguished_name = req_distinguished_name +prompt = no + +[req_distinguished_name] +C = CN +ST = Beijing +L = Beijing +O = coslight +CN = web-client + +[v3_client] +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth diff --git a/deploy/mq/deploy.md b/deploy/mq/deploy.md new file mode 100644 index 0000000..a776273 --- /dev/null +++ b/deploy/mq/deploy.md 
@@ -0,0 +1,154 @@ +# RabbitMQ 部署与 mTLS 证书签发指南 + +## 一、 证书签发 (PKI) + +### 1. 准备工作 + +确保本地拥有根 CA 文件:`ca_certificate.pem` 和 `cakey.pem` + +### 2. 生成 RabbitMQ 服务端证书 + +服务端证书必须包含 `serverAuth` 权限,并涵盖所有访问域名和 IP + +**配置文件 `server.conf` 关键点:** + +* **CN**: `rabbitmq-server` +* **SAN (alt_names)**: 必须包含 `localhost` 和 `127.0.0.1` 以适配 SSH 隧道 + +```bash +# 1. 生成服务端私钥 +openssl genrsa -out server_key.pem 2048 + +# 2. 生成签名请求 (CSR) +openssl req -new -key server_key.pem -out server_cert.csr -config server.conf + +# 3. 使用 v3_server 扩展签发 +openssl x509 -req -in server_cert.csr -CA ca_certificate.pem -CAkey cakey.pem -CAcreateserial \ + -out server_certificate.pem -days 730 -sha256 \ + -extfile server.conf -extensions v3_server + +``` + +### 3. 生成客户端证书 (modelRT / eventRT) + +**注意**:客户端证书必须包含 `clientAuth` 扩展,否则会导致 403 错误 + +#### 签发 modelRT 证书 + +```bash +# 1. 生成私钥 +openssl genrsa -out modelrt_client_key.pem 2048 + +# 2. 生成 CSR (CN 必须匹配 rabbitmq 里的用户名: modelrt-client) +openssl req -new -key modelrt_client_key.pem -out modelrt_client_cert.csr -config modelrt.conf + +# 3. 关键:使用 v3_client 扩展签发 +openssl x509 -req -in modelrt_client_cert.csr -CA ca_certificate.pem -CAkey cakey.pem -CAcreateserial \ + -out modelrt_client_cert.pem -days 730 -sha256 \ + -extfile modelrt.conf -extensions v3_client + +``` + +*(eventRT 证书签发流程同上,只需更换 `eventrt.conf` 配置文件)* + +--- + +## 二、 RabbitMQ 服务端部署 (K8s) + +### 1. 配置用户与权限 + +修改 `rabbitmq-users-config.yaml`,确保用户标签为 `management` 或 `administrator`,并赋予 `/` 的权限 + +```yaml +# 关键部分:definitions.json +{ + "name": "modelrt-client", + "password_hash": "", + "tags": ["management"] +} + +``` + +### 2. 应用 Kubernetes 配置 + +```bash +# 1. 应用用户定义 +kubectl apply -f rabbitmq-users-config.yaml + +# 2. 创建插件 ConfigMap +kubectl create configmap rabbit-plugins-conf + --from-literal=enabled_plugins="[rabbitmq_auth_mechanism_ssl, \ + rabbitmq_management, rabbitmq_management_agent, \ + rabbitmq_prometheus, rabbitmq_web_dispatch]." + +# 3. 
创建证书 Secret +kubectl create secret generic rabbitmq-certs \ + --from-file=ca.pem=ca_certificate.pem \ + --from-file=server.pem=server_certificate.pem \ + --from-file=server_key.pem=server_key.pem + +# 4. 应用部署文件 +kubectl apply -f rabbitmq-config.yaml +kubectl apply -f rabbitmq-deployment.yaml +kubectl apply -f rabbitmq-service.yaml + +``` + +--- + +## 三、 开发环境网络配置 (SSH 隧道) + +如果你在 Mac 上开发,RabbitMQ 在远程 Linux 的 Minikube 中,请执行以下命令建立加密隧道: + +```bash +# 将远程 Minikube 中 rabbitMQ service 的 NodePort (30671) 映射到 Mac 本地的 5671 +ssh -L 5671::30671 @host-ip + +``` + +--- + +## 四、 Go 程序配置 (config.yaml) + +确保客户端配置指向隧道入口,并开启 TLS: + +```yaml +rabbitmq: + host: "localhost" + port: 5671 + server_name: "rabbitmq-server" + ca_cert_path: "./configs/certs/ca_certificate.pem" + client_cert_path: "./configs/certs/modelrt_client_cert.pem" + client_key_path: "./configs/certs/modelrt_client_key.pem" + +``` + +--- + +## 五、 验证与排查 + +### 1. 证书权限检查 + +运行以下命令,确信输出中有 `TLS Web Client Authentication`: + +```bash +openssl x509 -in modelrt_client_cert.pem -noout -text | grep -A 1 "Extended Key Usage" + +``` + +### 2. 握手连通性验证 + +```bash +openssl s_client -connect localhost:5671 \ + -cert modelrt_client_cert.pem \ + -key modelrt_client_key.pem \ + -CAfile ca_certificate.pem + +``` + +**预期结果**:看到 `Verify return code: 0 (ok)` + +### 3. 日志检查 + +如果连接成功,RabbitMQ 日志应显示: +`connection : user 'modelrt-client' authenticated and granted access to vhost '/'` diff --git a/deploy/mq/eventrt.conf b/deploy/mq/eventrt.conf new file mode 100644 index 0000000..c326b54 --- /dev/null +++ b/deploy/mq/eventrt.conf @@ -0,0 +1,14 @@ +[req] +distinguished_name = req_distinguished_name +prompt = no + +[req_distinguished_name] +C = CN +ST = Beijing +L = Beijing +O = coslight +CN = eventrt-client + +[v3_client] +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth diff --git a/deploy/mq/modelrt.cnf b/deploy/mq/modelrt.cnf new file mode 100644 index 0000000..2e4ada9 --- /dev/null 
+++ b/deploy/mq/modelrt.cnf
@@ -0,0 +1,14 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CN
+ST = Beijing
+L = Beijing
+O = coslight
+CN = modelrt-client
+
+[v3_client]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
diff --git a/deploy/mq/plugins.sh b/deploy/mq/plugins.sh
new file mode 100644
index 0000000..f40866e
--- /dev/null
+++ b/deploy/mq/plugins.sh
@@ -0,0 +1 @@
+kubectl create configmap rabbit-plugins-conf --from-literal=enabled_plugins="[rabbitmq_auth_mechanism_ssl, rabbitmq_management, rabbitmq_management_agent, rabbitmq_prometheus, rabbitmq_web_dispatch]."
\ No newline at end of file
diff --git a/deploy/rabbitmq-config.yaml b/deploy/mq/rabbitmq-config.yaml
similarity index 91%
rename from deploy/rabbitmq-config.yaml
rename to deploy/mq/rabbitmq-config.yaml
index 4178401..a5cbad7 100644
--- a/deploy/rabbitmq-config.yaml
+++ b/deploy/mq/rabbitmq-config.yaml
@@ -16,15 +16,15 @@ data:
 # 开启此项配置会导致只能通过TLS端口访问
 listeners.tcp = none
 listeners.ssl.default = 5671
+ # default user config
+ load_definitions = /etc/rabbitmq/definitions.json
 # ssl config
 ssl_options.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
 ssl_options.certfile = /etc/rabbitmq/certs/server_certificate.pem
 ssl_options.keyfile = /etc/rabbitmq/certs/server_key.pem
 ssl_options.verify = verify_peer
 ssl_options.fail_if_no_peer_cert = true
- # ssl_options.verify = verify_none
- # ssl_options.fail_if_no_peer_cert = false
- # management ssl config
+ # management config
 management.ssl.port = 15671
 management.ssl.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
 management.ssl.certfile = /etc/rabbitmq/certs/server_certificate.pem
diff --git a/deploy/rabbitmq-deployment.yaml b/deploy/mq/rabbitmq-deployment.yaml
similarity index 79%
rename from deploy/rabbitmq-deployment.yaml
rename to deploy/mq/rabbitmq-deployment.yaml
index 5a9cb5e..4e2708f 100644
--- a/deploy/rabbitmq-deployment.yaml
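Review bot: The file is added as `modelrt.cnf`, but the commands in deploy.md in this same commit pass `-config modelrt.conf` and `-extfile modelrt.conf`, so the documented modelRT signing steps fail with a missing-file error as written. The sibling files (`client.conf`, `eventrt.conf`, `server.conf`) all use the `.conf` suffix, so the fix is to rename this file to `deploy/mq/modelrt.conf` rather than to change the document. Otherwise the request/extension sections mirror `eventrt.conf` exactly, with `extendedKeyUsage = clientAuth` and `CN = modelrt-client` matching the user defined in `rabbitmq-users-config.yaml`.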
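Review bot: Nothing in the new `load_definitions` block (or the rest of this hunk) selects certificate-based login, even though the whole deployment relies on it: the users in `definitions.json` have empty password hashes and deploy.md says the client cert CN must equal the username. RabbitMQ only offers EXTERNAL when it is listed in `auth_mechanisms`, and by default it derives the login name from the full distinguished name, not the CN, so a certificate with `CN = modelrt-client, O = coslight, …` would not map to user `modelrt-client`. If these are not already set in the part of rabbitmq.conf outside this hunk, add `auth_mechanisms.1 = EXTERNAL` (plus `auth_mechanisms.2 = PLAIN` if the `coslight` admin still needs password login) and `ssl_cert_login_from = common_name` next to the `# ssl config` lines. The comment `# default user config` is also misleading for a line that loads all users, vhosts and permissions; `# users/vhosts/permissions are loaded from definitions.json on every boot` describes it better.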
+++ b/deploy/mq/rabbitmq-deployment.yaml
@@ -50,6 +50,12 @@ spec:
 mountPath: /etc/rabbitmq/rabbitmq.conf
 subPath: rabbitmq.conf
 readOnly: true
+ - name: plugins-config-volume
+ mountPath: /etc/rabbitmq/enabled_plugins
+ subPath: enabled_plugins
+ - name: users-config-volume
+ mountPath: /etc/rabbitmq/definitions.json
+ subPath: definitions.json
 - name: rabbitmq-data
 mountPath: /var/lib/rabbitmq
 volumes:
@@ -59,5 +65,11 @@ spec:
 - name: rabbitmq-config-volume
 configMap:
 name: rabbitmq-config
+ - name: plugins-config-volume
+ configMap:
+ name: rabbit-plugins-conf
+ - name: users-config-volume
+ configMap:
+ name: rabbitmq-users-definitions
 - name: rabbitmq-data
 emptyDir: {}
diff --git a/deploy/rabbitmq-secret.yaml b/deploy/mq/rabbitmq-secret.yaml
similarity index 100%
rename from deploy/rabbitmq-secret.yaml
rename to deploy/mq/rabbitmq-secret.yaml
diff --git a/deploy/rabbitmq-service.yaml b/deploy/mq/rabbitmq-service.yaml
similarity index 100%
rename from deploy/rabbitmq-service.yaml
rename to deploy/mq/rabbitmq-service.yaml
diff --git a/deploy/mq/rabbitmq-users-config.yaml b/deploy/mq/rabbitmq-users-config.yaml
new file mode 100644
index 0000000..8de5f30
--- /dev/null
+++ b/deploy/mq/rabbitmq-users-config.yaml
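Review bot: The two new volumeMounts in the first hunk are missing the `readOnly: true` that the adjacent `rabbitmq.conf` mount carries, so the broker process could overwrite its own `enabled_plugins` and `definitions.json` projections; add `readOnly: true` under both `subPath:` lines for consistency with the existing mount. In the second hunk, `definitions.json` is sourced from a ConfigMap although it carries the `coslight` administrator's password hash and every user's permission set; a `secret:` volume (with `secretName:`) keeps that material out of plain ConfigMap listings and matches how the TLS material is already handled via a Secret. The `rabbitmq-data` `emptyDir` is pre-existing and not part of this change.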
@@ -0,0 +1,77 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: rabbitmq-users-definitions
+data:
+ definitions.json: |
+ {
+ "users": [
+ {
+ "name": "coslight",
+ "password_hash": "Gl2XVEJwPwDZQF8ZhsYnvm83wMkdftY3/raxyntdZueyx/Uv",
+ "hashing_algorithm": "rabbit_password_hashing_sha256",
+ "tags": ["administrator"]
+ },
+ {
+ "name": "web-client",
+ "password_hash": "",
+ "hashing_algorithm": "rabbit_password_hashing_sha256",
+ "tags": ["management"]
+ },
+ {
+ "name": "modelrt-client",
+ "password_hash": "",
+ "hashing_algorithm": "rabbit_password_hashing_sha256",
+ "tags": ["management"]
+ },
+ {
+ "name": "eventrt-client",
+ "password_hash": "",
+ "hashing_algorithm": "rabbit_password_hashing_sha256",
+ "tags": ["management"]
+ }
+ ],
+ "vhosts": [ { "name": "/" } ],
+ "permissions": [
+ {
+ "user": "coslight",
+ "vhost": "/",
+ "configure": ".*",
+ "write": ".*",
+ "read": ".*"
+ },
+ {
+ "user": "web-client",
+ "vhost": "/",
+ "configure": "^$",
+ "write": ".*",
+ "read": ".*"
+ },
+ {
+ "user": "modelrt-client",
+ "vhost": "/",
+ "configure": ".*",
+ "write": ".*",
+ "read": ".*"
+ },
+ {
+ "user": "eventrt-client",
+ "vhost": "/",
+ "configure": ".*",
+ "write": ".*",
+ "read": ".*"
+ }
+ ],
+ "topic_permissions": [],
+ "parameters": [],
+ "global_parameters": [
+ {
+ "name": "cluster_name",
+ "value": "evnetrt-rabbitmq-cluster"
+ }
+ ],
+ "policies": [],
+ "queues": [],
+ "exchanges": [],
+ "bindings": []
+ }
diff --git a/deploy/secert.sh b/deploy/mq/secert.sh
similarity index 100%
rename from deploy/secert.sh
rename to deploy/mq/secert.sh
diff --git a/deploy/mq/server.conf b/deploy/mq/server.conf
new file mode 100644
index 0000000..cf57908
--- /dev/null
+++ b/deploy/mq/server.conf
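Review bot: The `coslight` administrator entry commits a live `password_hash` for the broker's only full-rights account into a version-controlled ConfigMap, which turns the repository history into credential material for anyone who can read it; generate this entry at deploy time (e.g. from the existing Secret) and leave the checked-in definitions with `"password_hash": ""` like the other three users, which is the correct value for certificate-only logins. The `modelrt-client` and `eventrt-client` permissions grant `"configure": ".*"` on `/`, the same as the administrator, whereas `web-client` is correctly limited with `"configure": "^$"`; if the two services only declare their own queues and exchanges, a name-prefixed pattern would follow least privilege. `"value": "evnetrt-rabbitmq-cluster"` looks like a typo for `eventrt-rabbitmq-cluster`, and `"tags": ["management"]` on the three service accounts also grants management-UI/HTTP-API access that an AMQP-only client does not need unless deploy.md's 403 note refers to that API specifically.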
@@ -0,0 +1,22 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CN
+ST = Beijing
+L = Beijing
+O = coslight
+CN = rabbitmq-server
+
+[v3_server]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = rabbitmq-server
+DNS.2 = rabbitmq-service.default.svc.cluster.local
+DNS.3 = localhost
+IP.1 = 192.168.49.2
+IP.2 = 127.0.0.1
diff --git a/mq/mq_init.go b/mq/mq_init.go
index aa8ad7b..608ffaf 100644
--- a/mq/mq_init.go
+++ b/mq/mq_init.go
@@ -7,7 +7,6 @@ import (
 "crypto/x509"
 "encoding/pem"
 "fmt"
- "net/url"
 "os"
 "sync"
 "time"
@@ -148,12 +147,17 @@ func CloseRabbitProxy() {
 }
 
 func generateRabbitMQURI(rCfg config.RabbitMQConfig) string {
- user := url.QueryEscape(rCfg.User)
- password := url.QueryEscape(rCfg.Password)
+ // TODO 考虑拆分用户名密码配置项,兼容不同认证方式
+ // user := url.QueryEscape(rCfg.User)
+ // password := url.QueryEscape(rCfg.Password)
 
- amqpURI := fmt.Sprintf("amqps://%s:%s@%s:%d/",
- user,
- password,
+ // amqpURI := fmt.Sprintf("amqps://%s:%s@%s:%d/",
+ // user,
+ // password,
+ // rCfg.Host,
+ // rCfg.Port,
+ // )
+ amqpURI := fmt.Sprintf("amqps://%s:%d/",
 rCfg.Host,
 rCfg.Port,
 )
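Review bot: `extendedKeyUsage = serverAuth, clientAuth` gives the broker's own certificate the client-authentication purpose, which this deployment treats as the credential for cert-based login (deploy.md: a cert needs `clientAuth` to be accepted as a client); the server only needs `serverAuth`, so `extendedKeyUsage = serverAuth` keeps the server key from doubling as a client identity. `IP.1 = 192.168.49.2` bakes a Minikube node address into a 730-day certificate, so the cert must be reissued whenever the node IP changes; a comment such as `# minikube node IP; reissue when the cluster changes` would at least make that visible. The SAN list otherwise matches deploy.md's requirement of `localhost` and `127.0.0.1` for the SSH-tunnel case.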
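Review bot: The new `amqpURI := fmt.Sprintf("amqps://%s:%d/", …)` carries no credentials, so whether the connection authenticates at all now depends on the dial site, which is outside this hunk; if the client is amqp091-go, a URI without user info is parsed with the default `guest`/`guest` and PLAIN, so the dialer must select the certificate mechanism explicitly (e.g. `amqp.DialTLS_ExternalAuth` or `amqp.Config{SASL: []amqp.Authentication{&amqp.ExternalAuth{}}}`) and the broker must list EXTERNAL in `auth_mechanisms`, otherwise every connect fails against the `fail_if_no_peer_cert = true` broker. Please confirm that the dial code does this, and add a comment above the `Sprintf` stating it, e.g. `// No user info: the peer certificate is the credential (SASL EXTERNAL), see the dial config.` The nine commented-out lines that keep the old user/password path should be deleted rather than parked; git history preserves them, and the TODO sentence alone documents the intent. `rCfg.User` and `rCfg.Password` also appear to be unused after this change, and `%s:%d` will produce an invalid URI for an IPv6 `Host` where `net.JoinHostPort(rCfg.Host, strconv.Itoa(rCfg.Port))` would not.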