eventRT/deploy/mq/deploy.md


# RabbitMQ Deployment and mTLS Certificate Issuance Guide
## I. Certificate Issuance (PKI)
### 1. Prerequisites
Make sure the root CA files are available locally: `ca_certificate.pem` and `cakey.pem`.
### 2. Generate the RabbitMQ server certificate
The server certificate must carry the `serverAuth` extended key usage and cover every hostname and IP used to reach the broker.
**Key points of the `server.conf` config file:**
* **CN**: `rabbitmq-server`
* **SAN (alt_names)**: must include `localhost` and `127.0.0.1` so that the certificate still verifies when connecting through the SSH tunnel
```bash
# 1. Generate the server private key
openssl genrsa -out server_key.pem 2048
# 2. Generate the certificate signing request (CSR)
openssl req -new -key server_key.pem -out server_cert.csr -config server.conf
# 3. Sign the CSR with the v3_server extensions
openssl x509 -req -in server_cert.csr -CA ca_certificate.pem -CAkey cakey.pem -CAcreateserial \
  -out server_certificate.pem -days 730 -sha256 \
  -extfile server.conf -extensions v3_server
```
### 3. Generate the client certificates (modelRT / eventRT)
**Note**: the client certificate must carry the `clientAuth` extension, otherwise the connection fails with a 403 error.
#### Issuing the modelRT certificate
```bash
# 1. Generate the private key
openssl genrsa -out modelrt_client_key.pem 2048
# 2. Generate the CSR (the CN must match the RabbitMQ username: modelrt-client)
openssl req -new -key modelrt_client_key.pem -out modelrt_client_cert.csr -config modelrt.conf
# 3. Key step: sign the CSR with the v3_client extensions
openssl x509 -req -in modelrt_client_cert.csr -CA ca_certificate.pem -CAkey cakey.pem -CAcreateserial \
  -out modelrt_client_cert.pem -days 730 -sha256 \
  -extfile modelrt.conf -extensions v3_client
```
*(The eventRT certificate is issued the same way, using the `eventrt.conf` config file instead.)*
---
## II. RabbitMQ Server Deployment (K8s)
### 1. Configure users and permissions
Edit `rabbitmq-users-config.yaml`: make sure the user carries the `management` or `administrator` tag and is granted permissions on the `/` vhost.
```yaml
# Key section: definitions.json
{
  "name": "modelrt-client",
  "password_hash": "",
  "tags": ["management"]
}
```
### 2. Apply the Kubernetes configuration
```bash
# 1. Apply the user definitions
kubectl apply -f rabbitmq-users-config.yaml
# 2. Create the plugins ConfigMap
kubectl create configmap rabbit-plugins-conf \
  --from-literal=enabled_plugins="[rabbitmq_auth_mechanism_ssl, \
rabbitmq_management, rabbitmq_management_agent, \
rabbitmq_prometheus, rabbitmq_web_dispatch]."
# 3. Create the certificate Secret
kubectl create secret generic rabbitmq-certs \
  --from-file=ca.pem=ca_certificate.pem \
  --from-file=server.pem=server_certificate.pem \
  --from-file=server_key.pem=server_key.pem
# 4. Apply the deployment manifests
kubectl apply -f rabbitmq-config.yaml
kubectl apply -f rabbitmq-deployment.yaml
kubectl apply -f rabbitmq-service.yaml
```
---
## III. Development Environment Networking (SSH Tunnel)
If you develop on a Mac while RabbitMQ runs in Minikube on a remote Linux host, run the following command to open an encrypted tunnel:
```bash
# Map the NodePort (30671) of the RabbitMQ service inside the remote Minikube to local port 5671 on the Mac
ssh -L 5671:<minikube-ip>:30671 <host-user>@<host-ip>
```
---
## IV. Go Client Configuration (config.yaml)
Make sure the client config points at the tunnel entry point and enables TLS:
```yaml
rabbitmq:
  host: "localhost"
  port: 5671
  server_name: "rabbitmq-server"
  ca_cert_path: "./configs/certs/ca_certificate.pem"
  client_cert_path: "./configs/certs/modelrt_client_cert.pem"
  client_key_path: "./configs/certs/modelrt_client_key.pem"
```
---
## V. Verification and Troubleshooting
### 1. Certificate key usage check
Run the following command and confirm that the output contains `TLS Web Client Authentication`:
```bash
openssl x509 -in modelrt_client_cert.pem -noout -text | grep -A 1 "Extended Key Usage"
```
### 2. Handshake connectivity check
```bash
openssl s_client -connect localhost:5671 \
-cert modelrt_client_cert.pem \
-key modelrt_client_key.pem \
-CAfile ca_certificate.pem
```
**Expected result**: `Verify return code: 0 (ok)` appears in the output.
### 3. Log check
If the connection succeeds, the RabbitMQ log should show:
`connection <xxx>: user 'modelrt-client' authenticated and granted access to vhost '/'`