江苏龙网

  1. 主页 > 生活百科 > >

一文搞懂 Traefik2.1 的使用( 六 )

Traefik

将上面证书放置到 certs 目录下面,然后我们新建一个 02-tls-mongo 的目录,在该目录下面执行如下命令来生成证书:
$ bash ../certs/generate-certificates.sh mongo.local .== Checking Requirements...== Generating Certificates for the following domains: mongo.local...最后的目录如下所示,在 02-tls-mongo 目录下面会生成包含证书的 certs 目录:
$ tree ..├── 01-mongo│├── mongo-ingressroute-tcp.yaml│└── mongo.yaml├── 02-tls-mongo│└── certs│├── cert.pem│├── key.pem│└── mongo.pem└── certs├── generate-certificates.sh├── minica-key.pem└── minica.pem在 02-tls-mongo/certs 目录下面执行如下命令通过 Secret 来包含证书内容:
$ kubectl create secret tls traefik-mongo-certs --cert=cert.pem --key=key.pemsecret/traefik-mongo-certs created然后重新更新 IngressRouteTCP 对象,增加 TLS 配置:
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: mongo-traefik-tcpspec:entryPoints:- mongoroutes:- match: HostSNI(`mongo.local`)services:- name: mongo-traefikport: 27017tls:secretName: traefik-mongo-certs同样更新后,现在我们直接去访问应用就会被 hang 住,因为我们没有提供证书:
$ mongo --host mongo.local --port 27017MongoDB shell version: 2.6.1connecting to: mongo1.local:27017/test这个时候我们可以带上证书来进行连接:
$ mongo --host mongo.local --port 27017 --ssl --sslCAFile=../certs/minica.pem --sslPEMKeyFile=./certs/mongo.pemMongoDB shell version v4.0.3connecting to: mongodb://mongo.local:27017/Implicit session: session { "id" : UUID("e7409ef6-8ebe-4c5a-9642-42059bdb477b") }MongoDB server version: 4.0.14......> show dbs;admin0.000GBconfig0.000GBlocal0.000GB可以看到现在就可以连接成功了,这样就完成了一个使用 TLS 证书代理 TCP 服务的功能,这个时候如果我们使用其他的域名去进行连接就会报错了,因为现在我们指定的是特定的 HostSNI:
$ mongo --host mongo.k8s.local --port 27017 --ssl --sslCAFile=../certs/minica.pem --sslPEMKeyFile=./certs/mongo.pemMongoDB shell version v4.0.3connecting to: mongodb://mongo.k8s.local:27017/2019-12-29T15:03:52.424+0800 E NETWORK[js] SSL peer certificate validation failed: Certificate trust failure: cssMERR_TP_NOT_TRUSTED; connection rejected2019-12-29T15:03:52.429+0800 E QUERY[js] Error: couldn't connect to server mongo.qikqiak.com:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected :connect@src/mongo/shell/mongo.js:257:13@(connect):1:6exception: connect failed当然我们也可以使用 ACME 来为我们提供一个合法的证书,这样在连接的使用就不需要指定证书了,如下所示:
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: mongo-traefik-tcpspec:entryPoints:- mongoroutes:- match: HostSNI(`mongo.qikqiak.com`)services:- name: mongo-traefikport: 27017tls:certResolver: alidomains:- main: "*.qikqiak.com"这样当我们连接的时候就只需要如下的命令即可:
$ mongo --host mongo.qikqiak.com --port 27017 --ssl来源:https://www.qikqiak.com/post/traefik-2.1-101/




推荐阅读


上一篇:碧螺春和雀舌,雀舌茶叶

下一篇:苍山雪绿茶的制茶工序,云南苍山雪绿茶先容