构建后端为etcd的CoreDNS的容器集群(四)、etcd挂载私有自签名证书进行访问测试

本文使用官方etcd镜像生成一个容器,挂载私有自签名证书,并进行功能测试。

一、镜像获取

请见上文:构建后端为etcd的CoreDNS的容器集群(二)、下载最新的etcd容器镜像

建议先进行镜像功能测试:构建后端为etcd的CoreDNS的容器集群(三)、etcd功能测试

二、查看镜像
bash 复制代码
[root@localhost opt]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
quay.io/coreos/etcd   v3.5.16             8523cb381f23        5 weeks ago         59MB
三、创建容器

为便于检查创建参数并进行保存,建议通过脚本进行创建,先进行单容器创建测试。自签名证书统一放置在/opt/etcd/ssl/中,制作方法参见:构建后端为etcd的CoreDNS的容器集群(一)、生成自签名证书

脚本内容如下:

bash 复制代码
[root@localhost etcd]# cat etcd_docker-withssl_run.sh
  docker run  -d \
  -p 2379:2379 \
  -p 2380:2380 \
  -v /opt/etcd/ssl/etcd.pem:/etc/etcd/ssl/etcd.pem \
  -v /opt/etcd/ssl/etcd-key.pem:/etc/etcd/ssl/etcd-key.pem \
  -v /opt/etcd/ssl/ca.pem:/etc/etcd/ssl/ca.pem \
  --name etcd-1 \
  quay.io/coreos/etcd:v3.5.16 \
  /usr/local/bin/etcd \
  --name etcd-1 \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --listen-client-urls https://0.0.0.0:2379 \
  --advertise-client-urls https://0.0.0.0:2379 \
  --listen-peer-urls http://0.0.0.0:2380 \
  --initial-advertise-peer-urls http://0.0.0.0:2380 \
  --initial-cluster etcd-1=http://0.0.0.0:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \

注意2379端口连接方式调整为https,改为创建容器

bash 复制代码
[root@localhost etcd]# sh etcd_docker-withssl_run.sh 
0510a0b57695aea184ee7114c1a95056a36b0ad03a998cdb5d19b34a89ce8775
[root@localhost etcd]# docker ps
CONTAINER ID        IMAGE                         COMMAND                  CREATED             STATUS              PORTS                              NAMES
0510a0b57695        quay.io/coreos/etcd:v3.5.16   "/usr/local/bin/etcd..."   6 seconds ago       Up 4 seconds        0.0.0.0:2379-2380->2379-2380/tcp   etcd-1
四、配置hosts

因为证书配置里的主机清单为 "hosts": [ "etcd-1", "etcd-2","etcd-3","coredns-1","coredns-2","coredns-3","127.0.0.1","localhost"],需要修改本机hosts文件

bash 复制代码
[root@localhost etcd]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.80.135 etcd-1
五、API健康检查

现在容器内不带证书测试健康状态已无法取到了

bash 复制代码
[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl endpoint health
{"level":"warn","ts":"2024-10-17T03:23:43.158797Z","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000456000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: EOF\""}
127.0.0.1:2379 is unhealthy: failed to commit proposal: context deadline exceeded

使用https方式并挂载证书,可以正常访问

bash 复制代码
[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl --endpoints=https://127.0.0.1:2379 --cacert /etc/etcd/ssl/ca.pem --cert /etc/etcd/ssl/etcd.pem  --key /etc/etcd/ssl/etcd-key.pem   endpoint health
https://127.0.0.1:2379 is healthy: successfully committed proposal: took = 23.54756ms

在容器外测试不带证书访问:

bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  endpoint health                                                                
{"level":"warn","ts":"2024-10-17T11:11:32.106740+0800","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00036a000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\""}
https://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster
[root@localhost etcd]# ./etcdctl --endpoints=http://etcd-1:2379  endpoint health 
{"level":"warn","ts":"2024-10-17T11:11:41.867510+0800","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000468000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: read tcp 192.168.80.135:35448->192.168.80.135:2379: read: connection reset by peer\""}
http://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster

带证书访问

bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem endpoint health   
https://etcd-1:2379 is healthy: successfully committed proposal: took = 18.912612ms

结果正常

六、数据存取测试
bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get foo
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem put foo bar
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get foo    
foo
bar
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem put www.sina.com.cn 192.168.8.9
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get www.sina.com.cn
www.sina.com.cn
192.168.8.9

可见,携带证书访问etcd数据库正常。

相关推荐
Arbori_2621513 分钟前
获取oracle表大小
数据库·oracle
王强你强19 分钟前
MySQL 高级查询:JOIN、子查询、窗口函数
数据库·mysql
草巾冒小子20 分钟前
brew 安装mysql,启动,停止,重启
数据库·mysql
用户62799471826227 分钟前
南大通用GBase 8c分布式版本gha_ctl 命令-HI参数详解
数据库
刘若水33 分钟前
Linux: 进程信号初识
linux·运维·服务器
斯汤雷36 分钟前
Matlab绘图案例,设置图片大小,坐标轴比例为黄金比
数据库·人工智能·算法·matlab·信息可视化
SQLplusDB43 分钟前
Oracle 23ai Vector Search 系列之3 集成嵌入生成模型(Embedding Model)到数据库示例,以及常见错误
数据库·oracle·embedding
喝醉酒的小白1 小时前
SQL Server 可用性组自动种子设定失败问题
数据库
chem41111 小时前
Conmon lisp Demo
服务器·数据库·lisp
阳小江1 小时前
Docker知识点
运维·docker·容器