构建后端为etcd的CoreDNS的容器集群(四)、etcd挂载私有自签名证书进行访问测试

本文使用官方etcd镜像生成一个容器,挂载私有自签名证书,并进行功能测试。

一、镜像获取

请见上文:构建后端为etcd的CoreDNS的容器集群(二)、下载最新的etcd容器镜像

建议先进行镜像功能测试:构建后端为etcd的CoreDNS的容器集群(三)、etcd功能测试

二、查看镜像
bash 复制代码
[root@localhost opt]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
quay.io/coreos/etcd   v3.5.16             8523cb381f23        5 weeks ago         59MB
三、创建容器

为便于检查创建参数并进行保存,建议通过脚本进行创建,先进行单容器创建测试。自签名证书统一放置在/opt/etcd/ssl/中,制作方法参见:构建后端为etcd的CoreDNS的容器集群(一)、生成自签名证书

脚本内容如下:

bash 复制代码
[root@localhost etcd]# cat etcd_docker-withssl_run.sh
  docker run  -d \
  -p 2379:2379 \
  -p 2380:2380 \
  -v /opt/etcd/ssl/etcd.pem:/etc/etcd/ssl/etcd.pem \
  -v /opt/etcd/ssl/etcd-key.pem:/etc/etcd/ssl/etcd-key.pem \
  -v /opt/etcd/ssl/ca.pem:/etc/etcd/ssl/ca.pem \
  --name etcd-1 \
  quay.io/coreos/etcd:v3.5.16 \
  /usr/local/bin/etcd \
  --name etcd-1 \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --listen-client-urls https://0.0.0.0:2379 \
  --advertise-client-urls https://0.0.0.0:2379 \
  --listen-peer-urls http://0.0.0.0:2380 \
  --initial-advertise-peer-urls http://0.0.0.0:2380 \
  --initial-cluster etcd-1=http://0.0.0.0:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \

注意2379端口连接方式调整为https,改为创建容器

bash 复制代码
[root@localhost etcd]# sh etcd_docker-withssl_run.sh 
0510a0b57695aea184ee7114c1a95056a36b0ad03a998cdb5d19b34a89ce8775
[root@localhost etcd]# docker ps
CONTAINER ID        IMAGE                         COMMAND                  CREATED             STATUS              PORTS                              NAMES
0510a0b57695        quay.io/coreos/etcd:v3.5.16   "/usr/local/bin/etcd..."   6 seconds ago       Up 4 seconds        0.0.0.0:2379-2380->2379-2380/tcp   etcd-1
四、配置hosts

因为证书配置里的主机清单为 "hosts": [ "etcd-1", "etcd-2","etcd-3","coredns-1","coredns-2","coredns-3","127.0.0.1","localhost"],需要修改本机hosts文件

bash 复制代码
[root@localhost etcd]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.80.135 etcd-1
五、API健康检查

现在容器内不带证书测试健康状态已无法取到了

bash 复制代码
[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl endpoint health
{"level":"warn","ts":"2024-10-17T03:23:43.158797Z","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000456000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: EOF\""}
127.0.0.1:2379 is unhealthy: failed to commit proposal: context deadline exceeded

使用https方式并挂载证书,可以正常访问

bash 复制代码
[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl --endpoints=https://127.0.0.1:2379 --cacert /etc/etcd/ssl/ca.pem --cert /etc/etcd/ssl/etcd.pem  --key /etc/etcd/ssl/etcd-key.pem   endpoint health
https://127.0.0.1:2379 is healthy: successfully committed proposal: took = 23.54756ms

在容器外测试不带证书访问:

bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  endpoint health                                                                
{"level":"warn","ts":"2024-10-17T11:11:32.106740+0800","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00036a000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\""}
https://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster
[root@localhost etcd]# ./etcdctl --endpoints=http://etcd-1:2379  endpoint health 
{"level":"warn","ts":"2024-10-17T11:11:41.867510+0800","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000468000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: read tcp 192.168.80.135:35448->192.168.80.135:2379: read: connection reset by peer\""}
http://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster

带证书访问

bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem endpoint health   
https://etcd-1:2379 is healthy: successfully committed proposal: took = 18.912612ms

结果正常

六、数据存取测试
bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get foo
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem put foo bar
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get foo    
foo
bar
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem put www.sina.com.cn 192.168.8.9
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get www.sina.com.cn
www.sina.com.cn
192.168.8.9

可见,携带证书访问etcd数据库正常。

相关推荐
꧁坚持很酷꧂几秒前
Linux Ubuntu18.04下安装Qt Craeator 5.12.9(图文详解)
linux·运维·qt
Claudio9 分钟前
【MySQL】联合索引和覆盖索引(索引失效的误区讲解+案例分析)
数据库
纪元A梦23 分钟前
Redis最佳实践——性能优化技巧之监控与告警详解
数据库·redis·性能优化
GarfieldFine34 分钟前
MySQL索引使用一定有效吗?如何排查索引效果?
数据库·mysql
cypking1 小时前
mysql 安装
数据库·mysql·adb
一个数据大开发1 小时前
解读《数据资产质量评估实施规则》:企业数据资产认证落地的关键指南
大数据·数据库·人工智能
鬼面瓷1 小时前
CAPL编程_03
前端·数据库·笔记
小诸葛的博客1 小时前
详解Linux中的定时任务管理工具crond
linux·运维·chrome
一默19912 小时前
CentOS 7.9升级OpenSSH到9.9p2
linux·运维·centos
欧先生^_^2 小时前
Jinja 的详细介绍和学习方法
数据库·sqlite