构建后端为etcd的CoreDNS的容器集群(四)、etcd挂载私有自签名证书进行访问测试

本文使用官方etcd镜像生成一个容器,挂载私有自签名证书,并进行功能测试。

一、镜像获取

请见上文:构建后端为etcd的CoreDNS的容器集群(二)、下载最新的etcd容器镜像

建议先进行镜像功能测试:构建后端为etcd的CoreDNS的容器集群(三)、etcd功能测试

二、查看镜像
bash 复制代码
[root@localhost opt]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
quay.io/coreos/etcd   v3.5.16             8523cb381f23        5 weeks ago         59MB
三、创建容器

为便于检查创建参数并进行保存,建议通过脚本进行创建,先进行单容器创建测试。自签名证书统一放置在/opt/etcd/ssl/中,制作方法参见:构建后端为etcd的CoreDNS的容器集群(一)、生成自签名证书

脚本内容如下:

bash 复制代码
[root@localhost etcd]# cat etcd_docker-withssl_run.sh
  docker run  -d \
  -p 2379:2379 \
  -p 2380:2380 \
  -v /opt/etcd/ssl/etcd.pem:/etc/etcd/ssl/etcd.pem \
  -v /opt/etcd/ssl/etcd-key.pem:/etc/etcd/ssl/etcd-key.pem \
  -v /opt/etcd/ssl/ca.pem:/etc/etcd/ssl/ca.pem \
  --name etcd-1 \
  quay.io/coreos/etcd:v3.5.16 \
  /usr/local/bin/etcd \
  --name etcd-1 \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --listen-client-urls https://0.0.0.0:2379 \
  --advertise-client-urls https://0.0.0.0:2379 \
  --listen-peer-urls http://0.0.0.0:2380 \
  --initial-advertise-peer-urls http://0.0.0.0:2380 \
  --initial-cluster etcd-1=http://0.0.0.0:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \

注意2379端口连接方式调整为https,改为创建容器

bash 复制代码
[root@localhost etcd]# sh etcd_docker-withssl_run.sh 
0510a0b57695aea184ee7114c1a95056a36b0ad03a998cdb5d19b34a89ce8775
[root@localhost etcd]# docker ps
CONTAINER ID        IMAGE                         COMMAND                  CREATED             STATUS              PORTS                              NAMES
0510a0b57695        quay.io/coreos/etcd:v3.5.16   "/usr/local/bin/etcd..."   6 seconds ago       Up 4 seconds        0.0.0.0:2379-2380->2379-2380/tcp   etcd-1
四、配置hosts

因为证书配置里的主机清单为 "hosts": [ "etcd-1", "etcd-2","etcd-3","coredns-1","coredns-2","coredns-3","127.0.0.1","localhost"],需要修改本机hosts文件

bash 复制代码
[root@localhost etcd]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.80.135 etcd-1
五、API健康检查

现在容器内不带证书测试健康状态已无法取到了

bash 复制代码
[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl endpoint health
{"level":"warn","ts":"2024-10-17T03:23:43.158797Z","logger":"client","caller":"v3@v3.5.16/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000456000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: EOF\""}
127.0.0.1:2379 is unhealthy: failed to commit proposal: context deadline exceeded

使用https方式并挂载证书,可以正常访问

bash 复制代码
[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl --endpoints=https://127.0.0.1:2379 --cacert /etc/etcd/ssl/ca.pem --cert /etc/etcd/ssl/etcd.pem  --key /etc/etcd/ssl/etcd-key.pem   endpoint health
https://127.0.0.1:2379 is healthy: successfully committed proposal: took = 23.54756ms

在容器外测试不带证书访问:

bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  endpoint health                                                                
{"level":"warn","ts":"2024-10-17T11:11:32.106740+0800","logger":"client","caller":"v3@v3.5.16/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00036a000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\""}
https://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster
[root@localhost etcd]# ./etcdctl --endpoints=http://etcd-1:2379  endpoint health 
{"level":"warn","ts":"2024-10-17T11:11:41.867510+0800","logger":"client","caller":"v3@v3.5.16/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000468000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: read tcp 192.168.80.135:35448->192.168.80.135:2379: read: connection reset by peer\""}
http://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster

带证书访问

bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem endpoint health   
https://etcd-1:2379 is healthy: successfully committed proposal: took = 18.912612ms

结果正常

六、数据存取测试
bash 复制代码
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get foo
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem put foo bar
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get foo    
foo
bar
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem put www.sina.com.cn 192.168.8.9
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get www.sina.com.cn
www.sina.com.cn
192.168.8.9

可见,携带证书访问etcd数据库正常。

相关推荐
DEARM LINER16 分钟前
mysql 巧妙的索引
数据库·spring boot·后端·mysql
码农幻想梦1 小时前
实验九 视图的使用
前端·数据库·oracle
影子落人间1 小时前
Oracle创建存储过程,创建定时任务
数据库·oracle
大G哥1 小时前
02、Oracle过滤和排序数据
数据库·oracle
Drscq2 小时前
How to migrate a CentOS 8 to Rocky Linux 8.10
linux·运维·centos
修心光2 小时前
CentOS配置iptables规则并使其永久生效
linux·运维·centos
加载中loading...2 小时前
Linux线程安全(二)条件变量实现线程同步
linux·运维·服务器·c语言·1024程序员节
安科瑞刘鸿鹏2 小时前
校园建筑用电安全监测装置 电气火灾监测预防设备功能介绍
运维·服务器·网络·嵌入式硬件·安全·能源
课堂随想2 小时前
【libGL error】Autodl云服务器配置ACT的conda虚拟环境生成训练数据时,遇到了libGL相关错误,涉及swrast_dri.so
运维·服务器·conda
代码吐槽菌3 小时前
基于SSM的汽车客运站管理系统【附源码】
java·开发语言·数据库·spring boot·后端·汽车