版本

软件版本
apisix3.8.0
apisix-chart2.6.0
apisix-dashboard0.8.1
k8sv1.23.17
etcd3.5.6-0
kubeadm1.23.17

安装

新建secret

# Client certificate/key pair that APISIX and the dashboard present to etcd;
# stored under the tls.crt / tls.key keys and referenced below as existingSecret "etcd-tls".
kubectl create secret tls  etcd-tls --key server.key --cert server.crt -n ingress-apisix

# CA used by the dashboard's etcd mTLS config (ca_file); the deployment below mounts only
# tls.crt of this secret at /ca-ssl/tls.crt.
# NOTE(review): a `tls` secret also stores ca.key in the cluster although nothing shown here
# reads it; a generic secret built from the certificate alone
# (kubectl create secret generic etcd-ca-tls --from-file=tls.crt=ca.crt -n ingress-apisix)
# keeps the CA private key out of the cluster — confirm nothing else depends on the tls type.
kubectl create secret tls  etcd-ca-tls --key ca.key --cert ca.crt -n ingress-apisix

[root@k8s-test-01 etcd]# kubectl get secret -n ingress-apisix |grep etcd
etcd-ca-tls                        kubernetes.io/tls                     2      23h
etcd-tls                           kubernetes.io/tls                     2      23h
证书查看
  • 这里查看了etcd-tls这个secret的内容: crt内容存放在tls.crt字段内, key内容存放在tls.key字段内。
  • tls.crt和tls.key这两个字段, 挂载到k8s容器内时会以同名文件存在。需要注意configmap和deployment中引用的文件名要和这里保持一致。
[root@k8s-test-01 etcd]# kubectl get secret etcd-tls -n ingress-apisix -oyaml
apiVersion: v1
data:
  tls.crt: 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
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd2dqRlN4N1FlNy93VlV4Vm1OTThhM3A5N0kyT014dHJySTRlVXd6dW9yb0hUVXU5CksrbEpnOTdHK0djRjJVTERjaFVScTA4K2w4WVRManU4MHhtc01EZ3UwejJ4aGNGSktrQnVIYzUxdzlaVjJjbW4KV2J5bWVYYlBxNzVMbmZFRjJDM3IxK1BmR1Z5K09PTnIrdFV3T2FTRVlYUXJsSzQxMU1ld0ZPd2xDSHBhNTRRNQowa3pXMExWRis3USs4cXk1b29pQ05lV0h2MkFJbEV2WnpHc0ZhTjR0czhvdmJNc3dCVlNvbU4rTndOQUJQTkdsCnNrbVgzSzZoWk1JVmQzYlBCQTR5SU9ySEZRK0x4NG50R3NYZzBETzNuQ3kxQ1E1Um0rOVh1N1ZsZVUyNlFTZlEKUEJ5dFBBQVBKV0xzOGJFNUZSTWpNcEVSVFM4WE5SdlM1dnZiandJREFRQUJBb0lCQVFDUmo5emFmeEp1VTg2cgpYdW0wRFh2OU1WWjRlTFZkMTh0T0Z3dmV5QXZhSGU3T2FPeFFuZUZkd1duSS9oaWdKWHJVQWNSUW5ORmJNT2hBCnZlWHBCQkJ0MkNnZ3B0NmZkaUk2UlQyV3RNVWFGcGd2R3gybHIyWEFKNGFoMDgrTWZEMGpNVWdGbk5oSWdZL2UKdzVYRkJkdjQwbGZSZUVJZGR4ZkJPZEQ1MFRIekNlOUJFOG5Lc3B4MUcrK29JWXQzRXdtNURSeHhaSk1WamRnTQp3SUtqRGYrTWl5QWJGZ29CZUlNditkYWVqbzYyQlh1ajhoOFZxYllrMDlGeXkySExFRVZxZVNHbWhaRGpPZDdRCnFxQjBSbFBpVjZQNnFxY1RHWlhxa1pMRUQrU1FqNDBhZE9jVkNCcnRHV1ZwdTErM2hjNTVkampvaXhzVUdNNG4KSEMrOTdDa0JBb0dCQU1tQ1Q3dm5PemlMNFVoNWF1VXlVRlBpZTJLR3BpVWdNNVdWUGxxekVxNFcwSFoxVCtpTgpIdUdmRnFhcTRjRTFRRmdhUlZRVGZtdFFxMFNueGNoWUJGbCt5SVhIcWVMT0NwVVZ0RGwvV0Y4NUNLQWZSMnloCjZDN1I5RmFwM0VBUVUvVWdvem5uMHE0LzVDWXVadm8rTVJlU25LS0tmenZDQVRUZFNKOSt0cVdCQW9HQkFQYUIKQW8xNVhoemg5aWpYUTFRSDdEYnpHZU4rcHFiK1gyNjlOb3AzMG00L3gyTWo0K0pFZU1wWDNaeis5eFNra3dxdwp0Rmd6K0FNYUdjcmFDK1NkN2M4eU5UdjJxSnkxZWM2NmZkd1BmSnNGNHVWSDRySkJwU0RWNkRYbGJKdnNXTGg2CnNua3JyeW1HU2gvUnhCWGlsdWxONlNHOEpIVEpkZEo1QXlzR0Jxa1BBb0dBVVdFS0dHV2EyZ3hMci93dytsem0KYWVvbVVEVDJ0am1aKzRmcFJiSGFFbXB1UjlpNnE3MEtRcTMvOU5GQUdNb0xzVWp5eExDV3RubytvSnhzMktzTApIcVdBRDk4QnNmSHAvaWxrdm0rNlhjSm54RnE5ZXBhc2NQUWpqRGhQRmFSQ2M5VjVkZkkwZUdDZkgvaFBhREpqCm14Ui9vM2p4UjAzak5ObEU4ZnkzZ0lFQ2dZRUE5aWxqQ1RDWVFUT05oTDlpNXZsNmRHMVQveEN0RDdxYVJwWUIKYjBtMUJKQUFad3FpT1lTek15MkhpNDQ1NDQxdG9aRlFwM3hPUVpyQkF3ZTROTGRaa2ozTFYzUThjVEh3ei9jQQpWTS9LV1cwSlpubmc4cTRIWHNEK1FVUTRyNFRZSEhHNjVMSXhHOENWS1MxcktZZTd1SVFyT1pzT3RPbXlGVnJ2ClJQbWhrUlVDZ1lCejZLZ0tXWVBMb1FFWkVLYUpjL
09UQkt4UFlvTEZkM1Jsby9aVGtnbWl6cjdrZVJrbitLODIKcVJLNkFiQ21KOVJ4ZFl6MXdJZDdyTkdsSDVIRDJIUndONnB4OHEwM1RjWS9oZXJWNmVYVkgvUTNrVDRvSTZUbwptQVpWOW9VSlZWd0tGenBoOVorTlA5MEdLeTlKcldhc0d6QkJKTXYyaDBLZzlDVDFCRXJZbEE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  creationTimestamp: "2024-02-18T06:25:58Z"
  name: etcd-tls
  namespace: ingress-apisix
  resourceVersion: "4280771"
  uid: e6124fd1-61ac-489c-9757-bf83dc13ea41
type: kubernetes.io/tls

apisix支持tls连接

  • 配置values.yaml,支持etcd tls认证
# -- external etcd configuration. If etcd.enabled is false, these configuration will be used.
externalEtcd:
  # -- if etcd.enabled is false, use external etcd, support multiple address, if your etcd cluster enables TLS, please use https scheme, e.g. https://127.0.0.1:2379.
  host:
    # host or ip e.g. http://172.20.128.89:2379
    ## 这里配置支持tls链接的etcd
    - https://10.10.10.102:2379
  # -- 禁止使用用户账号
  ## 自定义参数: 关闭使用用户认证,否则apisix的配置deployment.etcd.user和deployment.etcd.password会有配置。
  userEnabled: false
  # -- if etcd.enabled is false, user for external etcd. Set empty to disable authentication
  user: root
  # -- if etcd.enabled is true, use etcd.auth.rbac.rootPassword instead.
  # -- if etcd.enabled is false and externalEtcd.existingSecret is not empty, the password should store in the corresponding secret
  # -- if etcd.enabled is false and externalEtcd.existingSecret is empty, externalEtcd.password is the password for external etcd.
  password: ""
  # -- if externalEtcd.existingSecret is the name of secret containing the external etcd password
  existingSecret: ""
  # -- externalEtcd.secretPasswordKey Key inside the secret containing the external etcd password
  secretPasswordKey: "etcd-root-password"

# -- etcd configuration
# use the FQDN address or the IP of the etcd
etcd:
  # -- install etcd(v3) by default, set false if do not want to install etcd(v3) together
  ## 设置false,禁止使用内部http连接的etcd
  enabled: false
  # -- apisix configurations prefix
  ## 数据存储位置
  prefix: "/apisix"
  # -- Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster
  timeout: 30

  # -- if etcd.enabled is true, set more values of bitnami/etcd helm chart
  auth:
    rbac:
      # -- No authentication by default. Switch to enable RBAC authentication
      create: false
      # -- root password for etcd. Requires etcd.auth.rbac.create to be true.
      rootPassword: ""
    tls:
      # -- enable etcd client certificate
      ## 启用apisix和etcd的tls认证
      enabled: true
      # -- name of the secret contains etcd client cert
      ## 连接etcd的证书存储secret
      existingSecret: "etcd-tls"
      # -- etcd client cert filename using in etcd.auth.tls.existingSecret
      ## 连接etcd的crt名称,默认是tls.crt
      certFilename: "tls.crt"
      # -- etcd client cert key filename using in etcd.auth.tls.existingSecret
      ## 连接etcd的key名称,默认是tls.key
      certKeyFilename: "tls.key"
      # -- whether to verify the etcd endpoint certificate when setup a TLS connection to etcd
      ## 这里设置false会跳过对etcd服务端证书的校验, 只是避开了校验报错; 若apisix能信任签发etcd证书的CA, 建议保持true
      verify: false
      # -- specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset.
      ## sni默认为空,则配置文件不会填写,如下图
      sni: ""

  service:
    port: 2379

  replicaCount: 3

image-20240218161505441

apisix-dashboard 支持tls连接

values.yaml新增mtls配置
config:
  conf:
    listen:
      # -- The address on which the Manager API should listen.
      # The default value is 0.0.0.0, if want to specify, please enable it.
      # This value accepts IPv4, IPv6, and hostname.
      host: 0.0.0.0
      # -- The port on which the Manager API should listen.
      port: 9000
    etcd:
      # -- Supports defining multiple etcd host addresses for an etcd cluster
      endpoints:
        - apisix-etcd:2379
      # -- apisix configurations prefix
      prefix: "/apisix"
      # -- Specifies etcd basic auth username if enable etcd auth
      username: ~
      # -- Specifies etcd basic auth password if enable etcd auth
      password: ~
      ## -- 以下是新增的mtls配置, 使dashboard支持tls认证
      mtls:
        # -- 是否支持tls认证
        enabled: true
        # -- 存放ca证书的secret名称
        existingCASecret: "etcd-ca-tls"
        # -- 存放etcd证书的secret名称
        existingETCDSecret: "etcd-tls"
configmap.yaml修改
  • 新增conf.etcd.mtls配置
        {{- if .mtls.enabled }}
        mtls:
          key_file: "/etcd-ssl/tls.key"
          cert_file: "/etcd-ssl/tls.crt"
          ca_file: "/ca-ssl/tls.crt"
        {{- end }}

image-20240219142352517

deployment.yaml修改
  • 将新增的证书文件挂载至容器内部, 挂载位置需和configmap中的配置保持一致
          volumeMounts:
            - mountPath: /usr/local/apisix-dashboard/conf/conf.yaml
              name: apisix-dashboard-config
              subPath: conf.yaml
            {{- if .Values.config.conf.etcd.mtls.enabled }}
            - mountPath: /ca-ssl/tls.crt
              name: ca-ssl
              subPath: tls.crt
            - mountPath: /etcd-ssl
              name: etcd-ssl
            {{- end }}
      volumes:
        - configMap:
            name: {{ include "apisix-dashboard.fullname" . }}
          name: apisix-dashboard-config
        {{- if .Values.config.conf.etcd.mtls.enabled }}
        - secret:
            secretName: {{ .Values.config.conf.etcd.mtls.existingCASecret | quote }}
          name: ca-ssl
        - secret:
            secretName: {{ .Values.config.conf.etcd.mtls.existingETCDSecret | quote }}
          name: etcd-ssl
        {{- end }}

image-20240219142839127

附件

https://github.com/apache/apisix-dashboard/blob/master/api/conf/conf.yaml

apisix-dashboard配置文件

# yamllint disable rule:comments-indentation
conf:
  listen:
    # host: 127.0.0.1     # the address on which the `Manager API` should listen.
                          # The default value is 0.0.0.0, if want to specify, please enable it.
                          # This value accepts IPv4, IPv6, and hostname.
    port: 9000            # The port on which the `Manager API` should listen.

  # ssl:
  #   host: 127.0.0.1     # the address on which the `Manager API` should listen for HTTPS.
                          # The default value is 0.0.0.0, if want to specify, please enable it.
  #   port: 9001            # The port on which the `Manager API` should listen for HTTPS.
  #   cert: "/tmp/cert/example.crt" # Path of your SSL cert.
  #   key:  "/tmp/cert/example.key"  # Path of your SSL key.

  allow_list:             # If we don't set any IP list, then any IP access is allowed by default.
    - 127.0.0.1           # The rules are checked in sequence until the first match is found.
    - ::1                 # In this example, access is allowed only for IPv4 network 127.0.0.1, and for IPv6 network ::1.
                          # It also support CIDR like 192.168.1.0/24 and 2001:0db8::/32
  etcd:
    endpoints:            # supports defining multiple etcd host addresses for an etcd cluster
      - 127.0.0.1:2379
                          # yamllint disable rule:comments-indentation
                          # etcd basic auth info
    # username: "root"    # ignore etcd username if not enable etcd auth
    # password: "123456"  # ignore etcd password if not enable etcd auth
    mtls:
      key_file: ""          # Path of your self-signed client side key
      cert_file: ""         # Path of your self-signed client side cert
      ca_file: ""           # Path of your self-signed ca cert, the CA is used to sign callers' certificates
    # prefix: /apisix       # apisix config's prefix in etcd, /apisix by default