Ceph object storage: configuring HTTPS on the ingress service

Published 2023-08-07 10:09:11 Author: Varden

Whenever TLS Secrets are referred to, PEM-encoded X.509, RSA (2048) Secrets are meant. A self-signed certificate and private key can be generated with the following command:

$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}"

For example:

$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout test.key -out test.crt -subj "/CN=www.test.com/O=www.test.com"

Ingress service specification:

service_type: ingress
service_id: rgw.something    # adjust to match your existing RGW service
placement:
  hosts:
    - host1
    - host2
    - host3
spec:
  backend_service: rgw.something      # adjust to match your existing RGW service
  virtual_ips_list:
  - <string>/<string>                 # ex: 192.168.20.1/24
  - <string>/<string>                 # ex: 192.168.20.2/24
  - <string>/<string>                 # ex: 192.168.20.3/24
  frontend_port: <integer>            # ex: 8080
  monitor_port: <integer>             # ex: 1967, used by haproxy for load balancer status
  virtual_interface_networks: [ ... ] # optional: list of CIDR networks
  ssl_cert: |                         # optional: SSL certificate and key
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----

The properties of this service specification are:

    service_type

        Required and set to "ingress".

    service_id

        The name of the service. We recommend naming it after the service whose ingress it controls (for example, rgw.foo).

    placement hosts

        The hosts on which the HA daemons are to run. One haproxy container and one keepalived container will be deployed on each of these hosts. These hosts do not need to match the nodes where RGW is deployed.

    virtual_ip

        The virtual IP (and network), in CIDR format, at which the ingress service will be available.

    virtual_ips_list

        The virtual IP addresses, in CIDR format, at which the ingress service will be available. Each virtual IP address will be primary on one of the nodes running the ingress service. The number of virtual IP addresses must be less than or equal to the number of ingress nodes.

    virtual_interface_networks

        A list of networks used to identify which Ethernet interface to use for the virtual IP.

    frontend_port

        The port used to access the ingress service.

    ssl_cert

        The SSL certificate, if SSL is to be enabled. It must contain both the certificate and the private key blocks in .pem format.
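As an added example (not part of the original post and not Ceph's own code), the following Python assembles the ingress spec shown above from a certificate file and a key file: it checks that ssl_cert will carry both a CERTIFICATE block and an unencrypted PRIVATE KEY block whose bodies decode to DER, that the virtual IP count does not exceed the host count, and that the PEM text is indented correctly under the block scalar. The PEM bodies used here are constructed stand-ins (a minimal DER SEQUENCE), not a real certificate or key.

```python
import base64
import re
import textwrap

# One PEM block: label, base64 body, and the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, DER bytes)] for each PEM block; reject bodies that do not decode."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certs and PKCS#8/PKCS#1 keys are DER SEQUENCEs
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        if label.startswith("ENCRYPTED"):  # haproxy needs an unencrypted key (hence -nodes above)
            raise ValueError("private key must not be passphrase-protected")
        blocks.append((label, der))
    return blocks


def build_ingress_spec(rgw_service, hosts, vips, frontend_port, monitor_port, cert_pem, key_pem):
    """Render the cephadm ingress spec with cert and key in one ssl_cert block scalar."""
    pem_text = cert_pem.strip() + "\n" + key_pem.strip()
    labels = [label for label, _ in pem_blocks(pem_text)]
    if "CERTIFICATE" not in labels or not any(l.endswith("PRIVATE KEY") for l in labels):
        raise ValueError("ssl_cert must contain a CERTIFICATE and a PRIVATE KEY block")
    if len(vips) > len(hosts):  # each VIP is primary on exactly one ingress node
        raise ValueError("number of virtual IPs must not exceed number of ingress hosts")
    for vip in vips:
        if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/\d{1,2}", vip):
            raise ValueError(f"virtual IP {vip!r} is not in CIDR form")
    host_lines = "\n".join(f"    - {h}" for h in hosts)
    vip_lines = "\n".join(f"  - {v}" for v in vips)
    # The block-scalar body must be indented deeper than the ssl_cert key itself.
    pem = textwrap.indent(pem_text, "    ")
    return (
        f"service_type: ingress\nservice_id: {rgw_service}\nplacement:\n  hosts:\n{host_lines}\n"
        f"spec:\n  backend_service: {rgw_service}\n  virtual_ips_list:\n{vip_lines}\n"
        f"  frontend_port: {frontend_port}\n  monitor_port: {monitor_port}\n  ssl_cert: |\n{pem}\n"
    )


# Constructed stand-in PEM bodies: a minimal DER SEQUENCE, not a real certificate or key.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
TEST_CERT = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
TEST_KEY = f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_ingress_spec("rgw.test", ["host1", "host2", "host3"],
                             ["192.168.20.1/24", "192.168.20.2/24"], 8080, 1967, TEST_CERT, TEST_KEY))
```

With real files, pass the contents of test.crt and test.key from the openssl command above; the rendered spec can be written to a file and applied with `ceph orch apply -i <file>`.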