read: connection reset by peer

Time: 2021-03-22 18:06:34

Tags: go ssl kubernetes rabbitmq

I have deployed a rabbitmq service instance in my EKS cluster using the rabbitmq operator. I enabled ssl in the rabbitmq instance definition file. Here is my rabbitmq-cluster.yaml

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: rabbitmq-single-instance-clusterip # name of the service instance.
  labels:
    app: rabbitmq
  annotations:
    purpose: rabbitmq-poc
spec:
  replicas: 1  # 1 replica for single instance.
  image: rabbitmq:3.8.10-management-alpine # this is required if the image has to pull from private registry. In such case imagePullSecrets is also required. Default is from docker.hub/rabbitmq.
  service:
    type: ClusterIP  # Possible values : ClusterIP/NodePort/LoadBalancer. Default is - ClusterIP.  RabbitMQ Cluster Kubernetes Operator currently does not support the ExternalName Service Type
  resources:
    requests:
      cpu: 2
      memory: 8Gi
    limits:
      cpu: 2
      memory: 8Gi
  persistence:
    storageClassName: ebs-sc # The name of the Kubernetes StorageClass to use.
    storage: 10Gi  # The capacity of the persistent volume, expressed as a Kubernetes resource quantity.
  rabbitmq: # this is for rabbitmq cluster configuration. operator by default attaches default parameters.
    additionalConfig: |     # Additional configuration options that will be appended to rabbitmq.conf file.
       channel_max = 1050
       ssl_options.fail_if_no_peer_cert = false
    #envConfig:  # The value of spec.rabbitmq.envConfig will be written to /etc/rabbitmq/rabbitmq-env.conf.
    additionalPlugins:  # Additional plugins to enable in RabbitMQ. By default , rabbitmq_peer_discovery_k8s/rabbitmq_prometheus/rabbitmq_management
      - rabbitmq_top
      - rabbitmq_shovel
  tls:
    secretName: tls-secret
    caSecretName: ca-secret
    disableNonTLSListeners: true

I have set the flag disableNonTLSListeners = true, which means it drops all non-tls connections. The rabbitmq instance runs fine.

k get pods,svc
NAME                                              READY   STATUS             RESTARTS   AGE
pod/rabbitmq-single-instance-clusterip-server-0   1/1     Running            0          3h7m


NAME                                               TYPE           CLUSTER-IP      EXTERNAL-IP                                                                     PORT(S)                          AGE
service/rabbitmq-single-instance-clusterip         ClusterIP      10.100.6.196    <none>                                                                          5671/TCP,15671/TCP               3h7m
service/rabbitmq-single-instance-clusterip-nodes   ClusterIP      None            <none>                                                                          4369/TCP,25672/TCP               3h7m

I am trying to connect to this instance with a sample go consumer.

package main

import (
    "crypto/tls"
    "fmt"

    "github.com/streadway/amqp"
)

func main() {
    fmt.Println("Go RabbitMQ Consumer Tutorial")
    fmt.Println("Testing ClusterIP service connection over TLS")
    /*
        // Verifying setup (client certificate + CA), currently disabled.
        cert, err := tls.LoadX509KeyPair("client.crt", "mykey.key")
        if err != nil {
            panic(err)
        }
        // Load CA cert.
        caCert, err := ioutil.ReadFile("ca.crt") // The same you configured in your MQ server
        if err != nil {
            log.Fatal(err)
        }
        caCertPool := x509.NewCertPool()
        caCertPool.AppendCertsFromPEM(caCert)
        tlsConfig := &tls.Config{
            Certificates: []tls.Certificate{cert}, // from tls.LoadX509KeyPair
            RootCAs:      caCertPool,
            // ...other options are just the same as yours
        }*/

    tlsconfig1 := &tls.Config{
        InsecureSkipVerify: true, // broker certificate is not verified; no client certificate is sent
    }

    conn, err := amqp.DialTLS("amqps://<username>:<password>@rabbitmq-single-instance-clusterip.demo.svc.cluster.local:5671", tlsconfig1)
    if err != nil {
        fmt.Println("Error is -", err)
        panic(err)
    }

    fmt.Println("Connected to consumer successfully")
    defer conn.Close()

    ch, err := conn.Channel()
    if err != nil {
        panic(err) // a nil channel must not be used or closed below
    }
    defer ch.Close()

    msgs, err := ch.Consume(
        "TestQueue", // queue
        "",          // consumer tag (server-generated)
        true,        // auto-ack
        false,       // exclusive
        false,       // no-local
        false,       // no-wait
        nil,         // args
    )
    if err != nil {
        panic(err) // Consume errors were previously ignored
    }

    forever := make(chan bool)
    go func() {
        for d := range msgs {
            fmt.Printf("Received Message: %s\n", d.Body)
        }
    }()

    fmt.Println("Successfully Connected to our RabbitMQ Instance")
    fmt.Println(" [*] - Waiting for messages")
    <-forever

}

When I run this code I get:

Go RabbitMQ Consumer Tutorial
Testing ClusterIP service connection over TLS
Error is - read tcp 172.20.150.29:58892->10.100.6.196:5671: read: connection reset by peer
panic: read tcp 172.20.150.29:58892->10.100.6.196:5671: read: connection reset by peer

goroutine 1 [running]:
main.main()
    /app/main.go:38 +0x689

Any idea why this doesn't work? If I want to make it work without passing a client certificate, what should I do?

My Rabbitmq config:

ssl_options.certfile                  = /etc/rabbitmq-tls/tls.crt
ssl_options.keyfile                   = /etc/rabbitmq-tls/tls.key
listeners.ssl.default                 = 5671
management.ssl.certfile               = /etc/rabbitmq-tls/tls.crt
management.ssl.keyfile                = /etc/rabbitmq-tls/tls.key
management.ssl.port                   = 15671
prometheus.ssl.certfile               = /etc/rabbitmq-tls/tls.crt
prometheus.ssl.keyfile                = /etc/rabbitmq-tls/tls.key
prometheus.ssl.port                   = 15691
listeners.tcp                         = none
ssl_options.cacertfile                = /etc/rabbitmq-tls/ca.crt
ssl_options.verify                    = verify_peer
management.ssl.cacertfile             = /etc/rabbitmq-tls/ca.crt
prometheus.ssl.cacertfile             = /etc/rabbitmq-tls/ca.crt
total_memory_available_override_value = 6871947674
channel_max                           = 1050
ssl_options.fail_if_no_peer_cert      = false

0 answers