This is the 23rd day of my participation in the November Gwen Challenge. Check out the event details: The last Gwen Challenge 2021
Introduction
A complete example of enabling TLS/SSL in the Echo framework, which is what we call HTTPS.
We will use rk-boot to start the Echo framework microservice.
Please visit the following address for the full tutorial:
- rkdocs.netlify.app/cn
Generate a Self-Signed Certificate
Users can purchase certificates from major cloud vendors or create custom certificates using cfssl.
Here we show how to generate the certificates locally.
1. Download the cfssl & cfssljson command lines
Using the rk command line is recommended.
```shell
$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson
```
Or download from the official source:
```shell
$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson
```
2. Generate the CA
```shell
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json
```
Modify ca-config.json and ca-csr.json as required.
```shell
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
```
3. Generate a server certificate
server.csr, server.pem and server-key.pem will be generated.
```shell
$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www ca-csr.json | cfssljson -bare server
```
Installation
```shell
go get github.com/rookie-ninja/rk-boot
go get github.com/rookie-ninja/rk-echo
```
Quick start
Rk-boot can load the service's certificates from the following sources.
- Local file system
- Remote file system
- Consul
- ETCD
Let's start with loading the certificate from the local file system and starting the service.
1. Create boot.yaml
In this example we only enable the server-side certificate. `locale` is used to select the certificate entry for different environments.
Please refer to the previous article for details.
```yaml
---
cert:
  - name: "local-cert"                    # Required
    provider: "localFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the local FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the certificate key on the local FS
echo:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                   # Enable TLS on this entry
    commonService:
      enabled: true
```
2. Create main.go
```go
package main

import (
	"context"

	"github.com/rookie-ninja/rk-boot"
	_ "github.com/rookie-ninja/rk-echo/boot"
)

// Application entrance.
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Bootstrap
	boot.Bootstrap(context.Background())

	// Wait for shutdown signal
	boot.WaitForShutdownSig(context.Background())
}
```
3. Folder structure
```text
.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files
```
4. Start main.go
```shell
$ go run main.go
```
5. Verify
```shell
$ curl -X GET --insecure https://localhost:8080/rk/v1/healthy
{"healthy":true}
```
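With `--insecure` curl skips verification of the self-signed chain, so a misconfigured cert entry is easy to miss. The following Go program is an added example, not part of the original post or of rk-boot: it runs the checks a TLS client would apply to cfssl's ca.pem, server.pem and server-key.pem (key matches certificate, chain to the CA, validity window, host name in the SANs), and generates an in-process CA and leaf as constructed stand-ins for those files so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckServerCert runs the checks a TLS listener trips over at start-up: the key
// must match the certificate, which must chain to the CA, be unexpired and name host.
func CheckServerCert(caPEM, certPEM, keyPEM []byte, host string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // also fails on a key/cert mismatch
	if err != nil {
		return fmt.Errorf("server-key.pem does not load with server.pem: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("ca.pem contains no usable CA certificate")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// GenTestPKI builds a throwaway CA and a leaf it signs: constructed stand-ins for cfssl's ca.pem, server.pem and server-key.pem.
func GenTestPKI(hosts []string, leafNotAfter time.Time) (caPEM, certPEM, keyPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hosts[0]}, DNSNames: hosts,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: leafNotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return
}
```

Against the real files, read ca.pem, server.pem and server-key.pem with os.ReadFile and pass the host name the server certificate was issued for.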
Architecture
Parameter description
1. Read the certificate from the local file system

| Configuration item | Description | Required | Default |
|---|---|---|---|
| cert.localFs.name | Name of the local file system getter | yes | "" |
| cert.localFs.locale | Follows the locale format `<realm>::<region>::<az>::<domain>` | yes | "" |
| cert.localFs.serverCertPath | Path of the server certificate | no | "" |
| cert.localFs.serverKeyPath | Path of the server certificate key | no | "" |
| cert.localFs.clientCertPath | Path of the client certificate | no | "" |
| cert.localFs.clientKeyPath | Path of the client certificate key | no | "" |

- Example
```yaml
---
cert:
  - name: "local-cert"                    # Required
    description: "Description of entry"   # Optional
    provider: "localFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the local FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the certificate key on the local FS
echo:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                   # Enable TLS on this entry
```
2. Read the certificate from the remote file service

| Configuration item | Description | Required | Default |
|---|---|---|---|
| cert.remoteFs.name | Name of the remote file service getter | yes | "" |
| cert.remoteFs.locale | Follows the locale format `<realm>::<region>::<az>::<domain>` | yes | "" |
| cert.remoteFs.endpoint | Remote address, http://x.x.x.x or x.x.x.x | yes | N/A |
| cert.remoteFs.basicAuth | Basic auth, in the form user:pass | no | "" |
| cert.remoteFs.serverCertPath | Path of the server certificate | no | "" |
| cert.remoteFs.serverKeyPath | Path of the server certificate key | no | "" |
| cert.remoteFs.clientCertPath | Path of the client certificate | no | "" |
| cert.remoteFs.clientKeyPath | Path of the client certificate key | no | "" |

- Example
```yaml
---
cert:
  - name: "remote-cert"                   # Required
    description: "Description of entry"   # Optional
    provider: "remoteFs"                  # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the remote FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the certificate key on the remote FS
echo:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                  # Enable TLS on this entry
```
3. Obtain the certificate from Consul

| Configuration item | Description | Required | Default |
|---|---|---|---|
| cert.consul.name | Name of the Consul getter | yes | "" |
| cert.consul.locale | Follows the locale format `<realm>::<region>::<az>::<domain>` | yes | "" |
| cert.consul.endpoint | Consul address, http://x.x.x.x or x.x.x.x | yes | N/A |
| cert.consul.datacenter | Consul datacenter | yes | "" |
| cert.consul.token | Consul access token | no | "" |
| cert.consul.basicAuth | Consul basic auth, in the form user:pass | no | "" |
| cert.consul.serverCertPath | Path of the server certificate | no | "" |
| cert.consul.serverKeyPath | Path of the server certificate key | no | "" |
| cert.consul.clientCertPath | Path of the client certificate | no | "" |
| cert.consul.clientKeyPath | Path of the client certificate key | no | "" |

- Example
```yaml
---
cert:
  - name: "consul-cert"                   # Required
    provider: "consul"                    # Required, etcd, consul, localFs, remoteFs are supported options
    description: "Description of entry"   # Optional
    locale: "*::*::*::*"                  # Required, default: ""
    endpoint: "localhost:8500"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    datacenter: "dc1"                     # Optional, default: "", Consul datacenter
    serverCertPath: "server.pem"          # Optional, default: "", key of the value in Consul
    serverKeyPath: "server-key.pem"       # Optional, default: "", key of the value in Consul
echo:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                  # Enable TLS on this entry
```
4. Read the certificate from ETCD

| Configuration item | Description | Required | Default |
|---|---|---|---|
| cert.etcd.name | Name of the ETCD getter | yes | "" |
| cert.etcd.locale | Follows the locale format `<realm>::<region>::<az>::<domain>` | yes | "" |
| cert.etcd.endpoint | ETCD address, http://x.x.x.x or x.x.x.x | yes | N/A |
| cert.etcd.basicAuth | ETCD basic auth, in the form user:pass | no | "" |
| cert.etcd.serverCertPath | Path of the server certificate | no | "" |
| cert.etcd.serverKeyPath | Path of the server certificate key | no | "" |
| cert.etcd.clientCertPath | Path of the client certificate | no | "" |
| cert.etcd.clientKeyPath | Path of the client certificate key | no | "" |

- Example
```yaml
---
cert:
  - name: "etcd-cert"                     # Required
    description: "Description of entry"   # Optional
    provider: "etcd"                      # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    endpoint: "localhost:2379"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    serverCertPath: "server.pem"          # Optional, default: "", key of the value in etcd
    serverKeyPath: "server-key.pem"       # Optional, default: "", key of the value in etcd
echo:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                    # Enable TLS on this entry
```