This is the 23rd day of my participation in the November Gwen Challenge. Check out the event details: The last Gwen Challenge 2021

Introduction

A complete example of enabling TLS/SSL in the Echo framework, that is, what we commonly call HTTPS.

We will use rk-boot to start the Echo framework microservice.

Please visit the following address for the full tutorial:

  • rkdocs.netlify.app/cn

Generate a self-signed certificate

Users can purchase certificates from major cloud vendors or create custom certificates using CFSSL.

Here we show how to generate certificates locally.

1. Download the cfssl and cfssljson command-line tools

Using the rk command-line tool is recommended.

$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson

Or download from the official source:

$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson

2. Generate the CA

$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json

Modify ca-config.json and ca-csr.json as required.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

3. Generate a server certificate

The files server.csr, server.pem and server-key.pem will be generated.

$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www ca-csr.json | cfssljson -bare server

Installation

go get github.com/rookie-ninja/rk-boot
go get github.com/rookie-ninja/rk-echo

Quick start

rk-boot lets the service obtain its certificate from the following sources.

  • Local file system
  • Remote file system
  • Consul
  • ETCD

Let’s start by looking at how to load the certificate from the local file system and start the service.

1. Create boot.yaml

In this example, we only enable the server certificate. The locale field is used to distinguish certificate control across different environments.

Please refer to the previous article for details:

---
cert:
  - name: "local-cert"                     # Required
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate key on local FS
echo:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable TLS
    commonService:
      enabled: true

2. Create main.go

package main

import (
	"context"

	"github.com/rookie-ninja/rk-boot"
	_ "github.com/rookie-ninja/rk-echo/boot"
)

// Application entrance.
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Bootstrap all entries declared in boot.yaml, including the cert entry.
	boot.Bootstrap(context.Background())

	// Wait for shutdown signal.
	boot.WaitForShutdownSig(context.Background())
}

3. Folder structure

.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files

4. Run main.go

$ go run main.go

5. Verify

$ curl -X GET --insecure https://localhost:8080/rk/v1/healthy
{"healthy":true}
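The `--insecure` flag above skips certificate verification, so the check confirms only that TLS is on, not that the server presents a certificate chaining to the CA you generated. The following Go program is an added example, not code from the article or from rk-boot: it builds a CA and a server certificate for localhost in memory (a constructed stand-in for cfssl's ca.pem, server.pem and server-key.pem; no files are read), serves `/rk/v1/healthy` over HTTPS with it, and probes it twice, once with a client that trusts only that CA (the equivalent of `curl --cacert ca.pem`) and once with a client that trusts no CA at all. The CA name and the sample response body are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must turns the unrecoverable errors of key and certificate generation into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// testPKI is a constructed in-memory stand-in for cfssl's output: caPool plays ca.pem, server plays server.pem + server-key.pem.
type testPKI struct {
	caPool *x509.CertPool
	server tls.Certificate
}

// newTestPKI creates a CA and a leaf certificate for localhost/127.0.0.1 signed by it (ECDSA P-256).
func newTestPKI() *testPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// The leaf needs SANs for the names the client connects to; without them verification fails.
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER := must(x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &testPKI{caPool: pool, server: tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}}
}

// startServer serves the article's health endpoint over TLS 1.2+ with the constructed certificate.
func startServer(pki *testPKI) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/rk/v1/healthy", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"healthy":true}`)
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{pki.server}, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// probe does a verified GET: the client trusts exactly the given roots, as `curl --cacert ca.pem` does and `--insecure` does not.
func probe(url string, roots *x509.CertPool) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return "", err // e.g. "x509: certificate signed by unknown authority"
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	pki := newTestPKI()
	srv := startServer(pki)
	defer srv.Close()
	body, err := probe(srv.URL+"/rk/v1/healthy", pki.caPool)
	fmt.Println("client trusting our CA:", body, err)
	_, err = probe(srv.URL+"/rk/v1/healthy", x509.NewCertPool())
	fmt.Println("client trusting no CA:", err)
}
```

The first probe returns `{"healthy":true}`; the second fails in the TLS handshake because the server's chain does not end in a trusted root, which is exactly the failure `--insecure` hides. With the files produced by cfssl, the same check is `curl --cacert ca.pem https://localhost:8080/rk/v1/healthy`.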

Architecture

Parameter description

1. Read the certificate from the local file system

Configuration item             Description                                        Required  Default
cert.localFs.name              Name of the local file system getter               yes       ""
cert.localFs.locale            Locale, format <realm>::<region>::<az>::<domain>   yes       ""
cert.localFs.serverCertPath    Path of the server certificate                     no        ""
cert.localFs.serverKeyPath     Path of the server certificate key                 no        ""
cert.localFs.clientCertPath    Path of the client certificate                     no        ""
cert.localFs.clientKeyPath     Path of the client certificate key                 no        ""
Example:

---
cert:
  - name: "local-cert"                     # Required
    description: "Description of entry"    # Optional
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate key on local FS
echo:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable TLS
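The locale field appears in every provider's configuration as the selector that decides which cert entry is active in a given environment. The following Go program is an added example, not rk-boot's own implementation: it re-implements the rule the tables describe (four `::`-separated segments, `*` as a wildcard) with strict parsing, and picks the first matching entry from a constructed list, so that a narrow production selector takes precedence over the catch-all `*::*::*::*` used in this article. The entry names, file paths and environment values are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Locale is the four-part selector <realm>::<region>::<az>::<domain>; a "*"
// segment matches any value. Independent re-implementation for illustration,
// not rk-boot's own code.
type Locale struct{ Realm, Region, AZ, Domain string }

// parseLocale accepts exactly four non-empty "::"-separated segments.
// Rejecting malformed selectors is the safe failure mode: a selector that
// quietly matched everything could activate the wrong certificate.
func parseLocale(s string) (Locale, error) {
	parts := strings.Split(s, "::")
	if len(parts) != 4 {
		return Locale{}, fmt.Errorf("locale %q: want 4 segments, got %d", s, len(parts))
	}
	for _, p := range parts {
		if p == "" {
			return Locale{}, fmt.Errorf("locale %q: empty segment", s)
		}
	}
	return Locale{parts[0], parts[1], parts[2], parts[3]}, nil
}

// matchSegment treats "*" as a wildcard; anything else must be equal.
func matchSegment(pattern, actual string) bool {
	return pattern == "*" || pattern == actual
}

// Matches reports whether the selector l accepts the environment env.
func (l Locale) Matches(env Locale) bool {
	return matchSegment(l.Realm, env.Realm) && matchSegment(l.Region, env.Region) &&
		matchSegment(l.AZ, env.AZ) && matchSegment(l.Domain, env.Domain)
}

// CertEntry carries the fields of one `cert:` list item that matter here.
type CertEntry struct {
	Name, Locale, ServerCertPath, ServerKeyPath string
}

// selectCert returns the first entry whose locale matches env, so narrower
// selectors must be listed before the catch-all "*::*::*::*". A malformed
// locale aborts selection instead of being silently skipped.
func selectCert(entries []CertEntry, env Locale) (CertEntry, error) {
	for _, e := range entries {
		loc, err := parseLocale(e.Locale)
		if err != nil {
			return CertEntry{}, err
		}
		if loc.Matches(env) {
			return e, nil
		}
	}
	return CertEntry{}, errors.New("no cert entry matches the environment")
}

// sampleEntries are constructed for this example; the paths are placeholders.
var sampleEntries = []CertEntry{
	{Name: "prod-cert", Locale: "prod::us-east::*::*", ServerCertPath: "cert/prod.pem", ServerKeyPath: "cert/prod-key.pem"},
	{Name: "local-cert", Locale: "*::*::*::*", ServerCertPath: "cert/server.pem", ServerKeyPath: "cert/server-key.pem"},
}

func main() {
	for _, env := range []Locale{
		{"prod", "us-east", "az-1", "example.com"}, // constructed environments
		{"dev", "eu-west", "az-2", "localhost"},
	} {
		e, err := selectCert(sampleEntries, env)
		fmt.Printf("%v -> %s %v\n", env, e.Name, err)
	}
}
```

The production environment resolves to `prod-cert`, any other environment falls through to `local-cert`, and a selector such as `prod::us-east` (only two segments) is rejected rather than treated as a match.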

2. Read the certificate from a remote file service

Configuration item             Description                                        Required  Default
cert.remoteFs.name             Name of the remote file service getter             yes       ""
cert.remoteFs.locale           Locale, format <realm>::<region>::<az>::<domain>   yes       ""
cert.remoteFs.endpoint         Remote address, http://x.x.x.x or x.x.x.x          yes       N/A
cert.remoteFs.basicAuth        Basic auth, format user:pass                       no        ""
cert.remoteFs.serverCertPath   Path of the server certificate                     no        ""
cert.remoteFs.serverKeyPath    Path of the server certificate key                 no        ""
cert.remoteFs.clientCertPath   Path of the client certificate                     no        ""
cert.remoteFs.clientKeyPath    Path of the client certificate key                 no        ""
Example:

---
cert:
  - name: "remote-cert"                    # Required
    description: "Description of entry"    # Optional
    provider: "remoteFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"             # Required, both http://x.x.x.x or x.x.x.x are acceptable
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on remote FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate key on remote FS
echo:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                   # Enable TLS

3. Read the certificate from Consul

Configuration item             Description                                        Required  Default
cert.consul.name               Name of the Consul getter                          yes       ""
cert.consul.locale             Locale, format <realm>::<region>::<az>::<domain>   yes       ""
cert.consul.endpoint           Consul address, http://x.x.x.x or x.x.x.x          yes       N/A
cert.consul.datacenter         Consul datacenter                                  yes       ""
cert.consul.token              Consul access token                                no        ""
cert.consul.basicAuth          Consul basic auth, format user:pass                no        ""
cert.consul.serverCertPath     Key of the server certificate in Consul            no        ""
cert.consul.serverKeyPath      Key of the server certificate key in Consul        no        ""
cert.consul.clientCertPath     Key of the client certificate in Consul            no        ""
cert.consul.clientKeyPath      Key of the client certificate key in Consul        no        ""
Example:

---
cert:
  - name: "consul-cert"                    # Required
    provider: "consul"                     # Required, etcd, consul, localFs, remoteFs are supported options
    description: "Description of entry"    # Optional
    locale: "*::*::*::*"                   # Required, default: ""
    endpoint: "localhost:8500"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    datacenter: "dc1"                      # Optional, default: "", consul datacenter
    serverCertPath: "server.pem"           # Optional, default: "", key of value in consul
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in consul
echo:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                   # Enable TLS

4. Read the certificate from etcd

Configuration item             Description                                        Required  Default
cert.etcd.name                 Name of the etcd getter                            yes       ""
cert.etcd.locale               Locale, format <realm>::<region>::<az>::<domain>   yes       ""
cert.etcd.endpoint             etcd address, http://x.x.x.x or x.x.x.x            yes       N/A
cert.etcd.basicAuth            etcd basic auth, format user:pass                  no        ""
cert.etcd.serverCertPath       Key of the server certificate in etcd              no        ""
cert.etcd.serverKeyPath        Key of the server certificate key in etcd          no        ""
cert.etcd.clientCertPath       Key of the client certificate in etcd              no        ""
cert.etcd.clientKeyPath        Key of the client certificate key in etcd          no        ""
Example:

---
cert:
  - name: "etcd-cert"                      # Required
    description: "Description of entry"    # Optional
    provider: "etcd"                       # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    endpoint: "localhost:2379"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    serverCertPath: "server.pem"           # Optional, default: "", key of value in etcd
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in etcd
echo:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                     # Enable TLS