반응형
consul 보안(security credentials) 설정
consul 컨테이너 실행
docker run -it --rm -v ${PWD}/consul/certs:/consul/config/certs/ consul:latest /bin/sh--- docker container start
cd /consul/config/certsconsul gossip 암호화 키 생성
consul keygen$ consul keygen
ozAzxQlvUHL3Qr0hhW2ibUxSa4B+M6RDz2bTC8OOsN0=consul.hcl 설정
vim /etc/consul.d/consul.hcl...
# bootstrap_expect
bootstrap_expect = 3
# encrypt
# Specifies the secret key to use for encryption of Consul network traffic. This key must
# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
# use consul keygen. All nodes within a cluster must share the same encryption key to
# communicate. The provided key is automatically persisted to the data directory and loaded
# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
# protocol, this option only needs to be provided once on each agent's initial startup
# sequence. If it is provided after Consul has been initialized with an encryption key,
# then the provided key is ignored and a warning will be displayed.
encrypt = "ozAzxQlvUHL3Qr0hhW2ibUxSa4B+M6RDz2bTC8OOsN0="
# retry_join
retry_join = ["control1", "node1", "node2"]구성 파일 확인
consul validate /consul/config/RPC 암호화를 위한 TLS 인증서 생성(TLS certificates)
ca 생성
Usage: consul tls ca create [filename-prefix] [options]
consul tls ca create$ consul tls ca create -domain consul
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem인증서 생성
consul tls cert create -server -dc my-dc-1 -domain consul$ consul tls cert create -server -dc my-dc-1 -domain consul
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved my-dc-1-server-consul-0.pem
==> Saved my-dc-1-server-consul-0-key.pemconsul.hcl 설정
vim /etc/consul.d/consul.hcl...
tls.defaults.verify_incoming = true
tls.defaults.verify_outgoing = true
tls.internal_rpc.verify_server_hostname = true
tls.defaults.ca_file = "/consul/config/certs/consul-agent-ca.pem"
tls.defaults.cert_file = "/consul/config/cert/my-dc-1-server-consul-0.pem"
tls.defaults.key_file = "/consul/config/cert/my-dc-1-server-consul-0-key.pem"
...구성 파일 확인
consul validate /consul/config/$ consul validate /consul/config/
skipping file /consul/config/consul.env, extension must be .hcl or .json, or config format must be set
skipping file /consul/config/consul.hcl.origin, extension must be .hcl or .json, or config format must be set
bootstrap_expect > 0: expecting 3 servers
Configuration is valid!exit--- docker container end
인증서 확인
$ ls -l consul/certs
total 16
-rw------- 1 root root 227 Jan 31 03:53 consul-agent-ca-key.pem
-rw-r--r-- 1 root root 1078 Jan 31 03:53 consul-agent-ca.pem
-rw------- 1 root root 227 Jan 31 03:54 my-dc-1-server-consul-0-key.pem
-rw-r--r-- 1 root root 977 Jan 31 03:54 my-dc-1-server-consul-0.pem
참고URL
- Consul TLS CA Create : https://developer.hashicorp.com/consul/commands/tls/ca
728x90
반응형
'리눅스' 카테고리의 다른 글
| [리눅스] 유닉스 타임스탬프 변환기(unix timestamp converter) (0) | 2023.02.03 |
|---|---|
| free 명령어 (0) | 2023.01.31 |
| 우분투에서 Pacemaker와 Corosync을 사용하여 HA(고가용성) 클러스터를 구성하는 방법 (0) | 2023.01.31 |
| [리눅스] envoy를 사용하는 도커 컨테이너 리버스 프록시(docker container reverse proxy) (0) | 2023.01.29 |
| [리눅스] traefik을 사용하는 도커 컨테이너 리버스 프록시(docker container reverse proxy) (0) | 2023.01.27 |
