From 5de26fde751a0950c812660c0584cd416d285ea4 Mon Sep 17 00:00:00 2001
From: jacky-xbb
Date: Fri, 4 Aug 2023 23:07:34 +0800
Subject: [PATCH] docs: add tls configuration
---
 docs/en_US/tasks/configure-emqx-tls.md | 130 +++++++++++++------------
 docs/zh_CN/tasks/configure-emqx-tls.md | 4 +
 2 files changed, 72 insertions(+), 62 deletions(-)
diff --git a/docs/en_US/tasks/configure-emqx-tls.md b/docs/en_US/tasks/configure-emqx-tls.md
index 2bd1b1ba9..185e9ff9c 100644
--- a/docs/en_US/tasks/configure-emqx-tls.md
+++ b/docs/en_US/tasks/configure-emqx-tls.md
@@ -38,68 +38,6 @@ Secret is an object that contains a small amount of sensitive information such a The following is the relevant configuration of EMQX Custom Resource. You can choose the corresponding APIVersion according to the version of EMQX you want to deploy. For the specific compatibility relationship, please refer to [EMQX Operator Compatibility](../index.md): :::: tabs type:card -::: tab apps.emqx.io/v1beta4 - -`apps.emqx.io/v1beta4 EmqxEnterprise` supports configuring volumes and mount points for EMQX clusters through `.spec.template.spec.volumes` and `.spec.template.spec.emqxContainer.volumeMounts` fields. In this article, we can use these two fields to configure TLS certificates for the EMQX cluster. - -There are many types of Volumes. For the description of Volumes, please refer to the document: [Volumes](https://kubernetes.io/docs/concepts/storage/volumes/). In this article we are using the `secret` type. - -+ Save the following as a YAML file and deploy it with the `kubectl apply` command - - ```yaml - apiVersion: apps.emqx.io/v1beta4 - kind: EmqxEnterprise - metadata: - name: emqx-ee - spec: - template: - spec: - emqxContainer: - image: - repository: emqx/emqx-ee - version: 4.4.14 - emqxConfig: - listener.ssl.external.cacertfile: /mounted/cert/ca.crt - listener.ssl.external.certfile: /mounted/cert/tls.crt - listener.ssl.external.keyfile: /mounted/cert/tls.key - listener.ssl.external: "0.0.0.0:8883" - volumeMounts: - - name: emqx-tls - mountPath: /mounted/cert - volumes: - - name: emqx-tls - secret: - secretName: emqx-tls - serviceTemplate: - spec: - type: LoadBalancer - ``` - - > The `.spec.template.spec.volumes` field configures the volume type as: secret, and the name as: emqx-tls. - - > The `.spec.template.spec.emqxContainer.volumeMounts` field configures the directory where the TLS certificate is mounted to EMQX: `/mounted/cert`. - - > The `.spec.template.spec.emqxContainer.emqxConfig` field configures the TLS listener certificate path. 
For more TLS listener configurations, please refer to the document: [tlsexternal](https://docs.emqx.com/en/enterprise/v4.4/configuration/configuration.html#tlsexternal). - -+ Wait for EMQX cluster to be ready, you can check the status of EMQX cluster through the `kubectl get` command, please make sure that `STATUS` is `Running`, this may take some time - - ```bash - $ kubectl get emqxenterprises - NAME STATUS AGE - emqx-ee Running 8m33s - ``` - -+ Obtain the External IP of EMQX cluster and access EMQX console - - ```bash - $ kubectl get svc emqx-ee -o json | jq '.status.loadBalancer.ingress[0].ip' - - 192.168.1.200 - ``` - - Access `http://192.168.1.200:18083` through a browser, and use the default username and password `admin/public` to login EMQX console. - -::: ::: tab apps.emqx.io/v2beta1 `apps.emqx.io/v2beta1 EMQX` supports `.spec.coreTemplate.extraVolumes` and `.spec.coreTemplate.extraVolumeMounts` and `.spec.replicantTemplate.extraVolumes` and `.spec.replicantTemplate.extraVolumeMounts` fields to EMQX The cluster configures additional volumes and mount points. In this article, we can use these two fields to configure TLS certificates for the EMQX cluster. @@ -123,6 +61,8 @@ There are many types of Volumes. For the description of Volumes, please refer to cacertfile = "/mounted/cert/ca.crt" certfile = "/mounted/cert/tls.crt" keyfile = "/mounted/cert/tls.key" + gc_after_handshake = true + hibernate_after = 5s } } coreTemplate: 
@@ -178,6 +118,72 @@ There are many types of Volumes. For the description of Volumes, please refer to Access `http://192.168.1.200:18083` through a browser, and use the default username and password `admin/public` to login EMQX console. +::: +::: tab apps.emqx.io/v1beta4 + +`apps.emqx.io/v1beta4 EmqxEnterprise` supports configuring volumes and mount points for EMQX clusters through `.spec.template.spec.volumes` and `.spec.template.spec.emqxContainer.volumeMounts` fields. In this article, we can use these two fields to configure TLS certificates for the EMQX cluster. + +There are many types of Volumes. For the description of Volumes, please refer to the document: [Volumes](https://kubernetes.io/docs/concepts/storage/volumes/). In this article we are using the `secret` type. + ++ Save the following as a YAML file and deploy it with the `kubectl apply` command + + ```yaml + apiVersion: apps.emqx.io/v1beta4 + kind: EmqxEnterprise + metadata: + name: emqx-ee + spec: + template: + spec: + emqxContainer: + image: + repository: emqx/emqx-ee + version: 4.4.14 + emqxConfig: + listener.ssl.external.cacertfile: /mounted/cert/ca.crt + listener.ssl.external.certfile: /mounted/cert/tls.crt + listener.ssl.external.keyfile: /mounted/cert/tls.key + listener.ssl.external: "0.0.0.0:8883" + listener.ssl.external.gc_after_handshake: "true" + listener.ssl.external.hibernate_after: 5s + volumeMounts: + - name: emqx-tls + mountPath: /mounted/cert + volumes: + - name: emqx-tls + secret: + secretName: emqx-tls + serviceTemplate: + spec: + type: LoadBalancer + ``` + + > The `.spec.template.spec.volumes` field configures the volume type as: secret, and the name as: emqx-tls. + + > The `.spec.template.spec.emqxContainer.volumeMounts` field configures the directory where the TLS certificate is mounted to EMQX: `/mounted/cert`. + + > The `.spec.template.spec.emqxContainer.emqxConfig` field configures the TLS listener certificate path. 
For more TLS listener configurations, please refer to the document: [tlsexternal](https://docs.emqx.com/en/enterprise/v4.4/configuration/configuration.html#tlsexternal). + + ++ Wait for EMQX cluster to be ready, you can check the status of EMQX cluster through the `kubectl get` command, please make sure that `STATUS` is `Running`, this may take some time + + ```bash + $ kubectl get emqxenterprises + NAME STATUS AGE + emqx-ee Running 8m33s + ``` + ++ Obtain the External IP of EMQX cluster and access EMQX console + + ```bash + $ kubectl get svc emqx-ee -o json | jq '.status.loadBalancer.ingress[0].ip' + + 192.168.1.200 + ``` + + Access `http://192.168.1.200:18083` through a browser, and use the default username and password `admin/public` to login EMQX console. + + ::: :::: diff --git a/docs/zh_CN/tasks/configure-emqx-tls.md b/docs/zh_CN/tasks/configure-emqx-tls.md index c0e01d34a..707984bba 100644 --- a/docs/zh_CN/tasks/configure-emqx-tls.md +++ b/docs/zh_CN/tasks/configure-emqx-tls.md @@ -61,6 +61,8 @@ Volumes 的类型有很多种,关于 Volumes 描述可以参考文档:[Volum cacertfile = "/mounted/cert/ca.crt" certfile = "/mounted/cert/tls.crt" keyfile = "/mounted/cert/tls.key" + gc_after_handshake = true + hibernate_after = 5s } } coreTemplate: @@ -140,6 +142,8 @@ Volumes 的类型有很多种,关于 Volumes 描述可以参考文档:[Volum listener.ssl.external.certfile: /mounted/cert/tls.crt listener.ssl.external.keyfile: /mounted/cert/tls.key listener.ssl.external: "0.0.0.0:8883" + listener.ssl.external.gc_after_handshake: "true" + listener.ssl.external.hibernate_after: 5s volumeMounts: - name: emqx-tls mountPath: /mounted/cert