\u5728 KubeEdge \u4e2d\uff0c\u5b89\u5168\u6027\u548c\u6570\u636e\u52a0\u5bc6\u4e3b\u8981\u901a\u8fc7\u4ee5\u4e0b\u63aa\u65bd\u6765\u5b9e\u73b0\uff1a<\/p>\n
\u5728\u5177\u4f53\u5b9e\u73b0\u4e2d\uff0cKubeEdge \u4e3b\u8981\u901a\u8fc7\u5728 KubeEdge \u91c7\u7528 TLS \u534f\u8bae\u6765\u52a0\u5bc6\u4e91\u7aef\u4e0e\u8fb9\u7aef\u7684\u901a\u4fe1\uff0c\u4ee5\u9632\u6b62\u6570\u636e\u5728\u4f20\u8f93\u8fc7\u7a0b\u4e2d\u88ab\u7a83\u542c\u548c\u7be1\u6539\u3002TLS \u52a0\u5bc6\u7684\u914d\u7f6e\u548c\u5b9e\u73b0\u4e3b\u8981\u96c6\u4e2d\u5728 \u8be5\u51fd\u6570\u4f7f\u7528 \u542f\u52a8 TLS WebSocket \u670d\u52a1<\/strong>\uff1a\u5728 \u8be5\u4ee3\u7801\u6bb5\u786e\u4fdd WebSocket \u670d\u52a1\u901a\u8fc7 TLS \u542f\u52a8\uff0c\u5b9e\u73b0\u52a0\u5bc6\u901a\u4fe1\u3002<\/p>\n<\/li>\n<\/ul>\n \u5728\u8fb9\u7aef\u7684 \u8fd9\u91cc\u7684 \u4e3a\u4e86\u9650\u5236\u5bf9\u4e91\u7aef\u548c\u8fb9\u7aef\u670d\u52a1\u7684\u672a\u6388\u6743\u8bbf\u95ee\uff0cKubeEdge \u63d0\u4f9b\u4e86\u8eab\u4efd\u8ba4\u8bc1\u4e0e\u8bbf\u95ee\u63a7\u5236\u914d\u7f6e\u3002<\/p>\n \u5728 MQTT \u5ba2\u6237\u7aef\u521d\u59cb\u5316\u4e2d\uff0c \u8bbf\u95ee\u63a7\u5236<\/strong>\uff1a\u5728\u4e91\u7aef\u548c\u8fb9\u7aef\u7684\u670d\u52a1\u4e2d\uff0c\u53ef\u4ee5\u8bbe\u7f6e IP \u767d\u540d\u5355\u6216\u57fa\u4e8e\u89d2\u8272\u7684\u8bbf\u95ee\u63a7\u5236\uff08RBAC\uff09\uff0c\u4ece\u800c\u9650\u5236\u672a\u6388\u6743\u7684\u8bbe\u5907\u8bbf\u95ee\u7cfb\u7edf\u8d44\u6e90\u3002\u8fd9\u901a\u5e38\u5728\u90e8\u7f72\u914d\u7f6e\u4e2d\u5b8c\u6210\uff0c\u4f8b\u5982\u5728\u8fb9\u7aef\u914d\u7f6e \u5728 KubeEdge \u4e2d\uff0c\u4e3a\u4e86\u786e\u4fdd\u672c\u5730\u5b58\u50a8\u7684\u6570\u636e\u5b89\u5168\uff0c \u8fd9\u91cc KubeEdge \u8fd8\u652f\u6301\u5728\u914d\u7f6e\u6587\u4ef6\u4e2d\u7ba1\u7406\u654f\u611f\u4fe1\u606f\u3002\u7528\u6237\u53ef\u4ee5\u5bf9\u8bf8\u5982\u8bc1\u4e66\u8def\u5f84\u3001\u5ba2\u6237\u7aef ID \u548c\u5bc6\u7801\u7b49\u914d\u7f6e\u654f\u611f\u4fe1\u606f\u8fdb\u884c\u52a0\u5bc6\u7ba1\u7406\u3002<\/p>\n \u5728\u4e91\u8fb9\u901a\u4fe1\u4e2d\uff0c\u8bc1\u4e66\u548c\u5bc6\u94a5\u7684\u7ba1\u7406\u5bf9\u5b89\u5168\u6027\u81f3\u5173\u91cd\u8981\u3002KubeEdge \u5141\u8bb8\u7528\u6237\u5728 \u5728\u8be5\u914d\u7f6e\u4e2d\uff0c\u6307\u5b9a\u4e86 TLS \u6240\u9700\u7684 CA \u8bc1\u4e66\u3001\u670d\u52a1\u5668\u8bc1\u4e66\u548c\u79c1\u94a5\u6587\u4ef6\u8def\u5f84\uff0c\u901a\u8fc7\u81ea\u52a8\u66f4\u65b0\u673a\u5236\uff0c\u786e\u4fdd\u8bc1\u4e66\u957f\u671f\u6709\u6548\u3002<\/p>\n<\/li>\n<\/ul>\n KubeEdge \u7684\u5b89\u5168\u6027\u548c\u6570\u636e\u52a0\u5bc6\u4e3b\u8981\u901a\u8fc7 TLS \u52a0\u5bc6\u3001\u8eab\u4efd\u8ba4\u8bc1\u3001\u8bbf\u95ee\u63a7\u5236\u548c\u672c\u5730\u6570\u636e\u52a0\u5bc6\u5b58\u50a8\u7b49\u65b9\u5f0f\u6765\u5b9e\u73b0\u3002 \u5728 KubeEdge \u4e2d\uff0c\u5b89\u5168\u6027\u548c\u6570\u636e\u52a0\u5bc6\u4e3b\u8981\u901a\u8fc7\u4ee5\u4e0b\u63aa\u65bd\u6765\u5b9e\u73b0\uff1a TLS \u52a0\u5bc6\u901a\u4fe1\uff0c\u786e\u4fdd\u4e91\u8fb9\u4f20\u8f93\u7684\u6570\u636e\u4e0d\u88ab\u7be1…<\/p>\n Read More<\/span> \u516d.\u5b89\u5168\u6027\u4e0e\u6570\u636e\u52a0\u5bc6\u7684\u6838\u5fc3\u4ee3\u7801<\/span><\/a>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"Layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":["entry","author-suredandan","post-753","post","type-post","status-publish","format-standard","category-uncategorized"],"views":1156,"_links":{"self":[{"href":"https:\/\/www.db2go.net\/index.php?rest_route=\/wp\/v2\/posts\/753","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.db2go.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.db2go.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.db2go.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.db2go.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=753"}],"version-history":[{"count":1,"href":"https:\/\/www.db2go.net\/index.php?rest_route=\/wp\/v2\/posts\/753\/revisions"}],"predecessor-version":[{"id":754,"href":"https:\/\/www.db2go.net\/index.php?rest_route=\/wp\/v2\/posts\/753\/revisions\/754"}],"wp:attachment":[{"href":"https:\/\/www.db2go.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.db2go.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.db2go.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}cloudhub<\/code> \u548c edgehub<\/code> \u4e2d\u914d\u7f6e TLS \u8fde\u63a5\u6765\u5b9e\u73b0\u5b89\u5168\u901a\u4fe1\u3002\u4ee5\u4e0b\u662f KubeEdge \u4e2d\u5b89\u5168\u6027\u4e0e\u6570\u636e\u52a0\u5bc6\u7684\u6838\u5fc3\u4ee3\u7801\u5206\u6790\u3002<\/p>\n1. \u4e91\u8fb9\u901a\u4fe1\u4e2d\u7684 TLS \u52a0\u5bc6<\/h3>\n
cloudhub<\/code>\uff08\u4e91\u7aef\uff09\u548c edgehub<\/code>\uff08\u8fb9\u7aef\uff09\u6a21\u5757\u4e2d\u3002<\/p>\n\u4e91\u7aef
cloudhub<\/code> \u7684 TLS \u914d\u7f6e\u4e0e\u52a0\u5bc6\u5b9e\u73b0<\/h4>\ncloudhub<\/code> \u8d1f\u8d23\u4e91\u7aef\u7684 WebSocket \u670d\u52a1\uff0c\u5e76\u652f\u6301 TLS \u52a0\u5bc6\u3002\u4e91\u7aef TLS \u7684\u914d\u7f6e\u6587\u4ef6\u4f4d\u4e8e cloud\/pkg\/cloudhub\/config\/config.go<\/code>\uff0c\u5176\u4e2d\u6307\u5b9a\u4e86\u8bc1\u4e66\u548c\u79c1\u94a5\u7684\u8def\u5f84\u3002<\/p>\n\n
cloud\/pkg\/cloudhub\/servers\/server.go<\/code> \u4e2d\uff0cinitTLSConfig<\/code> \u51fd\u6570\u4f1a\u52a0\u8f7d TLS \u8bc1\u4e66\uff0c\u5e76\u914d\u7f6e WebSocket \u670d\u52a1\u5668\u7684 TLS \u52a0\u5bc6\u3002\nfunc initTLSConfig(config *config.Config) (*tls.Config, error) {\n cert, err := tls.LoadX509KeyPair(config.TLSCertFile, config.TLSPrivateKeyFile)\n if err != nil {\n return nil, fmt.Errorf(\"failed to load TLS certificate: %v\", err)\n }\n\n tlsConfig := &tls.Config{\n Certificates: []tls.Certificate{cert},\n }\n return tlsConfig, nil\n}\n<\/code><\/pre>\ntls.LoadX509KeyPair<\/code> \u52a0\u8f7d TLS \u8bc1\u4e66\u548c\u79c1\u94a5\uff0c\u5e76\u5c06\u5176\u7ed1\u5b9a\u5230 WebSocket \u670d\u52a1\u5668\uff0c\u4ee5\u786e\u4fdd\u901a\u4fe1\u7684\u5b89\u5168\u6027\u3002<\/p>\n<\/li>\nStart<\/code> \u51fd\u6570\u4e2d\u8c03\u7528 TLS \u914d\u7f6e\u5e76\u542f\u52a8 WebSocket \u670d\u52a1\u3002<\/p>\nfunc (s *WsServer) Start() {\n tlsConfig, err := initTLSConfig(s.Config)\n if err != nil {\n log.Fatalf(\"Failed to initialize TLS config: %v\", err)\n }\n httpServer := &http.Server{\n Addr: s.Address,\n Handler: s,\n TLSConfig: tlsConfig,\n }\n log.Infof(\"Starting cloudhub websocket server with TLS on %s\", s.Address)\n httpServer.ListenAndServeTLS(\"\", \"\")\n}\n<\/code><\/pre>\n\u8fb9\u7aef
edgehub<\/code> \u7684 TLS \u914d\u7f6e\u4e0e\u52a0\u5bc6\u5b9e\u73b0<\/h4>\nedgehub<\/code> \u6a21\u5757\u4e2d\uff0c\u901a\u8fc7 TLS \u52a0\u5bc6\u4e0e\u4e91\u7aef\u5efa\u7acb\u5b89\u5168\u8fde\u63a5\uff0c\u76f8\u5173\u914d\u7f6e\u6587\u4ef6\u4f4d\u4e8e edge\/pkg\/edgehub\/config\/config.go<\/code>\u3002<\/p>\n\n
edge\/pkg\/edgehub\/clients\/wsclient\/websocket.go<\/code> \u4e2d\u7684 InitWebSocket<\/code> \u51fd\u6570\u4e2d\u521d\u59cb\u5316 TLS \u5ba2\u6237\u7aef\u8fde\u63a5\u3002\nfunc (wc *WebSocketClient) InitWebSocket() error {\n tlsConfig := &tls.Config{\n InsecureSkipVerify: wc.Config.InsecureSkipVerify,\n }\n conn, _, err := websocket.DialConfig(&websocket.Config{\n Location: wc.ServerURL,\n TLSConfig: tlsConfig,\n })\n if err != nil {\n return err\n }\n wc.Connection = conn\n return nil\n}\n<\/code><\/pre>\nTLSConfig<\/code> \u786e\u4fdd WebSocket \u5ba2\u6237\u7aef\u5728\u8fde\u63a5\u4e91\u7aef\u65f6\u4f7f\u7528\u52a0\u5bc6\u4f20\u8f93\uff0c\u9632\u6b62\u6570\u636e\u6cc4\u9732\u3002<\/p>\n<\/li>\n<\/ul>\n2. \u8eab\u4efd\u8ba4\u8bc1\u4e0e\u8bbf\u95ee\u63a7\u5236<\/h3>\n
\n
edgehub<\/code> \u901a\u8fc7\u8bbe\u7f6e clientID<\/code> \u6216 token<\/code> \u7b49\u8ba4\u8bc1\u4fe1\u606f\u6765\u9650\u5236\u8bbf\u95ee\u6743\u9650\uff0c\u786e\u4fdd\u53ea\u6709\u88ab\u6388\u6743\u7684\u8bbe\u5907\u624d\u80fd\u63a5\u5165\u4e91\u7aef\u3002\nfunc NewMqttClient(config MqttConfig) (*MqttClient, error) {\n opts := mqtt.NewClientOptions()\n opts.AddBroker(config.Broker)\n opts.SetClientID(config.ClientID)\n opts.SetUsername(config.Username)\n opts.SetPassword(config.Password)\n client := mqtt.NewClient(opts)\n token := client.Connect()\n if token.Wait() && token.Error() != nil {\n return nil, token.Error()\n }\n return &MqttClient{Client: client}, nil\n}\n<\/code><\/pre>\nClientID<\/code>\u3001Username<\/code>\u3001Password<\/code> \u7684\u8bbe\u7f6e\u53ef\u7528\u4e8e\u8eab\u4efd\u8ba4\u8bc1\uff0c\u9650\u5236\u8fb9\u7aef\u7684\u63a5\u5165\u6743\u9650\u3002<\/p>\n<\/li>\nnodeName<\/code> \u4f5c\u4e3a\u552f\u4e00\u6807\u8bc6\uff0c\u4ee5\u9632\u6b62\u672a\u6388\u6743\u7684\u8fb9\u7f18\u8bbe\u5907\u63a5\u5165\u3002<\/p>\n<\/li>\n<\/ul>\n3. \u6570\u636e\u52a0\u5bc6\u5b58\u50a8<\/h3>\n
metamanager<\/code> \u53ef\u4ee5\u5bf9\u654f\u611f\u6570\u636e\u8fdb\u884c\u52a0\u5bc6\u5b58\u50a8\u3002\u6570\u636e\u52a0\u5bc6\u5b58\u50a8\u4f7f\u5f97\u5373\u4f7f\u672c\u5730\u6570\u636e\u5e93\u88ab\u8bbf\u95ee\uff0c\u654f\u611f\u4fe1\u606f\u4e5f\u4e0d\u4f1a\u88ab\u6cc4\u9732\u3002<\/p>\n\n
edge\/pkg\/metamanager\/dao\/meta.go<\/code> \u6587\u4ef6\u4e2d\uff0cInsertOrUpdate<\/code> \u51fd\u6570\u53ef\u4ee5\u6dfb\u52a0\u6570\u636e\u52a0\u5bc6\u903b\u8f91\uff0c\u786e\u4fdd\u5b58\u50a8\u5230 SQLite \u6570\u636e\u5e93\u4e2d\u7684\u6570\u636e\u662f\u52a0\u5bc6\u7684\u3002\nfunc InsertOrUpdate(meta *Meta) error {\n encryptedValue, err := encrypt(meta.Value)\n if err != nil {\n return err\n }\n db := getDB()\n _, err = db.Exec(\"INSERT OR REPLACE INTO meta (key, value) VALUES (?, ?)\", meta.Key, encryptedValue)\n return err\n}\n\nfunc encrypt(value string) (string, error) {\n \/\/ \u52a0\u5bc6\u903b\u8f91\uff0c\u4f8b\u5982\u4f7f\u7528 AES \u52a0\u5bc6\n}\n<\/code><\/pre>\nencrypt<\/code> \u51fd\u6570\u53ef\u4ee5\u4f7f\u7528 AES \u6216\u5176\u4ed6\u52a0\u5bc6\u7b97\u6cd5\u5bf9\u654f\u611f\u4fe1\u606f\u8fdb\u884c\u52a0\u5bc6\u540e\u518d\u5b58\u50a8\uff0c\u786e\u4fdd\u5728\u672c\u5730\u6570\u636e\u5e93\u4e2d\u4fdd\u5b58\u7684\u8bbe\u5907\u4fe1\u606f\u5b89\u5168\u3002<\/p>\n<\/li>\n<\/ul>\n4. \u914d\u7f6e\u654f\u611f\u4fe1\u606f\u7684\u52a0\u5bc6\u7ba1\u7406<\/h3>\n
\n
5. \u8bc1\u4e66\u4e0e\u5bc6\u94a5\u7ba1\u7406<\/h3>\n
cloudcore<\/code> \u548c edgecore<\/code> \u914d\u7f6e\u6587\u4ef6\u4e2d\u6307\u5b9a\u81ea\u5b9a\u4e49\u8bc1\u4e66\u8def\u5f84\u548c\u5bc6\u94a5\u8def\u5f84\u3002<\/p>\n\n
# cloudcore \u914d\u7f6e\u6587\u4ef6\u793a\u4f8b\ncloudhub:\ntls:\n enable: true\n caFile: \/etc\/kubeedge\/ca\/rootCA.crt\n certFile: \/etc\/kubeedge\/certs\/server.crt\n keyFile: \/etc\/kubeedge\/certs\/server.key\n<\/code><\/pre>\n\u603b\u7ed3<\/h3>\n
cloudhub<\/code> \u548c edgehub<\/code> \u901a\u8fc7\u52a0\u8f7d\u8bc1\u4e66\u548c\u79c1\u94a5\u6765\u652f\u6301 TLS \u52a0\u5bc6\u901a\u4fe1\uff0c\u4fdd\u969c\u6570\u636e\u5728\u4f20\u8f93\u8fc7\u7a0b\u4e2d\u4e0d\u88ab\u7a83\u53d6\u3002metamanager<\/code> \u6a21\u5757\u53ef\u4ee5\u5bf9\u672c\u5730\u7f13\u5b58\u7684\u6570\u636e\u8fdb\u884c\u52a0\u5bc6\u5b58\u50a8\uff0c\u786e\u4fdd\u654f\u611f\u4fe1\u606f\u7684\u5b89\u5168\u3002\u6b64\u5916\uff0c\u901a\u8fc7\u8eab\u4efd\u8ba4\u8bc1\u548c\u8bbf\u95ee\u63a7\u5236\u7b49\u673a\u5236\uff0cKubeEdge \u9650\u5236\u4e86\u672a\u6388\u6743\u8bbe\u5907\u7684\u8bbf\u95ee\uff0c\u63d0\u9ad8\u4e86\u6574\u4f53\u7684\u5b89\u5168\u6027\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"