Communication between Cloud Foundry components is encrypted with mutual TLS. For a component to accept an SSL certificate as valid, it verifies that the certificate was signed by a certificate authority (CA) it trusts. The CA itself is represented by an SSL certificate/key pair. When an operator generates a new certificate, they choose a CA and sign the new certificate with that CA's private key; every component that trusts the CA will then also trust the new certificate.

1. Check out cf-release (release-candidate branch or tagged release) from git:

   cd ~/workspace
   git clone https://github.com/cloudfoundry/cf-release.git
   cd ~/workspace/cf-release
   git checkout release-candidate
   ./scripts/update

2. Check out diego-release (master branch or tagged release) from git:

   cd ~/workspace
   git clone https://github.com/cloudfoundry/diego-release.git
   cd ~/workspace/diego-release
   git checkout master
   ./scripts/update

Generating certificates

Consul

./scripts/generate-consul-certs

Script output                 Corresponding property
consul-certs/server-ca.crt    properties.consul.ca_cert
consul-certs/server.crt       properties.consul.server_cert
consul-certs/server.key       properties.consul.server_key
consul-certs/agent.crt        properties.consul.agent_cert
consul-certs/agent.key        properties.consul.agent_key

Etcd

./scripts/generate-etcd-certs

This script generates two CAs: one for client/server communication and one for communication between the etcd nodes (peers).

Script output               Corresponding property
etcd-certs/etcd-ca.crt      properties.etcd.ca_cert
                            properties.loggregator.etcd.ca_cert
etcd-certs/server.crt       properties.etcd.server_cert
etcd-certs/server.key       properties.etcd.server_key
etcd-certs/client.crt       properties.etcd.client_cert
                            properties.doppler.etcd.client_cert
                            properties.traffic_controller.etcd.client_cert
                            properties.syslog_drain_binder.etcd.client_cert
etcd-certs/client.key       properties.etcd.client_key
                            properties.doppler.etcd.client_key
                            properties.traffic_controller.etcd.client_key
                            properties.syslog_drain_binder.etcd.client_key
etcd-certs/peer-ca.crt      properties.etcd.peer_ca_cert
etcd-certs/peer.crt         properties.etcd.peer_cert
etcd-certs/peer.key         properties.etcd.peer_key

Blobstore

./scripts/generate-blobstore-certs

Script output                    Corresponding property
blobstore-certs/server-ca.crt    properties.blobstore.tls.ca_cert
blobstore-certs/server.crt       blobstore-certs/server.crt
blobstore-certs/server.key       properties.blobstore.tls.private_key

UAA

./scripts/generate-uaa-certs

Script output              Corresponding property
uaa-certs/server-ca.crt    properties.uaa.ca_cert
uaa-certs/server.crt       properties.uaa.sslCertificate
uaa-certs/server.key       properties.uaa.sslPrivateKey

DEA

./scripts/generate-dea-certs

Script output               Corresponding property
dea-certs/dea_ca.crt        properties.dea.ca_cert
dea-certs/dea_client.crt    properties.dea.client_cert
dea-certs/dea_client.key    properties.dea.client_key
dea-certs/dea_server.crt    properties.dea.server_cert
dea-certs/dea_server.key    properties.dea.server_key

HM9000

./scripts/generate-hm9000-certs

Script output                     Corresponding property
hm9000-certs/hm9000_ca.crt        properties.hm9000.ca_cert
hm9000-certs/hm9000_client.crt    properties.hm9000.client_cert
hm9000-certs/hm9000_client.key    properties.hm9000.client_key
hm9000-certs/hm9000_server.crt    properties.hm9000.server_cert
hm9000-certs/hm9000_server.key    properties.hm9000.server_key

Generating cf-diego-ca

./scripts/generate-cf-diego-certs

Script output                          Corresponding property
cf-diego-certs/cf-diego-ca.crt         properties.cc.mutual_tls.ca_cert
                                       properties.capi.tps.cc.ca_cert (in the Diego manifest)
                                       properties.capi.cc_uploader.cc.ca_cert (in the Diego manifest)
                                       properties.capi.cc_uploader.mutual_tls.ca_cert (in the Diego manifest)
cf-diego-certs/cloud_controller.crt    properties.cc.mutual_tls.public_cert
cf-diego-certs/cloud_controller.key    properties.cc.mutual_tls.private_key

Generating the certificates for the Diego deployment; these certificates must be signed by cf-diego-ca:

../diego-release/scripts/generate-diego-certs ./cf-diego-certs

Script output                            Corresponding property
diego-certs/auctioneer-certs/server.crt  properties.diego.auctioneer.server_cert
diego-certs/auctioneer-certs/server.key  properties.diego.auctioneer.server_key
diego-certs/bbs-certs/client.crt         properties.capi.nsync.bbs.client_cert
                                         properties.capi.stager.bbs.client_cert
                                         properties.capi.tps.bbs.client_cert
                                         properties.diego.auctioneer.bbs.client_cert
                                         properties.diego.rep.bbs.client_cert
                                         properties.diego.cfdot.bbs.client_cert
                                         properties.diego.route_emitter.bbs.client_cert
                                         properties.diego.ssh_proxy.bbs.client_cert
diego-certs/bbs-certs/client.key         properties.capi.nsync.bbs.client_key
                                         properties.capi.stager.bbs.client_key
                                         properties.capi.tps.bbs.client_key
                                         properties.diego.auctioneer.bbs.client_key
                                         properties.diego.rep.bbs.client_key
                                         properties.diego.cfdot.bbs.client_key
                                         properties.diego.route_emitter.bbs.client_key
                                         properties.diego.ssh_proxy.bbs.client_key
diego-certs/cc-uploader-certs/client.crt properties.capi.cc_uploader.cc.client_cert
diego-certs/cc-uploader-certs/client.key properties.capi.cc_uploader.cc.client_key
diego-certs/locket-certs/server.crt      properties.tls.cert
diego-certs/locket-certs/server.key      properties.tls.key
diego-certs/rep-certs/server.crt         properties.diego.rep.server_cert
diego-certs/rep-certs/server.key         properties.diego.rep.server_key
diego-certs/rep-certs/client.crt         properties.diego.auctioneer.rep.client_cert
                                         properties.diego.bbs.rep.client_cert
diego-certs/rep-certs/client.key         properties.diego.auctioneer.rep.client_key
                                         properties.diego.bbs.rep.client_key
diego-certs/tps-certs/client.crt         properties.capi.tps.cc.client_cert
diego-certs/tps-certs/client.key         properties.capi.tps.cc.client_key

Generating the Loggregator certificates

./scripts/generate-loggregator-certs cf-diego-certs/cf-diego-ca.crt cf-diego-certs/cf-diego-ca.key

This script creates certificates for traffic controller, doppler, metron and syslog_drain_binder. The first three are signed by the newly generated loggregator CA; syslog_drain_binder is signed by cf-diego-ca.

Script output                               Corresponding property
loggregator-certs/loggregator-ca.crt        properties.loggregator.tls.ca_cert
loggregator-certs/doppler.crt               properties.loggregator.tls.doppler.cert
loggregator-certs/doppler.key               properties.loggregator.tls.doppler.key
loggregator-certs/metron.crt                properties.loggregator.tls.metron.cert
loggregator-certs/metron.key                properties.loggregator.tls.metron.key
loggregator-certs/trafficcontroller.crt     properties.loggregator.tls.trafficcontroller.cert
loggregator-certs/trafficcontroller.key     properties.loggregator.tls.trafficcontroller.key
loggregator-certs/syslogdrainbinder.crt     properties.loggregator.tls.syslogdrainbinder.cert
loggregator-certs/syslogdrainbinder.key     properties.loggregator.tls.syslogdrainbinder.key
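The trust model from the introduction (a component accepts a certificate only if it chains to the CA in its configured ca_cert) is what makes the split in the Loggregator section matter: doppler, metron and the traffic controller chain to the loggregator CA, syslog_drain_binder to cf-diego-ca, and a cert handed to a component that trusts the other CA is rejected. The following Go program is an added example, not code from cf-release or the generate-*-certs scripts; it builds two CAs and two component certificates in memory with the standard library (P-256 keys where the scripts produce RSA, which does not change the check) and runs the chain verification that a TLS peer performs against each CA. Hostname matching is left out; the function names and the CA common names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// template holds what every certificate here shares; NewCA adds the CA bits.
func template(name string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// pemOf encodes DER the way the scripts write .crt files and ca_cert values.
func pemOf(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// NewCA builds a self-signed CA in memory, the counterpart of loggregator-ca or cf-diego-ca.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true // chain building needs these
	tmpl.KeyUsage |= x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue signs a component certificate with the chosen CA's private key ("selecting a CA").
func Issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, template(name), ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pemOf(der), nil
}

// TrustedBy is the check a component makes with its configured ca_cert: does the
// peer's certificate chain to that CA? (Hostname matching is left out here.)
func TrustedBy(leafPEM, caPEM []byte) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("peer certificate: no CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("ca_cert: no certificates found")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// Demo models the Loggregator section: doppler is issued by loggregator-ca, syslog_drain_binder by cf-diego-ca.
func Demo() (map[string]bool, error) {
	logCA, logKey, e1 := NewCA("loggregatorCA")
	diegoCA, diegoKey, e2 := NewCA("cf-diego-ca")
	if e1 != nil || e2 != nil {
		return nil, fmt.Errorf("generating CAs: %v %v", e1, e2)
	}
	doppler, e1 := Issue("doppler", logCA, logKey)
	sdb, e2 := Issue("syslog_drain_binder", diegoCA, diegoKey)
	if e1 != nil || e2 != nil {
		return nil, fmt.Errorf("issuing certs: %v %v", e1, e2)
	}
	return map[string]bool{
		"doppler/loggregator-ca":             TrustedBy(doppler, pemOf(logCA.Raw)) == nil,
		"doppler/cf-diego-ca":                TrustedBy(doppler, pemOf(diegoCA.Raw)) == nil,
		"syslog_drain_binder/cf-diego-ca":    TrustedBy(sdb, pemOf(diegoCA.Raw)) == nil,
		"syslog_drain_binder/loggregator-ca": TrustedBy(sdb, pemOf(logCA.Raw)) == nil,
	}, nil
}
```

Only the two "issued by" pairs verify; the cross pairs fail with an unknown-authority error, which is exactly what a component reports when a manifest property points at a certificate signed by the wrong CA. The same check can be run on the files the scripts produced before they go into a manifest, for example openssl verify -CAfile cf-diego-certs/cf-diego-ca.crt loggregator-certs/syslogdrainbinder.crt, which must succeed, while the same command with loggregator-certs/loggregator-ca.crt as the CA must fail.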

Generating the statsd-injector certificates

These certificates must be signed by the loggregator CA:

./scripts/generate-statsd-injector-certs loggregator-certs/loggregator-ca.crt loggregator-certs/loggregator-ca.key

Script output                              Corresponding property
statsd-injector-certs/statsdinjector.crt   properties.loggregator.tls.statsd_injector.cert
statsd-injector-certs/statsdinjector.key   properties.loggregator.tls.statsd_injector.key