Cloud Foundry: Bosh Lite cf deployment on VirtualBox with an MITM proxy certificate

Tags: cloud-foundry, cf-bosh

I'm trying to deploy CF locally via the VirtualBox bosh-lite VM, but before I can reach the internet I hit a corporate proxy that injects a self-signed certificate.

I have added the CA to the OS-level trusted certificates via SSH, but I still get an untrusted certificate in the chain.

Is there a place in the configuration where the corporate CA can be put so that all the items download/install successfully?

BOSH deploys CF, Zookeeper, Kubernetes, etc. into a "cloud" by creating "machines", installing the appropriate software in them, and running it there. On a "typical" cloud (such as Amazon Web Services or VMware vSphere) the "machines" are regular virtual machines.

BOSH can also treat various container runtimes (such as Docker, Kubernetes or Garden) as a "cloud", and in BOSH Lite it treats Garden as the cloud. So in the BOSH Lite case the "machines" are actually Linux containers running inside the VirtualBox VM. That is why installing the certificate at the OS level of the VM does not apply to the things running as containers inside the VM.

BOSH does have a native way, the `trusted_certs` property, to inject trusted certificates into every machine it manages. Assuming you installed BOSH Lite following those steps, you can update the `create-env` command from this:

bosh create-env ~/workspace/bosh-deployment/bosh.yml \
  --state ./state.json \
  -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
  -o ~/workspace/bosh-deployment/virtualbox/outbound-network.yml \
  -o ~/workspace/bosh-deployment/bosh-lite.yml \
  -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
  -o ~/workspace/bosh-deployment/uaa.yml \
  -o ~/workspace/bosh-deployment/credhub.yml \
  -o ~/workspace/bosh-deployment/jumpbox-user.yml \
  --vars-store ./creds.yml \
  -v director_name=bosh-lite \
  -v internal_ip=192.168.50.6 \
  -v internal_gw=192.168.50.1 \
  -v internal_cidr=192.168.50.0/24 \
  -v outbound_network_name=NatNetwork

to this:


bosh create-env ~/workspace/bosh-deployment/bosh.yml \
  --state ./state.json \
  -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
  -o ~/workspace/bosh-deployment/virtualbox/outbound-network.yml \
  -o ~/workspace/bosh-deployment/bosh-lite.yml \
  -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
  -o ~/workspace/bosh-deployment/uaa.yml \
  -o ~/workspace/bosh-deployment/credhub.yml \
  -o ~/workspace/bosh-deployment/jumpbox-user.yml \
  -o ~/workspace/bosh-deployment/openstack/trusted-certs.yml \
  --vars-store ./creds.yml \
  -v director_name=bosh-lite \
  -v internal_ip=192.168.50.6 \
  -v internal_gw=192.168.50.1 \
  -v internal_cidr=192.168.50.0/24 \
  -v outbound_network_name=NatNetwork \
  --var-file=openstack_ca_cert=</PATH/TO/YOUR/CERT>
This adds two lines:

-o ~/workspace/bosh-deployment/openstack/trusted-certs.yml
--var-file=openstack_ca_cert=</PATH/TO/YOUR/CERT>
Even though it says `openstack`, there is nothing OpenStack-specific in those files. The first line (with `-o`) modifies BOSH's base manifest to include a section that sets the director's `trusted_certs` property, but instead of setting an actual value it parameterizes it as a variable named `openstack_ca_cert`; the second line (with `--var-file`) then actually sets the value using the contents of the given file.

After you run that command it will update BOSH Lite, but not the things BOSH has deployed, such as CF. You will need to re-run the deployment command for CF to make sure it picks up those trusted certificates.
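To make the `-o` / `--var-file` interplay from the answer concrete, here is an added example (not part of the answer and not BOSH's own code) that re-implements, in plain Python dicts, just enough of the ops-file mechanics to show how `trusted_certs` ends up in the director manifest. The base manifest fragment and the shape of `openstack/trusted-certs.yml` are assumptions, the PEM text is a constructed placeholder, and only `replace` ops with a trailing `?` on the last segment are supported.

```python
import copy
import re

# Constructed fragment of bosh.yml: just the director properties this example needs.
BASE_MANIFEST = {"instance_groups": [
    {"name": "bosh", "properties": {"director": {"name": "((director_name))"}}}]}

# Assumed shape of openstack/trusted-certs.yml (not a copy): one replace op whose
# value is the ((openstack_ca_cert)) variable rather than a literal certificate.
TRUSTED_CERTS_OPS = [{
    "type": "replace",
    "path": "/instance_groups/name=bosh/properties/director/trusted_certs?",
    "value": "((openstack_ca_cert))"}]

def _select(node, token):
    """Walk one path segment: 'name=bosh' picks a list item by key, else a dict key."""
    if isinstance(node, list):
        key, _, wanted = token.partition("=")
        return next(item for item in node if item.get(key) == wanted)
    return node[token]

def apply_ops(manifest, ops):
    """Apply 'replace' ops the way `-o file.yml` does; a trailing '?' creates a missing key."""
    doc = copy.deepcopy(manifest)
    for op in ops:
        if op["type"] != "replace":
            raise NotImplementedError(op["type"])
        *parents, leaf = op["path"].strip("/").split("/")
        node = doc
        for token in parents:
            node = _select(node, token)
        if not leaf.endswith("?") and leaf not in node:
            raise KeyError(leaf)  # without '?' the key must already exist
        node[leaf.rstrip("?")] = op["value"]
    return doc

def interpolate(value, variables):
    """Substitute ((var)) placeholders; --var-file supplies a file's contents as the value."""
    if isinstance(value, str):
        return re.sub(r"\(\(([\w-]+)\)\)", lambda m: variables[m.group(1)], value)
    if isinstance(value, dict):
        return {k: interpolate(v, variables) for k, v in value.items()}
    if isinstance(value, list):
        return [interpolate(v, variables) for v in value]
    return value

def render_trusted_certs(ca_pem, director_name="bosh-lite"):
    """Return director.trusted_certs as rendered; ca_pem stands for the --var-file contents."""
    variables = {"director_name": director_name, "openstack_ca_cert": ca_pem}
    doc = interpolate(apply_ops(BASE_MANIFEST, TRUSTED_CERTS_OPS), variables)
    return doc["instance_groups"][0]["properties"]["director"]["trusted_certs"]
```

Note that the base manifest has no `trusted_certs` key at all, which is why the ops file needs the `?`; the same path without it would fail, mirroring what `bosh create-env` reports for a path that does not exist.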