[Original] OCP & VMware Network and Security Integration Solution Installation and Deployment Guide - 04 - Notes

Creating the Harbor registry certificates

Creating the CA root certificate

# Seed the pseudo-random number file; without this step, the later certificate generation prints a warning.

root@harbor:~# openssl rand -writerand .rnd

# Create the CA private key (.key)

root@harbor:~# openssl genrsa -out ca.key 4096

# Generate the self-signed CA root certificate from the private key (.key)

root@harbor:~# openssl req -x509 -new -nodes -sha512 -days 36500 -subj "/C=CN/ST=Beijing/L=Beijing/O=vmwlab/OU=vmwlab/CN=vmwlab.net" -key ca.key -out ca.crt


Issuing the server certificate

# Generate the server private key

root@harbor:~# openssl genrsa -out harbor.vmwlab.net.key 4096

# Generate the certificate signing request (CSR)

root@harbor:~# openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=vmwlab/OU=vmwlab/CN=vmwlab.net" -key harbor.vmwlab.net.key -out harbor.vmwlab.net.csr

# Create an x509 v3 extension file (the subjectAltName entries are what TLS clients match the host name against)

cat > harbor.v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=vmwlab.net
DNS.2=vmwlab
DNS.3=*.vmwlab.net
DNS.4=harbor.vmwlab.net
EOF

# Use this v3.ext file to sign the certificate for your Harbor host with the CA

openssl x509 -req -sha512 -days 36500 -extfile harbor.v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.vmwlab.net.csr -out harbor.vmwlab.net.crt

# List the root certificates already installed on the host (one subject line per certificate in the bundle)

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
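The whole flow above, from CA to signed server certificate, as an added example that is not the post's own code, followed by the checks worth running before the files go to Harbor: chain validation against ca.crt, CA:FALSE on the leaf, the serverAuth EKU, the host name in the SAN, and the awk idiom from the last command applied to a PEM bundle. It assumes 2048-bit keys instead of 4096 so it runs quickly, a CA CN (vmwlab Root CA) that differs from the leaf CN, and a scratch directory from mktemp.

```shell
#!/bin/sh
# Added example (not the post's code): build the Harbor CA and server cert as
# the post does, then check the result before handing it to Harbor or Docker.
# Assumed: 2048-bit keys (post: 4096) for speed; a CA CN distinct from the leaf.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-harbor.vmwlab.net}"   # host name and SAN list mirror the post
CA_SUBJ="/C=CN/ST=Beijing/L=Beijing/O=vmwlab/OU=vmwlab/CN=vmwlab Root CA"
LEAF_SUBJ="/C=CN/ST=Beijing/L=Beijing/O=vmwlab/OU=vmwlab/CN=$HOST"
# Self-signed root; with the stock openssl.cnf, req -x509 marks it CA:TRUE.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 -subj "$CA_SUBJ" \
    -key "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Leaf: CSR plus v3 extension file; the SAN is what TLS clients match on.
make_server_cert() {
  openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "$LEAF_SUBJ" \
    -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr"
  cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST, DNS:*.vmwlab.net
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$WORK/v3.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/$HOST.csr" -out "$WORK/$HOST.crt" 2>/dev/null
}
# Succeeds only if the leaf chains to ca.crt, is CA:FALSE, is valid for
# serverAuth and carries the Harbor host name in its SAN.
verify_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$HOST.crt" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$WORK/$HOST.crt" -noout -text)
  echo "$txt" | grep -q 'CA:FALSE' || return 1
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  echo "$txt" | grep -q "DNS:$HOST"
}

# The post's awk idiom: print the subject of every cert in a PEM bundle (use it
# to confirm ca.crt really landed in /etc/ssl/certs/ca-certificates.crt).
bundle_subjects() {
  awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}
if [ "${1:-}" = "--run" ]; then
  make_ca && make_server_cert && verify_server_cert && echo "OK: $WORK"
fi
```

Run it as `sh harbor-certs.sh --run`; the generated files are left in the directory it prints so you can copy ca.crt, the .crt and the .key into the Harbor configuration.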

Adjusting Antrea parameters after installation

Normally, configuration changes after installing Antrea are made through its ConfigMap, but in an OCP environment Antrea is deployed through an Operator, which is slightly different: the settings should be adjusted through the Operator CR instead. The steps are as follows:

# CLI method

[root@Operator ~]# kubectl -n antrea-operator edit antreainstall

# GUI method (edit the AntreaInstall CR from the OpenShift console)


Downloading the latest OCP version from the official site

# Choose the installation tools for the operating system of the Operator VM.

Download location (a Red Hat account is required):

https://console.redhat.com/openshift/install/vsphere/installer-provisioned


# Upload all files to the Operator VM


# Extract the files; to make kubectl and oc available everywhere, move them to /usr/local/bin

[root@Operator ~]# tar xvf openshift-client-linux.tar.gz

[root@Operator ~]# mv kubectl oc /usr/local/bin/

[root@Operator ~]# tar xvf openshift-install-linux.tar.gz

Static routes in Avi are not injected into the SE

Although the static route was added in the GUI, the CLI shows that the route was not injected into the SE:

admin@192-168-60-11:~$ shell


[admin:192-168-60-11]: >show serviceengine AVI_C01_SLB-se-qcswi route


Temporary workaround: this must be done on every SE; this section uses one SE as the example.

[admin:192-168-60-11]: > attach serviceengine AVI_C01_SLB-se-qcswi


admin@AVI-C01-SLB-se-qcswi:~$ ip ns list

admin@AVI-C01-SLB-se-qcswi:~$ sudo ip netns exec avi_ns1 bash

root@AVI-C01-SLB-se-qcswi:/home/admin# ip route add 0.0.0.0/0 via 172.36.111.254

root@AVI-C01-SLB-se-qcswi:/home/admin# exit

admin@AVI-C01-SLB-se-qcswi:~$ exit

[admin:192-168-60-11]: > show serviceengine AVI_C01_SLB-se-qcswi route


Trying the Antrea IDPS feature

The latest version, 1.5.0, supports IDS, but problems remain during validation on OCP; engineering is still working on them for the OCP platform, and this section will be updated once validation passes.
