update: edge agent management
chongyuanyin committed Jun 21, 2024
1 parent 641e50a commit 170bb54
Showing 2 changed files with 16 additions and 45 deletions.
31 changes: 8 additions & 23 deletions ecp/en_US/edge_service/edge_agent_management.md
@@ -37,33 +37,18 @@ You can view all NeuronEX agents registered to ECP in this window. Agents that h

The default agent server of ECP uses the TCP protocol for data transmission. If you want to use a more secure transmission method, you can configure it appropriately and enable SSL/TLS. The following will take the example of ECP deployed with Docker using the built-in NanoMQ to explain the configuration steps in detail. You can also refer to the [NanoMQ Docker Deployment Document](https://nanomq.io/docs/en/latest/installation/docker.html) for a more complete introduction.

1. Prepare the SSL certificate files used by NanoMQ, including the CA file (cacert.pem), the certificate file used by NanoMQ (cert.pem), and the certificate key file used by NanoMQ (key.pem), and save them to the configs/nanomq subdirectory of the installation file directory.
1. Prepare the server-side SSL certificate files used by NanoMQ, including the CA file (cacert.pem), the server certificate file (cert.pem), and the server certificate key file (key.pem), and save them to the configs/nanomq subdirectory of the installation file directory.

2. Prepare the SSL certificate files used by ECP, including the CA file (cacert.pem), the certificate file used by ECP (client-cert.pem), and the certificate key file used by NanoMQ (client-key.pem), and save them to the configs/main subdirectory of the installation file directory.
2. Prepare the client-side SSL certificate files used by ECP and NeuronEX, including the CA file (cacert.pem), the client certificate file (client-cert.pem), and the client certificate key file (client-key.pem), and save them to the configs/main subdirectory of the installation file directory.

3. Enter the installation file directory, modify configs/nanomq/nanomq.conf, add an SSL listener, and mainly configure the port and certificate location:
3. Enter the directory where the installation file is located and modify the mqtt part in the docker-compose.yaml file. The specific content that needs to be modified is as follows:

- Use port 8883 in `bind`.
- `keyfile`, `certfile`, `cacertfile` are the paths where the NanoMQ SSL certificate files are mounted to the container.
- Mount the certificate file to the NanoMQ container in `volumes`. Please make sure the path in the container should be under directory `/etc/certs`.
- Configure SSL/TLS related environment variables in `environment`
- NANOMQ_TLS_ENABLE is set to true to enable TLS.
- If NANOMQ_TLS_VERIFY_PEER is set to false, it means NanoMQ does not verify the client certificate. If it is set to true, it means that the client certificate needs to be verified. Please set it according to actual needs.
- NANOMQ_TLS_FAIL_IF_NO_PEER_CERT If set to false, NanoMQ allows the client to not send a certificate or to send an empty certificate. If set to true, it means that the client will be refused to connect without a certificate. Please set it according to actual needs.

```
listeners.ssl {
bind = "0.0.0.0:8883"
keyfile = "/etc/certs/server.key"
certfile = "/etc/certs/server.pem"
cacertfile = "/etc/certs/cacert.pem"
}
```

4. Enter the directory where the installation file is located and modify the mqtt part in the docker-compose.yaml file. The specific content that needs to be modified is as follows:

- Confirm to use the full version of NanoMQ image in `image`, such as 0.21.2-full.
- Added mapping of SSL port 8883 in `ports`. In the example, it is mapped to port 38883 (port 38883 is used for external access such as NeuronEX, and ECP still uses the network port 8883 in the container)
- Mount the certificate file to the NanoMQ container in `volumes`. Please make sure it is consistent with the path in the container specified in nanomq.conf in the previous step.
- Configure SSL/TLS related environment variables in `environment`
- NANOMQ_TLS_ENABLE is set to true to enable TLS.
- If NANOMQ_TLS_VERIFY_PEER is set to false, it means NanoMQ does not verify the client certificate. If it is set to true, it means that the client certificate needs to be verified. Please set it according to actual needs.
- NANOMQ_TLS_FAIL_IF_NO_PEER_CERT If set to false, NanoMQ allows the client to not send a certificate or to send an empty certificate. If set to true, it means that the client will be refused to connect without a certificate. Please set it according to actual needs.


```
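Review bot: the added bullets `- If NANOMQ_TLS_VERIFY_PEER is set to false` and `- NANOMQ_TLS_FAIL_IF_NO_PEER_CERT If set to false` leave both client-verification switches to "actual needs", yet the rewritten step 2 now provisions client certificates for ECP and NeuronEX; with NANOMQ_TLS_VERIFY_PEER=false those certificates are never checked and anything that trusts the CA can still connect. Suggest stating that the example sets `NANOMQ_TLS_ENABLE=true`, `NANOMQ_TLS_VERIFY_PEER=true` and `NANOMQ_TLS_FAIL_IF_NO_PEER_CERT=true` (mutual TLS) and that relaxing the last two is only for testing. Minor: "Please make sure the path in the container should be under directory `/etc/certs`" reads better as "the path inside the container must be under `/etc/certs`", and because the old `4. Enter the directory where the installation file is located...` line is removed and folded into step 3, the steps that follow this hunk need renumbering.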
30 changes: 8 additions & 22 deletions ecp/zh_CN/edge_service/edge_agent_management.md
@@ -52,34 +52,19 @@ NeuronEX 代理纳管接入 ECP,并采用不开启 SSL/TLS 的方式,数据

ECP 默认代理服务器通过 TCP 协议进行数据传输,如果您希望使用更安全的传输方式,可以进行适当的配置,开启 SSL/TLS。以下将以 Docker 部署的 ECP 使用自带的 NanoMQ 为例来详细说明配置步骤。您也可以参考[NanoMQ Docker 部署文档](https://nanomq.io/docs/zh/latest/installation/docker.html)获取更完整的介绍。

1. 准备好NanoMQ 使用的 SSL 证书文件,包括 CA 文件(cacert.pem)、NanoMQ 使用的证书文件(cert.pem)、NanoMQ 使用的证书密钥文件(key.pem),并保存到安装文件所在目录的 configs/nanomq 子目录下。
1. 准备好NanoMQ 使用的服务端 SSL 证书文件,包括 CA 文件(cacert.pem)、服务端证书文件(cert.pem)、服务端证书密钥文件(key.pem),并保存到安装文件所在目录的 configs/nanomq 子目录下。

2. 准备好 ECP 使用的 SSL 证书文件,包括 CA 文件(cacert.pem)、ECP 使用的证书文件(client-cert.pem)、NanoMQ 使用的证书密钥文件(client-key.pem),并保存到安装文件所在目录的 configs/main 子目录下。
2. 准备好 ECP 及 NeuronEX 使用的客户端 SSL 证书文件,包括 CA 文件(cacert.pem)、客户端证书文件(client-cert.pem)、客户端证书密钥文件(client-key.pem),并保存到安装文件所在目录的 configs/main 子目录下。

3. 进入安装文件所在目录,修改 configs/nanomq/nanomq.conf,增加 SSL 监听器,主要配置端口和证书位置
3. 进入安装文件所在目录,修改 docker-compose.yaml 文件中的 mqtt 部分,需要改动的具体内容如下

- `bind` 中使用 8883 端口。
- `keyfile`, `certfile`, `cacertfile` 分别为 NanoMQ SSL 证书文件所挂载到的容器中的路径。

```
listeners.ssl {
bind = "0.0.0.0:8883"
keyfile = "/etc/certs/server.key"
certfile = "/etc/certs/server.pem"
cacertfile = "/etc/certs/cacert.pem"
}
```

4. 进入安装文件所在目录,修改 docker-compose.yaml 文件中的 mqtt 部分,需要改动的具体内容如下:

- `image` 中确认使用完整版 NanoMQ 的镜像,如0.21.2-full。
- `ports` 中新增 SSL 端口 8883 的映射。示例中映射到 38883 端口(38883 端口供 NeuronEX 等外部访问使用,ECP 仍使用容器内网络端口 8883)
- `volumes` 中挂载证书文件到 NanoMQ 容器,请确保与上一步 nanomq.conf 中指定的容器内路径保持一致。
- `volumes` 中如示例配置所示,挂载证书文件到 NanoMQ 容器的 `/etc/cets` 目录下,请不要修改容器内的证书文件路径。
- `environment` 中配置 SSL/TLS 相关环境变量
- NANOMQ_TLS_ENABLE 设为 true,表示开启 TLS。
- NANOMQ_TLS_VERIFY_PEER 设为 false 表示 NanoMQ 不验证客户端证书,设为 true 表示需要验证客户端证书,请根据实际需要设置。
- NANOMQ_TLS_FAIL_IF_NO_PEER_CERT 设为 false 表示 NanoMQ 允许客户端不发送证书或发送空证书,设为 true 表示拒绝客户端无证书连接,请根据实际需要设置。


```
mqtt:
container_name: emqx-ecp-nanomq
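Review bot: the added line `- \`volumes\` 中如示例配置所示,挂载证书文件到 NanoMQ 容器的 \`/etc/cets\` 目录下` has a typo in the mount path: `/etc/cets` should be `/etc/certs`, the directory the removed nanomq.conf listener used (`cacertfile = "/etc/certs/cacert.pem"`) and the one the en_US text in this same commit names. Since that sentence also tells the reader not to change the in-container path, copying `/etc/cets` would leave NanoMQ unable to find its certificate files. As for the en_US hunk, the bullets for NANOMQ_TLS_VERIFY_PEER and NANOMQ_TLS_FAIL_IF_NO_PEER_CERT should say which values the example uses instead of leaving both to "请根据实际需要设置".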
@@ -105,7 +90,7 @@ ECP 默认代理服务器通过 TCP 协议进行数据传输,如果您希望
```

5. 修改 docker-compose.yaml 文件中的 main 部分,需要改动的具体内容如下:
- `volumes` 中挂载证书文件到 ECP main 容器。示例中将证书文件都挂载到容器的 `/bc/certs` 目录下。
- `volumes` 中如示例配置所示,挂载证书文件到 ECP main 容器的 `/bc/certs` 目录下。

```
main:
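Review bot: step numbering is now off by one: `5. 修改 docker-compose.yaml 文件中的 main 部分` should become `4.`, because the previous hunk removes the old `4. 进入安装文件所在目录,修改 docker-compose.yaml 文件中的 mqtt 部分` step and folds it into step 3. The reworded `volumes` bullet itself is fine.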
@@ -215,4 +200,5 @@ mqtt:
```
kubectl -n emqx-ecp edit configmap kube-ecp-stack-main-conf
``` -->
```
-->
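Review bot: splitting the old ```` ``` --> ```` into a fence closer and a separate `-->` line is a sensible cleanup, so the code fence and the HTML comment each terminate on their own line; since the en_US hunk in this commit does not touch the corresponding commented-out `kubectl -n emqx-ecp edit configmap` block, check whether that file needs the same change.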
