Configure SSL

The Neo4j SSL framework can be used with the Neo4j Helm chart. You can specify SSL policy objects for bolt, https, cluster, and backup. The SSL public certificates and private keys used by a Neo4j Helm deployment must be stored in Kubernetes Secrets.

To enable a Neo4j SSL policy, configure an ssl.<policy name> object in the values.yaml file of the Neo4j Helm deployment that references the Kubernetes Secrets holding the SSL certificate and key to use. This example shows how to configure the bolt SSL policy:

ssl:
 bolt:
   privateKey:
     secretName: bolt-cert
     subPath: private.key
   publicCertificate:
     secretName: bolt-cert
     subPath: public.crt

A Neo4j SSL policy is enabled automatically as soon as a private key is specified for it in the values.yaml file. To disable a policy, add dbms.ssl.policy.{{ $name }}.enabled: "false" to the config object.

Enabling https does not automatically disable unencrypted http. If https is enabled, add server.http.enabled: "false" to the config object to disable http.

For more information about configuring SSL policies, see SSL framework configuration.

The following example shows how to deploy a Neo4j cluster with SSL policies configured.

Create self-signed certificates

If you do not have self-signed certificates available, follow these steps to create one:

  1. Create a new folder for the self-signed certificate. This example uses the /neo4j-ssl folder.

    mkdir neo4j-ssl
    cd neo4j-ssl
  2. Create private.key and public.crt for the self-signed certificate using the openssl command, passing all subject values through the subj argument:

    openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out public.crt -subj "/C=GB/ST=London/L=London/O=Neo4j/OU=IT Department"
  3. Verify that the private.key and public.crt files have been created:

    ls -lst
    Example output
    -rw-r--r--  1 user  staff  1679  28 Dec 15:00 private.key
    -rw-r--r--  1 user  staff  1679  28 Dec 15:00 public.crt

Create the neo4j namespace and configure it to be used in the current context:

kubectl create namespace neo4j
kubectl config set-context --current --namespace=neo4j

Configure SSL policies using a tls Kubernetes secret

This example shows how to configure SSL policies for intra-cluster communication using a self-signed certificate stored in a tls Kubernetes secret.

  1. Create a Kubernetes TLS secret using the public.crt and private.key files.

    You must have a running Kubernetes cluster and the kubectl command installed. For more information, see Prerequisites.
    1. To create a TLS secret, use the tls option and a secret name, for example neo4j-tls:

      kubectl create secret tls neo4j-tls --cert=/path/to/neo4j-ssl/public.crt --key=/path/to/neo4j-ssl/private.key
    2. Verify that the secret has been created:

      kubectl get secret
      Example output
      NAME                  TYPE                                  DATA   AGE
      neo4j-tls             kubernetes.io/tls                     2      4s
    3. Verify that the secret contains the public.crt and private.key files:

      kubectl get secret neo4j-tls -o yaml
      Example output
      apiVersion: v1
      data:
        tls.crt: <base64-encoded public.crt>
        tls.key: <base64-encoded private.key>
      kind: Secret
      metadata:
        creationTimestamp: "2023-01-04T13:53:14Z"
        managedFields:
        - apiVersion: v1
          fieldsType: FieldsV1
          fieldsV1:
            f:data:
              .: {}
              f:tls.crt: {}
              f:tls.key: {}
            f:type: {}
          manager: kubectl
          operation: Update
          time: "2023-01-04T13:53:14Z"
        name: neo4j-tls
        namespace: neo4j
        resourceVersion: "212009"
        uid: b1be45dd-4cbe-41c9-a6e5-c814c5e39c25
      type: kubernetes.io/tls
  2. Configure the ssl object in the ssl-values.yaml file using the created secret:

    ssl:
    # setting per "connector" matching neo4j config
      bolt:
        privateKey:
          secretName: neo4j-tls
          subPath: tls.key
        publicCertificate:
          secretName: neo4j-tls
          subPath: tls.crt
      https:
        privateKey:
          secretName: neo4j-tls
          subPath: tls.key
        publicCertificate:
          secretName: neo4j-tls
          subPath: tls.crt
        trustedCerts:
          sources:
          - secret:
              name: neo4j-tls
              items:
              - key: tls.crt
                path: public.crt
      cluster:
        privateKey:
          secretName: neo4j-tls
          subPath: tls.key
        publicCertificate:
          secretName: neo4j-tls
          subPath: tls.crt
        trustedCerts:
          sources:
          - secret:
              name: neo4j-tls
              items:
              - key: tls.crt
                path: public.crt
        revokedCerts:
          sources: [ ]

Now you can deploy a Neo4j cluster using the configured ssl-values.yaml file and the Neo4j Helm chart.

Configure SSL policies using a generic Kubernetes secret

This example shows how to configure SSL policies for intra-cluster communication using a self-signed certificate stored in a generic Kubernetes secret.

  1. Create a Kubernetes generic secret using the public.crt and private.key files.

    You must have a running Kubernetes cluster and the kubectl command installed. For more information, see Prerequisites.
    1. Get the Base64-encoded values of public.crt and private.key:

      cat public.crt| base64
      cat private.key| base64
    2. Create a secret.yaml file using the Base64-encoded values of public.crt and private.key:

      apiVersion: v1
      data:
        public.crt: <base64-encoded public.crt>
        private.key: <base64-encoded private.key>
      kind: Secret
      metadata:
        name: neo4j-tls
        namespace: neo4j
      type: Opaque
    3. Create the generic secret using the kubectl create command and the secret.yaml file:

      kubectl create -f /path/to/secret.yaml
      Example output
      secret/neo4j-tls created
    4. Verify that the secret has been created:

      kubectl get secret
      Example output
      NAME        TYPE     DATA   AGE
      neo4j-tls   Opaque   2      85s
  2. Configure the ssl object in the ssl-values.yaml file using the created secret:

    ssl:
    # setting per "connector" matching neo4j config
      bolt:
        privateKey:
          secretName: neo4j-tls
          subPath: private.key
        publicCertificate:
          secretName: neo4j-tls
          subPath: public.crt
      https:
        privateKey:
          secretName: neo4j-tls
          subPath: private.key
        publicCertificate:
          secretName: neo4j-tls
          subPath: public.crt
        trustedCerts:
          sources:
          - secret:
              name: neo4j-tls
              items:
              - key: public.crt
                path: public.crt
      cluster:
        privateKey:
          secretName: neo4j-tls
          subPath: private.key
        publicCertificate:
          secretName: neo4j-tls
          subPath: public.crt
        trustedCerts:
          sources:
          - secret:
              name: neo4j-tls
              items:
              - key: public.crt
                path: public.crt
        revokedCerts:
          sources: [ ]

Now you can deploy a Neo4j cluster using the ssl-values.yaml file and the Neo4j Helm chart.

Deploy a Neo4j cluster with SSL certificates

Deploy a Neo4j cluster using the Neo4j Helm chart and the ssl-values.yaml file.

  1. Install server-1:

    helm install server-1 neo4j/neo4j --namespace neo4j --set neo4j.acceptLicenseAgreement=yes --set neo4j.password=my-password --set neo4j.name="my-cluster" --set neo4j.minimumClusterSize=3 --set neo4j.edition="enterprise" --set volumes.data.mode=defaultStorageClass -f ~/Documents/neo4j-ssl/ssl-values.yaml
  2. Repeat the command from the previous step for server-2 and server-3.

  3. Verify that the Neo4j cluster is running:

    kubectl get pods
    Example output
    NAME                       READY   STATUS    RESTARTS   AGE
    server-1-0                   1/1     Running   0          2m
    server-2-0                   1/1     Running   0          2m
    server-3-0                   1/1     Running   0          2m
  4. Connect to one of the servers and verify that the /certificates/cluster directory contains the certificates:

    kubectl exec -it server-1-0 -- bash
    neo4j@server-1-0:~$ cd certificates/
    neo4j@server-1-0:~/certificates$ ls -lst
    Example output
    total 12
    4 drwxr-xr-x 2 root root 4096 Jan  4 13:55 bolt
    4 drwxr-xr-x 3 root root 4096 Jan  4 13:55 cluster
    4 drwxr-xr-x 3 root root 4096 Jan  4 13:55 https
    neo4j@server-1-0:~/certificates$ cd cluster/
    neo4j@server-1-0:~/certificates/cluster$ ls -lst
    Example output
    total 8
    0 drwxrwsrwt 3 root neo4j  100 Jan  4 13:56 trusted
    4 -rw-r--r-- 1 root neo4j 1704 Jan  4 13:56 private.key
    4 -rw-r--r-- 1 root neo4j 1159 Jan  4 13:56 public.crt
    neo4j@server-1-0:~/certificates/cluster$ cd trusted/
    neo4j@server-1-0:~/certificates/cluster/trusted$ ls -lst
    Example output
    total 0
    0 lrwxrwxrwx 1 root neo4j 17 Jan  4 13:56 public.crt -> ..data/public.crt
  5. Exit the pod:

    exit
  6. Check that the LoadBalancer service is available, using the neo4j.name set at installation:

    export NEO4J_NAME=my-cluster
    kubectl get service ${NEO4J_NAME}-lb-neo4j
    Example output
    NAME                  TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                                        AGE
    my-cluster-lb-neo4j   LoadBalancer   10.0.134.210   20.237.50.207   7474:31168/TCP,7473:31045/TCP,7687:32708/TCP   3m30s
  7. Connect to the Neo4j cluster using one of the following options:

    • Neo4j Browser

      1. Open a web browser and enter https://lb-EXTERNAL_IP:7473 (in this example, https://20.237.50.207:7473/browser/). You should see the Neo4j Browser.

      2. Authenticate with the user neo4j and the password set when deploying the cores (in this example, my-password).

      3. Verify that the cluster is online by running :sysinfo or SHOW SERVERS:

        Cluster sysinfo
      4. Run SHOW SETTINGS YIELD name, value WHERE name CONTAINS 'ssl' to verify that the configuration has been deployed as expected.

    • Cypher Shell

      1. Open a terminal and connect to one of the cluster pods:

        kubectl exec -it server-1-0 -- bash
      2. Navigate to the bin directory and connect to server-1 using cypher-shell:

        neo4j@server-1-0:~$ cd bin
        neo4j@server-1-0:~/bin$ ./cypher-shell -u neo4j -p my-password -a neo4j+ssc://server-1.neo4j.svc.cluster.local:7687
        Example output
        Connected to Neo4j using Bolt protocol version 5.26 at neo4j+ssc://server-1.neo4j.svc.cluster.local:7687 as user neo4j.
        Type :help for a list of available commands or :exit to exit the shell.
        Note that Cypher queries must end with a semicolon.
        neo4j@neo4j>
      3. Verify that the cluster is online by running SHOW SERVERS:

        neo4j@neo4j> SHOW SERVERS;
        Example output
        +-----------------------------------------------------------------------------------------------------------------------------------+
        | name                                   | address                                  | state     | health      | hosting             |
        +-----------------------------------------------------------------------------------------------------------------------------------+
        | "1c5946b1-0eb5-43b9-a549-5601087c57f2" | "server-3.neo4j.svc.cluster.local:7687" | "Enabled" | "Available" | ["neo4j", "system"]  |
        | "ba63cd32-3e7d-4042-9935-c8eba925a98f" | "server-1.neo4j.svc.cluster.local:7687"  | "Enabled" | "Available" | ["neo4j", "system"] |
        | "cbad7ed6-0c13-4ba7-b6a1-f20c5552dfcd" | "server-2.neo4j.svc.cluster.local:7687" | "Enabled" | "Available" | ["neo4j", "system"]  |
        +-----------------------------------------------------------------------------------------------------------------------------------+
      4. Run SHOW SETTINGS YIELD name, value WHERE name CONTAINS 'ssl' to verify that the configuration has been deployed as expected.

        Example output
        +----------------------------------------------------------------------------------------------------+
        | name                                           | value                                             |
        +----------------------------------------------------------------------------------------------------+
        | "dbms.netty.ssl.provider"                      | "JDK"                                             |
        | "dbms.ssl.policy.bolt.base_directory"          | "/var/lib/neo4j/certificates/bolt"                |
        | "dbms.ssl.policy.bolt.ciphers"                 | "No Value"                                        |
        | "dbms.ssl.policy.bolt.client_auth"             | "NONE"                                            |
        | "dbms.ssl.policy.bolt.enabled"                 | "true"                                            |
        | "dbms.ssl.policy.bolt.private_key"             | "/var/lib/neo4j/certificates/bolt/private.key"    |
        | "dbms.ssl.policy.bolt.private_key_password"    | "No Value"                                        |
        | "dbms.ssl.policy.bolt.public_certificate"      | "/var/lib/neo4j/certificates/bolt/public.crt"     |
        | "dbms.ssl.policy.bolt.revoked_dir"             | "/var/lib/neo4j/certificates/bolt/revoked"        |
        | "dbms.ssl.policy.bolt.tls_versions"            | "TLSv1.2"                                         |
        | "dbms.ssl.policy.bolt.trust_all"               | "false"                                           |
        | "dbms.ssl.policy.bolt.trusted_dir"             | "/var/lib/neo4j/certificates/bolt/trusted"        |
        | "dbms.ssl.policy.bolt.verify_hostname"         | "true"                                           |
        | "dbms.ssl.policy.cluster.base_directory"       | "/var/lib/neo4j/certificates/cluster"             |
        | "dbms.ssl.policy.cluster.ciphers"              | "No Value"                                        |
        | "dbms.ssl.policy.cluster.client_auth"          | "REQUIRE"                                         |
        | "dbms.ssl.policy.cluster.enabled"              | "true"                                            |
        | "dbms.ssl.policy.cluster.private_key"          | "/var/lib/neo4j/certificates/cluster/private.key" |
        | "dbms.ssl.policy.cluster.private_key_password" | "No Value"                                        |
        | "dbms.ssl.policy.cluster.public_certificate"   | "/var/lib/neo4j/certificates/cluster/public.crt"  |
        | "dbms.ssl.policy.cluster.revoked_dir"          | "/var/lib/neo4j/certificates/cluster/revoked"     |
        | "dbms.ssl.policy.cluster.tls_versions"         | "TLSv1.2"                                         |
        | "dbms.ssl.policy.cluster.trust_all"            | "false"                                           |
        | "dbms.ssl.policy.cluster.trusted_dir"          | "/var/lib/neo4j/certificates/cluster/trusted"     |
        | "dbms.ssl.policy.cluster.verify_hostname"      | "true"                                           |
        | "dbms.ssl.policy.https.base_directory"         | "/var/lib/neo4j/certificates/https"               |
        | "dbms.ssl.policy.https.ciphers"                | "No Value"                                        |
        | "dbms.ssl.policy.https.client_auth"            | "NONE"                                            |
        | "dbms.ssl.policy.https.enabled"                | "true"                                            |
        | "dbms.ssl.policy.https.private_key"            | "/var/lib/neo4j/certificates/https/private.key"   |
        | "dbms.ssl.policy.https.private_key_password"   | "No Value"                                        |
        | "dbms.ssl.policy.https.public_certificate"     | "/var/lib/neo4j/certificates/https/public.crt"    |
        | "dbms.ssl.policy.https.revoked_dir"            | "/var/lib/neo4j/certificates/https/revoked"       |
        | "dbms.ssl.policy.https.tls_versions"           | "TLSv1.2"                                         |
        | "dbms.ssl.policy.https.trust_all"              | "false"                                           |
        | "dbms.ssl.policy.https.trusted_dir"            | "/var/lib/neo4j/certificates/https/trusted"       |
        | "dbms.ssl.policy.https.verify_hostname"        | "true"                                           |
        +----------------------------------------------------------------------------------------------------+
        
        37 rows
        ready to start consuming query after 212 ms, results consumed after another 11 ms
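Added example, not part of the Neo4j documentation: a small Python checker that parses the cypher-shell table printed by SHOW SETTINGS in step 4 and audits each SSL policy for the properties a reviewer would want to confirm (enabled, trust_all off, no TLSv1/TLSv1.1, and REQUIRE client authentication on the cluster policy). The sample rows are constructed from this page's output, with the https trust_all value deliberately flipped to true so that one finding appears.

```python
import re

# Constructed sample in the format SHOW SETTINGS prints, taken from the example
# output on this page, with https trust_all flipped to "true" on purpose.
SAMPLE_OUTPUT = """\
| "dbms.ssl.policy.bolt.enabled"                 | "true"                                            |
| "dbms.ssl.policy.bolt.tls_versions"            | "TLSv1.2"                                         |
| "dbms.ssl.policy.bolt.trust_all"               | "false"                                           |
| "dbms.ssl.policy.cluster.client_auth"          | "REQUIRE"                                         |
| "dbms.ssl.policy.cluster.enabled"              | "true"                                            |
| "dbms.ssl.policy.cluster.tls_versions"         | "TLSv1.2"                                         |
| "dbms.ssl.policy.cluster.trust_all"            | "false"                                           |
| "dbms.ssl.policy.https.enabled"                | "true"                                            |
| "dbms.ssl.policy.https.tls_versions"           | "TLSv1.2"                                         |
| "dbms.ssl.policy.https.trust_all"              | "true"                                            |
"""

# One data row looks like: | "name" | "value" |  (header and border rows do not match)
ROW_RE = re.compile(r'^\|\s*"([^"]+)"\s*\|\s*"([^"]*)"\s*\|\s*$')
POLICY_RE = re.compile(r"^dbms\.ssl\.policy\.([^.]+)\.(.+)$")
WEAK_TLS = {"TLSv1", "TLSv1.1"}


def parse_settings(text):
    # Map setting name -> value; non-row lines (borders, header, row count) are skipped.
    return dict(m.groups() for line in text.splitlines() if (m := ROW_RE.match(line)))


def check_ssl_policies(settings, expected=("bolt", "https", "cluster")):
    # Group dbms.ssl.policy.<name>.<setting> entries per policy, then audit each one.
    policies = {}
    for name, value in settings.items():
        if m := POLICY_RE.match(name):
            policies.setdefault(m.group(1), {})[m.group(2)] = value
    findings = []
    for name in expected:
        p = policies.get(name)
        if p is None:
            findings.append(f"{name}: no SSL policy settings present")
            continue
        if p.get("enabled") != "true":
            findings.append(f"{name}: policy is not enabled")
        if p.get("trust_all") == "true":
            findings.append(f"{name}: trust_all is true, so any peer certificate is accepted")
        weak = WEAK_TLS & {v.strip() for v in p.get("tls_versions", "").split(",")}
        if weak:
            findings.append(f"{name}: weak TLS versions allowed: {sorted(weak)}")
        # Intra-cluster links should authenticate both ends; the page's output shows REQUIRE.
        if name == "cluster" and p.get("client_auth") != "REQUIRE":
            findings.append(f"{name}: client_auth is {p.get('client_auth')!r}, expected REQUIRE")
    return findings
```

Pass the full table copied from cypher-shell to parse_settings; the border, header and "37 rows" lines are ignored by the row pattern.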