"Haɗari shine sunana na tsakiya," Austin Powers, wani ɗan asiri na duniya, ya taɓa cewa. Amma abin da manyan jami'ai da ma'aikatan leken asiri ke girmamawa ko kadan bai dace da ayyukan kwamfuta ba, inda gajiya ya fi haɗari.
Kuma Istio, tare da OpenShift da Kubernetes, suna yin jigilar microservices da gaske abin ban sha'awa da tsinkaya - kuma hakan yana da kyau. Za mu yi magana game da wannan da ƙari mai yawa a matsayi na huɗu kuma na ƙarshe a cikin jerin Istio.
Lokacin da bacin rai yayi daidai
A cikin yanayinmu, rashin jin daɗi yana faruwa ne kawai a cikin kashi na ƙarshe, lokacin da abin da ya rage shi ne zama mu kalli tsarin. Amma don wannan kuna buƙatar saita komai da farko, kuma abubuwa masu ban sha'awa da yawa suna jiran ku a nan.
Lokacin tura sabon sigar software ɗinku, yana da daraja la'akari da duk zaɓuɓɓuka don rage haɗari. Gudu a layi daya hanya ce mai ƙarfi da tabbatarwa don gwadawa, kuma Istio yana ba ku damar amfani da "sabis na sirri" (wani ɓoyayyen sigar microservice ɗin ku) don yin wannan ba tare da tsoma baki tare da tsarin samarwa ba. Akwai ma wani lokaci na musamman don wannan - "Dark Launch", wanda bi da bi yana kunna ta hanyar aiki tare da daidai sunan ɗan leƙen asiri "madaidaicin zirga-zirga".
Lura cewa jimla ta farko na sakin layi na baya yana amfani da kalmar "aiwatar" maimakon "saki". Yakamata da gaske ku sami damar tura-kuma, ba shakka, yi amfani da-microservice ɗinku koyaushe gwargwadon yadda kuke so. Dole ne wannan sabis ɗin ya sami damar karɓa da sarrafa zirga-zirga, samar da sakamako, da kuma rubuta zuwa rajistan ayyukan da saka idanu. Amma a lokaci guda, wannan sabis ɗin ba dole ba ne a sake shi cikin samarwa. Aiwatar da fitar da software ba koyaushe iri ɗaya bane. Kuna iya tura duk lokacin da kuke so, amma saki kawai idan kun shirya.
Shirya gajiya yana da ban sha'awa
Dubi ƙa'idar hanyar istio mai zuwa, wacce ke bin duk buƙatun HTTP zuwa shawarar microservice v1 (duk misalan da aka ɗauka daga ), yayin da yake misalta su a lokaci guda ga shawarar v2 microservice:
Kula da lakabin mirror: a kasan allon - wannan shine ke saita madubin zirga-zirga. Ee, yana da sauƙi!
Sakamakon wannan doka zai kasance cewa tsarin samar da ku (v1) zai ci gaba da aiwatar da buƙatun masu shigowa, amma buƙatun da kansu za a yi kama da v2 ba tare da izini ba, wato, cikakkun kwafin su za su je can. Ta wannan hanyar, zaku iya gwada v2 a cikin yanayi na ainihi - akan ainihin bayanai da zirga-zirga - ba tare da tsangwama ta kowace hanya ba tare da aikin tsarin samarwa. Shin hakan ya sa shirya gwaji ya zama abin ban sha'awa? Ee, tabbas. Amma an yi shi a hanya mai ban sha'awa.
Mu kara wasan kwaikwayo
Lura cewa a cikin lambar v2 ya zama dole don samar da yanayi inda buƙatun shigowa na iya haifar da canje-canjen bayanai. Buƙatun da kansu suna madubi cikin sauƙi kuma a bayyane, amma zaɓin hanyar sarrafawa a cikin gwajin ya rage naku - kuma wannan ɗan damuwa ne.
Mu sake maimaita wani muhimmin batu
Ƙaddamar da asirce tare da madubin zirga-zirga (Ƙaddamarwar duhu/Neman Mirroring) za a iya yi ba tare da shafar lambar ta kowace hanya ba.
Abinci don tunani
Me zai faru idan wurin da ake nuna buƙatun ya aika wasu daga cikinsu ba zuwa v1 ba, amma zuwa v2? Misali, kashi ɗaya cikin ɗari na duk buƙatun ko buƙatun kawai daga wasu rukunin masu amfani. Sannan, riga duba yadda v2 ke aiki, a hankali canza duk buƙatun zuwa sabon sigar. Ko akasin haka, mayar da komai zuwa v1 idan wani abu ya yi kuskure tare da v2. Ina tsammanin ana kiransa Canary Deployment. , kuma idan na asalin Rasha ne, tabbas zai ƙunshi magana game da ), kuma yanzu za mu kalli wannan dalla-dalla.
Aiwatar da Canary a cikin Istio: sauƙaƙe ƙaddamarwa
A hankali kuma a hankali
Mahimman ƙirar ƙaddamar da Canary Deployment abu ne mai sauƙi: lokacin da kuka ƙaddamar da sabon sigar software ɗinku (a cikin yanayinmu, microservice), kuna fara ba da dama ga ƙaramin rukunin masu amfani. Idan komai ya yi kyau, sannu a hankali za ku ƙara wannan rukunin har sai sabon sigar ta fara aiki, ko - idan ba haka ba - a ƙarshe za ku ƙaura duk masu amfani zuwa gare ta. Ta hanyar tunani da sannu a hankali gabatar da sabon siga da canza masu amfani zuwa gare shi ta hanyar sarrafawa, zaku iya rage haɗari da haɓaka ra'ayi.
Tabbas, Istio yana sauƙaƙe Canary Deployment ta hanyar ba da zaɓuɓɓuka masu kyau da yawa don sarrafa buƙatun fasaha. Kuma eh, duk waɗannan ana iya yin su ba tare da taɓa lambar tushe ta kowace hanya ba.
Tace browser
Ɗaya daga cikin mafi sauƙi ma'aunin tuƙi shine jujjuya tushen burauza. Bari mu ce kuna son buƙatun kawai daga masu binciken Safari don zuwa v2. Ga yadda ake yi:
Bari mu yi amfani da wannan ƙa'idar tuƙi sannan mu yi amfani da umarnin curl Za mu kwaikwayi ainihin buƙatun zuwa microservice a cikin madauki. Kamar yadda kuke gani a cikin hoton, duk suna zuwa v1:
Ina zirga-zirga akan v2? Tun da a cikin misalinmu duk buƙatun sun zo ne kawai daga layin umarni namu, kawai babu shi. Amma kula da ƙasan layin da ke sama: wannan shine martani ga gaskiyar cewa mun aiwatar da buƙatun daga mai binciken Safari, wanda hakan ya haifar da hakan:
Unlimited iko
Mun riga mun rubuta cewa maganganun yau da kullun suna ba da ƙarfi sosai don buƙatun buƙatun. Dubi misali mai zuwa (muna tsammanin za ku fahimci abin da yake yi):
A yanzu ƙila kuna da ra'ayin abin da maganganu na yau da kullun za su iya yi.
Aiki Smart
Smart routing, musamman masu sarrafa fakiti ta amfani da maganganu na yau da kullun, yana ba ku damar sarrafa zirga-zirga yadda kuke so. Kuma wannan yana sauƙaƙa aiwatar da sabon lambar - yana da sauƙi, baya buƙatar canza lambar kanta, kuma idan ya cancanta, ana iya dawo da komai da sauri kamar yadda yake.
Ana sha'awa?
Shin kuna sha'awar yin gwaji tare da Istio, Kubernetes da OpenShift akan kwamfutarka? Tawaga shirya mai kyau akan wannan batu kuma ya sanya duk fayilolin da ke tare da su a bainar jama'a. Don haka ci gaba kuma kada ku hana kanku komai.
Istio Egress: fita ta cikin kantin kayan tunawa
Ta amfani da Istio tare da Red Hat OpenShift da Kubernetes, zaku iya sauƙaƙe rayuwar ku tare da microservices. Rukunin sabis na Istio yana ɓoye a cikin kwas ɗin Kubernetes, kuma lambar ku tana gudana (mafi yawa) a keɓe. Ayyukan aiki, sauƙi na canji, ganowa, da dai sauransu - duk wannan yana da sauƙin amfani da godiya ga yin amfani da kwantena na gefe. Amma idan microservice ɗin ku yana buƙatar sadarwa tare da wasu ayyuka waɗanda ke wajen tsarin OpenShift-Kubernetes fa?
Anan ne Istio Egress ya zo don ceto. A taƙaice, yana ba ku damar samun damar albarkatu (karanta: “sabis”) waɗanda ba sa cikin tsarin Kubernetes pods. Idan ba ku yi ƙarin daidaitawa ba, to, a cikin Istio Egress zirga-zirgar muhalli ana yin ta ne kawai a cikin gungu na kwas ɗin kuma tsakanin irin wannan gungu dangane da tebur na IP na ciki. Kuma irin wannan jan hankali yana aiki mai girma matuƙar ba kwa buƙatar samun dama ga ayyuka daga waje.
Egress yana ba ku damar ketare allunan IP na sama, ko dai bisa ka'idodin Egress ko akan kewayon adiresoshin IP.
Bari mu ce muna da shirin Java wanda ke yin buƙatar GET zuwa httpbin.org/headers.
(httpbin.org hanya ce mai dacewa don gwada buƙatun sabis masu fita.)
Idan kun shigar akan layin umarni curl http://httpbin.org/headers, za mu ga kamar haka:
Ko kuma kuna iya buɗe adireshi iri ɗaya a cikin burauzar.
Kamar yadda kuke gani, sabis ɗin da ke can yana mayar da kanun kan da aka wuce zuwa gare shi.
Muna maye gurbin shigo da kaya gaba-gaba
Yanzu bari mu ɗauki lambar Java na wannan sabis ɗin, na waje zuwa tsarinmu, kuma mu gudanar da kanmu, inda, tuna, an shigar da Istio. (Za ku iya yin wannan da kanku ta hanyar tuntuɓar .) Bayan gina hoton da ya dace kuma mun ƙaddamar da shi akan dandalin OpenShift, za mu kira wannan sabis ɗin tare da umarni curl egresshttpbin-istioegress.$(minishift ip).nip.io, bayan haka za mu ga wannan akan allon:
Kash, me ya faru? Komai yayi aiki kawai. Me ake nufi da Ba a samo ba? Mun dai yi masa curl.
Ƙaddamar da tebur na IP zuwa duk Intanet
Yakamata a zargi Istio (ko a gode) akan wannan. Bayan haka, Istio kawai kwantena na gefe ne waɗanda ke da alhakin ganowa da tuƙi (da sauran abubuwa da yawa waɗanda muka yi magana a baya). Don wannan dalili, tebur na IP kawai sun san abin da ke cikin tsarin tarin ku. Kuma httpbin.org yana waje don haka ba zai iya shiga ba. Kuma wannan shine inda Istio Egress ke zuwa don ceto - ba tare da ɗan canji zuwa lambar tushen ku ba.
Dokar Egress da ke ƙasa tana tilasta Istio ya bincika (idan ya cancanta, sannan a duk Intanet) don sabis ɗin da ake buƙata, a wannan yanayin, httpbin.org. Kamar yadda kuke gani daga wannan fayil ɗin (egress_httpbin.yml), aikin anan yana da sauƙi:
Abin da ya rage shi ne a yi amfani da wannan doka:
istioctl create -f egress_httpbin.yml -n istioegress
Kuna iya duba dokokin Egress tare da umarni istioctl get egressrules:
Kuma a ƙarshe, muna sake gudanar da umarnin Curl - kuma mun ga cewa komai yana aiki:
Muna tunani a fili
Kamar yadda kuke gani, Istio yana ba ku damar tsara hulɗa tare da duniyar waje. A takaice dai, har yanzu kuna iya ƙirƙirar ayyukan OpenShift kuma ku sarrafa su ta hanyar Kubernetes, adana komai a cikin kwas ɗin da ke haɓaka sama da ƙasa kamar yadda ake buƙata. Kuma a lokaci guda, zaku iya samun damar yin amfani da sabis na waje da muhallinku cikin aminci. Kuma a, mun sake maimaita cewa duk wannan ana iya yin ba tare da taɓa lambar ku ta kowace hanya ba.
Wannan shine matsayi na ƙarshe a cikin jerin akan Istio. Kasance a hankali - akwai abubuwa masu ban sha'awa da yawa a gaba!
source: www.habr.com