So, since the release of HashiCorp Consul 1.5.0 in early May 2019, Consul can natively authorize applications and services running in Kubernetes.
In this tutorial we will build, step by step, a POC (proof of concept) demonstrating this new feature. Basic knowledge of Kubernetes and HashiCorp Consul is assumed. Although you can use any cloud platform or a local environment, this tutorial uses Google Cloud Platform.
Overview
If we go to the documentation on the auth method, we find a brief overview of its purpose and use case, as well as some technical details and a general outline of the logic. I recommend reading it at least once before continuing, since I am about to explain and chew through all of it.
Figure 1: Official overview of the Consul auth method
There is certainly useful information there, but no guide on how to actually use it all. So, like any sensible person, you search the Internet for a guide. And then... you fail. It happens. Let's fix that.
Before we move on to building our POC, let's return to the overview of Consul auth methods (Figure 1) and rework it in the context of Kubernetes.
Architecture
In this tutorial we will create a Consul server on a separate machine that communicates with a Kubernetes cluster that has the Consul client installed. We will then create our dummy application in a pod and use our configured auth method to read from our key/value store.
The diagram below details the architecture we are building in this tutorial, as well as the logic behind the auth method, which will be explained later.
Figure 2: Overview of the Kubernetes auth method
Quick note: the Consul server does not need to live outside the Kubernetes cluster for this to work. But yes, it can be done either way.
So, taking the Consul diagram (Figure 1) and applying Kubernetes to it, we get the diagram above (Figure 2), and the logic here is as follows:
1. Each pod has a service account attached to it containing a JWT token generated by and known to Kubernetes. This token is also mounted into the pod by default.
2. Our application or service inside the pod issues a login command to our Consul client. The login request also includes our token and the name of the specially created auth method (of the Kubernetes type). This step #2 corresponds to step 1 of the Consul diagram (Figure 1).
3. Our Consul client forwards the login request to the Consul server.
4. MAGIC! This is where the Consul server validates the authenticity of the request, gathers information about the identity behind the request and compares it with any predefined rules attached to the auth method. Another diagram illustrating this follows below. This step corresponds to steps 3, 4 and 5 of the Consul diagram (Figure 1).
5. Our Consul server generates a Consul token with permissions according to the auth method rules we defined, based on the identity of the requester. It then returns this token. This corresponds to step 6 of the Consul diagram (Figure 1).
6. Our Consul client passes the token to the requesting application or service.
7. Our application or service can now use this Consul token to communicate with our Consul data, as far as the token's privileges allow.
Magic revealed!
For those of you who are not satisfied with just a rabbit out of a hat and want to know how it works... let me "show you how deep the rabbit hole goes".
As mentioned earlier, our "magic" step (Figure 2: step 4) is where the Consul server validates the request, gathers information about it and compares it with any predefined rules attached. This step corresponds to steps 3, 4 and 5 of the Consul diagram (Figure 1). Below is a diagram (Figure 3) whose purpose is to show what actually happens under the hood of the Kubernetes auth method specifically.
Figure 3: Magic revealed!
As a starting point, our Consul client forwards the login request to our Consul server together with the Kubernetes service account token and the specific name of the auth method instance created earlier. This step corresponds to step 3 of the previous diagram explanation.
Now the Consul server (or leader) needs to validate the authenticity of the received token. To do so it queries the Kubernetes cluster (through the Consul client) and, given the appropriate permissions, learns whether the token is genuine and whom it belongs to.
The validated request is returned to the Consul leader, and the Consul server looks up the auth method instance with the name given in the login request (and of the Kubernetes type).
The Consul leader locates the specified auth method instance (if it exists) and reads the set of binding rules attached to it. It then evaluates those rules against the validated identity attributes.
TA-DA! Let's move on to step 5 of the previous diagram explanation.
Running the Consul server on a regular virtual machine
From here on, I will mostly give instructions on how to build this POC, often as bullet points, without full-sentence explanations. Also, as mentioned earlier, I will use GCP to create all of the infrastructure, but you can create the same infrastructure anywhere else.
Start a virtual machine (instance/server).
Create a firewall rule (a security group in AWS):
I like to give the same name to both the rule and the network tag, in this case "skywiz-consul-server-poc".
Find the IP address of your local computer and add it to the list of source IP addresses so that we can reach the user interface (UI).
Open port 8500 for the UI. Click Create. We will change this firewall rule again shortly [link].
Attach the firewall rule to the instance. Go back to the VM dashboard of the Consul server and add "skywiz-consul-server-poc" to the network tags field. Click Save.
Install Consul on the virtual machine, see here. Remember that you need Consul version ≥ 1.5 [link].
Let's create a single consul group and user; the setup is as follows.
groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d
For a more detailed guide on installing Consul and setting up a 3-node cluster, see here.
consul agent \
  -server \
  -ui \
  -client 0.0.0.0 \
  -data-dir=/var/lib/consul \
  -bootstrap-expect=1 \
  -config-dir=/etc/consul.d
You should see a lot of output, ending with "... update blocked by ACLs".
Find the external IP address of the Consul server and open a browser at that IP address on port 8500. Make sure the UI opens.
Try adding a key/value pair. I think you got an error. That is because we started the Consul server with ACLs enabled and no rules granting access yet.
Go back to your shell on the Consul server, start the process in the background or otherwise keep it running, and enter the following:
consul acl bootstrap
Find the "SecretID" value and return to the UI. In the ACL tab, enter the secret ID of the token you just copied. Save the SecretID somewhere else as well; we will need it later.
Now add a key/value pair. For this POC, add the following: key: "custom-ns/test_key", value: "I'm in the custom-ns folder!"
Launching a Kubernetes cluster for our application with the Consul client as a DaemonSet
Create a K8s (Kubernetes) cluster. We will create it in the same zone as the server for faster access, so that we can use the same subnet and connect easily over internal IP addresses. We will call it "skywiz-app-with-consul-client-poc".
As a side note, here is a nice tutorial I came across while setting up a Consul POC cluster with Consul Connect.
We will also use the HashiCorp Helm chart with an extended values file.
Use the following values file (note that most components are disabled):
### poc-helm-consul-values.yaml
global:
  enabled: false
  image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
  enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
  enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
  enabled: true
  join: ["<PRIVATE_IP_CONSUL_SERVER>"]
  extraConfig: |
    {
      "acl" : {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true
      }
    }
# Minimal Consul configuration. Not suitable for production.
server:
  enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
  enabled: false
Deploy the chart:
./helm install -f poc-helm-consul-values.yaml ./consul-helm --name skywiz-app-with-consul-client-poc
When it tries to start, it will need access to the Consul server, so let's grant it.
Note the "Pod address range" on the cluster dashboard and return to the "skywiz-consul-server-poc" firewall rule.
Add the pod address range to the list of IP addresses and open ports 8301 and 8300.
Go to the Consul UI; after a few minutes you will see the cluster appear in the Nodes tab.
Creating an auth method that integrates Consul with Kubernetes
Return to the Consul server shell and export the token you saved earlier:
export CONSUL_HTTP_TOKEN=<SecretID>
We need the following information from the Kubernetes cluster to create an instance of the auth method:
kubernetes-host
kubectl get endpoints | grep kubernetes
kubernetes-service-account-jwt
kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:
The token is base64-encoded, so decode it with your favourite tool [link].
kubernetes-ca-cert
kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:
Take the "ca.crt" certificate (after base64 decoding) and write it to a file named "ca.crt".
Now create the auth method, replacing the placeholders with the values you just retrieved.
consul acl auth-method create \
  -type "kubernetes" \
  -name "auth-method-skywiz-consul-poc" \
  -description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" \
  -kubernetes-host "<k8s_endpoint_retrieved_earlier>" \
  -kubernetes-ca-cert=@ca.crt \
  -kubernetes-service-account-jwt="<decoded_token_retrieved_earlier>"
Next we need to create a policy and attach it to a new role. For this part you can use the Consul UI, but we will use the command line.
Create additional key/value folders with a single top-level key (i.e. /sample_key) and a value of your choice. Create the appropriate policies and roles for the new key paths. We will do the binding later.
Testing the custom namespace:
Let's create our own namespace:
kubectl create namespace custom-ns
Let's create a pod in the new namespace. Write the pod configuration.
You can base64-decode the "Value" and see that it matches the value of custom-ns/test_key in the UI. If you used the same value as above in this tutorial, your encoded value will be IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.
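As an added example (not code from the original tutorial), here is what the pod-side part of the flow looks like when done against the Consul HTTP API with only the Python standard library: the login request that carries the mounted service account token and the auth method name created above, and the KV read that returns the base64 "Value" to decode. The auth method name, the default token mount path and the base64 string are the ones used on this page; the Consul client address, the helper names and the sample KV response are assumptions constructed for the example.

```python
import base64
import json
import urllib.error
import urllib.request

# Every pod gets its service account token mounted here by default; the
# Consul login request carries it as the BearerToken (step 2 of Figure 2).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
AUTH_METHOD = "auth-method-skywiz-consul-poc"


def build_login_body(auth_method: str, bearer_token: str) -> dict:
    """Body of POST /v1/acl/login: the auth method name plus the SA JWT."""
    return {"AuthMethod": auth_method, "BearerToken": bearer_token}


def login(consul_addr: str, auth_method: str = AUTH_METHOD,
          token_path: str = SA_TOKEN_PATH) -> str:
    """Exchange the pod's service account JWT for a Consul token (SecretID)."""
    with open(token_path) as f:
        jwt = f.read().strip()
    body = json.dumps(build_login_body(auth_method, jwt)).encode()
    req = urllib.request.Request(
        f"{consul_addr}/v1/acl/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["SecretID"]


def decode_kv_response(entries: list) -> dict:
    """GET /v1/kv/<key> returns a JSON list; each Value is base64 of the raw bytes."""
    return {e["Key"]: base64.b64decode(e["Value"]).decode() for e in entries}


def read_key(consul_addr: str, secret_id: str, key: str) -> dict:
    """Read one key with the token from login; a 403 is Consul's 'Permission denied'."""
    req = urllib.request.Request(f"{consul_addr}/v1/kv/{key}",
                                 headers={"X-Consul-Token": secret_id})
    try:
        with urllib.request.urlopen(req) as resp:
            return decode_kv_response(json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 403:
            raise PermissionError(f"Permission denied for key {key!r}") from e
        raise


# Constructed sample of a KV read response (not captured from a live cluster);
# the Value is the base64 string quoted in the tutorial.
SAMPLE_KV_RESPONSE = [{
    "Key": "custom-ns/test_key",
    "Value": "IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi",
    "Flags": 0, "LockIndex": 0, "CreateIndex": 1, "ModifyIndex": 1,
}]

if __name__ == "__main__":
    # CONSUL_ADDR is a placeholder for the Consul client agent reachable from the pod.
    CONSUL_ADDR = "http://127.0.0.1:8500"
    token = login(CONSUL_ADDR)
    print(read_key(CONSUL_ADDR, token, "custom-ns/test_key"))
    print(decode_kv_response(SAMPLE_KV_RESPONSE))
```

Note that the decoded value keeps the surrounding double quotes, because they were typed into the UI as part of the value; a 403 from the KV endpoint is exactly the "Permission denied" you will see in the service account tests that follow.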
Testing a custom service account:
Create a custom service account with the following command [link].
Permission denied. Oh, we forgot to add new binding rules with the appropriate permissions; let's do that now.
Repeat the previous steps above:
a) Create the same policy for the "custom-sa/" prefix.
b) Create a role and call it "custom-sa-role".
c) Attach the policy to the role.
Create the binding rule (only possible from the CLI/API). Note the different meaning of the selector flag.
consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-sa-role' \
  -selector='serviceaccount.name=="custom-sa"'
Log in again from the "poc-ubuntu-custom-sa" container. Success!
You can also verify that this token does not grant access to the kv under "custom-ns/". Just repeat the command above after replacing "custom-sa" with the "custom-ns" prefix.
Permission denied.
Overlapping example:
It is worth noting that every matching binding rule is added to the token together with its rights.
Our "poc-ubuntu-custom-sa" container is in the default namespace, so let's use it for a different binding rule.
Repeat the previous steps:
a) Create the same policy for the "default/" key prefix.
b) Create a role and name it "default-ns-role".
c) Attach the policy to the role.
Create the binding rule (only possible from the CLI/API).
consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='default-ns-role' \
  -selector='serviceaccount.namespace=="default"'
Go back to the "poc-ubuntu-custom-sa" container and try to access the "default/" kv path.
Permission denied.
You can view the credentials of each token in the UI under ACL > Tokens. As you can see, our current token has only the "custom-sa-role" attached. The token we are currently using was generated when we logged in, and at that time only one binding rule matched. We need to log in again and use the new token.
Make sure you can read from both the "custom-sa/" and the "default/" kv paths.
Success!
That is because our "poc-ubuntu-custom-sa" matches both the "custom-sa" and the "default-ns" rules.
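To make the "magic" of Figure 3 and the overlapping example above concrete, here is an added example (not the tutorial's or Consul's code) that models the server-side rule matching: it pulls the identity attributes out of a service account token, evaluates the two binding rules created on this page against them, and returns the set of roles the login would receive. The token is a constructed, unsigned stand-in built by `make_sa_jwt`; in a real deployment Consul asks the Kubernetes API to validate the token, as Figure 3 describes, and this script skips that step. The claim names are those of Kubernetes service account tokens and the selector attribute names (`serviceaccount.namespace`, `serviceaccount.name`, `serviceaccount.uid`) are Consul's; the selector evaluator only covers the `==` / `!=` / `and` syntax used in this tutorial.

```python
import base64
import json
import re

# Claims in a Kubernetes service account token and the trusted identity
# attribute each one becomes for Consul's Kubernetes auth method selectors.
CLAIM_TO_ATTR = {
    "kubernetes.io/serviceaccount/namespace": "serviceaccount.namespace",
    "kubernetes.io/serviceaccount/service-account.name": "serviceaccount.name",
    "kubernetes.io/serviceaccount/service-account.uid": "serviceaccount.uid",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sa_jwt(namespace: str, name: str, uid: str) -> str:
    """Constructed, UNSIGNED stand-in for a service account token (alg none).
    Only the claim layout matters here; a real token is signed by the cluster."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "kubernetes.io/serviceaccount/service-account.uid": uid,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }).encode())
    return f"{header}.{payload}."


def identity_attributes(jwt: str) -> dict:
    """Figure 3, step 3 in miniature: extract who the token belongs to."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return {attr: claims[claim] for claim, attr in CLAIM_TO_ATTR.items()
            if claim in claims}


_TERM = re.compile(r'^\s*([a-z.]+)\s*(==|!=)\s*"([^"]*)"\s*$')


def selector_matches(selector: str, attrs: dict) -> bool:
    """Evaluate `attr=="v"` / `attr!="v"` terms joined with `and`.
    An empty selector matches every login, as it does in Consul."""
    if not selector.strip():
        return True
    for term in selector.split(" and "):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        attr, op, value = m.groups()
        equal = attrs.get(attr) == value
        if (op == "==") != equal:
            return False
    return True


def roles_for_login(binding_rules: list, jwt: str) -> set:
    """Figure 3, step 4: every matching rule contributes its role and the
    union is what the issued token carries. This is computed only at login,
    which is why a rule added later needs a fresh login to take effect."""
    attrs = identity_attributes(jwt)
    return {r["bind_name"] for r in binding_rules
            if r["bind_type"] == "role" and selector_matches(r["selector"], attrs)}


# The two binding rules created in this tutorial.
BINDING_RULES = [
    {"bind_type": "role", "bind_name": "custom-sa-role",
     "selector": 'serviceaccount.name=="custom-sa"'},
    {"bind_type": "role", "bind_name": "default-ns-role",
     "selector": 'serviceaccount.namespace=="default"'},
]

if __name__ == "__main__":
    # custom-sa in the default namespace, like "poc-ubuntu-custom-sa": both roles.
    print(roles_for_login(BINDING_RULES, make_sa_jwt("default", "custom-sa", "uid-1")))
    # The same service account name in custom-ns only matches the first rule.
    print(roles_for_login(BINDING_RULES, make_sa_jwt("custom-ns", "custom-sa", "uid-2")))
```

The second print shows why the earlier "custom-ns/" read was denied with the custom-sa token, and the first shows why "poc-ubuntu-custom-sa" ends up with both roles after logging in again.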
Conclusion
TTL token management?
At the time of writing, there is no integrated way to set a TTL for tokens generated by this auth method. That would be a great opportunity to provide secure automation of Consul authorization.
There is an option to create a token manually with a TTL: