🥇 Taw Qhia rau Hashicorp Consul's Kubernetes Tso Cai

Yog lawm, tom qab tso tawm Hashicorp Consul 1.5.0 Thaum pib lub Tsib Hlis 2019, hauv Consul koj tuaj yeem tso cai rau cov ntawv thov thiab cov kev pabcuam khiav hauv Kubernetes ib txwm muaj.

Nyob rau hauv no nyeem peb yuav tsim ib kauj ruam yog kauj ruam POC (Cov ntaub ntawv pov thawj ntawm lub tswv yim, PoC) qhia txog qhov tshiab no.Koj yuav tsum muaj kev paub yooj yim ntawm Kubernetes thiab Hashicorp Tus Neeg Saib Xyuas.

txheej txheem cej luam

Yog peb mus Consul cov ntaub ntawv ntawm nws txoj kev tso cai, peb yuav tau txais cov ntsiab lus ceev ntawm nws lub hom phiaj thiab cov ntaub ntawv siv, nrog rau qee cov ntsiab lus thiab cov ntsiab lus dav dav ntawm cov logic. Kuv pom zoo kom nyeem nws tsawg kawg ib zaug ua ntej pib, raws li tam sim no kuv yuav piav qhia thiab zom rau txhua yam.

Daim duab 1: Kev pom zoo ntawm Consul tso cai txoj kev

Cia peb saib hauv cov ntaub ntawv rau ib txoj kev tso cai Kubernetes tshwj xeeb.

Tseeb, muaj cov ntaub ntawv tseem ceeb nyob ntawd, tab sis tsis muaj cov lus qhia yuav ua li cas siv nws tag nrho. Yog li ntawd, zoo li txhua tus neeg tsis zoo, koj nplawm hauv Internet rau kev taw qhia. Thiab ces... Koj ua tsis tiav. Nws tshwm sim. Cia peb kho qhov no.

Ua ntej peb tsiv mus rau kev tsim peb lub POC, cia peb rov qab mus rau lub ntsiab lus ntawm Consul txoj kev tso cai (Daim duab 1) thiab kho nws hauv cov ntsiab lus ntawm Kubernetes.

architecture

Hauv qhov kev qhia no, peb yuav tsim Consul server ntawm lub tshuab cais uas yuav sib txuas lus nrog Kubernetes pawg nrog Consul tus neeg siv tau teeb tsa. Tom qab ntawd peb mam li tsim peb daim ntawv thov dummy hauv lub plhaub thiab siv peb cov txheej txheem kev tso cai los nyeem los ntawm peb lub tuam txhab Consul key/value store.

Daim duab hauv qab no qhia meej txog cov qauv uas peb tab tom tsim hauv qhov kev qhia no, nrog rau cov laj thawj hauv qab txoj kev tso cai, uas yuav piav qhia tom qab.

Daim duab 2: Kubernetes Kev Tso Cai Txheej Txheem Txheej Txheem

Daim ntawv ceeb toom ceev: Consul server tsis tas yuav nyob sab nraud ntawm Kubernetes pawg rau qhov no ua haujlwm. Tab sis yog, nws tuaj yeem ua tau li no thiab qhov ntawd.

Yog li, coj tus Consul saib daim duab (Daim duab 1) thiab siv Kubernetes rau nws, peb tau txais daim duab saum toj no (Daim duab 2), thiab cov logic ntawm no yog raws li nram no:

Txhua lub pod yuav muaj ib qho kev pabcuam txuas nrog nws uas muaj JWT token tsim thiab paub los ntawm Kubernetes. Cov token no kuj tau muab tso rau hauv lub pod los ntawm lub neej ntawd.
Peb daim ntawv thov lossis kev pabcuam hauv lub plhaub tau txais kev nkag mus rau peb tus neeg siv Consul. Daim ntawv thov nkag yuav kuj suav nrog peb lub cim thiab lub npe tsim tshwj xeeb txoj kev tso cai (Kubernetes hom). Cov kauj ruam #2 no sib raug mus rau kauj ruam 1 ntawm daim duab Consul (Scheme 1).
Peb tus neeg siv Consul yuav xa daim ntawv thov no mus rau peb tus Consul server.
MAGIC! Qhov no yog qhov chaw Consul server txheeb xyuas qhov tseeb ntawm qhov kev thov, sau cov ntaub ntawv hais txog tus kheej ntawm qhov kev thov thiab muab piv nrog rau cov kev cai uas tau teev ua ntej. Hauv qab no yog lwm daim duab qhia txog qhov no. Cov kauj ruam no sib raug rau cov kauj ruam 3, 4 thiab 5 ntawm Consul saib daim duab (Daim duab 1).
Peb tus neeg rau zaub mov Consul tsim ib tus Consul token nrog kev tso cai raws li peb cov cai tswj kev tso cai (uas peb tau teev tseg) hais txog tus kheej ntawm tus neeg thov. Nws mam li xa tus token rov qab. Qhov no sib haum mus rau kauj ruam 6 ntawm daim duab Consul (Daim duab 1).
Peb tus neeg thov Consul xa tus token rau daim ntawv thov lossis kev pabcuam.

Peb daim ntawv thov lossis kev pabcuam tam sim no tuaj yeem siv tus Consul token no los sib txuas lus nrog peb cov ntaub ntawv Consul, raws li tau txiav txim los ntawm lub token cov cai.

Cov khawv koob tau tshwm sim!

Rau cov uas tsis zoo siab tsuas yog ib tug luav tawm ntawm lub kaus mom thiab xav paub seb nws ua haujlwm li cas ... cia kuv "qhia koj tob npaum li cas luav qhov".

Raws li tau hais ua ntej, peb cov kauj ruam "magic" (Daim duab 2: Kauj Ruam 4) yog qhov chaw Consul server authenticates qhov kev thov, sau cov ntaub ntawv hais txog qhov kev thov, thiab muab piv rau ib qho kev sib txuas ua ntej cov cai. Cov kauj ruam no sib raug rau cov kauj ruam 3, 4 thiab 5 ntawm Consul saib daim duab (Daim duab 1). Hauv qab no yog daim duab (Daim duab 3), lub hom phiaj ntawm qhov uas yog qhia meej tias qhov tshwm sim tiag tiag hauv qab hood Kubernetes txoj kev tso cai tshwj xeeb.

Daim duab 3: Cov khawv koob tau tshwm sim!

Raws li qhov pib, peb tus neeg siv Consul xa mus rau qhov kev thov nkag mus rau peb tus neeg rau zaub mov Consul nrog Kubernetes tus account token thiab lub npe tshwj xeeb ntawm txoj kev tso cai uas tau tsim ua ntej. Cov kauj ruam no sib raug rau qib 3 hauv kev piav qhia hauv Circuit Court dhau los.
Tam sim no tus neeg rau zaub mov Consul (lossis tus thawj coj) yuav tsum tau txheeb xyuas qhov tseeb ntawm qhov tau txais token. Yog li ntawd, nws yuav sab laj nrog Kubernetes pawg (ntawm tus neeg siv Consul) thiab, nrog rau kev tso cai tsim nyog, peb yuav pom seb lub token puas yog tiag thiab nws yog leej twg.
Qhov kev thov raug lees paub yuav raug xa rov qab mus rau tus thawj coj Consul, thiab Consul server saib cov qauv kev tso cai nrog lub npe teev los ntawm kev thov nkag (thiab Kubernetes hom).
Tus thawj coj hauv Consul txheeb xyuas cov txheej txheem kev tso cai tshwj xeeb (yog tias pom) thiab nyeem cov txheej txheem kev khi lus uas txuas nrog. Tom qab ntawd nws nyeem cov cai no thiab muab piv rau cov ntawv txheeb xyuas tus cwj pwm.
TA-daah! Cia peb mus rau kauj ruam 5 hauv kev piav qhia hauv Circuit Court dhau los.

Khiav Consul-server ntawm lub tshuab virtual tsis tu ncua

Txij no mus, feem ntau kuv yuav muab cov lus qhia yuav ua li cas los tsim POC no, feem ntau hauv cov ntsiab lus mos txwv, tsis muaj cov lus piav qhia tag nrho. Tsis tas li ntawd, raws li tau hais ua ntej, kuv yuav siv GCP los tsim tag nrho cov kev tsim kho vaj tse, tab sis koj tuaj yeem tsim tib lub vaj tse nyob txhua qhov chaw.

Pib lub tshuab virtual (piv txwv li / server).

Tsim ib txoj cai rau firewall (Security group in AWS):
Kuv nyiam muab tib lub npe tshuab rau ob txoj cai thiab lub network tag, qhov no "skywiz-consul-server-poc".
Nrhiav koj lub computer hauv zos tus IP chaw nyob thiab ntxiv rau cov npe ntawm qhov chaw nyob IP yog li peb tuaj yeem nkag mus rau tus neeg siv interface (UI).
Qhib chaw nres nkoj 8500 rau UI. Nyem Tsim. Peb yuav hloov qhov firewall no sai sai [txuas].
Ntxiv txoj cai firewall rau qhov piv txwv. Rov qab mus rau VM dashboard ntawm Consul Server thiab ntxiv "skywiz-consul-server-poc" rau lub network cim npe. Nyem Txuag.

Nruab Consul ntawm lub tshuab virtual, kos ntawm no. Nco ntsoov koj xav tau Consul version ≥ 1.5 [link]
Cia peb tsim ib qho ntawm Consul - qhov kev teeb tsa yog raws li hauv qab no.

groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d

Yog xav paub ntxiv txog kev txhim kho Consul thiab teeb tsa ib pawg ntawm 3 nodes, saib no.
Tsim ib cov ntaub ntawv /etc/consul.d/agent.json raws li hauv qab no [txuas]:

### /etc/consul.d/agent.json
{
 "acl" : {
 "enabled": true,
 "default_policy": "deny",
 "enable_token_persistence": true
 }
}

Pib peb Consul server:

consul agent 
-server 
-ui 
-client 0.0.0.0 
-data-dir=/var/lib/consul 
-bootstrap-expect=1 
-config-dir=/etc/consul.d

Koj yuav tsum pom ib pawg ntawm cov zis thiab xaus nrog "... hloov tshiab thaiv los ntawm ACLs."
Nrhiav qhov chaw nyob IP sab nraud ntawm Consul server thiab qhib qhov browser nrog qhov chaw nyob IP no ntawm chaw nres nkoj 8500. Nco ntsoov tias UI qhib.
Sim ntxiv tus yuam sij / tus nqi khub. Yuav tsum muaj qhov yuam kev. Qhov no yog vim peb loaded Consul server nrog ACL thiab ua tsis taus txhua txoj cai.
Rov qab mus rau koj lub plhaub ntawm Consul server thiab pib cov txheej txheem hauv keeb kwm yav dhau los lossis lwm txoj hauv kev kom nws khiav thiab nkag mus rau hauv qab no:

consul acl bootstrap

Nrhiav tus nqi "SecretID" thiab rov qab mus rau UI. Hauv ACL tab, sau tus ID zais cia ntawm lub token koj nyuam qhuav theej. Luam SecretID rau lwm qhov, peb yuav xav tau tom qab.
Tam sim no ntxiv tus yuam sij / tus nqi khub. Rau qhov POC no, ntxiv cov hauv qab no: qhov tseem ceeb: “custom-ns/test_key”, tus nqi: “Kuv nyob hauv daim nplaub tshev custom-ns!”

Tshaj tawm Kubernetes pawg rau peb daim ntawv thov nrog Consul tus neeg siv khoom raws li Daemonset

Tsim K8s (Kubernetes) pawg. Peb yuav tsim nws nyob rau hauv tib cheeb tsam raws li tus neeg rau zaub mov kom nkag tau sai dua, thiab yog li peb tuaj yeem siv tib lub subnet kom yooj yim txuas nrog cov chaw nyob hauv IP. Peb mam li hu nws "skywiz-app-with-consul-client-poc".

Raws li ib sab lus, ntawm no yog ib qho kev qhia zoo uas kuv tau hla thaum teeb tsa POC Consul pawg nrog Consul Connect.
Peb kuj tseem yuav tau siv Hashicorp daim ntawv qhia txog qhov muaj nuj nqis ntxiv.
Nruab thiab configure Helm. Configuration cov kauj ruam:

kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding 
   --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update

helm chart: https://www.consul.io/docs/platform/k8s/helm.html
Siv cov ntaub ntawv tus nqi hauv qab no (ceeb toom kuv tau xiam feem ntau):

### poc-helm-consul-values.yaml
global:
 enabled: false
 image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
 enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
 enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
 enabled: true
 join: ["<PRIVATE_IP_CONSUL_SERVER>"]
 extraConfig: |
{
  "acl" : {
 "enabled": true,   
 "default_policy": "deny",   
 "enable_token_persistence": true 
  }
}
# Minimal Consul configuration. Not suitable for production.
server:
 enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
 enabled: false

Siv daim ntawv qhia kaus mom hlau:

./helm install -f poc-helm-consul-values.yaml ./consul-helm - name skywiz-app-with-consul-client-poc

Thaum nws sim khiav, nws yuav xav tau kev tso cai rau Consul server, yog li cia peb ntxiv lawv.
Nco ntsoov "Pod Address Range" nyob rau ntawm pawg dashboard thiab xa rov qab rau peb "skywiz-consul-server-poc" txoj cai firewall.
Ntxiv qhov chaw nyob ntau rau cov pod rau cov npe ntawm IP chaw nyob thiab qhib chaw nres nkoj 8301 thiab 8300.

Mus rau Consul UI thiab tom qab ob peb feeb koj yuav pom peb pawg tshwm sim hauv cov nodes tab.

Configuring ib txoj kev tso cai los ntawm Integrating Consul nrog Kubernetes

Rov qab mus rau Consul server plhaub thiab xa cov token koj tau khaws tseg ua ntej:

export CONSUL_HTTP_TOKEN=<SecretID>

Peb yuav xav tau cov ntaub ntawv los ntawm peb cov Kubernetes pawg txhawm rau txhawm rau ua qhov kev lees paub:
kubernetes-host

kubectl get endpoints | grep kubernetes

kubernetes-service-account-jwt

kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:

Lub token yog base64 encoded, yog li decrypt nws siv koj nyiam cov cuab yeej [txuas]
kubernetes-ca-cert

kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:

Nqa daim ntawv pov thawj "ca.crt" (tom qab base64 decoding) thiab sau rau hauv cov ntaub ntawv "ca.crt".
Tam sim no instantiate auth method, hloov cov placeholder nrog cov nqi koj nyuam qhuav tau txais.

consul acl auth-method create 
-type "kubernetes" 
-name "auth-method-skywiz-consul-poc" 
-description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" 
-kubernetes-host "<k8s_endpoint_retrieved earlier>" 
[email protected] 
-kubernetes-service-account-
jwt="<decoded_token_retrieved_earlier>"

Tom ntej no peb yuav tsum tsim ib txoj cai thiab muab nws tso rau lub luag haujlwm tshiab. Rau qhov no koj tuaj yeem siv Consul UI, tab sis peb yuav siv cov kab hais kom ua.
Sau ib txoj cai

### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
 policy = "write"
}

Siv txoj cai

consul acl policy create 
-name kv-custom-ns-policy 
-description "This is an example policy for kv at custom-ns/" 
-rules @kv-custom-ns-policy.hcl

Nrhiav tus ID ntawm txoj cai koj nyuam qhuav tsim los ntawm cov zis.
Tsim lub luag haujlwm nrog txoj cai tshiab.

consul acl role create 
-name "custom-ns-role" 
-description "This is an example role for custom-ns namespace" 
-policy-id <policy_id>

Tam sim no peb yuav koom nrog peb lub luag haujlwm tshiab nrog rau qhov piv txwv auth method. Nco ntsoov tias tus chij "selector" txiav txim siab seb peb qhov kev thov nkag yuav tau txais lub luag haujlwm no. Mus saib ntawm no rau lwm cov kev xaiv xaiv: https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes

consul acl binding-rule create 
-method=auth-method-skywiz-consul-poc 
-bind-type=role 
-bind-name='custom-ns-role' 
-selector='serviceaccount.namespace=="custom-ns"'

Thaum kawg configurations

Cov cai nkag

Tsim cov cai nkag. Peb yuav tsum tau tso cai rau Consul los txheeb xyuas thiab txheeb xyuas tus kheej ntawm K8s kev pabcuam tus lej token.
Sau cov lus hauv qab no rau hauv cov ntaub ntawv [link]:

###skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: review-tokens
 namespace: default
subjects:
- kind: ServiceAccount
 name: skywiz-app-with-consul-client-poc-consul-client
 namespace: default
roleRef:
 kind: ClusterRole
 name: system:auth-delegator
 apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: service-account-getter
 namespace: default
rules:
- apiGroups: [""]
 resources: ["serviceaccounts"]
 verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: get-service-accounts
 namespace: default
subjects:
- kind: ServiceAccount
 name: skywiz-app-with-consul-client-poc-consul-client
 namespace: default
roleRef:
 kind: ClusterRole
 name: service-account-getter
 apiGroup: rbac.authorization.k8s.io

Cia peb tsim cov cai nkag

kubectl create -f skywiz-poc-consul-server_rbac.yaml

Txuas rau Consul Client

Raws li tau sau tseg noMuaj ntau ntau txoj hauv kev rau kev txuas mus rau daemonset, tab sis peb yuav txav mus rau cov kev daws teeb meem yooj yim hauv qab no:
Siv cov ntaub ntawv hauv qab no [txuas].

### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
 name: consul-ds-client
spec:
 selector:
   app: consul
   chart: consul-helm
   component: client
   hasDNS: "true"
   release: skywiz-app-with-consul-client-poc
 ports:
 - protocol: TCP
   port: 80
   targetPort: 8500

Tom qab ntawd siv cov lus txib hauv qab no los tsim ib qho configmap [txuas]. Thov nco ntsoov tias peb tab tom xa mus rau lub npe ntawm peb qhov kev pabcuam, hloov nws yog tias tsim nyog.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
 labels:
   addonmanager.kubernetes.io/mode: EnsureExists
 name: kube-dns
 namespace: kube-system
data:
 stubDomains: |
   {"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOF

Kev ntsuam xyuas tus txheej txheem auth

Tam sim no cia saib cov khawv koob hauv kev nqis tes ua!

Tsim ob peb qhov tseem ceeb folders nrog tib lub ntsiab lus saum toj kawg nkaus (piv txwv li. /sample_key) thiab tus nqi ntawm koj xaiv. Tsim cov cai tsim nyog thiab lub luag haujlwm rau txoj hauv kev tseem ceeb tshiab. Peb mam li ua cov ntawv khi tom qab.

Custom namespace xeem:

Cia peb tsim peb tus kheej lub npe:

kubectl create namespace custom-ns

Cia peb tsim ib lub pob hauv peb lub npe tshiab. Sau qhov configuration rau lub pod.

###poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
 name: poc-ubuntu-custom-ns
 namespace: custom-ns
spec:
 containers:
 - name: poc-ubuntu-custom-ns
   image: ubuntu
   command: ["/bin/bash", "-ec", "sleep infinity"]
 restartPolicy: Never

Tsim nyob rau hauv:

kubectl create -f poc-ubuntu-custom-ns.yaml

Thaum lub thawv khiav, mus rau ntawd thiab nruab curl.

kubectl exec poc-ubuntu-custom-ns -n custom-ns -it /bin/bash
apt-get update && apt-get install curl -y

Tam sim no peb yuav xa daim ntawv thov nkag mus rau Consul siv txoj kev tso cai peb tau tsim ua ntej [txuas].
Txhawm rau saib cov token nkag los ntawm koj tus account kev pabcuam:

cat /run/secrets/kubernetes.io/serviceaccount/token

Sau cov hauv qab no rau ib daim ntawv hauv lub thawv:

### payload.json
{
 "AuthMethod": "auth-method-test",
 "BearerToken": "<jwt_token>"
}

Nkag mus!

curl 
--request POST 
--data @payload.json 
consul-ds-client.default.svc.cluster.local/v1/acl/login

Txhawm rau ua kom tiav cov kauj ruam saum toj no hauv ib kab (vim peb yuav ua ntau yam kev xeem), koj tuaj yeem ua cov hauv qab no:

echo "{ 
"AuthMethod": "auth-method-skywiz-consul-poc", 
"BearerToken": "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" 
}" 
| curl 
--request POST 
--data @- 
consul-ds-client.default.svc.cluster.local/v1/acl/login

Ua haujlwm! Yam tsawg kawg nws yuav tsum. Tam sim no coj tus SecretID thiab sim nkag mus rau tus yuam sij / tus nqi peb yuav tsum muaj kev nkag mus.

curl 
consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header “X-Consul-Token: <SecretID_from_prev_response>”

Koj tuaj yeem base64 txiav txim siab "Tus nqi" thiab pom tias nws phim tus nqi hauv kev cai-ns/test_key hauv UI. Yog tias koj siv tib tus nqi saum toj no hauv cov lus qhia no, koj tus nqi encoded yuav yog IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.

Tus neeg siv kev pabcuam tus account xeem:

Tsim ib qho kev cai ServiceAccount siv cov lus txib hauv qab no [txuas].

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
 name: custom-sa
EOF

Tsim ib cov ntaub ntawv configuration tshiab rau lub pod. Thov nco ntsoov tias kuv suav nrog curl installation kom txuag tau txoj haujlwm :)

###poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
 name: poc-ubuntu-custom-sa
 namespace: default
spec:
 serviceAccountName: custom-sa
 containers:
 - name: poc-ubuntu-custom-sa
   image: ubuntu
   command: ["/bin/bash","-ec"]
   args: ["apt-get update && apt-get install curl -y; sleep infinity"]
 restartPolicy: Never

Tom qab ntawd, khiav ib lub plhaub hauv lub thawv.

kubectl exec -it poc-ubuntu-custom-sa /bin/bash

Nkag mus!

echo "{ 
"AuthMethod": "auth-method-skywiz-consul-poc", 
"BearerToken": "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" 
}" 
| curl 
--request POST 
--data @- 
consul-ds-client.default.svc.cluster.local/v1/acl/login

Tso cai tsis kam. Auj, peb tsis nco qab ntxiv cov cai tshiab khi nrog cov kev tso cai tsim nyog, cia peb ua tam sim no.

Rov ua dua cov kauj ruam dhau los saum toj no:
a) Tsim ib txoj cai zoo ib yam rau lub npe "custom-sa/".
b) Tsim Lub Luag Haujlwm, hu nws "kev cai-sa-lub luag haujlwm"
c) Txuas Txoj Cai rau Lub Luag Haujlwm.

Tsim Txoj Cai-Txuas (tsuas yog ua tau los ntawm cli/api). Nco ntsoov lub ntsiab lus sib txawv ntawm tus chij xaiv.

consul acl binding-rule create 
-method=auth-method-skywiz-consul-poc 
-bind-type=role 
-bind-name='custom-sa-role' 
-selector='serviceaccount.name=="custom-sa"'

Nkag mus dua los ntawm lub thawv "poc-ubuntu-custom-sa". Kev vam meej!
Mus saib peb txoj kev nkag mus rau txoj kev cai-sa/qhov tseem ceeb.

curl 
consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header “X-Consul-Token: <SecretID>”

Koj tseem tuaj yeem xyuas kom meej tias qhov token no tsis pub nkag rau kv hauv "kev cai-ns/". Tsuas yog rov hais dua cov lus txib saum toj no tom qab hloov "kev cai-sa" nrog rau lub npe "custom-ns".
Tso cai tsis kam.

Overlay piv txwv:

Nws yog ib qho tsim nyog sau cia tias tag nrho cov kev cai tswjhwm daim ntawv qhia yuav raug ntxiv rau lub cim nrog cov cai no.
Peb lub thawv "poc-ubuntu-custom-sa" yog nyob rau hauv lub neej ntawd namespace - yog li cia peb siv nws rau ib tug txawv txoj cai-binding.
Rov ua cov kauj ruam dhau los:
a) Tsim ib txoj cai zoo ib yam rau qhov "default/" key prefix.
b) Tsim Ib Lub Luag Haujlwm, npe nws "default-ns-role"
c) Txuas Txoj Cai rau Lub Luag Haujlwm.
Tsim Txoj Cai-Txuas (tsuas yog ua tau los ntawm cli/api)

consul acl binding-rule create 
-method=auth-method-skywiz-consul-poc 
-bind-type=role 
-bind-name='default-ns-role' 
-selector='serviceaccount.namespace=="default"'

Rov qab mus rau peb lub thawv "poc-ubuntu-custom-sa" thiab sim nkag mus rau "default/" kv txoj kev.
Tso cai tsis kam.
Koj tuaj yeem saib cov ntaub ntawv pov thawj rau txhua tus token hauv UI hauv qab ACL> Tokens. Raws li koj tuaj yeem pom, peb lub cim tam sim no tsuas muaj ib qho "kev cai-sa-lub luag haujlwm" txuas rau nws. Lub token uas peb tab tom siv tam sim no tau tsim tawm thaum peb nkag rau hauv thiab tsuas muaj ib txoj cai-khi uas phim thaum ntawd. Peb yuav tsum tau nkag mus dua thiab siv lub token tshiab.
Nco ntsoov koj tuaj yeem nyeem los ntawm ob qho tib si "kev cai-sa/" thiab "default/" kv txoj hauv kev.
Kev vam meej!
Qhov no yog vim peb "poc-ubuntu-custom-sa" sib phim "custom-sa" thiab "default-ns" txoj cai khi.

xaus

TTL token mgmt?

Thaum lub sijhawm sau ntawv no, tsis muaj kev sib koom ua ke los txiav txim siab TTL rau cov tokens tsim los ntawm txoj kev tso cai no. Nws yuav yog lub sijhawm zoo los muab kev ruaj ntseg automation ntawm Consul tso cai.

Muaj ib qho kev xaiv los tsim ib lub token nrog TTL:

https://www.consul.io/docs/acl/acl-system.html#acl-tokens
Lub Sijhawm Kawg - Lub sijhawm uas lub cim no yuav raug tshem tawm. (Yeem; ntxiv hauv Consul 1.5.0)
Muaj tsuas yog rau phau ntawv tsim / hloov tshiab https://www.consul.io/api/acl/tokens.html#expirationtime

Cia siab tias yav tom ntej no peb yuav muaj peev xwm tswj tau li cas tokens yog generated (ib txoj cai los yog txoj kev tso cai) thiab ntxiv TTL.

Txog thaum ntawd, nws tau qhia tias koj siv qhov kawg ntawm qhov kawg hauv koj qhov kev xav.

Kuj nyeem lwm cov ntawv hauv peb blog:

Tau qhov twg los: www.hab.com

Taw qhia rau Hashicorp Consul's Kubernetes Tso Cai