Back to microservices with Istio. Part 3

Translator's note: The first part of this series was devoted to getting acquainted with Istio's capabilities and demonstrating them in action; the second to a detailed look at routing and network traffic management. Now we will talk about security: to demonstrate the basic features related to it, the author uses the Auth0 identity service, but other providers can be configured in the same way.

We set up a Kubernetes cluster in which we deployed Istio and a sample microservice application, Sentiment Analysis, to demonstrate Istio's capabilities.

With Istio we were able to keep our services small, because they do not need to implement Retries, Timeouts, Circuit Breakers, Tracing or Monitoring themselves. In addition, we used advanced testing and deployment techniques: A/B testing, mirroring and canary rollouts.


In this new material we will look at the last layers on the path to business value: authentication and authorization, and in Istio they are a real pleasure!

Authentication and authorization in Istio

I would never have believed that authentication and authorization could inspire me. What can Istio offer, technically, to make these topics fun and, even more, inspiring?

The answer is simple: Istio moves responsibility for these capabilities out of your services and into the sidecar proxies. By the time a request reaches the services it has already been authenticated and authorized, so all that is left for you is to write code that is useful to the business.

Sounds good? Let's look inside!

Authentication with Auth0

As the server for identity and access management we will use Auth0, which has a trial version, is intuitive to use, and which I simply like. However, the same principles can be applied to any other OpenID Connect implementation: KeyCloak, IdentityServer and many others.

To begin, go to the Auth0 Portal with your account, create a tenant (a tenant is a logical domain of the account; see the documentation for details; translator's note) and go to Applications > Default App, selecting Domain, as shown in the screenshot below:

[Screenshot]

Specify this domain in the file resource-manifests/istio/security/auth-policy.yaml (source):

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:
  - name: sa-web-app
  - name: sa-feedback
  origins:
  - jwt:
      issuer: "https://{YOUR_DOMAIN}/"
      jwksUri: "https://{YOUR_DOMAIN}/.well-known/jwks.json"
  principalBinding: USE_ORIGIN

With this resource, Pilot (one of the three basic components of the control plane in Istio; translator's note) configures Envoy to authenticate requests before forwarding them to the services sa-web-app and sa-feedback. At the same time, the configuration is not applied to the sidecar proxies of the sa-frontend service, which lets us leave the frontend unauthenticated. To apply the Policy, run the command:

$ kubectl apply -f resource-manifests/istio/security/auth-policy.yaml
policy.authentication.istio.io "auth-policy" created

Go back to the page and make a request: you will see that it ends with status 401 Unauthorized. Now let's redirect frontend users to authenticate with Auth0.

Authenticating requests with Auth0

To authenticate end-user requests, you need to create an API in Auth0 that will represent the authenticated services (reviews, details and ratings). To create the API, go to Auth0 Portal > APIs > Create API and fill in the form:

[Screenshot]

The important piece of information here is the Identifier, which we will use later in the script. Let's write it down like this:

  • Audience: {YOUR_AUDIENCE}

The remaining details we need are in the Auth0 Portal in the Applications section: choose Test Application (created automatically together with the API).

Here we write down:

  • Domain: {YOUR_DOMAIN}
  • Client ID: {YOUR_CLIENT_ID}

Scroll down in Test Application to the text field Allowed Callback URLs, in which we specify the URL the call should be sent to after authentication has completed. In our case it is:

http://{EXTERNAL_IP}/callback

And in Allowed Logout URLs put:

http://{EXTERNAL_IP}/logout

Let's move on to the frontend.

Updating the frontend

Switch to the auth0 branch of the [istio-mastery] repository. In this branch the frontend code has been changed to redirect users to Auth0 for authentication and to use the JWT token in requests to the other services. The latter is implemented as follows (App.js):

analyzeSentence() {
    fetch('/sentiment', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${auth.getAccessToken()}` // Access Token
        },
        body: JSON.stringify({ sentence: this.textField.getValue() })
    })
        .then(response => response.json())
        .then(data => this.setState(data));
}

To switch the frontend to the data of your Auth0 tenant, open sa-frontend/src/services/Auth.js and replace in it the values we wrote down above (Auth.js):

const Config = {
    clientID: '{YOUR_CLIENT_ID}',
    domain:'{YOUR_DOMAIN}',
    audience: '{YOUR_AUDIENCE}',
    ingressIP: '{EXTERNAL_IP}' // Used for the redirect after authentication
}

The application is ready. Specify your Docker ID in the commands below while building and deploying the changes:

$ docker build -f sa-frontend/Dockerfile \
 -t $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0 \
 sa-frontend

$ docker push $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

$ kubectl set image deployment/sa-frontend \
 sa-frontend=$DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

Try the application! You will be redirected to Auth0, where you need to log in (or sign up), after which you are sent back to the page from which the requests will be made. If you test with curl the commands mentioned in the first parts of the article, you will get status code 401, signalling that the request is not authorized.

Let's take the next step: authorize the requests.

Authorization with Auth0

Authentication lets us understand who the user is, but authorization is needed to know what they may access. Istio offers tools for this too.

As an example, let's create two groups of users (see the diagram below):

  • Users: access only to the SA-WebApp and SA-Frontend services;
  • Moderators: access to all three services.

[Figure: Authorization concept]

To create these groups we will use the Auth0 Authorization extension, and use Istio to give them different levels of access.

Installing and configuring the Auth0 Authorization extension

In the Auth0 portal go to Extensions and install Auth0 Authorization. After installation, go to the Authorization Extension and from there to the tenant configuration, by clicking at the top right and choosing the corresponding menu item (Configuration). Enable Groups and click the Publish Rule button.


Creating groups

In the Authorization Extension go to Groups and create the Moderators group. Since we will treat all authenticated users as regular users, there is no need to create an additional group for them.

Select the Moderators group, click Add Members and add your main account. Leave some users without any group, to check that they are denied access. (New users can be created manually via Auth0 Portal > Users > Create User.)

Adding the group claim to the access token

Users have been added to the groups, but this information also has to be reflected in the access token. To comply with OpenID Connect and at the same time return the groups we need, a custom claim has to be added to the token. This is done with Auth0 rules.

To create a rule, go to Auth0 Portal > Rules, click Create Rule and choose the empty rule from the templates.

[Screenshot]

Copy the code below and save it as the new rule Add group claim (namespacedGroup.js):

function (user, context, callback) {
    context.accessToken['https://sa.io/group'] = user.groups[0];
    return callback(null, user, context);
}

Note: This code takes the first group of the user defined in the Authorization extension and adds it to the access token as a custom claim (under its own namespace, as Auth0 requires).

Go back to the Rules page and check that you have two rules listed in this order:

  • auth0-authorization-extension
  • Add group claim

The order is important, because the groups field is populated asynchronously by the auth0-authorization-extension rule, and only after that is it added as a claim by the second rule. The result is an access token like this:

{
 "https://sa.io/group": "Moderators",
 "iss": "https://sentiment-analysis.eu.auth0.com/",
 "sub": "google-oauth2|196405271625531691872"
 // [truncated for brevity]
}

Now we need to configure the Envoy proxy to check the user's access, for which it will extract the group from the claim (https://sa.io/group) in the returned access token. This is the topic of the next part of the article.

Configuring authorization in Istio

For authorization to work, RBAC for Istio must be enabled. To do this we will use the following configuration:

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'                     # 1
  inclusion:
    services:                                   # 2
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    - "sa-feedback.default.svc.cluster.local" 

Explanation:

  • 1: enable RBAC only for the services and namespaces listed in the Inclusion field;
  • 2: here we list our services.

Let's apply the configuration with the command:

$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created

All services now require role-based access control. In other words, access to all services is forbidden and results in the response RBAC: access denied. Now let's allow access for authorized users.

Configuring access for regular users

All users must have access to the SA-Frontend and SA-WebApp services. This is implemented with the following Istio resources:

  • ServiceRole: defines the permissions a user has;
  • ServiceRoleBinding: defines whom this ServiceRole belongs to.

For regular users we will allow access to certain services (servicerole.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services: 
    - "sa-frontend.default.svc.cluster.local" 
    - "sa-web-app.default.svc.cluster.local"
    paths: ["*"]
    methods: ["*"]

And with regular-user-binding we assign the ServiceRole to all visitors of the page (regular-user-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"

Does "all users" mean that unauthenticated users will also have access to SA WebApp? No, the Policy will check the validity of the JWT token.

Let's apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created

Configuring access for moderators

For moderators we want to enable access to all services (mod-user-role.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mod-user
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]

But we want such permissions only for users whose access token contains the claim https://sa.io/group with the value Moderators (mod-user-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[https://sa.io/group]: "Moderators"
  roleRef:
    kind: ServiceRole
    name: "mod-user"

Let's apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created

Because of caching in the sidecars, it may take a few minutes for the authorization rules to take effect. After that you can verify that users and moderators have different levels of access.

Conclusions for this part

Honestly, have you ever seen a simpler, effortless, scalable and secure approach to authentication and authorization?

Only three Istio resources (RbacConfig, ServiceRole and ServiceRoleBinding) were needed to get fine-grained control over authentication and authorization of end users' access to the services.

In addition, we moved the handling of these concerns out of our services and into the Envoy proxies, gaining:

  • a reduction in the amount of boilerplate code that could contain security problems and bugs;
  • a reduction in the number of silly situations in which one endpoint turns out to be reachable from outside and nobody remembered to report it;
  • no need to update all services every time a new role or permission is added;
  • and new services become simple, secure and fast.

Conclusion

Istio lets teams focus their resources on business-critical tasks without adding overhead to the services, returning them to "micro" status.

The article (in three parts) provided the basic knowledge and practical instructions needed to get started with Istio in real projects.


Source: www.habr.com