Introduction to Hashicorp Consul's Kubernetes Authorization

That's right: since the release of Hashicorp Consul 1.5.0 in early May 2019, Consul can natively authorize applications and services running in Kubernetes.

In this tutorial we will build, step by step, a POC (proof of concept) demonstrating this new feature. Basic knowledge of Kubernetes and Hashicorp's Consul is assumed. Although you can use any cloud platform or on-premises environment, in this tutorial we will use Google's Cloud Platform.

Overview

If we go to the Consul documentation on auth methods, we get a quick overview of their purpose and use cases, as well as some technical details and a general overview of the logic. I strongly recommend reading it at least once before continuing, because I am now going to explain and chew through all of it.

Figure 1: Official overview of the Consul auth method

Now let's look into the documentation for the Kubernetes-specific auth method.

Sure, there is useful information there, but no guide on how to actually use it all. So, like any sensible person, you scour the Internet for a guide. And then... you fail. It happens. Let's fix that.

Before we move on to building our POC, let's go back to the overview of Consul auth methods (Figure 1) and refine it in the context of Kubernetes.

Architecture

In this tutorial we will create a Consul server on a separate machine that will communicate with a Kubernetes cluster that has the Consul client installed. We will then create a dummy application in a pod and use our configured auth method to read from our Consul key/value store.

The diagram below details the architecture we are creating in this tutorial, as well as the logic behind the auth method, which will be explained later.

Figure 2: Overview of the Kubernetes auth method

A quick note: the Consul server does not have to live outside the Kubernetes cluster for this to work. But yes, it can be done either way.

So, taking the Consul overview diagram (Figure 1) and applying Kubernetes to it, we get the diagram above (Figure 2), and the explanation goes like this:

  1. Each pod will have a service account attached to it containing a JWT token generated by and known to Kubernetes. This token is also mounted into the pod by default.
  2. Our application or service inside the pod initiates a login request to our Consul client. The login request also includes our token and the name of a specially created auth method (of type Kubernetes). This step #2 corresponds to step 1 of the Consul diagram (Figure 1).
  3. Our Consul client then forwards this request to our Consul server.
  4. MAGIC! This is where the Consul server verifies the authenticity of the request, collects information about the identity of the requester and compares it to any pre-defined associated rules. Another diagram illustrating this is below. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Figure 1).
  5. Our Consul server generates a Consul token with permissions according to the auth method rules we defined, based on the identity of the requester. It then sends that token back. This corresponds to step 6 of the Consul diagram (Figure 1).
  6. Our Consul client passes the token to the requesting application or service.

Our application or service can now use this Consul token to communicate with our Consul data, as determined by the token's privileges.

The magic trick is revealed!

For those of you who aren't satisfied with just a rabbit out of a hat and want to know how it works... let me "show you how deep the rabbit hole goes".

As mentioned earlier, our "magic" step (Figure 2: step 4) is where the Consul server authenticates the request, collects information about the request, and compares it to any associated pre-defined rules. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Figure 1). Below is a diagram (Figure 3) whose purpose is to clearly show what is actually happening under the hood of the Kubernetes-specific auth method.

Figure 3: The magic trick revealed!

  1. As a starting point, our Consul client forwards the login request to our Consul server with the Kubernetes service account token and the name of the specific auth method instance that was created earlier. This step corresponds to step 3 in the previous diagram explanation.
  2. Now the Consul server (or leader) needs to verify the authenticity of the received token. So it consults the Kubernetes cluster (via the Consul client) and, given the appropriate permissions, we find out whether the token is genuine and who it belongs to.
  3. The verified request is returned to the Consul leader, and the Consul server looks up the auth method instance with the name specified in the login request (and of type Kubernetes).
  4. The Consul leader identifies the specified auth method instance (if found) and reads the set of binding rules attached to it. It then reads these rules and compares them to the verified identity attributes.
  5. TA-dah! Let's move on to step 5 of the previous diagram explanation.

Running the Consul server on a regular virtual machine

From here on I will mostly be giving instructions on how to build this POC, often as bullet points, without full-sentence explanations. Also, as noted earlier, I will be using GCP to create all the infrastructure, but you can build the same infrastructure anywhere else.

  • Start the virtual machine (instance/server).

  • Create a firewall rule (a security group in AWS):
  • I like to give the rule and the network tag the same name, in this case "skywiz-consul-server-poc".
  • Find the IP address of your local computer and add it to the list of source IP addresses so that we can reach the user interface (UI).
  • Open port 8500 for the UI. Click Create. We will change this firewall rule again soon [link].
  • Add the firewall rule to the instance. Go back to the VM dashboard of the Consul server and add "skywiz-consul-server-poc" to the network tags field. Click Save.

  • Install Consul on the virtual machine, see here. Remember that you need Consul version ≥ 1.5 [link]
  • Let's set up a single-node Consul. The configuration is as follows.

groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d

  • For more detailed instructions on installing Consul and setting up a 3-node cluster, see here.
  • Create the file /etc/consul.d/agent.json as shown below [link]:

### /etc/consul.d/agent.json
{
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}

  • Start our Consul server:

consul agent \
  -server \
  -ui \
  -client 0.0.0.0 \
  -data-dir=/var/lib/consul \
  -bootstrap-expect=1 \
  -config-dir=/etc/consul.d

  • You should see a bunch of output, ending with "... update blocked by ACLs."
  • Find the external IP address of the Consul server and open a browser at that IP address on port 8500. Make sure the UI opens.
  • Try adding a key/value pair. There should be an error. This is because we started the Consul server with ACLs enabled and a default policy that denies everything.
  • Go back to your shell on the Consul server, start the process in the background (or keep it running some other way), and enter the following:

consul acl bootstrap

  • Find the "SecretID" value and go back to the UI. In the ACL tab, enter the secret ID of the token you copied. Also copy the SecretID somewhere else; we will need it later.
  • Now add a key/value pair. For this POC, add the following: key: "custom-ns/test_key", value: "I'm in the custom-ns folder!"

Launching a Kubernetes cluster for our application with the Consul client as a DaemonSet

  • Create a K8s (Kubernetes) cluster. We will create it in the same zone as the server for faster access, so that we can use the same subnet and easily connect over internal IP addresses. We will call it "skywiz-app-with-consul-client-poc".

  • As a side note, here is a good tutorial I found while setting up a POC Consul cluster with Consul Connect.
  • We will also use Hashicorp's Helm chart with an extended values file.
  • Install and configure Helm. Configuration steps:

kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding \
   --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update

### poc-helm-consul-values.yaml
global:
  enabled: false
  image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
  enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
  enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
  enabled: true
  join: ["<PRIVATE_IP_CONSUL_SERVER>"]
  extraConfig: |
    {
      "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true
      }
    }
# Minimal Consul configuration. Not suitable for production.
server:
  enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
  enabled: false

  • Apply the Helm chart:

./helm install -f poc-helm-consul-values.yaml ./consul-helm --name skywiz-app-with-consul-client-poc

  • When it tries to run, it will need access to the Consul server, so let's add it.
  • Note the "Pod address range" on the cluster dashboard and go back to our "skywiz-consul-server-poc" firewall rule.
  • Add the pod address range to the list of source IP addresses and open ports 8301 and 8300.

  • Go to the Consul UI; after a few minutes you will see our cluster appear in the Nodes tab.

Configuring an auth method by integrating Consul with Kubernetes

  • Go back to the Consul server shell and export the token you saved earlier:

export CONSUL_HTTP_TOKEN=<SecretID>

  • We need some information from our Kubernetes cluster to create an instance of the auth method:
  • kubernetes-host

kubectl get endpoints | grep kubernetes

  • kubernetes-service-account-jwt

kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:

  • The token is base64 encoded, so decode it with your favorite tool [link]
  • kubernetes-ca-cert

kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:

  • Take the "ca.crt" certificate (after base64 decoding) and write it to a file named "ca.crt".
  • Now instantiate the auth method, substituting the placeholders with the values you just obtained.

consul acl auth-method create \
  -type "kubernetes" \
  -name "auth-method-skywiz-consul-poc" \
  -description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" \
  -kubernetes-host "<k8s_endpoint_retrieved_earlier>" \
  -kubernetes-ca-cert=@ca.crt \
  -kubernetes-service-account-jwt="<decoded_token_retrieved_earlier>"

  • The next thing we need to do is create a policy and attach it to a new role. For this part you can use the Consul UI, but we will use the command line.
  • Write a policy

### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
 policy = "write"
}

  • Apply the policy

consul acl policy create \
  -name kv-custom-ns-policy \
  -description "This is an example policy for kv at custom-ns/" \
  -rules @kv-custom-ns-policy.hcl

  • Find the ID of the policy you just created in the output.
  • Create a role with the new policy.

consul acl role create \
  -name "custom-ns-role" \
  -description "This is an example role for custom-ns namespace" \
  -policy-id <policy_id>

  • Create a binding rule that maps service accounts in the custom-ns namespace to this role.

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-ns-role' \
  -selector='serviceaccount.namespace=="custom-ns"'

Final configuration

Access rights

  • Create the access rights. We need to grant Consul permission to verify the K8s service account token and identify its owner.
  • Write the following to a file [link]:

### skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: review-tokens
  namespace: default
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-getter
  namespace: default
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-service-accounts
  namespace: default
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: service-account-getter
  apiGroup: rbac.authorization.k8s.io

  • Let's create the access rights

kubectl create -f skywiz-poc-consul-server_rbac.yaml

Connecting to the Consul client

  • As noted here, there are several options for connecting to the DaemonSet, but we will go with the following simple solution:
  • Apply the following file [link].

### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: consul-ds-client
spec:
  selector:
    app: consul
    chart: consul-helm
    component: client
    hasDNS: "true"
    release: skywiz-app-with-consul-client-poc
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8500

  • Then use the command below to create a ConfigMap [link]. Note that we refer to the name of our service here; replace it if necessary.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system
data:
  stubDomains: |
    {"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOF

Testing the auth method

Let's watch the magic in action!

  • Create a few more key folders with the same top-level key (i.e. /sample_key) and a value of your choice. Create the appropriate policies and roles for the new key paths. We will do the bindings later.

Custom namespace test:

  • Let's create our own namespace:

kubectl create namespace custom-ns

  • Let's create a pod in our new namespace. Write the configuration for the pod.

### poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-ns
  namespace: custom-ns
spec:
  containers:
  - name: poc-ubuntu-custom-ns
    image: ubuntu
    command: ["/bin/bash", "-ec", "sleep infinity"]
  restartPolicy: Never

  • Create the pod:

kubectl create -f poc-ubuntu-custom-ns.yaml

  • Once the container is up, go into it and install curl.

kubectl exec -n custom-ns -it poc-ubuntu-custom-ns -- /bin/bash
apt-get update && apt-get install curl -y

  • Now we will send a login request to Consul using the auth method we created earlier [link].
  • To see the service account token mounted into the pod:

cat /run/secrets/kubernetes.io/serviceaccount/token

  • Write the following to a file inside the container (the AuthMethod must be the name of the auth method instance created earlier):

### payload.json
{
  "AuthMethod": "auth-method-skywiz-consul-poc",
  "BearerToken": "<jwt_token>"
}

  • Log in!

curl \
  --request POST \
  --data @payload.json \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • To do the steps above in one line (since we will be running several tests), you can do the following:

echo "{ \
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\", \
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\" \
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • It works! As it should. Now take the SecretID and try to fetch the key/value we should have access to.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header "X-Consul-Token: <SecretID_from_prev_response>"

  • You can base64 decode the "Value" and see that it matches the value at custom-ns/test_key in the UI. If you used the same value as above in this tutorial, your encoded value will be IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.

Custom service account test:

  • Create a custom ServiceAccount with the following command [link].

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
 name: custom-sa
EOF

  • Create a new configuration file for the pod. Note that I included the curl installation to save some work :)

### poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-sa
  namespace: default
spec:
  serviceAccountName: custom-sa
  containers:
  - name: poc-ubuntu-custom-sa
    image: ubuntu
    command: ["/bin/bash", "-ec"]
    args: ["apt-get update && apt-get install curl -y; sleep infinity"]
  restartPolicy: Never

  • Once that is done, open a shell inside the container.

kubectl exec -it poc-ubuntu-custom-sa -- /bin/bash

  • Log in!

echo "{ \
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\", \
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\" \
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • Permission denied. Oh, we forgot to add a new binding rule with the appropriate permissions; let's do that now.

Repeat the previous steps from above:
a) Create a similar policy for the prefix "custom-sa/".
b) Create a role, name it "custom-sa-role".
c) Attach the policy to the role.

  • Create a binding rule (only possible from the CLI/API). Note the different value of the selector flag.

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-sa-role' \
  -selector='serviceaccount.name=="custom-sa"'

  • Log in again from the "poc-ubuntu-custom-sa" container. Success!
  • Check our access to the custom-sa/ key path.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header "X-Consul-Token: <SecretID>"

  • You can also verify that this token does not grant access to the kv under "custom-ns/". Just repeat the command above after replacing the "custom-sa" prefix with "custom-ns".
    Permission denied.

Overlap test:

  • It is important to note that all matching binding rules are applied to the token, adding their privileges to it.
  • Our "poc-ubuntu-custom-sa" container lives in the default namespace, so let's use that for another binding rule.
  • Repeat the previous steps:
    a) Create a similar policy for the "default/" key prefix.
    b) Create a role, name it "default-ns-role".
    c) Attach the policy to the role.
  • Create a binding rule (only possible from the CLI/API)

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='default-ns-role' \
  -selector='serviceaccount.namespace=="default"'

  • Go back to our "poc-ubuntu-custom-sa" container and try to access the "default/" kv path.
  • Permission denied.
    You can see the privileges assigned to each token in the UI under ACL > Tokens. As you can see, our current token only has "custom-sa-role" attached to it. The token we are using now was generated when we logged in, and only one binding rule matched at that time. We need to log in again and use the new token.
  • Make sure you can read from both the "custom-sa/" and "default/" kv paths.
    Success!
    This is because our "poc-ubuntu-custom-sa" matches both the "custom-sa" and "default-ns" binding rules.
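To make the matching step concrete, here is an added Python model (not Consul's own code) of what the Consul leader does in Figure 3, step 4, and of why the token issued during the overlap test above only carried the roles whose binding rules existed at login time. The service account JWT and its claims are constructed for this example (the signature segment is a placeholder and nothing verifies it), and the selector evaluator supports only `field=="value"` / `field!="value"` terms joined by `and`, a small subset of Consul's real selector language.

```python
import base64
import json
import re

# Constructed sample: claims of a legacy Kubernetes service account JWT for the
# "custom-sa" account in the "default" namespace. Not a real token; the signature
# segment is a placeholder and nothing here verifies it.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "custom-sa",
    "sub": "system:serviceaccount:default:custom-sa",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"placeholder-signature"),
])

def identity_from_jwt(token: str) -> dict:
    """Map the JWT claims to the serviceaccount.* fields that selectors use.
    Only decoding happens here; in the real flow the Consul server hands the
    token to the Kubernetes TokenReview API (Figure 3, step 2) to verify it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {
        "serviceaccount.namespace": claims["kubernetes.io/serviceaccount/namespace"],
        "serviceaccount.name": claims["kubernetes.io/serviceaccount/service-account.name"],
    }

SELECTOR_TERM = re.compile(r'^\s*([\w.]+)\s*(==|!=)\s*"([^"]*)"\s*$')

def selector_matches(selector: str, identity: dict) -> bool:
    """Evaluate a simplified selector: field=="v" / field!="v" terms joined by
    'and'. Consul's real selector language (go-bexpr) is richer than this."""
    for term in selector.split(" and "):
        m = SELECTOR_TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        field, op, value = m.groups()
        if (op == "==") != (identity.get(field) == value):
            return False
    return True

def roles_for_login(binding_rules: list, identity: dict) -> list:
    """Every binding rule whose selector matches contributes its role (Figure 3,
    step 4). The token minted at login carries exactly this set, which is why a
    rule added later only takes effect after logging in again."""
    return [r["bind_name"] for r in binding_rules
            if selector_matches(r["selector"], identity)]

# The three binding rules created in this tutorial, in the order they were added.
BINDING_RULES = [
    {"bind_name": "custom-ns-role", "selector": 'serviceaccount.namespace=="custom-ns"'},
    {"bind_name": "custom-sa-role", "selector": 'serviceaccount.name=="custom-sa"'},
    {"bind_name": "default-ns-role", "selector": 'serviceaccount.namespace=="default"'},
]

if __name__ == "__main__":
    ident = identity_from_jwt(SAMPLE_JWT)
    print(roles_for_login(BINDING_RULES[:2], ident))  # before the default-ns rule existed
    print(roles_for_login(BINDING_RULES, ident))      # after logging in again
```

The first login (two rules present) yields only custom-sa-role; the second, after the default-ns rule is added, yields both, which is exactly the behaviour observed in the overlap test.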

Conclusions

Token TTL management?

At the time of writing, there is no integrated way to define a TTL for the tokens generated by this auth method. That would be a great opportunity to provide secure automation of Consul authorization.

There is an option to create a token with a TTL manually:

Hopefully, in the near future we will be able to control how tokens are generated (per binding rule or per auth method) and add a TTL.

Until then, it is recommended that you use the logout endpoint in your logic.

Source: www.habr.com