Dzokera kumamicroservices neIstio. Chikamu 3


Translator's note: the first part of this series was devoted to getting acquainted with Istio's capabilities and showing them in action; the second to fine-grained routing and network traffic management. Now we turn to security. To demonstrate the basic features involved, the author uses the Auth0 identity service, but other providers can be configured in the same way.

We built a Kubernetes cluster, installed Istio in it and deployed a sample microservice application, Sentiment Analysis, to demonstrate Istio's capabilities.

With Istio we were able to keep our services small, because they no longer have to implement features such as retries, timeouts, circuit breakers, tracing and monitoring. On top of that, we used advanced testing and deployment techniques: A/B testing, mirroring and canary rollouts.


In this final article we deal with the last pieces on the road to business value: authentication and authorization, and in Istio this is a real pleasure!

Authentication and authorization in Istio

I never thought I would be inspired by authentication and authorization. What can Istio offer, from a technical point of view, to make these topics interesting and, more importantly, motivating for you?

The answer is simple: Istio moves the burden of these capabilities out of your services and into the Envoy proxy. By the time requests reach your services they have already been authenticated and authorized, so all you have to write is business-relevant code.

Sounds good? Let's look inside!

Authentication with Auth0

As the identity and access management server we will use Auth0, which has a trial version, is intuitive to use, and which I simply like. The same principles apply, however, to any other OpenID Connect implementation: KeyCloak, IdentityServer and many others.

To begin, sign in to the Auth0 Portal with your account, create a tenant (a tenant is an isolated unit of configuration, separate from other tenants; see the documentation for details - translator's note) and go to Applications > Default App, where you select the Domain, as shown in the screenshot below:


Enter this domain in the file resource-manifests/istio/security/auth-policy.yaml (source):

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:
  - name: sa-web-app
  - name: sa-feedback
  origins:
  - jwt:
      issuer: "https://{YOUR_DOMAIN}/"
      jwksUri: "https://{YOUR_DOMAIN}/.well-known/jwks.json"
  principalBinding: USE_ORIGIN

With this Policy in place, Pilot (one of the three core components of the Istio control plane - translator's note) configures Envoy to authenticate requests before forwarding them to the services sa-web-app and sa-feedback. The policy is not applied to the sa-frontend service, which deliberately leaves the frontend unauthenticated so that the page itself can still be loaded. Note that the policy pins only the issuer and the JWKS endpoint and does not set `audiences`, so any valid token issued by this tenant is accepted regardless of which API it was minted for; in production add the API Identifier under `audiences` as well. To apply the Policy, run:

$ kubectl apply -f resource-manifests/istio/security/auth-policy.yaml
policy.authentication.istio.io "auth-policy" created

Go back to the page and make a request: you will see that it fails with a 401 Unauthorized status. Now let's redirect frontend users to authenticate with Auth0.

Authenticating requests with Auth0

To authenticate end-user requests, you need to create an API in Auth0 that represents the services requiring authentication (here sa-web-app and sa-feedback). To create an API, go to Auth0 Portal > APIs > Create API and fill in the form:


The important value here is the Identifier, which we will use later in the script. Let's write it down as:

  • Audience: {YOUR_AUDIENCE}

The remaining details we need are in the Auth0 Portal under Applications: select Test Application (created automatically together with the API).

Here we note down:

  • Domain: {YOUR_DOMAIN}
  • Client ID: {YOUR_CLIENT_ID}

Scroll down in Test Application to the text field Allowed Callback URLs, where we specify the URL that the callback should be sent to once authentication completes. In our case it is:

http://{EXTERNAL_IP}/callback

And under Allowed Logout URLs add:

http://{EXTERNAL_IP}/logout

Let's move on.

Frontend update

Switch to the auth0 branch of the [istio-mastery] repository. In this branch the frontend code is changed to redirect users to Auth0 for authentication and to send the JWT in requests to the other services. The latter is done as follows (App.js):

analyzeSentence() {
    fetch('/sentiment', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${auth.getAccessToken()}` // Access Token
        },
        body: JSON.stringify({ sentence: this.textField.getValue() })
    })
        .then(response => response.json())
        .then(data => this.setState(data));
}

To make the frontend use your tenant data from Auth0, open sa-frontend/src/services/Auth.js and replace the values in it with the ones we wrote down above (Auth.js):

const Config = {
    clientID: '{YOUR_CLIENT_ID}',
    domain:'{YOUR_DOMAIN}',
    audience: '{YOUR_AUDIENCE}',
    ingressIP: '{EXTERNAL_IP}' // used for the redirect after authentication
}

The application is ready. Substitute your Docker ID in the commands below when building and pushing the changes:

$ docker build -f sa-frontend/Dockerfile \
    -t $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0 \
    sa-frontend

$ docker push $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

$ kubectl set image deployment/sa-frontend \
    sa-frontend=$DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

Try the app! You will be redirected to Auth0, where you need to log in (or sign up), after which you are sent back to the page and its requests are now authenticated. If you retry the curl commands from the first parts of this article, you will get a 401 Status Code, showing that the request is not authorized.

Let's take the next step: authorizing requests.

Authorization with Auth0

Authentication lets us know who the user is, but authorization is needed to know what they are allowed to access. Istio provides tools for this too.

As an example, let's create two groups of users (see the diagram below):

  • Users - with access only to the SA-WebApp and SA-Frontend services;
  • Moderators - with access to all three services.

(Diagram: authorization concept)

To create these groups we will use the Auth0 Authorization extension, and we will use Istio to grant them different levels of access.

Installing and configuring Auth0 Authorization

In the Auth0 portal, go to Extensions and install Auth0 Authorization. After installation, open the Authorization Extension, then go to the tenant configuration by clicking in the top right corner and choosing the corresponding menu item (Configuration). Activate Groups and click the Publish Rule button.


Creating groups

In the Authorization Extension go to Groups and create a Moderators group. Since we will treat all authenticated users as regular users, there is no need to create a separate group for them.

Select the Moderators group, press Add Members and add your main account. Leave the other users without any group, so that you can verify they are denied access. (New users can be created manually via Auth0 Portal > Users > Create User.)

Adding a group claim to the access token

Users have been added to groups, but this information also has to appear in the access tokens. To stay compliant with OpenID Connect and still return the groups we need, the token gets its own custom claim. This is done with Auth0 rules.

To create a rule, go to Auth0 Portal > Rules, press Create Rule and choose the empty rule from the templates.


Copy the code below and save it as a new rule named Add Group Claim (namespacedGroup.js):

function (user, context, callback) {
    // user.groups is filled in by the auth0-authorization-extension rule, which must run first
    var groups = user.groups || []; // guard: users outside any group simply get no claim
    if (groups.length > 0) context.accessToken['https://sa.io/group'] = groups[0]; // namespaced name, as Auth0 requires
    return callback(null, user, context);
}

A quick note: this code takes the user's first group as defined in the Authorization Extension and adds it to the access token as a custom claim (under a namespaced name, as Auth0 requires for custom claims).

Go back to the Rules page and check that you have two rules listed in the following order:

  • auth0-authorization-extension
  • Add Group Claim

The order matters, because the groups field is populated asynchronously by the auth0-authorization-extension rule, and only afterwards is it added as a claim by the second rule. The resulting access token looks like this:

{
 "https://sa.io/group": "Moderators",
 "iss": "https://sentiment-analysis.eu.auth0.com/",
 "sub": "google-oauth2|196405271625531691872"
 // [truncated for clarity]
}

Now we have to configure the Envoy proxy to check the user's access, taking the group from the claim (https://sa.io/group) in the returned access token. That is the subject of the next section.

Configuring authorization in Istio

For authorization to work, Istio RBAC has to be enabled. We do that with the following configuration:

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'                     # 1
  inclusion:
    services:                                   # 2
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    - "sa-feedback.default.svc.cluster.local" 

Explanation:

  • 1: enable RBAC only for the services and namespaces listed in the inclusion field;
  • 2: the list of our services.

Apply the configuration with the following command:

$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created

All listed services now require Role-Based Access Control. In other words, access to all of them is denied and results in the response RBAC: access denied. Now let's grant access to authorized users.

Access configuration for regular users

All users should have access to the SA-Frontend and SA-WebApp services. This is done with the following Istio resources:

  • ServiceRole - defines the permissions a user has;
  • ServiceRoleBinding - specifies who this ServiceRole is granted to.

For regular users we allow access to these two services (servicerole.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services: 
    - "sa-frontend.default.svc.cluster.local" 
    - "sa-web-app.default.svc.cluster.local"
    paths: ["*"]
    methods: ["*"]

And with regular-user-binding we grant the ServiceRole to all visitors of the page (regular-user-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"

Does "all users" mean that unauthenticated users also get access to SA-WebApp? No: the authentication Policy applied earlier rejects any request to sa-web-app and sa-feedback that lacks a valid JWT with a 401 before RBAC is even evaluated. Only sa-frontend, which that Policy does not cover, stays reachable to anyone, which is exactly what is needed for the login page to load.

Apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created

Access configuration for moderators

For moderators we want to enable access to all services (mod-service-role.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mod-user
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]

But we want these rights only for users whose access token carries the claim https://sa.io/group with the value Moderators (mod-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[https://sa.io/group]: "Moderators"
  roleRef:
    kind: ServiceRole
    name: "mod-user"

Apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created

Because the sidecars cache configuration, it can take a few minutes for the authorization rules to take effect. After that you can verify that users and moderators have different levels of access.

Summary of this part

Seriously, have you ever seen a simpler, less intrusive, scalable and secure approach to authentication and authorization?

Only three Istio resources (RbacConfig, ServiceRole and ServiceRoleBinding) were needed to get fine-grained control over end-user authentication and authorization to the services. Note that the v1alpha1 authentication Policy and RBAC resources used here were later deprecated and removed in favour of RequestAuthentication and AuthorizationPolicy under security.istio.io; the approach carries over, only the resource names and fields differ.

Moreover, we moved these concerns out of our services and into the sidecar proxies, gaining:

  • less generic code in which security issues and bugs can hide;
  • fewer silly situations where an endpoint is reachable from outside and someone forgot to protect it;
  • no need to update every service each time a new role or permission is added;
  • new services that stay simple, secure and fast.

Conclusion

Istio lets teams focus their resources on business-critical tasks without adding overhead to the services, returning them to a genuinely micro shape.

This article (in three parts) has provided the basic knowledge and ready-to-use practical instructions for getting started with Istio in real projects.

Source: www.habr.com
