Running Keycloak in HA mode on Kubernetes

TL;DR: below is a description of Keycloak, an open-source access control system, an analysis of its internal architecture, and configuration details.

Introduction and Key Ideas

In this section we look at the basic ideas to keep in mind when deploying a Keycloak cluster on top of Kubernetes.

If you want to know more about Keycloak, see the links at the end of the article. To dive deeper into practice, you can study our repository with a module that implements the main ideas of this article (a getting-started guide is there; this article gives an overview of the design and settings, translator's note).

Keycloak is a complete system written in Java and built on top of the Wildfly application server. In short, it is an authorization framework that gives application users federation and SSO (single sign-on) capabilities.

We invite you to read the official website or Wikipedia for a deeper understanding.

Starting Keycloak

Keycloak needs two persistent data sources to run:

  • A database used to store persistent data, such as user information
  • A datagrid cache, which is used to cache data from the database, as well as to store some short-lived and frequently changing metadata, such as user sessions. It is implemented with Infinispan, which is usually significantly faster than the database. In any case, the data stored in Infinispan is ephemeral and does not need to be saved anywhere when the cluster is restarted.

Keycloak works in four different modes:

  • Standalone - one and only one process, configured through the file standalone.xml
  • Regular cluster (the high-availability option) - all processes must use the same configuration, which has to be synchronized manually. The settings are stored in the file standalone-ha.xml; in addition, you need to set up shared access to the database and a load balancer.
  • Domain cluster - running a cluster in regular mode quickly becomes a routine and tedious job as the cluster grows, because every time the configuration changes, all the changes must be made on each cluster node. Domain mode solves this problem by setting up a shared storage location and publishing the configuration. These settings are stored in the file domain.xml
  • Replication between data centers - for when you want to run Keycloak in a cluster spanning several data centers, usually in different geographic locations. In this option, each data center has its own cluster of Keycloak servers.

In this article we look in detail at the second option, the regular cluster, and we also touch briefly on replication between data centers, since it makes sense to run these two options in Kubernetes. Fortunately, in Kubernetes there is no problem with synchronizing the settings of several pods (Keycloak nodes), so a domain cluster would not be very hard to do.

Please note that for the rest of the article the word cluster refers only to a group of Keycloak nodes working together; there is no need to refer to the Kubernetes cluster.

Regular Keycloak cluster

To run Keycloak in this mode you need to:

  • set up an external shared database
  • install a load balancer
  • have an internal network with IP multicast support

We will not discuss setting up the external database, because that is not the purpose of this article. Let's assume there is a working database somewhere and we have a connection point to it. We will simply add this data to the environment variables.

To better understand how Keycloak works in a failover (HA) cluster, it is important to know how much it all depends on Wildfly's clustering capabilities.

Wildfly uses several subsystems, some of them for load balancing, others for fault tolerance. The load balancer ensures the application's availability when a cluster node is overloaded, and fault tolerance guarantees the application's availability even if some cluster nodes fail. Some of these subsystems:

  • mod_cluster: works together with Apache as an HTTP load balancer and relies on TCP multicast to discover hosts by default. It can be replaced with an external balancer.

  • infinispan: a distributed cache that uses JGroups channels as the transport layer. In addition, it can use the HotRod protocol to communicate with an external Infinispan cluster to synchronize cache contents.

  • jgroups: provides group communication support for highly available services based on JGroups channels. Named channels allow application instances in a cluster to be joined into groups so that communication has properties such as reliability, ordering, and sensitivity to failures.

Load Balancer

When installing a balancer as an ingress controller in a Kubernetes cluster, it is important to keep the following in mind:

Keycloak assumes that the remote address of the client connecting over HTTP to the authentication server is the real IP address of the client machine. The balancer and ingress settings must set the HTTP headers X-Forwarded-For and X-Forwarded-Proto correctly, and also preserve the original HOST header. The latest versions of ingress-nginx (> 0.22.0) disable this by default.

Enabling the proxy-address-forwarding flag by setting the environment variable PROXY_ADDRESS_FORWARDING to true tells Keycloak that it is running behind a proxy.

You also need to enable sticky sessions in the ingress. Keycloak uses a distributed Infinispan cache to store data associated with the current authentication session and user session. The caches work with a single owner by default; in other words, a particular session is stored on one node in the cluster, and other nodes must query it remotely if they need access to that session.

Specifically, contrary to the documentation, binding the session to the cookie named AUTH_SESSION_ID did not work for us. Keycloak got into a redirect loop, so we recommend choosing a different cookie name for the sticky session.

Keycloak also appends the name of the node that responded first to AUTH_SESSION_ID, and since every node in the highly available version uses the same database, each of them must have a separate and unique node identifier for managing transactions. It is recommended to set in JAVA_OPTS the parameters jboss.node.name and jboss.tx.node.id, unique for each node; you can, for example, use the pod name. If you use the pod name, don't forget the 23-character limit for jboss variables, so it is better to use a StatefulSet rather than a Deployment.

One more pitfall: if a pod is deleted or restarted, its cache is lost. With this in mind, it is worth setting the number of cache owners for all caches to two, so that a copy of the cache remains. The solution is to run a Wildfly script when the pod starts, placing it in the directory /opt/jboss/startup-scripts in the container:

Script contents

embed-server --server-config=standalone-ha.xml --std-out=echo
batch

echo * Setting CACHE_OWNERS to "${env.CACHE_OWNERS}" in all cache-containers

/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})

run-batch
stop-embedded-server

Then set the value of the CACHE_OWNERS environment variable to the required one.

Private network with IP multicast support

If you use Weavenet as the CNI, multicast will work out of the box, and your Keycloak nodes will see each other as soon as they start.

If you do not have IP multicast support in your Kubernetes cluster, you can configure JGroups to work with other protocols to discover nodes.

The first option is to use KUBE_DNS, which uses a headless service to find Keycloak nodes; you simply pass JGroups the name of the service that will be used to find the nodes.

Another option is to use the KUBE_PING method, which works with the API to find nodes (you need to configure a serviceAccount with list and get rights, and then configure the pods to run with this serviceAccount).

The way JGroups finds nodes is configured by setting the environment variables JGROUPS_DISCOVERY_PROTOCOL and JGROUPS_DISCOVERY_PROPERTIES. For KUBE_PING you need to select pods by specifying namespace and labels.

If you use multicast and run two or more Keycloak clusters in one Kubernetes cluster (say, one in the namespace production, the second in staging), nodes of one Keycloak cluster can join the other cluster. Be sure to use a unique multicast address for each cluster by setting the variables jboss.default.multicast.address and jboss.modcluster.multicast.address in JAVA_OPTS.
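
The per-node identifiers from the load balancer section (jboss.node.name, jboss.tx.node.id, the 23-character limit) and the per-cluster multicast addresses above can be validated and assembled in one place at pod start. This is an added example, not code from the original article or the Keycloak image; the function names, pod names and addresses are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the article or the jboss/keycloak image).
# Function names, pod names and addresses below are constructed for illustration.

MAX_NODE_ID_LEN=23   # limit for jboss.* node identifiers stated in the article

# Succeeds only for a dotted-quad IPv4 multicast address (224.0.0.0/4).
is_multicast_addr() (
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.
  set -f                     # no globbing while splitting on dots
  set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
  done
  [ "$1" -ge 224 ] && [ "$1" -le 239 ]
)

# Print the -D flags for one Keycloak node, or fail with a reason on stderr.
#   $1 pod name, $2 jboss.default.multicast.address, $3 jboss.modcluster.multicast.address
keycloak_node_opts() (
  pod=$1
  # Pod names are DNS labels; anything else could smuggle extra JVM options.
  case $pod in ''|*[!a-z0-9.-]*)
    echo "invalid pod name '$pod'" >&2; exit 1 ;;
  esac
  # Deployment pod names carry two generated suffixes and usually exceed the
  # limit; StatefulSet names (keycloak-0, keycloak-1, ...) stay short and stable.
  if [ "${#pod}" -gt "$MAX_NODE_ID_LEN" ]; then
    echo "pod name '$pod' is longer than $MAX_NODE_ID_LEN characters" >&2; exit 1
  fi
  for addr in "$2" "$3"; do
    is_multicast_addr "$addr" || {
      echo "'$addr' is not an IPv4 multicast address" >&2; exit 1; }
  done
  printf '%s %s %s %s\n' \
    "-Djboss.node.name=$pod" \
    "-Djboss.tx.node.id=$pod" \
    "-Djboss.default.multicast.address=$2" \
    "-Djboss.modcluster.multicast.address=$3"
)

# Constructed values: production and staging each get their own address pair,
# so nodes of one Keycloak cluster cannot discover the other over multicast.
echo "production: $(keycloak_node_opts keycloak-0 239.10.0.1 239.10.0.2)"
echo "staging:    $(keycloak_node_opts keycloak-0 239.20.0.1 239.20.0.2)"
```

In a pod, the first argument would typically come from the Downward API field metadata.name, and the output is appended to JAVA_OPTS before the server starts.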

Replication between data centers

Communication

Keycloak uses multiple separate Infinispan cache clusters, one for each data center where Keycloak clusters made up of Keycloak nodes are located. But there is no difference between Keycloak nodes in different data centers.

Keycloak nodes use an external Java Data Grid (Infinispan servers) for communication between data centers. Communication works over the Infinispan HotRod protocol.

Infinispan caches must be configured with the remoteStore attribute so that data is stored in remote (in another data center, translator's note) caches. There are separate Infinispan clusters among the JDG servers, so that data stored on JDG1 at site1 will be replicated to JDG2 at site2.

And finally, the receiving JDG server notifies the Keycloak servers of its cluster through client connections, which is a feature of the HotRod protocol. Keycloak nodes on site2 update their Infinispan caches, and the particular user session becomes available on the Keycloak nodes on site2 as well.

For some caches, it is also possible not to make backups and to avoid writing data through the Infinispan server entirely. To do this, you need to remove the remote-store setting from the particular Infinispan cache (in the file standalone-ha.xml), after which the corresponding replicated-cache is also no longer needed on the Infinispan server side.

Configuring caches

There are two types of caches in Keycloak:

  • Local. It sits next to the database and serves to reduce the load on the database as well as to reduce response latency. This type of cache stores realms, clients, roles, and user metadata. This type of cache is not replicated, even if the cache is part of a Keycloak cluster. If an entry in the cache changes, a message about the change is sent to the remaining servers in the cluster, after which the entry is evicted from the cache. See the description of the work cache below for a more detailed description of the procedure.

  • Replicated. It handles user sessions and offline tokens, and also tracks login errors in order to detect password phishing attempts and other attacks. The data stored in these caches is temporary and kept only in RAM, but can be replicated across the cluster.

Infinispan caches

Sessions - a concept in Keycloak; separate caches, called authenticationSessions, are used to store data of specific users. Requests from these caches are usually needed by the browser and the Keycloak servers, not by applications. This is where the dependence on sticky sessions shows up, and such caches themselves do not need to be replicated, even in Active-Active mode.

Action tokens. Another concept, usually used for various scenarios where, for example, the user must do something asynchronously by mail. For example, during the forget password procedure the actionTokens cache is used to track metadata of the associated tokens, for example that a token has already been used and cannot be activated again. This type of cache usually needs to be replicated between data centers.

Caching and invalidation of stored data works to take load off the database. This kind of caching improves performance, but adds an obvious problem. If one Keycloak server updates data, the other servers must be notified so that they can update the data in their caches. Keycloak uses the local caches realms, users and authorization for caching data from the database.

There is also a separate work cache, which is replicated across all data centers. It does not itself store any data from the database, but serves to send messages about data invalidation to cluster nodes between data centers. In other words, as soon as data is updated, the Keycloak node sends a message to other nodes in its data center, as well as to nodes in other data centers. After receiving such a message, each node purges the corresponding data from its local caches.

User sessions. The caches named sessions, clientSessions, offlineSessions and offlineClientSessions are usually replicated between data centers and serve to store data about user sessions that are active while the user is active in the browser. These caches work with the application handling HTTP requests from end users, so they are tied to sticky sessions and must be replicated between data centers.

Brute force protection. The loginFailures cache is used to track login failure data, such as how many times a user entered an incorrect password. Replication of this cache is up to the administrator. For accurate counting, it is worth enabling replication between data centers. On the other hand, if you do not replicate this data, you improve performance, and if that concern arises, replication may be left off.

When rolling out the Infinispan cluster, you need to add cache definitions to the configuration file:

<replicated-cache-configuration name="keycloak-sessions" mode="ASYNC" start="EAGER" batching="false">
</replicated-cache-configuration>

<replicated-cache name="work" configuration="keycloak-sessions" />
<replicated-cache name="sessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineSessions" configuration="keycloak-sessions" />
<replicated-cache name="actionTokens" configuration="keycloak-sessions" />
<replicated-cache name="loginFailures" configuration="keycloak-sessions" />
<replicated-cache name="clientSessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineClientSessions" configuration="keycloak-sessions" />

You must configure and start the Infinispan cluster before starting the Keycloak cluster.

Then you need to configure the remoteStore for the Keycloak caches. A script is enough for this, written in the same way as the previous one that was used to set the CACHE_OWNERS variable; save it to a file and put it in the directory /opt/jboss/startup-scripts:

Script contents

embed-server --server-config=standalone-ha.xml --std-out=echo
batch

echo *** Update infinispan subsystem ***
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=module, value=org.keycloak.keycloak-model-infinispan)

echo ** Add remote socket binding to infinispan server **
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-cache:add(host=${remote.cache.host:localhost}, port=${remote.cache.port:11222})

echo ** Update replicated-cache work element **
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=work, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)

/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache sessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=sessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache offlineSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=offlineSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache clientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=clientSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache offlineClientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=offlineClientSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache loginFailures element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=loginFailures, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache actionTokens element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    cache=actionTokens, 
    remote-servers=["remote-cache"], 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache authenticationSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=statistics-enabled,value=true)

echo *** Update undertow subsystem ***
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)

run-batch
stop-embedded-server

Don't forget to set JAVA_OPTS for the Keycloak nodes to work with HotRod: remote.cache.host, remote.cache.port and the service name jboss.site.name.

Links and further documentation

The article was translated and prepared for Habr by staff of the Slurm training center - intensives, video courses and corporate training from practicing specialists (Kubernetes, DevOps, Docker, Ansible, Ceph, SRE)

Source: www.habr.com
