We are pleased to present the preview version
NSM is free
Implementing a microservices approach becomes fraught with difficulties as the scale of delivery grows, along with its complexity. Communication between services becomes more complicated, debugging problems becomes harder, and a growing number of services requires more resources to manage.
NSM solves these problems by giving you:
- Security, which is now more important than ever. A data breach can cost a company millions of dollars a year in lost revenue and reputation. NSM ensures that all connections are encrypted with mTLS, so there is no sensitive data that hackers could steal over the network. Access control lets you set policies for how services communicate with other services.
- Traffic management. When shipping a new version of an application, you may want to start by limiting the incoming traffic to it in case of an error. With NSM's intelligent container traffic management, you can set a traffic-limiting policy for new services that increases the traffic over time. Other features, such as rate limiting and circuit breakers, give you full control over the traffic flow of all your services.
- Visualization. Managing thousands of services can be a debugging and visualization nightmare. NSM helps deal with this situation with a built-in Grafana dashboard that displays all the metrics available in NGINX Plus. The implemented OpenTracing support also lets you monitor transactions in detail.
- Hybrid delivery, if your company, like most others, does not use infrastructure that runs entirely on Kubernetes. NSM ensures that legacy applications are not left unattended. With the help of the implemented NGINX Kubernetes Ingress Controller, legacy services will be able to communicate with mesh services, and vice versa.
NSM also ensures application security in a zero-trust environment by transparently applying encryption and authentication to container traffic. It also provides transaction visibility and analysis, helping you launch deployments and troubleshoot problems quickly and accurately. It also provides granular traffic control, which lets DevOps teams deploy and optimize parts of applications while letting developers build and easily connect their distributed applications.
How does NGINX Service Mesh work?
NSM consists of a unified data plane for horizontal (service-to-service) traffic and an NGINX Plus Ingress Controller for vertical traffic, managed by a single control plane.
The control plane is designed and optimized specifically for the NGINX Plus data plane and defines the traffic control rules that are distributed to the NGINX Plus sidecars.
In NSM, sidecar proxies are installed for every service in the mesh. They interact with the following open source solutions:
- Grafana, visualization of Prometheus parameters; the built-in NSM dashboard helps you in your work;
- Kubernetes Ingress Controllers, for managing the incoming and outgoing traffic of the mesh;
- SPIRE, a CA for managing, distributing and renewing the mesh certificates;
- NATS, a scalable system for sending messages, such as route updates, from the control plane to the sidecars;
- OpenTracing, distributed debugging (Zipkin and Jaeger are supported);
- Prometheus, which collects and stores metrics from the NGINX Plus sidecars, such as the number of requests, connections and SSL handshakes.
Features and components
NGINX Plus as the data plane covers the sidecar proxy (horizontal traffic) and the ingress controller (vertical traffic), intercepting and managing container traffic between services.
Features include:
- Mutual TLS (mTLS) authentication;
- Load balancing;
- Fault tolerance;
- Rate limiting;
- Circuit breaking;
- Blue-green and canary deployments;
- Access control.
Getting started with NGINX Service Mesh
To run NSM you need:
- access to a Kubernetes environment. NGINX Service Mesh is supported on many Kubernetes platforms, including Amazon Elastic Container Service for Kubernetes (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), VMware vSphere, and regular Kubernetes clusters deployed on hardware servers;
- the kubectl tool, installed on the machine from which NSM will be installed;
- access to the NGINX Service Mesh release packages. The package contains the NSM images that need to be loaded into a private container registry available to the Kubernetes cluster. The package also contains nginx-meshctl, which is needed to deploy NSM.
To deploy NSM with the default settings, run the following command. During deployment, messages are displayed that indicate the successful installation of the components and, finally, a message indicating that NSM is running in a separate namespace (you first need to
$ DOCKER_REGISTRY=your-Docker-registry ; MESH_VER=0.6.0 ; \
  ./nginx-meshctl deploy \
  --nginx-mesh-api-image "${DOCKER_REGISTRY}/nginx-mesh-api:${MESH_VER}" \
  --nginx-mesh-sidecar-image "${DOCKER_REGISTRY}/nginx-mesh-sidecar:${MESH_VER}" \
  --nginx-mesh-init-image "${DOCKER_REGISTRY}/nginx-mesh-init:${MESH_VER}" \
  --nginx-mesh-metrics-image "${DOCKER_REGISTRY}/nginx-mesh-metrics:${MESH_VER}"
Created namespace "nginx-mesh".
Created SpiffeID CRD.
Waiting for Spire pods to be running...done.
Deployed Spire.
Deployed NATS server.
Created traffic policy CRDs.
Deployed Mesh API.
Deployed Metrics API Server.
Deployed Prometheus Server nginx-mesh/prometheus-server.
Deployed Grafana nginx-mesh/grafana.
Deployed tracing server nginx-mesh/zipkin.
All resources created. Testing the connection to the Service Mesh API Server...
Connected to the NGINX Service Mesh API successfully.
NGINX Service Mesh is running.
For more options, including advanced settings, run this command:
$ nginx-meshctl deploy -h
Check that the control plane is working correctly in the nginx-mesh namespace; you can do it like this:
$ kubectl get pods -n nginx-mesh
NAME READY STATUS RESTARTS AGE
grafana-6cc6958cd9-dccj6 1/1 Running 0 2d19h
mesh-api-6b95576c46-8npkb 1/1 Running 0 2d19h
nats-server-6d5c57f894-225qn 1/1 Running 0 2d19h
prometheus-server-65c95b788b-zkt95 1/1 Running 0 2d19h
smi-metrics-5986dfb8d5-q6gfj 1/1 Running 0 2d19h
spire-agent-5cf87 1/1 Running 0 2d19h
spire-agent-rr2tt 1/1 Running 0 2d19h
spire-agent-vwjbv 1/1 Running 0 2d19h
spire-server-0 2/2 Running 0 2d19h
zipkin-6f7cbf5467-ns6wc 1/1 Running 0 2d19h
Depending on the deployment settings that define manual or automatic injection policies, NGINX sidecar proxies will be added to applications by default. To disable automatic injection, read
For example, if we deploy the sleep application in the default namespace and then check the Pod, we will see two running containers, the sleep application and the associated sidecar:
$ kubectl apply -f sleep.yaml
$ kubectl get pods -n default
NAME READY STATUS RESTARTS AGE
sleep-674f75ff4d-gxjf2 2/2 Running 0 5h23m
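The same READY check, automated over a whole namespace, as an added example that is not part of the original article or of NGINX's tooling: it flags pods that are not healthy and pods that run with fewer containers than expected, which for a single-container application means no sidecar was injected and the pod is not covered by the mesh's mTLS and traffic policies. The function names and the three extra sample pods (legacy, web, job) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from NGINX): audit `kubectl get pods` output for
# pods that are unhealthy or that run without an injected sidecar.

# audit_pods MIN_CONTAINERS
# Reads the `kubectl get pods` table on stdin and prints one
# "<pod> <reason>" line per finding. MIN_CONTAINERS is 2 for injected
# single-container apps (app + sidecar) and 1 for the control plane.
audit_pods() {
  awk -v min="${1:-1}" '
    NR == 1 && $1 == "NAME" { next }   # skip the header row
    NF < 3 { next }                    # skip blank or truncated lines
    {
      split($2, ready, "/")            # READY column is ready/total
      if ($3 != "Running")
        print $1, "status=" $3
      else if (ready[1] + 0 != ready[2] + 0)
        print $1, "not-ready=" $2
      else if (ready[2] + 0 < min + 0)
        print $1, "no-sidecar=" $2
    }'
}

# Constructed sample: the sleep pod from the article plus three
# hypothetical pods (legacy, web, job) that each trip one rule.
SAMPLE_APP_PODS='NAME READY STATUS RESTARTS AGE
sleep-674f75ff4d-gxjf2 2/2 Running 0 5h23m
legacy-5d9c7b6f4-abcde 1/1 Running 0 3h
web-7f8d9c6b5-xyz12 1/2 Running 4 10m
job-1234 0/2 Pending 0 1m'

# Findings for the sample, requiring app + sidecar in every pod.
app_findings() {
  printf '%s\n' "$SAMPLE_APP_PODS" | audit_pods 2
}

app_findings

# Against a live cluster:
#   kubectl get pods -n default    | audit_pods 2
#   kubectl get pods -n nginx-mesh | audit_pods 1
```

A container count of two is only a proxy for injection: a pod that already ships two application containers passes this check without a sidecar, so confirm by container name where that matters.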
We can also monitor the sleep application in the NGINX Plus dashboard by running this command to access the sidecar from your local machine:
$ kubectl port-forward sleep-674f75ff4d-gxjf2 8080:8886
Then we simply go to
You can use individual Kubernetes resources to configure traffic policies, such as access control, rate limiting and circuit breaking; for this, see
Conclusion
NGINX Service Mesh is available for free download
To try NGINX Plus Ingress Controller, go to
Translation by Pavel Demkovich, engineer at the company
Source: www.habr.com