NGINX Service Mesh is available

We are pleased to introduce a preview release of NGINX Service Mesh (NSM), a lightweight bundled service mesh that uses an NGINX Plus-based data plane to manage container traffic in Kubernetes environments.

NSM is free to download here. We hope you will try it in dev and test environments, and we look forward to your feedback on GitHub.

Adopting a microservices approach is fraught with difficulties as the scale of the deployment grows, along with its complexity. Communication between services becomes more complicated, debugging becomes harder, and more and more services require more resources to manage.

NSM solves these problems by providing you with:

  • Security, which is now more critical than ever. A data breach can cost a company millions of dollars a year in lost revenue and reputation. NSM ensures that all connections are encrypted with mTLS, so there is no sensitive data that hackers can steal over the network. Access control lets you set policies for how services communicate with other services.
  • Traffic management. When shipping a new version of an application, you may want to start by limiting the traffic coming in to it in case of an error. With NSM's intelligent container traffic management, you can set a traffic-limiting policy for new services that increases traffic over time. Other features, such as rate limiting and circuit breakers, give you full control over the traffic flow of all your services.
  • Visualization. Managing thousands of services can be a debugging and visualization nightmare. NSM helps deal with this situation with a built-in Grafana dashboard that displays all the metrics available in NGINX Plus. The implemented OpenTracing also lets you monitor transactions in detail.
  • Hybrid deployments, if your company, like most others, does not use infrastructure that runs entirely on Kubernetes. NSM ensures that legacy applications are not left unattended. With the help of the implemented NGINX Kubernetes Ingress Controller, legacy services will be able to communicate with mesh services, and vice versa.

NSM also ensures application security in a zero-trust environment by transparently applying encryption and authentication to container traffic. It also provides transaction visibility and analysis, helping you launch deployments and troubleshoot problems quickly and accurately. It also provides granular traffic control, allowing DevOps teams to deploy and optimize parts of applications while allowing developers to build and easily connect their distributed applications.

How does NGINX Service Mesh work?

NSM consists of a unified data plane for horizontal (service-to-service) traffic and an NGINX Plus Ingress Controller for vertical traffic, managed by a single control plane.

The control plane is specifically designed and optimized for the NGINX Plus data plane and defines the traffic control rules that are distributed to the NGINX Plus sidecars.

In NSM, sidecar proxies are installed for every service in the mesh. They interact with the following open source solutions:

  • Grafana, for visualizing Prometheus metrics; the built-in NSM dashboard helps you in your work;
  • Kubernetes Ingress Controllers, for managing traffic entering and leaving the mesh;
  • SPIRE, the CA for managing, distributing and rotating the mesh's certificates;
  • NATS, a scalable system for sending messages, such as route updates, from the control plane to the sidecars;
  • OpenTracing, for distributed debugging (Zipkin and Jaeger are supported);
  • Prometheus, which collects and stores metrics from the NGINX Plus sidecars, such as the number of requests, connections and SSL handshakes.

Features and components

NGINX Plus as the data plane covers the sidecar proxy (horizontal traffic) and the Ingress controller (vertical traffic), intercepting and managing container traffic between services.

Features include:

  • Mutual TLS (mTLS) authentication;
  • Load balancing;
  • Fault tolerance;
  • Rate limiting;
  • Circuit breaking;
  • Blue-green and canary deployments;
  • Access control.

Getting started with NGINX Service Mesh

To run NSM you need:

  • access to a Kubernetes environment. NGINX Service Mesh is supported on many Kubernetes platforms, including Amazon Elastic Container Service for Kubernetes (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), VMware vSphere, and regular Kubernetes clusters deployed on hardware servers;
  • the kubectl tool, installed on the machine from which NSM will be installed;
  • access to the NGINX Service Mesh release packages. The package contains the NSM images that need to be pushed to a private container registry accessible to the Kubernetes cluster. The package also contains nginx-meshctl, which is needed to deploy NSM.

To deploy NSM with the default settings, run the following command. During deployment, messages are displayed indicating the successful installation of the components and, finally, a message indicating that NSM is running in a separate namespace (you first need to download the images and push them to the registry; translator's note):

$ DOCKER_REGISTRY=your-Docker-registry ; MESH_VER=0.6.0 ; \
 ./nginx-meshctl deploy \
  --nginx-mesh-api-image "${DOCKER_REGISTRY}/nginx-mesh-api:${MESH_VER}" \
  --nginx-mesh-sidecar-image "${DOCKER_REGISTRY}/nginx-mesh-sidecar:${MESH_VER}" \
  --nginx-mesh-init-image "${DOCKER_REGISTRY}/nginx-mesh-init:${MESH_VER}" \
  --nginx-mesh-metrics-image "${DOCKER_REGISTRY}/nginx-mesh-metrics:${MESH_VER}"
Created namespace "nginx-mesh".
Created SpiffeID CRD.
Waiting for Spire pods to be running...done.
Deployed Spire.
Deployed NATS server.
Created traffic policy CRDs.
Deployed Mesh API.
Deployed Metrics API Server.
Deployed Prometheus Server nginx-mesh/prometheus-server.
Deployed Grafana nginx-mesh/grafana.
Deployed tracing server nginx-mesh/zipkin.
All resources created. Testing the connection to the Service Mesh API Server...

Connected to the NGINX Service Mesh API successfully.
NGINX Service Mesh is running.

For more options, including advanced settings, run this command:

$ nginx-meshctl deploy -h

You can check that the control plane is running correctly in the nginx-mesh namespace like this:

$ kubectl get pods -n nginx-mesh
NAME                                 READY   STATUS    RESTARTS   AGE
grafana-6cc6958cd9-dccj6             1/1     Running   0          2d19h
mesh-api-6b95576c46-8npkb            1/1     Running   0          2d19h
nats-server-6d5c57f894-225qn         1/1     Running   0          2d19h
prometheus-server-65c95b788b-zkt95   1/1     Running   0          2d19h
smi-metrics-5986dfb8d5-q6gfj         1/1     Running   0          2d19h
spire-agent-5cf87                    1/1     Running   0          2d19h
spire-agent-rr2tt                    1/1     Running   0          2d19h
spire-agent-vwjbv                    1/1     Running   0          2d19h
spire-server-0                       2/2     Running   0          2d19h
zipkin-6f7cbf5467-ns6wc              1/1     Running   0          2d19h

Depending on the deployment settings that set manual or automatic injection policies, NGINX sidecar proxies will be added to applications by default. To disable automatic injection, read here

For example, if we deploy the sleep application in the default namespace and then check the Pod, we will see two running containers, the sleep application and the associated sidecar:

$ kubectl apply -f sleep.yaml
$ kubectl get pods -n default
NAME                     READY   STATUS    RESTARTS   AGE
sleep-674f75ff4d-gxjf2   2/2     Running   0          5h23m
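
A check over the two listings above, as an added example (not from the original article or the NGINX project): it flags control-plane pods that are not fully ready and workload pods that have no sidecar container and so sit outside the mesh's mTLS and access policies. The sample listings and the registry.example host are constructed; the nginx-mesh-sidecar image name comes from the deploy command.

```shell
#!/bin/sh
# Added example: offline checks over kubectl output. Sample data is constructed.

# Reads `kubectl get pods -n nginx-mesh --no-headers` on stdin and prints
# every pod that is not Running with all of its containers ready.
unhealthy_pods() {
  awk '{
    split($2, r, "/")                      # READY column, e.g. 1/1
    if ($3 != "Running" || r[1] != r[2]) print $1
  }'
}

# Reads "NAME IMAGES" lines on stdin, as produced by
#   kubectl get pods -n default --no-headers \
#     -o custom-columns=NAME:.metadata.name,IMAGES:.spec.containers[*].image
# and prints every pod with no container built from the sidecar image.
# The image name nginx-mesh-sidecar is taken from the deploy command above.
pods_missing_sidecar() {
  awk '$2 !~ "(^|[/,])nginx-mesh-sidecar([:@,]|$)" { print $1 }'
}

# Constructed sample: one healthy pod, one crash-looping, one half-ready.
SAMPLE_STATUS='mesh-api-6b95576c46-8npkb 1/1 Running 0 2d19h
nats-server-6d5c57f894-225qn 0/1 CrashLoopBackOff 7 2d19h
spire-server-0 1/2 Running 0 2d19h'

# Constructed sample: sleep is injected, legacy-job is not.
SAMPLE_IMAGES='sleep-674f75ff4d-gxjf2 registry.example/sleep:1.0,registry.example/nginx-mesh-sidecar:0.6.0
legacy-job-5d9c7 registry.example/legacy-job:2.3'

printf '%s\n' "$SAMPLE_STATUS" | unhealthy_pods
printf '%s\n' "$SAMPLE_IMAGES" | pods_missing_sidecar
```

Against a live cluster, pipe the two kubectl commands named in the comments into the functions instead of the samples; any pod name printed needs attention before relying on the mesh's encryption for that workload.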

We can also monitor the sleep application in the NGINX Plus dashboard by running this command to access the sidecar from your local machine:

$ kubectl port-forward sleep-674f75ff4d-gxjf2 8080:8886

Then we just go here in the browser. You can also connect to Prometheus to monitor the sleep application.

You can use custom Kubernetes resources to configure traffic policies, such as access control, rate limiting and circuit breaking; for this, see the documentation

Conclusion

NGINX Service Mesh is available for free download at the F5 portal. Try it in your dev and test environments and write to us about the results.

To try the NGINX Plus Ingress Controller, activate a free 30-day trial, or contact us to discuss your use cases.

Translation by Pavel Demkovich, an engineer at Southbridge. System administration for RUB 15 per month. And as a separate division, the training center Dabeeto, practice and nothing but practice.

Source: www.habr.com
