Introduction to the Kubernetes auth method of HashiCorp Consul


That's right: since the release of HashiCorp Consul 1.5.0 in early May 2019, Consul can natively authenticate applications and services running in Kubernetes.

In this tutorial we will build, step by step, a POC (proof of concept) demonstrating this new feature. Basic knowledge of Kubernetes and HashiCorp Consul is assumed.

Overview

If we go to the Consul documentation on auth methods, we find a quick overview of the purpose and use case, as well as some technical details and a general outline of the logic. I highly recommend reading it at least once before continuing, since I am now going to explain and chew through all of it.


Figure 1: Official overview of the Consul auth method

Let's look inside the documentation for the Kubernetes-specific auth method.

Sure, there is useful information there, but there is no guide on how to actually use it all. So, like any sane person, you search the internet for a guide. And then... you fail. It happens. Let's fix that.

Before we move on to building the POC, let's go back to the overview of Consul auth methods (Figure 1) and refine it in the context of Kubernetes.

Architecture

In this tutorial we will run a Consul server on a separate machine that communicates with a Kubernetes cluster on which the Consul client is installed. We will then create our test application in a pod and use the configured auth method to read from the Consul key/value store.

The diagram below details the architecture we are building in this tutorial, as well as the logic behind the auth method, which is explained afterwards.


Figure 2: Overview of the Kubernetes auth method

Quick note: the Consul server does not have to live outside the Kubernetes cluster for this to work. But yes, it can be done either way.

So, taking the general Consul diagram (Figure 1) and applying it to Kubernetes, we get the diagram above (Figure 2), and the logic is as follows:

  1. Each pod has a service account with a JWT token that Kubernetes generated and knows about. By default this token is also mounted into the pod.
  2. Our application or service inside the pod sends a login command to our Consul client. The login request contains our token and the name of a specially created auth method (of type Kubernetes). This step #2 corresponds to step 1 of the Consul diagram (Figure 1).
  3. Our Consul client then forwards this request to the Consul server.
  4. Magic! This is where the Consul server verifies the authenticity of the request, gathers information about the identity of the requester and compares it with any predefined rules. There is another diagram illustrating this below. This step corresponds to steps 3, 4 and 5 of the general Consul diagram (Figure 1).
  5. Our Consul server generates a Consul token whose permissions follow the rules of our auth method (which we defined) that apply to the requester's identity. It then sends that token back. This corresponds to step 6 of the Consul diagram (Figure 1).
  6. Our Consul client forwards the token to the requesting application or service.

Our application or service can now use this Consul token to interact with our Consul data, within the privileges granted to the token.

The magic revealed!

For those of you who are not satisfied with just a rabbit pulled out of a hat and want to know how it works... let me "show you how deep the rabbit hole goes".

As mentioned earlier, our "magic" step (Figure 2, step 4) is where the Consul server authenticates the request, gathers information about the requester, and compares it with any predefined rules. This step corresponds to steps 3, 4 and 5 of the general Consul diagram (Figure 1). Below is a diagram (Figure 3) whose purpose is to show clearly what actually happens under the hood of the Kubernetes-specific auth method.


Figure 3: The magic revealed!

  1. To begin, our Consul client forwards the login request to our Consul server together with the Kubernetes service account token and the name of the specific auth method instance created earlier. This step corresponds to step 3 of the flow described above.
  2. Now the Consul server (or rather the leader) needs to verify the authenticity of the token it received. To do so it calls the Kubernetes API (the TokenReview endpoint, authenticating with the service account credentials we hand to the auth method later) and, given the right RBAC permissions, learns whether the token is genuine and whom it belongs to.
  3. The validated identity is returned to the Consul leader, and the Consul server looks up the auth method instance whose name was given in the login request (and whose type is Kubernetes).
  4. The Consul leader finds the specified auth method instance (if it exists) and reads the binding rules attached to it. It then evaluates these rules against the attributes of the verified identity.
  5. TA-DA! Continue with step 5 of the flow described above.
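To make step 2 concrete, here is a small added example (my own illustration, not code from the article or from Consul) of the exchange between the Consul server and the Kubernetes API: the TokenReview body Consul sends, and how a response is turned into the `serviceaccount.namespace`, `serviceaccount.name` and `serviceaccount.uid` attributes that binding-rule selectors are matched against. The sample response and its UID are constructed for the example.

```python
import json

# Constructed sample of what the Kubernetes TokenReview API returns for the
# service account token of a pod running in the custom-ns namespace.
# Not captured from a real cluster; the UID is made up.
SAMPLE_TOKEN_REVIEW_RESPONSE = json.dumps({
    "apiVersion": "authentication.k8s.io/v1",
    "kind": "TokenReview",
    "status": {
        "authenticated": True,
        "user": {
            "username": "system:serviceaccount:custom-ns:default",
            "uid": "0f2a5e7c-1111-2222-3333-444455556666",
            "groups": ["system:serviceaccounts",
                       "system:serviceaccounts:custom-ns",
                       "system:authenticated"],
        },
    },
})


def build_token_review(bearer_jwt: str) -> str:
    """Body the Consul server POSTs to /apis/authentication.k8s.io/v1/tokenreviews.

    The HTTP request itself is authenticated with the long-lived service
    account JWT configured on the auth method (-kubernetes-service-account-jwt),
    which is why that account needs the system:auth-delegator ClusterRole.
    """
    return json.dumps({
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": bearer_jwt},
    })


def identity_from_token_review(body: str) -> dict:
    """Turn a TokenReview response into the attributes binding-rule selectors see.

    Returns {"serviceaccount.namespace", "serviceaccount.name", "serviceaccount.uid"}.
    Raises PermissionError if Kubernetes rejected the token or the token does
    not belong to a service account (e.g. a user credential).
    """
    review = json.loads(body)
    status = review.get("status", {})
    if not status.get("authenticated"):
        raise PermissionError("Kubernetes did not authenticate the token")
    user = status.get("user", {})
    username = user.get("username", "")
    # Service account identities always look like system:serviceaccount:<ns>:<name>
    parts = username.split(":")
    if len(parts) != 4 or parts[0] != "system" or parts[1] != "serviceaccount":
        raise PermissionError(f"not a service account token: {username!r}")
    _, _, namespace, name = parts
    return {
        "serviceaccount.namespace": namespace,
        "serviceaccount.name": name,
        "serviceaccount.uid": user.get("uid", ""),
    }


if __name__ == "__main__":
    print(build_token_review("<pod jwt goes here>"))
    print(identity_from_token_review(SAMPLE_TOKEN_REVIEW_RESPONSE))
```

Note the two failure modes handled here: an unauthenticated token (expired, revoked or forged) and a token that is valid but is not a service account token. Either one must end the login before any binding rule is consulted.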

Running the Consul server on a plain VM

From here on I will mostly give instructions for building this POC in bullet form, without full-sentence explanations. Also, as mentioned earlier, I use GCP to create all the infrastructure, but you can build the same infrastructure anywhere else.

  • Start a virtual machine (instance/server).


  • Create a firewall rule (a security group in AWS):
  • I like to give the rule and the network tag the same name as the machine, in this case "skywiz-consul-server-poc".
  • Find the public IP address of your local computer and add it to the list of source IP ranges so that we can reach the user interface (UI). Do not open 8500 to 0.0.0.0/0: the UI and HTTP API of a freshly started server have no ACLs until we bootstrap them below.
  • Open port 8500 for the UI. Click Create. We will change this firewall rule again shortly [link].
  • Attach the firewall rule to the instance. Go back to the Consul VM dashboard and add "skywiz-consul-server-poc" to the network tags field. Click Save.


  • Install Consul on the VM, see here. Remember that you need Consul version ≥ 1.5 [link]
  • Let's create a dedicated consul system user and its directories. The configuration is as follows.

# unprivileged system account with no login shell for the agent
groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
# data directory (raft state, persisted tokens) and config directory
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d

  • For a detailed guide on installing Consul and setting up a 3-node cluster, see here.
  • Create the file /etc/consul.d/agent.json as follows [link]:

### /etc/consul.d/agent.json
{
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}

  • Start the Consul server (run it as the consul user, not root, if you are keeping the VM around). -client 0.0.0.0 binds the HTTP API and UI on every interface, which is why the firewall rule above is restricted to your own IP:

consul agent \
  -server \
  -ui \
  -client 0.0.0.0 \
  -data-dir=/var/lib/consul \
  -bootstrap-expect=1 \
  -config-dir=/etc/consul.d

  • You should see a lot of output ending with "... update blocked by ACLs."
  • Find the external IP address of the Consul server and open a browser at that IP on port 8500. Make sure the UI opens.
  • Try to add a key/value pair. You should get an error. This is because we started the Consul server with ACLs enabled and a default policy of deny, so without a token nothing is allowed.
  • Go back to your shell on the Consul server, put the agent in the background (or otherwise keep it running) and enter the following:

consul acl bootstrap

  • Find the "SecretID" value and return to the UI. In the ACL tab, enter the secret ID of the token you just copied. Copy the SecretID somewhere safe as well, we will need it later. This is the initial management token: it has unrestricted access, so treat it like a root password.
  • Now add a key/value pair. For this POC, add the following: key: "custom-ns/test_key", value: "I'm in the custom-ns folder!"

Launching a Kubernetes cluster for our application with the Consul client as a DaemonSet

  • Create a K8s (Kubernetes) cluster. We create it in the same zone as the server for quick access, so that we can use the same subnet and connect easily over internal IP addresses. We call it "skywiz-app-with-consul-client-poc".


  • As a side note, here are some good tutorials I came across while setting up a Consul POC cluster with Consul Connect.
  • We will also use the hashicorp helm chart with an extended values file.
  • Install and configure Helm (this is Helm 2 with Tiller; note that the binding below makes Tiller cluster-admin, which is acceptable only for a throw-away POC cluster). Setup steps:

kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding \
   --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm repo update

### poc-helm-consul-values.yaml
global:
  enabled: false
  # For anything beyond a throw-away POC, pin this to the same release as the
  # server (>= 1.5.0); "latest" can drift away from the server version.
  image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
  enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
  enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
  enabled: true
  join: ["<PRIVATE_IP_CONSUL_SERVER>"]
  extraConfig: |
    {
      "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true
      }
    }
# Minimal Consul configuration. Not suitable for production.
server:
  enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
  enabled: false

  • Apply the helm chart:

./helm install -f poc-helm-consul-values.yaml ./consul-helm --name skywiz-app-with-consul-client-poc

  • When it tries to start, it will need access to the Consul server, so let's add that.
  • Note the "Pod address range" on the cluster dashboard and go back to our "skywiz-consul-server-poc" firewall rule.
  • Add the pod address range to the list of source IP ranges and open ports 8301 (Serf LAN gossip) and 8300 (server RPC).


  • Go to the Consul UI; after a few minutes you will see our cluster's nodes appear in the Nodes tab.


Setting up the auth method: integrating Consul and Kubernetes

  • Go back to the Consul server shell and export the token you saved earlier:

export CONSUL_HTTP_TOKEN=<SecretID>

  • We need three pieces of information from our Kubernetes cluster to create an auth method instance:
  • kubernetes-host

kubectl get endpoints | grep kubernetes

  • kubernetes-service-account-jwt

kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:

  • The token is base64-encoded, so decode it with your favourite tool [link]. (On Kubernetes 1.24 and later, service account token Secrets are no longer created automatically; you have to create the Secret yourself before these two commands return anything.)
  • kubernetes-ca-cert

kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:

  • Take the "ca.crt" certificate (after base64-decoding) and write it to a file named "ca.crt".
  • Now plug everything into the auth method, replacing the placeholders with the values you just collected. The host must be a full URL, so prefix the endpoint address with https://. The service account JWT you pass here is a long-lived credential with TokenReview rights; it is stored by Consul, so keep it out of shell history and tickets.

consul acl auth-method create \
  -type "kubernetes" \
  -name "auth-method-skywiz-consul-poc" \
  -description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" \
  -kubernetes-host "https://<k8s_endpoint_retrieved_earlier>" \
  -kubernetes-ca-cert=@ca.crt \
  -kubernetes-service-account-jwt="<decoded_token_retrieved_earlier>"

  • Next we need to create a policy and attach it to a new role. For this part you could use the Consul UI, but I will use the command line.
  • Write a policy

### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
  policy = "write"
}

  • Apply the policy

consul acl policy create \
  -name kv-custom-ns-policy \
  -description "This is an example policy for kv at custom-ns/" \
  -rules @kv-custom-ns-policy.hcl

  • Find the ID of the policy you just created in the output.
  • Create a role with the new policy.

consul acl role create \
  -name "custom-ns-role" \
  -description "This is an example role for custom-ns namespace" \
  -policy-id <policy_id>

  • Create a binding rule that maps every pod in the Kubernetes namespace custom-ns onto this role (binding rules can only be created from the CLI/API):

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-ns-role' \
  -selector='serviceaccount.namespace=="custom-ns"'

Final configuration

RBAC permissions

  • Create the RBAC permissions. We need to give Consul permission to validate a K8s service account token and establish its identity. The service account the Consul client runs under (the one whose JWT we put in the auth method) needs the built-in system:auth-delegator ClusterRole, which allows TokenReview calls, plus permission to get ServiceAccount objects so Consul can look up the account behind a validated token. Note that ClusterRole and ClusterRoleBinding are cluster-scoped, so they carry no namespace of their own; only the ServiceAccount subject does.
  • Write the following to a file [link]:

###skywiz-poc-consul-server_rbac.yaml
---
# Lets the Consul client's service account call the TokenReview API,
# which is how the pod JWT is validated during login.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: review-tokens
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io
---
# Read-only access to ServiceAccount objects; nothing more is needed.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-getter
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-service-accounts
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: service-account-getter
  apiGroup: rbac.authorization.k8s.io

  • Let's create the permissions

kubectl create -f skywiz-poc-consul-server_rbac.yaml

Connecting to the Consul client

  • As noted here, there are several ways to reach the DaemonSet, but we will go with the following simple solution:
  • Apply the following file [link].

### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: consul-ds-client
spec:
  selector:
    app: consul
    chart: consul-helm
    component: client
    hasDNS: "true"
    release: skywiz-app-with-consul-client-poc
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8500

  • Then use the following inline command to create the configmap [link]. Note that it references our service name; change it if needed.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
 labels:
   addonmanager.kubernetes.io/mode: EnsureExists
 name: kube-dns
 namespace: kube-system
data:
 stubDomains: |
   {"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOF

Testing the auth method

Now let's see the magic in action!

  • Create a few more key folders with the same kind of top-level key (i.e. <prefix>/sample_key) and a value of your choice. Create matching policies and roles for the new key paths. We will create the binding rules later.


Custom namespace test:

  • Let's create our own namespace:

kubectl create namespace custom-ns

  • Let's create a pod in the new namespace. Write the pod manifest.

###poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-ns
  namespace: custom-ns
spec:
  containers:
  - name: poc-ubuntu-custom-ns
    image: ubuntu
    command: ["/bin/bash", "-ec", "sleep infinity"]
  restartPolicy: Never

  • Create it:

kubectl create -f poc-ubuntu-custom-ns.yaml

  • Once the container is running, get a shell in it and install curl.

kubectl exec -it poc-ubuntu-custom-ns -n custom-ns -- /bin/bash
apt-get update && apt-get install curl -y

  • Now we send a login request to Consul using the auth method we created earlier [link].
  • To see the token mounted from your service account:

cat /run/secrets/kubernetes.io/serviceaccount/token

  • Write the following to a file inside the container (the AuthMethod must be the name we gave the auth method instance above):

### payload.json
{
  "AuthMethod": "auth-method-skywiz-consul-poc",
  "BearerToken": "<jwt_token>"
}

  • Log in!

curl \
  --request POST \
  --data @payload.json \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • To do the steps above in one go (since we will run many tests), you can do the following (the inner quotes must be escaped so the shell passes valid JSON to curl):

echo "{
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\",
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\"
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • It should work, at least. Now take the SecretID and try to read the key/value we should have access to.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header "X-Consul-Token: <SecretID_from_prev_response>"

  • You can base64-decode the "Value" and see that it matches the value of custom-ns/test_key in the UI. If you used the same value as above in this tutorial, your value will be IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi (note that this decodes to the string including its surrounding double quotes, i.e. the quotes were typed into the UI as part of the value).
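The client side of the flow (steps 2 to 6 of Figure 2 and the curl calls above) as one added example in Python. This is my own illustration, not code from the article; it assumes the Service name consul-ds-client.default.svc.cluster.local and the auth method name used in this tutorial, and it adds the logout call that the conclusion recommends, since tokens issued by this auth method have no TTL. The HTTP function is injectable so the logic can be exercised against a fake Consul.

```python
import base64
import json
import urllib.error
import urllib.request

# Values from this tutorial; adjust for your cluster.
SA_TOKEN_PATH = "/run/secrets/kubernetes.io/serviceaccount/token"
CONSUL_ADDR = "http://consul-ds-client.default.svc.cluster.local"
AUTH_METHOD = "auth-method-skywiz-consul-poc"


def http_json(method, url, body=None, headers=None):
    """Minimal HTTP helper: returns (status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as e:
        return e.code, None


def consul_login(jwt, auth_method=AUTH_METHOD, addr=CONSUL_ADDR, request=http_json):
    """POST /v1/acl/login with the pod's service account JWT.

    Returns (SecretID, AccessorID). A 403 means no binding rule matched the
    identity, which is exactly the "Permission denied" seen in the tests below.
    """
    payload = {"AuthMethod": auth_method, "BearerToken": jwt}
    status, body = request("POST", f"{addr}/v1/acl/login", payload)
    if status == 403:
        raise PermissionError("Permission denied: no binding rule matched this identity")
    if status != 200 or not body:
        raise RuntimeError(f"login failed with HTTP {status}")
    return body["SecretID"], body["AccessorID"]


def consul_kv_get(secret_id, key, addr=CONSUL_ADDR, request=http_json):
    """GET /v1/kv/<key> using the issued token; returns the decoded value.

    Consul returns the value base64-encoded inside a one-element list.
    """
    headers = {"X-Consul-Token": secret_id}
    status, body = request("GET", f"{addr}/v1/kv/{key}", None, headers)
    if status == 403:
        raise PermissionError(f"token is not allowed to read {key}")
    if status == 404:
        return None
    if status != 200 or not body:
        raise RuntimeError(f"kv read failed with HTTP {status}")
    return base64.b64decode(body[0]["Value"]).decode()


def consul_logout(secret_id, addr=CONSUL_ADDR, request=http_json):
    """POST /v1/acl/logout: deletes the token created by login. Returns True on 200."""
    headers = {"X-Consul-Token": secret_id}
    status, _ = request("POST", f"{addr}/v1/acl/logout", None, headers)
    return status == 200


def read_key_as_pod(key, request=http_json):
    """Full cycle as an application in the pod would run it: login, read, logout."""
    with open(SA_TOKEN_PATH) as f:
        jwt = f.read().strip()
    secret_id, _accessor = consul_login(jwt, request=request)
    try:
        return consul_kv_get(secret_id, key, request=request)
    finally:
        # Always destroy the token: nothing else will expire it.
        consul_logout(secret_id, request=request)


if __name__ == "__main__":
    print(read_key_as_pod("custom-ns/test_key"))
```

The try/finally around the read is the important design choice: because these tokens never expire on their own, every login that is not paired with a logout leaves a live credential behind in Consul's token list.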

Custom service account test:

  • Create a custom ServiceAccount with the following command [link].

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
 name: custom-sa
EOF

  • Create a new pod manifest. Note that I included the curl installation to save some effort :)

###poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-sa
  namespace: default
spec:
  serviceAccountName: custom-sa
  containers:
  - name: poc-ubuntu-custom-sa
    image: ubuntu
    command: ["/bin/bash", "-ec"]
    args: ["apt-get update && apt-get install curl -y; sleep infinity"]
  restartPolicy: Never

  • After that, open a shell inside the container.

kubectl exec -it poc-ubuntu-custom-sa -- /bin/bash

  • Log in!

echo "{
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\",
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\"
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • Permission denied. Oh, we forgot to add a binding rule granting the appropriate permissions to this identity; let's do that now.

Repeat the earlier steps:
a) Create a similar policy for the "custom-sa/" prefix.
b) Create a role, call it "custom-sa-role".
c) Attach the policy to the role.

  • Create a binding rule (only possible from the CLI/API). Note the different selector: this one matches on the service account name rather than the namespace.

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-sa-role' \
  -selector='serviceaccount.name=="custom-sa"'

  • Log in again from the "poc-ubuntu-custom-sa" container. Success!
  • Check our access to the custom-sa/ key path

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header "X-Consul-Token: <SecretID>"

  • You can also verify that this token does not give access to the "custom-ns/" kv path. Just repeat the command above after replacing the "custom-sa" prefix with "custom-ns".
    Permission denied

Overlay example:

  • It is worth noting that every binding rule that matches an identity is added to the token it is issued.
  • Our "poc-ubuntu-custom-sa" container lives in the default namespace, so let's use that for a different binding rule.
  • Repeat the earlier steps:
    a) Create a similar policy for the "default/" key prefix
    b) Create a role, name it "default-ns-role"
    c) Attach the policy to the role.
  • Create a binding rule (only possible from the CLI/API)

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='default-ns-role' \
  -selector='serviceaccount.namespace=="default"'

  • Go back to our "poc-ubuntu-custom-sa" container and try to read the "default/" kv path.
  • Permission denied
    You can see the identity recorded for each token in the UI under ACL > Tokens. As you can see, our current token has only the "custom-sa-role" attached. The token we are using was generated when we logged in, and at that time only one binding rule matched. Roles are bound at login time and are not recomputed afterwards, so we need to log in again and use the new token.
  • Verify that you can read from both the "custom-sa/" and "default/" kv paths.
    Success!
    This is because "poc-ubuntu-custom-sa" matches both the "custom-sa" and "default-ns" binding rules.
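Here is an added example (my own, not code from the article or from Consul) that models what the leader does in step 4 of Figure 3 and explains the overlay behaviour just observed: evaluate every binding rule of the auth method against the identity's attributes and collect all matching roles, or deny the login when nothing matches. The selector evaluator is a deliberately simplified stand-in for Consul's real selector language (go-bexpr): it supports only `field=="value"` / `field!="value"` terms joined by `and` and `or`. The rule list reuses this tutorial's three selectors but is constructed here as example data.

```python
import re

# The three binding rules created in this tutorial, in the order they were added.
# Constructed example data mirroring the `consul acl binding-rule create` calls above.
BINDING_RULES = [
    {"bind_type": "role", "bind_name": "custom-ns-role",
     "selector": 'serviceaccount.namespace=="custom-ns"'},
    {"bind_type": "role", "bind_name": "custom-sa-role",
     "selector": 'serviceaccount.name=="custom-sa"'},
    {"bind_type": "role", "bind_name": "default-ns-role",
     "selector": 'serviceaccount.namespace=="default"'},
]

# One comparison term: <field> == "<value>" or <field> != "<value>"
_TERM = re.compile(r'^\s*([a-z.]+)\s*(==|!=)\s*"([^"]*)"\s*$')


def selector_matches(selector: str, identity: dict) -> bool:
    """Simplified model of a Consul binding-rule selector.

    Supports ==/!= terms combined with `and` and `or` (`and` binds tighter than
    `or`); no parentheses, `in` or `matches`. An empty selector matches everyone.
    """
    if not selector.strip():
        return True

    def term(text: str) -> bool:
        m = _TERM.match(text)
        if not m:
            raise ValueError(f"unsupported selector term: {text!r}")
        field, op, value = m.groups()
        actual = identity.get(field, "")
        return actual == value if op == "==" else actual != value

    return any(
        all(term(t) for t in re.split(r"\s+and\s+", clause))
        for clause in re.split(r"\s+or\s+", selector)
    )


def roles_for_identity(identity: dict, rules=BINDING_RULES) -> list:
    """Roles the leader binds to a token at login time.

    Every matching rule contributes (the "overlay" behaviour). If none match,
    login is refused, which the client sees as "Permission denied".
    """
    roles = {
        r["bind_name"]
        for r in rules
        if r["bind_type"] == "role" and selector_matches(r["selector"], identity)
    }
    if not roles:
        raise PermissionError("no binding rule matched this identity")
    return sorted(roles)


if __name__ == "__main__":
    pod_in_custom_ns = {"serviceaccount.namespace": "custom-ns",
                        "serviceaccount.name": "default"}
    pod_custom_sa = {"serviceaccount.namespace": "default",
                     "serviceaccount.name": "custom-sa"}
    print(roles_for_identity(pod_in_custom_ns))   # only custom-ns-role
    print(roles_for_identity(pod_custom_sa))      # custom-sa-role and default-ns-role
```

The order of the rule list reproduces the sequence of this tutorial: with only the first two rules present, the custom-sa pod gets custom-sa-role alone, which is the stale token seen above; once the third rule exists, a fresh login gets both roles. Because the evaluation happens only at login, adding or removing a binding rule never changes tokens that were already issued.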

Conclusion

Token TTL mgmt?

At the time of writing, there is no built-in way to set a TTL on tokens generated by this auth method. Adding one would be a great step towards secure automation of Consul authentication.

There is an option to create a token with a TTL manually:

Hopefully in the near future we will be able to control how tokens are generated (per binding rule or per auth method) and attach a TTL to them.

Until then, it is recommended to use the logout endpoint in your application logic, so that tokens issued at login are deleted when they are no longer needed.


Source: www.habr.com
