Back to microservices with Istio. Part 3


Translator's note: The first part of this series set out to introduce Istio's capabilities and show them in action; the second covered fine-grained routing and network traffic management. Now we turn to security: to demonstrate the basic features related to it, the author uses the Auth0 identity service, but other providers can be configured in the same way.

We have set up a Kubernetes cluster in which we deployed Istio and a sample microservice application, Sentiment Analysis, to demonstrate Istio's capabilities.

With Istio, we were able to keep our services small because they don't need to implement features such as Retries, Timeouts, Circuit Breakers, Tracing and Monitoring. In addition, we used advanced testing and deployment techniques: A/B testing, mirroring and canary rollouts.


In this new article, we'll tackle the final stages on the road to business value: authentication and authorization. In Istio they are a real pleasure!

Authentication and authorization in Istio

I never thought I would be inspired by authentication and authorization. What can Istio offer, from a technical point of view, to make these topics enjoyable and, more than that, inspiring?

The short answer: Istio moves responsibility for these capabilities out of your services and into the Envoy proxies. By the time requests reach the services they are already authenticated and authorized, so all you have to do is write business logic.

Sounds good? Let's look inside!

Authentication with Auth0

As the identity and access management server we'll use Auth0, which has a trial version, is easy to use, and which I simply like. Nevertheless, the same principles apply to any other OpenID Connect implementation: KeyCloak, IdentityServer and many others.

To begin, go to the Auth0 Portal with your account, create a tenant (a logical isolation unit; see the documentation for details - approx. transl.) and go to Applications > Default App, where you select the domain name, as shown in the screenshot below:


Specify this domain in the file resource-manifests/istio/security/auth-policy.yaml (source):

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:
  - name: sa-web-app
  - name: sa-feedback
  origins:
  - jwt:
      issuer: "https://{YOUR_DOMAIN}/"
      jwksUri: "https://{YOUR_DOMAIN}/.well-known/jwks.json"
  principalBinding: USE_ORIGIN

With such a resource, Pilot (one of the three core components of Istio's Control Plane - approx. transl.) configures Envoy to authenticate requests before forwarding them to the services sa-web-app and sa-feedback. At the same time, the configuration is not applied to the Envoy proxies of the sa-frontend service, which lets us leave the frontend unauthenticated. To apply the Policy, run the command:

$ kubectl apply -f resource-manifests/istio/security/auth-policy.yaml
policy.authentication.istio.io "auth-policy" created

Return to the page and make a request: you'll see it ends with status 401 Unauthorized. Now let's redirect frontend users to authenticate with Auth0.

Authenticating requests with Auth0

To authenticate user requests, you need to create an API in Auth0 that will represent the authenticated services (reviews, details and ratings). To create the API, go to Auth0 Portal > APIs > Create API and fill in the form:


The important piece here is the Identifier, which we'll use later in the article. Let's note it as:

  • audience: {YOUR_AUDIENCE}

The remaining details we need are in the Auth0 Portal under Applications: select Test Application (created automatically along with the API).

Here we'll note:

  • domain name: {YOUR_DOMAIN}
  • Client Id: {YOUR_CLIENT_ID}

Scroll down in the Test Application to the text field Allowed Callback URLs, where we specify the URL to which the callback should be sent once authentication is complete. In our case it is:

http://{EXTERNAL_IP}/callback

And under Allowed Logout URLs add:

http://{EXTERNAL_IP}/logout

Let's move on.

Updating the frontend

Switch to the auth0 branch of the [istio-mastery] repository. In this branch the frontend code has been changed to redirect users to Auth0 for authentication and to use the JWT token when calling the other services. The latter is implemented as follows (App.js):

analyzeSentence() {
    fetch('/sentiment', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${auth.getAccessToken()}` // Access Token
        },
        body: JSON.stringify({ sentence: this.textField.getValue() })
    })
        .then(response => response.json())
        .then(data => this.setState(data));
}

To make the frontend use your Auth0 tenant data, open sa-frontend/src/services/Auth.js and substitute the values we noted above (Auth.js):

const Config = {
    clientID: '{YOUR_CLIENT_ID}',
    domain:'{YOUR_DOMAIN}',
    audience: '{YOUR_AUDIENCE}',
    ingressIP: '{EXTERNAL_IP}' // Used for the redirect after authentication
}

The application is ready. Specify your Docker ID in the commands below to build and deploy the changes:

$ docker build -f sa-frontend/Dockerfile \
 -t $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0 \
 sa-frontend

$ docker push $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

$ kubectl set image deployment/sa-frontend \
 sa-frontend=$DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

Try the application! You'll be redirected to Auth0, where you need to log in (or sign up), after which you'll be returned to the page, from which authenticated requests will now be made. If you try the curl commands given in the earlier parts of the article, you'll get a 401 status code, indicating that the request is not authorized.

Let's take the next step: authorizing requests.

Authorization with Auth0

Authentication lets us learn who the user is, but authorization is needed to know what they can access. Istio provides tools for this too.

As an example, let's create two groups of users (see the figure below):

  • Users - with access to the SA-WebApp and SA-Frontend services only;
  • Moderators - with access to all three services.

Authorization concept

To create these groups we'll use the Auth0 Authorization extension, and use Istio to give them different levels of access.

Installing and configuring Auth0 Authorization

In the Auth0 portal, go to Extensions and install Auth0 Authorization. After installation, go to the Authorization Extension and, from there, to the tenant configuration by clicking in the top right corner and choosing the corresponding menu item (Configuration). Enable Groups and click the Publish Rule button.


Creating groups

In the Authorization Extension go to Groups and create the Moderators group. Since we'll treat all authenticated users as regular users, there's no need to create a separate group for them.

Select the Moderators group, click Add Members and add your main account. Leave the other users outside the group to make sure they're denied access. (New users can be created manually via Auth0 Portal > Users > Create User.)

Adding the group claim to the Access Token

Users have been added to groups, but this information must also be reflected in the access tokens. To stay compliant with OpenID Connect and still return the groups we need, a custom claim has to be added to the token. This is done with Auth0 rules.

To create a rule, go to Auth0 Portal > Rules, click Create Rule and choose the empty rule from the templates.


Copy the code below and save it as a new rule named Add Group Claim (namespacedGroup.js):

function (user, context, callback) {
    context.accessToken['https://sa.io/group'] = user.groups[0];
    return callback(null, user, context);
}

Note: this code takes the first user group defined in the Authorization Extension and adds it to the access token as a custom claim (under its own namespace, as Auth0 requires).

Return to the Rules page and check that you have two rules listed in the following order:

  • auth0-authorization-extension
  • Add Group Claim

The order matters because the groups field is populated by the auth0-authorization-extension rule, and only after that is it added as a claim by the second rule. The result is an access token like this:

{
 "https://sa.io/group": "Moderators",
 "iss": "https://sentiment-analysis.eu.auth0.com/",
 "sub": "google-oauth2|196405271625531691872"
 // [truncated for clarity]
}
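The rule pipeline behind the two bullets above, as an added simulation that is not Auth0's code: the extension rule populates user.groups, the page's rule copies the first group into the namespaced claim, and the membership table and issuer are constructed. It also shows the two edge cases a defender cares about: rules in the wrong order fail at login, and a user who belongs to no group ends up with no claim at all.

```javascript
// Model of Auth0's rule pipeline: rules run in the order listed on the
// Rules page, each receiving the user and context the previous rule left,
// and the final context.accessToken is encoded into the token.
function runRules(rules, user, context) {
  let state = { user, context };
  for (const rule of rules) {
    rule(state.user, state.context, (err, u, c) => {
      if (err) throw err;
      state = { user: u, context: c };
    });
  }
  // Encoding the token drops claims whose value is undefined.
  return JSON.parse(JSON.stringify(state.context.accessToken));
}

// Stand-in for the auth0-authorization-extension rule: it looks up the
// user's memberships (constructed table) and populates user.groups.
const GROUP_MEMBERSHIP = { 'auth0|mod': ['Moderators'], 'auth0|alice': [] };
function authorizationExtensionRule(user, context, callback) {
  user.groups = GROUP_MEMBERSHIP[user.user_id] || [];
  return callback(null, user, context);
}

// The page's Add Group Claim rule, unchanged.
function addGroupClaimRule(user, context, callback) {
  context.accessToken['https://sa.io/group'] = user.groups[0];
  return callback(null, user, context);
}

// Build the access token a login by `userId` would produce under `rules`
// (issuer is a placeholder for the tenant domain).
function tokenFor(userId, rules) {
  const user = { user_id: userId };
  const context = { accessToken: { iss: 'https://{YOUR_DOMAIN}/', sub: userId } };
  return runRules(rules, user, context);
}
```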

Now you need to configure the Envoy proxy to check user access, with the group taken from the claim (https://sa.io/group) in the returned access token. That is the topic of the next section of the article.

Configuring authorization in Istio

For authorization to work, you must enable RBAC for Istio. To do this, we'll use the following configuration:

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'                     # 1
  inclusion:
    services:                                   # 2
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    - "sa-feedback.default.svc.cluster.local" 

Explanations:

  • 1 - enables RBAC only for the services and namespaces listed in the Inclusion field;
  • 2 - we list our services.

Let's apply the configuration with the following command:

$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created

All services now require Role-Based Access Control. In other words, access to all services is forbidden and will result in the response RBAC: access denied. Now let's allow access for authorized users.

Access configuration for regular users

All users must have access to the SA-Frontend and SA-WebApp services. This is implemented with the following Istio resources:

  • ServiceRole - defines the permissions a user has;
  • ServiceRoleBinding - determines who the ServiceRole belongs to.

For regular users we'll allow access to the specified services (servicerole.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services: 
    - "sa-frontend.default.svc.cluster.local" 
    - "sa-web-app.default.svc.cluster.local"
    paths: ["*"]
    methods: ["*"]

And with regular-user-binding we apply this ServiceRole to all visitors of the pages (regular-user-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"

Does "all users" mean that unauthenticated users will have access to SA WebApp? No: the policy will check the validity of the JWT token.

Let's apply the configurations:

$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created

Access configuration for moderators

For moderators we want to allow access to all services (mod-service-role.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mod-user
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]

But we want such permissions only for users whose access token contains the claim https://sa.io/group with the value Moderators (mod-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[https://sa.io/group]: "Moderators"
  roleRef:
    kind: ServiceRole
    name: "mod-user"

Let's apply the configurations:

$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created

Because of proxy caching, it may take a few minutes for the authorization rules to take effect. Now you can verify that users and moderators have different levels of access.
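A model of how the resources applied above combine to decide a request, added here as an example (not Istio's code), so the expected outcomes can be checked before the proxies catch up. Service names are shortened, the JWT claims are constructed, and two points are assumptions of the model: user: "*" is treated as matching any request, and the authentication Policy (not RBAC) is what rejects a missing token with 401.

```javascript
// Targets of auth-policy.yaml: requests without a verified JWT get 401 here.
const JWT_REQUIRED = ['sa-web-app', 'sa-feedback'];
// RbacConfig inclusion list: only these services are subject to RBAC.
const RBAC_INCLUDED = ['sa-frontend', 'sa-web-app', 'sa-feedback'];
// ServiceRoles: which services each role may reach (paths/methods are "*").
const ROLES = {
  'regular-user': ['sa-frontend', 'sa-web-app'],
  'mod-user': ['*'],
};
// ServiceRoleBindings: who each role is granted to.
const BINDINGS = [
  { role: 'regular-user', subject: { user: '*' } },
  { role: 'mod-user', subject: { properties: { 'request.auth.claims[https://sa.io/group]': 'Moderators' } } },
];

// claims: the verified JWT claims Envoy attached to the request, or null
// when the request carried no token.
function subjectMatches(subject, claims) {
  if (subject.user === '*') return true;          // assumption: any request
  if (!claims) return false;                       // claim-based subjects need a token
  return Object.entries(subject.properties).every(([key, want]) => {
    const m = /^request\.auth\.claims\[(.+)\]$/.exec(key);
    return m !== null && claims[m[1]] === want;
  });
}

function decide(service, claims) {
  if (JWT_REQUIRED.includes(service) && !claims) return '401 Unauthorized';
  if (!RBAC_INCLUDED.includes(service)) return 'allowed';   // outside the inclusion list
  for (const { role, subject } of BINDINGS) {
    const services = ROLES[role];
    const inRole = services.includes('*') || services.includes(service);
    if (inRole && subjectMatches(subject, claims)) return 'allowed';
  }
  return 'RBAC: access denied';
}

// Constructed tokens standing in for what Auth0 would issue.
const MODERATOR = { sub: 'auth0|mod', 'https://sa.io/group': 'Moderators' };
const REGULAR_USER = { sub: 'auth0|alice' };
```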

Conclusion of this part

But seriously, have you ever seen a simpler, more effortless, scalable and secure way of authenticating and authorizing?

Only three Istio resources (RbacConfig, ServiceRole and ServiceRoleBinding) were needed to achieve fine-grained control over the authentication and authorization of end users' access to services.

Moreover, by moving these concerns out of our services and into the proxies, we achieved:

  • less generic code that could contain security problems and bugs;
  • fewer silly situations where an endpoint was reachable from outside and nobody reported it;
  • no need to update all services every time a new role or permission is added;
  • new services stay simple, secure and fast.

Conclusion

Istio allows teams to focus their resources on business-critical tasks without bloating the services, bringing them back to microservice scale.

The article (in three parts) has given the basic knowledge and practical instructions needed to start using Istio in real projects.


Source: www.habr.com
