Iyẹn tọ, lẹhin itusilẹ ni ibẹrẹ May 2019, ni Consul o le fun laṣẹ awọn ohun elo ati iṣẹ ṣiṣe ni Kubernetes ni abinibi.
Ninu ikẹkọ yii a yoo ṣẹda igbese nipa igbese (Ẹri ti Erongba, PoC) ti n ṣe afihan ẹya tuntun yii O nireti lati ni imọ ipilẹ ti Kubernetes ati Consul Hashicorp. Lakoko ti o le lo eyikeyi iru ẹrọ awọsanma tabi agbegbe agbegbe, ninu ikẹkọ yii a yoo lo Google's Cloud Platform.
Akopọ
Ti a ba lọ si , a yoo gba atokọ ni iyara ti idi rẹ ati ọran lilo, bakanna bi diẹ ninu awọn alaye imọ-ẹrọ ati akopọ gbogbogbo ti kannaa. Mo ṣeduro gíga kika kika rẹ o kere ju lẹẹkan ṣaaju lilọsiwaju, bi Emi yoo ṣe alaye ni bayi ati jijẹ lori gbogbo rẹ.
Aworan 1: Akopọ osise ti ọna aṣẹ Consul
Jẹ ki a wo inu .
Daju, alaye to wulo wa nibẹ, ṣugbọn ko si itọsọna lori bi o ṣe le lo gbogbo rẹ ni otitọ. Nitorinaa, bii eniyan ti o ni oye, o ṣawari Intanẹẹti fun itọsọna. Ati lẹhinna... O kuna. O n ṣẹlẹ. Jẹ ki a ṣatunṣe eyi.
Ṣaaju ki a to lọ si ṣiṣẹda POC wa, jẹ ki a pada si atokọ ti awọn ọna aṣẹ Consul (Aworan 1) ki o tun ṣe ni ipo ti Kubernetes.
faaji
Ninu ikẹkọ yii, a yoo ṣẹda olupin Consul kan lori ẹrọ lọtọ ti yoo ṣe ibasọrọ pẹlu iṣupọ Kubernetes pẹlu alabara Consul ti a fi sori ẹrọ. A yoo ṣẹda ohun elo apanirun wa ni adarọ-ese ati lo ọna atunto wa lati ka lati ile-itaja bọtini Consul/iye.
Aworan ti o wa ni isalẹ ṣe alaye faaji ti a n ṣẹda ninu ikẹkọ yii, bakanna bi ọgbọn ti o wa lẹhin ọna aṣẹ, eyiti yoo ṣe alaye nigbamii.
Aworan 2: Akopọ Ọna Aṣẹ Kubernetes
Akọsilẹ iyara: olupin Consul ko nilo lati gbe ni ita ti iṣupọ Kubernetes fun eyi lati ṣiṣẹ. Ṣugbọn bẹẹni, o le ṣe ni ọna yii ati bẹ.
Nitorinaa, mu aworan atọka Akopọ Consul (Aworan 1) ati fifi Kubernetes si, a gba aworan atọka loke (Aworan 2), ati pe ọgbọn-ọrọ nibi jẹ atẹle yii:
- Podu kọọkan yoo ni akọọlẹ iṣẹ ti a so mọ rẹ ti o ni ami-ami JWT ti ipilẹṣẹ ati ti a mọ nipasẹ Kubernetes. Aami yii tun ti fi sii sinu adarọ ese nipasẹ aiyipada.
- Ohun elo wa tabi iṣẹ inu adarọ ese bẹrẹ aṣẹ iwọle si alabara Consul wa. Ibere iwọle yoo tun pẹlu aami ati orukọ wa pataki da ọna aṣẹ (iru Kubernetes). Igbesẹ #2 yii ni ibamu si igbesẹ 1 ti aworan atọka Consul (Eto 1).
- Onibara Consul wa yoo firanṣẹ ibeere yii si olupin Consul wa.
- IDAN! Eyi ni ibi ti olupin Consul ti ṣe idaniloju otitọ ti ibeere naa, gba alaye nipa idanimọ ti ibeere naa ati ṣe afiwe pẹlu awọn ofin ti a ti pinnu tẹlẹ. Ni isalẹ ni aworan atọka miiran lati ṣapejuwe eyi. Igbesẹ yii ni ibamu si awọn igbesẹ 3, 4 ati 5 ti Apejuwe Akopọ Consul (Aworan 1).
- Olupin Consul wa ṣe agbekalẹ ami-ami Consul kan pẹlu awọn igbanilaaye ni ibamu si awọn ofin ọna aṣẹ ti a ti sọ pato (ti a ti ṣalaye) nipa idanimọ ti olubẹwẹ naa. Yoo firanṣẹ ami yẹn pada. Eyi ni ibamu si igbesẹ 6 ti aworan atọka Consul (Aworan 1).
- Onibara Consul wa dari ami si ohun elo tabi iṣẹ ti o beere.
Ohun elo tabi iṣẹ wa le lo ami-ami Consul yii lati ṣe ibasọrọ pẹlu data Consul wa, gẹgẹbi ipinnu nipasẹ awọn anfani ti ami naa.
Idan ti han!
Fun awọn ti o ko ni idunnu pẹlu ehoro kan lati inu ijanilaya ti o fẹ lati mọ bi o ṣe n ṣiṣẹ… jẹ ki n ṣe afihan ọ bi o ti jin to. ehoro iho».
Gẹgẹbi a ti sọ tẹlẹ, igbesẹ “idan” wa (Aworan 2: Igbesẹ 4) ni ibiti olupin Consul ti jẹri ibeere naa, gba alaye nipa ibeere naa, ati ṣe afiwe si eyikeyi awọn ofin asọye ti o ni ibatan. Igbesẹ yii ni ibamu si awọn igbesẹ 3, 4 ati 5 ti Apejuwe Akopọ Consul (Aworan 1). Ni isalẹ ni aworan atọka (Aworan 3), idi rẹ ni lati ṣafihan ohun ti n ṣẹlẹ ni kedere labẹ awọn Hood kan pato Kubernetes ašẹ ọna.
Aworan atọka 3: Idan ti han!
- Gẹgẹbi aaye ibẹrẹ, alabara Consul wa dari ibeere iwọle si olupin Consul wa pẹlu ami akọọlẹ Kubernetes ati orukọ apẹẹrẹ pato ti ọna aṣẹ ti o ṣẹda tẹlẹ. Igbese yii ni ibamu si igbesẹ 3 ni alaye iyika iṣaaju.
- Bayi olupin Consul (tabi adari) nilo lati rii daju otitọ ti ami ti o gba. Nitorinaa, yoo kan si iṣupọ Kubernetes (nipasẹ alabara Consul) ati, pẹlu awọn igbanilaaye ti o yẹ, a yoo rii boya ami naa jẹ tootọ ati ẹniti o jẹ ti.
- Ibeere ti a fọwọsi lẹhinna pada si oludari Consul, ati olupin Consul n wo apẹẹrẹ ọna aṣẹ pẹlu orukọ pàtó kan lati ibeere iwọle (ati iru Kubernetes).
- Aṣáájú iaknsi naa n ṣe idanimọ ọna apẹẹrẹ ti a fun ni aṣẹ (ti o ba rii) ati ka ṣeto awọn ofin abuda ti o somọ. Lẹhinna o ka awọn ofin wọnyi ati ṣe afiwe wọn si awọn abuda idanimọ ti a ti rii daju.
- TA-dah! Jẹ ki a lọ si igbesẹ 5 ni alaye iyika iṣaaju.
Ṣiṣe olupin Consul lori ẹrọ foju deede
Lati isisiyi lọ, Emi yoo ma funni ni awọn itọnisọna lori bii o ṣe le ṣẹda POC yii, nigbagbogbo ni awọn aaye ọta ibọn, laisi awọn alaye gbolohun ni kikun. Paapaa, bi a ti ṣe akiyesi tẹlẹ, Emi yoo lo GCP lati ṣẹda gbogbo awọn amayederun, ṣugbọn o le ṣẹda awọn amayederun kanna nibikibi miiran.
- Bẹrẹ ẹrọ foju (apẹẹrẹ / olupin).
- Ṣẹda ofin fun ogiriina (ẹgbẹ aabo ni AWS):
- Mo fẹ lati fi orukọ ẹrọ kanna si mejeeji ofin ati aami netiwọki, ninu ọran yii "skywiz-consul-server-poc".
- Wa adiresi IP kọnputa agbegbe rẹ ki o ṣafikun si atokọ ti awọn adirẹsi IP orisun ki a le wọle si wiwo olumulo (UI).
- Ṣii ibudo 8500 fun UI. Tẹ Ṣẹda. A yoo yi ogiriina pada lẹẹkansi laipẹ [].
- Ṣafikun ofin ogiriina kan si apẹẹrẹ. Pada si dasibodu VM lori olupin Consul ki o ṣafikun “skywiz-consul-server-poc” si aaye awọn ami nẹtiwọọki. Tẹ Fipamọ.
- Fi Consul sori ẹrọ foju kan, ṣayẹwo Nibi. Ranti pe o nilo ẹya Consul ≥ 1.5 [ọna asopọ]
- Jẹ ká ṣẹda kan nikan ipade Consul - awọn iṣeto ni bi wọnyi.
groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d- Fun itọsọna alaye diẹ sii lori fifi Consul sori ẹrọ ati ṣeto iṣupọ ti awọn apa 3, wo .
- Ṣẹda faili kan /etc/consul.d/agent.json bi atẹle []:
### /etc/consul.d/agent.json
{
"acl" : {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true
}
}- Bẹrẹ olupin Consul wa:
consul agent
-server
-ui
-client 0.0.0.0
-data-dir=/var/lib/consul
-bootstrap-expect=1
-config-dir=/etc/consul.d- O yẹ ki o wo akojọpọ iṣelọpọ ati pari pẹlu “... imudojuiwọn dina nipasẹ ACLs.”
- Wa adiresi IP ita ti olupin Consul ati ṣii ẹrọ aṣawakiri kan pẹlu adiresi IP yii lori ibudo 8500. Rii daju pe UI ṣii.
- Gbiyanju fifi bọtini/meji iye kun. Asise gbọdọ wa. Eyi jẹ nitori a kojọpọ olupin Consul pẹlu ACL ati alaabo gbogbo awọn ofin.
- Pada si ikarahun rẹ lori olupin Consul ki o bẹrẹ ilana ni abẹlẹ tabi ọna miiran lati jẹ ki o ṣiṣẹ ki o tẹ atẹle naa:
consul acl bootstrap- Wa iye “SecretID” ki o pada si UI. Ni awọn ACL taabu, tẹ awọn ìkọkọ ID ti àmi ti o kan daakọ. Daakọ SecretID ni ibomiiran, a yoo nilo rẹ nigbamii.
- Bayi ṣafikun bọtini/ bata iye. Fun POC yii, ṣafikun atẹle wọnyi: bọtini: “custom-ns/test_key”, iye: “Mo wa ninu folda custom-ns!”
Ifilọlẹ iṣupọ Kubernetes kan fun ohun elo wa pẹlu alabara Consul bi Daemonset kan
- Ṣẹda akojọpọ K8s (Kubernetes). A yoo ṣẹda rẹ ni agbegbe kanna bi olupin fun iraye si iyara, ati nitorinaa a le lo subnet kanna lati sopọ ni irọrun pẹlu awọn adirẹsi IP inu. A yoo pe ni "skywiz-app-with-consul-client-poc".
- Gẹgẹbi akọsilẹ ẹgbẹ, eyi ni ikẹkọ ti o dara ti Mo wa lakoko ti o ṣeto iṣupọ Consul POC kan pẹlu Consul Connect.
- A yoo tun lo iwe itẹwe Hashicorp Helm pẹlu faili iye ti o gbooro sii.
- Fi sori ẹrọ ati tunto Helm. Awọn igbesẹ iṣeto:
kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding
--clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update- aworan atọka:
- Lo faili iye wọnyi (akiyesi Mo ti pa pupọ julọ):
### poc-helm-consul-values.yaml
global:
enabled: false
image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
enabled: true
join: ["<PRIVATE_IP_CONSUL_SERVER>"]
extraConfig: |
{
"acl" : {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true
}
}
# Minimal Consul configuration. Not suitable for production.
server:
enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
enabled: false- Waye iwe afọwọkọ:
./helm install -f poc-helm-consul-values.yaml ./consul-helm - name skywiz-app-with-consul-client-poc- Nigbati o ba gbiyanju lati ṣiṣẹ, yoo nilo awọn igbanilaaye fun olupin Consul, nitorinaa jẹ ki a ṣafikun wọn.
- Ṣe akiyesi “Range Adirẹsi Pod” ti o wa lori dasibodu iṣupọ ki o tọka pada si ofin ogiriina “skywiz-consul-server-poc” wa.
- Ṣafikun ibiti adirẹsi fun adarọ-ese si atokọ ti awọn adirẹsi IP ati ṣiṣi awọn ebute oko oju omi 8301 ati 8300.
- Lọ si Consul UI ati lẹhin iṣẹju diẹ iwọ yoo rii iṣupọ wa ti o han ni awọn apa apa.
Ṣiṣeto Ọna Aṣẹ nipasẹ Ṣiṣepọ Consul pẹlu Kubernetes
- Pada si ikarahun olupin Consul ki o gbejade ami-ami ti o fipamọ tẹlẹ:
export CONSUL_HTTP_TOKEN=<SecretID>- A yoo nilo alaye lati inu iṣupọ Kubernetes wa lati ṣẹda apẹẹrẹ ti ọna auth:
- kubernetes-ogun
kubectl get endpoints | grep kubernetes- kubernetes-iṣẹ-iroyin-jwt
kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:- Aami naa jẹ koodu koodu base64, nitorinaa yọkuro rẹ nipa lilo ohun elo ayanfẹ rẹ []
- kubernetes-ca-cert
kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:- Mu iwe-ẹri “ca.crt” (lẹhin ti ipilẹ ipilẹ64) ki o kọ sinu faili “ca.crt”.
- Bayi tẹ ọna afọwọsi naa, rọpo awọn aye pẹlu awọn iye ti o ṣẹṣẹ gba.
consul acl auth-method create
-type "kubernetes"
-name "auth-method-skywiz-consul-poc"
-description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc"
-kubernetes-host "<k8s_endpoint_retrieved earlier>"
[email protected]
-kubernetes-service-account-
jwt="<decoded_token_retrieved_earlier>"- Nigbamii ti a nilo lati ṣẹda ofin kan ati ki o so mọ ipa tuntun. Fun apakan yii o le lo Consul UI, ṣugbọn a yoo lo laini aṣẹ.
- Kọ ofin kan
### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
policy = "write"
}- Waye ofin naa
consul acl policy create
-name kv-custom-ns-policy
-description "This is an example policy for kv at custom-ns/"
-rules @kv-custom-ns-policy.hcl- Wa ID ti ofin ti o ṣẹṣẹ ṣẹda lati inu iṣelọpọ.
- Ṣẹda ipa pẹlu ofin titun kan.
consul acl role create
-name "custom-ns-role"
-description "This is an example role for custom-ns namespace"
-policy-id <policy_id>- Bayi a yoo ṣepọ ipa tuntun wa pẹlu apẹẹrẹ ọna auth. Ṣe akiyesi pe asia “oluyan” pinnu boya ibeere iwọle wa yoo gba ipa yii. Ṣayẹwo nibi fun awọn aṣayan yiyan miiran:
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='custom-ns-role'
-selector='serviceaccount.namespace=="custom-ns"'Awọn atunto ikẹhin
Awọn ẹtọ iraye si
- Ṣẹda awọn ẹtọ wiwọle. A nilo lati fun Consul ni igbanilaaye lati ṣayẹwo ati ṣe idanimọ idanimọ ti ami akọọlẹ iṣẹ K8s.
- Kọ atẹle si faili naa :
###skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: review-tokens
namespace: default
subjects:
- kind: ServiceAccount
name: skywiz-app-with-consul-client-poc-consul-client
namespace: default
roleRef:
kind: ClusterRole
name: system:auth-delegator
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-account-getter
namespace: default
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: get-service-accounts
namespace: default
subjects:
- kind: ServiceAccount
name: skywiz-app-with-consul-client-poc-consul-client
namespace: default
roleRef:
kind: ClusterRole
name: service-account-getter
apiGroup: rbac.authorization.k8s.io- Jẹ ki a ṣẹda awọn ẹtọ wiwọle
kubectl create -f skywiz-poc-consul-server_rbac.yamlNsopọ si Onibara Consul
- Gẹgẹbi a ti ṣe akiyesi Awọn aṣayan pupọ lo wa fun sisopọ si daemonset, ṣugbọn a yoo tẹsiwaju si ojutu irọrun atẹle:
- Waye faili atẹle yii [].
### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: consul-ds-client
spec:
selector:
app: consul
chart: consul-helm
component: client
hasDNS: "true"
release: skywiz-app-with-consul-client-poc
ports:
- protocol: TCP
port: 80
targetPort: 8500- Lẹhinna lo aṣẹ ti a ṣe sinu atẹle lati ṣẹda iṣeto atunto kan []. Jọwọ ṣe akiyesi pe a n tọka si orukọ iṣẹ wa, rọpo rẹ ti o ba jẹ dandan.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
labels:
addonmanager.kubernetes.io/mode: EnsureExists
name: kube-dns
namespace: kube-system
data:
stubDomains: |
{"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOFIdanwo ọna auth
Bayi jẹ ki a wo idan ni iṣe!
- Ṣẹda ọpọlọpọ awọn folda bọtini diẹ sii pẹlu bọtini ipele oke kanna (ie. /sample_key) ati iye ti o fẹ. Ṣẹda awọn eto imulo ti o yẹ ati awọn ipa fun awọn ọna bọtini tuntun. A yoo ṣe awọn ìde nigbamii.
Idanwo aaye orukọ aṣa:
- Jẹ ki a ṣẹda aaye orukọ tiwa:
kubectl create namespace custom-ns- Jẹ ki a ṣẹda adarọ-ese ni aaye orukọ tuntun wa. Kọ iṣeto ni fun podu naa.
###poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
name: poc-ubuntu-custom-ns
namespace: custom-ns
spec:
containers:
- name: poc-ubuntu-custom-ns
image: ubuntu
command: ["/bin/bash", "-ec", "sleep infinity"]
restartPolicy: Never- Ṣẹda labẹ:
kubectl create -f poc-ubuntu-custom-ns.yaml- Ni kete ti eiyan naa ba nṣiṣẹ, lọ sibẹ ki o fi curl sori ẹrọ.
kubectl exec poc-ubuntu-custom-ns -n custom-ns -it /bin/bash
apt-get update && apt-get install curl -y- Bayi a yoo firanṣẹ ibeere iwọle si Consul ni lilo ọna aṣẹ ti a ṣẹda tẹlẹ [].
- Lati wo ami ti a tẹ lati akọọlẹ iṣẹ rẹ:
cat /run/secrets/kubernetes.io/serviceaccount/token- Kọ nkan wọnyi si faili kan ninu apoti:
### payload.json
{
"AuthMethod": "auth-method-test",
"BearerToken": "<jwt_token>"
}- Wo ile!
curl
--request POST
--data @payload.json
consul-ds-client.default.svc.cluster.local/v1/acl/login- Lati pari awọn igbesẹ ti o wa loke ni laini kan (niwọn igba ti a yoo nṣiṣẹ awọn idanwo pupọ), o le ṣe atẹle naa:
echo "{
"AuthMethod": "auth-method-skywiz-consul-poc",
"BearerToken": "$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
}"
| curl
--request POST
--data @-
consul-ds-client.default.svc.cluster.local/v1/acl/login- Awọn iṣẹ! O kere o yẹ. Bayi mu SecretID ki o gbiyanju lati wọle si bọtini / iye ti a yẹ ki o ni iwọle si.
curl
consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header “X-Consul-Token: <SecretID_from_prev_response>”- O le ṣe ipilẹ64 pinnu “Iye” ki o rii pe o baamu iye ni aṣa-ns/test_key ninu UI. Ti o ba lo iye kanna loke ninu ikẹkọ yii, iye ti a fi koodu rẹ jẹ IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.
Idanwo akọọlẹ iṣẹ olumulo:
- Ṣẹda Account Service aṣa kan nipa lilo aṣẹ atẹle [].
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: custom-sa
EOF- Ṣẹda titun iṣeto ni faili fun awọn podu. Jọwọ ṣe akiyesi pe Mo ṣafikun fifi sori curl lati ṣafipamọ iṣẹ laala :)
###poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
name: poc-ubuntu-custom-sa
namespace: default
spec:
serviceAccountName: custom-sa
containers:
- name: poc-ubuntu-custom-sa
image: ubuntu
command: ["/bin/bash","-ec"]
args: ["apt-get update && apt-get install curl -y; sleep infinity"]
restartPolicy: Never- Lẹhin iyẹn, ṣiṣe ikarahun kan ninu apo eiyan naa.
kubectl exec -it poc-ubuntu-custom-sa /bin/bash- Wo ile!
echo "{
"AuthMethod": "auth-method-skywiz-consul-poc",
"BearerToken": "$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
}"
| curl
--request POST
--data @-
consul-ds-client.default.svc.cluster.local/v1/acl/login- Ti kọ iyọọda. Oh, a gbagbe lati ṣafikun awọn ofin tuntun ti o somọ pẹlu awọn igbanilaaye ti o yẹ, jẹ ki a ṣe iyẹn ni bayi.
Tun awọn igbesẹ ti tẹlẹ loke:
a) Ṣẹda Ilana kanna fun ìpele “aṣa-sa/”.
b) Ṣẹda ipa kan, pe ni “aṣa-sa-ipa”
c) So Ilana si Ipa.
- Ṣẹda Ofin-Asopọ (o ṣee ṣe nikan lati cli/api). Ṣe akiyesi itumọ oriṣiriṣi ti asia oluyan.
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='custom-sa-role'
-selector='serviceaccount.name=="custom-sa"'- Wọle lẹẹkansi lati inu apoti "poc-ubuntu-custom-sa". Aseyori!
- Ṣayẹwo wiwọle wa si aṣa-sa/ ọna bọtini.
curl
consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header “X-Consul-Token: <SecretID>”- O tun le rii daju pe ami yii ko funni ni iwọle si kv ni “aṣa-ns/”. Kan tun aṣẹ ti o wa loke pada lẹhin ti o rọpo “custom-sa” pẹlu ìpele “aṣa-ns”.
Ti kọ iyọọda.
Apeere apọju:
- O tọ lati ṣe akiyesi pe gbogbo awọn aworan atọka ti ofin yoo jẹ afikun si ami-ami pẹlu awọn ẹtọ wọnyi.
- Eiyan wa "poc-ubuntu-custom-sa" wa ninu aaye orukọ aiyipada - nitorinaa jẹ ki a lo fun isọdọkan ofin ti o yatọ.
- Tun awọn igbesẹ ti tẹlẹ ṣe:
a) Ṣẹda Ilana kanna fun “aiyipada/” ìpele bọtini.
b) Ṣẹda ipa kan, lorukọ rẹ “ayipada-ns-ipa”
c) So Ilana si Ipa. - Ṣẹda Ofin-Asopọ (o ṣee ṣe nikan lati cli/api)
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='default-ns-role'
-selector='serviceaccount.namespace=="default"'- Pada si apoti “poc-ubuntu-custom-sa” wa ki o gbiyanju lati wọle si ọna “aiyipada/” kv.
- Ti kọ iyọọda.
O le wo awọn iwe-ẹri pato fun ami-ami kọọkan ninu UI labẹ ACL> Awọn ami. Gẹgẹbi o ti le rii, ami-ami lọwọlọwọ wa nikan ni “aṣa-sa-ipa” kan ti o so mọ rẹ. Àmi tí a ń lò lọ́wọ́lọ́wọ́ jẹ́ ìpilẹ̀ṣẹ̀ nígbà tí a wọlé àti pé ìdè òfin kan ṣoṣo ló wà tí ó bára mu nígbà náà. A nilo lati buwolu wọle lẹẹkansi ati lo ami tuntun naa. - Rii daju pe o le ka lati mejeeji "aṣa-sa/" ati "aiyipada/" awọn ọna kv.
Aseyori!
Eyi jẹ nitori “poc-ubuntu-custom-sa” wa ni ibamu pẹlu awọn isọdọmọ ofin “custom-sa” ati “default-ns”.
ipari
TTL àmi mgmt?
Ni akoko kikọ yii, ko si ọna iṣọpọ lati pinnu TTL fun awọn ami ti ipilẹṣẹ nipasẹ ọna aṣẹ yii. Yoo jẹ aye ikọja lati pese adaṣe to ni aabo ti aṣẹ Consul.
Aṣayan wa lati ṣẹda pẹlu ọwọ pẹlu TTL:
Akoko Ipari - Akoko ti aami yi yoo fagile. (Aṣayan; fi kun ni Consul 1.5.0)- Wa fun afọwọṣe ẹda/imudojuiwọn nikan
Nireti ni ọjọ iwaju ti o sunmọ a yoo ni anfani lati ṣakoso bi awọn ami ti ṣe ipilẹṣẹ (fun ofin tabi ọna aṣẹ) ati ṣafikun TTL.
Titi di igba naa, o daba pe ki o lo aaye ipari ipari jade ninu ọgbọn rẹ.
Tun ka awọn nkan miiran lori bulọọgi wa:
orisun: www.habr.com