Consul deployment [in a Kubernetes cluster] [with the ACL mechanism enabled]

  • For the Consul configuration itself and for the ACL settings, see the Consul series of articles.
  • First create the k8s-consul-config.json file. Note that you must generate your own master token (a random UUID, for example from uuidgen); the one shown here is masked.
{
    "datacenter":"dc8",
    "primary_datacenter":"dc8",
    "acl":{
        "enabled":true,
        "default_policy":"deny",
        "enable_token_persistence":true,
        "enable_key_list_policy":true,
        "tokens":{
            "master":"14d54c5e-24ca-****-*******-*********"
        }
    }
}
  • Create the ConfigMap

kubectl  create configmap consul --from-file=k8s-consul-config.json

The command above creates a ConfigMap named consul whose content is a single file named k8s-consul-config.json; a ConfigMap can be mounted into a pod as a volume. Keep in mind that a ConfigMap is not a Secret: any identity with get/list on ConfigMaps in the namespace can read the master token out of it. In a shared cluster put this file in a Secret instead (it mounts the same way) and restrict RBAC on it.

  • Modify the k8s-consul-statefulset.yaml file

Points to note:

1. At the end of the spec we mount the ConfigMap as a volume; this is the consul ConfigMap we just created.

2. "-config-file=/etc/consul/config/k8s-consul-config.json" points the agent at the ACL configuration we saved in the ConfigMap.

3. We added requiredDuringSchedulingIgnoredDuringExecution [pod anti-affinity] so that no two consul pods run on the same node. This matters because /consul/data is mounted from a hostPath: if two agents on one machine share that directory they conflict and consul hangs on startup. The flip side is that the data lives on the node, so a pod rescheduled onto a different node starts with an empty data directory and has to rejoin and resync from the other servers.

apiVersion: apps/v1          # apps/v1beta1 was removed in Kubernetes 1.16; apps/v1 requires spec.selector
kind: StatefulSet
metadata:
  name: consul
spec:
  serviceName: consul        # headless Service "consul" must exist: it provides the consul-N.consul.<ns>.svc names used by -retry-join
  replicas: 3
  selector:
    matchLabels:
      app: consul
      component: server
  template:
    metadata:
      labels:
        app: consul
        component: server
    spec:
      serviceAccountName: consul
      affinity:
        podAntiAffinity:
          # Never place two consul pods on one node: the data directory below is a
          # hostPath, and two agents sharing it would conflict and hang on startup.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - consul
              topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 10
      containers:
      - name: consul
        image: consul:1.6.0
        args:
          - "agent"
          - "-server"
          - "-bootstrap-expect=3"
          - "-ui"
          - "-data-dir=/consul/data"
          # ACL settings (enabled, default_policy=deny, master token) come from the ConfigMap
          - "-config-file=/etc/consul/config/k8s-consul-config.json"
          - "-bind=0.0.0.0"
          # -client=0.0.0.0 exposes the HTTP API/UI (8500) and DNS (8600) on the pod IP.
          # With default_policy=deny, unauthenticated callers only get what the anonymous
          # token allows, but the API is still plaintext HTTP; tokens sent to it are not encrypted.
          - "-client=0.0.0.0"
          - "-advertise=$(PODIP)"
          - "-retry-join=consul-0.consul.$(NAMESPACE).svc.cluster.local"
          - "-retry-join=consul-1.consul.$(NAMESPACE).svc.cluster.local"
          - "-retry-join=consul-2.consul.$(NAMESPACE).svc.cluster.local"
          - "-domain=cluster.local"
          - "-disable-host-node-id"
        volumeMounts:
          - name: data
            mountPath: /consul/data
          - name: config
            mountPath: /etc/consul/config
        env:
          - name: PODIP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          - name: NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        ports:
          # Ports actually opened by the flags above: 8300 (server RPC), 8301/8302 (Serf LAN/WAN),
          # 8500 (HTTP API/UI), 8600 (DNS). The remaining entries only document intent:
          # Consul 1.6 does not listen on 8400 (legacy RPC, removed in 0.8), 53, 8443 or 8080 by default.
          - containerPort: 8500
            name: ui-port
          - containerPort: 8400
            name: alt-port
          - containerPort: 53
            name: udp-port
          - containerPort: 8443
            name: https-port
          - containerPort: 8080
            name: http-port
          - containerPort: 8301
            name: serflan
          - containerPort: 8302
            name: serfwan
          - containerPort: 8600
            name: consuldns
          - containerPort: 8300
            name: server
      volumes:
        - name: data
          hostPath:
            path: /root/consul/data      # lives on the node; see the anti-affinity note above
        - name: config
          configMap:
            name: consul
  • Finally, recreate the consul StatefulSet from the configuration above. Once it is up, following the earlier Consul articles: log in to the UI with the master token, create an agent policy and an agent token, then add that agent token to the acl.tokens section of the ConfigMap (for example: kubectl create configmap consul --from-file=k8s-consul-config.json --dry-run=client -o yaml | kubectl apply -f -). Consul reads its configuration only at startup, so delete the consul pods and let the StatefulSet recreate them for the new ConfigMap to take effect.
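The bootstrap step above, as an added example that is not part of the original post: a small Python helper that checks the ACL block of k8s-consul-config.json, builds the request bodies for creating the agent policy and the agent token against the Consul 1.6 HTTP API (PUT /v1/acl/policy and PUT /v1/acl/token, authenticated with the master token in the X-Consul-Token header), and writes the returned agent token back into the config for the ConfigMap update. The sample config, the placeholder master token, the policy name agent-token and the address http://127.0.0.1:8500 are assumptions; nothing here contacts a server, the curl lines are returned as strings for you to run where the API is reachable.

```python
import copy
import json
import uuid

# Constructed sample: the page's k8s-consul-config.json with a placeholder
# master token (assumption, not a real token).
SAMPLE_CONFIG = {
    "datacenter": "dc8",
    "primary_datacenter": "dc8",
    "acl": {
        "enabled": True,
        "default_policy": "deny",
        "enable_token_persistence": True,
        "enable_key_list_policy": True,
        "tokens": {"master": "14d54c5e-24ca-4e0b-9d57-6c1e9b4b2a71"},
    },
}

# Minimal agent policy: an agent may register/update its own node entry and
# read the service catalog; no KV access, no ACL management.
AGENT_POLICY_RULES = (
    'node_prefix "" {\n  policy = "write"\n}\n'
    'service_prefix "" {\n  policy = "read"\n}\n'
)


def check_acl_config(cfg):
    """Return a list of problems in the ACL block; an empty list means it is sound."""
    problems = []
    acl = cfg.get("acl", {})
    if acl.get("enabled") is not True:
        problems.append("acl.enabled must be true")
    if acl.get("default_policy") != "deny":
        problems.append("acl.default_policy should be deny; allow leaves every endpoint open")
    if cfg.get("primary_datacenter") != cfg.get("datacenter"):
        problems.append("primary_datacenter must equal datacenter in a single-DC cluster")
    try:
        uuid.UUID(acl.get("tokens", {}).get("master", ""))
    except ValueError:
        problems.append("acl.tokens.master must be a random UUID")
    return problems


def policy_request(name="agent-token"):
    """Body for PUT /v1/acl/policy, sent with the master token."""
    return {"Name": name, "Description": "Agent token policy", "Rules": AGENT_POLICY_RULES}


def token_request(policy_name="agent-token"):
    """Body for PUT /v1/acl/token; Consul answers with the new token's SecretID."""
    return {"Description": "Agent token for consul servers", "Policies": [{"Name": policy_name}]}


def curl_commands(addr, master_token, policy_name="agent-token"):
    """The two API calls as curl lines, for a shell that can reach the Consul HTTP API."""
    auth = f"-H 'X-Consul-Token: {master_token}'"
    return [
        f"curl -sS {auth} -X PUT {addr}/v1/acl/policy -d '{json.dumps(policy_request(policy_name))}'",
        f"curl -sS {auth} -X PUT {addr}/v1/acl/token -d '{json.dumps(token_request(policy_name))}'",
    ]


def add_agent_token(cfg, agent_secret_id):
    """Return a copy of cfg with acl.tokens.agent set; the input is left untouched."""
    new = copy.deepcopy(cfg)
    new.setdefault("acl", {}).setdefault("tokens", {})["agent"] = agent_secret_id
    return new


if __name__ == "__main__":
    problems = check_acl_config(SAMPLE_CONFIG)
    print("config check:", problems or "ok")
    for line in curl_commands("http://127.0.0.1:8500", SAMPLE_CONFIG["acl"]["tokens"]["master"]):
        print(line)
    # Paste the SecretID returned by the token call here, then write the result
    # to k8s-consul-config.json, update the ConfigMap and restart the pods.
    updated = add_agent_token(SAMPLE_CONFIG, "<SecretID from /v1/acl/token>")
    print(json.dumps(updated, indent=4))
```

Run check_acl_config before every ConfigMap update: a config that silently drops default_policy back to allow, or whose master token was hand-typed rather than generated, is exactly the kind of mistake that only shows up after the pods have been recreated.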
