Overview
The Consul cluster (three nodes) is deployed as a StatefulSet.
Consul cluster members communicate securely with each other using TLS and encryption keys.
Prerequisites
The master node needs the following tools installed: cfssl, cfssljson, consul
# Install cfssl and cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod a+x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
# Install consul (the download is usually slow; you can use the Baidu Cloud download link at the bottom of the article)
wget https://releases.hashicorp.com/consul/1.7.1/consul_1.7.1_linux_amd64.zip
unzip consul_1.7.1_linux_amd64.zip
mv consul /usr/local/bin/
Clone the GitHub project
git clone https://github.com/kelseyhightower/consul-on-kubernetes.git
cd consul-on-kubernetes
Generate the TLS certificates
cfssl gencert -initca ca/ca-csr.json | cfssljson -bare ca
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca/ca-config.json \
  -profile=default \
  ca/consul-csr.json | cfssljson -bare consul
Generate the Consul gossip encryption key
GOSSIP_ENCRYPTION_KEY=$(consul keygen)
Create the Consul cluster Secret and ConfigMap
kubectl create secret generic consul \
  --from-literal="gossip-encryption-key=${GOSSIP_ENCRYPTION_KEY}" \
  --from-file=ca.pem \
  --from-file=consul.pem \
  --from-file=consul-key.pem
kubectl create configmap consul --from-file=configs/server.json
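If `consul keygen` fails or a cfssl step was skipped, the `kubectl create secret` command above still succeeds and stores an empty gossip key or a missing certificate. The following pre-flight check is an added example, not part of the original article or of the consul-on-kubernetes project; the function names are hypothetical, and it assumes a gossip key is the base64 encoding of a 16-, 24- or 32-byte AES key.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `kubectl create secret generic consul`.
# All function names are hypothetical helpers, not part of consul-on-kubernetes.

# A gossip key is base64 of a 16-, 24- or 32-byte AES key. Pairing the encoded
# length with the decoded length stops a truncated decode from passing.
gossip_key_ok() {
    n=$(( $(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c) ))
    case "${#1}:$n" in
        24:16|32:24|44:32) return 0 ;;
        *) return 1 ;;
    esac
}

# True when FILE is non-empty and carries the expected PEM header.
pem_ok() {  # pem_ok FILE HEADER_REGEX
    [ -s "$1" ] && grep -q -- "-----BEGIN $2-----" "$1"
}

# True when group and others have no permission bits on FILE.
private_ok() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# preflight CERT_DIR GOSSIP_KEY: returns 0 only if every input looks sane.
preflight() {
    dir=$1 key=$2 rc=0
    gossip_key_ok "$key" || { echo "gossip key empty or malformed" >&2; rc=1; }
    for f in ca.pem consul.pem; do
        pem_ok "$dir/$f" 'CERTIFICATE' || { echo "$f: no PEM certificate" >&2; rc=1; }
    done
    pem_ok "$dir/consul-key.pem" '.*PRIVATE KEY' ||
        { echo "consul-key.pem: no PEM private key" >&2; rc=1; }
    private_ok "$dir/consul-key.pem" ||
        { echo "consul-key.pem: readable by group/others" >&2; rc=1; }
    return "$rc"
}

# Usage: preflight . "$GOSSIP_ENCRYPTION_KEY" && run the kubectl create secret command
```

Run it from the directory that holds ca.pem, consul.pem and consul-key.pem, and create the Secret only when it returns 0.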
Create the Consul cluster Persistent Volumes
mkdir -p /data/pv/consul-0 /data/pv/consul-1 /data/pv/consul-2
vim consul-pv.yaml # contents as follows
kubectl create -f consul-pv.yaml

apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    app: data-consul-0
  name: data-consul-0
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  hostPath:
    path: /data/pv/consul-0
---
apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    app: data-consul-1
  name: data-consul-1
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  hostPath:
    path: /data/pv/consul-1
---
apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    app: data-consul-2
  name: data-consul-2
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  hostPath:
    path: /data/pv/consul-2
Create the Consul cluster StatefulSet, ServiceAccount, ClusterRole and Service
kubectl create -f statefulsets/consul.yaml
kubectl apply -f serviceaccounts/consul.yaml
kubectl apply -f clusterroles/consul.yaml
kubectl create -f services/consul.yaml
Wait until all Consul nodes are Running
kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
consul-0   1/1     Running   0          50s
consul-1   1/1     Running   0          29s
consul-2   1/1     Running   0          15s
Check the Consul cluster status
kubectl logs consul-0
[root@k8s-master]# kubectl exec -it consul-0 /bin/sh
/ # consul members
Node      Address           Status  Type    Build     Protocol  DC   Segment
consul-0  10.11.3.139:8301  alive   server  1.4.0rc1  2         dc1  <all>
consul-1  10.11.5.11:8301   alive   server  1.4.0rc1  2         dc1  <all>
consul-2  10.11.0.9:8301    alive   server  1.4.0rc1  2         dc1  <all>
/ # ^C
/ # exit
command terminated with exit code 130
Access the Consul cluster Web UI
1) Local access
kubectl port-forward consul-0 8500:8500
Then open http://127.0.0.1:8500 in a local browser.
2) Expose the port externally via NodePort
vim services/consul.yaml # modify as follows
kubectl replace -f services/consul.yaml
apiVersion: v1
kind: Service
metadata:
  name: consul
  labels:
    name: consul
spec:
  #clusterIP: None
  type: NodePort
  ports:
    - name: http
      port: 8500
      nodePort: 30500
      targetPort: 8500
    - ......
Then open http://masterip:30500 in any browser.
3) Expose an external address via Ingress
Not covered for now.
Clean up the Consul resources
bash cleanup
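[Reference]: https://github.com/kelseyhightower/consul-on-kubernetes
[Consul]: https://pan.baidu.com/s/1sePwMD0yKL62FvlMSn8dyw (kkua)
Author: Leozhanggg
Source: https://www.cnblogs.com/leozhanggg/p/12849392.html
Copyright of this article is shared by the author and cnblogs (博客園). Reposting is welcome, but unless the author agrees otherwise this notice must be retained and a link to the original article must be given in a prominent position on the page; otherwise the right to pursue legal liability is reserved.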