从领事-连接服务-网格访问领事-api

Question

在一个领事-连接-服务-网格(使用k8)，你如何到达领事-api本身？例如，访问领事-kv。

我正在研究这个教程，并且我想知道如何将服务中的consul (http) api绑定到本地主机。

您必须进一步配置Helm图表吗？我原以为领事代理会一直是上游的服务。

我发现访问api的唯一方法是通过K8服务领事服务器。

环境：

• k8 (1.22.5，停靠-桌面)
• 行政领事(0.42)
• 领事(1.11.3)
• 使用头盔-yaml

global:
  name: consul
  datacenter: dc1
server:
  replicas: 1
  securityContext:
    runAsNonRoot: false
    runAsGroup: 0
    runAsUser: 0
    fsGroup: 0
ui:
  enabled: true
  service:
    type: 'NodePort'
connectInject:
  enabled: true
controller:
  enabled: true

Answer 1

我目前的最终解决方案是基于反向代理(nginx)的(Connect)服务，该服务的目标是领事。

apiVersion: v1
kind: ConfigMap
metadata:
  name: consul-kv-proxy
data:
 nginx.conf.template: |
    error_log /dev/stdout info;
    server {
      listen 8500;    
      location / {
        access_log off;
        proxy_pass http://${MY_NODE_IP}:8500;
        error_log /dev/stdout;          
      }         
    }    
---
apiVersion: v1
kind: Service
metadata:
  # This name will be the service name in Consul.
  name: consul-kv-proxy
spec:
  selector:
    app: consul-kv-proxy
  ports:
    - protocol: TCP
      port: 8500      
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: consul-kv-proxy
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: consul-kv-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: consul-kv-proxy
  template:
    metadata:
      name: consul-kv-proxy
      labels:
        app: consul-kv-proxy
      annotations:
        'consul.hashicorp.com/connect-inject': 'true'
    spec:
      containers:
        - name: consul-kv-proxy
          image: nginx:1.14.2            
          volumeMounts:
          - name: config
            mountPath: "/usr/local/nginx/conf"
            readOnly: true           
          command: ['/bin/bash']
          #we have to transform the nginx config to use the node ip address
          args:
            - -c
            - envsubst < /usr/local/nginx/conf/nginx.conf.template > /etc/nginx/conf.d/consul-kv-proxy.conf && nginx -g 'daemon off;'
          ports:
            - containerPort: 8500
              name: http
          env:
            - name: MY_NODE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP      
      volumes:
        - name: config
          configMap:
            name: consul-kv-proxy
      
      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
      serviceAccountName: consul-kv-proxy

现在可以像下面这样声明下游服务(称为静态客户端)

apiVersion: v1
kind: Service
metadata:
  name: static-client
spec:
  selector:
    app: static-client
  ports:
    - port: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-client
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-client
  template:
    metadata:
      name: static-client
      labels:
        app: static-client
      annotations:
        'consul.hashicorp.com/connect-inject': 'true'         
        'consul.hashicorp.com/connect-service-upstreams': 'consul-kv-proxy:8500'     
    spec:
      containers:
        - name: static-client
          image: curlimages/curl:latest
          # Just spin & wait forever, we'll use `kubectl exec` to demo
          command: ['/bin/sh', '-c', '--']
          args: ['while true; do sleep 30; done;']
      serviceAccountName: static-client

假设我们在领事中有一个名为“测试”的键值。从静态客户端的一个荚，我们现在可以访问领事web-api使用：

curl http://localhost:8500/v1/kv/test

这个解决方案仍然缺乏微调(我还没有尝试过https或ACL)。

Answer 2

您可以通过使用Kubernetes向下的API将环境变量注入到容器中，并使用主机的IP地址来访问本地代理上的Consul。这是在Consul.io下的在Kubernetes上安装领事:访问Consul中记录的。

您还需要使用consul.hashicorp.com/transparent-proxy-exclude-outbound-ports标签从重定向中排除端口8500 (或8501)。