
Context

I am trying out OpenCensus with Linkerd. Although Linkerd has an option to automatically configure OpenCensus and Jaeger in its own namespace, I don't want to use that. Instead, I deployed them myself, independently, under a namespace named "ops".

Questions

  1. Whether the OpenCensus collector should be injected by Linkerd.

At the very end of the official documentation (precisely the fourth line from the end), it says,

Ensure the OpenCensus collector is injected with the Linkerd proxy.

What does this mean?
Should I inject the Linkerd sidecar into the OpenCensus collector pod?
If so, why?

  2. Should I suffix the serviceaccount name with the namespace?

For example, suppose I have configured the default namespace like this.

apiVersion: v1
kind: Namespace
metadata:
  name: default
  annotations:
    linkerd.io/inject: enabled
    config.linkerd.io/trace-collector: my-opencensus-collector.ops:12345
    config.alpha.linkerd.io/trace-collector-service-account: my-opencensus-collector-service-account

my-opencensus-collector lives in the ops namespace, so I put .ops at the end of its service name, giving my-opencensus-collector.ops:12345. The dedicated service account for the OpenCensus collector also exists in the ops namespace. In this case, should I also put the namespace name at the end of the service account name?

Which one is correct?

config.alpha.linkerd.io/trace-collector-service-account: my-opencensus-collector-service-account

or

config.alpha.linkerd.io/trace-collector-service-account: my-opencensus-collector-service-account.ops

Thanks!


1 Answer

  1. Whether OpenCensus collector should be injected by Linkerd.

Yes, the OpenCensus collector should be injected with the Linkerd proxy because the proxies themselves send the span info using mTLS. With mTLS, the sending (client) and receiving (server) sides of the request must present certificates to each other in order to verify each other's identities, in a way that validates that the identity was issued by the same trusted source.

The Linkerd service mesh is made up of the control plane and the data plane. The control plane is a set of services that run within the cluster to implement the features of the service mesh. Mutual TLS (mTLS) is one of those features and is implemented by the linkerd-identity component of the control plane.

The data plane is comprised of any number of the Linkerd proxies which are injected into the services in the application, like the OpenCensus collector. Whenever a proxy is started within a pod, it sends a certificate signing request to the linkerd-identity component and receives a certificate in return.

So, when the Linkerd proxies in the control plane send the spans to the collector, they authenticate themselves with those certificates, which must be verified by the proxy injected into the OpenCensus collector Pod. This ensures that all traffic, even distributed traces, is sent securely within the cluster.

  2. Should I suffix serviceaccount name by namespace?

In your case, you should suffix the service account with the namespace. By default, Linkerd will use the Pod namespace, so if the service account doesn't exist in the Pod namespace, then the configuration will be invalid. The logic has a function that checks for a namespace in the annotation name and appends it, if it exists:

import (
    "fmt"
    "strings"
)

// Params is the caller's (Linkerd's) inject parameter struct; only the two
// fields used here are relevant: CollectorSvcAddr (host[.namespace]:port) and
// CollectorSvcAccount (the service account name from the annotation).
func ammendSvcAccount(ns string, params *Params) {
    hostAndPort := strings.Split(params.CollectorSvcAddr, ":")
    hostname := strings.Split(hostAndPort[0], ".")
    // A namespace embedded in the collector address overrides the pod namespace.
    if len(hostname) > 1 {
        ns = hostname[1]
    }
    // The namespace is appended to the service account name unconditionally.
    params.CollectorSvcAccount = fmt.Sprintf("%s.%s", params.CollectorSvcAccount, ns)
}

So, this one is correct:

config.alpha.linkerd.io/trace-collector-service-account: my-opencensus-collector-service-account.ops
answered 2020-12-28T23:18:49.290
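As an added check (example code, not part of the answer above or of Linkerd's own source), the following Go program reproduces the function quoted in the answer and runs it on the values from the question, so you can see the exact account.namespace string the proxy would be configured with for each candidate annotation value, and for an address with no namespace part. The Params struct here is an assumption that carries only the two fields the function touches; the sample values are taken from the question.

```go
package main

import (
	"fmt"
	"strings"
)

// Params is an assumed, minimal stand-in for the inject parameters the quoted
// function reads and writes; Linkerd's real type has many more fields.
type Params struct {
	CollectorSvcAddr    string // value of config.linkerd.io/trace-collector
	CollectorSvcAccount string // value of config.alpha.linkerd.io/trace-collector-service-account
}

// amendSvcAccount reproduces the logic quoted in the answer: the namespace is
// taken from the collector address when it carries one (host.namespace:port),
// otherwise the pod namespace is used, and it is always appended to the
// service account name.
func amendSvcAccount(ns string, params *Params) {
	hostAndPort := strings.Split(params.CollectorSvcAddr, ":")
	hostname := strings.Split(hostAndPort[0], ".")
	if len(hostname) > 1 {
		ns = hostname[1]
	}
	params.CollectorSvcAccount = fmt.Sprintf("%s.%s", params.CollectorSvcAccount, ns)
}

// CollectorIdentity returns the "account.namespace" string that results for a
// pod in podNS whose namespace carries the two trace-collector annotations.
func CollectorIdentity(podNS, collectorAddr, collectorAccount string) string {
	p := &Params{CollectorSvcAddr: collectorAddr, CollectorSvcAccount: collectorAccount}
	amendSvcAccount(podNS, p)
	return p.CollectorSvcAccount
}

func main() {
	// Constructed from the question: pod in "default", collector in "ops".
	cases := []struct{ addr, account string }{
		{"my-opencensus-collector.ops:12345", "my-opencensus-collector-service-account"},
		{"my-opencensus-collector.ops:12345", "my-opencensus-collector-service-account.ops"},
		{"my-opencensus-collector:12345", "my-opencensus-collector-service-account"},
	}
	for _, c := range cases {
		got := CollectorIdentity("default", c.addr, c.account)
		fmt.Printf("addr=%-36s account=%-46s -> %s\n", c.addr, c.account, got)
	}
}
```

Compare the printed string against the service account that really exists in the collector's namespace; if the two do not agree, the proxy will be configured to expect an identity the collector never presents, and traces will not be accepted over mTLS.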