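If Fabio can be used as a load balancer, could you clarify what the main steps are to get Consul running on a local machine (not in dev mode (!)) in order to connect, for example, one microservice to another microservice? Should I create a datacenter with ACLs, etc.? There is too much documentation, but it is still unclear where to start. Thanks a lot!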
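1 Answer
Here is a step-by-step example of how to configure Fabio to route to a microservice registered in an ACL-protected Consul server environment.
First, you will need to create a few configuration files for Consul and Fabio.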
$ tree
.
├── conf.d
│   ├── config.hcl
│   └── web.hcl
├── fabio-policy.hcl
└── fabio.properties
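Here is a brief overview of what we will add to these files.
- conf.d - The Consul server configuration directory. config.hcl defines the Consul server configuration, and web.hcl is the service definition for our example web service.
- fabio-policy.hcl - The Consul ACL policy that will be assigned to the token created for the Fabio LB.
- fabio.properties - The Fabio configuration file.
Create the configuration files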
conf.d/config.hcl
This is a basic single-node Consul server cluster with ACLs enabled (3 or more servers are recommended for production).
# Configure the Consul agent to operate as a server
server = true
# Expect only one server member in this cluster
bootstrap_expect = 1
# Persistent storage path. Should not be under /tmp for production envs.
data_dir = "/tmp/consul-fabio-so"
acl {
  # Enable ACLs
  enabled = true
  # Set default ACL policy to deny
  default_policy = "deny"
}
# Enable the Consul UI
ui_config {
  enabled = true
}
web.hcl
This is a service definition that registers a service named "web" into the Consul catalog.
service {
  # Define the name of the service
  name = "web"
  # Specify the listening port for the service
  port = 8080
  # Register an HTTP health check (required by Fabio) for this service
  # By default Fabio will only route to healthy services in the Consul catalog.
  check {
    id = "web"
    http = "http://localhost:8080"
    interval = "10s"
    timeout = "1s"
  }
  # Fabio dynamically configures itself based on tags assigned to services in
  # the Consul catalog. By default, 'urlprefix-' is the prefix for tags which
  # define routes. Services which define routes publish one or more tags with
  # host/path routes which they serve. These tags must have this prefix to be
  # recognized as routes.
  #
  # Configure Fabio to route requests to '/' to our backend service.
  tags = [
    "urlprefix-/"
  ]
}
fabio-policy.hcl
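This ACL policy allows Fabio to register itself into the Consul catalog, and to discover backend services and additional Fabio configuration. The policy will be created in Consul after the ACL system has been bootstrapped.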
# Allow Fabio to discover which agent it is running on.
# Can be scoped to specific node(s) if additional security is required
agent_prefix "" {
  policy = "read"
}
# Allow Fabio to lookup any service in Consul's catalog
service_prefix "" {
  policy = "read"
}
# Allow Fabio to lookup nodes so that it can resolve services endpoints to the
# correct node IP.
node_prefix "" {
  policy = "read"
}
# Allow Fabio to register itself as a service in Consul.
# This is used for Fabio instances to be discoverable in Consul's catalog, and for
# Consul to execute health checks against Fabio.
service "fabio" {
  policy = "write"
}
# Allow Fabio to read configuration overrides from the KV store
# https://github.com/fabiolb/fabio/wiki/Routing#manual-overrides
key_prefix "fabio/config" {
  policy = "read"
}
fabio.properties
This is the configuration file for Fabio.
# Configures the ACL token to use when authenticating to Consul.
registry.consul.token = "<token. To be created later>"
Start and configure Consul
Start the Consul server (not in dev mode).
$ consul agent -config-dir=conf.d
==> Starting Consul agent...
           Version: '1.9.5'
           Node ID: 'f80693eb-0f47-1f9f-e8cc-063ad28ca8da'
         Node name: 'b1000.local'
        Datacenter: 'dc1' (Segment: '<all>')
            Server: true (Bootstrap: true)
       Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: -1, gRPC: -1, DNS: 8600)
      Cluster Addr: 10.0.0.21 (LAN: 8301, WAN: 8302)
           Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false
==> Log data will now stream in as it occurs:
...
Bootstrap the ACL system. This creates a management token with privileges for the entire cluster. Save this information.
$ consul acl bootstrap
AccessorID:       e135b234-2227-71fe-1999-ffb75c659110
SecretID:         ef475ff8-5f92-6f8e-0a59-2ad3f8ed8dda
Description:      Bootstrap Token (Global Management)
Local:            false
Create Time:      2021-06-05 14:26:07.02198 -0700 PDT
Policies:
   00000000-0000-0000-0000-000000000001 - global-management
Set the CONSUL_HTTP_TOKEN environment variable to the value of our secret ID. This will be used for subsequent administrative commands.
$ export CONSUL_HTTP_TOKEN="ef475ff8-5f92-6f8e-0a59-2ad3f8ed8dda"
Create the ACL policy for Fabio
$ consul acl policy create -name=fabio-policy -rules=@fabio-policy.hcl
<output snipped>
...
Create a token for Fabio that uses this policy.
$ consul acl token create -description="Token for Fabio LB" -policy-name="fabio-policy"
AccessorID:       474db6b0-73b0-3149-dafc-a50bab41b574
SecretID:         b6490a01-89a8-01a1-bbdf-5c7e9898d6ea
Description:      Token for Fabio LB
Local:            false
Create Time:      2021-06-05 15:13:09.124182 -0700 PDT
Policies:
   fc0c6a84-8633-72cc-5d59-4e0e60087199 - fabio-policy
Update fabio.properties and set the token ID.
# registry.consul.token configures the acl token for consul.
registry.consul.token = b6490a01-89a8-01a1-bbdf-5c7e9898d6ea
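Start the web server and Fabio
Start the backend web server so that it can accept connections. For this example, I will use devd.
This command tells devd to listen on port 8080 on all IPs on the system, and to serve content from the current directory.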
$ devd --all --port=8080 .
15:21:46: Route / -> reads files from .
15:21:46: Listening on http://devd.io:8080 ([::]:8080)
Next, start Fabio.
$ fabio -cfg fabio.properties
2021/06/05 15:22:40 [INFO] Setting log level to INFO
2021/06/05 15:22:40 [INFO] Runtime config
<snip>
...
2021/06/05 15:22:40 [INFO] Version 1.5.14 starting
2021/06/05 15:22:40 [INFO] Go runtime is go1.16.2
2021/06/05 15:22:40 [INFO] Metrics disabled
2021/06/05 15:22:40 [INFO] Setting GOGC=100
2021/06/05 15:22:40 [INFO] Setting GOMAXPROCS=16
2021/06/05 15:22:40 [INFO] consul: Connecting to "localhost:8500" in datacenter "dc1"
2021/06/05 15:22:40 [INFO] Admin server access mode "rw"
2021/06/05 15:22:40 [INFO] Admin server listening on ":9998"
2021/06/05 15:22:40 [INFO] Waiting for first routing table
2021/06/05 15:22:40 [INFO] consul: Using dynamic routes
2021/06/05 15:22:40 [INFO] consul: Using tag prefix "urlprefix-"
2021/06/05 15:22:40 [INFO] consul: Watching KV path "/fabio/config"
2021/06/05 15:22:40 [INFO] consul: Watching KV path "/fabio/noroute.html"
2021/06/05 15:22:40 [INFO] HTTP proxy listening on :9999
2021/06/05 15:22:40 [INFO] Access logging disabled
2021/06/05 15:22:40 [INFO] Using routing strategy "rnd"
2021/06/05 15:22:40 [INFO] Using route matching "prefix"
2021/06/05 15:22:40 [INFO] Config updates
+ route add web / http://10.0.0.21:8080/
2021/06/05 15:22:40 [INFO] consul: Registered fabio as "fabio"
...
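Although some of the output has been omitted, we can see that Fabio is listening on port 9999, is successfully watching Consul's KV for configuration, has successfully discovered our "web" service, and has registered itself into Consul's catalog.
If you connect to Fabio at http://localhost:9999, you should see the directory listing returned by the backend web server, devd, which is listening on port 8080.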
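The hand-off from `consul acl token create` to fabio.properties in the steps above, as an added example that is not part of the original answer: it extracts the SecretID, rejects a value that is not a complete UUID, and writes `registry.consul.token` into a file only its owner can read. The helper names (`extract_secret_id`, `is_uuid`, `set_fabio_token`) are hypothetical, and the sample input is a copy of the token output shown in the answer.

```shell
# Added example, not part of the original answer. Helper names are hypothetical.
# Constructed sample input: the `consul acl token create` output shown above.
SAMPLE_OUTPUT='AccessorID:       474db6b0-73b0-3149-dafc-a50bab41b574
SecretID:         b6490a01-89a8-01a1-bbdf-5c7e9898d6ea
Description:      Token for Fabio LB
Local:            false'

# Print the SecretID field from token-create output read on stdin.
extract_secret_id() {
  awk '$1 == "SecretID:" { print $2; exit }'
}

# Succeed only if $1 is a complete, lowercase 36-character UUID.
is_uuid() {
  [ "${#1}" -eq 36 ] && printf '%s\n' "$1" |
    grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# Set registry.consul.token in properties file $2 to token $1.
# Replaces any existing entry and leaves the file readable by its owner only.
set_fabio_token() {
  _tok=$1
  _file=$2
  is_uuid "$_tok" || { echo "refusing malformed token" >&2; return 1; }
  _tmp=$(mktemp "${_file}.XXXXXX") || return 1
  chmod 600 "$_tmp"
  if [ -f "$_file" ]; then
    # Keep every line except a previous (uncommented) token entry.
    grep -v '^[[:space:]]*registry\.consul\.token[[:space:]]*=' "$_file" > "$_tmp" || true
  fi
  printf 'registry.consul.token = %s\n' "$_tok" >> "$_tmp"
  mv -f "$_tmp" "$_file"
}

# Demo on the constructed sample. Against a live cluster, pipe the real
# `consul acl token create ...` command into extract_secret_id instead.
demo_dir=$(mktemp -d)
demo_token=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_secret_id)
set_fabio_token "$demo_token" "$demo_dir/fabio.properties" &&
  cat "$demo_dir/fabio.properties"
rm -rf "$demo_dir"
```

A token that lost a character during copy and paste fails `is_uuid`, so it is caught before Fabio is started with it.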