Consul 集群部署


集群部署

节点IP

节点名称

192.168.1.181

consul-01

192.168.1.182

consul-02

192.168.1.183

consul-03

节点一配置

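# Create the Consul directory layout: data, conf, bin, logs.
# The base path is held in one variable so it only has to be changed in one place.
consul_home=/data/consul
mkdir -p -- "${consul_home}"/{data,conf,bin,logs}

# Download the Consul release archive and unpack the binary into
# ${consul_home}/bin/ (verify the release checksum before unpacking).

# Create the node config file; its JSON contents follow below.
# Consul's JSON loader does not accept inline "#" comments, so keep the
# file free of annotations (or write the config as an .hcl file instead).
vim "${consul_home}/conf/consul-01.json"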

{
    "datacenter": "dc1",
    "primary_datacenter": "dc1",
    "bootstrap_expect": 3,
    "start_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "retry_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "advertise_addr": "192.168.1.181",
    "bind_addr": "192.168.1.181",
    "client_addr": "0.0.0.0",
    "server": true,
    "ui": true,
    "connect":{
        "enabled": true
    },
    "node_name": "consul-01",
    "data_dir": "/data/consul/data/",
    "enable_script_checks": false,
    "enable_local_script_checks": false,
    "log_file": "/data/consul/logs/",
    "log_level": "info",
    "log_rotate_bytes": 100000000,
    "log_rotate_duration": "24h",
    "encrypt": "Nliwp 3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=",	# 由 consul keygen 生成,三个节点必须使用同一个值;请勿复用此示例密钥
    "acl": {
        "enabled": true,
        "default_policy": "deny",		# 默认为 allow;如需自定义权限,将其设置为 deny,未被策略显式允许的操作均被拒绝
        "enable_token_persistence": true,	# 开启token持久化,持久化到磁盘上
	"enable_key_list_policy":true		# 允许KV的递归操作
    }
}
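# Create the systemd unit for the agent; the unit contents follow below.
# Locally written units belong in /etc/systemd/system/. /usr/lib/systemd/system/
# is reserved for units shipped by packages and may be overwritten on upgrade.
vim /etc/systemd/system/consul.service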


# systemd unit for the Consul agent; server mode and addresses come from the
# JSON config in -config-dir, not from this unit.
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
# Wait for the network to be fully up: the agent binds to a fixed bind_addr.
Requires=network-online.target
After=network-online.target

[Service]
# Type=notify: the agent signals readiness to systemd itself, so "started"
# means the agent is actually up rather than merely forked.
Type=notify
# NOTE(review): the agent does not need root. A dedicated unprivileged user
# that owns /data/consul limits the impact of a compromised agent; root is
# kept here only because the directories above were created as root.
User=root
# Loads every config file found in the directory (the consul-0N.json above).
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
# SIGHUP asks the agent to reload its configuration without a restart.
ExecReload=/bin/kill --signal HUP $MAINPID
# Only the main process receives the stop signal; child processes are left alone.
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
# Raised fd/process limits for a busy agent.
LimitNOFILE=10240
LimitNPROC=10240

[Install]
WantedBy=multi-user.target
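# Register the new unit, then enable it at boot and start it right away
# (enable --now is enable + start; it returns non-zero if either fails).
systemctl daemon-reload
systemctl enable --now consul
# Confirm the agent is running; anything other than "active" means the unit
# failed and `journalctl -u consul` has the reason.
systemctl is-active consul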

节点二配置

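# Create the Consul directory layout: data, conf, bin, logs.
# The base path is held in one variable so it only has to be changed in one place.
consul_home=/data/consul
mkdir -p -- "${consul_home}"/{data,conf,bin,logs}

# Download the Consul release archive and unpack the binary into
# ${consul_home}/bin/ (verify the release checksum before unpacking).

# Create the node config file; its JSON contents follow below.
# Consul's JSON loader does not accept inline "#" comments, so keep the
# file free of annotations (or write the config as an .hcl file instead).
vim "${consul_home}/conf/consul-02.json"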

{
    "datacenter": "dc1",
    "primary_datacenter": "dc1",
    "bootstrap_expect": 3,
    "start_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "retry_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "advertise_addr": "192.168.1.182",
    "bind_addr": "192.168.1.182",
    "client_addr": "0.0.0.0",
    "server": true,
    "ui": true,
    "connect":{
        "enabled": true
    },
    "node_name": "consul-02",
    "data_dir": "/data/consul/data/",
    "enable_script_checks": false,
    "enable_local_script_checks": false,
    "log_file": "/data/consul/logs/",
    "log_level": "info",
    "log_rotate_bytes": 100000000,
    "log_rotate_duration": "24h",
    "encrypt": "Nliwp 3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=",
    "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true,
	"enable_key_list_policy":true
    }
}
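# Create the systemd unit for the agent; the unit contents follow below.
# Locally written units belong in /etc/systemd/system/. /usr/lib/systemd/system/
# is reserved for units shipped by packages and may be overwritten on upgrade.
vim /etc/systemd/system/consul.service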


# systemd unit for the Consul agent; server mode and addresses come from the
# JSON config in -config-dir, not from this unit.
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
# Wait for the network to be fully up: the agent binds to a fixed bind_addr.
Requires=network-online.target
After=network-online.target

[Service]
# Type=notify: the agent signals readiness to systemd itself, so "started"
# means the agent is actually up rather than merely forked.
Type=notify
# NOTE(review): the agent does not need root. A dedicated unprivileged user
# that owns /data/consul limits the impact of a compromised agent; root is
# kept here only because the directories above were created as root.
User=root
# Loads every config file found in the directory (the consul-0N.json above).
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
# SIGHUP asks the agent to reload its configuration without a restart.
ExecReload=/bin/kill --signal HUP $MAINPID
# Only the main process receives the stop signal; child processes are left alone.
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
# Raised fd/process limits for a busy agent.
LimitNOFILE=10240
LimitNPROC=10240

[Install]
WantedBy=multi-user.target
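# Register the new unit, then enable it at boot and start it right away
# (enable --now is enable + start; it returns non-zero if either fails).
systemctl daemon-reload
systemctl enable --now consul
# Confirm the agent is running; anything other than "active" means the unit
# failed and `journalctl -u consul` has the reason.
systemctl is-active consul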

节点三配置

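# Create the Consul directory layout: data, conf, bin, logs.
# The base path is held in one variable so it only has to be changed in one place.
consul_home=/data/consul
mkdir -p -- "${consul_home}"/{data,conf,bin,logs}

# Download the Consul release archive and unpack the binary into
# ${consul_home}/bin/ (verify the release checksum before unpacking).

# Create the node config file; its JSON contents follow below.
# Consul's JSON loader does not accept inline "#" comments, so keep the
# file free of annotations (or write the config as an .hcl file instead).
vim "${consul_home}/conf/consul-03.json"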

{
    "datacenter": "dc1",
    "primary_datacenter": "dc1",
    "bootstrap_expect": 3,
    "start_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "retry_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "advertise_addr": "192.168.1.183",
    "bind_addr": "192.168.1.183",
    "client_addr": "0.0.0.0",
    "server": true,
    "ui": true,
    "connect":{
        "enabled": true
    },
    "node_name": "consul-03",
    "data_dir": "/data/consul/data/",
    "enable_script_checks": false,
    "enable_local_script_checks": false,
    "log_file": "/data/consul/logs/",
    "log_level": "info",
    "log_rotate_bytes": 100000000,
    "log_rotate_duration": "24h",
    "encrypt": "Nliwp 3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=",
    "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true,
	"enable_key_list_policy":true
    }
}
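# Create the systemd unit for the agent; the unit contents follow below.
# Locally written units belong in /etc/systemd/system/. /usr/lib/systemd/system/
# is reserved for units shipped by packages and may be overwritten on upgrade.
vim /etc/systemd/system/consul.service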


# systemd unit for the Consul agent; server mode and addresses come from the
# JSON config in -config-dir, not from this unit.
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
# Wait for the network to be fully up: the agent binds to a fixed bind_addr.
Requires=network-online.target
After=network-online.target

[Service]
# Type=notify: the agent signals readiness to systemd itself, so "started"
# means the agent is actually up rather than merely forked.
Type=notify
# NOTE(review): the agent does not need root. A dedicated unprivileged user
# that owns /data/consul limits the impact of a compromised agent; root is
# kept here only because the directories above were created as root.
User=root
# Loads every config file found in the directory (the consul-0N.json above).
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
# SIGHUP asks the agent to reload its configuration without a restart.
ExecReload=/bin/kill --signal HUP $MAINPID
# Only the main process receives the stop signal; child processes are left alone.
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
# Raised fd/process limits for a busy agent.
LimitNOFILE=10240
LimitNPROC=10240

[Install]
WantedBy=multi-user.target
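# Register the new unit, then enable it at boot and start it right away
# (enable --now is enable + start; it returns non-zero if either fails).
systemctl daemon-reload
systemctl enable --now consul
# Confirm the agent is running; anything other than "active" means the unit
# failed and `journalctl -u consul` has the reason.
systemctl is-active consul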

启用 ACL 访问控制

# 重新启动consul,在任意一节点上初始化consul acl
[root@i-lra7lmuy ~]# consul acl bootstrap
AccessorID:       9bf939ae-cb49-655a-0cc5-adbf6d29b239
SecretID:         98633362-4795-75e0-2c4b-849a7195e3c9
Description:      Bootstrap Token (Global Management)
Local:            false
Create Time:      2022-04-03 12:34:28.883028023 +0800 CST
Policies:
   00000000-0000-0000-0000-000000000001 - global-management
该命令只能执行一次,生成的 SecretID 拥有最高权限(global-management),相当于超级管理员 token,请妥善保管。下文为演示将它同时用作各节点的 agent token;生产环境应为每个节点单独签发只对本节点具有 node 写权限的 agent token。

# 修改三个节点的配置文件,为 ACL 配置 token(Consul 1.11+ 中 tokens.master 已更名为 tokens.initial_management)
...
    "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true,
	"enable_key_list_policy":true,
	"tokens": {
            "master": "98633362-4795-75e0-2c4b-849a7195e3c9",
	    "agent": "98633362-4795-75e0-2c4b-849a7195e3c9"
        }
    }

配置规则

浏览器访问 http://<节点IP>:8500,登录时输入上面生成的 SecretID


默认 Policy 为 global-management,拥有该策略的 SecretID 具备最高权限,相当于超级管理员

AccessorID:访问 ID,唯一,对应一个 token;Scope:作用范围;Roles & Policies:拥有的角色或策略,token 通过关联不同的角色和策略来控制访问权限

# ACL policy rules for the example token.
# Consul applies the longest matching prefix, so a narrower kv_prefix below
# overrides the catch-all "" rule for the keys it covers.

# Service policy: every service writable (broad; in production narrow this to
# the service names the token actually needs).
service_prefix "" {
    policy = "write"		# all services writable
}

# Node policy: every node writable.
node_prefix "" {
    policy = "write"
}

# KV policy: recursive list allowed on every key.
kv_prefix "" {
    policy = "list"		# recursive list on all keys
}

# NOTE(review): a second kv_prefix "" for the same prefix; "write" already
# includes read and list, so the "list" rule above is redundant.
kv_prefix "" {
    policy = "write"		# write on all keys
}

# Keys under config/ are read-only: the longer prefix wins over "".
kv_prefix "config/" {
    policy = "read"		# read-only for keys starting with config/
}
