# springCloud-k8s

**Repository Path**: weilus923/springCloud-k8s

## Basic Information

- **Project Name**: springCloud-k8s
- **Description**: Spring Cloud service discovery based on Kubernetes
- **Primary Language**: Java
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 8
- **Forks**: 8
- **Created**: 2020-03-27
- **Last Updated**: 2023-09-18

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# springCloud

### Kubernetes image registry access

```shell
kubectl create secret docker-registry docker-registry-key \
  --docker-username=646154945@qq.com \
  --docker-password=[PASSWORD] \
  --docker-email=646154945@qq.com \
  --docker-server=registry.cn-hangzhou.aliyuncs.com \
  -n weilus-cloud
```

### Kubernetes service access permissions

```shell
kubectl apply -f fabric8-rbac.yaml
```

### Infrastructure: db, redis

```shell
kubectl create -f https://gitee.com/weilus923/jik/raw/master/postgres/postgres.yml
kubectl create -f https://gitee.com/weilus923/jik/raw/master/mysql/mysql-svc.yaml
kubectl create -f https://gitee.com/weilus923/jik/raw/master/redis/standlone/redis-standlone.yaml
```

### Kubernetes centralised configuration management

> 1. spring-cloud-starter-kubernetes-config: configuration is read from Kubernetes ConfigMaps
> 2. Configuration is refreshed automatically when the ConfigMap changes

```shell
kubectl -n weilus-cloud edit cm gateway
kubectl -n weilus-cloud edit cm flux-call
kubectl -n weilus-cloud edit cm flux-service
```

> 3. Garbled Chinese text in ConfigMaps generated by the fabric8 plugin

IDEA: Settings -> Maven -> Runner -> VM Options: `-Dfile.encoding=UTF-8`

mvn command line: set the system environment variable `MAVEN_OPTS=-Dfile.encoding=UTF-8`, then confirm the platform encoding:

```
C:/Users/Adminstrator> mvn -v
Maven home: D:\Program Files\apache-maven-3.6.2\bin\..
Java version: 1.8.0_221, vendor: Oracle Corporation, runtime: D:\Program Files\Java\jdk1.8.0_221\jre
Default locale: zh_CN, platform encoding: UTF-8
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
```

### User centre: auth

```shell
auth> mvn clean package -P kubernetes fabric8:deploy
```

#### A user requests a token (password grant)

```shell
curl -X POST http://acme:acmesecret@10.244.1.33:8080/auth/oauth/token \
  -d 'grant_type=password&client_id=acme&username=liutaiq&password=123456'
```

#### A trusted organisation requests a token (client credentials grant)

```shell
curl -X POST http://accc:acccsecret@10.244.1.137:8080/auth/oauth/token \
  -d 'grant_type=client_credentials'
```

#### Authorization code grant

> 1. Redirect the user to the authorization endpoint

```http request
http://127.0.0.1:8080/oauth/authorize?client_id=acau&response_type=code&scope=user_info&redirect_uri=http://aa.ccdd
```

> 2. The organisation receives the authorization code and exchanges it for a token

```shell
curl -X POST http://acau:acausecret@10.96.10.96:8088/oauth/oauth/token \
  -d 'grant_type=authorization_code&code=pg4Vz2&redirect_uri=http://aa.ccdd'
```

### Gateway

Micro-service routing: single external entry point, rate limiting, load balancing, authentication.

> 1. Deploy

```shell
gateway> mvn clean package -P kubernetes fabric8:deploy
```

> 2. Configure routes

```shell
gateway> vim src/main/resources/configmap.yml
gateway> mvn fabric8:resource fabric8:apply
```

> 3. View the route configuration

```shell
curl http://10.244.1.130:8080/actuator/gateway/routes
```

### Circuit breaker: resilience4j

> 1. Deploy flux-call

```shell
flux-call> mvn clean package -P kubernetes fabric8:deploy
```

> 2. Deploy flux-service

```shell
flux-service> mvn clean package -P kubernetes fabric8:deploy
```

Call flux-call directly:

```shell
curl http://10.244.1.128:8080/test/sayName
curl http://10.244.1.128:8080/test/sayHello
```

Call flux-service directly:

```shell
curl -H "Content-Type: application/json" -X POST --data '{"name":"德华"}' http://10.244.1.129:8080/api/sayHello
```

Call flux-call through the gateway:

```shell
curl http://10.244.1.131:8080/flux-call/test/sayHello
```

### Micro-service monitoring: Prometheus + Grafana

> 1. Prometheus scrapes the actuator metrics

```http request
https://gitee.com/weilus923/jik/tree/master/prometheus
```

> 2. Import Grafana dashboards, for example the Actuator and Hystrix Dashboard templates from https://grafana.com/grafana/dashboards

### Micro-service log collection: EFK (Elasticsearch + Fluent-bit + Kibana)

```http request
https://gitee.com/weilus923/jik/tree/master/es-fluent-kibana
```

### Micro-service documentation: asciidoctor-maven-plugin

> 1. Documentation server account: edit ~/.m2/settings.xml

```xml
<servers>
  <server>
    <id>doc-site</id>
    <username>root</username>
    <password>admin</password>
  </server>
</servers>
```

> 2. Generate the documentation and publish it to the server

```shell
mvn clean asciidoctor:process-asciidoc wagon:upload-single
```

### Micro-service Kubernetes deployment: fabric8-maven-plugin

> 1. Docker registry account: edit ~/.m2/settings.xml

```xml
<pluginGroups>
  <pluginGroup>io.fabric8</pluginGroup>
</pluginGroups>
<servers>
  <server>
    <id>registry.cn-hangzhou.aliyuncs.com</id>
    <username>用户名</username>      <!-- registry username -->
    <password>密码明文</password>    <!-- registry password, stored in plain text -->
  </server>
</servers>
```

> 2. Kubernetes API server access: copy ~/.kube/config from the Kubernetes master to the local ~/.kube/config, for example C:/Users/Administrator/.kube/config

```shell
scp root@192.168.1.38:/root/.kube/config .kube
```

### Creating custom user accounts in Kubernetes with SSL/TLS authentication

A cluster deployed with kubeadm provides by default a kubeconfig file with cluster-admin rights, /etc/kubernetes/admin.conf, which can be copied to any host that has kubectl to manage the whole cluster. An administrator can instead create custom user accounts authenticated with SSL/TLS client certificates and grant them non-admin access to cluster resources. The procedure is as follows:

> 1. Create a private key and certificate for the user, stored under /etc/kubernetes/pki:

```shell
# create the private key
cd /etc/kubernetes/pki/
(umask 077; openssl genrsa -out liutq.key 2048)
# create the certificate signing request (CN is the username, O is the group)
openssl req -new -key liutq.key -out liutq.csr -subj "/CN=liutq/O=kubernetes"
# sign the certificate with the cluster CA
openssl x509 -req -in liutq.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out liutq.crt -days 3650
# inspect the certificate
openssl x509 -in liutq.crt -text -noout
```

Once the certificate files exist, use the default administrator kubernetes-admin@kubernetes to set up a kubeconfig for the new user liutq. By default it is written to the current system user's .kube/config; a dedicated file path can also be given to kubectl with the `--kubeconfig` option.

```shell
# configure the cluster entry
kubectl config set-cluster kubernetes --embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.1.38:6443
# configure the client certificate and key
kubectl config set-credentials liutq --embed-certs=true --client-certificate=/etc/kubernetes/pki/liutq.crt --client-key=/etc/kubernetes/pki/liutq.key
# configure a context that combines the cluster and the credentials
kubectl config set-context liutq@kubernetes --cluster=kubernetes --user=liutq
# switch to the new user
kubectl config use-context liutq@kubernetes
# no authorization has been granted yet, so listing pods is refused
kubectl get pods
Error from server (Forbidden): pods is forbidden: User "liutq" cannot list resource "pods" in API group "" in the namespace "default"
# switch back to the admin user
kubectl config use-context kubernetes-admin@kubernetes
```

> 2. Role-based access control

Edit rb-liutq.yaml:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pods-reader
rules:
- apiGroups: ["","apps","extensions"]
  resources: ["namespaces","pods","pods/log","services","configmaps","deployments"]
  # despite the name "pods-reader", this rule also grants create/update/delete
  # on services, configmaps and deployments in the namespace;
  # "post" and "put" are not Kubernetes API verbs (HTTP POST/PUT map to create/update)
  verbs: ["create","update","delete","post","put","get","list","watch","patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: rb-liutq
  namespace: weilus-cloud
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: liutq
```

Grant the permissions to user liutq:

```shell
kubectl apply -f rb-liutq.yaml -n weilus-cloud
# switch to the new user
kubectl config use-context liutq@kubernetes
# the Role is now bound, so listing pods in weilus-cloud succeeds
kubectl get pods -n weilus-cloud
```

> 3. Install the config on the client at ~/.kube/config, removing the kubernetes-admin entries; for example C:/Users/Administrator/.kube/config
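The three steps above (key and CSR, CA signature, kubeconfig assembly, then handing the file to the client) as one script. This is an added example and not part of the springCloud-k8s repository: the user name `liutq`, group `kubernetes`, namespace `weilus-cloud` and API server `https://192.168.1.38:6443` are taken from the README as defaults, and `make_test_ca` is a constructed throwaway CA used only so the certificate part can be exercised without a cluster. The script writes the new user into its own kubeconfig file instead of the admin's, so step 3 (stripping the kubernetes-admin entries before shipping the file) is no longer needed.

```shell
#!/bin/sh
# Added example (not from the springCloud-k8s repository): issue a TLS client
# certificate for a non-admin Kubernetes user and build a dedicated kubeconfig.
# Names and addresses are placeholders taken from the README; override via env.
set -eu

K8S_USER="${K8S_USER:-liutq}"
USER_GROUP="${USER_GROUP:-kubernetes}"      # becomes O=, i.e. the user's group
NAMESPACE="${NAMESPACE:-weilus-cloud}"
API_SERVER="${API_SERVER:-https://192.168.1.38:6443}"
DAYS="${DAYS:-365}"                         # README uses 3650; shorter limits a leaked key

# make_user_cert DIR CA_CRT CA_KEY
# Writes DIR/<user>.key (mode 0600), a CSR with CN=<user>/O=<group> and
# DIR/<user>.crt signed by the cluster CA; prints the certificate subject.
make_user_cert() {
  dir="$1"; ca_crt="$2"; ca_key="$3"
  ( umask 077; openssl genrsa -out "$dir/$K8S_USER.key" 2048 2>/dev/null )
  openssl req -new -key "$dir/$K8S_USER.key" -out "$dir/$K8S_USER.csr" \
    -subj "/CN=$K8S_USER/O=$USER_GROUP" 2>/dev/null
  openssl x509 -req -in "$dir/$K8S_USER.csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -out "$dir/$K8S_USER.crt" -days "$DAYS" 2>/dev/null
  # Check the chain before handing the certificate out: the API server only
  # accepts client certificates that chain to its own CA.
  openssl verify -CAfile "$ca_crt" "$dir/$K8S_USER.crt" >/dev/null
  openssl x509 -in "$dir/$K8S_USER.crt" -noout -subject
}

# cert_cn CRT / cert_org CRT: the identity the API server will see (CN is the
# username, O entries are groups); accepts both "CN = x, O = y" and "/CN=x/O=y".
cert_cn()  { openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'; }
cert_org() { openssl x509 -in "$1" -noout -subject | sed -n 's|.*O *= *\([^,/]*\).*|\1|p'; }

# key_mode FILE: permission string of the private key, expected "-rw-------"
key_mode() { ls -l "$1" | cut -c1-10; }

# make_test_ca DIR: constructed throwaway CA so the script can be exercised
# without a cluster. On a real cluster use /etc/kubernetes/pki/ca.crt and ca.key.
make_test_ca() {
  ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=test-ca" 2>/dev/null )
}

# build_kubeconfig DIR CA_CRT: a separate kubeconfig holding only the new
# user's cluster, credentials and context, with certificates embedded so the
# file is self-contained and never carries the kubernetes-admin entries.
build_kubeconfig() {
  dir="$1"; ca_crt="$2"; kcfg="$dir/$K8S_USER.kubeconfig"
  kubectl --kubeconfig "$kcfg" config set-cluster kubernetes --embed-certs=true \
    --certificate-authority="$ca_crt" --server="$API_SERVER"
  kubectl --kubeconfig "$kcfg" config set-credentials "$K8S_USER" --embed-certs=true \
    --client-certificate="$dir/$K8S_USER.crt" --client-key="$dir/$K8S_USER.key"
  kubectl --kubeconfig "$kcfg" config set-context "$K8S_USER@kubernetes" \
    --cluster=kubernetes --user="$K8S_USER" --namespace="$NAMESPACE"
  kubectl --kubeconfig "$kcfg" config use-context "$K8S_USER@kubernetes"
  # After the RoleBinding is applied, list what the identity can really do and
  # compare it with what a "pods-reader" should be allowed.
  kubectl --kubeconfig "$kcfg" auth can-i --list -n "$NAMESPACE" || true
  echo "$kcfg"
}

main() {
  work="$(mktemp -d)"
  make_user_cert "$work" /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/ca.key
  build_kubeconfig "$work" /etc/kubernetes/pki/ca.crt
}

# Only the control plane holds ca.key, so the real run is opt-in:
#   sh user-cert.sh run
case "${1:-}" in run) main ;; esac
```

Run it on the control plane node and copy only the printed `liutq.kubeconfig` to the client (the README's `C:/Users/Administrator/.kube/config` location); the `.key` file inside the temp directory is the user's long-term secret and should be deleted once it is embedded. The `auth can-i --list` output is the quickest way to notice that the `pods-reader` Role in the README grants writes on deployments, services and configmaps, not just pod reads.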