### The auth system to use; currently only 'nacos' and 'ldap' are supported:
nacos.core.auth.system.type=nacos
### Whether the auth system is turned on:
nacos.core.auth.enabled=true
### Turn on/off caching of auth information. With caching on, updates to auth information take effect after a 15-second delay.
nacos.core.auth.caching.enabled=true
### Since 1.4.1: turn on/off the auth whitelist for user-agent nacos-server; only for upgrading from an old version.
### It is off here, so requests are not whitelisted by their User-Agent header.
nacos.core.auth.enable.userAgentAuthWhite=false
### Since 1.4.1: effective when nacos.core.auth.enabled=true and nacos.core.auth.enable.userAgentAuthWhite=false.
### These two properties form the auth whitelist and are used to identify requests from other servers.
### NOTE(review): a request carrying this key/value pair is accepted as a peer server, so the pair works as a
### shared credential. "serverIdentity"/"security" match widely published sample values; replace them with a
### deployment-unique random value and keep that value out of version control.
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
### Effective when nacos.core.auth.system.type=nacos
### The token expiration in seconds (18000 s = 5 hours):
nacos.core.auth.plugin.nacos.token.expire.seconds=18000
### The default token:
### NOTE(review): this Base64 value decodes to a short readable phrase repeated three times, not random bytes,
### and the same string is hard-coded again as NACOS_AUTH_TOKEN in the StatefulSet env. Presumably it is the key
### that signs access tokens (confirm); if so, anyone who can read this file can mint valid tokens.
### Generate a random key per environment and inject it at deploy time instead of committing it.
nacos.core.auth.plugin.nacos.token.secret.key=UmVhbGl6ZSFAIzEyMyFAI1JlYWxpemUhQCMxMjMhQCNSZWFsaXplIUAjMTIzIUAj
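# Headless Service: gives every StatefulSet pod a stable DNS name of the form
# nacos-N.nacos-headless.rz-dt.svc.cluster.local, which NACOS_SERVERS relies on.
apiVersion: v1
kind: Service
metadata:
  name: nacos-headless
  namespace: rz-dt
  labels:
    app: nacos
  annotations:
    # Legacy alpha annotation, kept for old clusters. Current clusters read
    # spec.publishNotReadyAddresses instead.
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  # Publish DNS records for pods that are not Ready yet, so cluster members
  # can resolve each other while they are still starting.
  publishNotReadyAddresses: true
  ports:
    - protocol: TCP
      port: 8848
      name: server
      targetPort: 8848
    - protocol: TCP
      port: 9848
      name: client-rpc
      targetPort: 9848
    - protocol: TCP
      port: 9849
      name: server-rpc
      targetPort: 9849
  # clusterIP None makes the Service headless: DNS returns the pod addresses.
  clusterIP: None
  selector:
    app: nacos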
---
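# StatefulSet: three Nacos replicas in cluster mode, with MySQL connection
# settings read from the nacos-cm ConfigMap.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nacos
  namespace: rz-dt
spec:
  serviceName: nacos-headless
  replicas: 3
  template:
    metadata:
      labels:
        app: nacos
      annotations:
        pod.alpha.kubernetes.io/initialized: "true"
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: "app"
                    operator: In
                    values:
                      # Must equal the pod label (app: nacos). The Service
                      # name "nacos-headless" matches no pod, which leaves the
                      # rule inert and lets replicas share a node. With this
                      # value the cluster needs at least three schedulable
                      # nodes.
                      - nacos
              topologyKey: "kubernetes.io/hostname"
      # Credentials for pulling the image from the private registry
      imagePullSecrets:
        - name: rz-dt-xxx-miyue-vpc
      containers:
        - name: k8snacos
          imagePullPolicy: Always
          # With v2.1.2, services re-register automatically after Nacos
          # restarts; with 2.0.3 they do not. Uses the nacos_config database.
          image: xxx-xxx-image-server-registry-vpc.cn-shanghai.cr.aliyuncs.com/rz-dt-real/nacos-server:v2.1.2
          resources:
            limits:
              cpu: 900m
              memory: 2Gi
            requests:
              cpu: 10m
              memory: 50Mi
          ports:
            - containerPort: 8848
              name: client-port
            - containerPort: 9848
              name: client-grpc
            - containerPort: 9849
              name: server-grpc
          env:
            - name: NACOS_REPLICAS
              value: "3"
            - name: NACOS_AUTH_SYSTEM_TYPE
              value: "nacos"
            - name: NACOS_AUTH_ENABLE
              value: "true"
            - name: NACOS_AUTH_IDENTITY_KEY
              value: "serverIdentity"
            # NOTE(review): the identity value and the token below are
            # credentials written in clear text into the manifest, so they are
            # readable by anyone who can view this file or the StatefulSet.
            # "security" also matches a widely published sample value. Source
            # both from a Secret via valueFrom.secretKeyRef and rotate them.
            - name: NACOS_AUTH_IDENTITY_VALUE
              value: "security"
            - name: NACOS_AUTH_TOKEN_EXPIRE_SECONDS
              value: "18000"
            - name: NACOS_AUTH_TOKEN
              value: "UmVhbGl6ZSFAIzEyMyFAI1JlYWxpemUhQCMxMjMhQCNSZWFsaXplIUAjMTIzIUAj"
            - name: NACOS_AUTH_CACHE_ENABLE
              value: "true"
            - name: MYSQL_SERVICE_HOST
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.host
            - name: MYSQL_SERVICE_DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.db.name
            - name: MYSQL_SERVICE_PORT
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.port
            - name: MYSQL_SERVICE_USER
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.user
            # NOTE(review): the database password is read from a ConfigMap,
            # which is not meant for confidential data. Move it to a Secret
            # and reference it with secretKeyRef.
            - name: MYSQL_SERVICE_PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.password
            - name: MODE
              value: "cluster"
            - name: NACOS_SERVER_PORT
              value: "8848"
            - name: PREFER_HOST_MODE
              value: "hostname"
            # Peer list built from the per-pod DNS names of the headless
            # Service; it has to stay in step with replicas.
            - name: NACOS_SERVERS
              value: "nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848 nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848 nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848"
  selector:
    matchLabels:
      app: nacos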
---
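# NodePort Service: opens the Nacos HTTP port and both gRPC ports on every
# node address.
# NOTE(review): this makes 8848, 9848 and 9849 reachable on each node IP,
# bypassing the Ingress. If only in-cluster clients and the Ingress need
# Nacos, type ClusterIP is enough; otherwise limit access to the node ports
# with a NetworkPolicy or firewall rules, in particular for 9849, which the
# headless Service labels as the server-to-server port.
apiVersion: v1
kind: Service
metadata:
  name: nacos-service
  namespace: rz-dt
  annotations:
    # NOTE(review): nginx.ingress.kubernetes.io/* annotations are read by
    # ingress-nginx from Ingress objects, so on a Service they presumably have
    # no effect (confirm). The documented affinity value there is "cookie".
    nginx.ingress.kubernetes.io/affinity: "true"
    nginx.ingress.kubernetes.io/session-cookie-name: backend
    nginx.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
    app: nacos
  ports:
    - name: nacos-headless
      protocol: TCP
      port: 8848
      targetPort: 8848
      nodePort: 30048
    - name: nacos-rpc
      protocol: TCP
      port: 9848
      targetPort: 9848
      nodePort: 31048
    - name: nacos-grpc
      protocol: TCP
      port: 9849
      targetPort: 9849
      nodePort: 31049
  type: NodePort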
---
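# Ingress: routes nacos.xxx.com/nacos to port 8848 of nacos-service.
# extensions/v1beta1 Ingress is no longer served from Kubernetes 1.22 on;
# networking.k8s.io/v1 is available from 1.19 and requires pathType and the
# service/port form of the backend. Clusters older than 1.19 need the previous
# schema.
# NOTE(review): there is no spec.tls section, so unless TLS terminates in
# front of the controller, logins and access tokens for this host travel in
# clear text. Add a tls entry with a certificate Secret, and consider limiting
# which source addresses may reach this host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nacos-web
  namespace: rz-dt
spec:
  rules:
    - host: nacos.xxx.com
      http:
        paths:
          - path: /nacos
            pathType: Prefix
            backend:
              service:
                name: nacos-service
                port:
                  number: 8848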
---
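# ConfigMap: MySQL connection settings consumed by the StatefulSet through
# configMapKeyRef.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nacos-cm
  namespace: rz-dt
data:
  mysql.host: "rm-uf6l6XXX.mysql.rds.aliyuncs.com"
  mysql.db.name: "nacos_config"
  mysql.port: "3306"
  mysql.user: "xxx"
  # NOTE(review): a ConfigMap is not meant for confidential data, and anyone
  # allowed to read ConfigMaps in this namespace can read this password. Store
  # it in a Secret, reference it from the StatefulSet with secretKeyRef, and
  # keep the real value out of the committed manifest.
  mysql.password: "xxx"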
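# Tomcat
server:
  port: 9200
# Spring
spring:
  application:
    # Application name
    name: application-auth
  profiles:
    # Active profile
    active: dev
  cloud:
    nacos:
      # NOTE(review): the Nacos account and its password are committed in
      # clear text, and the password is a single short word. Supply both from
      # the environment or a mounted Secret (for example through a property
      # placeholder) and change the password to a strong, unique value.
      username: nacos
      password: Realize
      discovery:
        # Service registry address
        #server-addr: 127.0.0.1:8848
        #server-addr: nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848
        metadata:
          # Heartbeat tuning; the values are presumably milliseconds (confirm)
          preserved.heart.beat.interval: 1000
          preserved.heart.beat.timeout: 3000
          preserved.ip.delete.timeout: 3000
      config:
        # Config center address
        #server-addr: 127.0.0.1:8848
        #server-addr: nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848
        # Config file format
        file-extension: yml
        # Shared configs; with the values above this is application-dev.yml
        shared-configs:
          - application-${spring.profiles.active}.${spring.cloud.nacos.config.file-extension}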
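# Render the manifest template with envsubst and apply it to the cluster
# selected by the dedicated kubeconfig.
set -eu

echo "开始制作镜像..."
image_name=k8s-nacos-statefulSet
manifest="${image_name}-real.yaml"

# Stop before calling kubectl when the template is missing; otherwise the
# pipeline would hand kubectl an empty stream.
if [ ! -r "$manifest" ]; then
    echo "manifest not readable: $manifest" >&2
    exit 1
fi

echo "k8s一键部署"
export IMG_NAME="${image_name}"
# NOTE(review): envsubst without a variable list replaces every $NAME or
# ${NAME} in the manifest that looks like an environment variable, and unset
# ones become empty strings. Passing the intended list, e.g.
# envsubst '${IMG_NAME}', keeps other values in the manifest intact.
envsubst < "$manifest" | kubectl --kubeconfig ~/.kube-rz-real/config apply -f -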