Latest commit 6054e8b Mar 22, 2019
Custom Adapter

The configuration relationships and execution flow are shown in the figure: auth-adapter

  • Attributes: use the Istio attributes from istio/mixer/testdata/config/attributes.yaml
  • Template mapping attributes to adapter input: use Istio's authorization template, istio/mixer/template/authorization/template.yaml; see template.proto for the protocol definition
  • Adapter: micro-mesh/examples/adapter/auth/config/auth-adapter.yaml
    • generated automatically by go generate ./...
  • Adapter service startup configuration: micro-mesh/examples/adapter/auth/config/config.proto
  • Adapter service instance: micro-mesh/examples/adapter/auth/operatorconfig/cluster-service.yaml
  • Adapter configuration: micro-mesh/examples/adapter/auth/operatorconfig/operator-cfg.yaml
Directory structure
bin                         executables
cmd                         
  └ main.go                 adapter entry point
config                      configuration protocol
  ├ adapter.auth.config.pb.html                 # generated by go generate ./...
  ├ auth-adapter.yaml       adapter descriptor   # generated by go generate ./...
  ├ config.pb.go                                # generated by go generate ./...
  ├ config.proto            adapter service startup configuration
  └ config.proto_descriptor                     # generated by go generate ./...
operatorconfig              k8s configuration
  ├ attributes.yaml         attributes           # copy of istio/mixer/testdata/config/attributes.yaml
  ├ cluster-service.yaml    adapter service instance
  ├ operator-cfg.yaml       adapter configuration
  └ template.yaml           attribute-to-adapter-input template   # copy of istio/mixer/template/authorization/template.yaml
testdata                    test configuration
  ├ attributes.yaml         attributes           # copy of istio/mixer/testdata/config/attributes.yaml
  ├ auth-adapter.yaml       adapter descriptor   # copy of config/auth-adapter.yaml
  ├ operator-cfg.yaml       adapter configuration
  └ template.yaml           attribute-to-adapter-input template   # copy of istio/mixer/template/authorization/template.yaml
auth.go                     adapter service implementation
Dockerfile                  Docker image

Three places relate to the adapter implementation:

  • adapter service startup configuration: config/config.proto
  • adapter service implementation: auth.go
  • adapter entry point: cmd/main.go

Steps

Development environment

  • OSX
  • Go 1.11.1
  • protoc libprotoc 3.6.1
  • Istio 1.1.

1. Istio source code

mkdir -p $GOPATH/src/istio.io/
cd $GOPATH/src/istio.io/
git clone https://github.com/istio/istio.git

2. micro-mesh source code

git clone https://github.com/hb-go/micro-mesh.git

3. Mixer development tools

# build mixer server & client 
cd istio
make mixs
make mixc

mixs and mixc are produced under $GOPATH/out/darwin_amd64/release/

4. Build the auth adapter project (optional)

# copy the auth adapter example (the source is a directory, so copy it recursively)
cp -r {micro-mesh path}/examples/adapter/auth mixer/adapter/auth

cd mixer/adapter/auth

Optional:

# you can delete everything in the `config` directory except `config.proto` and inspect what go generate produces
go generate ./...
go build ./...

go generate uses config/config.proto and the comments in auth.go to produce the remaining files in the config directory:

  • adapter.auth.config.pb.html
  • auth-adapter.yaml
  • config.pb.go
  • config.proto_descriptor

Driven by the following comment in auth.go, mixer_codegen.sh generates an adapter named auth-adapter that uses the authorization template:

// nolint:lll
// Generates the auth adapter's resource yaml. It contains the adapter's configuration, name, supported template
// names (authorization in this case), and whether it is session or no-session based.
//go:generate $GOPATH/src/istio.io/istio/bin/mixer_codegen.sh -a mixer/adapter/auth/config/config.proto -x "-s=false -n auth-adapter -t authorization"

5. Local testing

Local testing uses the configuration under testdata; its operator-cfg.yaml differs from the real deployment in a few places:

  • the handler's address points at the local service "[::]:44225"
  • the instance's params and the rule's match condition are simplified to make testing easier

# start the adapter service
go run cmd/main.go 44225

# start the mixer server with the configuration under testdata
$GOPATH/out/darwin_amd64/release/mixs server \
--configStoreURL=fs://$GOPATH/src/istio.io/istio/mixer/adapter/auth/testdata \
--log_output_level=attributes:debug

# test whether the adapter takes effect
$GOPATH/out/darwin_amd64/release/mixc check -s request.host="localhost" --stringmap_attributes "request.headers=x-custom-token:efg"
# Check RPC completed successfully. Check status was PERMISSION_DENIED (mm-example-auth.handler.istio-system:Unauthorized...)

$GOPATH/out/darwin_amd64/release/mixc check -s request.host="localhost" --stringmap_attributes "request.headers=x-custom-token:abc"
# Check RPC completed successfully. Check status was OK

NOTE: if the results do not match the expectation, the cause may be the Mixer cache (Valid use count: 10000, valid duration: 9.726875254s); see the Istio Mixer Cache series of articles for details.
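The cache caveat in the NOTE, as an added example that is not part of the project's auth.go: a Go stand-in for the adapter's authorization verdict ("abc" allowed, anything else PERMISSION_DENIED) together with a minimal model of Mixer's check cache. It assumes the adapter returns a validity of 10000 uses and 10 seconds, uses a constructed token allow-list, and keys the cache by token, whereas Mixer keys on the instance's attributes and its real types differ from the structs here. What it shows is why a changed verdict does not appear immediately in mixc check: a revoked token keeps passing from the cache until the use count or the duration runs out.

```go
package main

import "time"

// CheckResult: simplified stand-in for what Mixer keeps from an adapter's
// check response (not Istio's generated type).
type CheckResult struct {
	OK            bool // true -> OK, false -> PERMISSION_DENIED
	Message       string
	ValidUseCount int32
	ValidDuration time.Duration
}
// ValidTokens is a constructed allow-list standing in for the real auth.go store.
var ValidTokens = map[string]bool{"abc": true}

// HandleAuthorization decides on the x-custom-token value the authorization
// instance hands to the adapter; the validity fields let Mixer cache the verdict.
func HandleAuthorization(token string) CheckResult {
	r := CheckResult{OK: ValidTokens[token], ValidUseCount: 10000, ValidDuration: 10 * time.Second}
	if !r.OK {
		r.Message = "Unauthorized"
	}
	return r
}

// CheckCache models Mixer's check cache: a verdict is reused until its use
// count or duration runs out. Keyed by token for brevity; Mixer keys on attributes.
type cacheEntry struct {
	res     CheckResult
	uses    int32
	expires time.Time
}
type CheckCache struct {
	entries map[string]*cacheEntry
	now     func() time.Time // injectable clock for deterministic tests
}
func NewCheckCache(now func() time.Time) *CheckCache {
	return &CheckCache{entries: map[string]*cacheEntry{}, now: now}
}

// Check returns the verdict and whether it was served from the cache.
func (c *CheckCache) Check(token string) (CheckResult, bool) {
	if e, ok := c.entries[token]; ok && e.uses < e.res.ValidUseCount && c.now().Before(e.expires) {
		e.uses++
		return e.res, true
	}
	res := HandleAuthorization(token)
	c.entries[token] = &cacheEntry{res: res, uses: 1, expires: c.now().Add(res.ValidDuration)}
	return res, false
}
```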

6. Build the image

# build the executable
CGO_ENABLED=0 GOOS=linux \
    go build -a -installsuffix cgo -v -o bin/auth ./cmd/
    
# docker image
docker build -t hbchen/micro-mesh-example-adapter-auth:v0.0.1 .
docker push hbchen/micro-mesh-example-adapter-auth:v0.0.1

7. Deploying to the Istio environment

Deployment environment

  • GKE 1.12.5-gke.10
  • Istio 1.1.0
# attributes and template
# attributes.yaml -> istio/mixer/testdata/config/attributes.yaml 
# template.yaml -> istio/mixer/template/authorization/template.yaml
kubectl apply -f examples/adapter/auth/operatorconfig/attributes.yaml -f examples/adapter/auth/operatorconfig/template.yaml

# adapter
kubectl apply -f examples/adapter/auth/config/auth-adapter.yaml

operator-cfg.yaml differs from the local test configuration:

  • the handler's address points at the cluster service "mm-example-auth-adapter-service:44225"
  • the instance's params are configured according to the authorization template and the needs of the auth-adapter service
  • the rule's match condition uses destination.service.name == "mm-example-api" and destination.service.host == "mm-example-api.default.svc.cluster.local", so it applies only to the mm-example-api service

# deploy the adapter service instance
kubectl apply -f examples/adapter/auth/operatorconfig/cluster-service.yaml

# adapter configuration
kubectl apply -f examples/adapter/auth/operatorconfig/operator-cfg.yaml

8. Testing in the Istio environment

If JWT verification is not enabled on the Gateway, the Authorization header can be omitted; once the custom auth is in place it is redundant anyway 😂

TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.1/security/tools/jwt/samples/demo.jwt -s)

curl -H "Authorization: Bearer $TOKEN" -H "x-custom-token: efg" -H "Grpc-Metadata-x-tier: 2" -X GET http://35.192.111.18/v1/example/call/Hobo
curl -H "Authorization: Bearer $TOKEN" -H "x-custom-token: abc" -H "Grpc-Metadata-x-tier: 2" -X GET http://35.192.111.18/v1/example/call/Hobo

References
