- nacos 账号密码登录：默认未开启鉴权，不登录也能访问 nacos 控制台配置文件，生产环境非常不安全，所以需要手动开启安全认证。
- 本地启动nacos的 application.properties配置文件更改如下:
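### Nacos server-side authentication (application.properties). Collapsed onto
### one line this file is a single comment and none of the settings apply;
### properties files are one `key=value` per line.

### The auth system to use, currently only 'nacos' and 'ldap' is supported:
nacos.core.auth.system.type=nacos

### If turn on auth system:
nacos.core.auth.enabled=true

### Turn on/off caching of auth information. By turning on this switch, the update of auth information would have a 15 seconds delay.
nacos.core.auth.caching.enabled=true

### Since 1.4.1, Turn on/off white auth for user-agent: nacos-server, only for upgrade from old version.
### Kept off: with it on, any request presenting that User-Agent skips auth.
nacos.core.auth.enable.userAgentAuthWhite=false

### Since 1.4.1, worked when nacos.core.auth.enabled=true and nacos.core.auth.enable.userAgentAuthWhite=false.
### The two properties is the white list for auth and used by identity the request from other server.
### The key/value pair is a shared secret between cluster members: treat the
### value like a password, use the same pair on every node (see
### NACOS_AUTH_IDENTITY_* in the StatefulSet) and pick something less
### guessable than "security" for production.
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security

### worked when nacos.core.auth.system.type=nacos
### The token expiration in seconds (5 hours):
nacos.core.auth.plugin.nacos.token.expire.seconds=18000

### The default token:
### Base64-encoded signing key for login tokens. This value is published in
### this document, so generate a fresh one locally before deploying and keep
### it out of version control; it must match NACOS_AUTH_TOKEN on every node.
nacos.core.auth.plugin.nacos.token.secret.key=UmVhbGl6ZSFAIzEyMyFAI1JlYWxpemUhQCMxMjMhQCNSZWFsaXplIUAjMTIzIUAj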
- k8s里部署有状态nacos 的k8s-nacos-statefulSet-real.yaml 配置
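# k8s-nacos-statefulSet-real.yaml — 3-node Nacos cluster with server-side auth
# enabled (same nacos.core.auth.* values as application.properties).
# Documents: headless Service, StatefulSet, NodePort Service, Ingress,
# ConfigMap (non-secret DB settings), Secret (passwords and auth tokens).

# headless service — gives each pod the stable DNS name used in NACOS_SERVERS
apiVersion: v1
kind: Service
metadata:
  name: nacos-headless
  namespace: rz-dt
  labels:
    app: nacos
  annotations:
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  # Supported replacement for the alpha annotation above: members must be able
  # to resolve each other before they report ready.
  publishNotReadyAddresses: true
  ports:
    - protocol: TCP
      port: 8848
      name: server
      targetPort: 8848
    - protocol: TCP
      port: 9848
      name: client-rpc
      targetPort: 9848
    - protocol: TCP
      port: 9849
      name: server-rpc
      targetPort: 9849
  clusterIP: None
  selector:
    app: nacos
---
# StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nacos
  namespace: rz-dt
spec:
  serviceName: nacos-headless
  replicas: 3
  selector:
    matchLabels:
      app: nacos
  template:
    metadata:
      labels:
        app: nacos
      annotations:
        pod.alpha.kubernetes.io/initialized: "true"
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: "app"
                    operator: In
                    # Must equal the pod label (app: nacos). The earlier value
                    # "nacos-headless" matched no pod, so replicas could land on
                    # one node. "required" semantics need at least three
                    # schedulable nodes; otherwise the extra replicas stay Pending.
                    values:
                      - nacos
              topologyKey: "kubernetes.io/hostname"
      # Pull credentials for the private registry
      imagePullSecrets:
        - name: rz-dt-xxx-miyue-vpc
      containers:
        - name: k8snacos
          imagePullPolicy: Always
          # v2.1.2 re-registers services automatically after a restart; 2.0.3 did
          # not. Backing database: nacos_config.
          image: xxx-xxx-image-server-registry-vpc.cn-shanghai.cr.aliyuncs.com/rz-dt-real/nacos-server:v2.1.2
          resources:
            limits:
              cpu: 900m
              memory: 2Gi
            requests:
              cpu: 10m
              memory: 50Mi
          ports:
            - containerPort: 8848
              name: client-port
            - containerPort: 9848
              name: client-grpc
            - containerPort: 9849
              name: server-grpc
          # NOTE(review): no readiness/liveness probes are defined, so a pod that
          # has not finished joining the cluster is still an endpoint of
          # nacos-service.
          env:
            - name: NACOS_REPLICAS
              value: "3"
            # Server-side auth; mirrors nacos.core.auth.* in application.properties
            - name: NACOS_AUTH_SYSTEM_TYPE
              value: "nacos"
            - name: NACOS_AUTH_ENABLE
              value: "true"
            - name: NACOS_AUTH_IDENTITY_KEY
              value: "serverIdentity"
            # The identity value and the token signing key are shared secrets:
            # read from the Secret below instead of being written into the manifest.
            - name: NACOS_AUTH_IDENTITY_VALUE
              valueFrom:
                secretKeyRef:
                  name: nacos-secret
                  key: nacos.auth.identity.value
            - name: NACOS_AUTH_TOKEN_EXPIRE_SECONDS
              value: "18000"
            - name: NACOS_AUTH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: nacos-secret
                  key: nacos.auth.token
            - name: NACOS_AUTH_CACHE_ENABLE
              value: "true"
            # External MySQL holding the nacos_config schema
            - name: MYSQL_SERVICE_HOST
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.host
            - name: MYSQL_SERVICE_DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.db.name
            - name: MYSQL_SERVICE_PORT
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.port
            - name: MYSQL_SERVICE_USER
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.user
            - name: MYSQL_SERVICE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nacos-secret
                  key: mysql.password
            - name: MODE
              value: "cluster"
            - name: NACOS_SERVER_PORT
              value: "8848"
            - name: PREFER_HOST_MODE
              value: "hostname"
            # Peer list derived from the headless Service DNS names
            - name: NACOS_SERVERS
              value: "nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848 nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848 nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848"
---
# Service
# NOTE(review): NodePort publishes the console (8848) and both gRPC ports on
# every node's address. The Ingress below only needs a ClusterIP; if no client
# connects to the node ports directly, switch type to ClusterIP and drop the
# nodePort fields so auth is not the only thing between the network and Nacos.
apiVersion: v1
kind: Service
metadata:
  name: nacos-service
  namespace: rz-dt
  # NOTE(review): nginx.ingress.kubernetes.io/* annotations are read from
  # Ingress objects; on a Service they are presumably ignored — verify with the
  # ingress controller in use.
  annotations:
    nginx.ingress.kubernetes.io/affinity: "true"
    nginx.ingress.kubernetes.io/session-cookie-name: backend
    nginx.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
    app: nacos
  ports:
    - name: nacos-headless
      protocol: TCP
      port: 8848
      targetPort: 8848
      nodePort: 30048
    - name: nacos-rpc
      protocol: TCP
      port: 9848
      targetPort: 9848
      nodePort: 31048
    - name: nacos-grpc
      protocol: TCP
      port: 9849
      targetPort: 9849
      nodePort: 31049
  type: NodePort
---
# Ingress
# NOTE(review): extensions/v1beta1 Ingress is no longer served from Kubernetes
# 1.22; clusters at or above that need networking.k8s.io/v1 (pathType plus
# backend.service.name/port). No tls: stanza is set, so console logins travel
# over plain HTTP unless TLS is terminated elsewhere.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nacos-web
  namespace: rz-dt
spec:
  rules:
    - host: nacos.xxx.com
      http:
        paths:
          - path: /nacos
            backend:
              serviceName: nacos-service
              servicePort: 8848
---
# ConfigMap — non-secret database connection settings only
apiVersion: v1
kind: ConfigMap
metadata:
  name: nacos-cm
  namespace: rz-dt
data:
  mysql.host: "rm-uf6l6XXX.mysql.rds.aliyuncs.com"
  mysql.db.name: "nacos_config"
  mysql.port: "3306"
  mysql.user: "xxx"
---
# Secret — database password and the Nacos auth secrets (previously inline in
# the ConfigMap / StatefulSet env). The values here are the ones published in
# this document; generate fresh ones before deploying and keep this object out
# of version control (or manage it with an external secret store).
apiVersion: v1
kind: Secret
metadata:
  name: nacos-secret
  namespace: rz-dt
type: Opaque
stringData:
  mysql.password: "xxx"
  nacos.auth.identity.value: "security"
  nacos.auth.token: "UmVhbGl6ZSFAIzEyMyFAI1JlYWxpemUhQCMxMjMhQCNSZWFsaXplIUAjMTIzIUAj"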
- springcloud 微服务yaml配置nacos控制台登录的账号密码
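# Spring Cloud service configuration: Nacos console credentials plus
# discovery/config-centre settings. Collapsed onto one line this file does not
# parse; YAML needs the indentation below.

# Tomcat
server:
  port: 9200

# Spring
spring:
  application:
    # Application name
    name: application-auth
  profiles:
    # Active environment
    active: dev
  cloud:
    nacos:
      # Console login. Resolved from the environment when NACOS_USERNAME /
      # NACOS_PASSWORD are set (names chosen here), otherwise the previous
      # inline values. Remove the inline defaults once every environment
      # injects the credentials, so the password no longer lives in this file.
      username: ${NACOS_USERNAME:nacos}
      password: ${NACOS_PASSWORD:Realize}
      discovery:
        # Service registry address — none is set here, so the client
        # presumably falls back to its built-in default; set one per profile.
        #server-addr: 127.0.0.1:8848
        #server-addr: nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848
        metadata:
          preserved.heart.beat.interval: 1000
          preserved.heart.beat.timeout: 3000
          preserved.ip.delete.timeout: 3000
      config:
        # Config centre address (same remark as discovery.server-addr)
        #server-addr: 127.0.0.1:8848
        #server-addr: nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848
        # Config file format
        file-extension: yml
        # Shared configuration
        shared-configs:
          - "application-${spring.profiles.active}.${spring.cloud.nacos.config.file-extension}"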
- k8s一键发布nacos执行脚本,sh real.sh
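#!/bin/sh
# real.sh — one-shot deploy of the Nacos StatefulSet manifest to the "real"
# cluster: substitutes IMG_NAME into <image_name>-real.yaml and applies it.
# Invoked as `sh real.sh`, so only POSIX sh features are used.
set -eu

# NOTE(review): nothing builds an image here despite the message; the manifest
# pins nacos-server:v2.1.2 directly.
echo "开始制作镜像..."
image_name=k8s-nacos-statefulSet
echo "k8s一键部署"
export IMG_NAME="${image_name}"
# Limit envsubst to IMG_NAME so any other `$...` text in the manifest
# (Spring-style placeholders, for example) is left untouched.
envsubst '${IMG_NAME}' < "${image_name}-real.yaml" | kubectl --kubeconfig ~/.kube-rz-real/config apply -f -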