Trying out GemFire authentication on Kubernetes
In a previous article I confirmed how GemFire authentication works.
This time I want to confirm the same thing on GemFire for Kubernetes.
GemFire for Kubernetes has a peculiar way of loading jar files: in the Locator and Server sections of the GemFireCluster manifest you specify a container image that contains the jar file together with the path of the jar inside that image, as shown below:

```yaml
kind: GemFireCluster
Locators:
- name: locator-1
  image: <container image name>
  jarPath: <jar file path>
Servers:
- name: server-1
  image: <container image name>
  jarPath: <jar file path>
```

```yaml
locators:
  libraries:
  - name: my-custom-security-manager
    container:
      image: my.company.com/myImage:1.0.0
      path: "/build/libs/*.jar"
      imagePullSecretRef:
        name: pull-secret-name
```
So the jar file first has to be containerized.
I wanted to reuse the jar file created last time as it is, but in the Kubernetes edition the gemfire.properties setting security-peer-auth-init is mandatory and an AuthInitialize class has to be specified, so I added an AuthInitialize class as follows and rebuilt.

```shell
cat << EOF > ./src/main/java/com/vmware/gemfire/UserPasswordAuthInit.java
package com.vmware.gemfire;

import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationFailedException;

import java.util.Properties;

// Peer AuthInitialize: supplies the credentials a locator/server presents when joining its peers.
public class UserPasswordAuthInit implements AuthInitialize {
    @Override
    public Properties getCredentials(Properties properties, DistributedMember distributedMember, boolean isPeer) throws AuthenticationFailedException {
        // Credentials are hard-coded for this experiment.
        properties.setProperty("security-username", "gemfire");
        properties.setProperty("security-password", "changeme");
        return properties;
    }
}
EOF
mvn clean package
```
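The AuthInitialize above bakes the peer credentials into the jar, which then ends up in a container image that is pushed to a registry. As an added example (not code from the original post), the following variant resolves them at runtime and fails closed when they are absent; the system property and environment variable names are my own assumption, and how the values reach the JVM (for example a Secret exposed by the operator) is not covered here.

```java
package com.vmware.gemfire;

import java.util.Properties;
import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationFailedException;

/**
 * Peer AuthInitialize that looks the credentials up at runtime instead of
 * compiling them into the jar. Lookup order (names are assumptions):
 *   1. JVM system properties gemfire.peer.username / gemfire.peer.password
 *   2. environment variables GEMFIRE_PEER_USERNAME / GEMFIRE_PEER_PASSWORD
 * A missing value is reported as an authentication failure rather than
 * silently falling back to a default account.
 */
public class EnvUserPasswordAuthInit implements AuthInitialize {

    static final String USER_PROP = "gemfire.peer.username";
    static final String PASS_PROP = "gemfire.peer.password";
    static final String USER_ENV = "GEMFIRE_PEER_USERNAME";
    static final String PASS_ENV = "GEMFIRE_PEER_PASSWORD";

    @Override
    public Properties getCredentials(Properties securityProps, DistributedMember server, boolean isPeer)
            throws AuthenticationFailedException {
        String user = lookup(USER_PROP, USER_ENV);
        String pass = lookup(PASS_PROP, PASS_ENV);
        if (user == null || pass == null) {
            // Do not echo the password; naming the missing setting is enough for the log.
            throw new AuthenticationFailedException(
                "peer credentials not configured (" + USER_PROP + " or " + USER_ENV + ")");
        }
        // Return a fresh Properties object so the caller's properties are not mutated.
        Properties creds = new Properties();
        creds.setProperty("security-username", user);
        creds.setProperty("security-password", pass);
        return creds;
    }

    // First non-empty value wins: system property, then environment variable, else null.
    static String lookup(String sysProp, String envVar) {
        String v = System.getProperty(sysProp);
        if (v == null || v.isEmpty()) {
            v = System.getenv(envVar);
        }
        return (v == null || v.isEmpty()) ? null : v;
    }
}
```

To use it, the security-peer-auth-init override in the manifest would point at com.vmware.gemfire.EnvUserPasswordAuthInit instead, and the user it supplies must be one that the BasicSecurityManager from the previous article accepts.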
After rebuilding, create a Dockerfile that packages the jar into a container.

```shell
cat << EOF > ./Dockerfile
FROM alpine:latest
COPY BasicSecurityManager-1.0-SNAPSHOT.jar .
CMD ["sleep", "365d"]
EOF
```

This places BasicSecurityManager-1.0-SNAPSHOT.jar directly in the root directory of the container.
Build and push it.

```shell
DOCKER_REPO=myrepo
docker build -t ${DOCKER_REPO}/basic-security-manager-jar --platform linux/x86_64 .
docker push ${DOCKER_REPO}/basic-security-manager-jar
```
According to this document, the GemFire Operator requires the credentials used for authentication to be created beforehand and referenced in spec.security.mgmtSvcCredentialsSecretName of the GemFireCluster resource, so create them in advance.

```shell
USERNAME=operator
PASSWORD=secret
kubectl create secret generic basic-auth-security-manager --from-literal=username=$USERNAME --from-literal=password=$PASSWORD
```

In addition, the following restrictions apply when specifying security-manager:
- The same SecurityManager must be specified for the Locators and the Servers
- security-peer-auth-init must be specified
Based on the above, create and apply the following manifest.

```shell
cat << EOF > ./gemfire-cluster-auth.yaml
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: gemfire1
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.0.0
  security:
    mgmtSvcCredentialsSecretName: basic-auth-security-manager
    tls: {}
  locators:
    libraries:
    - name: basic-security-manager-jar
      container:
        image: ${DOCKER_REPO}/basic-security-manager-jar:latest
        path: "/*.jar"
        imagePullSecretRef:
          name: dockerhub
    overrides:
      gemFireProperties:
      - name: "security-manager"
        value: "com.vmware.gemfire.BasicSecurityManager"
      - name: "security-peer-auth-init"
        value: "com.vmware.gemfire.UserPasswordAuthInit"
  servers:
    overrides:
      gemFireProperties:
      - name: "security-manager"
        value: "com.vmware.gemfire.BasicSecurityManager"
      - name: "security-peer-auth-init"
        value: "com.vmware.gemfire.UserPasswordAuthInit"
EOF
kubectl apply -f ./gemfire-cluster-auth.yaml
```

Once the Pod starts, the log mentions the specified jar file.

```
$ kubectl logs gemfire1-locator-0
[info 2023/10/30 10:36:30.011 GMT <main> tid=0x1] Creating automatic module for resource roots: [/gemfire/extensions/BasicSecurityManager-1.0-SNAPSHOT.jar, /gemfire/tools/Modules/gemfire-prometheus-metrics/simpleclient-0.9.0.jar, /gemfire/tools/Modules/gemfire-prometheus-metrics/simpleclient_common-0.9.0.jar, /gemfire/tools/Modules/gemfire-prometheus-metrics/gemfire-prometheus-metrics-10.0.0-build.1630.jar, /gemfire/tools/Modules/gemfire-prometheus-metrics/micrometer-registry-prometheus-1.6.3.jar, /gemfire/tools/Modules/gemfire-prometheus-metrics/gson-2.8.9.jar]
--- BasicSecurityManager-1.0-SNAPSHOT.jar
```
Start a Pod from the GemFire image so that the cluster can be reached with gfsh, and actually connect to it.

```shell
kubectl run --image registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.0.0 debug
```

Enter the Pod and start gfsh.

```shell
kubectl exec -it debug -- bash
gfsh
```

Let's try connecting. With the jar file created last time, you can log in with the username operator and the password secret.

```
gfsh>connect --locator gemfire1-locator-0[10334]
Connecting to Locator at [host=gemfire1-locator-0, port=10334] ..
Connecting to Manager at [host=gemfire1-locator-0.gemfire1-locator.default.svc.cluster.local, port=1099] ..
user: operator
password: ******
Successfully connected to: [host=gemfire1-locator-0.gemfire1-locator.default.svc.cluster.local, port=1099]
```

Authentication appears to be working without any problems.