The two previous articles, Spring Cloud OAuth2 Basics and Spring Cloud OAuth2 Advanced, analysed authentication and authorization under the various OAuth2 grant types on top of Spring Cloud. This article goes on to combine that setup with Kubernetes (k8s) for high availability (HA).
The authentication mechanism itself is covered in detail in Spring Cloud OAuth2 Advanced; refer back to it if needed. The focus here is on how to use k8s to provide HA.
A look back:
Recall the code structure described earlier:
Auth center: the OAuth2 server
Order system: OAuth2 client 1
User management system: OAuth2 client 2
In this system the services are loosely coupled but call each other frequently, which means frequent traffic between the UI and the services. To make this highly available we bring in the k8s Service mechanism:
The article Spring Cloud Kubernetes in Practice 2: Service Registration and Discovery explained how to create services as k8s Services and deploy several pods behind each, and Spring Cloud Kubernetes in Practice 3: Gateway combined this with a gateway to achieve load balancing (LB), resolving a service by hostname and balancing according to the defined rules. This article builds on the OAuth2 setup and uses the same pieces to load-balance the microservices. Because k8s does the main work, client services written in other languages (Python, Go, Rust, and so on) can handle authentication and traffic in their own logic. This confirms the point made in A Brief Note on Microservice Compatibility: microservices are language-agnostic, and services in any language can be managed uniformly.
Note: since every microservice talks to the auth center, the auth center must be served in HA fashion. Add @EnableDiscoveryClient to the startup class, and annotate the injected bean with @LoadBalanced so that calls to the auth center are load balanced.
package com.damon;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;

import com.damon.config.EnvConfig;

/**
 * @author Damon
 * @date 2020-01-13 15:23:06
 *
 */
@EnableOAuth2Sso
@Configuration
@EnableAutoConfiguration
@ComponentScan(basePackages = {"com.damon"})
@EnableConfigurationProperties(EnvConfig.class)
@EnableDiscoveryClient // prepares for load balancing across the multi-node auth center
public class AdminApp {
    public static void main(String[] args) {
        SpringApplication.run(AdminApp.class, args);
    }
}
package com.damon.config;

import javax.annotation.Resource;

import org.springframework.cloud.client.loadbalancer.LoadBalanced;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class BeansConfig {

    @Resource
    private Environment env;

    // @LoadBalanced lets the RestTemplate resolve service names (e.g. http://cas-server-service)
    // through the discovery client and balance requests across the auth-center instances.
    @LoadBalanced
    @Bean
    public RestTemplate restTemplate() {
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
        // Timeouts (ms) are read from configuration, with defaults of 15 s read and 3 s connect.
        requestFactory.setReadTimeout(env.getProperty("client.http.request.readTimeout", Integer.class, 15000));
        requestFactory.setConnectTimeout(env.getProperty("client.http.request.connectTimeout", Integer.class, 3000));
        return new RestTemplate(requestFactory);
    }
}
In addition, the interaction itself has to be configured against a hostname (rather than a fixed address) for LB to work; here the k8s Service provides that hostname.
cas-server-url: http://cas-server-service # HA address (the k8s Service); alternatively http://localhost:2000 for a directly reachable instance
security:
  oauth2: # configuration matching cas-server
    client:
      client-id: admin-web
      client-secret: admin-web-123
      user-authorization-uri: ${cas-server-url}/oauth/authorize # needed for the authorization-code grant
      access-token-uri: ${cas-server-url}/oauth/token # token endpoint used by the password grant
    resource:
      loadBalanced: true
      id: admin-web
      user-info-uri: ${cas-server-url}/api/user # URI of the user-info endpoint
      prefer-token-info: false
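The Kubernetes objects that make http://cas-server-service highly available are not shown in the article; the manifest below is an added example (not the project's own) of a Deployment with several auth-center replicas behind a Service whose name matches the cas-server-url host. The image name, namespace, labels and the Actuator health path are assumptions; port 2000 follows the localhost:2000 alternative in the configuration above.

```yaml
# Added example, not from the original article. Image, namespace, labels and probe path are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cas-server
  namespace: default
spec:
  replicas: 3                          # several auth-center pods behind one Service
  selector:
    matchLabels:
      app: cas-server
  template:
    metadata:
      labels:
        app: cas-server
    spec:
      containers:
        - name: cas-server
          image: REGISTRY/cas-server:TAG   # placeholder image reference
          ports:
            - containerPort: 2000
          readinessProbe:                  # a pod that fails readiness is dropped from the
            httpGet:                       # Service endpoints, so no client is balanced onto it
              path: /actuator/health       # assumed Spring Boot Actuator endpoint
              port: 2000
            initialDelaySeconds: 20
            periodSeconds: 10
          livenessProbe:                   # a hung pod is restarted rather than left serving errors
            httpGet:
              path: /actuator/health
              port: 2000
            initialDelaySeconds: 60
            periodSeconds: 20
---
apiVersion: v1
kind: Service
metadata:
  name: cas-server-service             # must equal the host used in cas-server-url
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: cas-server                    # selects the Deployment's pods above
  ports:
    - name: http
      port: 80                         # http://cas-server-service (no port) resolves to 80
      targetPort: 2000                 # forwarded to the Spring Boot port in the container
```

For the replicas to accept each other's tokens, the auth center must use a shared token store (for example JDBC or Redis) rather than the default in-memory one; otherwise a token issued by one pod is rejected when the user-info call lands on another.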
This completes the consumer-side configuration. The consumer client likewise has to be exposed to the UI as a Service, which relies on the gateway from Spring Cloud Kubernetes in Practice 3: Gateway together with an nginx proxy.
Next, the test:
curl -i -X POST -d "username=admin&password=123456&grant_type=password&client_id=admin-web&client_secret=admin-web-123" http://192.168.8.10:5556/cas-server/oauth/token
HTTP/1.1 200 OK
transfer-encoding: chunked
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: DENY
Date: Thu, 27 Feb 2020 06:49:17 GMT
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
{"access_token":"5a7892b0-7483-4f60-89fd-44255a429ff6","token_type":"bearer","refresh_token":"23f2e8ea-f091-4ab0-822c-f28bebc4ec08","expires_in":3599,"scope":"all"}
Use the returned access_token to call the corresponding client application:
curl -i -H "Accept: application/json" -H "Authorization:bearer 5a7892b0-7483-4f60-89fd-44255a429ff6" -X GET http://192.168.8.10:5556/admin-web/api/user/getCurrentUser
{"authorities":[{"authority":"admin"}],"details":{"remoteAddress":"10.244.0.196","sessionId":null,"tokenValue":"5a7892b0-7483-4f60-89fd-44255a429ff6","tokenType":"bearer","decodedDetails":null},"authenticated":true,"userAuthentication":{"authorities":[{"authority":"admin"}],"details":{"authorities":[{"authority":"admin"}],"details":{"remoteAddress":"10.244.0.201","sessionId":null,"tokenValue":"5a7892b0-7483-4f60-89fd-44255a429ff6","tokenType":"Bearer","decodedDetails":null},"authenticated":true,"userAuthentication":{"authorities":[{"authority":"admin"}],"details":{"client_secret":"admin-web-123","grant_type":"password","client_id":"admin-web","username":"admin"},"authenticated":true,"principal":{"password":null,"username":"admin","authorities":[{"authority":"admin"}],"accountNonExpired":true,"accountNonLocked":true,"credentialsNonExpired":true,"enabled":true},"credentials":null,"name":"admin"},"oauth2Request":{"clientId":"admin-web","scope":["all"],"requestParameters":{"grant_type":"password","client_id":"admin-web","username":"admin"},"resourceIds":[],"authorities":[],"approved":true,"refresh":false,"redirectUri":null,"responseTypes":[],"extensions":{},"grantType":"password","refreshTokenRequest":null},"principal":{"password":null,"username":"admin","authorities":[{"authority":"admin"}],"accountNonExpired":true,"accountNonLocked":true,"credentialsNonExpired":true,"enabled":true},"credentials":"","clientOnly":false,"name":"admin"},"authenticated":true,"principal":"admin","credentials":"N/A","name":"admin"},"clientOnly":false,"credentials":"","principal":"admin","oauth2Request":{"clientId":"admin-web","scope":[],"requestParameters":{},"resourceIds":[],"authorities":[],"approved":true,"refresh":false,"redirectUri":null,"responseTypes":[],"extensions":{},"refreshTokenRequest":null,"grantType":null},"name":"admin"}
With that, the HA interaction between the client and the auth center (OAuth2), with dynamic load balancing, is complete.