1. Overview
The security-api-gateway module talks to the Kong admin API and implements the following functions:
- Check that the Kong server is healthy
- Check that the Vault server is healthy (by calling Vault's v1/sys/health)
- Register each EdgeX Foundry microservice with Kong as a service
- Set up a route for each EdgeX Foundry microservice
- Enable the JWT security plugin on each EdgeX Foundry microservice
- Register the Kong admin API itself as a service, so that the port-8001 functionality is reachable through port 8000, also protected by JWT
- Enable certificate-based (HTTPS) access; the certificate is stored in Vault, fetched dynamically and loaded into Kong
- Create a user (a Kong consumer) and return its JWT string; delete a user
- Clear all resources (reset), i.e. delete everything the initialisation created in Kong: consumers, the EdgeX Foundry services/routes, and all other resources
2. Implementation
2.1 Check that Kong has started normally
2.2 Check that Vault has started normally
2.3 Initialise Kong
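The three steps above, written out as the admin-API calls they amount to. This is an added example, not code from docker-edgex-proxy-go: the endpoints are Kong's documented admin API (GET /status, POST /services, POST /services/{name}/routes, POST /services/{name}/plugins) and Vault's GET /v1/sys/health, but the admin address, the Vault address, the EdgeX upstream URLs and ports, the route paths and the JSON request bodies are all assumptions made for the example.

```python
"""Health checks and Kong registration behind the proxy's --init (added example)."""
import json
import urllib.error
import urllib.request

KONG_ADMIN = "http://kong:8001"   # assumed: Kong admin listener on the compose network
VAULT_ADDR = "http://vault:8200"  # assumed: Vault API listener
ROUTE_HOST = "edgex"              # the Host header the page's curl calls send

# Assumed upstreams; the page does not list them.
EDGEX_SERVICES = {
    "command": "http://edgex-core-command:48082",
    "data": "http://edgex-core-data:48080",
    "metadata": "http://edgex-core-metadata:48081",
}


def http_json(method, url, body=None):
    """Real transport: returns (status, parsed JSON or {}). Tests pass a fake instead."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        return e.code, {}
    except urllib.error.URLError:
        return 0, {}


def kong_healthy(send=http_json):
    status, _ = send("GET", KONG_ADMIN + "/status")
    return status == 200


def vault_healthy(send=http_json):
    # Vault encodes its state in the status code: 200 initialised+unsealed+active,
    # 429 standby, 501 not initialised, 503 sealed. Only 200 is usable here.
    status, _ = send("GET", VAULT_ADDR + "/v1/sys/health")
    return status == 200


def registration_plan(services=EDGEX_SERVICES, admin_upstream=KONG_ADMIN):
    """Ordered admin-API calls: a service, a host+path route and a jwt plugin per
    EdgeX service, plus the admin API itself exposed (JWT-guarded) through the proxy.
    Kong strips the matched path by default, so /command/api/v1/ping reaches the
    command upstream as /api/v1/ping, exactly as in the page's curl call."""
    plan = []
    targets = dict(services, admin=admin_upstream)
    for name, upstream in targets.items():
        plan.append(("POST", "/services", {"name": name, "url": upstream}))
        plan.append(("POST", f"/services/{name}/routes",
                     {"hosts": [ROUTE_HOST], "paths": [f"/{name}"]}))
        plan.append(("POST", f"/services/{name}/plugins", {"name": "jwt"}))
    return plan


def apply_plan(plan, send=http_json):
    """Execute the plan; stop at the first non-2xx so a half-initialised gateway is visible."""
    done = []
    for method, path, body in plan:
        status, _ = send(method, KONG_ADMIN + path, body)
        if status // 100 != 2:
            return done, (method, path, status)
        done.append(path)
    return done, None


def init_gateway(send=http_json):
    """Sections 2.1 to 2.3 in order: refuse to register anything unless both backends answer."""
    if not kong_healthy(send) or not vault_healthy(send):
        return None
    return apply_plan(registration_plan(), send)
```

The transport is a parameter so the call sequence can be exercised without a running Kong; `init_gateway()` with the default transport performs the real requests.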
3. Hands-on example
3.1 Add a user
3.1.1 First, find the image name
Run:
- docker ps -a
The result is shown below; the image is edgexfoundry/docker-edgex-proxy-go:security, as in the figure:
3.1.2 Find the name of the docker-compose network
Run:
- docker network ls
Note the network name in the output: dockercompose_edgex-network. Why this name? docker-compose builds it from the name of the directory the docker-compose command was run in (docker-compose, with the hyphen dropped) and the bridge network defined under networks in docker-compose.yml (edgex-network).
3.1.3 View the help
Run the following command, where:
- --network is the network name found above, dockercompose_edgex-network
- edgexfoundry/docker-edgex-proxy-go:security is the image
- -h is the run argument; it is passed through to the ENTRYPOINT and prints the help
- docker run --network=dockercompose_edgex-network --rm=true edgexfoundry/docker-edgex-proxy-go:security -h
3.1.4 Add a user
Run the following command to create the user testuser:
- docker run --network=dockercompose_edgex-network --rm=true edgexfoundry/docker-edgex-proxy-go:security --useradd=testuser
It returns testuser's JWT string: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI0aURyVEJodXFPdURoYnpLaWkwZ1QxMlUxa1IwZ2c3biIsImFjY291bnQiOiJ0ZXN0dXNlciJ9.5eYeOJNN2zbMAlpCV2bvSFR-B4MRS3_EC6bPUHtJDTE
Save this string carefully; it is what every later request through Kong will carry, and a wrong JWT fails authentication. Treat it as a credential: it is not bound to a client and carries no expiry, so anyone who obtains it can use it until the user is deleted.
As shown in the figure:
3.1.5 Access an EdgeX Foundry microservice through Kong
Suppose we want to call the command module's ping endpoint. Run:
- curl -k -v -H "host: edgex" "https://172.21.0.7:8443/command/api/v1/ping?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI0aURyVEJodXFPdURoYnpLaWkwZ1QxMlUxa1IwZ2c3biIsImFjY291bnQiOiJ0ZXN0dXNlciJ9.5eYeOJNN2zbMAlpCV2bvSFR-B4MRS3_EC6bPUHtJDTE"
- or:
- curl -k -v -H "host: edgex" "http://172.21.0.7:8000/command/api/v1/ping?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI0aURyVEJodXFPdURoYnpLaWkwZ1QxMlUxa1IwZ2c3biIsImFjY291bnQiOiJ0ZXN0dXNlciJ9.5eYeOJNN2zbMAlpCV2bvSFR-B4MRS3_EC6bPUHtJDTE"
Note: 172.21.0.7 above can also be replaced with the host machine's IP.
The result is shown below: the command microservice was reached successfully and returned the expected "pong", as in the figure:
Three points about the command:
1) Why https://172.21.0.7:8443
Because the hostname "kong" defined in docker-compose only resolves inside the compose network; the command line on the host cannot use it. The container's address can be read with docker inspect, e.g. docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <kong container>, and the IP shown in the figure below is reachable:
2) host: edgex, why edgex
It is the host the routes were registered with. If the Host header is wrong, Kong replies: {"message":"no route and no API found with those values"}
3) jwt is the string returned when the user was created above. If the JWT is wrong, Kong replies: {"message":"Bad token; invalid signature"}. Kong's jwt plugin also accepts the token in an Authorization: Bearer header, which keeps it out of URLs and access logs; and since the port-8000 variant sends the token in cleartext and -k disables certificate verification, use the 8443 listener with a trusted certificate for anything beyond a local test.
3.1.6 Delete a user
- myEdgex@instance-nbpv5z80:~/docker-compose$ docker run --network=dockercompose_edgex-network --rm=true edgexfoundry/docker-edgex-proxy-go:security --userdel=testuser
- INFO: 2018/10/22 00:41:10 Reverse proxy is up successfully.
- INFO: 2018/10/22 00:41:10 Secret management service is up successfully.
- INFO: 2018/10/22 00:41:10 Successful to delete testuser at consumers/.
After the user is deleted, a request through Kong with the old token is rejected with: {"message":"No credentials found for given 'iss'"}
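The token from 3.1.4 and the two rejections seen in 3.1.5 and 3.1.6, reproduced offline. This is an added example, not code from docker-edgex-proxy-go or Kong; it assumes only what the page shows: the consumer credential's key travels in the iss claim, the token is HS256-signed with the credential's secret, and the two error strings are the ones the page records. The credential lengths and the messages marked "assumed" in the code are not from the page.

```python
"""HS256 JWT handling as Kong's jwt plugin applies it to the proxy's tokens (added example)."""
import base64
import hashlib
import hmac
import json
import secrets

# Token copied from the page (--useradd=testuser output). Its secret is not known here.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiI0aURyVEJodXFPdURoYnpLaWkwZ1QxMlUxa1IwZ2c3biIsImFjY291bnQiOiJ0ZXN0dXNlciJ9."
    "5eYeOJNN2zbMAlpCV2bvSFR-B4MRS3_EC6bPUHtJDTE"
)
BAD_SIGNATURE = "Bad token; invalid signature"            # from the page
NO_CREDENTIALS = "No credentials found for given 'iss'"   # from the page
BAD_ALGORITHM = "algorithm does not match credential"     # wording assumed


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_credential() -> dict:
    """Same shape as the JSON Kong returns from POST /consumers/{user}/jwt (lengths assumed)."""
    return {"key": secrets.token_urlsafe(24), "secret": secrets.token_urlsafe(24), "algorithm": "HS256"}


def mint_jwt(credential: dict, account: str, extra_claims=None) -> str:
    """Build the token --useradd hands back: iss = credential key, HS256 over header.payload."""
    header = {"alg": credential["algorithm"], "typ": "JWT"}
    payload = {"iss": credential["key"], "account": account, **(extra_claims or {})}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(credential["secret"].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_claims(token: str) -> dict:
    """Payload without verification: anyone holding the token can read this."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_like_kong(token: str, credentials_by_key: dict):
    """Look up the credential by iss, pin the algorithm, then check the HMAC.
    Returns (error_message, None) on rejection or (None, claims) on success."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return ("malformed token", None)  # wording assumed
    cred = credentials_by_key.get(claims.get("iss"))
    if cred is None:  # consumer or credential gone: the page's --userdel case
        return (NO_CREDENTIALS, None)
    if header.get("alg") != cred["algorithm"]:  # never let the token pick the algorithm
        return (BAD_ALGORITHM, None)
    expected = hmac.new(cred["secret"].encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return (BAD_SIGNATURE, None)
    return (None, claims)


def has_expiry(claims: dict) -> bool:
    """The page's token carries no exp, and Kong checks exp only when the plugin's
    claims_to_verify includes it; without it, deleting the consumer is the only revocation."""
    return "exp" in claims
```

Decoding PAGE_TOKEN shows the claims the page's user received: iss is the 32-character credential key Kong generated and account is testuser, with no expiry. Checking it against an empty credential table yields exactly the "No credentials found for given 'iss'" message seen after --userdel.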
3.1.7 Reset Kong
- myEdgex@instance-nbpv5z80:~/docker-compose$ docker run --network=dockercompose_edgex-network --rm=true edgexfoundry/docker-edgex-proxy-go:security --reset=true
- INFO: 2018/10/22 00:52:54 Reverse proxy is up successfully.
- INFO: 2018/10/22 00:52:54 Secret management service is up successfully.
- INFO: 2018/10/22 00:52:54 Successful to delete 054d19da-07c1-48ea-bd5b-4c1acfa761ab at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete 2d5164d1-790b-48b5-91d1-b485e1e0aa4f at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete 427f0acf-16e0-48b9-a616-b7ebfd31f401 at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete 4e05176f-5c49-4ffe-b613-1dca18ef5b68 at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete 673a0f92-ac5e-4920-8719-59d83c614d19 at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete 9efedde9-f005-4852-bca8-e5c6af58aadd at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete a6d32fbc-8c5e-491d-ac7e-cb46c3ac9aef at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete b822fae6-ebc2-490e-802d-24630be81eec at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete d1826d8e-359f-4660-a66b-9fb5cf1b653b at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete f3e29be9-8827-4447-8f6b-0eab062977a8 at routes/.
- INFO: 2018/10/22 00:52:54 Successful to delete 060be224-2dd7-4cd7-913e-71dfc78e29e8 at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete 06f81d5e-d114-445f-8947-e5b3090f6f8d at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete 1e907583-33f8-45f0-b4aa-608fa700d848 at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete 39792666-906d-47fc-8814-ff02b060c3af at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete 48ec0716-96b3-4198-ba58-437edddf54e7 at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete 9d8c21fe-244c-4ada-95dd-ec95f5c5c22b at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete a3015780-3d24-4d0b-b0a7-d74cea2032c4 at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete ab468f76-44e9-464d-95b7-e8a1bb4537c7 at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete ae487501-a655-40ab-903d-a5c5863ffc64 at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete eeac3c76-839a-4497-b3c1-6c46204c3c62 at services/.
- INFO: 2018/10/22 00:52:54 Successful to delete 30d54bc7-8c17-4c69-9ba7-a1796c832071 at consumers/.
- INFO: 2018/10/22 00:52:54 Successful to delete adcd1227-e4c8-4809-932f-ae7956a547dc at certificates/.