k8s + stateful Nacos: enabling account/password authentication, plus the Spring Cloud client configuration
- Nacos account/password login: by default permission checks are disabled, so the Nacos console and every configuration file it holds can be read and changed without logging in. That is unacceptable in production, so authentication has to be turned on by hand.
- For a locally started Nacos, change application.properties as follows:

```properties
### The auth system to use; currently only 'nacos' and 'ldap' are supported:
nacos.core.auth.system.type=nacos

### Whether to turn on the auth system:
nacos.core.auth.enabled=true

### Turn on/off caching of auth information. With caching on, updates to auth information (users, roles, permissions) take up to 15 seconds to apply.
nacos.core.auth.caching.enabled=true

### Since 1.4.1: turn on/off the auth whitelist for user-agent "nacos-server". Only meant for upgrades from old versions; keep it off.
nacos.core.auth.enable.userAgentAuthWhite=false

### Since 1.4.1, effective when nacos.core.auth.enabled=true and nacos.core.auth.enable.userAgentAuthWhite=false.
### These two properties form the auth whitelist used to identify requests coming from other Nacos servers.
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security

### Effective when nacos.core.auth.system.type=nacos
### The token expiration in seconds:
nacos.core.auth.plugin.nacos.token.expire.seconds=18000
### The token signing key (base64 of at least 32 random bytes; the value below is a sample):
nacos.core.auth.plugin.nacos.token.secret.key=UmVhbGl6ZSFAIzEyMyFAI1JlYWxpemUhQCMxMjMhQCNSZWFsaXplIUAjMTIzIUAj
```

Three of these values are credentials, not tuning knobs. A request that carries the HTTP header named by `nacos.core.auth.server.identity.key` with the value of `nacos.core.auth.server.identity.value` is treated as a peer server and skips authentication entirely, so `serverIdentity: security` (the sample pair from the upstream properties file) must be replaced with a random value that only the cluster members know. The token secret key signs the login tokens (HS256 JWTs) that the console and the clients present; anyone holding it can sign a token for the `nacos` admin user without knowing any password, so it must be random, at least 32 bytes before base64 encoding, unique per cluster and never the upstream default. Finally, `userAgentAuthWhite` exists only so that old servers can keep talking during an upgrade: while it is `true`, any request whose User-Agent claims to be `Nacos-Server` is let through unauthenticated.
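The script below is an added example, not code from the original post or from the Nacos project. It audits a `nacos.core.auth.plugin.nacos.token.secret.key` value the way Nacos 2.1+ consumes it (base64-decoded to raw HS256 key bytes), generates a replacement, and shows why the key has to stay secret by minting a login token for the `nacos` user with nothing but the key. The token layout (a JWT with `sub` and `exp` claims, signed HS256 with the decoded key) follows Nacos's JwtTokenManager as far as I know it and is an assumption to verify against your version; the sample key is the value copied from the properties above.

```python
"""Audit a Nacos token secret key and show what holding it lets an attacker do.

Added example; not code from the original post or from the Nacos project.
Assumptions (check against your Nacos version): the property is base64-decoded
and the raw bytes are the HS256 key; a login token is a JWT {"sub": user, "exp": ts}.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# Sample value copied from the application.properties snippet above.
PAGE_TOKEN_KEY = "UmVhbGl6ZSFAIzEyMyFAI1JlYWxpemUhQCMxMjMhQCNSZWFsaXplIUAjMTIzIUAj"


def decode_secret_key(b64_key):
    """Nacos treats the property as base64 and uses the decoded bytes as the HMAC key."""
    return base64.b64decode(b64_key, validate=True)


def audit_secret_key(b64_key):
    """Return a list of findings; an empty list means the key looks acceptable."""
    findings = []
    try:
        raw = decode_secret_key(b64_key)
    except ValueError:
        return ["value is not valid base64; Nacos cannot use it as a key"]
    if len(raw) < 32:
        findings.append(f"decoded key is {len(raw)} bytes; HS256 needs at least 32")
    # Heuristics: 32 random bytes are practically never all printable, and never periodic.
    if raw and all(32 <= b < 127 for b in raw):
        findings.append("decoded key is printable ASCII: looks human-chosen, not random")
    if any(raw[p:] == raw[:-p] for p in range(1, len(raw) // 2 + 1)):
        findings.append("decoded key repeats a shorter pattern; its entropy is far below its length")
    return findings


def generate_secret_key(nbytes=32):
    """A replacement value suitable for the property or for NACOS_AUTH_TOKEN."""
    return base64.b64encode(os.urandom(nbytes)).decode()


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(b64_key, username, expire_seconds=18000, now=None):
    """Sign a token for `username` with the server key: no password involved, which is the point."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": username, "exp": now + expire_seconds}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(decode_secret_key(b64_key), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_access_token(token, b64_key, now=None):
    """Return the subject if signature and expiry check out, else None (what the server does)."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(decode_secret_key(b64_key), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        return None
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    for finding in audit_secret_key(PAGE_TOKEN_KEY) or ["no findings"]:
        print("page key:", finding)
    fresh = generate_secret_key()
    print("replacement key:", fresh, "findings:", audit_secret_key(fresh))
    forged = mint_access_token(PAGE_TOKEN_KEY, "nacos")
    print("token forged with the leaked key verifies as user:", verify_access_token(forged, PAGE_TOKEN_KEY))
```

Run it once against the key you intend to ship; the generated value goes into the property (or the `NACOS_AUTH_TOKEN` environment variable in the manifest below), ideally via a Kubernetes Secret rather than a literal in the file.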
- The k8s-nacos-statefulSet-real.yaml manifest for deploying a stateful Nacos cluster in k8s. State itself lives in the external MySQL database (nacos_config); the StatefulSet is there for the stable pod hostnames that `NACOS_SERVERS` lists.

```yaml
# headless service
apiVersion: v1
kind: Service
metadata:
  name: nacos-headless
  namespace: rz-dt
  labels:
    app: nacos
  annotations:
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  ports:
    - protocol: TCP
      port: 8848
      name: server
      targetPort: 8848
    - protocol: TCP
      port: 9848
      name: client-rpc
      targetPort: 9848
    - protocol: TCP
      port: 9849
      name: server-rpc
      targetPort: 9849
  clusterIP: None
  selector:
    app: nacos
---
# StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nacos
  namespace: rz-dt
spec:
  serviceName: nacos-headless
  replicas: 3
  template:
    metadata:
      labels:
        app: nacos
      annotations:
        pod.alpha.kubernetes.io/initialized: "true"
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: "app"
                    operator: In
                    values:
                      # must match the pod label (app: nacos); the original listed the
                      # service name nacos-headless, which no pod carries, so it matched nothing
                      - nacos
              topologyKey: "kubernetes.io/hostname"
      # credentials for pulling the image from the private registry
      imagePullSecrets:
        - name: rz-dt-xxx-miyue-vpc
      containers:
        - name: k8snacos
          imagePullPolicy: Always
          # v2.1.2 re-registers services automatically after a Nacos restart; 2.0.3 does not.
          # Backing database: nacos_config
          image: xxx-xxx-image-server-registry-vpc.cn-shanghai.cr.aliyuncs.com/rz-dt-real/nacos-server:v2.1.2
          resources:
            limits:
              cpu: 900m
              memory: 2Gi
            requests:
              cpu: 10m
              memory: 50Mi
          ports:
            - containerPort: 8848
              name: client-port
            - containerPort: 9848
              name: client-grpc
            - containerPort: 9849
              name: server-grpc
          env:
            - name: NACOS_REPLICAS
              value: "3"
            - name: NACOS_AUTH_SYSTEM_TYPE
              value: "nacos"
            - name: NACOS_AUTH_ENABLE
              value: "true"
            - name: NACOS_AUTH_IDENTITY_KEY
              value: "serverIdentity"
            - name: NACOS_AUTH_IDENTITY_VALUE
              value: "security"
            - name: NACOS_AUTH_TOKEN_EXPIRE_SECONDS
              value: "18000"
            - name: NACOS_AUTH_TOKEN
              value: "UmVhbGl6ZSFAIzEyMyFAI1JlYWxpemUhQCMxMjMhQCNSZWFsaXplIUAjMTIzIUAj"
            - name: NACOS_AUTH_CACHE_ENABLE
              value: "true"
            - name: MYSQL_SERVICE_HOST
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.host
            - name: MYSQL_SERVICE_DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.db.name
            - name: MYSQL_SERVICE_PORT
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.port
            - name: MYSQL_SERVICE_USER
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.user
            - name: MYSQL_SERVICE_PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: nacos-cm
                  key: mysql.password
            - name: MODE
              value: "cluster"
            - name: NACOS_SERVER_PORT
              value: "8848"
            - name: PREFER_HOST_MODE
              value: "hostname"
            - name: NACOS_SERVERS
              value: "nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848 nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848 nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848"
  selector:
    matchLabels:
      app: nacos
---
# Service
apiVersion: v1
kind: Service
metadata:
  name: nacos-service
  namespace: rz-dt
  annotations:
    nginx.ingress.kubernetes.io/affinity: "true"
    nginx.ingress.kubernetes.io/session-cookie-name: backend
    nginx.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
    app: nacos
  ports:
    - name: nacos-headless
      protocol: TCP
      port: 8848
      targetPort: 8848
      nodePort: 30048
    - name: nacos-rpc
      protocol: TCP
      port: 9848
      targetPort: 9848
      nodePort: 31048
    - name: nacos-grpc
      protocol: TCP
      port: 9849
      targetPort: 9849
      nodePort: 31049
  type: NodePort
---
# Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nacos-web
  namespace: rz-dt
spec:
  rules:
    - host: nacos.xxx.com
      http:
        paths:
          - path: /nacos
            backend:
              serviceName: nacos-service
              servicePort: 8848
---
# ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: nacos-cm
  namespace: rz-dt
data:
  mysql.host: "rm-uf6l6XXX.mysql.rds.aliyuncs.com"
  mysql.db.name: "nacos_config"
  mysql.port: "3306"
  mysql.user: "xxx"
  mysql.password: "xxx"
```

Things to check before applying this manifest to a production cluster:
- The MySQL password is stored in a ConfigMap, and `NACOS_AUTH_TOKEN` and `NACOS_AUTH_IDENTITY_VALUE` are literal values in the pod spec. All three are credentials: anyone who can read the manifest, the ConfigMap or the pod gets them. Keep them in a Secret and reference them with `secretKeyRef` instead of `configMapKeyRef` or `value`.
- `serverIdentity` / `security` and the token key are the sample values from the upstream properties file. A request carrying that header value bypasses authentication as a "peer server", and the token key lets anyone sign a valid admin token, so generate random per-cluster values for both.
- The NodePort service publishes 8848 (HTTP API and console), 9848 and 9849 (gRPC) on every node address. Authentication now guards the HTTP API, but the console still faces whatever network the nodes sit on; restrict the source ranges with a NetworkPolicy or a security group, and drop the NodePort altogether if the Ingress is the intended entry point.
- The Ingress has no `tls:` section, so the login form, the password and the returned accessToken travel in cleartext to nacos.xxx.com. Terminate TLS at the ingress controller or at the load balancer in front of it.
- `extensions/v1beta1` Ingress was removed in Kubernetes 1.22; newer clusters need `networking.k8s.io/v1`.
- `NACOS_AUTH_CACHE_ENABLE=true` means that revoking a user or a permission takes up to 15 seconds to become effective, as the properties comment states.
- Spring Cloud microservice yaml configuration carrying the account and password for the Nacos console login:

```yaml
# Tomcat
server:
  port: 9200

# Spring
spring:
  application:
    # application name
    name: application-auth
  profiles:
    # active environment profile
    active: dev
  cloud:
    nacos:
      username: nacos
      password: Realize
      discovery:
        # service registry address
        #server-addr: 127.0.0.1:8848
        #server-addr: nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848
        metadata:
          preserved.heart.beat.interval: 1000
          preserved.heart.beat.timeout: 3000
          preserved.ip.delete.timeout: 3000
      config:
        # config center address
        #server-addr: 127.0.0.1:8848
        #server-addr: nacos-0.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-1.nacos-headless.rz-dt.svc.cluster.local:8848,nacos-2.nacos-headless.rz-dt.svc.cluster.local:8848
        # config file format
        file-extension: yml
        # shared configs
        shared-configs:
          - application-${spring.profiles.active}.${spring.cloud.nacos.config.file-extension}
```

`spring.cloud.nacos.username` and `spring.cloud.nacos.password` apply to both discovery and config, so a single pair is enough. Both `server-addr` lines are commented out here, which means the cluster address has to come from somewhere else (an environment variable or a profile-specific file); nothing in this file points the client at the cluster. Two hardening points: the password is a literal in a file that is normally committed to the repository, so use a placeholder such as `${NACOS_PASSWORD}` populated from a Secret-backed environment variable instead; and the built-in `nacos` admin account should not be what every microservice logs in with. Create one Nacos user per service with a role restricted to that service's namespace, and keep the admin account for the console. Roll the client credentials out before flipping `nacos.core.auth.enabled` on the server: once auth is on, a client without credentials gets 403 on registration and config pulls, and any service that restarts after the switch fails to come up.
- One-click k8s deployment script for Nacos; run it with `sh real.sh`:

```sh
#!/bin/sh
set -eu

echo "Building image..."
image_name=k8s-nacos-statefulSet
echo "One-click k8s deployment"
# exported for envsubst; the manifest only picks it up if it contains a ${IMG_NAME} placeholder
export IMG_NAME=${image_name}
# restrict envsubst to IMG_NAME so no other $... sequence in the manifest is rewritten
envsubst '${IMG_NAME}' < "${image_name}-real.yaml" | kubectl --kubeconfig ~/.kube-rz-real/config apply -f -
```

As written, the manifest above contains no `${IMG_NAME}` placeholder, so the substitution is a no-op until one is added (for example in the `image:` line). Without a shell-format argument, `envsubst` replaces every `$NAME` it finds, which is why the call above names the one variable it is allowed to touch. The "Building image..." message is only a label; this script builds nothing, it applies the manifest with the production kubeconfig.
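Once the manifest is applied, the rollout should be verified rather than assumed: an anonymous config read must be refused, a login with the configured account must return a token, and a read with that token must succeed. The script below is an added example, not code from the original post or from the Nacos project; it uses the documented Nacos HTTP endpoints (`POST /nacos/v1/auth/login`, `GET /nacos/v1/cs/configs` with `accessToken` as a query parameter). The base URL, account, password and dataId are placeholders taken from the configuration above, and the fake transport is constructed here so the check can run offline against a server with auth off (the default) and with auth on.

```python
"""Post-rollout check that Nacos actually rejects anonymous config reads.

Added example; not code from the original post or from the Nacos project.
Real probes go through urllib_transport; make_fake_transport is a constructed
stand-in for a Nacos server so the logic can be exercised without a cluster.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, data=None):
    """Real transport: returns (status, body) and turns 4xx/5xx into return values."""
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def make_fake_transport(auth_enabled, username="nacos", password="Realize"):
    """Constructed stand-in for a Nacos server with auth either off or on."""
    def transport(method, url, data=None):
        parts = urllib.parse.urlsplit(url)
        query = urllib.parse.parse_qs(parts.query)
        if method == "POST" and parts.path == "/nacos/v1/auth/login":
            if data == {"username": username, "password": password}:
                return 200, json.dumps({"accessToken": "tok-constructed", "tokenTtl": 18000, "globalAdmin": True})
            return 403, "unknown user!"
        if method == "GET" and parts.path == "/nacos/v1/cs/configs":
            if not auth_enabled or query.get("accessToken") == ["tok-constructed"]:
                return 200, "server:\n  port: 9200\n"
            return 403, "authorization failed!"
        return 404, ""
    return transport


def check_auth_enforced(base_url, username, password, data_id, group="DEFAULT_GROUP", transport=urllib_transport):
    """Three probes; every value must be True for the rollout to count as safe."""
    cfg_url = f"{base_url}/nacos/v1/cs/configs?" + urllib.parse.urlencode({"dataId": data_id, "group": group})

    # 1. anonymous read: with auth enabled the server answers 403
    status, _ = transport("GET", cfg_url)
    anonymous_rejected = status == 403

    # 2. login with the account the clients are configured with
    status, body = transport("POST", f"{base_url}/nacos/v1/auth/login",
                             data={"username": username, "password": password})
    token = None
    if status == 200:
        try:
            token = json.loads(body).get("accessToken")
        except ValueError:
            token = None

    # 3. the same read again, now carrying the token
    authenticated_read_ok = False
    if token:
        status, _ = transport("GET", cfg_url + "&" + urllib.parse.urlencode({"accessToken": token}))
        authenticated_read_ok = status == 200

    return {
        "anonymous_rejected": anonymous_rejected,
        "login_ok": token is not None,
        "authenticated_read_ok": authenticated_read_ok,
    }


if __name__ == "__main__":
    # With NACOS_ADDR set (e.g. https://nacos.xxx.com) the real server is probed; otherwise the fake one.
    base = os.environ.get("NACOS_ADDR")
    transport = urllib_transport if base else make_fake_transport(auth_enabled=True)
    result = check_auth_enforced(base or "http://nacos.example",
                                 os.environ.get("NACOS_USER", "nacos"),
                                 os.environ.get("NACOS_PASSWORD", "Realize"),
                                 "application-dev.yml", transport=transport)
    print(result)
    sys.exit(0 if all(result.values()) else 1)
```

Run it from a pod inside the cluster (against the ClusterIP or headless service) and once more from outside against the Ingress host; a green result from inside and a 403 on the anonymous probe from outside are what the rollout is supposed to produce. An `anonymous_rejected: False` means the server is still running with `nacos.core.auth.enabled=false`, most often because the pods were not restarted after the environment change.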