概述

Consul 集群（三个节点）部署方式使用 StatefulSet

Consul 集群成员之间使用TLS进行安全通信 TLS and encryption keys

先决条件

　　主节点需要安装以下工具：cfssl 、 cfssljson、consul

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod a+x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

wget https://releases.hashicorp.com/consul/1.7.1/consul_1.7.1_linux_amd64.zip
unzip consul_1.7.1_linux_amd64.zip
mv consul /usr/local/bin/

consul一般下载比较慢，以下提供百度云下载地址：
链接: https://pan.baidu.com/s/1sePwMD0yKL62FvlMSn8dyw 提取码: kkua

安装教程

克隆 Github 项目

git clone https://github.com/kelseyhightower/consul-on-kubernetes.git
cd consul-on-kubernetes

生成 TLS 证书

cfssl gencert -initca ca/ca-csr.json | cfssljson -bare ca
cfssl gencert   -ca=ca.pem   -ca-key=ca-key.pem   -config=ca/ca-config.json   -profile=default   ca/consul-csr.json | cfssljson -bare consul

生成 Consul Gossip 加密密钥

GOSSIP_ENCRYPTION_KEY=$(consul keygen)

创建 Consul 集群Secret 和 Configmap

kubectl create secret generic consul   --from-literal="gossip-encryption-key=${GOSSIP_ENCRYPTION_KEY}"   --from-file=ca.pem   --from-file=consul.pem   --from-file=consul-key.pem
kubectl create configmap consul --from-file=configs/server.json

创建 Consul 集群 Persistent Volume

mkdir -p /data/pv/consul-0 /data/pv/consul-1 /data/pv/consul-2
vim consul-pv.yaml　　　　# 内容如下
kubectl create -f consul-pv.yaml 

apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    app: data-consul-0
  name: data-consul-0
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  hostPath:
    path: /data/pv/consul-0
---
apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    app: data-consul-1
  name: data-consul-1
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  hostPath:
    path: /data/pv/consul-1
---
apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    app: data-consul-2
  name: data-consul-2
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  hostPath:
    path: /data/pv/consul-2

consul-pv.yaml

创建 Consul 集群 StatefulSet、Serviceaccount 、Clusterroles、Service

kubectl create -f services/consul.yaml
kubectl apply -f serviceaccounts/consul.yaml
kubectl apply -f clusterroles/consul.yaml
kubectl create -f services/consul.yaml 

等待 Consul 所有节点 Running

kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
consul-0   1/1       Running   0          50s
consul-1   1/1       Running   0          29s
consul-2   1/1       Running   0          15s

查看 Consul 集群状态

kubectl logs consul-0

[]# kubectl exec -it consul-0 /bin/sh
/ # consul members
Node      Address           Status  Type    Build     Protocol  DC   Segment
consul-0  10.11.3.139:8301  alive   server  1.4.0rc1  2         dc1  <all>
consul-1  10.11.5.11:8301   alive   server  1.4.0rc1  2         dc1  <all>
consul-2  10.11.0.9:8301    alive   server  1.4.0rc1  2         dc1  <all>
/ # ^C
/ # exit
command terminated with exit code 130

访问 Consul 集群 Web UI

1）本地访问

kubectl port-forward consul-0 8500:8500

然后本地浏览器访问 http://127.0.0.1:8500 即可。

2）通过 NodePort 对外暴露端口

vim services/consul.yaml　　　　# 修改如下
kubectl replace -f services/consul.yaml

apiVersion: v1
kind: Service
metadata:
  name: consul
  labels:
    name: consul
spec:
  #clusterIP: None
  type: NodePort
  ports:
    - name: http
      port: 8500
      nodePort: 30500
      targetPort: 8500    - ......

然后任意浏览器访问 http://masterip:30500 即可。

3）通过 Ingress 暴露外网地址

暂不做说明

清理 Consul 相关资源

bash cleanup

【参考】：https://github.com/kelseyhightower/consul-on-kubernetes