總覽
本步驟說明如何為上一個步驟中建立的 Google Cloud 服務帳戶設定驗證方法。
選取要使用的驗證方式,然後按照相關說明操作。如要瞭解各種驗證方法,請參閱「Apigee Hybrid 中的服務帳戶驗證方法」。
Kubernetes Secret
服務帳戶
您需要為下列服務帳戶建立 Kubernetes 密鑰:
正式環境
apigee-cassandraapigee-loggerapigee-martapigee-metricsapigee-mint-task-scheduler(如果您使用 Apigee Hybrid 營利)apigee-runtimeapigee-synchronizerapigee-udcaapigee-watcher
非正式環境
apigee-non-prod
這個程序會使用下列選用環境變數:
$APIGEE_HELM_CHARTS_HOME$APIGEE_NAMESPACE$PROJECT_ID
如果您未定義這些變數,請在程式碼範例中,為每個變數代入適當的值。
建立 Kubernetes Secret
建立 Kubernetes 密鑰,儲存服務帳戶金鑰。
下列程式碼範例中的 kubectl create secret 指令具有下列結構:
kubectl create secret generic SECRET_NAME \ --from-file="client_secret.json=PATH_TO_SERVICE_ACCOUNT_KEY" \ -n $APIGEE_NAMESPACE
正式環境
kubectl create secret generic apigee-logger-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-logger.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-metrics-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-metrics.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-watcher-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-watcher.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-udca-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-udca.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-mart-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-mart.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-synchronizer-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-synchronizer.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-runtime-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-runtime.json" \
-n $APIGEE_NAMESPACE如果您使用 Apigee hybrid 的營利功能,也需要為 apigee-mint-task-scheduler 服務帳戶建立 Kubernetes 密鑰:
kubectl create secret generic apigee-mint-task-scheduler-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-mint-task-scheduler.json" \ -n APIGEE_NAMESPACE
非正式環境
kubectl create secret generic apigee-non-prod-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-non-prod.json" \ -n $APIGEE_NAMESPACE
選用:建立 Kubernetes Secret 後,您可以刪除服務帳戶 JSON 檔案。
如要進一步瞭解如何搭配使用 Kubernetes 密鑰與 Apigee Hybrid,請參閱「在 Kubernetes 密鑰中儲存服務帳戶金鑰」。
JSON 檔案
使用 JSON 檔案設定驗證時,不需要採取額外步驟。請繼續進行步驟 6:建立傳輸層安全標準 (TLS) 憑證。
保管箱
設定在 Vault 中儲存服務帳戶密鑰
安裝 CSI 驅動程式和 Vault 供應商
如果尚未在叢集上使用 Helm 安裝 CSI 驅動程式,請按照「Secrets Store CSI Driver: Installation」一文中的指示操作。詳情請參閱 Vault 說明文件中的「安裝 Vault CSI 供應商」。
如要瞭解 Apigee Hybrid 支援的最低 CSI 驅動程式版本,請參閱「Apigee Hybrid 支援的平台和版本」。
建立 Vault 密鑰、政策和角色
使用 Vault UI 或 API 建立密鑰,並授予 Apigee Hybrid 使用的 Kubernetes 服務帳戶讀取這些密鑰的權限。
-
以以下格式建立機構和環境專屬的密鑰:
密鑰 密鑰資料 secret/data/apigee/orgsakeys
{ "cassandraBackup": "***", "cassandraRestore": "***", "connectAgent": "***", "logger": "***", "mart": "***", "metrics": "***", "mint": "***", "udca": "***", "watcher": "***" }secret/data/apigee/envsakeys-ENV_NAME
{ "runtime": "***", "synchronizer": "***", "udca": "***". }將每對
"***"替換為對應 apigee 元件的 Google 服務帳戶 .json 檔案內容。apigee-cassandra-backup和apigee-cassandra-restore都使用apigee-cassandra服務帳戶。例如:{ "cassandraBackup": "{ "type": "service_account", "project_id": "myhybridorg", "private_key_id": "PRIVATE_KEY_ID", "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY_TEXT\n-----END PRIVATE KEY-----\n", "client_email": "apigee-cassandra@myhybridorg.iam.gserviceaccount.com", "client_id": "123456789012345678901", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/apigee-cassandra%40myhybridorg.iam.gserviceaccount.com", "universe_domain": "googleapis.com" }", "cassandraRestore":... ... } - 授予機構密鑰的存取權。建立名為 orgsakeys-auth-policy.txt 的文字檔,並在其中加入下列內容:
path "secret/data/apigee/orgsakeys" { capabilities = ["read"] } -
在 Vault 中建立政策,授予機構密鑰的存取權:
vault policy write apigee-orgsakeys-auth orgsakeys-auth-policy.txt
-
為每個環境建立名為
envsakeys-ENV_NAME-auth-policy.txt的文字檔案,並在其中加入下列內容:path "secret/data/apigee/envsakeys-ENV_NAME" { capabilities = ["read"] }針對每個環境重複這個步驟。
-
在 Vault 中建立政策,授予環境密鑰的存取權:
vault policy write apigee-envsakeys-ENV_NAME-auth envsakeys-ENV_NAME-auth-policy.txt
針對每個環境重複這個步驟。
-
建立名為
generate-encoded-sas.sh的指令碼,內容如下:# generate-encoded-sas.sh ORG=$APIGEE_ORG # Apigee organization name ENVS=$APIGEE_ENV_LIST # comma separated env names, for example: dev,prod ORG_SHORT_NAME=$(echo $ORG | head -c 15) ENCODE=$(echo -n $ORG | shasum -a 256 | head -c 7) ORG_ENCODE=$(echo "$ORG_SHORT_NAME-$ENCODE") NAMES=apigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa,apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-${ORG_ENCODE},apigee-cassandra-schema-val-${ORG_ENCODE},apigee-cassandra-user-setup-${ORG_ENCODE},apigee-mart-${ORG_ENCODE},apigee-mint-task-scheduler-${ORG_ENCODE},apigee-connect-agent-${ORG_ENCODE},apigee-watcher-${ORG_ENCODE},apigee-udca-${ORG_ENCODE},apigee-metrics-apigee-telemetry,apigee-open-telemetry-collector-apigee-telemetry,apigee-logger-apigee-telemetry for ENV in ${ENVS//,/ } do ENV_SHORT_NAME=$(echo $ENV | head -c 15) ENCODE=$(echo -n $ORG:$ENV | shasum -a 256 | head -c 7) ENV_ENCODE=$(echo "$ORG_SHORT_NAME-$ENV_SHORT_NAME-$ENCODE") NAMES+=,apigee-synchronizer-${ENV_ENCODE},apigee-runtime-${ENV_ENCODE} done echo $NAMES -
執行指令碼,產生要繫結政策的服務帳戶名稱清單:
./generate-encoded-sas.sh
輸出內容應為以半形逗號分隔的 Kubernetes 服務帳戶名稱清單,類似於下列範例:
./generate-encoded-sas.shapigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa, apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-myhybrido rg-5b044c1,apigee-cassandra-schema-val-myhybridorg-5b044c1,apigee-c assandra-user-setup-myhybridorg-5b044c1,apigee-mart-myhybridorg-5b0 44c1,apigee-mint-task-scheduler-myhybridorg-5b044c1,apigee-connect- agent-myhybridorg-5b044c1,apigee-watcher-myhybridorg-5b044c1,apigee -udca-myhybridorg-5b044c1,apigee-metrics-apigee-telemetry,apigee-op en-telemetry-collector-apigee-telemetry,apigee-logger-apigee-teleme try,apigee-synchronizer-myhybridorg-dev-ee52aca,apigee-runtime-myhy bridorg-dev-ee52aca,apigee-synchronizer-myhybridorg-prod-2d0221c,ap igee-runtime-myhybridorg-prod-2d0221c -
將輸出文字複製到並分成清單,一個清單用於 org 服務帳戶名稱,另一個清單用於每個環境的 env 服務帳戶名稱。輸出清單中會優先列出 org 服務帳戶,最多
apigee-logger-apigee-telemetry個。上一個範例中的 org 服務名稱清單:
apigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa, apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-myhybrido rg-5b044c1,apigee-cassandra-schema-val-myhybridorg-5b044c1,apigee-c assandra-user-setup-myhybridorg-5b044c1,apigee-mart-myhybridorg-5b0 44c1,apigee-mint-task-scheduler-myhybridorg-5b044c1,apigee-connect- agent-myhybridorg-5b044c1,apigee-watcher-myhybridorg-5b044c1,apigee -udca-myhybridorg-5b044c1,apigee-metrics-apigee-telemetry,apigee-op en-telemetry-collector-apigee-telemetry,apigee-logger-apigee-teleme try
env 服務帳戶名稱的模式為
apigee-synchronizer-ORG_NAME-ENV_NAME-HASH_TEXT和apigee-runtime-ORG_NAME-ENV_NAME-HASH_TEXT。請為每個環境分別建立清單。舉例來說,上一個範例的輸出內容可以分成以下兩個清單:dev環境:apigee-synchronizer-myhybridorg-dev-ee52aca,apigee-runtime-myhybrid org-dev-ee52aca
prod環境:apigee-synchronizer-myhybridorg-prod-2d0221c,apigee-runtime-myhybri dorg-prod-2d0221c
-
使用這項政策建立保管箱角色,繫結機構專屬的 Apigee 服務帳戶:
vault write auth/kubernetes/role/apigee-orgsakeys \ bound_service_account_names=LIST_OF_ORG_SA_NAMES \ bound_service_account_namespaces=apigee \ policies=apigee-orgsakeys-auth \ ttl=1m -
為每個環境的服務帳戶金鑰建立 Vault 角色:
vault write auth/kubernetes/role/apigee-envsakeys-ENV_NAME \ bound_service_account_names=LIST_OF_ENV_NAME_SA_NAMES \ bound_service_account_namespaces=apigee \ policies=apigee-envsakeys-ENV_NAME-auth \ ttl=1m針對每個環境重複這個步驟。
建立 SecretProviderClass 物件
SecretProviderClass 資源會告知 CSI 驅動程式,要求密碼時要與哪個供應商通訊。服務帳戶金鑰必須透過這個物件設定。下表列出 Apigee Hybrid 預期的檔案名稱 (objectNames):
| 服務帳戶 | 預期的密鑰檔案名稱 |
|---|---|
| Cassandra 備份 | cassandraBackup |
| 還原 Cassandra | cassandraRestore |
| Connect 代理程式 | connectAgent |
| Logger | logger |
| MART | mart |
| 指標 | metrics |
| 營利 (如果使用 Apigee Hybrid 營利) |
mint |
| 執行階段 | runtime |
| 同步處理工具 | synchronizer |
| UDCA | udca |
| Watcher | watcher |
-
請使用下列
SecretProviderClass範本,為機構專屬密鑰設定這項資源:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: apigee-orgsakeys-spc spec: provider: vault parameters: roleName: apigee-orgsakeys vaultAddress: VAULT_ADDRESS # "objectName" is an alias used within the SecretProviderClass to reference # that specific secret. This will also be the filename containing the secret. # Apigee Hybrid expects these exact values so they must not be changed. # "secretPath" is the path in Vault where the secret should be retrieved. # "secretKey" is the key within the Vault secret response to extract a value from. objects: | - objectName: "cassandraBackup" secretPath: "" secretKey: "" - objectName: "cassandraRestore" secretPath: "" secretKey: "" - objectName: "connectAgent" secretPath: "" secretKey: "" - objectName: "logger" secretPath: "" secretKey: "" - objectName: "mart" secretPath: "" secretKey: "" - objectName: "metrics" secretPath: "" secretKey: "" - objectName: "mint" secretPath: "" secretKey: "" - objectName: "udca" secretPath: "" secretKey: "" - objectName: "watcher" secretPath: "" secretKey: ""VAULT_ADDRESS 是 Vault 伺服器的執行端點。如果 Vault 與 Apigee 位於同一叢集,格式通常為
http://vault.$APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。將範本儲存至名為
spc-org.yaml的檔案。 -
將機構專屬的
SecretProviderClass套用至 apigee 命名空間:kubectl -n $APIGEE_NAMESPACE apply -f spc-org.yaml
-
針對每個環境,請使用下列
SecretProviderClass範本,為環境專屬的密鑰設定這項資源。針對每個環境重複這個步驟:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: apigee-envsakeys-ENV_NAME-spc spec: provider: vault parameters: roleName: apigee-envsakeys-ENV_NAME vaultAddress: VAULT_ADDRESS # "objectName" is an alias used within the SecretProviderClass to reference # that specific secret. This will also be the filename containing the secret. # Apigee Hybrid expects these exact values so they must not be changed. # "secretPath" is the path in Vault where the secret should be retrieved. # "secretKey" is the key within the Vault secret response to extract a value from. objects: | - objectName: "runtime" secretPath: "" secretKey: "" - objectName: "synchronizer" secretPath: "" secretKey: "" - objectName: "udca" secretPath: "" secretKey: ""VAULT_ADDRESS 是 Vault 伺服器的執行端點。如果 Vault 與 Apigee 位於同一個叢集和命名空間,格式通常為
http://vault.$APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。將範本儲存至名為
spc-env-ENV_NAME.yaml的檔案。 -
針對每個環境,將環境專屬的
SecretProviderClass套用至 apigee 命名空間:kubectl -n $APIGEE_NAMESPACE apply -f spc-env-ENV_NAME.yaml
針對每個環境重複這個步驟。
-
選用:建立
SecretProviderClass物件後,您可以刪除服務帳戶 JSON 檔案。
GKE 的 WIF
準備設定 GKE 適用的工作負載身分聯盟
- 確認您已在覆寫檔案中啟用 GKE 適用的工作負載身分聯盟。您應在下列屬性的覆寫檔案中啟用這項功能。
- 「
namespace」是必填欄位。例如:instanceID: "hybrid-instance-1" namespace: "apigee"
- 如果您為所有元件使用單一服務帳戶 (非正式版),請使用下列指令指定該帳戶:
gcp.workloadIdentity.gsa。例如:gcp: workloadIdentity: enabled: true gsa: "apigee-non-prod@my-hybrid-project.iam.gserviceaccount.com" - 如果您為每個元件 (生產安裝) 使用個別的服務帳戶,請使用元件的
gsa屬性指定服務帳戶。例如:logger: gsa: "apigee-logger@my-hybrid-project.iam.gserviceaccount.com"
- 「
- 使用下列指令,確認目前的
gcloud設定已設為您的 Google Cloud 專案 ID:gcloud config get project
- 確認 GKE 叢集已啟用 Workload Identity Federation for GKE。在步驟 1:建立叢集中建立叢集時,步驟 6 是啟用 GKE 適用的 Workload Identity Federation。執行下列指令,確認是否已啟用:
地區性叢集
gcloud container clusters describe $CLUSTER_NAME \ --region $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten 'workloadIdentityConfig'
區域叢集
gcloud container clusters describe $CLUSTER_NAME \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten 'workloadIdentityConfig'
輸出內容應如下所示:
--- workloadPool: $PROJECT_ID.svc.id.goog
如果結果顯示
null,請執行下列指令,為叢集啟用 Workload Identity Federation for GKE:地區性叢集
gcloud container clusters update $CLUSTER_NAME \ --workload-pool=$PROJECT_ID.svc.id.goog \ --project $PROJECT_ID \ --region $CLUSTER_LOCATION
區域叢集
gcloud container clusters update $CLUSTER_NAME \ --workload-pool=$PROJECT_ID.svc.id.goog \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID
-
使用下列指令,為每個節點集區啟用 Workload Identity Federation for GKE。這項作業最多需要 30 分鐘才能完成每個節點的升級:
地區性叢集
gcloud container node-pools update NODE_POOL_NAME \ --cluster=$CLUSTER_NAME \ --region $CLUSTER_LOCATION \ --project $PROJECT_ID \ --workload-metadata=GKE_METADATA
區域叢集
gcloud container node-pools update NODE_POOL_NAME \ --cluster=$CLUSTER_NAME \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID \ --workload-metadata=GKE_METADATA
其中 NODE_POOL_NAME 是各節點集區的名稱。在大多數 Apigee Hybrid 安裝作業中,這兩個預設節點集區分別命名為
apigee-data和apigee-runtime。 - 使用下列指令,確認節點集區已啟用 Workload Identity Federation for GKE:
地區性叢集
gcloud container node-pools describe apigee-data \ --cluster $CLUSTER_NAME \ --region $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten "config:"
gcloud container node-pools describe apigee-runtime \ --cluster $CLUSTER_NAME \ --region $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten "config:"
區域叢集
gcloud container node-pools describe apigee-data \ --cluster $CLUSTER_NAME \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten "config:"
gcloud container node-pools describe apigee-runtime \ --cluster $CLUSTER_NAME \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten "config:"
輸出內容應如下所示:
--- diskSizeGb: 100 diskType: pd-standard ... workloadMetadataConfig: mode: GKE_METADATA
視需要設定目前的 gcloud 設定:
gcloud config set project $PROJECT_ID
在其他平台使用 WIF
在 GKE 以外的平台上使用 Workload Identity Federation 時,您可以透過下列方法設定 SA 驗證:
- Kubernetes Secret
- 服務帳戶 JSON 檔案
- 保管箱
在下列操作說明中,選擇您使用的驗證方法分頁標籤。
這個程序會使用步驟 2:下載 Apigee Helm 圖表中定義的下列兩個環境變數。這些變數為選用項目。如果沒有定義這些變數,請在程式碼範例中,將每個變數替換為適當的目錄路徑。
-
$APIGEE_HELM_CHARTS_HOME:您下載 Apigee Helm 圖表的目錄,定義於步驟 2:下載 Apigee Helm 圖表。 -
$PROJECT_ID:您的 Google Cloud 專案 ID,定義於「第 1 部分:專案和機構設定 - 步驟 1:啟用 API」。
如要在 AKS 上安裝,請務必啟用 OpenID Connect (OIDC) 簽發者。您必須啟用這項功能,Workload Identity Federation 才能存取叢集的 OpenID Connect 中繼資料和 JSON Web Key Set (JWKS)。
設定叢集以使用 Workload Identity 聯盟。
-
使用下列指令,確認目前的
gcloud設定已設為您的 Google Cloud 專案 ID:gcloud config get project
-
啟用 Security Token Service API:
使用下列指令,確認已啟用 Security Token Service API:
gcloud services list --enabled --project $PROJECT_ID | grep sts.googleapis.com
如果 API 尚未啟用:
控制台
Enable the Security Token Service API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.指令列
使用下列指令啟用 API:
gcloud services enable sts.googleapis.com --project $PROJECT_ID
-
建立 workload identity pool 和提供者。
必要的角色
如要取得設定 Workload Identity 聯盟所需的權限,請要求管理員授予您專案的下列 IAM 角色:
-
Workload Identity Pool 管理員 (
roles/iam.workloadIdentityPoolAdmin) -
服務帳戶管理員 (
roles/iam.serviceAccountAdmin)
如要進一步瞭解如何授予角色,請參閱「管理專案、資料夾和機構的存取權」。
或者,IAM 擁有者 (
roles/owner) 基本角色也包含設定身分識別聯盟的權限。您不應在正式版環境中授予基本角色,但可以在開發或測試環境中授予。如要建立 workload identity pool 和提供者,請按照下列步驟操作:
-
判斷 AKS 叢集的核發者網址:
AKS
az aks show -n CLUSTER_NAME -g RESOURCE_GROUP --query "oidcIssuerProfile.issuerUrl" -otsv
取代下列項目:
CLUSTER_NAME:叢集名稱。RESOURCE_GROUP:叢集的資源群組。
指令會輸出簽發者網址。您將在後續步驟中用到簽發者網址。
如果指令未傳回簽發者網址,請確認您已啟用 OIDC 簽發者功能。
EKS
aws eks describe-cluster --name CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text
將
CLUSTER_NAME替換為叢集名稱。指令會輸出簽發者網址。您將在後續步驟中用到簽發者網址。
其他 Kubernetes
連線至 Kubernetes 叢集,並使用 `kubectl` 判斷叢集的簽發者網址:
kubectl get --raw /.well-known/openid-configuration | jq -r .issuer
您將在後續步驟中用到簽發者網址。
-
選用:如果 OIDC 簽發者無法公開存取,請下載叢集的 JSON Web Key Set (JWKS):
kubectl get --raw /openid/v1/jwks > cluster-jwks.json
如要檢查 OIDC 供應商是否公開可用,您應該可以使用 CURL 指令存取供應商網址,並收到 200 回應。
-
建立新的 workload identity pool:
gcloud iam workload-identity-pools create POOL_ID \ --location="global" \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"請替換下列項目:
POOL_ID:集區的專屬 ID。DISPLAY_NAME:(選用) 集區的名稱。DESCRIPTION:(選用) 所選集區的說明。授予集區身分的存取權時會顯示這項說明。
例如:
gcloud iam workload-identity-pools create my-wi-pool --display-name="My workload pool" --description="My workload pool description" -
將叢集新增為 workload identity pool 提供者。根據 OIDC 核發者是否可公開存取,選擇建立供應商的指令:
可公開存取
如果 OIDC 簽發者可公開存取,請使用下列指令建立供應商:
gcloud iam workload-identity-pools providers create-oidc WORKLOAD_PROVIDER_ID \ --location="global" \ --workload-identity-pool="POOL_ID" \ --issuer-uri="ISSUER" \ --attribute-mapping="google.subject=assertion.sub"
-
Workload Identity Pool 管理員 (
視需要設定目前的 gcloud 設定:
gcloud config set project $PROJECT_ID
不公開
如果 OIDC 簽發者無法公開存取,請使用下列指令建立供應商:
gcloud iam workload-identity-pools providers create-oidc WORKLOAD_PROVIDER_ID \
--location="global" \
--workload-identity-pool="POOL_ID" \
--issuer-uri="ISSUER" \
--jwks-file="cluster-jwks.json" \
--attribute-mapping="google.subject=assertion.sub"請替換下列項目:
-
WORKLOAD_PROVIDER_ID:您選擇的不重複 workload identity pool 提供者 ID。 -
POOL_ID:您先前建立的工作負載身分集區 ID。 -
ISSUER:使用您先前決定的核發者網址做為核發者 URI。
attribute-mapping="google.subject=assertion.sub" 將 Kubernetes 主體對應至 IAM 主體。
建立憑證設定檔
如要部署可存取 Google Cloud 資源的 Kubernetes 工作負載,您必須先為每個 IAM 服務帳戶建立憑證設定檔:
-
使用下列指令列出 IAM 服務帳戶 (也稱為「Google 服務帳戶」):
gcloud iam service-accounts list --project $PROJECT_ID
您需要為下列 IAM 服務帳戶建立憑證設定檔:
正式版
正式環境:
DISPLAY NAME EMAIL DISABLED apigee-cassandra apigee-cassandra@my_project_id.iam.gserviceaccount.com False apigee-mart apigee-mart@my_project_id.iam.gserviceaccount.com False apigee-metrics apigee-metrics@my_project_id.iam.gserviceaccount.com False apigee-runtime apigee-runtime@my_project_id.iam.gserviceaccount.com False apigee-synchronizer apigee-synchronizer@my_project_id.iam.gserviceaccount.com False apigee-udca apigee-udca@my_project_id.iam.gserviceaccount.com False apigee-watcher apigee-watcher@my_project_id.iam.gserviceaccount.com False
如果您在 v1.15.1 以上版本使用 Apigee Hybrid 的營利功能,也需要為
apigee-mint-task-scheduler服務帳戶建立憑證設定檔。DISPLAY NAME EMAIL DISABLED ... apigee-mint-task-scheduler apigee-mint-task-scheduler@my_project_id.iam.gserviceaccount.com False ...
非正式環境
非正式環境:
DISPLAY NAME EMAIL DISABLED apigee-non-prod apigee-non-prod@my_project_id.iam.gserviceaccount.com False
-
為上一個清單中的每個 IAM 服務帳戶建立憑證設定檔。
WIF:秘密
這個方法會使用儲存在 Kubernetes Secret 中的憑證設定。在步驟 7:建立覆寫中建構覆寫檔案時,請使用
serviceAccountRef或envs.serviceAccountRefs屬性,為每個服務帳戶提供密鑰名稱。建立憑證設定檔
正式環境
您必須為下列服務帳戶建立憑證設定檔:
apigee-cassandraapigee-martapigee-metricsapigee-mint-task-scheduler如果您使用 Apigee Hybrid 的營利功能。apigee-runtimeapigee-synchronizerapigee-udca
- 為憑證設定檔建立目錄。目錄名稱不限。在本程序中,目錄名稱為
credential-configurations:mkdir $APIGEE_HELM_CHARTS_HOME/credential-configurations
-
為
apigee-cassandra建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-cassandra@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-cassandra-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含 workload identity pool 的專案編號。請務必提供專案編號,而非專案 ID。 -
POOL_ID:工作負載身分集區的 ID -
WORKLOAD_PROVIDER_ID:工作負載身分集區提供者的 ID
-
-
為
apigee-mart建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mart@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-mart-credential-configuration.json
-
為
apigee-metrics建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-metrics@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-metrics-credential-configuration.json
-
為
apigee-runtime建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-runtime@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-runtime-credential-configuration.json
-
為
apigee-synchronizer建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-synchronizer@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-synchronizer-credential-configuration.json
-
為
apigee-udca建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-udca@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-udca-credential-configuration.json
-
為
apigee-watcher建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-watcher@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-watcher-credential-configuration.json
-
如果您使用 Apigee Hybrid 的營利功能,也需要為
apigee-mint-task-scheduler建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mint-task-scheduler@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-mint-task-scheduler-credential-configuration.json
非正式環境
- 為憑證設定檔建立目錄。目錄名稱不限。在本程序中,目錄名稱為
credential-configurations:mkdir $APIGEE_HELM_CHARTS_HOME/credential-configurations
-
在
credential-configurations目錄中,為apigee-non-prod服務帳戶建立憑證設定檔,請執行下列指令:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-non-prod-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含 workload identity pool 的專案編號。請務必提供專案編號,而非專案 ID。 -
POOL_ID:工作負載身分集區的 ID -
WORKLOAD_PROVIDER_ID:工作負載身分集區提供者的 ID
-
建立 Kubernetes Secret
建立 Kubernetes 密鑰,儲存每個服務帳戶的憑證設定檔。
下列程式碼範例中的
kubectl create secret指令具有下列結構:kubectl create secret generic SECRET_NAME \ --from-file="client_secret.json=PATH_TO_CREDENTIAL_CONFIGURATION_FILE" \ -n APIGEE_NAMESPACE正式環境
-
為
apigee-cassandra建立密鑰檔案:kubectl create secret generic apigee-cassandra-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-cassandra.json" \ -n APIGEE_NAMESPACE
-
為
apigee-mart建立密鑰檔案:kubectl create secret generic apigee-mart-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-mart.json" \ -n APIGEE_NAMESPACE
-
為
apigee-metrics建立密鑰檔案:kubectl create secret generic apigee-metrics-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-metrics.json" \ -n APIGEE_NAMESPACE
-
為
apigee-runtime建立密鑰檔案:kubectl create secret generic apigee-runtime-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-runtime.json" \ -n APIGEE_NAMESPACE
-
為
apigee-synchronizer建立密鑰檔案:kubectl create secret generic apigee-synchronizer-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-synchronizer.json" \ -n APIGEE_NAMESPACE
-
為
apigee-udca建立密鑰檔案:kubectl create secret generic apigee-udca-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-udca.json" \ -n APIGEE_NAMESPACE
-
為
apigee-watcher建立密鑰檔案:kubectl create secret generic apigee-watcher-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-watcher.json" \ -n APIGEE_NAMESPACE
-
如果您使用 Apigee Hybrid 的營利功能,請為
apigee-mint-task-scheduler建立密鑰檔案:kubectl create secret generic apigee-mint-task-scheduler-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-mint-task-scheduler.json" \ -n APIGEE_NAMESPACE
為 apigee-non-prod建立密鑰檔案:非正式環境
kubectl create secret generic apigee-non-prod-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-non-prod.json" \ -n APIGEE_NAMESPACEWIF:檔案
這種做法會使用憑證設定檔,取代 Google 服務帳戶金鑰檔案。在「步驟 7:建立覆寫」中建構覆寫檔案時,請為每個
serviceAccountPath或envs.serviceAccountPaths屬性提供憑證設定檔的路徑。正式環境
您需要在對應的圖表目錄中建立憑證設定檔:
服務帳戶 Apigee Helm 資訊套件目錄 apigee-cassandraapigee-datastore/apigee-martapigee-org/apigee-metricsapigee-telemetry/apigee-mint-task-scheduler
(如果使用 Apigee Hybrid 營利)apigee-org/apigee-runtimeapigee-env/apigee-synchronizerapigee-env/apigee-udcaapigee-org/
apigee-env/apigee-watcherapigee-org/使用下列指令建立憑證設定檔:
-
apigee-cassandra:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-cassandra@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-cassandra-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含 workload identity pool 的專案編號。請務必提供專案編號,而非專案 ID。 -
POOL_ID:工作負載身分集區的 ID -
WORKLOAD_PROVIDER_ID:工作負載身分集區提供者的 ID
-
-
apigee-mart:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mart@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-mart-credential-configuration.json
-
apigee-metrics:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-metrics@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-telemetry/apigee-metrics-credential-configuration.json
-
apigee-runtime:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-runtime@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-env/apigee-runtime-credential-configuration.json
-
apigee-synchronizer:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-synchronizer@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-env/apigee-synchronizer-credential-configuration.json
-
apigee-udca:apigee-udca服務帳戶會同時用於apigee-org和apigee-env圖表。-
在
apigee-org圖表目錄中建立憑證設定檔。gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-udca@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-udca-credential-configuration.json
-
將憑證設定檔複製到
apigee-env圖表目錄。cp $APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-udca-credential-configuration.json \ $APIGEE_HELM_CHARTS_HOME/apigee-env/apigee-udca-credential-configuration.json
-
在
-
apigee-watcher:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-watcher@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-watcher-credential-configuration.json
-
如果您使用 href="monetization-for-hybrid">Apigee hybrid 的營利功能,也需要為
apigee-mint-task-scheduler建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mint-task-scheduler@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-mint-task-scheduler-credential-configuration.json
非正式環境
您需要建立憑證設定檔,並複製到對應的圖表目錄:
服務帳戶 Apigee Helm 圖表 apigee-non-prodapigee-datastore/
apigee-telemetry/
apigee-org/
apigee-env/-
在
apigee-datastore圖表目錄中,使用下列指令建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-non-prod-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含 workload identity pool 的專案編號。請務必提供專案編號,而非專案 ID。 -
POOL_ID:工作負載身分集區的 ID -
WORKLOAD_PROVIDER_ID:工作負載身分集區提供者的 ID
-
-
將憑證設定檔複製到
apigee-env、apigee-org/和apigee-telemetry/圖表目錄。cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-non-prod-credential-configuration.json \ $APIGEE_HELM_CHARTS_HOME/apigee-env/apigee-non-prod-credential-configuration.json
cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-non-prod-credential-configuration.json \ $APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-non-prod-credential-configuration.jsoncp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-non-prod-credential-configuration.json \ $APIGEE_HELM_CHARTS_HOME/apigee-telemetry/apigee-non-prod-credential-configuration.json
WIF:保管箱
這個方法會使用儲存在外部密鑰管理工具 Hashicorp Vault 中的憑證設定。在步驟 7:建立覆寫項目中建構覆寫檔案時,請使用
serviceAccountSecretProviderClass或envs.serviceAccountSecretProviderClass屬性提供機構層級和環境層級的保存庫密鑰。建立憑證設定檔
正式環境
您必須為下列服務帳戶建立憑證設定檔:
apigee-cassandraapigee-martapigee-metricsapigee-mint-task-scheduler(如果使用 Apigee Hybrid 營利)apigee-runtimeapigee-synchronizerapigee-udca
- 為憑證設定檔建立目錄。目錄名稱不限。在本程序中,目錄名稱為
credential-configurations:mkdir $APIGEE_HELM_CHARTS_HOME/credential-configurations
-
為
apigee-cassandra建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-cassandra@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-cassandra-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含 workload identity pool 的專案編號。請務必提供專案編號,而非專案 ID。 -
POOL_ID:工作負載身分集區的 ID -
WORKLOAD_PROVIDER_ID:工作負載身分集區提供者的 ID
-
-
為
apigee-mart建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mart@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-mart-credential-configuration.json
-
為
apigee-metrics建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-metrics@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-metrics-credential-configuration.json
-
為
apigee-runtime建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-runtime@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-runtime-credential-configuration.json
-
為
apigee-synchronizer建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-synchronizer@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-synchronizer-credential-configuration.json
-
為
apigee-udca建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-udca@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-udca-credential-configuration.json
-
為
apigee-watcher建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-watcher@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-watcher-credential-configuration.json
-
如果您使用 Apigee Hybrid 的營利功能,也需要為
apigee-mint-task-scheduler建立憑證設定檔:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mint-task-scheduler@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-mint-task-scheduler-credential-configuration.json
非正式環境
- 為憑證設定檔建立目錄。目錄名稱不限。在本程序中,目錄名稱為
credential-configurations:mkdir $APIGEE_HELM_CHARTS_HOME/credential-configurations
-
在
credential-configurations目錄中,為apigee-non-prod服務帳戶建立憑證設定檔,請執行下列指令:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-non-prod-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含 workload identity pool 的專案編號。請務必提供專案編號,而非專案 ID。 " -
POOL_ID:工作負載身分集區的 ID -
WORKLOAD_PROVIDER_ID:工作負載身分集區提供者的 ID
-
安裝 CSI 驅動程式和 Vault 供應商
如果尚未在叢集上使用 Helm 安裝 CSI 驅動程式,請按照「Secrets Store CSI Driver: Installation」一文中的指示操作。詳情請參閱 Vault 說明文件中的「安裝 Vault CSI 供應商」。
如要瞭解 Apigee Hybrid 支援的最低 CSI 驅動程式版本,請參閱「Apigee Hybrid 支援的平台和版本」。
建立 Vault 密鑰、政策和角色
使用 Vault UI 或 API 建立密鑰,並授予 Apigee Hybrid 使用的 Kubernetes 服務帳戶讀取這些密鑰的權限。
-
請按照下列格式建立機構和環境專屬的密鑰:
密鑰 密鑰資料 secret/data/apigee/orgsakeys
{ "cassandraBackup": "***", "cassandraRestore": "***", "connectAgent": "***", "logger": "***", "mart": "***", "metrics": "***", "mint": "***", "udca": "***", "watcher": "***" }secret/data/apigee/envsakeys-ENV_NAME
{ "runtime": "***", "synchronizer": "***", "udca": "***". }正式環境
在每對
"***"中,將其替換為對應 apigee 元件的 Google 服務帳戶憑證設定檔內容。apigee-cassandra-backup和apigee-cassandra-restore都使用apigee-cassandra服務帳戶。例如:{ "cassandraBackup": "{ "universe_domain": "googleapis.com", "type": "external_account:," "audience": "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider", "subject_token_type": "urn:ietf:params:oauth: token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service "impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/apigee-cassandra@my-project.iam.gserviceaccount.com:generateAccessToken", "credential_source": { "file": "/var/run/service-account/token", "format": { "type": "text" } } }", "cassandraRestore":... ... }非正式環境
將每對
"***"中的apigee-non-prod替換為apigee-non-prod服務帳戶的憑證設定檔內容。apigee-cassandra-backup和apigee-cassandra-restore都使用apigee-cassandra服務帳戶。例如:{ "cassandraBackup": "{ "universe_domain": "googleapis.com", "type": "external_account:," "audience": "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider", "subject_token_type": "urn:ietf:params:oauth: token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service "impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/apigee-non-prod@my-project.iam.gserviceaccount.com:generateAccessToken", "credential_source": { "file": "/var/run/service-account/token", "format": { "type": "text" } } }", "cassandraRestore":... ... } - 授予機構密鑰的存取權。建立名為 orgsakeys-auth-policy.txt 的文字檔,並在其中加入下列內容:
path "secret/data/apigee/orgsakeys" { capabilities = ["read"] } -
在 Vault 中建立政策,授予機構密鑰的存取權:
vault policy write apigee-orgsakeys-auth orgsakeys-auth-policy.txt
-
為每個環境建立名為
envsakeys-ENV_NAME-auth-policy.txt的文字檔案,並在其中加入下列內容:path "secret/data/apigee/envsakeys-ENV_NAME" { capabilities = ["read"] }針對每個環境重複這個步驟。
-
在 Vault 中建立政策,授予環境密碼的存取權:
vault policy write apigee-envsakeys-ENV_NAME-auth envsakeys-ENV_NAME-auth-policy.txt
針對每個環境重複這個步驟。
-
建立名為
generate-encoded-sas.sh的指令碼,內容如下:# generate-encoded-sas.sh ORG=$APIGEE_ORG # Apigee organization name ENVS=$APIGEE_ENV_LIST # comma separated env names, for example: dev,prod ORG_SHORT_NAME=$(echo $ORG | head -c 15) ENCODE=$(echo -n $ORG | shasum -a 256 | head -c 7) ORG_ENCODE=$(echo "$ORG_SHORT_NAME-$ENCODE") NAMES=apigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa,apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-${ORG_ENCODE},apigee-cassandra-schema-val-${ORG_ENCODE},apigee-cassandra-user-setup-${ORG_ENCODE},apigee-mart-${ORG_ENCODE},apigee-mint-task-scheduler-${ORG_ENCODE},apigee-connect-agent-${ORG_ENCODE},apigee-watcher-${ORG_ENCODE},apigee-udca-${ORG_ENCODE},apigee-metrics-apigee-telemetry,apigee-open-telemetry-collector-apigee-telemetry,apigee-logger-apigee-telemetry for ENV in ${ENVS//,/ } do ENV_SHORT_NAME=$(echo $ENV | head -c 15) ENCODE=$(echo -n $ORG:$ENV | shasum -a 256 | head -c 7) ENV_ENCODE=$(echo "$ORG_SHORT_NAME-$ENV_SHORT_NAME-$ENCODE") NAMES+=,apigee-synchronizer-${ENV_ENCODE},apigee-runtime-${ENV_ENCODE} done echo $NAMES -
執行指令碼,產生要繫結政策的服務帳戶名稱清單:
./generate-encoded-sas.sh
輸出內容應為以半形逗號分隔的 Kubernetes 服務帳戶名稱清單,類似於下列範例:
./generate-encoded-sas.shapigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa, apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-myhybrido rg-5b044c1,apigee-cassandra-schema-val-myhybridorg-5b044c1,apigee-c assandra-user-setup-myhybridorg-5b044c1,apigee-mart-myhybridorg-5b0 44c1,apigee-mint-task-scheduler-myhybridorg-5b044c1,apigee-connect- agent-myhybridorg-5b044c1,apigee-watcher-myhybridorg-5b044c1,apigee -udca-myhybridorg-5b044c1,apigee-metrics-apigee-telemetry,apigee-op en-telemetry-collector-apigee-telemetry,apigee-logger-apigee-teleme try,apigee-synchronizer-myhybridorg-dev-ee52aca,apigee-runtime-myhy bridorg-dev-ee52aca,apigee-synchronizer-myhybridorg-prod-2d0221c,ap igee-runtime-myhybridorg-prod-2d0221c -
將輸出文字複製到並分成清單,一個清單用於 org 服務帳戶名稱,另一個清單用於每個環境的 env 服務帳戶名稱。輸出清單中會優先列出 org 服務帳戶,最多
apigee-logger-apigee-telemetry個。上一個範例中的 org 服務名稱清單:
apigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa, apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-myhybrido rg-5b044c1,apigee-cassandra-schema-val-myhybridorg-5b044c1,apigee-c assandra-user-setup-myhybridorg-5b044c1,apigee-mart-myhybridorg-5b0 44c1,apigee-mint-task-scheduler-myhybridorg-5b044c1,apigee-connect- agent-myhybridorg-5b044c1,apigee-watcher-myhybridorg-5b044c1,apigee -udca-myhybridorg-5b044c1,apigee-metrics-apigee-telemetry,apigee-op en-telemetry-collector-apigee-telemetry,apigee-logger-apigee-teleme try
env 服務帳戶名稱的模式為
apigee-synchronizer-ORG_NAME-ENV_NAME-HASH_TEXT和apigee-runtime-ORG_NAME-ENV_NAME-HASH_TEXT。請為每個環境分別建立清單。舉例來說,上一個範例的輸出內容可以分成以下兩個清單:dev環境:apigee-synchronizer-myhybridorg-dev-ee52aca,apigee-runtime-myhybrid org-dev-ee52aca
prod環境:apigee-synchronizer-myhybridorg-prod-2d0221c,apigee-runtime-myhybri dorg-prod-2d0221c
-
使用這項政策建立保管箱角色,繫結機構專屬的 Apigee 服務帳戶:
vault write auth/kubernetes/role/apigee-orgsakeys \ bound_service_account_names=LIST_OF_ORG_SA_NAMES \ bound_service_account_namespaces=apigee \ policies=apigee-orgsakeys-auth \ ttl=1m -
為每個環境的服務帳戶金鑰建立 Vault 角色:
vault write auth/kubernetes/role/apigee-envsakeys-ENV_NAME \ bound_service_account_names=LIST_OF_ENV_NAME_SA_NAMES \ bound_service_account_namespaces=apigee \ policies=apigee-envsakeys-ENV_NAME-auth \ ttl=1m
針對每個環境重複這個步驟。
建立
SecretProviderClass物件SecretProviderClass資源會告知 CSI 驅動程式,要求密碼時要與哪個供應商通訊。服務帳戶金鑰必須透過這個物件設定。下表列出 Apigee Hybrid 預期的檔案名稱 (objectNames):服務帳戶 預期的密鑰檔案名稱 Cassandra 備份 cassandraBackup還原 Cassandra cassandraRestoreConnect 代理程式 connectAgentMART mart指標 metrics營利
(如果使用 Monetization for Apigee Hybrid)mint執行階段 runtime同步處理工具 synchronizerUDCA udcaWatcher watcher-
請使用下列
SecretProviderClass範本,為機構專屬密鑰設定這項資源:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: apigee-orgsakeys-spc spec: provider: vault parameters: roleName: apigee-orgsakeys vaultAddress: VAULT_ADDRESS # "objectName" is an alias used within the SecretProviderClass to reference # that specific secret. This will also be the filename containing the secret. # Apigee Hybrid expects these exact values so they must not be changed. # "secretPath" is the path in Vault where the secret should be retrieved. # "secretKey" is the key within the Vault secret response to extract a value from. objects: | - objectName: "cassandraBackup" secretPath: "" secretKey: "" - objectName: "cassandraRestore" secretPath: "" secretKey: "" - objectName: "connectAgent" secretPath: "" secretKey: "" - objectName: "logger" secretPath: "" secretKey: "" - objectName: "mart" secretPath: "" secretKey: "" - objectName: "metrics" secretPath: "" secretKey: "" - objectName: "mint" secretPath: "" secretKey: "" - objectName: "udca" secretPath: "" secretKey: "" - objectName: "watcher" secretPath: "" secretKey: ""VAULT_ADDRESS 是 Vault 伺服器的執行端點。如果 Vault 與 Apigee 位於同一叢集,格式通常為
http://vault.$APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。將範本儲存至名為
spc-org.yaml的檔案。 -
將機構專屬的
SecretProviderClass套用至 apigee 命名空間:kubectl -n $APIGEE_NAMESPACE apply -f spc-org.yaml
-
針對每個環境,請使用下列
SecretProviderClass範本,為環境專屬的密鑰設定這項資源。針對每個環境重複這個步驟:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: apigee-envsakeys-ENV_NAME-spc spec: provider: vault parameters: roleName: apigee-envsakeys-ENV_NAME vaultAddress: VAULT_ADDRESS # "objectName" is an alias used within the SecretProviderClass to reference # that specific secret. This will also be the filename containing the secret. # Apigee Hybrid expects these exact values so they must not be changed. # "secretPath" is the path in Vault where the secret should be retrieved. # "secretKey" is the key within the Vault secret response to extract a value from. objects: | - objectName: "runtime" secretPath: "" secretKey: "" - objectName: "synchronizer" secretPath: "" secretKey: "" - objectName: "udca" secretPath: "" secretKey: ""VAULT_ADDRESS 是 Vault 伺服器的執行端點。如果 Vault 與 Apigee 位於同一個叢集和命名空間,格式通常為
http://vault.$APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。將範本儲存至名為
spc-env-ENV_NAME.yaml的檔案。 -
針對每個環境,將環境專屬的
SecretProviderClass套用至 apigee 命名空間:kubectl -n $APIGEE_NAMESPACE apply -f spc-env-ENV_NAME.yaml
針對每個環境重複這個步驟。