概览
此步骤介绍如何为在上一步中创建的 Google Cloud 服务账号设置身份验证方法。
选择您要使用的身份验证方法的说明。如需大致了解不同的身份验证方法,请参阅 Apigee Hybrid 中的服务账号身份验证方法。
Kubernetes Secret
服务账号
您需要为以下服务账号创建 Kubernetes Secret:
生产
apigee-cassandraapigee-loggerapigee-martapigee-metricsapigee-mint-task-scheduler(如果您使用的是 Apigee Hybrid 获利)apigee-runtimeapigee-synchronizerapigee-udcaapigee-watcher
非生产
apigee-non-prod
您将在创建替换文件步骤中提供这些 Secret。
此过程使用以下可选环境变量:
$APIGEE_HELM_CHARTS_HOME$APIGEE_NAMESPACE$PROJECT_ID
如果您没有定义这些变量,请将代码示例中的每个变量替换为适当的值。
创建 Kubernetes Secret
创建 Kubernetes Secret 以存储服务账号密钥。
以下代码示例中的 kubectl create secret 命令具有以下结构:
kubectl create secret generic SECRET_NAME \ --from-file="client_secret.json=PATH_TO_SERVICE_ACCOUNT_KEY" \ -n $APIGEE_NAMESPACE
生产
kubectl create secret generic apigee-logger-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-logger.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-metrics-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-metrics.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-watcher-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-watcher.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-udca-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-udca.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-mart-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-mart.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-synchronizer-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-synchronizer.json" \
-n $APIGEE_NAMESPACE
kubectl create secret generic apigee-runtime-svc-account \
--from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-runtime.json" \
-n $APIGEE_NAMESPACE如果您使用的是 Apigee Hybrid 的创收功能,还需要为 apigee-mint-task-scheduler 服务账号创建 Kubernetes Secret:
kubectl create secret generic apigee-mint-task-scheduler-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-mint-task-scheduler.json" \ -n APIGEE_NAMESPACE
非生产
kubectl create secret generic apigee-non-prod-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-non-prod.json" \ -n $APIGEE_NAMESPACE
可选:您可以在创建 Kubernetes Secret 后删除服务账号 JSON 文件。
如需详细了解如何将 Kubernetes Secret 与 Apigee Hybrid 搭配使用,请参阅在 Kubernetes Secret 中存储服务账号密钥。
JSON 文件
无需执行任何额外的步骤即可设置 JSON 文件身份验证。继续执行第 6 步:创建 TLS 证书。
保险柜
设置为在 Vault 中存储服务账号 Secret
安装 CSI 驱动程序和 Vault 提供程序
如果您尚未使用 Helm 在集群上安装 CSI 驱动程序,请按照 Secrets Store CSI 驱动程序:安装中的说明操作。如需了解详情,请参阅 Vault 文档中的安装 Vault CSI 提供程序。
如需了解 Apigee Hybrid 支持的最低 CSI 驱动程序版本,请参阅 Apigee Hybrid 支持的平台和版本。
创建 Vault Secret、政策和角色
使用 Vault 界面或 API 创建 Secret,并为 Apigee Hybrid 使用的 Kubernetes 服务账号授予权限以读取这些 Secret。
-
按以下格式创建特定于组织和环境的 Secret:
密钥 Secret 数据 secret/data/apigee/orgsakeys
{ "cassandraBackup": "***", "cassandraRestore": "***", "connectAgent": "***", "logger": "***", "mart": "***", "metrics": "***", "mint": "***", "udca": "***", "watcher": "***" }secret/data/apigee/envsakeys-ENV_NAME
{ "runtime": "***", "synchronizer": "***", "udca": "***". }将每对中的
"***"替换为与 Apigee 组件对应的 Google 服务账号的 .json 文件内容。apigee-cassandra-backup和apigee-cassandra-restore都使用apigee-cassandra服务账号。例如:{ "cassandraBackup": "{ "type": "service_account", "project_id": "myhybridorg", "private_key_id": "PRIVATE_KEY_ID", "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY_TEXT\n-----END PRIVATE KEY-----\n", "client_email": "apigee-cassandra@myhybridorg.iam.gserviceaccount.com", "client_id": "123456789012345678901", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/apigee-cassandra%40myhybridorg.iam.gserviceaccount.com", "universe_domain": "googleapis.com" }", "cassandraRestore":... ... } - 授予对组织 Secret 的访问权限。创建一个名为 orgsakeys-auth-policy.txt 的文本文件,其中包含以下内容:
path "secret/data/apigee/orgsakeys" { capabilities = ["read"] } -
在 Vault 中,创建政策以授予对组织 Secret 的访问权限:
vault policy write apigee-orgsakeys-auth orgsakeys-auth-policy.txt
-
对于每个环境,创建一个名为
envsakeys-ENV_NAME-auth-policy.txt的文本文件,其中包含以下内容:path "secret/data/apigee/envsakeys-ENV_NAME" { capabilities = ["read"] }对每个环境重复执行此步骤。
-
在 Vault 中,创建政策以授予对环境 Secret 的访问权限:
vault policy write apigee-envsakeys-ENV_NAME-auth envsakeys-ENV_NAME-auth-policy.txt
对每个环境重复执行此步骤。
-
创建一个名为
generate-encoded-sas.sh的脚本,其中包含以下内容:# generate-encoded-sas.sh ORG=$APIGEE_ORG # Apigee organization name ENVS=$APIGEE_ENV_LIST # comma separated env names, for example: dev,prod ORG_SHORT_NAME=$(echo $ORG | head -c 15) ENCODE=$(echo -n $ORG | shasum -a 256 | head -c 7) ORG_ENCODE=$(echo "$ORG_SHORT_NAME-$ENCODE") NAMES=apigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa,apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-${ORG_ENCODE},apigee-cassandra-schema-val-${ORG_ENCODE},apigee-cassandra-user-setup-${ORG_ENCODE},apigee-mart-${ORG_ENCODE},apigee-mint-task-scheduler-${ORG_ENCODE},apigee-connect-agent-${ORG_ENCODE},apigee-watcher-${ORG_ENCODE},apigee-udca-${ORG_ENCODE},apigee-metrics-apigee-telemetry,apigee-open-telemetry-collector-apigee-telemetry,apigee-logger-apigee-telemetry for ENV in ${ENVS//,/ } do ENV_SHORT_NAME=$(echo $ENV | head -c 15) ENCODE=$(echo -n $ORG:$ENV | shasum -a 256 | head -c 7) ENV_ENCODE=$(echo "$ORG_SHORT_NAME-$ENV_SHORT_NAME-$ENCODE") NAMES+=,apigee-synchronizer-${ENV_ENCODE},apigee-runtime-${ENV_ENCODE} done echo $NAMES -
运行该脚本以生成将政策绑定到的服务账号名称列表:
./generate-encoded-sas.sh
输出应该是以英文逗号分隔的 Kubernetes 服务账号名称列表,类似于以下示例:
./generate-encoded-sas.shapigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa, apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-myhybrido rg-5b044c1,apigee-cassandra-schema-val-myhybridorg-5b044c1,apigee-c assandra-user-setup-myhybridorg-5b044c1,apigee-mart-myhybridorg-5b0 44c1,apigee-mint-task-scheduler-myhybridorg-5b044c1,apigee-connect- agent-myhybridorg-5b044c1,apigee-watcher-myhybridorg-5b044c1,apigee -udca-myhybridorg-5b044c1,apigee-metrics-apigee-telemetry,apigee-op en-telemetry-collector-apigee-telemetry,apigee-logger-apigee-teleme try,apigee-synchronizer-myhybridorg-dev-ee52aca,apigee-runtime-myhy bridorg-dev-ee52aca,apigee-synchronizer-myhybridorg-prod-2d0221c,ap igee-runtime-myhybridorg-prod-2d0221c -
复制输出文本并分为各个列表,组织服务账号名称有一个对应的列表,而每个环境的环境服务账号名称都有一个对应的单独列表。组织服务账号是输出列表中的前几个账号(直到
apigee-logger-apigee-telemetry)。上一个示例中的组织服务名称列表:
apigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa, apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-myhybrido rg-5b044c1,apigee-cassandra-schema-val-myhybridorg-5b044c1,apigee-c assandra-user-setup-myhybridorg-5b044c1,apigee-mart-myhybridorg-5b0 44c1,apigee-mint-task-scheduler-myhybridorg-5b044c1,apigee-connect- agent-myhybridorg-5b044c1,apigee-watcher-myhybridorg-5b044c1,apigee -udca-myhybridorg-5b044c1,apigee-metrics-apigee-telemetry,apigee-op en-telemetry-collector-apigee-telemetry,apigee-logger-apigee-teleme try
环境服务账号名称采用
apigee-synchronizer-ORG_NAME-ENV_NAME-HASH_TEXT和apigee-runtime-ORG_NAME-ENV_NAME-HASH_TEXT模式。系统会针对每个环境将它们分为单独的列表。例如,上一个示例的输出可分为以下两个列表:dev环境:apigee-synchronizer-myhybridorg-dev-ee52aca,apigee-runtime-myhybrid org-dev-ee52aca
prod环境:apigee-synchronizer-myhybridorg-prod-2d0221c,apigee-runtime-myhybri dorg-prod-2d0221c
-
使用政策创建绑定组织特定 Apigee 服务账号的 Vault 角色:
vault write auth/kubernetes/role/apigee-orgsakeys \ bound_service_account_names=LIST_OF_ORG_SA_NAMES \ bound_service_account_namespaces=apigee \ policies=apigee-orgsakeys-auth \ ttl=1m -
对于每个环境,为其服务账号密钥创建 Vault 角色:
vault write auth/kubernetes/role/apigee-envsakeys-ENV_NAME \ bound_service_account_names=LIST_OF_ENV_NAME_SA_NAMES \ bound_service_account_namespaces=apigee \ policies=apigee-envsakeys-ENV_NAME-auth \ ttl=1m对每个环境重复执行此步骤。
创建 SecretProviderClass 对象
SecretProviderClass 资源告知 CSI 驱动程序在请求 Secret 时要通信的提供程序。必须通过此对象配置服务账号密钥。下表显示了 Apigee Hybrid 预期的文件名 (objectNames):
| 服务账号 | 预期的 Secret 文件名 |
|---|---|
| Cassandra 备份 | cassandraBackup |
| Cassandra 恢复 | cassandraRestore |
| Connect Agent | connectAgent |
| Logger | logger |
| MART | mart |
| 指标 | metrics |
| Monetization (如果使用 Apigee Hybrid 创收功能) |
mint |
| 运行时 | runtime |
| 同步器 | synchronizer |
| UDCA | udca |
| Watcher | watcher |
-
使用以下
SecretProviderClass模板为特定于组织的 Secret 配置此资源:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: apigee-orgsakeys-spc spec: provider: vault parameters: roleName: apigee-orgsakeys vaultAddress: VAULT_ADDRESS # "objectName" is an alias used within the SecretProviderClass to reference # that specific secret. This will also be the filename containing the secret. # Apigee Hybrid expects these exact values so they must not be changed. # "secretPath" is the path in Vault where the secret should be retrieved. # "secretKey" is the key within the Vault secret response to extract a value from. objects: | - objectName: "cassandraBackup" secretPath: "" secretKey: "" - objectName: "cassandraRestore" secretPath: "" secretKey: "" - objectName: "connectAgent" secretPath: "" secretKey: "" - objectName: "logger" secretPath: "" secretKey: "" - objectName: "mart" secretPath: "" secretKey: "" - objectName: "metrics" secretPath: "" secretKey: "" - objectName: "mint" secretPath: "" secretKey: "" - objectName: "udca" secretPath: "" secretKey: "" - objectName: "watcher" secretPath: "" secretKey: ""VAULT_ADDRESS 是 Vault 服务器运行的端点。如果 Vault 与 Apigee 在同一集群中运行,则格式通常为
http://vault.$APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。将模板保存到名为
spc-org.yaml的文件中。 -
将特定于组织的
SecretProviderClass应用于 Apigee 命名空间:kubectl -n $APIGEE_NAMESPACE apply -f spc-org.yaml
-
对于每个环境,使用以下
SecretProviderClass模板为特定于环境的 Secret 配置此资源。对每个环境重复执行此步骤:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: apigee-envsakeys-ENV_NAME-spc spec: provider: vault parameters: roleName: apigee-envsakeys-ENV_NAME vaultAddress: VAULT_ADDRESS # "objectName" is an alias used within the SecretProviderClass to reference # that specific secret. This will also be the filename containing the secret. # Apigee Hybrid expects these exact values so they must not be changed. # "secretPath" is the path in Vault where the secret should be retrieved. # "secretKey" is the key within the Vault secret response to extract a value from. objects: | - objectName: "runtime" secretPath: "" secretKey: "" - objectName: "synchronizer" secretPath: "" secretKey: "" - objectName: "udca" secretPath: "" secretKey: ""VAULT_ADDRESS 是 Vault 服务器运行的端点。如果 Vault 与 Apigee 在同一集群和命名空间中运行,则格式通常为
http://vault.$APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。将模板保存到名为
spc-env-ENV_NAME.yaml的文件中。 -
对于每个环境,将特定于环境的
SecretProviderClass应用于 Apigee 命名空间:kubectl -n $APIGEE_NAMESPACE apply -f spc-env-ENV_NAME.yaml
对每个环境重复执行此步骤。
-
可选:您可以在创建
SecretProviderClass对象后删除服务账号 JSON 文件。
适用于 GKE 的 WIF
准备配置 Workload Identity Federation for GKE
- 验证替换文件中是否已启用 Workload Identity Federation for GKE。您应在替换文件的以下属性中启用它。
namespace为必填项。 例如:instanceID: "hybrid-instance-1" namespace: "apigee"
- 如果您要对所有组件使用一个服务账号(非生产),请使用
gcp.workloadIdentity.gsa指定该服务账号。例如:gcp: workloadIdentity: enabled: true gsa: "apigee-non-prod@my-hybrid-project.iam.gserviceaccount.com" - 如果您要对每个组件使用单独的服务账号(生产环境安装),请使用组件的
gsa属性指定服务账号。例如:logger: gsa: "apigee-logger@my-hybrid-project.iam.gserviceaccount.com"
- 使用以下命令检查
gcloud配置设置为您的 Google Cloud 项目 ID:gcloud config get project
- 验证已为 GKE 集群启用 Workload Identity Federation for GKE。在第 1 步:创建集群中创建集群时,第 6 步是启用 Workload Identity Federation for GKE。使用以下命令确认已启用该功能:
区域级集群
gcloud container clusters describe $CLUSTER_NAME \ --region $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten 'workloadIdentityConfig'
可用区级集群
gcloud container clusters describe $CLUSTER_NAME \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten 'workloadIdentityConfig'
输出应如下所示:
--- workloadPool: $PROJECT_ID.svc.id.goog
如果结果中显示了
null,请运行以下命令来为集群启用适用于 GKE 的工作负载身份联合:区域级集群
gcloud container clusters update $CLUSTER_NAME \ --workload-pool=$PROJECT_ID.svc.id.goog \ --project $PROJECT_ID \ --region $CLUSTER_LOCATION
可用区级集群
gcloud container clusters update $CLUSTER_NAME \ --workload-pool=$PROJECT_ID.svc.id.goog \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID
-
使用以下命令为每个节点池启用 Workload Identity Federation for GKE。每个节点最多可能需要 30 分钟才能完成此操作:
区域级集群
gcloud container node-pools update NODE_POOL_NAME \ --cluster=$CLUSTER_NAME \ --region $CLUSTER_LOCATION \ --project $PROJECT_ID \ --workload-metadata=GKE_METADATA
可用区级集群
gcloud container node-pools update NODE_POOL_NAME \ --cluster=$CLUSTER_NAME \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID \ --workload-metadata=GKE_METADATA
其中 NODE_POOL_NAME 是每个节点池的名称。在大多数 Apigee Hybrid 安装中,两个默认节点池名为
apigee-data和apigee-runtime。 - 使用以下命令验证节点池上是否启用了适用于 GKE 的工作负载身份联合:
区域级集群
gcloud container node-pools describe apigee-data \ --cluster $CLUSTER_NAME \ --region $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten "config:"
gcloud container node-pools describe apigee-runtime \ --cluster $CLUSTER_NAME \ --region $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten "config:"
可用区级集群
gcloud container node-pools describe apigee-data \ --cluster $CLUSTER_NAME \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten "config:"
gcloud container node-pools describe apigee-runtime \ --cluster $CLUSTER_NAME \ --zone $CLUSTER_LOCATION \ --project $PROJECT_ID \ --flatten "config:"
输出应如下所示:
--- diskSizeGb: 100 diskType: pd-standard ... workloadMetadataConfig: mode: GKE_METADATA
如果需要,请设置当前 gcloud 配置:
gcloud config set project $PROJECT_ID
其他平台上的 WIF
在 GKE 以外的平台上使用工作负载身份联合时,您可以使用以下方法来配置 SA 身份验证:
- Kubernetes Secret
- 服务账号 JSON 文件
- 保险柜
在以下说明中,选择您所用身份验证方法的标签页。
此过程使用第 2 步:下载 Apigee Helm 图表中定义的以下两个环境变量。这些变量是可选的。如果您没有定义这些变量,请将代码示例中的每个变量替换为适当的目录路径。
-
$APIGEE_HELM_CHARTS_HOME:您下载 Apigee Helm 图表的目录,其定义见第 2 步:下载 Apigee Helm 图表。 -
$PROJECT_ID:您的 Google Cloud 项目 ID,其定义见第 1 部分:项目和组织设置 - 第 1 步:启用 API。
对于 AKS 上的安装,请确保已启用 OpenID Connect (OIDC) 颁发者。您必须启用此功能,以便工作负载身份联合可以访问集群的 OpenID Connect 元数据和 JSON Web 密钥集 (JWKS)。
配置集群以使用工作负载身份联合。
-
使用以下命令检查
gcloud配置是否设置为您的 Google Cloud 项目 ID:gcloud config get project
-
启用 Security Token Service API:
使用以下命令检查 Security Token Service API 是否已启用:
gcloud services list --enabled --project $PROJECT_ID | grep sts.googleapis.com
如果该 API 未启用,请执行以下操作:
控制台
Enable the Security Token Service API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.命令行
使用以下命令启用该 API:
gcloud services enable sts.googleapis.com --project $PROJECT_ID
-
创建工作负载身份池和提供方。
所需的角色
如需获得配置工作负载身份联合所需的权限,请让您的管理员为您授予项目的以下 IAM 角色:
-
Workload Identity Pool Admin (
roles/iam.workloadIdentityPoolAdmin) -
Service Account Admin (
roles/iam.serviceAccountAdmin)
如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限。
此外,IAM Owner (
roles/owner) 基本角色也具有配置身份联合所需的权限。您不应在生产环境中授予基本角色,但可以在开发或测试环境中授予这些角色。如需创建工作负载身份池和提供方,请执行以下操作:
-
确定 AKS 集群的颁发者网址:
AKS
az aks show -n CLUSTER_NAME -g RESOURCE_GROUP --query "oidcIssuerProfile.issuerUrl" -otsv
替换以下内容:
CLUSTER_NAME:集群的名称。RESOURCE_GROUP:集群的资源组。
该命令会输出颁发者网址。您将在后续的一个步骤中用到颁发者网址。
如果该命令未返回颁发者网址,请验证您是否已启用 OIDC 颁发者功能。
EKS
aws eks describe-cluster --name CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text
将
CLUSTER_NAME替换为集群的名称。该命令会输出颁发者网址。您将在后续的一个步骤中用到颁发者网址。
其他 Kubernetes
连接到您的 Kubernetes 集群,并使用“kubectl”确定集群的颁发者网址:
kubectl get --raw /.well-known/openid-configuration | jq -r .issuer
您将在后续的一个步骤中用到颁发者网址。
-
可选:如果您的 OIDC 颁发者无法公开访问,请下载集群的 JSON Web 密钥集 (JWKS):
kubectl get --raw /openid/v1/jwks > cluster-jwks.json
如要验证您的 OIDC 提供方可公开访问,则应该能够通过 CURL 命令访问提供方网址并收到 200 响应。
-
创建新的工作负载身份池:
gcloud iam workload-identity-pools create POOL_ID \ --location="global" \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"替换以下内容:
POOL_ID:池的唯一 ID。DISPLAY_NAME:(可选)池的名称。DESCRIPTION:(可选)所选池的说明。当您授予对池身份的访问权限时,系统会显示此说明。
例如:
gcloud iam workload-identity-pools create my-wi-pool --display-name="My workload pool" --description="My workload pool description" -
将集群添加为工作负载身份池提供方。根据您的 OIDC 颁发者是否可公开访问,选择相应的命令来创建提供方:
可供公开访问
如果您的 OIDC 颁发者可公开访问,请使用以下命令创建提供方:
gcloud iam workload-identity-pools providers create-oidc WORKLOAD_PROVIDER_ID \ --location="global" \ --workload-identity-pool="POOL_ID" \ --issuer-uri="ISSUER" \ --attribute-mapping="google.subject=assertion.sub"不能公开访问
如果您的 OIDC 颁发者无法公开访问,请使用以下命令创建提供方:
gcloud iam workload-identity-pools providers create-oidc WORKLOAD_PROVIDER_ID \ --location="global" \ --workload-identity-pool="POOL_ID" \ --issuer-uri="ISSUER" \ --jwks-file="cluster-jwks.json" \ --attribute-mapping="google.subject=assertion.sub"替换以下内容:
-
WORKLOAD_PROVIDER_ID:您选择的唯一工作负载身份池提供方 ID。 -
POOL_ID:您之前创建的工作负载身份池 ID。 -
ISSUER:使用您之前确定的颁发者 URI 的颁发者网址。
attribute-mapping="google.subject=assertion.sub"会将 Kubernetes 正文映射到 IAM 正文。 -
-
Workload Identity Pool Admin (
如果需要,请设置当前 gcloud 配置:
gcloud config set project $PROJECT_ID
创建凭证配置文件
如需部署可访问 Google Cloud 资源的 Kubernetes 工作负载,您首先需要为每个 IAM 服务账号创建一个凭证配置文件:
-
使用以下命令列出 IAM 服务账号(也称为“Google 服务账号”):
gcloud iam service-accounts list --project $PROJECT_ID
您需要为以下 IAM 服务账号创建凭证配置文件:
生产环境
对于生产环境:
DISPLAY NAME EMAIL DISABLED apigee-cassandra apigee-cassandra@my_project_id.iam.gserviceaccount.com False apigee-mart apigee-mart@my_project_id.iam.gserviceaccount.com False apigee-metrics apigee-metrics@my_project_id.iam.gserviceaccount.com False apigee-runtime apigee-runtime@my_project_id.iam.gserviceaccount.com False apigee-synchronizer apigee-synchronizer@my_project_id.iam.gserviceaccount.com False apigee-udca apigee-udca@my_project_id.iam.gserviceaccount.com False apigee-watcher apigee-watcher@my_project_id.iam.gserviceaccount.com False
如果您在 v1.15.1 及更高版本中使用 Apigee Hybrid 的创收功能,还需要为
apigee-mint-task-scheduler服务账号创建凭证配置文件。DISPLAY NAME EMAIL DISABLED ... apigee-mint-task-scheduler apigee-mint-task-scheduler@my_project_id.iam.gserviceaccount.com False ...
非生产
对于非生产环境:
DISPLAY NAME EMAIL DISABLED apigee-non-prod apigee-non-prod@my_project_id.iam.gserviceaccount.com False
-
为上一个列表中的每个 IAM 服务账号创建一个凭证配置文件。
WIF:密钥
此方法使用存储在 Kubernetes Secret 中的凭据配置。在第 7 步:创建替换文件中构建替换文件时,您可以使用
serviceAccountRef或envs.serviceAccountRefs属性为每个服务账号提供 Secret 的名称。创建凭证配置文件
生产
您需要为以下服务账号创建凭证配置文件:
apigee-cassandraapigee-martapigee-metricsapigee-mint-task-scheduler如果您使用的是 Apigee Hybrid 创收。apigee-runtimeapigee-synchronizerapigee-udca
- 为凭据配置文件创建目录。该目录可以采用任何名称。在此过程中,目录名为
credential-configurations:mkdir $APIGEE_HELM_CHARTS_HOME/credential-configurations
-
为
apigee-cassandra创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-cassandra@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-cassandra-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含工作负载身份池的项目的项目编号。此值必须是项目编号,而不是项目 ID。 -
POOL_ID:工作负载身份池的 ID -
WORKLOAD_PROVIDER_ID:工作负载身份池提供方的 ID
-
-
为
apigee-mart创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mart@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-mart-credential-configuration.json
-
为
apigee-metrics创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-metrics@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-metrics-credential-configuration.json
-
为
apigee-runtime创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-runtime@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-runtime-credential-configuration.json
-
为
apigee-synchronizer创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-synchronizer@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-synchronizer-credential-configuration.json
-
为
apigee-udca创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-udca@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-udca-credential-configuration.json
-
为
apigee-watcher创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-watcher@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-watcher-credential-configuration.json
-
如果您使用的是 Apigee Hybrid 的创收功能,还需要为
apigee-mint-task-scheduler创建凭证配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mint-task-scheduler@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-mint-task-scheduler-credential-configuration.json
非生产
- 为凭据配置文件创建目录。该目录可以采用任何名称。在此过程中,目录名为
credential-configurations:mkdir $APIGEE_HELM_CHARTS_HOME/credential-configurations
-
使用以下命令在
credential-configurations目录中为apigee-non-prod服务账号创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-non-prod-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含工作负载身份池的项目的项目编号。此值必须是项目编号,而不是项目 ID。 -
POOL_ID:工作负载身份池的 ID -
WORKLOAD_PROVIDER_ID:工作负载身份池提供方的 ID
-
创建 Kubernetes Secret
创建 Kubernetes Secret 以存储每个服务账号的凭据配置文件。
以下代码示例中的
kubectl create secret命令具有以下结构:kubectl create secret generic SECRET_NAME \ --from-file="client_secret.json=PATH_TO_CREDENTIAL_CONFIGURATION_FILE" \ -n APIGEE_NAMESPACE生产
-
为
apigee-cassandra创建 Secret 文件:kubectl create secret generic apigee-cassandra-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-cassandra.json" \ -n APIGEE_NAMESPACE
-
为
apigee-mart创建 Secret 文件:kubectl create secret generic apigee-mart-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-mart.json" \ -n APIGEE_NAMESPACE
-
为
apigee-metrics创建 Secret 文件:kubectl create secret generic apigee-metrics-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-metrics.json" \ -n APIGEE_NAMESPACE
-
为
apigee-runtime创建 Secret 文件:kubectl create secret generic apigee-runtime-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-runtime.json" \ -n APIGEE_NAMESPACE
-
为
apigee-synchronizer创建 Secret 文件:kubectl create secret generic apigee-synchronizer-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-synchronizer.json" \ -n APIGEE_NAMESPACE
-
为
apigee-udca创建 Secret 文件:kubectl create secret generic apigee-udca-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-udca.json" \ -n APIGEE_NAMESPACE
-
为
apigee-watcher创建 Secret 文件:kubectl create secret generic apigee-watcher-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-watcher.json" \ -n APIGEE_NAMESPACE
-
如果您使用的是 Apigee Hybrid 的创收功能,请为
apigee-mint-task-scheduler创建 Secret 文件:kubectl create secret generic apigee-mint-task-scheduler-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-mint-task-scheduler.json" \ -n APIGEE_NAMESPACE
为 apigee-non-prod创建密钥文件:非生产
kubectl create secret generic apigee-non-prod-svc-account \ --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/credential-configurations/$PROJECT_ID-apigee-non-prod.json" \ -n APIGEE_NAMESPACEWIF:文件
此方法使用凭据配置文件代替 Google 服务账号密钥文件。在第 7 步:创建替换文件中构建替换文件时,您需要为每个
serviceAccountPath或envs.serviceAccountPaths属性提供凭据配置文件的路径。生产
您需要在相应的图表目录中创建凭证配置文件:
服务账号 Apigee Helm 图表目录 apigee-cassandraapigee-datastore/apigee-martapigee-org/apigee-metricsapigee-telemetry/apigee-mint-task-scheduler
(如果使用 Monetization for Apigee Hybrid)apigee-org/apigee-runtimeapigee-env/apigee-synchronizerapigee-env/apigee-udcaapigee-org/
apigee-env/apigee-watcherapigee-org/使用以下命令创建凭证配置文件:
-
apigee-cassandra:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-cassandra@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-cassandra-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含工作负载身份池的项目的项目编号。此值必须是项目编号,而不是项目 ID。 -
POOL_ID:工作负载身份池的 ID -
WORKLOAD_PROVIDER_ID:工作负载身份池提供方的 ID
-
-
apigee-mart:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mart@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-mart-credential-configuration.json
-
apigee-metrics:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-metrics@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-telemetry/apigee-metrics-credential-configuration.json
-
apigee-runtime:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-runtime@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-env/apigee-runtime-credential-configuration.json
-
apigee-synchronizer:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-synchronizer@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-env/apigee-synchronizer-credential-configuration.json
-
apigee-udca:apigee-org和apigee-env图表都使用apigee-udca服务账号。-
在
apigee-org图表目录中创建凭据配置文件。gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-udca@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-udca-credential-configuration.json
-
将凭据配置文件复制到
apigee-env图表目录。cp $APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-udca-credential-configuration.json \ $APIGEE_HELM_CHARTS_HOME/apigee-env/apigee-udca-credential-configuration.json
-
在
-
apigee-watcher:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-watcher@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-watcher-credential-configuration.json
-
如果您使用的是 href="monetization-for-hybrid">Apigee Hybrid 的创收功能,还需要为
apigee-mint-task-scheduler创建凭证配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mint-task-scheduler@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-mint-task-scheduler-credential-configuration.json
非生产
您需要创建凭证配置文件并将其复制到相应的图表目录中:
服务账号 Apigee Helm 图表 apigee-non-prodapigee-datastore/
apigee-telemetry/
apigee-org/
apigee-env/-
使用以下命令在
apigee-datastore图表目录中创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-non-prod-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含工作负载身份池的项目的项目编号。此值必须是项目编号,而不是项目 ID。 -
POOL_ID:工作负载身份池的 ID -
WORKLOAD_PROVIDER_ID:工作负载身份池提供方的 ID
-
-
将凭据配置文件复制到
apigee-env、apigee-org/和apigee-telemetry/图表目录。cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-non-prod-credential-configuration.json \ $APIGEE_HELM_CHARTS_HOME/apigee-env/apigee-non-prod-credential-configuration.json
cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-non-prod-credential-configuration.json \ $APIGEE_HELM_CHARTS_HOME/apigee-org/apigee-non-prod-credential-configuration.jsoncp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/apigee-non-prod-credential-configuration.json \ $APIGEE_HELM_CHARTS_HOME/apigee-telemetry/apigee-non-prod-credential-configuration.json
WIF:保险柜
此方法使用存储在外部 Secret 管理器 Hashicorp Vault 中的凭据配置。在第 7 步:创建替换项中构建替换文件时,您可以使用
serviceAccountSecretProviderClass或envs.serviceAccountSecretProviderClass属性提供组织级和环境级 Secret Vault。创建凭证配置文件
生产
您需要为以下服务账号创建凭证配置文件:
apigee-cassandraapigee-martapigee-metricsapigee-mint-task-scheduler(如果使用 Monetization for Apigee Hybrid)apigee-runtimeapigee-synchronizerapigee-udca
- 为凭据配置文件创建目录。该目录可以采用任何名称。在此过程中,目录名为
credential-configurations:mkdir $APIGEE_HELM_CHARTS_HOME/credential-configurations
-
为
apigee-cassandra创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-cassandra@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-cassandra-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含工作负载身份池的项目的项目编号。此值必须是项目编号,而不是项目 ID。 -
POOL_ID:工作负载身份池的 ID -
WORKLOAD_PROVIDER_ID:工作负载身份池提供方的 ID
-
-
为
apigee-mart创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mart@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-mart-credential-configuration.json
-
为
apigee-metrics创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-metrics@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-metrics-credential-configuration.json
-
为
apigee-runtime创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-runtime@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-runtime-credential-configuration.json
-
为
apigee-synchronizer创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-synchronizer@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-synchronizer-credential-configuration.json
-
为
apigee-udca创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-udca@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-udca-credential-configuration.json
-
为
apigee-watcher创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-watcher@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-watcher-credential-configuration.json
-
如果您使用的是 Apigee Hybrid 的创收功能,还需要为
apigee-mint-task-scheduler创建凭证配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-mint-task-scheduler@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-mint-task-scheduler-credential-configuration.json
非生产
- 为凭据配置文件创建目录。该目录可以采用任何名称。在此过程中,目录名为
credential-configurations:mkdir $APIGEE_HELM_CHARTS_HOME/credential-configurations
-
使用以下命令在
credential-configurations目录中为apigee-non-prod服务账号创建凭据配置文件:gcloud iam workload-identity-pools create-cred-config \ projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID \ --service-account=apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com \ --credential-source-file=/var/run/service-account/token \ --credential-source-type=text \ --output-file=$APIGEE_HELM_CHARTS_HOME/credential-configurations/apigee-non-prod-credential-configuration.json
其中:
-
PROJECT_NUMBER:包含工作负载身份池的项目的项目编号。此值必须是项目编号,而不是项目 ID。 “ -
POOL_ID:工作负载身份池的 ID -
WORKLOAD_PROVIDER_ID:工作负载身份池提供方的 ID
-
安装 CSI 驱动程序和 Vault 提供程序
如果您尚未使用 Helm 在集群上安装 CSI 驱动程序,请按照 Secrets Store CSI 驱动程序:安装中的说明操作。如需了解详情,请参阅 Vault 文档中的安装 Vault CSI 提供程序。
如需了解 Apigee Hybrid 支持的最低 CSI 驱动程序版本,请参阅 Apigee Hybrid 支持的平台和版本。
创建 Vault Secret、政策和角色
使用 Vault 界面或 API 创建 Secret,并为 Apigee Hybrid 使用的 Kubernetes 服务账号授予权限以读取这些 Secret。
-
按以下格式创建特定于组织和环境的 Secret:
密钥 Secret 数据 secret/data/apigee/orgsakeys
{ "cassandraBackup": "***", "cassandraRestore": "***", "connectAgent": "***", "logger": "***", "mart": "***", "metrics": "***", "mint": "***", "udca": "***", "watcher": "***" }secret/data/apigee/envsakeys-ENV_NAME
{ "runtime": "***", "synchronizer": "***", "udca": "***". }生产
将每对中的
"***"替换为与 Apigee 组件对应的 Google 服务账号的凭据配置文件内容。apigee-cassandra-backup和apigee-cassandra-restore都使用apigee-cassandra服务账号。例如:{ "cassandraBackup": "{ "universe_domain": "googleapis.com", "type": "external_account:," "audience": "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider", "subject_token_type": "urn:ietf:params:oauth: token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service "impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/apigee-cassandra@my-project.iam.gserviceaccount.com:generateAccessToken", "credential_source": { "file": "/var/run/service-account/token", "format": { "type": "text" } } }", "cassandraRestore":... ... }非生产
将每对中的
"***"替换为apigee-non-prod服务账号的凭据配置文件内容。apigee-cassandra-backup和apigee-cassandra-restore都使用apigee-cassandra服务账号。例如:{ "cassandraBackup": "{ "universe_domain": "googleapis.com", "type": "external_account:," "audience": "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider", "subject_token_type": "urn:ietf:params:oauth: token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service "impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/apigee-non-prod@my-project.iam.gserviceaccount.com:generateAccessToken", "credential_source": { "file": "/var/run/service-account/token", "format": { "type": "text" } } }", "cassandraRestore":... ... } - 授予对组织 Secret 的访问权限。创建一个名为 orgsakeys-auth-policy.txt 的文本文件,其中包含以下内容:
path "secret/data/apigee/orgsakeys" { capabilities = ["read"] } -
在 Vault 中,创建政策以授予对组织 Secret 的访问权限:
vault policy write apigee-orgsakeys-auth orgsakeys-auth-policy.txt
-
对于每个环境,创建一个名为
envsakeys-ENV_NAME-auth-policy.txt的文本文件,其中包含以下内容:path "secret/data/apigee/envsakeys-ENV_NAME" { capabilities = ["read"] }对每个环境重复执行此步骤。
-
在 Vault 中,创建政策以授予对环境 Secret 的访问权限:
vault policy write apigee-envsakeys-ENV_NAME-auth envsakeys-ENV_NAME-auth-policy.txt
对每个环境重复执行此步骤。
-
创建一个名为
generate-encoded-sas.sh的脚本,其中包含以下内容:# generate-encoded-sas.sh ORG=$APIGEE_ORG # Apigee organization name ENVS=$APIGEE_ENV_LIST # comma separated env names, for example: dev,prod ORG_SHORT_NAME=$(echo $ORG | head -c 15) ENCODE=$(echo -n $ORG | shasum -a 256 | head -c 7) ORG_ENCODE=$(echo "$ORG_SHORT_NAME-$ENCODE") NAMES=apigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa,apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-${ORG_ENCODE},apigee-cassandra-schema-val-${ORG_ENCODE},apigee-cassandra-user-setup-${ORG_ENCODE},apigee-mart-${ORG_ENCODE},apigee-mint-task-scheduler-${ORG_ENCODE},apigee-connect-agent-${ORG_ENCODE},apigee-watcher-${ORG_ENCODE},apigee-udca-${ORG_ENCODE},apigee-metrics-apigee-telemetry,apigee-open-telemetry-collector-apigee-telemetry,apigee-logger-apigee-telemetry for ENV in ${ENVS//,/ } do ENV_SHORT_NAME=$(echo $ENV | head -c 15) ENCODE=$(echo -n $ORG:$ENV | shasum -a 256 | head -c 7) ENV_ENCODE=$(echo "$ORG_SHORT_NAME-$ENV_SHORT_NAME-$ENCODE") NAMES+=,apigee-synchronizer-${ENV_ENCODE},apigee-runtime-${ENV_ENCODE} done echo $NAMES -
运行该脚本以生成将政策绑定到的服务账号名称列表:
./generate-encoded-sas.sh
输出应该是以英文逗号分隔的 Kubernetes 服务账号名称列表,类似于以下示例:
./generate-encoded-sas.shapigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa, apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-myhybrido rg-5b044c1,apigee-cassandra-schema-val-myhybridorg-5b044c1,apigee-c assandra-user-setup-myhybridorg-5b044c1,apigee-mart-myhybridorg-5b0 44c1,apigee-mint-task-scheduler-myhybridorg-5b044c1,apigee-connect- agent-myhybridorg-5b044c1,apigee-watcher-myhybridorg-5b044c1,apigee -udca-myhybridorg-5b044c1,apigee-metrics-apigee-telemetry,apigee-op en-telemetry-collector-apigee-telemetry,apigee-logger-apigee-teleme try,apigee-synchronizer-myhybridorg-dev-ee52aca,apigee-runtime-myhy bridorg-dev-ee52aca,apigee-synchronizer-myhybridorg-prod-2d0221c,ap igee-runtime-myhybridorg-prod-2d0221c -
复制输出文本并分为各个列表,组织服务账号名称有一个对应的列表,而每个环境的环境服务账号名称都有一个对应的单独列表。组织服务账号是输出列表中的前几个账号(直到
apigee-logger-apigee-telemetry)。上一个示例中的组织服务名称列表:
apigee-manager,apigee-cassandra-default,apigee-cassandra-backup-sa, apigee-cassandra-restore-sa,apigee-cassandra-schema-setup-myhybrido rg-5b044c1,apigee-cassandra-schema-val-myhybridorg-5b044c1,apigee-c assandra-user-setup-myhybridorg-5b044c1,apigee-mart-myhybridorg-5b0 44c1,apigee-mint-task-scheduler-myhybridorg-5b044c1,apigee-connect- agent-myhybridorg-5b044c1,apigee-watcher-myhybridorg-5b044c1,apigee -udca-myhybridorg-5b044c1,apigee-metrics-apigee-telemetry,apigee-op en-telemetry-collector-apigee-telemetry,apigee-logger-apigee-teleme try
环境服务账号名称采用
apigee-synchronizer-ORG_NAME-ENV_NAME-HASH_TEXT和apigee-runtime-ORG_NAME-ENV_NAME-HASH_TEXT模式。系统会针对每个环境将它们分为单独的列表。例如,上一个示例的输出可分为以下两个列表:dev环境:apigee-synchronizer-myhybridorg-dev-ee52aca,apigee-runtime-myhybrid org-dev-ee52aca
prod环境:apigee-synchronizer-myhybridorg-prod-2d0221c,apigee-runtime-myhybri dorg-prod-2d0221c
-
使用政策创建绑定组织特定 Apigee 服务账号的 Vault 角色:
vault write auth/kubernetes/role/apigee-orgsakeys \ bound_service_account_names=LIST_OF_ORG_SA_NAMES \ bound_service_account_namespaces=apigee \ policies=apigee-orgsakeys-auth \ ttl=1m -
对于每个环境,为其服务账号密钥创建 Vault 角色:
vault write auth/kubernetes/role/apigee-envsakeys-ENV_NAME \ bound_service_account_names=LIST_OF_ENV_NAME_SA_NAMES \ bound_service_account_namespaces=apigee \ policies=apigee-envsakeys-ENV_NAME-auth \ ttl=1m
对每个环境重复执行此步骤。
创建
SecretProviderClass对象SecretProviderClass资源告知 CSI 驱动程序在请求 Secret 时要通信的提供程序。必须通过此对象配置服务账号密钥。下表显示了 Apigee Hybrid 预期的文件名 (objectNames):服务账号 预期的 Secret 文件名 Cassandra 备份 cassandraBackupCassandra 恢复 cassandraRestoreConnect Agent connectAgentMART mart指标 metricsMonetization
(如果使用 Apigee Hybrid 创收功能)mint运行时 runtime同步器 synchronizerUDCA udcaWatcher watcher-
使用以下
SecretProviderClass模板为特定于组织的 Secret 配置此资源:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: apigee-orgsakeys-spc spec: provider: vault parameters: roleName: apigee-orgsakeys vaultAddress: VAULT_ADDRESS # "objectName" is an alias used within the SecretProviderClass to reference # that specific secret. This will also be the filename containing the secret. # Apigee Hybrid expects these exact values so they must not be changed. # "secretPath" is the path in Vault where the secret should be retrieved. # "secretKey" is the key within the Vault secret response to extract a value from. objects: | - objectName: "cassandraBackup" secretPath: "" secretKey: "" - objectName: "cassandraRestore" secretPath: "" secretKey: "" - objectName: "connectAgent" secretPath: "" secretKey: "" - objectName: "logger" secretPath: "" secretKey: "" - objectName: "mart" secretPath: "" secretKey: "" - objectName: "metrics" secretPath: "" secretKey: "" - objectName: "mint" secretPath: "" secretKey: "" - objectName: "udca" secretPath: "" secretKey: "" - objectName: "watcher" secretPath: "" secretKey: ""VAULT_ADDRESS 是 Vault 服务器运行的端点。如果 Vault 与 Apigee 在同一集群中运行,则格式通常为
http://vault.$APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。将模板保存到名为
spc-org.yaml的文件中。 -
将特定于组织的
SecretProviderClass应用于 Apigee 命名空间:kubectl -n $APIGEE_NAMESPACE apply -f spc-org.yaml
-
对于每个环境,使用以下
SecretProviderClass模板为特定于环境的 Secret 配置此资源。对每个环境重复执行此步骤:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: apigee-envsakeys-ENV_NAME-spc spec: provider: vault parameters: roleName: apigee-envsakeys-ENV_NAME vaultAddress: VAULT_ADDRESS # "objectName" is an alias used within the SecretProviderClass to reference # that specific secret. This will also be the filename containing the secret. # Apigee Hybrid expects these exact values so they must not be changed. # "secretPath" is the path in Vault where the secret should be retrieved. # "secretKey" is the key within the Vault secret response to extract a value from. objects: | - objectName: "runtime" secretPath: "" secretKey: "" - objectName: "synchronizer" secretPath: "" secretKey: "" - objectName: "udca" secretPath: "" secretKey: ""VAULT_ADDRESS 是 Vault 服务器运行的端点。如果 Vault 与 Apigee 在同一集群和命名空间中运行,则格式通常为
http://vault.$APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。将模板保存到名为
spc-env-ENV_NAME.yaml的文件中。 -
对于每个环境,将特定于环境的
SecretProviderClass应用于 Apigee 命名空间:kubectl -n $APIGEE_NAMESPACE apply -f spc-env-ENV_NAME.yaml
对每个环境重复执行此步骤。