Add a doc on how to secure your database by accessing the intranet host (#521)

* Add a doc on how to secure your database by accessing the intranet host

Added a doc on how to secure Alibaba RDS database securely.

Signed-off-by: Zheng Xi Zhou <zzxwill@gmail.com>

* Add doc: how to secure your database connection

Added a doc on database

Signed-off-by: Zheng Xi Zhou <zzxwill@gmail.com>
Zheng Xi Zhou 2022-03-02 17:40:10 +08:00 committed by GitHub
parent a50e0d0593
commit 74f05333d2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 261 additions and 27 deletions

View File

@ -86,7 +86,7 @@ spec:
secret: db-conn # 1) If the env name is the same as the secret key, secret key can be omitted.
endpoint:
secret: db-conn
key: DB_HOST # 2) If the env name is different from secret key, secret key has to be set.
key: DB_PUBLIC_HOS # 2) If the env name is different from secret key, secret key has to be set.
username:
secret: db-conn
key: DB_USER
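Review bot: the replacement `key:` line under `endpoint` is misspelled: `DB_PUBLIC_HOS` should be `DB_PUBLIC_HOST`, which is the spelling the same change uses in the other copies of this file later in this commit. As written, the `endpoint` mapping would reference a secret key named `DB_PUBLIC_HOS` that the `db-conn` secret does not carry, so the host would not be injected. Fix the spelling here and in the versioned copy of this file below so the two do not drift.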

View File

@ -0,0 +1,55 @@
---
title: Secure your Database Connection
---
In the guide [Provision and Binding Cloud Resources](./provision-and-consume-cloud-services) and [Provision a Database and Import a SQL File for initialization](./provision-and-initiate-database),
a database's public host `DB_PUBLIC_HOS` is used to connect by business component. It's necessary when you want to have
a try, create a PoC, or use the database outside a cloud provider. But it's not secure for production use of database.
This tutorial will talk about how to secure your database connection.
## Provision a database
In the [reference doc for Alibaba Cloud RDS](./terraform/alibaba-rds), these two properties are essential.
| Name | Description | Type | Required | Default |
|----------------------------|--------------------------------------------------------------------------------------------------------------------------------|--------|----------|---------|
| vswitch_id | The vswitch id of the RDS instance. If set, the RDS instance will be created in VPC, or it will be created in classic network. | string | false | |
| allocate_public_connection | Whether to allocate public connection for a RDS instance. | bool | false | |
Set `vswitch_id` to the same as one of VSwitch of your ACK cluster, or a new VSwitch which belongs to the VPC of the cluster.
Set `allocation_public_connection` to `false` to disable internet connection.
Then using `DB_HOST` in business component to securely connect the database by intranet connection
```yaml
apiVersion: core.oam.dev/v1beta1
kind: Application
spec:
components:
- name: web
...
traits:
- type: service-binding
properties:
envMappings:
DATABASE_HOST:
secret: db-conn
- key: DB_PUBLIC_HOST
+ key: DB_HOST
- name: db
type: alibaba-rds
properties:
...
+ vswitch_id: xxx
+ allocate_public_connection: false
writeConnectionSecretToRef:
name: db-conn
```
## Run application
Continue samples in [Provision and Binding Cloud Resources](./provision-and-consume-cloud-services) and [Provision a Database and Import a SQL File for initialization](./provision-and-initiate-database).
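Review bot: the prose of the new doc carries two identifier typos that readers will copy: `DB_PUBLIC_HOS` in "a database's public host `DB_PUBLIC_HOS`" should be `DB_PUBLIC_HOST` (the YAML block below spells it correctly), and `allocation_public_connection` in "Set `allocation_public_connection` to `false`" should be `allocate_public_connection`, matching the table row and the `+ allocate_public_connection: false` line. Grammar: "Set `vswitch_id` to the same as one of VSwitch of your ACK cluster, or a new VSwitch which belongs to the VPC of the cluster." reads better as "Set `vswitch_id` to one of the VSwitches of your ACK cluster, or to a new VSwitch in the cluster's VPC.", and "Then using `DB_HOST` in business component to securely connect the database by intranet connection" should be "Then use `DB_HOST` in the business component to connect to the database over the intranet." with a closing period. Scope: the two properties only keep the instance inside the VPC and stop an internet-facing endpoint from being allocated; under the title "Secure your Database Connection" it is worth saying so explicitly, so readers do not take the page to cover credentials or transport encryption. The "Run application" section only says "Continue samples in ..."; state that the reader re-applies the Application from those guides with the `DB_HOST` mapping and the two `alibaba-rds` properties changed as shown.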

View File

@ -123,7 +123,7 @@ spec:
secret: db-conn
endpoint:
secret: db-conn
key: DB_HOST
key: DB_PUBLIC_HOST
username:
secret: db-conn
key: DB_USER

View File

@ -0,0 +1,54 @@
---
title: 安全访问数据库
---
在指南 [创建和使用云资源](./provision-and-consume-cloud-services)和[数据库创建和初始化](./provision-and-initiate-database),业务组件
使用数据库的公网连接 `DB_PUBLIC_HOS` 来访问数据库。当你想试用,创建 PoC或在云提供商集群之外使用数据库时这是必要的。但是对于数据库的生产使用来说它是不安全的。
本教程将讨论如何安全访问你的数据库。
## 部署数据库
在[阿里云 RDS 参考文档](./terraform/alibaba-rds)中,这两个属性非常重要。
| 名称 | 描述 | 类型 | 是否必须 | 默认值 |
|----------------------------|--------------------------------------------------------------------------------------------------------------------------------|--------|-------|-----|
| vswitch_id | The vswitch id of the RDS instance. If set, the RDS instance will be created in VPC, or it will be created in classic network. | string | false | |
| allocate_public_connection | Whether to allocate public connection for a RDS instance. | bool | false | |
`vswitch_id` 设置为与你的 ACK 集群的子网之一,或属于集群 VPC 的一个新子网。
`allocation_public_connection` 设置为 `false` 以禁止创建互联网连接。
然后在业务组件中使用 `DB_HOST`,通过私有网络连接安全地连接数据库。
```yaml
apiVersion: core.oam.dev/v1beta1
kind: Application
spec:
components:
- name: web
...
traits:
- type: service-binding
properties:
envMappings:
DATABASE_HOST:
secret: db-conn
- key: DB_PUBLIC_HOST
+ key: DB_HOST
- name: db
type: alibaba-rds
properties:
...
+ vswitch_id: xxx
+ allocate_public_connection: false
writeConnectionSecretToRef:
name: db-conn
```
## 执行应用
你可以使用[创建和使用云资源](./provision-and-consume-cloud-services)和[数据库创建和初始化](./provision-and-initiate-database)的实例来安全访问数据库。
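Review bot: the same identifier typos as in the English version of this doc: `DB_PUBLIC_HOS` in the first paragraph should be `DB_PUBLIC_HOST`, and `allocation_public_connection` should be `allocate_public_connection`, matching the table row and the `+ allocate_public_connection: false` line in the YAML. The two table descriptions ("The vswitch id of the RDS instance..." and "Whether to allocate public connection...") are still in English in an otherwise Chinese doc; translate them so the table matches the rest of the page.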

View File

@ -123,7 +123,7 @@ spec:
secret: db-conn
endpoint:
secret: db-conn
key: DB_HOST
key: DB_PUBLIC_HOST
username:
secret: db-conn
key: DB_USER

View File

@ -0,0 +1,54 @@
---
title: 安全访问数据库
---
在指南 [创建和使用云资源](./provision-and-consume-cloud-services)和[数据库创建和初始化](./provision-and-initiate-database),业务组件
使用数据库的公网连接 `DB_PUBLIC_HOS` 来访问数据库。当你想试用,创建 PoC或在云提供商集群之外使用数据库时这是必要的。但是对于数据库的生产使用来说它是不安全的。
本教程将讨论如何安全访问你的数据库。
## 部署数据库
在[阿里云 RDS 参考文档](./terraform/alibaba-rds)中,这两个属性非常重要。
| 名称 | 描述 | 类型 | 是否必须 | 默认值 |
|----------------------------|--------------------------------------------------------------------------------------------------------------------------------|--------|-------|-----|
| vswitch_id | The vswitch id of the RDS instance. If set, the RDS instance will be created in VPC, or it will be created in classic network. | string | false | |
| allocate_public_connection | Whether to allocate public connection for a RDS instance. | bool | false | |
`vswitch_id` 设置为与你的 ACK 集群的子网之一,或属于集群 VPC 的一个新子网。
`allocation_public_connection` 设置为 `false` 以禁止创建互联网连接。
然后在业务组件中使用 `DB_HOST`,通过私有网络连接安全地连接数据库。
```yaml
apiVersion: core.oam.dev/v1beta1
kind: Application
spec:
components:
- name: web
...
traits:
- type: service-binding
properties:
envMappings:
DATABASE_HOST:
secret: db-conn
- key: DB_PUBLIC_HOST
+ key: DB_HOST
- name: db
type: alibaba-rds
properties:
...
+ vswitch_id: xxx
+ allocate_public_connection: false
writeConnectionSecretToRef:
name: db-conn
```
## 执行应用
你可以使用[创建和使用云资源](./provision-and-consume-cloud-services)和[数据库创建和初始化](./provision-and-initiate-database)的实例来安全访问数据库。
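Review bot: this copy of the Chinese doc repeats the `DB_PUBLIC_HOS` and `allocation_public_connection` typos and the untranslated table descriptions noted on the earlier copy in this commit; apply the same corrections to both copies so the versioned and unversioned pages do not diverge.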

View File

@ -93,8 +93,13 @@ module.exports = {
items: [
"end-user/quick-start-cli",
"end-user/traits/ingress",
"end-user/components/cloud-services/provision-and-consume-cloud-services",
"end-user/components/cloud-services/provision-and-initiate-database",
{
"Cloud Resources": [
"end-user/components/cloud-services/provision-and-consume-cloud-services",
"end-user/components/cloud-services/provision-and-initiate-database",
"end-user/components/cloud-services/secure-your-database-connection",
],
},
"end-user/traits/rollout",
"end-user/policies/health",
"case-studies/multi-cluster",

View File

@ -86,7 +86,7 @@ spec:
secret: db-conn # 1) If the env name is the same as the secret key, secret key can be omitted.
endpoint:
secret: db-conn
key: DB_HOST # 2) If the env name is different from secret key, secret key has to be set.
key: DB_PUBLIC_HOS # 2) If the env name is different from secret key, secret key has to be set.
username:
secret: db-conn
key: DB_USER
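Review bot: same misspelling as in the earlier copy of this hunk: `DB_PUBLIC_HOS` on the `endpoint` `key:` line should be `DB_PUBLIC_HOST`, the key the connection secret actually carries.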

View File

@ -0,0 +1,55 @@
---
title: Secure your Database Connection
---
In the guide [Provision and Binding Cloud Resources](./provision-and-consume-cloud-services) and [Provision a Database and Import a SQL File for initialization](./provision-and-initiate-database),
a database's public host `DB_PUBLIC_HOS` is used to connect by business component. It's necessary when you want to have
a try, create a PoC, or use the database outside a cloud provider. But it's not secure for production use of database.
This tutorial will talk about how to secure your database connection.
## Provision a database
In the [reference doc for Alibaba Cloud RDS](./terraform/alibaba-rds), these two properties are essential.
| Name | Description | Type | Required | Default |
|----------------------------|--------------------------------------------------------------------------------------------------------------------------------|--------|----------|---------|
| vswitch_id | The vswitch id of the RDS instance. If set, the RDS instance will be created in VPC, or it will be created in classic network. | string | false | |
| allocate_public_connection | Whether to allocate public connection for a RDS instance. | bool | false | |
Set `vswitch_id` to the same as one of VSwitch of your ACK cluster, or a new VSwitch which belongs to the VPC of the cluster.
Set `allocation_public_connection` to `false` to disable internet connection.
Then using `DB_HOST` in business component to securely connect the database by intranet connection
```yaml
apiVersion: core.oam.dev/v1beta1
kind: Application
spec:
components:
- name: web
...
traits:
- type: service-binding
properties:
envMappings:
DATABASE_HOST:
secret: db-conn
- key: DB_PUBLIC_HOST
+ key: DB_HOST
- name: db
type: alibaba-rds
properties:
...
+ vswitch_id: xxx
+ allocate_public_connection: false
writeConnectionSecretToRef:
name: db-conn
```
## Run application
Continue samples in [Provision and Binding Cloud Resources](./provision-and-consume-cloud-services) and [Provision a Database and Import a SQL File for initialization](./provision-and-initiate-database).
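Review bot: this copy of the English doc repeats the `DB_PUBLIC_HOS` and `allocation_public_connection` typos, the ungrammatical "Set `vswitch_id` to the same as one of VSwitch" and "Then using `DB_HOST` in business component" sentences, and the bare "Continue samples in ..." closing section noted on the earlier copy; apply the same corrections here.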

View File

@ -6,18 +6,18 @@ slug: /
## What is KubeVela?
KubeVela is a modern application platform that makes it easier and faster to deliver and manage applications across hybrid, multi-cloud environments. At the meantime, it is highly extensible and programmable, which can adapt to your needs as they grow.
KubeVela is a modern application platform that makes it easier and faster to deliver and manage applications across hybrid, multi-cloud environments. At the mean time, it is highly extensible and programmable, which can adapt to your needs as they grow.
![](../resources/what-is-kubevela.png)
## Why KubeVela?
The trend of cloud-native technology is moving towards pursuing the consistent experience of application delivery across clouds and on-prem clusters. Kubernetes is becoming the standard layer which is excellent in abstracting away low-level infrastructure details. But it does not provide abstractions to model application deployment on top of hybrid and distributed environments. The lack of application-level context has impacted user experience, slowed down productivity, led to unexpected errors due to misconfigurations in production.
The trend of cloud-native technology is moving towards pursuing consistent experience of application delivery across clouds and on-prem clusters. Kubernetes is becoming the standard layer which is excellent in abstracting away low-level infrastructure details. But it does not provide abstractions to model application deployment on top of hybrid and distributed environments. The lack of application level context have impacted user experience, slowed down productivity, led to unexpected errors due to misconfigurations in production.
Meanwhile, modeling the deployment of a microservice application is a highly fragmented and challenging process. Thus, many solutions that tried to solve the problem so far are either oversimplified and could not fix the real issue, or too complicated to use at all. On the other hand, though many solutions provided a friendly UI layer, the platform themselves are not customizable. This means as the needs of your platform grow, it is inevitable for the feature requirements to outgrow the capabilities of such systems.
Meanwhile, modeling the deployment of a microservice application is a highly fragmented and challenging process. Thus, many solutions that tried to solve the problem so far are either over simplified and could not fix the real issue, or too complicated to use at all. On the other hand, though many solutions provided friendly UI layer, the platform themselves are not customizable. This means as the needs of your platform grow, it is inevitable for the feature requirements to outgrow the capabilities of such systems.
This is why KubeVela appears here. It can simplify the application delivery experience across hybrid environments (e.g. multi-cluster/multi-cloud/hybrid-cloud/distributed-cloud), while also being flexible enough to satisfy the fast growth of businesses requirements. KubeVela can be used by platform engineers as an extensible application engine, while developers can also use it as an out-of-box application platform with lots of addons available.
This is why KubeVela appears here. It can simplify the application delivery experience across hybrid environments (e.g. multi-cluster/multi-cloud/hybrid-cloud/distributed-cloud), while also be flexible enough to satisfy the fast growth of businesses requirements. KubeVela can be used by platform-engineers as an extensible application engine, while developers can also use it as an out-of-box application platforms with lots of addons available.
## Who should use KubeVela?
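Review bot: this hunk rewrites four paragraphs of the introduction that have nothing to do with the database doc this commit adds, and the variants it leaves in place are the weaker ones: "At the mean time" is not an idiom (use "Meanwhile" or "At the same time"), "The lack of application level context have impacted" needs "has impacted", "provided friendly UI layer" drops the article, "over simplified" should be one word, and "while also be flexible enough" should be "while also being flexible enough". Either drop these unrelated edits from the commit or keep the grammatically correct wording in each pair.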
@ -33,7 +33,7 @@ This is why KubeVela appears here. It can simplify the application delivery expe
### KubeVela vs. CI/CD systems
KubeVela is a CD (Continuous Delivery) control plane that works at downstream of your CI process. So you will reuse the CI process you already adopted and KubeVela will take over the CD process by empowering it with modern application delivery best practices such as declarative CD workflow, programmable workflow steps, pull model, multi-cloud/cluster delivery, unified cloud resource provision/binding, and much more.
KubeVela is a CD (Continuous Delivery) control plane that works at downstream of your CI process. So you will reuse the CI process you already adopted and KubeVela will take over CD process by empowering it with modern application delivery best practices such as declarative CD workflow, programmable workflow steps, pull model, multi-cloud/cluster delivery, unified cloud resource provision/binding, and much more.
If you already adopted GitOps practice in CD section, KubeVela is even easier to fit in as it's fully declarative by design. All KubeVela features including CD workflow and multi-cloud/cluster delivery will be immediately available in your GitOps process by simply putting a KubeVela application YAML inside your configuration repository.
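Review bot: the two variants of the CI/CD paragraph differ only in "take over the CD process" versus "take over CD process"; keep the one with the article. Like the previous hunk, this churn is unrelated to the commit's stated purpose and would be cleaner in a separate change.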
@ -51,9 +51,9 @@ Also, as a CD control plane, KubeVela is working on top of runtime infrastructur
### KubeVela vs. Serverless
A Serverless platform such as AWS Lambda provides extraordinary user experience and agility to deploy serverless applications. However, those platforms impose even more constraints in extensibility. They are arguably "hard-coded" PaaS, so KubeVela differ from them in similar way.
Serverless platform such as AWS Lambda provides extraordinary user experience and agility to deploy serverless applications. However, those platforms impose even more constraints in extensibility. They are arguably "hard-coded" PaaS, so KubeVela differ from them in similar way.
On the other hand, KubeVela can easily deploy both Kubernetes-based serverless workloads such as Knative/OpenFaaS, or cloud-based functions such as AWS Lambda.
On the other hand, KubeVela can easily deploy both Kubernetes based serverless workloads such as Knative/OpenFaaS, or cloud based functions such as AWS Lambda.
### KubeVela vs. Platform agnostic developer tools
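Review bot: keep "A Serverless platform such as AWS Lambda provides" (the variant without the article is ungrammatical) and the hyphenated "Kubernetes-based" and "cloud-based"; in both variants "so KubeVela differ from them in similar way" should read "so KubeVela differs from them in a similar way".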
@ -65,7 +65,7 @@ KubeVela can be integrated with such tools seamlessly. In this case, developers
Helm is a package manager for Kubernetes that provides package, install, and upgrade a set of YAML files for Kubernetes as a unit.
KubeVela as a modern deployment system can naturally deploy Helm charts. For example, you could use KubeVela to define an application that is composed of a WordPress chart and a AWS RDS Terraform module, orchestrate the components' topology, and then deploy them to multiple environments following certain strategy.
KubeVela as a modern deployment system can naturally deploy Helm charts. For example, you could use KubeVela to define an application that is composed by a WordPress chart and a AWS RDS Terraform module, orchestrate the components' topology, and then deploy them to multiple environments following certain strategy.
Of course, KubeVela also supports other encapsulation formats including Kustomize etc.
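Review bot: "composed of a WordPress chart" is correct and "composed by" is not, so keep the former; both variants also need "an AWS RDS Terraform module" and "following a certain strategy".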

View File

@ -68,7 +68,6 @@ $ vela addon registry delete experimental
Successfully delete an addon registry experimental
```
## Enable Addon offline
For some reason, if your cluster network cannot request the official addon registry you can enable an addon with a local dir. eg:
@ -83,7 +82,6 @@ Addon: velaux enabled Successfully
Please notice that, while a addon installing cluster maybe still need pull some images or helm charts.If your cluster cannot reach these resources please refer [docs](../../../platform-engineers/system-operation/enable-addon-offline) to do complete installation without Internet.
## Make your own addon
Refer to extension documents to learn how to [make your own addon and registry](../../../platform-engineers/addon/intro).
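Review bot: since this file is already being touched, the sentence "Please notice that, while a addon installing cluster maybe still need pull some images or helm charts.If your cluster cannot reach these resources please refer [docs](...)" should be fixed at the same time: "Please note that a cluster installing an addon may still need to pull some images or Helm charts. If your cluster cannot reach these resources, refer to the [docs](...) to complete the installation without Internet access." (space after the period, "an addon", "may still need to pull").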

View File

@ -7,10 +7,12 @@ title: Enable Addon without Internet Access
If your environments don't have access to `https://addons.kubevela.net` or `https://github.com/oam-dev/catalog`, you should git clone the repo `https://github.com/oam-dev/catalog/tree/master/addons` locally. You can specify a local addon directory when enable an addon for installation.
Before installing an addon, you should check if the addon contains any container images or other sub helm charts in it. If so, the addon also can't be installed well. You can follow these steps to make it success.
1. Git clone [the catalog repo](https://github.com/oam-dev/catalog) to download these addon files.You can find all official addons in subdirectory `./addons/` and experimental addons in subdirectory `./experimental/addons`
1. Git clone [the catalog repo](https://github.com/oam-dev/catalog) to download these addon files.You can find all official addons in subdirectory `./addons/` and experimental addons in subdirectory `./experimental/addons`.
```yaml
git clone https://github.com/oam-dev/catalog
```
2. Sync the container images relied on by addon to your own image repository.
For example, you want sync the image of the helm controller image of fluxcd addon.
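Review bot: the replacement line still has "these addon files.You can find" without a space after the period, and the fenced block that follows holds a shell command (`git clone https://github.com/oam-dev/catalog`) but is tagged `yaml`; tag it `shell`. In the surrounding context, "when enable an addon" should be "when enabling an addon", "make it success" should be "make it succeed", and "you want sync the image of the helm controller image of fluxcd addon" should be "you want to sync the helm-controller image of the fluxcd addon".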
@ -18,6 +20,7 @@ git clone https://github.com/oam-dev/catalog
$ docker pull fluxcd/helm-controller:v0.11.1
$ docker push <your repo url>/fluxcd/helm-controller:v0.11.1
```
3. Parts of addons maybe rely on some helm charts such as terraform addon. You should sync these helm charts to your own chart repository.
```yaml
@ -29,11 +32,10 @@ $ helm push terraform-controller-0.3.5.tgz <your charts repo url>
You can read this [docs](https://helm.sh/docs/topics/chart_repository/) to get knowledge how to build your own helm repo.
4. Modify the values of addon by referring to your own image/chart repository.
Generally you can find all relied on images/charts in the files of subdirectory `resources/` and modify them.
For example, you can modify the fluxcd addon files `addons/fluxcd/resources/deployment/helm-controller.yaml` field `spec.sepc.containers[0].image` to your own image repo.
4. Modify the values of addon by referring to your own image/chart repository. You can find all relied on images/charts in the files of subdirectory `resources/` and modify them.
For example, you can modify the fluxcd addon files `addons/fluxcd/resources/deployment/helm-controller.yaml` the deployment object's field `spec.sepc.containers[0].image` to your own image repo.We will introduce what images/helm charts needed to sync for each addon below.
5. Use `vela cli` to enable an addon with specify a local addon dir to install offline.We will introduce what images/helm charts needed to sync for each addon below.
5. Use `vela cli` to enable an addon with specify a local addon dir to install offline.
```yaml
$ vela addon enable <dir>
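Review bot: the new line keeps the typo in "field `spec.sepc.containers[0].image`", and for a Deployment object the container image actually lives at `spec.template.spec.containers[0].image`; "image repo.We will introduce" is also missing the space after the period. The replacement step 5, "enable an addon with specify a local addon dir to install offline", should read "enable an addon by specifying a local addon directory, to install offline". The command blocks in this hunk (`$ helm push ...` and `$ vela addon enable <dir>`) are fenced as `yaml` though they are shell commands; tag them `shell`.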

View File

@ -187,12 +187,23 @@
"id": "version-v1.2/end-user/traits/ingress"
},
{
"type": "doc",
"id": "version-v1.2/end-user/components/cloud-services/provision-and-consume-cloud-services"
},
{
"type": "doc",
"id": "version-v1.2/end-user/components/cloud-services/provision-and-initiate-database"
"collapsed": true,
"type": "category",
"label": "Cloud Resources",
"items": [
{
"type": "doc",
"id": "version-v1.2/end-user/components/cloud-services/provision-and-consume-cloud-services"
},
{
"type": "doc",
"id": "version-v1.2/end-user/components/cloud-services/provision-and-initiate-database"
},
{
"type": "doc",
"id": "version-v1.2/end-user/components/cloud-services/secure-your-database-connection"
}
]
},
{
"type": "doc",