trace - Distributed tracing in Linkerd with OpenCensus
Problem description
Context
I am trying to use OpenCensus with Linkerd. Although Linkerd has an option to set up OpenCensus and Jaeger automatically in its own namespace, I don't want to use them. Instead, I deployed them myself, independently, in a namespace called "ops".
Questions
- Should the OpenCensus collector be injected by Linkerd?
At the end of the official documentation (exactly the 4th line from the end), it says:
Ensure the OpenCensus collector is injected with the Linkerd proxy.
What does this mean?
Should I inject the Linkerd sidecar into the OpenCensus collector Pod?
If so, why?
- Should I suffix the service account name with the namespace?
For example, suppose I have configured the default namespace like this:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: default
  annotations:
    linkerd.io/inject: enabled
    config.linkerd.io/trace-collector: my-opencensus-collector.ops:12345
    config.alpha.linkerd.io/trace-collector-service-account: my-opencensus-collector-service-account
```
my-opencensus-collector lives in the "ops" namespace, so I put ".ops" at the end of its service name, giving my-opencensus-collector.ops:12345. The dedicated service account for the OpenCensus collector also exists in the "ops" namespace. In that case, should I also put the namespace name at the end of the service account name?
Which one is correct?
config.alpha.linkerd.io/trace-collector-service-account: my-opencensus-collector-service-account
or
config.alpha.linkerd.io/trace-collector-service-account: my-opencensus-collector-service-account.ops
Thanks!
Solution
- Whether the OpenCensus collector should be injected by Linkerd.
Yes, the OpenCensus collector should be injected with the Linkerd proxy because the proxies themselves send the span info using mTLS. With mTLS, the sending (client) and receiving (server) sides of the request must present certificates to each other in order to verify their identities in a way that validates that the identity was issued by the same trusted source.
The Linkerd service mesh is made up of the control plane and the data plane. The control plane is a set of services that run within the cluster to implement the features of the service mesh. Mutual TLS (mTLS) is one of those features and is implemented by the linkerd-identity component of the control plane.
The data plane is comprised of any number of Linkerd proxies which are injected into the services in the application, like the OpenCensus collector. Whenever a proxy is started within a pod, it sends a certificate signing request to the linkerd-identity component and receives a certificate in return.
So, when the Linkerd proxies send the spans to the collector, they authenticate themselves with those certificates, which must be verified by the proxy injected into the OpenCensus collector Pod. This ensures that all traffic, even distributed traces, is sent securely within the cluster.
- Should I suffix serviceaccount name by namespace?
In your case, you should suffix the service account with the namespace. By default, Linkerd will use the Pod namespace, so if the service account doesn't exist in the Pod namespace, then the configuration will be invalid. The logic has a function that checks for a namespace in the annotation name and appends it, if it exists:
```go
import (
	"fmt"
	"strings"
)

// ammendSvcAccount (sic) qualifies the trace-collector service account with a
// namespace: the one parsed from the collector address if it has a namespace
// part, otherwise the Pod's own namespace passed in as ns.
func ammendSvcAccount(ns string, params *Params) {
	hostAndPort := strings.Split(params.CollectorSvcAddr, ":") // drop ":port"
	hostname := strings.Split(hostAndPort[0], ".")            // "svc[.ns[.svc.cluster.local]]"
	if len(hostname) > 1 {
		ns = hostname[1]
	}
	params.CollectorSvcAccount = fmt.Sprintf("%s.%s", params.CollectorSvcAccount, ns)
}
```
So, this one is correct:
config.alpha.linkerd.io/trace-collector-service-account: my-opencensus-collector-service-account.ops
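As an added example (not part of the answer above or of Linkerd's own code), the helper from the answer run against both candidate annotation values from the question, a fully-qualified collector address, and an address with no namespace part. It assumes a Params struct with only the two fields the helper touches, and a Pod namespace of "default" as in the question's manifest.

```go
package main

import (
	"fmt"
	"strings"
)

// Params mirrors only the two fields the helper uses (assumed shape, not Linkerd's full struct).
type Params struct {
	CollectorSvcAddr    string // value of config.linkerd.io/trace-collector
	CollectorSvcAccount string // value of config.alpha.linkerd.io/trace-collector-service-account
}

// ammendSvcAccount is the Linkerd helper quoted in the answer, reproduced as written there.
func ammendSvcAccount(ns string, params *Params) {
	hostAndPort := strings.Split(params.CollectorSvcAddr, ":")
	hostname := strings.Split(hostAndPort[0], ".")
	if len(hostname) > 1 {
		ns = hostname[1]
	}
	params.CollectorSvcAccount = fmt.Sprintf("%s.%s", params.CollectorSvcAccount, ns)
}

// ResolveCollectorSvcAccount returns the "<account>.<namespace>" string a proxy in
// podNS ends up using for the collector, given the two annotation values.
func ResolveCollectorSvcAccount(podNS, collectorAddr, svcAccount string) string {
	p := &Params{CollectorSvcAddr: collectorAddr, CollectorSvcAccount: svcAccount}
	ammendSvcAccount(podNS, p)
	return p.CollectorSvcAccount
}

func main() {
	const addr = "my-opencensus-collector.ops:12345" // from the question's manifest
	for _, sa := range []string{
		"my-opencensus-collector-service-account",     // first candidate
		"my-opencensus-collector-service-account.ops", // second candidate
	} {
		fmt.Printf("%-45s -> %s\n", sa, ResolveCollectorSvcAccount("default", addr, sa))
	}
	// Constructed address with no namespace part: the Pod namespace is used instead.
	fmt.Println(ResolveCollectorSvcAccount("default", "collector:55678", "oc-sa"))
}
```

Note that the helper appends a namespace unconditionally, so an annotation value that already carries ".ops" comes out doubly suffixed.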