运行一个nodejs服务,先发布为deployment,然后创建service,让集群外可以访问
问题来源
海口-老男人 17:42:43就是我要运行一个nodejs服务,先发布为deployment,然后创建service,让集群外可以访问旧报纸 17:43:35也就是 你的需求为 一个app 用delployment 发布 然后service 然后 代理 对吧
解决方案:
部署traefik发布deployment pod创建servicetraefik 代理service外部访问
环境
docker 19.03.5
kubernetes 1.17.2
traefik部署
为什么选择 traefik,抛弃nginx:
https://www.php.cn/nginx/422461.html特别说明:traefik 2.1 版本更新了灰色发布和流量复制功能 为容器/微服务而生traefik 官网写的都很不错了 附带一篇 快速入门博文:https://www.qikqiak.com/post/traefik-2.1-101/建议部署traefik 不要用上述链接的方案
注意:这里 Traefik 是部署在 assembly Namespace 下,如果不是需要修改下面部署文件中的 Namespace 属性。
traefik-crd.yaml
在 traefik v2.1 版本后,开始使用 CRD(Custom Resource Definition)来完成路由配置等,所以需要提前创建 CRD 资源。
# cat traefik-crd.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-16#FileName: traefik-crd.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved############################################################################# IngressRouteapiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: ingressroutes.traefik.containo.usspec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: IngressRouteplural: ingressroutessingular: ingressroute---## IngressRouteTCPapiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: ingressroutetcps.traefik.containo.usspec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: IngressRouteTCPplural: ingressroutetcpssingular: ingressroutetcp---## MiddlewareapiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: middlewares.traefik.containo.usspec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: Middlewareplural: middlewaressingular: middleware---## TLSOptionapiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: tlsoptions.traefik.containo.usspec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: TLSOptionplural: tlsoptionssingular: tlsoption---## TraefikServiceapiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: traefikservices.traefik.containo.usspec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: TraefikServiceplural: traefikservicessingular: traefikservice
创建RBAC权限
Traefik 需要一定的权限,所以这里提前创建好 Traefik ServiceAccount 并分配一定的权限。
# cat traefik-rbac.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-16#FileName: traefik-rbac.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved############################################################################# ServiceAccountapiVersion: v1kind: ServiceAccountmetadata:namespace: kube-systemname: traefik-ingress-controller---## ClusterRolekind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerrules:- apiGroups: [""]resources: ["services","endpoints","secrets"]verbs: ["get","list","watch"]- apiGroups: ["extensions"]resources: ["ingresses"]verbs: ["get","list","watch"]- apiGroups: ["extensions"]resources: ["ingresses/status"]verbs: ["update"]- apiGroups: ["traefik.containo.us"]resources: ["middlewares"]verbs: ["get","list","watch"]- apiGroups: ["traefik.containo.us"]resources: ["ingressroutes"]verbs: ["get","list","watch"]- apiGroups: ["traefik.containo.us"]resources: ["ingressroutetcps"]verbs: ["get","list","watch"]- apiGroups: ["traefik.containo.us"]resources: ["tlsoptions"]verbs: ["get","list","watch"]- apiGroups: ["traefik.containo.us"]resources: ["traefikservices"]verbs: ["get","list","watch"]---## ClusterRoleBindingkind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: traefik-ingress-controllersubjects:- kind: ServiceAccountname: traefik-ingress-controllernamespace: kube-system
创建traefik配置文件
由于 Traefik 配置很多,通过 CLI 定义不是很方便,一般时候选择将其配置选项放到配置文件中,然后存入 ConfigMap,将其挂入 traefik 中。
traefik-config.yaml
# cat traefik-config.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-16#FileName: traefik-config.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved###########################################################################kind: ConfigMapapiVersion: v1metadata:name: traefik-confignamespace: kube-systemdata:traefik.yaml: |-ping: "" ## 启用 PingserversTransport:insecureSkipVerify: true ## Traefik 忽略验证代理服务的 TLS 证书api:insecure: true ## 允许 HTTP 方式访问 APIdashboard: true ## 启用 Dashboarddebug: false ## 启用 Debug 调试模式metrics:prometheus: "" ## 配置 Prometheus 监控指标数据,并使用默认配置entryPoints:web:address: ":80" ## 配置 80 端口,并设置入口名称为 webwebsecure:address: ":443" ## 配置 443 端口,并设置入口名称为 websecureredis:address: ":663"providers:kubernetesCRD: "" ## 启用 Kubernetes CRD 方式来配置路由规则kubernetesIngress: "" ## 启动 Kubernetes Ingress 方式来配置路由规则log:filePath: "" ## 设置调试日志文件存储路径,如果为空则输出到控制台level: error ## 设置调试日志级别format: json ## 设置调试日志格式accessLog:filePath: "" ## 设置访问日志文件存储路径,如果为空则输出到控制台format: json ## 设置访问调试日志格式bufferingSize: 0 ## 设置访问日志缓存行数filters:#statusCodes: ["200"] ## 设置只保留指定状态码范围内的访问日志retryAttempts: true ## 设置代理访问重试失败时,保留访问日志minDuration: 20 ## 设置保留请求时间超过指定持续时间的访问日志fields: ## 设置访问日志中的字段是否保留(keep 保留、drop 不保留)defaultMode: keep ## 设置默认保留访问日志字段names: ## 针对访问日志特别字段特别配置保留模式ClientUsername: dropheaders: ## 设置 Header 中字段是否保留defaultMode: keep ## 设置默认保留 Header 中字段names: ## 针对 Header 中特别字段特别配置保留模式User-Agent: redactAuthorization: dropContent-Type: keep
关键配置部分
entryPoints:web:address: ":80" ## 配置 80 端口,并设置入口名称为 webwebsecure:address: ":443" ## 配置 443 端口,并设置入口名称为 websecureredis:address: ":6379" ## 配置 6379 端口,并设置入口名称为 redis
部署traefik
采用daemonset这种方式部署Traefik,所以需要提前给节点设置 Label,这样当程序部署时 Pod 会自动调度到设置 Label 的节点上
traefik-deploy.yaml
kubectl label nodes 20.0.0.202 IngressProxy=true#cat traefik-deploy.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-16#FileName: traefik-deploy.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved###########################################################################apiVersion: v1kind: Servicemetadata:name: traefiknamespace: kube-systemspec:type: NodePortports:- name: webport: 80- name: websecureport: 443- name: adminport: 8080- name: redisport: 6379selector:app: traefik---apiVersion: apps/v1kind: DaemonSetmetadata:name: traefik-ingress-controllernamespace: kube-systemlabels:app: traefikspec:selector:matchLabels:app: traefiktemplate:metadata:name: traefiklabels:app: traefikspec:serviceAccountName: traefik-ingress-controllerterminationGracePeriodSeconds: 1containers:- image: traefik:v2.1.2name: traefik-ingress-lbports:- name: webcontainerPort: 80hostPort: 80 ## 将容器端口绑定所在服务器的 80 端口- name: websecurecontainerPort: 443hostPort: 443 ## 将容器端口绑定所在服务器的 443 端口- name: rediscontainerPort: 6379hostPort: 6379- name: admincontainerPort: 8080 ## Traefik Dashboard 端口resources:limits:cpu: 2000mmemory: 1024Mirequests:cpu: 1000mmemory: 1024MisecurityContext:capabilities:drop:- ALLadd:- NET_BIND_SERVICEargs:- --configfile=/config/traefik.yamlvolumeMounts:- mountPath: "/config"name: "config"volumes:- name: configconfigMap:name: traefik-configtolerations: ## 设置容忍所有污点,防止节点被设置污点- operator: "Exists"nodeSelector: ## 设置node筛选器,在特定label的节点上启动IngressProxy: "true"
Traefik2.1 应用已经部署完成,但是想让外部访问 Kubernetes 内部服务,还需要配置路由规则,这里开启了 Traefik Dashboard 配置,所以首先配置 Traefik Dashboard 看板的路由规则,使外部能够访问 Traefik Dashboard。
部署traefik dashboard
# cat traefik-dashboard-route.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-16#FileName: traefik-dashboard-route.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved###########################################################################apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: traefik-dashboard-routenamespace: kube-systemspec:entryPoints:- webroutes:- match: Host(`traefik.linux.com`)kind: Ruleservices:- name: traefikport: 8080
本地host解析
其实到这里 已经能基本看出traefik是如何进行代理的了
apiVersion: v1kind: Servicemetadata:name: traefiknamespace: kube-systemspec:type: NodePortports:- name: webport: 80- name: websecureport: 443- name: adminport: 8080selector:app: traefikapiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: traefik-dashboard-routenamespace: kube-systemspec:entryPoints:- web //入口routes:- match: Host(`traefik.linux.com`) //外部访问域名kind: Ruleservices:- name: traefik //service.selectorport: 8080 //service.ports
代理一个deployment pod
问题要求是: 部署一个app 用delployment 发布 然后service 然后 代理
端口是3009
那这里就用个应用实验吧 这里我随便用个prometheus 应用吧
[root@bs-k8s-master01 prometheus]# cat prometheus-cm.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-20#FileName: prometheus-cm.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved###########################################################################apiVersion: v1kind: ConfigMapmetadata:name: prometheus-confignamespace: assemblydata:prometheus.yml: |global:scrape_interval: 15sscrape_timeout: 15salerting:alertmanagers:- static_configs:- targets: ["alertmanager-svc:9093"]rule_files:- /etc/prometheus/rules.yamlscrape_configs:- job_name: 'prometheus'static_configs:- targets: ['localhost:9090']- job_name: 'traefik'static_configs:- targets: ['traefik.kube-system.svc.cluster.local:8080']- job_name: "kubernetes-nodes"kubernetes_sd_configs:- role: noderelabel_configs:- source_labels: [__address__]regex: '(.*):10250'replacement: '${1}:9100'target_label: __address__action: replace- action: labelmapregex: __meta_kubernetes_node_label_(.+)- job_name: 'kubernetes-kubelet'kubernetes_sd_configs:- role: nodescheme: httpstls_config:ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crtinsecure_skip_verify: truebearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/tokenrelabel_configs:- action: labelmapregex: __meta_kubernetes_node_label_(.+)- job_name: "kubernetes-apiserver"kubernetes_sd_configs:- role: endpointsscheme: httpstls_config:ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crtbearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/tokenrelabel_configs:- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]action: keepregex: default;kubernetes;https- job_name: "kubernetes-scheduler"kubernetes_sd_configs:- role: endpoints- job_name: 'kubernetes-cadvisor'kubernetes_sd_configs:- role: nodescheme: httpstls_config:ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crtbearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/tokenrelabel_configs:- action: labelmapregex: __meta_kubernetes_node_label_(.+)- target_label: __address__replacement: kubernetes.default.svc:443- source_labels: [__meta_kubernetes_node_name]regex: (.+)target_label: __metrics_path__replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor- job_name: 'kubernetes-service-endpoints'kubernetes_sd_configs:- role: endpointsrelabel_configs:- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]action: keepregex: true- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]action: replacetarget_label: __scheme__regex: (https?)- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]action: replacetarget_label: __metrics_path__regex: (.+)- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]action: replacetarget_label: __address__regex: ([^:]+)(?::\d+)?;(\d+)replacement: $1:$2- action: labelmapregex: __meta_kubernetes_service_label_(.+)- source_labels: [__meta_kubernetes_namespace]action: replacetarget_label: kubernetes_namespace- source_labels: [__meta_kubernetes_service_name]action: replacetarget_label: kubernetes_namerules.yaml: |groups:- name: test-rulerules:- alert: NodeMemoryUsageexpr: (sum(node_memory_MemTotal_bytes) - sum(node_memory_MemFree_bytes + node_memory_Buffers_bytes+node_memory_Cached_bytes)) / sum(node_memory_MemTotal_bytes) * 100 > 5for: 2mlabels:team: nodeannotations:summary: "{{$labels.instance}}: High Memory usage detected"description: "{{$labels.instance}}: Memory usage is above 80% (current value is: {{ $value }}"[root@bs-k8s-master01 prometheus]# cat prometheus-rbac.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-20#FileName: prometheus-rbac.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved###########################################################################apiVersion: v1kind: ServiceAccountmetadata:name: prometheusnamespace: assembly---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: prometheusrules:- apiGroups:- ""resources:- nodes- services- endpoints- pods- nodes/proxyverbs:- get- list- watch- apiGroups:- ""resources:- configmaps- nodes/metricsverbs:- get- nonResourceURLs:- /metricsverbs:- get---apiVersion: rbac.authorization.k8s.io/v1beta1kind: ClusterRoleBindingmetadata:name: prometheusroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: prometheussubjects:- kind: ServiceAccountname: prometheusnamespace: assembly# cat prometheus-deploy.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-20#FileName: prometheus-deploy.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved###########################################################################apiVersion: apps/v1kind: Deploymentmetadata:name: prometheusnamespace: assemblylabels:app: prometheusspec:selector:matchLabels:app: prometheustemplate:metadata:labels:app: prometheusspec:imagePullSecrets:- name: k8s-harbor-loginserviceAccountName: prometheuscontainers:- image: harbor.linux.com/prometheus/prometheus:v2.4.3name: prometheuscommand:- "/bin/prometheus"args:- "--config.file=/etc/prometheus/prometheus.yml"- "--storage.tsdb.path=/prometheus"- "--storage.tsdb.retention=24h"- "--web.enable-admin-api" # 控制对admin HTTP API的访问,其中包括删除时间序列等功能- "--web.enable-lifecycle" # 支持热更新,直接执行localhost:9090/-/reload立即生效ports:- containerPort: 9090protocol: TCPname: httpvolumeMounts:- mountPath: "/prometheus"subPath: prometheusname: data- mountPath: "/etc/prometheus"name: config-volumeresources:requests:cpu: 100mmemory: 512Milimits:cpu: 100mmemory: 512MisecurityContext:runAsUser: 0volumes:- name: datapersistentVolumeClaim:claimName: prometheus-pvc- configMap:name: prometheus-configname: config-volumenodeSelector: ## 设置node筛选器,在特定label的节点上启动prometheus: "true"[root@bs-k8s-master01 prometheus]# cat prometheus-svc.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-20#FileName: prometheus-svc.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved###########################################################################apiVersion: v1kind: Servicemetadata:name: prometheusnamespace: assemblylabels:app: prometheusspec:selector:app: prometheustype: NodePortports:- name: webport: 9090targetPort: http[root@bs-k8s-master01 prometheus]# cat prometheus-ingressroute.yaml###########################################################################Author: zisefeizhu#QQ: 2********0#Date: 2020-03-20#FileName: prometheus-ingressroute.yaml#URL: https://www.cnblogs.com/zisefeizhu/#Description: The test script#Copyright (C): 2020 All rights reserved###########################################################################apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: prometheusnamespace: assemblyspec:entryPoints:- webroutes:- match: Host(`prometheus.linux.com`)kind: Ruleservices:- name: prometheusport: 9090
验证
显然已经代理成功了 本地hosts解析
还是没得问题的
运行一个nodejs服务,先发布为deployment,然后创建service,让集群外可以访问的更多相关文章
- 【Azure微服务 Service Fabric 】使用az命令创建Service Fabric集群
问题描述 在使用Service Fabric的快速入门文档: 将 Windows 容器部署到 Service Fabric. 其中在创建Service Fabric时候,示例代码中使用的是PowerS ...
- 庐山真面目之十微服务架构 Net Core 基于 Docker 容器部署 Nginx 集群
庐山真面目之十微服务架构 Net Core 基于 Docker 容器部署 Nginx 集群 一.简介 前面的两篇文章,我们已经介绍了Net Core项目基于Docker容器部署在Linux服 ...
- k8s暴露集群内和集群外服务的方法
集群内服务 一般 pod 都是根据 service 资源来进行集群内的暴露,因为 k8s 在 pod 启动前就已经给调度节点上的 pod 分配好 ip 地址了,因此我们并不能提前知道提供服务的 pod ...
- 【Azure微服务 Service Fabric 】因证书过期导致Service Fabric集群挂掉(升级无法完成,节点不可用)
问题描述 创建Service Fabric时,证书在整个集群中是非常重要的部分,有着用户身份验证,节点之间通信,SF升级时的身份及授权认证等功能.如果证书过期则会导致节点受到影响集群无法正常工作. 当 ...
- 微服务之:从零搭建ocelot网关和consul集群
介绍 微服务中有关键的几项技术,其中网关和服务服务发现,服务注册相辅相成. 首先解释几个本次教程中需要的术语 网关 Gateway(API GW / API 网关),顾名思义,是企业 IT 在系统边界 ...
- Spark运行模式_spark自带cluster manager的standalone cluster模式(集群)
这种运行模式和"Spark自带Cluster Manager的Standalone Client模式(集群)"还是有很大的区别的.使用如下命令执行应用程序(前提是已经启动了spar ...
- Nginx(http协议代理 搭建虚拟主机 服务的反向代理 在反向代理中配置集群的负载均衡)
Nginx 简介 Nginx (engine x) 是一个高性能的 HTTP 和反向代理服务.Nginx 是由伊戈尔·赛索耶夫为俄罗斯访问量第二的 Rambler.ru 站点(俄文:Рамблер)开 ...
- 【微服务架构】SpringCloud之Eureka(注册中心集群篇)(三)
上一篇讲解了spring注册中心(eureka),但是存在一个单点故障的问题,一个注册中心远远无法满足实际的生产环境,那么我们需要多个注册中心进行集群,达到真正的高可用.今天我们实战来搭建一个Eure ...
- Spark运行模式_基于YARN的Resource Manager的Client模式(集群)
现在越来越多的场景,都是Spark跑在Hadoop集群中,所以为了做到资源能够均衡调度,会使用YARN来做为Spark的Cluster Manager,来为Spark的应用程序分配资源. 在执行Spa ...
随机推荐
- 【科创人独家】PingCAP黄东旭:想告诉图灵这个世界现在的样子
创业是投己所好 科创人:作为技术圈内著名艺术青年,哪个瞬间会让您更开心,完成一段优美的代码或者乐谱?还是得到来自外界的欢呼与掌声? 黄东旭:在创业之前的很长一段时间里,完成一段代码.写完一首好曲子那一 ...
- 【分布式锁】07-Zookeeper实现分布式锁:Semaphore、读写锁实现原理
前言 前面已经讲解了Zookeeper可重入锁的实现原理,自己对分布式锁也有了更深的认知. 我在公众号中发了一个疑问,相比于Redis来说,Zookeeper的实现方式要更好一些,即便Redis作者实 ...
- [阿里云-机器学习PAI快速入门与业务实战 ]课时1-机器学习背景知识以及业务架构介绍
什么是机器学习? 机器学习指的是机器通过统计学算法,对大量的历史数据进行学习从而生成经验模型,利用经验模型指导业务. 目前机器学习主要在一下一些方面发挥作用: 营销类场景:商品推荐.用户群体画像.广告 ...
- Building Applications with Force.com and VisualForce(Dev401)( 九):Designing Applications for Multiple Users: Putting It All Together
Module Objectives1.Apply profiles, organization wide defaults, role hierarchy and sharing to given a ...
- OpenCV-Python 光流 | 四十八
目标 在本章中, 我们将了解光流的概念及其使用Lucas-Kanade方法的估计. 我们将使用cv.calcOpticalFlowPyrLK()之类的函数来跟踪视频中的特征点. 我们将使用cv.cal ...
- 巴什博弈 HDU-1846
描述:一堆石子有 n 个 ,两个人开始轮流取,每人最多取m个,最少取1个,最后一个将石子取完的是赢家. 思路:对于先手来说,如果有(m+1)个石子,先手取 k 个,后手就可以取 m+1-k 个,所以有 ...
- 让vscode支持WePY框架 *.wpy
WePY框架的.wpy 文件在微信开发者工具中无法打开,这里使用vscode 打开,并安装vetur 和vetur-wepy 插件即可
- coding++:解决Not allowed to load local resource错误-SpringBoot配置虚拟路径
1.在SpringBoot里上传图片后返回了绝对路径,发现本地读取的环节上面出现了错误(Not allowed to load local resource),一开始用的是直接本地路径. 但是在页面上 ...
- 分布式配置中心Apollo
1,什么是分布式配置中心 项目中配置文件比较繁杂,而且不同环境的不同配置修改相对频繁,每次发布都需要对应修改配置,如果配置出现错误,需要重新打包发布,时间成本较高,因此需要做统一的分布式注册中心,能做 ...
- Web安全认证
一.HTTP Basic Auth 每次请求 API 时都提供用户的 username 和 password. Basic Auth 是配合 RESTful API 使用的最简单的认证方式,只需提供用 ...