PART Ⅰ : 容器云OPENSHIFT
- 安装
- 数据持久化
- 集群管理
- 数据持久化
- 管理
- 网络
- 安全审计
- 工具应用部署
PART Ⅱ:容器云 KUBERNETES
- 基础
- 原理
- 系统应用/网络CNI/TRaefik
- 安装
- 集群管理
- 用户认证ServiceAccount与授权策略RBAC
- K8S应用管理工具Helm
- 问题
- 辅助工具
- Doing:K8S 多集群管理与网络互联
- VM On K8S
PART Ⅲ:持续集成与持续部署
- CICD优化总结
- Jenkins
- Gitlab
- Drone
- Nexus
- 配置
- 使用OrientDB Console在DB层面修改配置
- [设置SMTP邮件服务](https://www.wenjiangs.com/doc/krrcu7ebin9hh
- 仓库管理
- 数据备份恢复
- API
- Jenkins相关插件
- 配置
- SonarQube静态代码扫描分析
- LDAP
- Apollo
- 项目管理工具
- Jira
- Redmine
- Harbor
- Vault
- Alfred
- Web IDE: VSCode
- DolphinScheduler
PART Ⅴ:日志/监控/告警
- Logging
- Kafka/Zookeeper
- Filebeat
- Metrics
- Tracing
- Sentry日志聚合告警平台
PART Ⅵ:基础
- Docker
- Shell脚本
- Mave
- git
- 正则表达式
- SSL/TLS
- Ceph
- 性能压力测试
- PXE+Kickstart
- netboot.xyz
- Tool
- Windows
- MacOS小技巧
- Linux
- Linux排错优化
- iptables详解
- MySQL
- Redis
- 负载均衡与代理
- 代理服务器
- Nginx
- GitBook
- Telegram机器人
- OpenVPN Server
- iDRAC
- vSphere
- Raspberry Pi树莓派
- 钉钉机器人
- Aliyun CLI
- 音、视频处理工具:fffmpeg
- 图片处理工具:Imagemagick
- PDF处理工具:Ghostscript
- Nvidia
- Virtualbox 虚拟机管理
- 阿里云产品使用总结
- RustDesk:可自建远程控制软件
- Poste:自建邮件服务器
- 使用 Jlink构建最小化依赖的 JRE 环境
- Aria2
- Asuswrt-Merlin
- Trap:Shell脚本信号跟踪
- 零散知识汇总
- BarkServer通知
- Synology
PART Ⅶ:数据存储、处理
PART VIII:CODE
- Python学习笔记
- 基础语法
- statik 将静态资源文件打包到二进制文件中
- HTML/CSS 学习笔记
- JavaScript学习笔记
PART X:HACKINTOSH
PART XI:安全
K8S应用管理工具Helm
Helm 是 Kubernetes 的包管理器。包管理器类似于我们在 Ubuntu 中使用的apt、Centos中使用的yum 或者Python中的 pip 一样,能快速查找、下载和安装软件包。Helm 由客户端组件 helm 和服务端组件 Tiller 组成, 能够将一组K8S资源打包统一管理, 是查找、共享和使用为Kubernetes构建的软件的最佳方式。
Helm3之前是C/S架构的。主要分为客户端 helm
和服务端 Tiller
。Tiller
负责对charts的解析生成k8s资源声明文件,然后调用k8s api进行部署。同时还保存chart部署的版本信息。
Helm3移除了 Tiller
,直接在客户端就对charts进行解析,调用k8s api部署资源声明文件。同时将charts release的版本信息保存至对应k8s应用部署所在命名空间下的secret中。(例如:名为sh.helm.release.v1.sentry-kubernetes-events.v1 helm.sh/release.v1类型的secret)
全面拥抱Helm3
Github下载地址:https://github.com/helm/helm/releases
1、二进制包安装
下载二进制文件解压至系统环境路径下即可。
命令脚本
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 chmod 700 get_helm.sh ./get_helm.sh # 或者 curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
2、包管理器安装
Brew
brew install helm
3、源码编译安装
$ cd $GOPATH
$ mkdir -p src/helm.sh
$ cd src/helm.sh
$ git clone https://github.com/helm/helm.git
$ cd helm
$ make
helm3默认读取当前用户目录下~/.kube/config
文件中的当前k8s环境上下文来配置部署charts到哪个k8s集群。相关权限跟随着kuectl配置的用户权限。(开箱即用的感觉)
1、配置helm的环境变量
Name | Description |
---|---|
$XDG_CACHE_HOME | set an alternative location for storing cached files. |
$XDG_CONFIG_HOME | set an alternative location for storing Helm configuration. |
$XDG_DATA_HOME | set an alternative location for storing Helm data. |
$HELM_DRIVER | set the backend storage driver. Values are: configmap, secret, memory |
$HELM_NO_PLUGINS | disable plugins. Set HELM_NO_PLUGINS=1 to disable plugins. |
$KUBECONFIG | set an alternative Kubernetes configuration file (default "~/.kube/config") |
2、Helm相关文件存储的默认路径
- cached文件都存在
$XDG_CACHE_HOME/helm
- 配置文件存在
$XDG_CONFIG_HOME/helm
- 数据文件存在
$XDG_DATA_HOME/helm
3、各个操作操作系统的默认配置
操作系统 | Cache文件路径 | 配置文件路径 | 数据文件路径 |
---|---|---|---|
Linux | $HOME/.cache/helm | $HOME/.config/helm | $HOME/.local/share/helm |
macOS | $HOME/Library/Caches/helm | $HOME/Library/Preferences/helm | $HOME/Library/helm |
Windows | %TEMP%\helm | %APPDATA%\helm | %APPDATA%\helm |
4、命令行的命令补全
helm completion zsh
source <(helm completion zsh)
全局通用的命令行参数
--add-dir-header 添加文件路径到Header中
--alsologtostderr log to standard error as well as files
--debug 输出Debug级别的日志
--kube-context string 指定使用哪个kubeconfig context
--kubeconfig string 指定kubeconfig文件路径
--log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log-dir string 指定日志输出到哪个路径下
--log-file string 指定日志输出到哪个文件中
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
-n, --namespace string 指定在哪个K8S命名空间下进行操作
--registry-config string path to the registry config file (default "/Users/curiouser/Library/Preferences/helm/registry.json")
--repository-cache string path to the file containing cached repository indexes (default "/Users/curiouser/Library/Caches/helm/repository")
--repository-config string path to the file containing repository names and URLs (default "/Users/curiouser/Library/Preferences/helm/repositories.yaml")
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level number for the log level verbosity
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
1、远程Charts仓库的管理
添加远程charts仓库
helm repo add 远程仓库别名 https://kubernetes-charts-incubator.storage.googleapis.com/
查看当前所有的远程charts仓库
helm repo list
删除指定的远程charts仓库
helm repo rm/remove 远程仓库别名
查看远程仓库中的所有charts
helm search repo
查看Github中的所有charts
helm search hub
2、Charts的管理
从远程仓库中下载Charts到本地
helm pull 远程仓库别名/chart名 参数项
# 参数项
--ca-file string verify certificates of HTTPS-enabled servers using this CA bundle
--cert-file string identify HTTPS client using this SSL certificate file
-d/--destination string location to write the chart. If this and tardir are specified, tardir is appended to this (default ".")
--devel use development versions, too. Equivalent to version '>0.0.0-0'. If --version is set, this is ignored.
-h/--help help for pull
--key-file string identify HTTPS client using this SSL key file
--keyring string location of public keys used for verification (default "/Users/curiouser/.gnupg/pubring.gpg")
--password string chart repository password where to locate the requested chart
--prov fetch the provenance file, but don't perform verification
--repo string chart repository url where to locate the requested chart
--untar 下载后解压
--untardir string 下载后解压到指定目录(默认是当前路径".")
--username string chart repository username where to locate the requested chart
--verify verify the package before installing it
--version string specify the exact chart version to install. If this is not specified, the latest version is installed
# 支持全局通用参数
命令格式
helm install [NAME] [CHART] [参数项]
# 参数项
--atomic 原子部署。当charts部署失败时,所有操作进行回滚删除。同时如果设置该参数, 一并的"--wait"也会被设置
--ca-file string verify certificates of HTTPS-enabled servers using this CA bundle
--cert-file string identify HTTPS client using this SSL certificate file
--dependency-update 在部署前更新charts依赖
--description string 添加自定义描述
--devel use development versions, too. Equivalent to version '>0.0.0-0'. If --version is set, this is ignored
--disable-openapi-validation if set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema
--dry-run 模拟部署
-g, --generate-name generate the name (and omit the NAME parameter)
-h, --help 显示帮助信息
--key-file string identify HTTPS client using this SSL key file
--keyring string location of public keys used for verification (default "/Users/curiouser/.gnupg/pubring.gpg")
--name-template string specify template used to name the release
--no-hooks prevent hooks from running during install
-o, --output format 指定日志输出的格式(可选项table, json, yaml 默认是table)
--password string 远程chart仓库用户的密码
--post-renderer postrenderer the path to an executable to be used for post rendering. If it exists in $PATH, the binary will be used, otherwise it will try to look for the executable at the given path (default exec)
--render-subchart-notes if set, render subchart notes along with the parent
--replace re-use the given name, only if that name is a deleted release which remains in the history. This is unsafe in production
--repo string 设置远程chart仓库的url
--set stringArray 设置vaules。(覆盖values.yaml中的值可设置多个,以“,”分割。例如
key1=val1,key2=val2)
--set-file stringArray 从文件中读取va luset values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--set-string stringArray set STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--skip-crds if set, no CRDs will be installed. By default, CRDs are installed if not already present
--timeout duration time to wait for any individual Kubernetes operation (like Jobs for hooks) (默认5分0秒)
--username string 远程chart仓库的用户名
-f, --values strings 指定values文件或URL(可设置多个)
--verify verify the package before installing it
--version string specify the exact chart version to install. If this is not specified, the latest version is installed
--wait 设置等待charts涉及的k8s资源变为ready状态的时间才认为部署成功。它的值等 同timeout设置的值例如Pods, PVCs, Services, Deployment的最少POD数, StatefulSet, or ReplicaSet )
# 支持全局通用参数
1、部署远程仓库中的charts到k8s集群
helm install 部署名 远程仓库别名/chart名 参数项
2、部署本地的Charts到k8s集群
helm install 部署名 -f values.yaml .
3、更新charts的部署
helm upgrade charts的部署名 -f values.yaml .
# 参数项
--atomic 原子更新。当charts更新部署失败时,所有操作进行回滚删除。同时如果设置该参
数,一并的"--wait"也会被设置
--ca-file string verify certificates of HTTPS-enabled servers using this CA bundle
--cert-file string identify HTTPS client using this SSL certificate file
--cleanup-on-fail allow deletion of new resources created in this upgrade when upgrade fails
--description string 添加自定义描述
--devel use development versions, too. Equivalent to version '>0.0.0-0'. If --version is set, this is ignored
--dry-run 模拟更新部署
--force force resource updates through a replacement strategy
-h, --help 显示帮助信息
--history-max int limit the maximum number of revisions saved per release. Use 0 for no limit (default 10)
-i, --install 如果指定的chart部署名不存在,就直接安装
--key-file string identify HTTPS client using this SSL key file
--keyring string 指定验证时公钥的路径(默认当前用户路径下的.gnupg/pubring.gpg")
--no-hooks disable pre/post upgrade hooks
-o, --output format 指定日志输出的格式(可选项table, json, yaml 默认是table)
--password string 远程chart仓库用户的密码
--post-renderer postrenderer the path to an executable to be used for post rendering. If it exists in $PATH, the binary will be used, otherwise it will try to look for the executable at the given path (default exec)
--render-subchart-notes if set, render subchart notes along with the parent
--repo string 设置远程chart仓库的url
--reset-values when upgrading, reset the values to the ones built into the chart
--reuse-values when upgrading, reuse the last release's values and merge in any overrides from the command line via --set and -f. If '--reset-values' is specified, this is ignored
--set stringArray 设置vaules。(覆盖values.yaml中的值可设置多个,以“,”分割。例如
key1=val1,key2=val2)
--set-file stringArray set values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--set-string stringArray set STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--timeout duration time to wait for any individual Kubernetes operation (like Jobs for hooks) (默认5分0秒)
--username string 远程chart仓库的用户名
-f, --values strings 指定values文件或URL(可设置多个)
--verify verify the package before installing it
--version string specify the exact chart version to install. If this is not specified, the latest version is installed
--wait 设置等待charts涉及的k8s资源变为ready状态的时间才认为部署成功。它的值等 同timeout设置的值例如Pods, PVCs, Services, Deployment的最少POD数, StatefulSet, or ReplicaSet )
# 支持全局通用参数
4、删除部署charts的资源
默认删除charts涉及的所有资源和charts的发布版本
helm del/uninstall/del/delete/un charts的部署名 参数项
# 参数项
--description string 添加自定义描述
--dry-run 模拟删除
-h, --help 显示帮助信息
--keep-history 删除charts涉及的所有资源,然后标记该charts的发布为删除状态,但保留删除历史
--no-hooks prevent hooks from running during uninstallation
--timeout duration time to wait for any individual Kubernetes operation (like Jobs for hooks) (默认5m0s)
# 支持全局通用参数
1、value文件中的List数组配置映射到命令行 set中
# values.yaml中参数
globalArguments:
- "--api.disabledashboardad=false"
- "--global.checknewversion=false"
- "--global.sendanonymoususage=false"
- "--api.insecure=false"
- "--accesslog=true"
- "--accesslog.fields.names.accesslog"
- "--accesslog.fields.headers.defaultmode=keep"
- "--accesslog.filepath=/data/400-599-reponse-json.log"
- "--accesslog.format=json"
- "--accesslog.filters.statuscodes=400-599"
# 映射为 set参数值
helm upgrade --install traefik-ingress-controller \
--version 24.0.0 \
--namespace kube-system \
--set ports.traefik.hostPort=9000 \
--set deployment.replicas=2 \
--set globalArguments="{"--api.disabledashboardad=false","--global.sendanonymoususage=false","--global.checknewversion=false","--accesslog=true","--accesslog.fields.names.accesslog","--accesslog.fields.headers.defaultmode=keep","--accesslog.filepath=/data/400-599-reponse-json.log","--accesslog.format=json","--accesslog.filters.statuscodes=400-599"}" \
--set service.type=ClusterIP \
--set hostNetwork=true \
traefik/traefik
2、value文件中的对象数组配置映射到命令行 set中
# values.yaml中参数
server:
ingress:
hosts:
- host: chart-example.local
paths: []
# 映射为 set参数值
helm upgrade --install vault
--namespace tools hashicorp/vault \
--set "server.ingress.enabled=true" \
--set "server.ingress.hosts[0].host=vault.test.com"
3、value文件中的完整对象数组配置映射到命令行 set中
extraObjects:
- apiVersion: v1
kind: Service
metadata:
name: traefik-api
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik-default
ports:
- port: 8080
name: traefik
targetPort: 9000
protocol: TCP
- apiVersion: v1
kind: Secret
metadata:
name: traefik-dashboard-auth-secret
type: kubernetes.io/basic-auth
stringData:
username: admin
password: changeme
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-dashboard-auth
spec:
basicAuth:
secret: traefik-dashboard-auth-secret
- apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: traefik-dashboard
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: default-traefik-dashboard-auth@kubernetescrd
helm upgrade --install --atomic traefik-ingress-controller \
--version 24.0.0 \
--namespace kube-system \
--set extraObjects[0].apiVersion=v1 \
--set extraObjects[0].kind=Service \
--set extraObjects[0].metadata.name=traefik-api \
--set extraObjects[0].spec.type=ClusterIP \
--set extraObjects[0].spec.ports[0].port=8080 \
--set extraObjects[0].spec.ports[0].name=traefik \
--set extraObjects[0].spec.ports[0].targetPort=9000 \
--set extraObjects[0].spec.ports[0].protocol=TCP \
--set extraObjects[0].spec.selector."app\.kubernetes\.io\/name"="traefik" \
--set extraObjects[0].spec.selector."app\.kubernetes\.io\/instance"="traefik-default" \
--set extraObjects[1].apiVersion=v1 \
--set extraObjects[1].kind=Secret \
--set extraObjects[1].metadata.name=traefik-dashboard-auth-secret \
--set extraObjects[1].type=kubernetes.io/basic-auth \
--set extraObjects[1].stringData.username=admin \
--set extraObjects[1].stringData.password=changeme \
--set extraObjects[2].apiVersion=traefik.io/v1alpha1 \
--set extraObjects[2].kind=Middleware \
--set extraObjects[2].metadata.name=traefik-dashboard-auth \
--set extraObjects[2].spec.basicAuth.secret=traefik-dashboard-auth-secret \
--set extraObjects[3].apiVersion=networking.k8s.io/v1 \
--set extraObjects[3].kind=Ingress \
--set extraObjects[3].metadata.name=traefik-dashboard \
--set extraObjects[3].spec.rules[0].host=traefik-dashboard.test.com \
--set extraObjects[3].spec.rules[0].http.paths[0].path=/ \
--set extraObjects[3].spec.rules[0].http.paths[0].pathType=Prefix \
--set extraObjects[3].spec.rules[0].http.paths[0].backend.service.name=traefik-api \
--set extraObjects[3].spec.rules[0].http.paths[0].backend.service.port.name=traefik \
--set extraObjects[3].metadata.annotations."traefik\.ingress\.kubernetes\.io\/router\.entrypoints"="websecure" \
--set extraObjects[3].metadata.annotations."traefik\.ingress\.kubernetes\.io\/router\.middlewares"="default-traefik-dashboard-auth@kubernetescrd" \
traefik/traefik
参考:https://stackoverflow.com/questions/59632924/how-to-set-annotations-for-a-helm-install
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论