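How to Deploy Spinnaker, an Application Management and Release System, on Alibaba Cloud Container Service (ACK)
Spinnaker is an open-source, multi-cloud continuous delivery platform that helps you manage applications and deliver them quickly.
Spinnaker's two main functions are application management and application delivery.
Applications, clusters, and server groups are key concepts in Spinnaker; load balancers and firewalls describe how your services are exposed to users:
Application deployment and deployment strategies:
Steps to deploy Spinnaker on ACK:
(1) Create an ACK cluster
(2) Create the Kubernetes resources Spinnaker needs
(3) Configure the Spinnaker installation files
(4) Deploy and access Spinnaker
1. Create the cluster
2. Create the Kubernetes resources Spinnaker needs
2.1 Create the Namespace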
$ kubectl create ns spinnaker
2.2 Create the ServiceAccount and ClusterRoleBinding resources that Halyard uses to deploy Spinnaker
Contents of rbac.yaml:
```yaml
# Service account that the Halyard pod runs as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: spinnaker
---
# Binds that service account to the built-in cluster-admin ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- namespace: spinnaker
  kind: ServiceAccount
  name: spinnaker-service-account
```
Run the following command to create the resources:
$ kubectl create -f rbac.yaml
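3. Configure the Spinnaker installation files
Spinnaker's configuration and deployment are managed with the Halyard tool.
3.1 Deploy Halyard
Contents of hal-deployment.yaml:
```yaml
# apps/v1 replaces extensions/v1beta1, which Kubernetes 1.16 and later
# no longer serve for Deployments
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hal
  name: hal
  namespace: spinnaker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hal
  template:
    metadata:
      labels:
        app: hal
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/halyard:stable
        name: halyard
      # The pod runs as the service account created in rbac.yaml
      serviceAccount: spinnaker-service-account
      serviceAccountName: spinnaker-service-account
```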
Run the following command to create the resources:
$ kubectl create -f hal-deployment.yaml
Check that the pod is running:
$ kubectl -n spinnaker get po
NAME READY STATUS RESTARTS AGE
hal-77b4cf787f-p25h5 1/1 Running 0 9m54s
3.2 Configure the cloud provider
- exec into the hal pod:
$ kubectl -n spinnaker exec -it hal-77b4cf787f-p25h5 -- bash
- Copy the kubeconfig file to ~/.kube/config
- Enable the Kubernetes provider:
$ hal config provider kubernetes enable
+ Get current deployment
Success
+ Edit the kubernetes provider
Success
Problems in default.provider.kubernetes:
- WARNING Provider kubernetes is enabled, but no accounts have been
configured.
+ Successfully enabled kubernetes
- Add a Spinnaker account:
$ CONTEXT=$(kubectl config current-context)
$ hal config provider kubernetes account add my-k8s-v2-account \
--provider-version v2 \
--context $CONTEXT
+ Get current deployment
Success
+ Add the my-k8s-v2-account account
Success
+ Successfully added account my-k8s-v2-account for provider
kubernetes.
$ hal config features edit --artifacts true
+ Get current deployment
Success
+ Get features
Success
+ Edit features
Success
+ Successfully updated features.
3.3 Choose the Spinnaker deployment environment
Run the following commands:
$ ACCOUNT=my-k8s-v2-account
$ hal config deploy edit --type distributed --account-name $ACCOUNT
+ Get current deployment
Success
+ Get the deployment environment
Success
+ Edit the deployment environment
Success
+ Successfully updated your deployment environment.
3.4 Configure storage
Spinnaker needs a secure, reliable external storage service to persist your application settings and configured pipelines. This data is sensitive and costly to recover if lost. For this example we set up a temporary Minio service.
- Deploy Minio
Contents of minio-deployment.yaml:
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: minio
---
# apps/v1 (apps/v1beta1 is no longer served) requires an explicit selector
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: minio
  name: minio
  labels:
    component: minio
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      component: minio
  template:
    metadata:
      labels:
        component: minio
    spec:
      volumes:
      - name: storage
        emptyDir: {}
      - name: config
        emptyDir: {}
      containers:
      - name: minio
        image: minio/minio:latest
        imagePullPolicy: IfNotPresent
        args:
        - server
        - /storage
        - --config-dir=/config
        env:
        - name: MINIO_ACCESS_KEY
          value: "<your MINIO_ACCESS_KEY>"
        - name: MINIO_SECRET_KEY
          value: "<your MINIO_SECRET_KEY>"
        ports:
        - containerPort: 9000
        volumeMounts:
        - name: storage
          mountPath: "/storage"
        - name: config
          mountPath: "/config"
---
apiVersion: v1
kind: Service
metadata:
  namespace: minio
  name: minio
  labels:
    component: minio
spec:
  # ClusterIP is recommended for production environments.
  # Change to NodePort if needed per documentation,
  # but only if you run Minio in a test/trial environment, for example with Minikube.
  type: LoadBalancer
  ports:
  - port: 9000
    targetPort: 9000
    protocol: TCP
  selector:
    component: minio
```
Set the values of MINIO_ACCESS_KEY and MINIO_SECRET_KEY, then deploy Minio:
$ kubectl create -f minio-deployment.yaml
Check the pod status and the service port:
$ kubectl -n minio get po
NAME READY STATUS RESTARTS AGE
minio-59fd966974-nn5ns 1/1 Running 0 12m
[root@iZbp184d18xuqpwxs9tat3Z minio]# kubectl -n minio get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
minio LoadBalancer 172.27.12.130 xxx.xx.xxx.xx 9000:30771/TCP 12m
Create a job that creates the bucket and path in Minio:
Contents of job.yaml:
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  namespace: minio
  name: minio-setup
  labels:
    component: minio
spec:
  template:
    metadata:
      name: minio-setup
    spec:
      restartPolicy: OnFailure
      volumes:
      - name: config
        emptyDir: {}
      containers:
      - name: mc
        image: minio/mc:latest
        imagePullPolicy: IfNotPresent
        command:
        - /bin/sh
        - -c
        # Registers the Minio endpoint as host "spinnaker", then creates the spinnaker bucket
        - "mc --config-dir=/config config host add spinnaker http://xxx.xx.xxx.xx:9000 MINIO_ACCESS_KEY MINIO_SECRET_KEY && mc --config-dir=/config mb -p spinnaker/spinnaker"
        volumeMounts:
        - name: config
          mountPath: "/config"
```
Record ENDPOINT, MINIO_ACCESS_KEY and MINIO_SECRET_KEY; they are used below.
- Edit and configure the storage settings
Continue with the following steps inside the hal pod:
$ mkdir -p ~/.hal/default/profiles
$ echo "spinnaker.s3.versioning: false" >> ~/.hal/default/profiles/front50-local.yml
$ ENDPOINT=http://xxx.xx.xxx.xx:9000
$ MINIO_ACCESS_KEY=<your key>
$ MINIO_SECRET_KEY=<your secret>
$ echo $MINIO_SECRET_KEY | hal config storage s3 edit --endpoint $ENDPOINT \
--path-style-access true \
--bucket spinnaker \
--root-folder spinnaker \
--access-key-id $MINIO_ACCESS_KEY \
--secret-access-key
+ Get current deployment
Success
+ Get persistent store
Success
+ Edit persistent store
Success
+ Successfully edited persistent store "s3".
$ hal config storage edit --type s3
+ Get current deployment
Success
+ Get persistent storage settings
Success
+ Edit persistent storage settings
Success
+ Successfully edited persistent storage.
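4. Deploy Spinnaker and access the service
- List the versions and choose one
Note: this step fetches a versions.yml file from Google Cloud; you will need to sort out network access to it yourself.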
$ hal version list
+ Get current deployment
Success
+ Get Spinnaker version
Success
+ Get released versions
Success
+ You are on version "", and the following are available:
- 1.13.12 (BirdBox):
Changelog: https://gist.github.com/spinnaker-release/9ee98b0cbed65e334cd498bc31676295
Published: Mon Jul 29 18:18:59 UTC 2019
(Requires Halyard >= 1.17)
- 1.14.15 (LoveDeathAndRobots):
Changelog: https://gist.github.com/spinnaker-release/52b1de1551a8830a8945b3c49ef66fe3
Published: Mon Sep 16 18:09:49 UTC 2019
(Requires Halyard >= 1.17)
- 1.15.2 (ExtremelyWickedShockinglyEvilAndVile):
Changelog: https://gist.github.com/spinnaker-release/e72cc8015d544738d07d57a183cb5404
Published: Mon Aug 12 20:48:52 UTC 2019
(Requires Halyard >= 1.17)
- 1.15.4 (ExtremelyWickedShockinglyEvilAndVile):
Changelog: https://gist.github.com/spinnaker-release/2229c2172952e9a485d68788bd4560b0
Published: Tue Sep 17 17:35:54 UTC 2019
(Requires Halyard >= 1.17)
- 1.16.1 (SecretObsession):
Changelog: https://gist.github.com/spinnaker-release/21ff4522a9e46ba5f27c52f67da88dc9
Published: Tue Sep 17 17:48:07 UTC 2019
(Requires Halyard >= 1.17)
- Select version 1.16.1:
$ hal config version edit --version 1.16.1
+ Get current deployment
Success
+ Edit Spinnaker version
Success
+ Spinnaker has been configured to update/install version "1.16.1".
Deploy this version of Spinnaker with `hal deploy apply`.
- Deploy Spinnaker
$ hal deploy apply
+ Get current deployment
Success
+ Prep deployment
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Preparation complete... deploying Spinnaker
+ Get current deployment
Success
+ Apply deployment
Success
+ Deploy spin-redis
Success
+ Deploy spin-clouddriver
Success
+ Deploy spin-front50
Success
+ Deploy spin-orca
Success
+ Deploy spin-deck
Success
+ Deploy spin-echo
Success
+ Deploy spin-gate
Success
+ Deploy spin-rosco
Success
+ Run `hal deploy connect` to connect to Spinnaker.
- Check the status of the Spinnaker pods:
$ kubectl -n spinnaker get po
NAME READY STATUS RESTARTS AGE
hal-77b4cf787f-xlr5g 1/1 Running 0 18m
spin-clouddriver-66bf54c684-6ns9b 1/1 Running 0 7m49s
spin-deck-cd6489797-7fqzj 1/1 Running 0 7m52s
spin-echo-85cd9fb85c-dzkrz 1/1 Running 0 7m54s
spin-front50-6c57c79995-7d5sj 1/1 Running 0 7m46s
spin-gate-5dc9b977c6-5kl8d 1/1 Running 0 7m51s
spin-orca-dfdbdf448-gp8s2 1/1 Running 0 7m47s
spin-redis-7bff9789b6-lmpb4 1/1 Running 0 7m50s
spin-rosco-666d4889c8-vh7p5 1/1 Running 0 7m47s
$ kubectl -n spinnaker get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
spin-clouddriver ClusterIP 172.21.1.183 <none> 7002/TCP 13m
spin-deck ClusterIP 172.21.6.203 <none> 9000/TCP 13m
spin-echo ClusterIP 172.21.10.119 <none> 8089/TCP 13m
spin-front50 ClusterIP 172.21.13.128 <none> 8080/TCP 13m
spin-gate ClusterIP 172.21.6.130 <none> 8084/TCP 13m
spin-orca ClusterIP 172.21.4.37 <none> 8083/TCP 13m
spin-redis ClusterIP 172.21.9.201 <none> 6379/TCP 13m
spin-rosco ClusterIP 172.21.11.27 <none> 8087/TCP 13m
- Access the Spinnaker service
Change the spin-deck Service, which serves the UI, to type: LoadBalancer:
$ kubectl -n spinnaker edit svc spin-deck
$ kubectl -n spinnaker get svc |grep spin-deck
spin-deck LoadBalancer 172.21.6.203 xxx.xx.xx.xx 9000:30680/TCP 16m
- In the hal pod, configure the UI for external access
$ hal config security ui edit --override-base-url http://xxx.xx.xx.xx:9000
+ Get current deployment
Success
+ Get UI security settings
Success
+ Edit UI security settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully updated UI security settings.
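Open the Spinnaker UI in a browser at http://xxx.xx.xx.xx:9000
Note: Spinnaker has no user management module of its own. For production use, you need to integrate it with your own authentication system; see [Spinnaker Authentication](https://www.spinnaker.io/setup/security/authentication/)
- If the Spinnaker API needs to be reachable externally, do the following
Change the spin-gate Service to type: LoadBalancer
Make the API externally accessible: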
$ hal config security api edit --override-base-url http://xx.xx.xxx.xx:8084
+ Get current deployment
Success
+ Get API security settings
Success
+ Edit API security settings
Success
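An added example, not part of the original article: a Python check over `kubectl get ... -o json` style output that flags the settings this walkthrough uses for convenience, namely a service account bound to cluster-admin (2.2), credentials written inline in a manifest and `latest` image tags (3.4), and Services exposed as LoadBalancer or NodePort. The JSON is constructed to mirror the page's manifests; the rule names and the `minio-creds` Secret name are assumptions.

```python
import json

# Constructed sample shaped like the List that `kubectl get <kinds> -o json`
# returns; it mirrors this page's manifests and is not from a real cluster.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "spinnaker-role-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "spinnaker",
                "name": "spinnaker-service-account"}]},
 {"kind": "Service", "metadata": {"namespace": "minio", "name": "minio"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 9000}]}},
 {"kind": "Service", "metadata": {"namespace": "spinnaker", "name": "spin-gate"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 8084}]}},
 {"kind": "Deployment", "metadata": {"namespace": "minio", "name": "minio"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "minio", "image": "minio/minio:latest", "env": [
      {"name": "MINIO_ACCESS_KEY", "value": "constructed-key"},
      {"name": "MINIO_SECRET_KEY",
       "valueFrom": {"secretKeyRef": {"name": "minio-creds", "key": "secret"}}}]}]}}}}
]}
""")

SENSITIVE = ("KEY", "SECRET", "PASSWORD", "TOKEN")  # env-name hints (assumption)

def audit(doc):
    """Return sorted (rule, object) findings for the settings described above."""
    findings = []
    for obj in doc.get("items", []):
        kind, meta = obj.get("kind"), obj.get("metadata", {})
        ref = f'{meta.get("namespace", "-")}/{meta.get("name")}'
        if kind == "ClusterRoleBinding" and obj["roleRef"]["name"] == "cluster-admin":
            for s in obj.get("subjects") or []:
                if s.get("kind") == "ServiceAccount":
                    findings.append(("cluster-admin-sa", f'{s.get("namespace")}/{s["name"]}'))
        elif kind == "Service" and obj["spec"].get("type") in ("LoadBalancer", "NodePort"):
            findings.append(("external-service", ref))
        elif kind == "Deployment":
            for c in obj["spec"]["template"]["spec"].get("containers", []):
                # Flag mutable "latest" tags and images with no tag at all
                if c["image"].endswith(":latest") or ":" not in c["image"].split("/")[-1]:
                    findings.append(("unpinned-image", f'{ref}:{c["name"]}'))
                for e in c.get("env", []):
                    # A literal "value" (rather than valueFrom) on a secret-looking name
                    if "value" in e and any(t in e["name"].upper() for t in SENSITIVE):
                        findings.append(("inline-secret", f'{ref}:{e["name"]}'))
    return sorted(findings)

if __name__ == "__main__":
    for rule, target in audit(SAMPLE):
        print(f"{rule:18} {target}")
```

To run it against a cluster, replace SAMPLE with the parsed output of `kubectl get clusterrolebindings,services,deployments -A -o json`.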
5. Other
In later posts we will cover how to use Spinnaker to manage and deliver applications.
References:
https://www.spinnaker.io/setup/install/
https://www.mirantis.com/blog/how-to-deploy-spinnaker-on-kubernetes-a-quick-and-dirty-guide/
This article is original content from the Yunqi Community; without