• Simplifying Kubernetes Application Deployment with the Helm Package Manager


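    Once many applications are deployed in Kubernetes, the YAML files of each one have to be maintained, and that quickly becomes tedious. Helm can take over this work: it is a package manager for Kubernetes that simplifies deploying and managing Kubernetes applications.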

    Deploying the Helm client and server

    Deploy the client

    Download the latest binary from the Helm Releases page on GitHub:

    $ tar -zxvf helm-v2.11.0-linux-amd64.tar.gz
    $ mv linux-amd64/helm /usr/local/bin/helm
    $ helm help

    Deploy the server (Tiller)

    $ helm init --upgrade --tiller-image sapcc/tiller:v2.11.0
    Creating /root/.helm 
    Creating /root/.helm/repository 
    Creating /root/.helm/repository/cache 
    Creating /root/.helm/repository/local 
    Creating /root/.helm/plugins 
    Creating /root/.helm/starters 
    Creating /root/.helm/cache/archive 
    Creating /root/.helm/repository/repositories.yaml 
    Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com 
    Adding local repo with URL: http://127.0.0.1:8879/charts 
    $HELM_HOME has been configured at /root/.helm.
    
    Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
    
    Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
    To prevent this, run `helm init` with the --tiller-tls-verify flag.
    For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
    Happy Helming!

    Note: a synchronized copy of the image is available on DockerHub: https://hub.docker.com/r/sapcc/tiller/

    Verify

    $ kubectl get pod -n kube-system -l app=helm
    NAME                             READY   STATUS    RESTARTS   AGE
    tiller-deploy-69c9dc58bd-jvzkr   1/1     Running   0          3m2s
    $ helm version
    Client: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
    Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}

    Configure RBAC

    $ vi rbac-config.yaml
    
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: tiller
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: tiller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
      - kind: ServiceAccount
        name: tiller
        namespace: kube-system

    Apply it:

    $ kubectl create -f rbac-config.yaml
    serviceaccount/tiller created
    clusterrolebinding.rbac.authorization.k8s.io/tiller created
    $ kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
    deployment.extensions/tiller-deploy patched

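    Note: the binding above gives Tiller cluster-admin, that is, access to the entire cluster. If Tiller does not need cluster-admin access, define a Role and a RoleBinding instead to restrict Tiller to a specific namespace; the official documentation does this with a newly created namespace (https://docs.helm.sh/using_helm/#role-based-access-control).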

    Deploying an application

    Create a chart

    $ helm create helm-test
    Creating helm-test
    
    $ tree
    .
    ├── helm-test
    │   ├── charts
    │   ├── Chart.yaml
    │   ├── templates
    │   │   ├── deployment.yaml
    │   │   ├── _helpers.tpl
    │   │   ├── ingress.yaml
    │   │   ├── NOTES.txt
    │   │   └── service.yaml
    │   └── values.yaml

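    What the files are:

    • The charts directory holds the charts this chart depends on; it is currently empty.
    • Chart.yaml describes the basic information of the chart, such as its name and version.
    • templates is the directory of Kubernetes manifest templates. The templates are rendered with the chart's configured values to produce Kubernetes manifests, and include the deployment, ingress and service objects that the Pod deployment depends on.
    • templates/NOTES.txt is a plain-text file for usage notes about the chart.
    • values.yaml holds the default configuration values of the chart.

    Look at values.yaml (it shows that the chart deploys an Nginx service):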

    # cat values.yaml 
    # Default values for helm-test.
    # This is a YAML-formatted file.
    # Declare variables to be passed into your templates.
    
    replicaCount: 1
    
    image:
      repository: nginx
      tag: stable
      pullPolicy: IfNotPresent
    
    nameOverride: ""
    fullnameOverride: ""
    
    service:
      type: ClusterIP
      port: 80
    
    ingress:
      enabled: false
      annotations: {}
        # kubernetes.io/ingress.class: nginx
        # kubernetes.io/tls-acme: "true"
      path: /
      hosts:
        - chart-example.local
      tls: []
      #  - secretName: chart-example-tls
      #    hosts:
      #      - chart-example.local
    
    resources: {}
      # We usually recommend not to specify default resources and to leave this as a conscious
      # choice for the user. This also increases chances charts run on environments with little
      # resources, such as Minikube. If you do want to specify resources, uncomment the following
      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
      # limits:
      #  cpu: 100m
      #  memory: 128Mi
      # requests:
      #  cpu: 100m
      #  memory: 128Mi
    
    nodeSelector: {}
    
    tolerations: []
    
    affinity: {}

    Deploy the application

    $ helm install ./helm-test
    NAME:   famous-bison
    LAST DEPLOYED: Fri Nov  2 19:50:16 2018
    NAMESPACE: default
    STATUS: DEPLOYED
    
    RESOURCES:
    ==> v1/Service
    NAME                    AGE
    famous-bison-helm-test  0s
    
    ==> v1beta2/Deployment
    famous-bison-helm-test  0s
    
    ==> v1/Pod(related)
    
    NAME                                     READY  STATUS             RESTARTS  AGE
    famous-bison-helm-test-8568b9cb46-969pn  0/1    ContainerCreating  0         0s
    
    
    NOTES:
    1. Get the application URL by running these commands:
      export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=helm-test,app.kubernetes.io/instance=famous-bison" -o jsonpath="{.items[0].metadata.name}")
      echo "Visit http://127.0.0.1:8080 to use your application"
      kubectl port-forward $POD_NAME 8080:80

    Verify

    $ kubectl get pods  --all-namespaces
    NAMESPACE     NAME                                        READY   STATUS    RESTARTS   AGE
    default       musty-shark-helm-test-578886d7b9-sdppq      1/1     Running   0          82s
    $ kubectl get  services  --all-namespaces    
    NAMESPACE     NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)           AGE
    default       kubernetes                ClusterIP   10.96.0.1        <none>        443/TCP           3d3h
    default       musty-shark-helm-test     ClusterIP   10.102.19.244    <none>        80/TCP            2m29s

    Helm commands

    $ helm list
    NAME            REVISION        UPDATED                         STATUS          CHART           APP VERSION     NAMESPACE
    famous-bison    1               Fri Nov  2 19:50:16 2018        DEPLOYED        helm-test-0.1.0 1.0             default  
    $ helm package helm-test
    Successfully packaged chart and saved it to: /opt/helm/helm-test-0.1.0.tgz
    $ helm delete famous-bison
    release "famous-bison" deleted

    Helm repositories

    Helm also has a repository (Repo) feature, which works much like a Docker Registry.

    $ helm repo list
    NAME    URL                                             
    stable  https://kubernetes-charts.storage.googleapis.com
    local   http://127.0.0.1:8879/charts

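    However, this source is likewise blocked, so we can also set up our own repository to manage versions of our custom packages. The helm search command finds the chart we want, and the helm install command installs it.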

    $ helm search redis
    NAME                                    CHART VERSION   APP VERSION     DESCRIPTION                                                 
    stable/prometheus-redis-exporter        0.3.2           0.21.1          Prometheus exporter for Redis metrics                       
    stable/redis                            4.2.6           4.0.11          Open source, advanced key-value store. It is often referr...
    stable/redis-ha                         3.0.0           4.0.11          Highly available Kubernetes implementation of Redis         
    stable/sensu                            0.2.3           0.28            Sensu monitoring framework backed by the Redis transport

    Install

    $ helm install stable/redis

    Note:

    Synchronized mirror of the official charts

    References:
    https://docs.helm.sh/using_helm/
    https://github.com/helm/helm
    https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
    https://docs.helm.sh/using_helm/#using-ssl-between-helm-and-tiller
    https://medium.com/virtuslab/think-twice-before-using-helm-25fbb18bc822
    Frankly, think twice before using Helm
    https://mp.weixin.qq.com/s?__biz=MzIzNjUxMzk2NQ==&mid=2247490052&idx=1&sn=197ae17ce1156e19a279f7695361c532&chksm=e8d7e5c6dfa06cd0d3d8e6b591ad6149ed4e76a096679497f8b40a627ecff7c37af006887587

  • Original article: https://www.cnblogs.com/Irving/p/9898033.html