
How to Deploy the Spinnaker Application Management/Release System on Alibaba Cloud Container Service (ACK)

Original author: 流生

Original link:

https://developer.aliyun.com/article/719211?spm=a2c6h.12873581.0.0.6f7c115e50nLX7&groupCode=cloudnative

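Spinnaker is an open-source, multi-cloud continuous delivery platform that helps you manage applications conveniently and deliver them quickly.

Spinnaker's two main functions are:

  • Application management
  • Application delivery

Applications, clusters, and server groups are key concepts in Spinnaker; load balancers and firewalls describe how your services are exposed to users:

[Figure omitted]

Application deployment and deployment strategies:

[Figures omitted]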

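Steps to deploy Spinnaker on ACK:

(1) Create an ACK cluster

(2) Create the Kubernetes resources Spinnaker needs

(3) Configure the Spinnaker installation files

(4) Deploy and access Spinnaker

1. Create the cluster

See: Creating an Alibaba Cloud Container Service (ACK) cluster

2. Create the Kubernetes resources Spinnaker needs

2.1 Create the Namespace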

$ kubectl create ns spinnaker           

2.2 Create the ServiceAccount and ClusterRoleBinding resources that Halyard uses to deploy Spinnaker

Contents of rbac.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: spinnaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- namespace: spinnaker
  kind: ServiceAccount
  name: spinnaker-service-account           

Run the following command to create the resources:

$ kubectl create -f rbac.yaml           
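
A narrower alternative to the cluster-admin binding above, as an added example that is not part of the original article: a namespaced RoleBinding to the built-in admin ClusterRole confines the service account to the spinnaker namespace. It assumes everything created through this service account lives in that namespace; the Spinnaker account added in section 3.2 uses the copied kubeconfig context, whose permissions are separate.

```yaml
# Added example, not from the original article.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: spinnaker
---
# RoleBinding (namespaced) instead of ClusterRoleBinding: the built-in
# "admin" ClusterRole is granted only inside the spinnaker namespace,
# so a compromised hal pod cannot read Secrets or change workloads
# in other namespaces through this service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinnaker-role-binding
  namespace: spinnaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: spinnaker-service-account
  namespace: spinnaker
```

To review what the service account can do, run `kubectl auth can-i --list --as=system:serviceaccount:spinnaker:spinnaker-service-account -n spinnaker` and repeat it with `-n default` to confirm the rights stop at the namespace boundary.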

3. Configure the Spinnaker installation files

Spinnaker's configuration and deployment are managed with the Halyard tool.

3.1 Deploy Halyard

Contents of hal-deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hal
  name: hal
  namespace: spinnaker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hal
  template:
    metadata:
      labels:
        app: hal
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/haoshuwei24/halyard:stable
        name: halyard
      serviceAccount: spinnaker-service-account
      serviceAccountName: spinnaker-service-account

$ kubectl create -f hal-deployment.yaml

Check that the pod is running:

$ kubectl -n spinnaker get po
NAME                   READY   STATUS    RESTARTS   AGE
hal-77b4cf787f-p25h5   1/1     Running   0          9m54s           

3.2 Configure the cloud provider

  • Exec into the hal pod:
$ kubectl -n spinnaker exec -it hal-77b4cf787f-p25h5 -- bash
  • Copy the kubeconfig file to ~/.kube/config
  • Enable the Kubernetes provider:
$ hal config provider kubernetes enable
+ Get current deployment
  Success
+ Edit the kubernetes provider
  Success
Problems in default.provider.kubernetes:
- WARNING Provider kubernetes is enabled, but no accounts have been
  configured.
+ Successfully enabled kubernetes           
  • Add a Spinnaker account:
$ CONTEXT=$(kubectl config current-context)
$ hal config provider kubernetes account add my-k8s-v2-account \
    --provider-version v2 \
    --context $CONTEXT
+ Get current deployment
  Success
+ Add the my-k8s-v2-account account
  Success
+ Successfully added account my-k8s-v2-account for provider
  kubernetes.
$ hal config features edit --artifacts true
+ Get current deployment
  Success
+ Get features
  Success
+ Edit features
  Success
+ Successfully updated features.           

3.3 Choose the Spinnaker deployment environment

Run the following commands:

$ ACCOUNT=my-k8s-v2-account
$ hal config deploy edit --type distributed --account-name $ACCOUNT
+ Get current deployment
  Success
+ Get the deployment environment
  Success
+ Edit the deployment environment
  Success
+ Successfully updated your deployment environment.           

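3.4 Configure storage

Spinnaker needs an external, secure, and reliable storage service to persist your application settings and configured pipelines. This data is sensitive, and recovering it after a loss is costly. For this example we temporarily set up a Minio service.

  • Deploy Minio

    Contents of minio-deployment.yaml: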

---
apiVersion: v1
kind: Namespace
metadata:
  name: minio
---
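apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: minio
  name: minio
  labels:
    component: minio
spec:
  # apps/v1 requires an explicit selector that matches the pod template labels
  selector:
    matchLabels:
      component: minio
  strategy:
    type: Recreate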
  template:
    metadata:
      labels:
        component: minio
    spec:
      volumes:
      - name: storage
        emptyDir: {}
      - name: config
        emptyDir: {}
      containers:
      - name: minio
        image: minio/minio:latest
        imagePullPolicy: IfNotPresent
        args:
        - server
        - /storage
        - --config-dir=/config
        env:
        - name: MINIO_ACCESS_KEY
          value: "<your MINIO_ACCESS_KEY>"
        - name: MINIO_SECRET_KEY
          value: "<your MINIO_SECRET_KEY>"
        ports:
        - containerPort: 9000
        volumeMounts:
        - name: storage
          mountPath: "/storage"
        - name: config
          mountPath: "/config"
---
apiVersion: v1
kind: Service
metadata:
  namespace: minio
  name: minio
  labels:
    component: minio
spec:
  # ClusterIP is recommended for production environments.
  # Change to NodePort if needed per documentation,
  # but only if you run Minio in a test/trial environment, for example with Minikube.
  type: LoadBalancer
  ports:
    - port: 9000
      targetPort: 9000
      protocol: TCP
  selector:
    component: minio           

Set the values of MINIO_ACCESS_KEY and MINIO_SECRET_KEY, then deploy Minio:

$ kubectl create -f minio-deployment.yaml           

Check the pod status and the service port:

$ kubectl -n minio get po
NAME                     READY   STATUS    RESTARTS   AGE
minio-59fd966974-nn5ns   1/1     Running   0          12m
$ kubectl -n minio get svc
NAME    TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)          AGE
minio   LoadBalancer   172.27.12.130   xxx.xx.xxx.xx   9000:30771/TCP   12m           
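
A hardened variant of the Minio manifest above, as an added example that is not part of the original article: the keys move into a Kubernetes Secret referenced with secretKeyRef, and the Service stays ClusterIP, as the manifest's own comment recommends for production. The Secret name minio-credentials and its key names are assumptions; the key values are placeholders.

```yaml
# Added example, not from the original article.
# Assumed name: Secret "minio-credentials" (keys accesskey / secretkey).
apiVersion: v1
kind: Secret
metadata: {namespace: minio, name: minio-credentials}
type: Opaque
stringData:
  accesskey: "<your MINIO_ACCESS_KEY>"
  secretkey: "<your MINIO_SECRET_KEY>"
---
apiVersion: apps/v1
kind: Deployment
metadata: {namespace: minio, name: minio, labels: {component: minio}}
spec:
  selector: {matchLabels: {component: minio}}
  strategy: {type: Recreate}
  template:
    metadata: {labels: {component: minio}}
    spec:
      volumes:
      - {name: storage, emptyDir: {}}
      - {name: config, emptyDir: {}}
      containers:
      - name: minio
        image: minio/minio:latest
        args: [server, /storage, "--config-dir=/config"]
        env:
        # Keys are read from the Secret, so they no longer appear in the
        # Deployment spec or in `kubectl get deploy -o yaml` output.
        - name: MINIO_ACCESS_KEY
          valueFrom: {secretKeyRef: {name: minio-credentials, key: accesskey}}
        - name: MINIO_SECRET_KEY
          valueFrom: {secretKeyRef: {name: minio-credentials, key: secretkey}}
        ports:
        - containerPort: 9000
        volumeMounts:
        - {name: storage, mountPath: /storage}
        - {name: config, mountPath: /config}
---
apiVersion: v1
kind: Service
metadata: {namespace: minio, name: minio, labels: {component: minio}}
spec:
  type: ClusterIP   # reachable only from inside the cluster
  ports:
  - {port: 9000, targetPort: 9000, protocol: TCP}
  selector: {component: minio}
```

With a ClusterIP Service, the endpoint used in the later steps becomes the in-cluster DNS name, http://minio.minio:9000 under default cluster DNS, instead of an external IP address.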

Create a Job that creates the bucket and path in Minio:

Contents of job.yaml:

apiVersion: batch/v1
kind: Job
metadata:
  namespace: minio
  name: minio-setup
  labels:
    component: minio
spec:
  template:
    metadata:
      name: minio-setup
    spec:
      restartPolicy: OnFailure
      volumes:
      - name: config
        emptyDir: {}
      containers:
      - name: mc
        image: minio/mc:latest
        imagePullPolicy: IfNotPresent
        command:
        - /bin/sh
        - -c
        - "mc --config-dir=/config config host add spinnaker http://xxx.xx.xxx.xx:9000 MINIO_ACCESS_KEY MINIO_SECRET_KEY && mc --config-dir=/config mb -p spinnaker/spinnaker"
        volumeMounts:
        - name: config
          mountPath: "/config"           

Record ENDPOINT, MINIO_ACCESS_KEY, and MINIO_SECRET_KEY; they are used below.

  • Edit and configure the storage settings

    Continue with the following steps inside the hal pod:

$ mkdir -p ~/.hal/default/profiles
$ echo "spinnaker.s3.versioning: false" >> ~/.hal/default/profiles/front50-local.yml
$ ENDPOINT=http://xxx.xx.xxx.xx:9000
$ MINIO_ACCESS_KEY=<your key>
$ MINIO_SECRET_KEY=<your secret>
$ echo $MINIO_SECRET_KEY | hal config storage s3 edit --endpoint $ENDPOINT \
    --path-style-access true \
    --bucket spinnaker \
    --root-folder spinnaker \
    --access-key-id $MINIO_ACCESS_KEY \
    --secret-access-key
+ Get current deployment
  Success
+ Get persistent store
  Success
+ Edit persistent store
  Success
+ Successfully edited persistent store "s3".
$ hal config storage edit --type s3
+ Get current deployment
  Success
+ Get persistent storage settings
  Success
+ Edit persistent storage settings
  Success
+ Successfully edited persistent storage.           

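4. Deploy Spinnaker and access the service

  • List the available versions and choose one

    Note: this step fetches a versions.yml file from Google Cloud; resolve any network access issues yourself.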

$ hal version list
+ Get current deployment
  Success
+ Get Spinnaker version
  Success
+ Get released versions
  Success
+ You are on version "", and the following are available:
 - 1.13.12 (BirdBox):
   Changelog: https://gist.github.com/spinnaker-release/9ee98b0cbed65e334cd498bc31676295
   Published: Mon Jul 29 18:18:59 UTC 2019
   (Requires Halyard >= 1.17)
 - 1.14.15 (LoveDeathAndRobots):
   Changelog: https://gist.github.com/spinnaker-release/52b1de1551a8830a8945b3c49ef66fe3
   Published: Mon Sep 16 18:09:49 UTC 2019
   (Requires Halyard >= 1.17)
 - 1.15.2 (ExtremelyWickedShockinglyEvilAndVile):
   Changelog: https://gist.github.com/spinnaker-release/e72cc8015d544738d07d57a183cb5404
   Published: Mon Aug 12 20:48:52 UTC 2019
   (Requires Halyard >= 1.17)
 - 1.15.4 (ExtremelyWickedShockinglyEvilAndVile):
   Changelog: https://gist.github.com/spinnaker-release/2229c2172952e9a485d68788bd4560b0
   Published: Tue Sep 17 17:35:54 UTC 2019
   (Requires Halyard >= 1.17)
 - 1.16.1 (SecretObsession):
   Changelog: https://gist.github.com/spinnaker-release/21ff4522a9e46ba5f27c52f67da88dc9
   Published: Tue Sep 17 17:48:07 UTC 2019
   (Requires Halyard >= 1.17)           
  • Choose version 1.16.1:
$ hal config version edit --version 1.16.1
+ Get current deployment
  Success
+ Edit Spinnaker version
  Success
+ Spinnaker has been configured to update/install version "1.16.1".
  Deploy this version of Spinnaker with `hal deploy apply`.           
  • Deploy Spinnaker:
$ hal deploy apply
+ Get current deployment
  Success
+ Prep deployment
  Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
  set even though your Spinnaker deployment is a Distributed deployment on a
  remote cloud provider. As a result, you will need to open SSH tunnels against
  that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
  mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
  securely, and then register the intended Domain and IP addresses that your
  publicly facing services will be using.
+ Preparation complete... deploying Spinnaker
+ Get current deployment
  Success
+ Apply deployment
  Success
+ Deploy spin-redis
  Success
+ Deploy spin-clouddriver
  Success
+ Deploy spin-front50
  Success
+ Deploy spin-orca
  Success
+ Deploy spin-deck
  Success
+ Deploy spin-echo
  Success
+ Deploy spin-gate
  Success
+ Deploy spin-rosco
  Success
+ Run `hal deploy connect` to connect to Spinnaker.           
  • Check the status of the Spinnaker pods:
$ kubectl -n spinnaker get po
NAME                                READY   STATUS    RESTARTS   AGE
hal-77b4cf787f-xlr5g                1/1     Running   0          18m
spin-clouddriver-66bf54c684-6ns9b   1/1     Running   0          7m49s
spin-deck-cd6489797-7fqzj           1/1     Running   0          7m52s
spin-echo-85cd9fb85c-dzkrz          1/1     Running   0          7m54s
spin-front50-6c57c79995-7d5sj       1/1     Running   0          7m46s
spin-gate-5dc9b977c6-5kl8d          1/1     Running   0          7m51s
spin-orca-dfdbdf448-gp8s2           1/1     Running   0          7m47s
spin-redis-7bff9789b6-lmpb4         1/1     Running   0          7m50s
spin-rosco-666d4889c8-vh7p5         1/1     Running   0          7m47s           
$ kubectl -n spinnaker get svc
NAME               TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)          AGE
spin-clouddriver   ClusterIP      172.21.1.183    <none>          7002/TCP         13m
spin-deck          ClusterIP      172.21.6.203    <none>          9000/TCP         13m
spin-echo          ClusterIP      172.21.10.119   <none>          8089/TCP         13m
spin-front50       ClusterIP      172.21.13.128   <none>          8080/TCP         13m
spin-gate          ClusterIP      172.21.6.130    <none>          8084/TCP         13m
spin-orca          ClusterIP      172.21.4.37     <none>          8083/TCP         13m
spin-redis         ClusterIP      172.21.9.201    <none>          6379/TCP         13m
spin-rosco         ClusterIP      172.21.11.27    <none>          8087/TCP         13m           
  • Access the Spinnaker service

    Change the spin-deck Service, which serves the UI, to type: LoadBalancer:

$ kubectl -n spinnaker edit svc spin-deck

$ kubectl -n spinnaker get svc |grep spin-deck
spin-deck          LoadBalancer   172.21.6.203    xxx.xx.xx.xx   9000:30680/TCP   16m           
  • In the hal pod, configure the UI for external access:
$ hal config security ui edit --override-base-url http://xxx.xx.xx.xx:9000
+ Get current deployment
  Success
+ Get UI security settings
  Success
+ Edit UI security settings
  Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
  set even though your Spinnaker deployment is a Distributed deployment on a
  remote cloud provider. As a result, you will need to open SSH tunnels against
  that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
  mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
  securely, and then register the intended Domain and IP addresses that your
  publicly facing services will be using.
+ Successfully updated UI security settings.           

Open the Spinnaker UI in a browser:

http://xxx.xx.xx.xx:9000

Note: Spinnaker itself has no user management module. For production use you need to integrate it with your own authentication system; see [Spinnaker Authentication](https://www.spinnaker.io/setup/security/authentication/).

  • To access the Spinnaker API externally, do the following:

    Change the spin-gate Service to type: LoadBalancer.

Make the API externally accessible:

$ hal config security api edit --override-base-url http://xx.xx.xxx.xx:8084
+ Get current deployment
  Success
+ Get API security settings
  Success
+ Edit API security settings
  Success           

5. Other

In follow-up articles we will cover how to use Spinnaker to manage and deliver applications.

References:

https://www.spinnaker.io/setup/install/
https://www.mirantis.com/blog/how-to-deploy-spinnaker-on-kubernetes-a-quick-and-dirty-guide/