Kubernetes部署Jumpserver3.x
环境配置
Jumpserver版本:3.4.3
MySQL版本:8.0(下文 mysql.yaml 中的镜像标签为 8.0.21,但后面交互会话里实际连接到的实例显示为 8.0.33,请以实际运行版本为准,并尽量固定到当前的 8.0.x 补丁版本)
Redis版本:5.0.8
Kubernetes版本:1.20.0
详情可参考Jumpserver官方文档,本文是从2.3.0升级至3.4.3,具体升级可参考Jumpserver官网文档
部署服务
部署MySQL
[root@k8s01 jumpserver]# cat mysql.yaml
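---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
  namespace: tools-env
  labels:
    app: mysql
data:
  # Mounted with subPath at /etc/mysql/conf.d/my.cnf, so it is read by mysqld and by the
  # mysql/mysqladmin clients run inside the container (the [client] group below).
  # MySQL option files honour "#" comments, including trailing ones.
  my.cnf: |-
    [mysqld]
    port = 3306
    datadir = /var/lib/mysql
    socket = /var/lib/mysql/mysql.sock
    pid-file = /var/run/mysqld/mysqld.pid
    # Only has an effect when slow_query_log is enabled, which it is not here.
    log_queries_not_using_indexes = 1
    # Listen on the pod IP. Reachability is decided by the Service type and network
    # policy, not by this setting.
    bind-address = 0.0.0.0
    # No reverse DNS on connect: faster, and grants are matched on IP / '%' only.
    skip-name-resolve
    back_log = 600
    # 1000 sessions times the per-session buffers below (sort/join/read_rnd 8M each)
    # can far exceed the 512Mi container limit under load; size this against the limit.
    max_connections = 1000
    max_connect_errors = 6000
    # Must be chosen before the data directory is initialised; 8.0 refuses to start
    # if it is changed afterwards.
    lower_case_table_names = 1
    open_files_limit = 65535
    table_open_cache = 128
    max_allowed_packet = 4M
    binlog_cache_size = 1M
    max_heap_table_size = 8M
    tmp_table_size = 16M
    read_buffer_size = 2M
    read_rnd_buffer_size = 8M
    sort_buffer_size = 8M
    join_buffer_size = 8M
    thread_cache_size = 8
    key_buffer_size = 4M
    ft_min_word_len = 4
    transaction_isolation = REPEATABLE-READ
    # Binary logging on; 8.0 purges binlogs after binlog_expire_logs_seconds (default
    # 30 days), so they occupy space on the 50Gi volume until then.
    log_bin = mysql-bin
    binlog_format = mixed
    performance_schema = 0
    explicit_defaults_for_timestamp
    innodb_file_per_table = 1
    innodb_open_files = 500
    innodb_buffer_pool_size = 64M
    innodb_write_io_threads = 4
    innodb_read_io_threads = 4
    innodb_thread_concurrency = 0
    innodb_purge_threads = 1
    # 2 = flush the redo log once a second instead of at every commit: faster, but up
    # to ~1s of committed transactions can be lost on an OS/node crash. Use 1 for full
    # durability.
    innodb_flush_log_at_trx_commit = 2
    innodb_log_buffer_size = 2M
    innodb_log_file_size = 32M
    innodb_log_files_in_group = 3
    innodb_max_dirty_pages_pct = 90
    innodb_lock_wait_timeout = 120
    bulk_insert_buffer_size = 8M
    myisam_sort_buffer_size = 8M
    myisam_max_sort_file_size = 10G
    myisam_repair_threads = 1
    interactive_timeout = 28800
    wait_timeout = 28800
    # An empty sql_mode turns strict mode (STRICT_TRANS_TABLES etc.) off: out-of-range
    # and truncated values are stored silently instead of being rejected.
    # NOTE(review): kept from the original; confirm JumpServer's documented
    # requirement before tightening it.
    sql_mode=""
    [mysqldump]
    quick
    [myisamchk]
    key_buffer_size = 8M
    sort_buffer_size = 8M
    read_buffer = 4M
    write_buffer = 4M
    [client]
    port = 3306
    socket = /var/lib/mysql/mysql.sock
    # Dropped from the original: a [client-server] group (not a MySQL 8 option group;
    # its two settings are duplicated in [mysqld] above, so nothing changes) and a
    # [mysqld_safe] group consisting of bare option names. The container image starts
    # mysqld directly, so that group is never read, and the bare names are not valid
    # mysqld_safe options anyway.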
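---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-data-pvc
  namespace: tools-env
  labels:
    # The original said "app: redis" - a copy/paste slip that mislabelled the MySQL volume.
    app: mysql
spec:
  # ReadWriteMany on NFS: the provisioner allows it, but nothing then stops two mysqld
  # pods from opening the same datadir (e.g. during a rolling update), so the consuming
  # Deployment should use strategy Recreate. NOTE(review): MySQL's own documentation
  # advises against NFS for the data directory (locking/durability); prefer a block
  # storage class for the database if one is available.
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  storageClassName: managed-nfs-storage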
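---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: tools-env
  labels:
    app: mysql
spec:
  # ClusterIP instead of the original NodePort 30336: JumpServer reaches the database by
  # the Service name (DB_HOST=mysql) inside the cluster, so nothing needs MySQL exposed on
  # every node's IP - least of all a root account granted from '%' with a weak password.
  # For ad-hoc administration use: kubectl -n tools-env port-forward svc/mysql 3306:3306
  type: ClusterIP
  selector:
    app: mysql
  ports:
  - name: mysql
    protocol: TCP
    port: 3306
    targetPort: 3306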
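---
# The root password (and the application account created on first init) come from this
# Secret instead of a clear-text `value:` in the pod spec, so they are no longer visible
# to anyone who can read Deployments. A Secret is only base64 in etcd: restrict RBAC on
# it and keep it out of git (sealed-secrets / an external secret store). The values here
# are placeholders - change them.
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
  namespace: tools-env
  labels:
    app: mysql
type: Opaque
stringData:
  MYSQL_ROOT_PASSWORD: "test-pwd"
  # MYSQL_DATABASE/MYSQL_USER/MYSQL_PASSWORD are only honoured by the official image when
  # it initialises an EMPTY data directory; on an existing datadir create the account by
  # hand. They match DB_NAME/DB_USER/DB_PASSWORD in jumpserver.yaml.
  MYSQL_DATABASE: "jumpserver"
  MYSQL_USER: "jumpserver"
  MYSQL_PASSWORD: "test-pwd"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  namespace: tools-env
  labels:
    app: mysql
spec:
  replicas: 1
  # Recreate rather than the default RollingUpdate: the PVC is ReadWriteMany, so a rolling
  # update would start a second mysqld on the same datadir while the first is still running.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        # 8.0.21 dates from 2020; pin a current 8.0.x patch release. (The mysql session
        # later in this article reports 8.0.33, which suggests the pod shown there was
        # not running this tag.)
        image: mysql:8.0.21
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3306
        envFrom:
        - secretRef:
            name: mysql-secret
        resources:
          limits:
            cpu: 2000m
            memory: 512Mi
          requests:
            cpu: 2000m
            memory: 512Mi
        # Probes run without credentials: `mysqladmin ping` exits 0 whenever the server
        # answers - even with "Access denied" - so a password adds nothing and would only
        # put the secret on a command line. (The original's "-p${MYSQL_ROOT_PASSWORD}" was
        # never expanded anyway: exec probes run without a shell and Kubernetes only
        # substitutes the $(VAR) form.) Without -h the client uses the socket from [client]
        # in my.cnf, which also answers during the image's first-time initialisation.
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 3
          exec:
            command: ["mysqladmin", "ping"]
        readinessProbe:
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 3
          exec:
            command: ["mysqladmin", "ping"]
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        - name: config
          mountPath: /etc/mysql/conf.d/my.cnf
          subPath: my.cnf
        - name: localtime
          readOnly: true
          mountPath: /etc/localtime
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: mysql-data-pvc
      - name: config
        configMap:
          name: mysql-config
      # Node's timezone file, read-only; fails to schedule if /etc/localtime is absent on the node.
      - name: localtime
        hostPath:
          type: File
          path: /etc/localtime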
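# Create the application's own database and account (matching DB_USER / DB_NAME in
# jumpserver.yaml) instead of widening root. Note that the original session created a
# database named "jumpserver2" and never created a "jumpserver" user, so the values in
# jumpserver.yaml could not have connected. root@'%' is left as the image created it
# (the official image already grants it ALL PRIVILEGES).
#
# The root password is taken from the pod's own environment and handed to the client via
# MYSQL_PWD, so it never appears on a command line, in shell history or in `ps` output
# (the original typed it as -ptest-pwd). `--` avoids the kubectl deprecation warning.
kubectl exec -i -n tools-env deploy/mysql -- \
  sh -c 'MYSQL_PWD="$MYSQL_ROOT_PASSWORD" exec mysql -uroot' <<'EOF'
-- "utf8" is an alias for utf8mb3 in 8.0 - that is the "1 warning" in the original.
-- Switch to utf8mb4 only if JumpServer's documentation for your version says so.
CREATE DATABASE IF NOT EXISTS jumpserver DEFAULT CHARSET 'utf8';
-- mysql_native_password is kept because the original switched root to it; drop the
-- IDENTIFIED WITH clause to stay on 8.0's default caching_sha2_password if the
-- application's client library supports it. Replace the placeholder password.
CREATE USER IF NOT EXISTS 'jumpserver'@'%' IDENTIFIED WITH mysql_native_password BY 'test-pwd';
-- Privileges limited to the one schema, not *.*.
GRANT ALL PRIVILEGES ON jumpserver.* TO 'jumpserver'@'%';
FLUSH PRIVILEGES;
EOF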
部署Redis
[root@k8s01 test-env]# vim redis.yaml
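---
apiVersion: v1
kind: ConfigMap
metadata:
  name: redis-config
  namespace: tools-env
  labels:
    app: redis
data:
  redis.conf: |-
    # Redis only treats a line that STARTS with "#" as a comment. A trailing "# ..."
    # after a directive (as the original had on the maxmemory line) is parsed as extra
    # arguments and makes redis-server refuse to start ("wrong number of arguments").
    # Keep every comment on its own line.
    dir /data
    port 6379
    # Listen on the pod IP; exposure is limited by the ClusterIP Service (add a
    # NetworkPolicy if only the JumpServer pods should reach it).
    bind 0.0.0.0
    appendonly yes
    # Not needed once requirepass is set (protected mode only engages when there is
    # neither a bind address nor a password); kept from the original.
    protected-mode no
    # Weak placeholder, readable by anyone who can read this ConfigMap. Use a long random
    # value; a Deployment can override it at start-up with `--requirepass` taken from a
    # Secret, which a ConfigMap cannot be.
    requirepass super
    pidfile /data/redis-6379.pid
    # Maximum dataset size in bytes (1073741824 = 1 GiB). Redis's resident memory exceeds
    # this (fragmentation, client buffers, the AOF-rewrite fork), so the container memory
    # limit should sit comfortably ABOVE this value rather than equal to it, or the
    # kubelet may OOM-kill Redis before eviction ever starts.
    maxmemory 1073741824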
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: redis-pvc
  namespace: tools-env
  labels:
    app: redis
spec:
  # Backs /data (AOF file and pidfile). ReadWriteMany is what this NFS class offers;
  # only one redis-server must ever write here at a time.
  storageClassName: managed-nfs-storage
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
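---
# Redis password as a Secret. It overrides the `requirepass` line in redis.conf at start-up
# (command-line options take precedence over the file), so the ConfigMap no longer needs to
# hold the real value. Placeholder only - use a long random string, and keep it in sync
# with REDIS_PASSWORD on the JumpServer side.
apiVersion: v1
kind: Secret
metadata:
  name: redis-secret
  namespace: tools-env
  labels:
    app: redis
type: Opaque
stringData:
  REDIS_PASSWORD: "super"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: tools-env
  labels:
    app: redis
spec:
  replicas: 1
  # The PVC is ReadWriteMany and the AOF file cannot be shared: never let a rolling
  # update run two redis-server processes against the same /data.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      # Kernel tuning that silences Redis's start-up warnings. Be aware of what it costs:
      #  - privileged + hostPath /sys must be permitted by your admission / pod security rules;
      #  - /sys/kernel/mm/transparent_hugepage/enabled is a NODE-wide setting, so this pod
      #    changes THP for every workload on the node (set it on the nodes themselves instead);
      #  - /proc/sys/net/core/somaxconn is per network namespace, i.e. pod-local here, and
      #    could be set without privilege via pod securityContext.sysctls if the kubelet
      #    allows that sysctl.
      initContainers:
      - name: system-init
        image: busybox:1.32
        imagePullPolicy: IfNotPresent
        command:
        - "sh"
        - "-c"
        - "echo 2048 > /proc/sys/net/core/somaxconn && echo never > /sys/kernel/mm/transparent_hugepage/enabled"
        securityContext:
          privileged: true
          runAsUser: 0
        volumeMounts:
        - name: sys
          mountPath: /sys
      containers:
      - name: redis
        # NOTE(review): 5.0.8 is a 2020 patch level of a branch that no longer receives
        # fixes upstream; plan a move to a supported release.
        image: redis:5.0.8
        imagePullPolicy: IfNotPresent
        env:
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              name: redis-secret
              key: REDIS_PASSWORD
        # `command:` replaces the image's ENTRYPOINT, so docker-entrypoint.sh never runs and
        # Redis stays root instead of being switched to the `redis` user (uid 999 in the
        # official image). Once /data on the NFS share is writable by that uid, add
        # securityContext.runAsUser: 999. `exec` makes redis-server PID 1 so it receives
        # SIGTERM on pod shutdown and can flush the AOF.
        command:
        - "sh"
        - "-c"
        - 'exec redis-server /usr/local/etc/redis/redis.conf --requirepass "$REDIS_PASSWORD"'
        ports:
        - containerPort: 6379
        resources:
          limits:
            cpu: 1000m
            # Equal to maxmemory in redis.conf (1 GiB), as the original intended - but Redis's
            # resident memory is maxmemory PLUS fragmentation, client buffers and the
            # AOF-rewrite fork, so a limit equal to maxmemory risks an OOM kill before
            # eviction starts. Give the limit headroom above maxmemory (or lower maxmemory)
            # once you have measured real usage.
            memory: 1024Mi
          requests:
            cpu: 1000m
            memory: 1024Mi
        # TCP probes only: an authenticated PING would need the password on a command line.
        livenessProbe:
          tcpSocket:
            port: 6379
          initialDelaySeconds: 300
          timeoutSeconds: 1
          periodSeconds: 10
          successThreshold: 1
          failureThreshold: 3
        readinessProbe:
          tcpSocket:
            port: 6379
          initialDelaySeconds: 5
          timeoutSeconds: 1
          periodSeconds: 10
          successThreshold: 1
          failureThreshold: 3
        volumeMounts:
        - name: data
          mountPath: /data
        - name: config
          mountPath: /usr/local/etc/redis/redis.conf
          subPath: redis.conf
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: redis-pvc
      - name: config
        configMap:
          name: redis-config
      - name: sys
        hostPath:
          path: /sys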
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: tools-env
  labels:
    app: redis
spec:
  # ClusterIP: reachable inside the cluster only, which is all JumpServer needs
  # (it is configured with REDIS_HOST=redis).
  type: ClusterIP
  selector:
    app: redis
  ports:
  - name: redis
    protocol: TCP
    port: 6379
    targetPort: 6379
# Apply, then wait until the pod is Ready (readiness = TCP 6379 answering) before
# deploying JumpServer, which is configured to use this Redis:
#   kubectl -n tools-env get pod -l app=redis -w
[root@k8s01 jumpserver]# kubectl apply -f redis.yaml
configmap/redis-config created
persistentvolumeclaim/redis-pvc created
deployment.apps/redis created
service/redis created
部署Jumpserver
生成SECRET_KEY和BOOTSTRAP_TOKEN,后面部署jumpserver及后续升级都将需要,请妥善保管(建议存入密码管理器)。注意:只有全新安装才需要生成新值;像本文这样从已有的2.3.0部署升级时,应沿用原部署的SECRET_KEY(参见官方升级文档)。这两个值属于机密,不要以明文写进会提交到代码仓库或公开发布的清单文件里;本文示例中打印出来的值已经公开,切勿直接复用。
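# Generate the two secrets JumpServer needs. Both must be kept for the life of the
# installation (every later upgrade needs the same values), so store them in a password
# manager. When upgrading an existing deployment, reuse the old SECRET_KEY instead of
# generating a new one.
# LC_ALL=C keeps tr byte-oriented: under a UTF-8 locale it can choke on random bytes.

# 50-character random SECRET_KEY
SECRET_KEY=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)

# 16-character random BOOTSTRAP_TOKEN
BOOTSTRAP_TOKEN=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)

# Print them ONCE, copy them somewhere safe, and clear the terminal/history afterwards.
# Never paste real values into a manifest that is committed to git or published - the
# example values printed in the original article are public and must not be reused.
printf 'SECRET_KEY=%s\nBOOTSTRAP_TOKEN=%s\n' "$SECRET_KEY" "$BOOTSTRAP_TOKEN"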
[root@k8s01 jumpserver]# cat jumpserver.yaml
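---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jumpserver-data
  namespace: tools-env
  labels:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
spec:
  # ReadWriteMany: with maxSurge 1 in the Deployment two pods can be mounted at once
  # during a rollout; on this NFS class that is the mode that permits it.
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  # `storageClassName` replaces the deprecated volume.beta.kubernetes.io/storage-class
  # annotation the original used; both name the same class.
  storageClassName: managed-nfs-storage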
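---
# Everything JumpServer treats as a secret lives here, not in clear-text `value:` fields of
# the pod spec. SECRET_KEY and BOOTSTRAP_TOKEN must stay stable for the life of the
# installation (the article notes they are needed again for every upgrade) - treat them
# like a master key. The values below are the ones printed earlier in this article and are
# therefore public: generate your own, and never commit real values to git in clear text.
apiVersion: v1
kind: Secret
metadata:
  name: jumpserver-secret
  namespace: tools-env
  labels:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
type: Opaque
stringData:
  SECRET_KEY: "IF6x9seZc7KlfAZcNmb1y79Y1PvOCE7mbrmRCmPNderzztM8nR"
  BOOTSTRAP_TOKEN: "o89aE7Vgwmu4tcRA"
  # Must match the MySQL account password and the Redis requirepass actually configured.
  DB_PASSWORD: "test-pwd"
  REDIS_PASSWORD: "super"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jumpserver
  namespace: tools-env
  labels:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
spec:
  replicas: 1
  # maxSurge 1 / maxUnavailable 0 runs the new pod alongside the old one, on the same
  # database and data volume, for every rollout. For a version upgrade consider scaling to 0
  # first so only one version touches the schema at a time.
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/instance: jumpserver
      app.kubernetes.io/name: jumpserver
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: jumpserver
        app.kubernetes.io/name: jumpserver
    spec:
      containers:
      - name: jumpserver
        image: jumpserver/jms_all:v3.4.3
        imagePullPolicy: IfNotPresent
        # SECRET_KEY, BOOTSTRAP_TOKEN, DB_PASSWORD and REDIS_PASSWORD come from the Secret.
        envFrom:
        - secretRef:
            name: jumpserver-secret
        env:
        - name: DB_ENGINE
          value: "mysql"
        - name: DB_HOST
          value: "mysql"
        - name: DB_PORT
          value: "3306"
        # DB_USER and DB_NAME must exist on the MySQL side. The mysql session shown in this
        # article created a database called "jumpserver2" and no "jumpserver" user; create the
        # "jumpserver" database and account (or change these two values) or the application
        # cannot connect to its database.
        - name: DB_USER
          value: "jumpserver"
        - name: DB_NAME
          value: "jumpserver"
        - name: REDIS_HOST
          value: "redis"
        - name: REDIS_PORT
          value: "6379"
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 2222
          name: ssh
          protocol: TCP
        # NOTE(review): no resource requests/limits are set; jms_all bundles several
        # services, so measure and add them before relying on scheduling/eviction behaviour.
        volumeMounts:
        - mountPath: /opt/jumpserver/data
          name: datadir
      volumes:
      - name: datadir
        persistentVolumeClaim:
          claimName: jumpserver-data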
---
apiVersion: v1
kind: Service
metadata:
  name: jumpserver-svc
  namespace: tools-env
  labels:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
spec:
  type: NodePort
  selector:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
  ports:
  # Plain HTTP on every node IP: the bastion's own login then crosses the network
  # unencrypted. Use it for first-time verification only and log in through the TLS
  # Ingress otherwise (or remove this entry once the Ingress works).
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 38888
  # SSH gateway; the protocol itself is encrypted.
  - name: ssh
    protocol: TCP
    port: 2222
    targetPort: 2222
    nodePort: 22222
  # Both nodePorts lie outside the default 30000-32767 range; this only applies on an
  # apiserver started with a widened --service-node-port-range, as this cluster
  # evidently was (the apply succeeded).
# Apply, then watch the pod; the first start can take a while, and if it never becomes
# Ready check the logs for database/redis connection errors:
#   kubectl -n tools-env get pod -l app.kubernetes.io/name=jumpserver -w
#   kubectl -n tools-env logs deploy/jumpserver
[root@k8s01 jumpserver]# kubectl apply -f jumpserver.yaml
persistentvolumeclaim/jumpserver-data created
deployment.apps/jumpserver created
service/jumpserver-svc created
为了方便访问,可以添加ingress域名来访问
[root@k8s01 jumpserver]# cat tools-ing.yaml
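apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tools-ing
  namespace: tools-env
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    # Long-lived web terminal / WebSocket sessions.
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-body-size: "2048M"
    # The original used nginx.org/redirect-to-https, which belongs to the NGINX Inc.
    # controller and is ignored by kubernetes/ingress-nginx (the class selected above).
    # ingress-nginx already redirects to HTTPS once a tls block is present; this makes
    # it explicit.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    # Ingress hosts are validated as lowercase DNS-1123 names; the original
    # "Jumpserver.k8s.com" (capital J) is rejected by the API server.
    - jumpserver.k8s.com
    # Must already exist in tools-env, e.g.
    #   kubectl -n tools-env create secret tls tools-secret --cert=tls.crt --key=tls.key
    secretName: tools-secret
  rules:
  - host: jumpserver.k8s.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            # The Service created above is named jumpserver-svc; the original pointed at
            # "jumpserver", which does not exist, so every request would have got a 503.
            name: jumpserver-svc
            port:
              number: 80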
登录测试
通过 https://jumpserver.k8s.com 访问(Ingress 已配置 TLS);IP:38888 走的是未加密的 HTTP,仅建议在内网首次验证时使用。初始账号/密码为 admin/admin,首次登录后请立即修改默认密码。