环境配置

  • Jumpserver版本:3.4.3

  • MySQL版本:8.0(下文 mysql.yaml 里使用的镜像是 mysql:8.0.21,但后面登录输出显示的 Server version 是 8.0.33,两处不一致,以你实际部署的镜像 tag 为准)

  • Redis版本:5.0.8

  • Kubernetes版本:1.20.0

详情可参考 JumpServer 官方文档。本文是从 2.3.0 升级至 3.4.3,具体升级步骤请参考 JumpServer 官网文档。需要注意的是:如果是沿用旧数据库做升级,SECRET_KEY 与 BOOTSTRAP_TOKEN 应沿用旧环境的值(下文「部署Jumpserver」一节也强调它们在后续升级中仍然需要),只有全新安装时才重新生成。

部署服务

部署MySQL

[root@k8s01 jumpserver]# cat mysql.yaml
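---
# Root credential for the mysql container. Kept in a Secret rather than a plain
# `env.value` so that anyone who can read the Deployment (kubectl get deploy
# -o yaml, CI logs, git history) does not also get the database root password.
# "test-pwd" is the example value used throughout this post -- replace it
# before applying, or create the Secret out of band with
#   kubectl -n tools-env create secret generic mysql-root \
#     --from-literal=MYSQL_ROOT_PASSWORD='<strong password>'
# and delete this object from the file.
apiVersion: v1
kind: Secret
metadata:
  name: mysql-root
  namespace: tools-env
  labels:
    app: mysql
type: Opaque
stringData:
  MYSQL_ROOT_PASSWORD: "test-pwd"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
  namespace: tools-env
  labels:
    app: mysql
data:
  # Mounted as /etc/mysql/conf.d/my.cnf; the official image's /etc/mysql/my.cnf
  # includes that directory, so these settings override the image defaults.
  # The original file also had a [client-server] group carrying `datadir`
  # (a server-only option, already set under [mysqld]) and a [mysqld_safe]
  # group followed by a list of bare option names with no values. The official
  # image's entrypoint execs mysqld directly, not mysqld_safe, so that group was
  # never read; both are dropped here rather than carried around as dead config.
  my.cnf: |-
    [mysqld]
    port = 3306
    datadir = /var/lib/mysql
    socket = /var/lib/mysql/mysql.sock
    pid-file = /var/run/mysqld/mysqld.pid
    log_queries_not_using_indexes = 1
    # 0.0.0.0 is the pod's own network namespace; reachability from outside the
    # pod is decided by the Service below, not by this line.
    bind-address = 0.0.0.0
    skip-name-resolve
    back_log = 600
    # NOTE: 1000 connections x the per-session buffers below (read_rnd / sort /
    # join at 8M each) can exceed the 512Mi container limit under load; size
    # max_connections and the memory limit together.
    max_connections = 1000
    max_connect_errors = 6000
    # lower_case_table_names must equal the value the data directory was
    # initialised with; MySQL 8.0 refuses to start if it differs. Fine for a
    # fresh PVC -- do not change it afterwards.
    lower_case_table_names = 1
    open_files_limit = 65535
    table_open_cache = 128
    max_allowed_packet = 4M
    binlog_cache_size = 1M
    max_heap_table_size = 8M
    tmp_table_size = 16M
    read_buffer_size = 2M
    read_rnd_buffer_size = 8M
    sort_buffer_size = 8M
    join_buffer_size = 8M
    thread_cache_size = 8
    key_buffer_size = 4M
    ft_min_word_len = 4
    transaction_isolation = REPEATABLE-READ
    log_bin = mysql-bin
    binlog_format = mixed
    performance_schema = 0
    explicit_defaults_for_timestamp
    innodb_file_per_table = 1
    innodb_open_files = 500
    innodb_buffer_pool_size = 64M
    innodb_write_io_threads = 4
    innodb_read_io_threads = 4
    innodb_thread_concurrency = 0
    innodb_purge_threads = 1
    # 2 = flush the redo log once per second instead of at every commit: faster,
    # but up to ~1s of committed transactions can be lost if the host crashes.
    innodb_flush_log_at_trx_commit = 2
    innodb_log_buffer_size = 2M
    innodb_log_file_size = 32M
    innodb_log_files_in_group = 3
    innodb_max_dirty_pages_pct = 90
    innodb_lock_wait_timeout = 120
    bulk_insert_buffer_size = 8M
    myisam_sort_buffer_size = 8M
    myisam_max_sort_file_size = 10G
    myisam_repair_threads = 1
    interactive_timeout = 28800
    wait_timeout = 28800
    # An empty sql_mode disables STRICT_TRANS_TABLES etc.: out-of-range or
    # truncated values are silently stored instead of rejected. Kept as in the
    # original post; tighten with care after testing the application.
    sql_mode=""

    [mysqldump]
    quick

    [myisamchk]
    key_buffer_size = 8M
    sort_buffer_size = 8M
    read_buffer = 4M
    write_buffer = 4M

    [client]
    port = 3306
    socket = /var/lib/mysql/mysql.sock
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-data-pvc
  namespace: tools-env
  labels:
    app: mysql   # was `app: redis` -- copy-paste slip
spec:
  accessModes:
    # RWX is what managed-nfs-storage hands out; it does NOT stop two mysqld
    # processes from opening the same datadir, so the Deployment below uses the
    # Recreate strategy to guarantee only one pod is ever running.
    - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  storageClassName: managed-nfs-storage
---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: tools-env
  labels:
    app: mysql
spec:
  # ClusterIP: JumpServer reaches the database by the in-cluster name "mysql";
  # nothing outside the cluster needs it. The original NodePort 30336 published
  # a root@'%' MySQL on every node's IP. For ad-hoc admin access use
  #   kubectl -n tools-env port-forward svc/mysql 3306:3306
  # or kubectl exec into the pod as the post does below.
  type: ClusterIP
  ports:
  - name: mysql
    port: 3306
    targetPort: 3306
  selector:
    app: mysql
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  namespace: tools-env
  labels:
    app: mysql
spec:
  replicas: 1
  # Recreate: stop the old mysqld before starting the new one. The default
  # RollingUpdate would start a second mysqld on the same shared datadir during
  # any rollout (image or config change), which corrupts InnoDB.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:8.0.21
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3306
        env:
        # Root password, read from the Secret defined at the top of this file.
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-root
              key: MYSQL_ROOT_PASSWORD
        resources:
          limits:
            cpu: 2000m
            memory: 512Mi
          requests:
            cpu: 2000m
            memory: 512Mi
        # The original probes ran
        #   ["mysqladmin", "-uroot", "-p${MYSQL_ROOT_PASSWORD}", "ping"]
        # Exec-form commands get no shell, and Kubernetes only expands $(VAR),
        # never ${VAR}, so the literal string "${MYSQL_ROOT_PASSWORD}" was sent
        # as the password. The probe still passed only because `mysqladmin ping`
        # exits 0 on "access denied" (the server is up). Running it through sh
        # with MYSQL_PWD authenticates properly and keeps the password out of
        # the process argument list (visible to anyone who can run `ps`).
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 3
          exec:
            command:
              - sh
              - -c
              - MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysqladmin -uroot --silent ping
        # Readiness goes over TCP (127.0.0.1) rather than the socket: during
        # first-time initialisation the image runs a temporary server with
        # networking disabled, and that one must not be reported as ready.
        readinessProbe:
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 3
          exec:
            command:
              - sh
              - -c
              - MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysqladmin -uroot -h 127.0.0.1 --silent ping
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        - name: config
          mountPath: /etc/mysql/conf.d/my.cnf
          subPath: my.cnf
        - name: localtime
          readOnly: true
          mountPath: /etc/localtime
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: mysql-data-pvc
      - name: config
        configMap:
          name: mysql-config
      - name: localtime
        hostPath:
          type: File
          path: /etc/localtime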
          
#授权远程登录(可选,请先看说明)。下面把 root 开放为 'root'@'%' 并授予 ALL ON *.*,意味着任何能连到 3306 的客户端只要拿到 root 口令就能完全控制数据库;如果 MySQL 的 Service 是 NodePort(上面的 30336),这个端口会暴露在每个节点的 IP 上。JumpServer 本身只需要一个对自己库有权限的普通账号,root 远程登录只在手工运维时才需要,建议用 kubectl exec 或 kubectl port-forward 代替。另外,按官方镜像的说明,设置了 MYSQL_ROOT_PASSWORD 时初始化阶段本来就会创建 root@'%',所以下面的 GRANT 基本是重复的;真正生效的是把认证插件改成 mysql_native_password,而它比 MySQL 8 默认的 caching_sha2_password 弱,只在客户端驱动确实不支持后者时才改。进入容器后建议用 mysql -uroot -p 交互式输入口令,避免口令进入 shell 历史和 ps 输出。
[root@k8s01 mysql]# kubectl exec -it -n tools-env mysql-74465f65cc-tn9fk bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
bash-4.4# mysql -ptest-pwd

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 27
Server version: 8.0.33 MySQL Community Server - GPL

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> GRANT ALL ON *.* TO 'root'@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY 'test-pwd';
Query OK, 0 rows affected (0.04 sec)

#创建jumpserver库和专用账号。库名、用户名、口令必须和下文 jumpserver.yaml 里的 DB_NAME / DB_USER / DB_PASSWORD 保持一致:原文这里建的是 jumpserver2 库、也没有创建 jumpserver 用户,而 Deployment 里写的是 DB_NAME=jumpserver、DB_USER=jumpserver,照抄会导致 JumpServer 连不上数据库。(下面的 1 warning 是因为 utf8 在 MySQL 8 中是 utf8mb3 的别名。)
mysql> CREATE DATABASE jumpserver DEFAULT CHARSET 'utf8';
Query OK, 1 row affected, 1 warning (0.04 sec)

mysql> CREATE USER 'jumpserver'@'%' IDENTIFIED BY 'test-pwd';
mysql> GRANT ALL ON jumpserver.* TO 'jumpserver'@'%';
#只授权 jumpserver 这一个库即可,不要给 *.*;如果应用连接时报 caching_sha2_password 相关错误,再对这个账号单独改用 mysql_native_password。

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)       

部署Redis

[root@k8s01 test-env]# vim redis.yaml 
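---
# redis.conf carries the `requirepass` line, so the file lives in a Secret
# rather than a ConfigMap (ConfigMaps are readable by anyone with read access
# to the namespace). Because of this `kubectl apply` now reports
# secret/redis-config instead of configmap/redis-config. "super" is the post's
# example password: change it and keep it in sync with REDIS_PASSWORD in
# jumpserver.yaml.
apiVersion: v1
kind: Secret
metadata:
  name: redis-config
  namespace: tools-env
  labels:
    app: redis
type: Opaque
stringData:
  redis.conf: |-
    dir /data
    port 6379
    # 0.0.0.0 inside the pod's network namespace; exposure is controlled by the
    # ClusterIP Service below (cluster-internal only) plus requirepass. Add a
    # NetworkPolicy if only the jumpserver pods should be able to reach it.
    bind 0.0.0.0
    appendonly yes
    # protected-mode only activates when there is no explicit bind and no
    # password, so with requirepass set it is inactive either way; the
    # original value is kept.
    protected-mode no
    requirepass super
    pidfile /data/redis-6379.pid
    # Redis treats '#' as a comment only at the start of a line. The original
    # put this note after the value on the same line, which the parser sees as
    # extra arguments to maxmemory and rejects with "Bad directive or wrong
    # number of arguments", so redis-server never started. 1073741824 bytes =
    # 1 GiB; keep it equal to the container memory limit in the Deployment.
    maxmemory 1073741824
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: redis-pvc
  namespace: tools-env
  labels:
    app: redis
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  storageClassName: managed-nfs-storage
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: tools-env
  labels:
    app: redis
spec:
  replicas: 1
  # Recreate: the AOF lives on a shared RWX volume, so two redis pods must never
  # overlap during a rollout (the default RollingUpdate would allow that).
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      # Init container that silences two redis-server start-up warnings.
      # Mind the blast radius: it is privileged, and the transparent_hugepage
      # write goes through the host's /sys, so it changes THP for every process
      # on that node (until reboot), not just for this pod. somaxconn is per
      # network namespace and only affects the pod; where the kubelet allows
      # it, securityContext.sysctls (net.core.somaxconn is an "unsafe" sysctl)
      # is the cleaner route for that one. Drop this block if you are not
      # prepared to change node-wide settings from a workload.
      initContainers:
        - name: system-init
          image: busybox:1.32
          imagePullPolicy: IfNotPresent
          command:
            - "sh"
            - "-c"
            - "echo 2048 > /proc/sys/net/core/somaxconn && echo never > /sys/kernel/mm/transparent_hugepage/enabled"
          securityContext:
            privileged: true
            runAsUser: 0
          volumeMounts:
          - name: sys
            mountPath: /sys
      containers:
        - name: redis
          # redis 5.0.8 is end-of-life upstream and no longer receives security
          # fixes; plan a move to a supported 6.x/7.x line.
          image: redis:5.0.8
          imagePullPolicy: IfNotPresent
          # Exec form so redis-server is PID 1 and receives SIGTERM directly
          # (clean AOF shutdown) instead of depending on the shell forwarding it.
          command:
            - "redis-server"
            - "/usr/local/etc/redis/redis.conf"
          ports:
            - containerPort: 6379
          resources:
            limits:
              cpu: 1000m
              memory: 1024Mi   # must match maxmemory (1 GiB) in redis.conf above
            requests:
              cpu: 1000m
              memory: 1024Mi
          # TCP probes on purpose: an exec probe with `redis-cli -a` would put
          # the password on a command line visible in `ps`.
          livenessProbe:
            tcpSocket:
              port: 6379
            initialDelaySeconds: 300
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            tcpSocket:
              port: 6379
            initialDelaySeconds: 5
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          volumeMounts:
            - name: data
              mountPath: /data
            - name: config
              mountPath: /usr/local/etc/redis/redis.conf
              subPath: redis.conf
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: redis-pvc
        - name: config
          secret:
            secretName: redis-config
        - name: sys
          hostPath:
            path: /sys
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: redis
  name: redis
  namespace: tools-env
spec:
  ports:
  - name: redis
    port: 6379
    protocol: TCP
    targetPort: 6379
  selector:
    app: redis
  # ClusterIP: only reachable from inside the cluster, which is all JumpServer
  # needs (REDIS_HOST=redis). Keep it that way.
  type: ClusterIP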

[root@k8s01 jumpserver]# kubectl apply -f redis.yaml 
configmap/redis-config created
persistentvolumeclaim/redis-pvc created
deployment.apps/redis created
service/redis created    

部署Jumpserver

生成 SECRET_KEY 和 BOOTSTRAP_TOKEN,后面部署 JumpServer 及后续升级都将需要,请妥善保管(例如放入 Kubernetes Secret 并做离线备份)。注意:下面打印出来的两个值只是示例,已经随本文公开,切勿直接照抄到自己的环境,一定要重新生成。

#生成随机SECRET_KEY(用 $(...) 代替反引号,直接从 /dev/urandom 读取,不需要 cat;输出的值仅为示例)
[root@k8s01 jumpserver]# SECRET_KEY=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)
[root@k8s01 jumpserver]# echo "$SECRET_KEY"
IF6x9seZc7KlfAZcNmb1y79Y1PvOCE7mbrmRCmPNderzztM8nR

#生成随机BOOTSTRAP_TOKEN(同上,输出的值仅为示例)
[root@k8s01 jumpserver]# BOOTSTRAP_TOKEN=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
[root@k8s01 jumpserver]# echo "$BOOTSTRAP_TOKEN"
o89aE7Vgwmu4tcRA
[root@k8s01 jumpserver]# cat jumpserver.yaml 
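---
# All JumpServer credentials in one Secret, consumed via envFrom below so they
# do not appear in the Deployment spec. These are the example values printed
# earlier in this post and are therefore public: generate your own SECRET_KEY
# and BOOTSTRAP_TOKEN, never reuse these, and keep this object out of git.
# The post notes SECRET_KEY is needed again for every later upgrade, so back it
# up and do not regenerate it for an existing installation.
apiVersion: v1
kind: Secret
metadata:
  name: jumpserver-secrets
  namespace: tools-env
  labels:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
type: Opaque
stringData:
  SECRET_KEY: "IF6x9seZc7KlfAZcNmb1y79Y1PvOCE7mbrmRCmPNderzztM8nR"
  BOOTSTRAP_TOKEN: "o89aE7Vgwmu4tcRA"
  # Must match the password of the MySQL account JumpServer connects with
  # (DB_USER in the Deployment below).
  DB_PASSWORD: "test-pwd"
  # Must match `requirepass` in redis.yaml.
  REDIS_PASSWORD: "super"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jumpserver-data
  namespace: tools-env
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  # storageClassName replaces the deprecated volume.beta.kubernetes.io/storage-class
  # annotation and matches the mysql/redis PVCs in this post.
  storageClassName: managed-nfs-storage
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jumpserver
  namespace: tools-env
  labels:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
spec:
  replicas: 1
  # Recreate instead of RollingUpdate(maxSurge 1, maxUnavailable 0): jms_all is
  # the all-in-one image, the data dir is one shared RWX volume, and the app
  # presumably applies DB migrations at start-up. A surge pod would run a second
  # full stack (and, on a version upgrade, a second migration) against the same
  # database and files. Recreate costs a short outage per rollout, which is the
  # safer trade for a single-replica bastion.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/instance: jumpserver
      app.kubernetes.io/name: jumpserver
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: jumpserver
        app.kubernetes.io/name: jumpserver
    spec:
      containers:
      - name: jumpserver
        image: jumpserver/jms_all:v3.4.3
        imagePullPolicy: IfNotPresent
        envFrom:
        # SECRET_KEY, BOOTSTRAP_TOKEN, DB_PASSWORD, REDIS_PASSWORD
        - secretRef:
            name: jumpserver-secrets
        env:
        - name: DB_ENGINE
          value: "mysql"
        - name: DB_HOST
          value: "mysql"          # Service name in mysql.yaml
        - name: DB_PORT
          value: "3306"
        # DB_USER / DB_NAME must actually exist in MySQL: the SQL step earlier
        # in the post has to create database `jumpserver` and user
        # 'jumpserver'@'%' with the password held in jumpserver-secrets.
        - name: DB_USER
          value: "jumpserver"
        - name: DB_NAME
          value: "jumpserver"
        - name: REDIS_HOST
          value: "redis"          # Service name in redis.yaml
        - name: REDIS_PORT
          value: "6379"
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 2222
          name: ssh
          protocol: TCP
        # Readiness only: first start can take several minutes, and a liveness
        # probe with a short delay would restart the pod mid-initialisation.
        # A TCP check on the web port is a conservative choice; this version's
        # HTTP health endpoint could replace it once its path is confirmed.
        readinessProbe:
          tcpSocket:
            port: http
          initialDelaySeconds: 60
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 60
        volumeMounts:
        - mountPath: /opt/jumpserver/data
          name: datadir
      volumes:
      - name: datadir
        persistentVolumeClaim:
          claimName: jumpserver-data
---
apiVersion: v1
kind: Service
metadata:
  name: jumpserver-svc
  namespace: tools-env
  labels:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
spec:
  # NodePorts 38888 / 22222 lie outside the default range 30000-32767; the API
  # server only accepts them if --service-node-port-range was widened (the
  # post's "service/jumpserver-svc created" shows this cluster allows it).
  # Both ports are reachable on every node IP. http is also fronted by the
  # Ingress with TLS, so consider serving the web UI only through the Ingress
  # and keeping just 2222 (the SSH bastion entry point) here, behind a
  # firewall rule limited to the networks that need it.
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 38888
  - name: ssh
    port: 2222
    targetPort: 2222
    protocol: TCP
    nodePort: 22222
  type: NodePort
  selector:
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver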
    
[root@k8s01 jumpserver]# kubectl apply -f jumpserver.yaml 
persistentvolumeclaim/jumpserver-data created
deployment.apps/jumpserver created
service/jumpserver-svc created    

为了方便访问,可以添加ingress域名来访问

[root@k8s01 jumpserver]# cat tools-ing.yaml
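apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tools-ing
  namespace: tools-env
  annotations:
    # Class annotation kept for the controller version in use; on
    # networking.k8s.io/v1 the preferred form is spec.ingressClassName: nginx
    # (which requires an IngressClass object named "nginx" to exist).
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    # Long timeouts: JumpServer keeps web-terminal connections open for hours.
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-body-size: "2048M"
    # The other annotations are ingress-nginx ones (nginx.ingress.kubernetes.io/*).
    # The original nginx.org/redirect-to-https belongs to the NGINX Inc.
    # controller and is ignored by ingress-nginx, which already redirects to
    # HTTPS when a TLS block is present; these two make that explicit.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    # Ingress hosts are validated as lowercase RFC 1123 subdomains; the
    # original "Jumpserver.k8s.com" (capital J) fails API validation.
    - jumpserver.k8s.com
    # TLS certificate/key for this host; must already exist in tools-env, e.g.
    #   kubectl -n tools-env create secret tls tools-secret --cert=... --key=...
    secretName: tools-secret
  rules:
  - host: jumpserver.k8s.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            # The Service in jumpserver.yaml is named jumpserver-svc. The
            # original pointed at "jumpserver", which does not exist, so the
            # ingress had no endpoints and would answer 503.
            name: jumpserver-svc
            port:
              number: 80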

登录测试

访问 https://jumpserver.k8s.com(需要把该域名解析到 ingress 控制器的地址,并且 TLS 证书 Secret tools-secret 已经存在)或 http://节点IP:38888(38888 不在 Kubernetes 默认的 NodePort 范围 30000-32767 内,要求 apiserver 的 --service-node-port-range 覆盖该端口)。初始账号/密码:admin/admin,首次登录后请立即修改;同时注意 NodePort 会把 Web(38888)和 SSH 入口(22222)暴露在每个节点的 IP 上,应通过防火墙只对需要的网段开放。

文章作者: 鲜花的主人
版权声明: 本站所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 爱吃可爱多