Background:
Somewhere around 2017-2018 I first ran across Spinnaker (I forget where), but at the time I could not get it installed at all because of the network blocks. At the end of 2020 I took Zeyang's hands-on Spinnaker course, built a Spinnaker cluster with Halyard, and integrated it with Jenkins, GitLab, Harbor and Kubernetes. I played with it a little in early 2021 and then went off to do other things, so it never made it to the production environment. Now, in the second half of the year, the Jenkins and Kubernetes pipelines are basically sorted out and I want to split CD out of Jenkins and hand it to Spinnaker, so let me revisit Spinnaker from the start.
About Spinnaker
Spinnaker is a continuous-delivery tool open-sourced by Netflix. It is written in Java and follows a microservice design; its goal is to give teams flexible continuous-delivery pipelines and raise deployment efficiency.
Spinnaker's advantages
- Multi-cloud deployment
- Automated releases
- Built-in deployment best practices
Spinnaker architecture
About Spinnaker's architecture
- deck: the browser-based UI
- gate: the API gateway; the Spinnaker UI and every API caller talk to Spinnaker through Gate
- orca: the pipeline/stage orchestration engine; it handles all long-running operations and pipelines (see the Orca service overview for more)
- clouddriver: responsible for all mutating calls to the cloud providers and for indexing/caching every deployed resource
- front50: persists the metadata of applications, pipelines, projects and notifications
- rosco: bakes immutable VM images (or image templates) for the various cloud providers; it produces machine images (GCE images, AWS AMIs, Azure VM images, ...). It currently wraps Packer, but is meant to be extended with other image-building mechanisms
- igor: triggers pipelines from continuous-integration jobs in systems such as Jenkins and Travis CI, and allows Jenkins/Travis stages inside a pipeline
- echo: the event bus; it sends notifications (Slack, e-mail, SMS, ...) and acts on incoming webhooks from services such as GitHub
- fiat: the authentication/authorization service; it is queried for a user's access to accounts, applications and service accounts
- kayenta: automated canary analysis
- keel: powers Managed Delivery (note: I have not used this one yet)
- halyard: the configuration service; it manages the lifecycle of each service above and only talks to them during Spinnaker install, update and rollback
Service dependency/call graph:
One important point: the official docs are far more detailed on this than any other source: https://spinnaker.io/docs/reference/architecture/microservices-overview/
Building the Spinnaker services on Kubernetes
Note: Spinnaker can be installed with Helm or with a local Halyard deployment; Halyard is used here. The basic procedure follows Zeyang's Spinnaker course.
My cluster uses containerd as the runtime, not Docker (versions are in the table below). I tried many times along the way and failed in various ways, so the first installation is done the Docker way; the containerd attempts are analysed at the end.
Basic environment
Servers in the same Tencent Cloud VPC; they reach each other over the private network and the IPs are private addresses.
Hostname | IP | OS | Kernel | k8s version | Runtime
---|---|---|---|---|---
k8s-master-01 | 10.0.0.41 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-master-02 | 10.0.0.34 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-master-03 | 10.0.0.26 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-01 | 10.0.4.49 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-02 | 10.0.4.48 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-03 | 10.0.4.23 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-04 | 10.0.4.47 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-05 | 10.0.4.32 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-06 | 10.0.4.18 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | docker
k8s-01 | 10.0.2.17 | CentOS Linux 8 | 4.18.0-305.12.1.el8_4.x86_64 | not in this cluster (it belongs to a separate test k8s cluster, so ignore its other pods) | docker (a server outside the cluster running Docker)
Note: my attempts to run Halyard under containerd did not succeed; in the end Halyard is run with Docker.
Deploying Spinnaker with Halyard on the Docker runtime
Note: all Halyard operations are done on the k8s-01 node. One clarification: k8s-01 was originally named k8s-02 and was renamed with hostnamectl set-hostname, so some screenshots and commands still show k8s-02; it is the same server (an Xshell window to 10.0.2.17 opened earlier ...).
Pull the image, mount the local config directories, and start the container. The kubeconfig you copy in is the credential Halyard (and, through it, Clouddriver) will use against the cluster, so its context determines what Spinnaker is able to do.
[root@k8s-01 ~]# docker pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
#### create the .hal directory; the files Spinnaker generates are persisted here
[root@k8s-01 ~]# mkdir -p /home/spinnaker/.hal
### create the .kube directory and upload the cluster's kubeconfig (config) into it
[root@k8s-01 ~]# mkdir -p /home/spinnaker/.kube
[root@k8s-01 ~]# ls /home/spinnaker/.kube
config
#### start the halyard container
[root@k8s-01 ~]# docker run -itd --name halyard -v /home/spinnaker/.hal:/home/spinnaker/.hal -v /home/spinnaker/.kube:/home/spinnaker/.kube registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
Enter the container as root and disable GCS
## enter the container as root and edit the config file
[root@k8s-01 .kube]# docker exec -it -u root halyard bash
bash-5.0#
## set spinnaker.config.input.gcs.enabled = false (vi /opt/halyard/config/halyard.yml); this stops Halyard trying to read BOMs from Google Cloud Storage, which is unreachable from here
spinnaker:
  artifacts:
    debian: https://dl.bintray.com/spinnaker-releases/debians
    docker: gcr.io/spinnaker-marketplace
  config:
    input:
      gcs:
        enabled: false
        writerEnabled: false
        bucket: halconfig
Restart the halyard container
## the container needs a restart (if this command does not restart it, exit the container and run docker restart halyard)
bash-5.0# hal shutdown
Halyard Daemon Response: Shutting down, bye...
## restart the container
[root@k8s-01 .kube]# docker start halyard
halyard
Upload the BOM files to the server
Following https://github.com/zeyangli/spinnaker-cd-install; the artifact used here is the 1.26.6 build from https://github.com/zeyangli/spinnaker-cd-install/actions/runs/1368350526:
### upload the artifact archive to the server running halyard with rz, and unzip it
[root@k8s-01 work]# ls
1.26.6-Install-Scripts.zip
[root@k8s-01 work]# unzip 1.26.6-Install-Scripts.zip
There is the .boms directory; copy it to /home/spinnaker/.hal/. Keep in mind that the BOM pins which image of every service Halyard will deploy, so you are trusting whoever built this archive: confirm it is the build you expect before using it.
[root@k8s-01 1.26.6]# ls .boms/
bom clouddriver deck echo fiat front50 gate igor kayenta monitoring-daemon orca rosco
[root@k8s-01 1.26.6]# cp -Ra .boms/ /home/spinnaker/.hal/
[root@k8s-01 1.26.6]# ls /home/spinnaker/.hal/.boms/
bom clouddriver deck echo fiat front50 gate igor kayenta monitoring-daemon orca rosco
Downloading the images
Zeyang's artifact repo includes a script for downloading the images:
#!/bin/bash
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
T_REGISTRY="docker.io/spinnakercd"
NODES="node01.zy.com node02.zy.com"
## pull every image in tagfile.txt on every node from the reachable mirror,
## then re-tag it with the gcr.io name the BOM expects
function GetImages(){
  echo -e "\033[43;34m =====GetImg===== \033[0m"
  IMAGES=$(cat tagfile.txt)
  for image in ${IMAGES}
  do
    for node in ${NODES}
    do
      echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
      ssh ${node} "docker pull ${T_REGISTRY}/${image}"
      echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
      ssh ${node} "docker tag ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
    done
  done
  for node in ${NODES}
  do
    echo -e "\033[43;34m =====${node}=== image list ===== \033[0m"
    ssh ${node} "docker images | grep 'spinnaker-marketplace'"
  done
}
GetImages
But my cluster's runtime is containerd. The difference between ctr and crictl is worth revisiting, and crictl cannot re-tag images anyway, can it? Here is the adapted script (it does not work; see the comments):
#!/bin/bash
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
T_REGISTRY="docker.io/spinnakercd"
NODES="10.0.4.18 10.0.4.49 10.0.4.48 10.0.4.23 10.0.4.47 10.0.4.32"
## pull the images with crictl
function GetImages(){
  echo -e "\033[43;34m =====GetImg===== \033[0m"
  IMAGES=$(cat tagfile.txt)
  for image in ${IMAGES}
  do
    for node in ${NODES}
    do
      echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
      ssh -p 36000 ${node} "crictl pull ${T_REGISTRY}/${image}"
      echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
      # crictl has no tag subcommand: this only lists images filtered by name and re-tags nothing
      ssh -p 36000 ${node} "crictl images ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
    done
  done
  for node in ${NODES}
  do
    echo -e "\033[43;34m =====${node}=== image list ===== \033[0m"
    # "ls" is taken by crictl as an image-name filter, not a subcommand, so this matches nothing
    ssh -p 36000 ${node} "crictl images ls | grep 'spinnaker-marketplace'"
  done
}
GetImages
So that approach did not work. Then I happened to find the CSDN article "Installation: installing Spinnaker with halyard", which creates a config file per service under the default/service-settings/ directory in .hal and sets artifactId there!
As for why service-settings sits under the default directory, I did not dig into it; Zeyang's course used this directory when switching Redis to an external instance (default is the deployment name, see currentDeployment: default in config).
[root@k8s-2 .hal]# mkdir -p /home/spinnaker/.hal/default/service-settings
[root@k8s-2 .hal]# cd /home/spinnaker/.hal/default/service-settings
[root@k8s-2 service-settings]# pwd
/home/spinnaker/.hal/default/service-settings
[root@k8s-2 service-settings]# ls
clouddriver.yml deck.yml echo.yml fiat.yml front50.yml gate.yml igor.yml kayenta.yml orca.yml rosco.yml
[root@k8s-2 service-settings]# cat *
artifactId: docker.io/spinnakercd/clouddriver:8.0.4-20210625060028
artifactId: docker.io/spinnakercd/deck:3.7.2-20210614020020
artifactId: docker.io/spinnakercd/echo:2.17.1-20210429125836
artifactId: docker.io/spinnakercd/fiat:1.16.0-20210422230020
artifactId: docker.io/spinnakercd/front50:0.27.1-20210625161956
artifactId: docker.io/spinnakercd/gate:1.22.1-20210603020019
artifactId: docker.io/spinnakercd/igor:1.16.0-20210422230020
artifactId: docker.io/spinnakercd/kayenta:0.21.0-20210322140019
artifactId: docker.io/spinnakercd/orca:2.20.3-20210630022216
artifactId: docker.io/spinnakercd/rosco:0.25.0-20210422230020
So I skip the re-tagging and use the images from Zeyang's Docker Hub repo directly, which removes the download-and-retag step; the per-service artifactId overrides the gcr.io name from the BOM.
Halyard configuration management
Note: all Halyard configuration is done on the k8s-01 node, inside the halyard container by default
Set the Spinnaker version; --version specifies the version
[root@k8s-01 .kube]# docker exec -it -u root halyard bash
bash-5.0$ hal config version edit --version local:1.26.6
+ Get current deployment
Success
- Edit Spinnaker version
Failure
Validation in Global:
! ERROR Failure writing your halconfig to path
"/home/spinnaker/.hal/config": /home/spinnaker/.hal/config
- Failed to update version.
Right, so the .hal directory has to be writable by the user inside the container. chmod 777 is the quick fix used here, but it leaves a directory that will soon hold the registry, LDAP and database passwords world-readable and world-writable on the host; the proper fix is to chown it to the container's uid and keep the mode at 700.
[root@k8s-01 1.26.6]# chmod 777 -R /home/spinnaker/.hal/
[root@k8s-01 1.26.6]#
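The following is an added example (not from the original post): it gives the halyard container's unprivileged user ownership of the halconfig tree instead of opening it with chmod 777. It assumes the container is named halyard and runs as a non-root user whose home is /home/spinnaker, as on this page, and that HAL_DIR is the host path bind-mounted at /home/spinnaker/.hal.

```bash
#!/usr/bin/env bash
# Lock the halconfig tree down to the uid the halyard container runs as.
# ~/.hal/config and default/profiles/*.yml end up holding the Harbor,
# LDAP manager and MySQL passwords, so world-readable is the wrong mode.
set -eu

HAL_DIR="${HAL_DIR:-/home/spinnaker/.hal}"   # host side of the -v mount

# Numeric uid the container actually runs as; read it rather than guess it.
halyard_uid() {
  docker exec halyard id -u
}

# Hand the whole tree to one uid, directories 700, files 600.
# Prints the resulting mode of the top directory so callers can verify it.
lock_halconfig() {
  dir="$1"
  uid="$2"
  chown -R "$uid" "$dir"
  find "$dir" -type d -exec chmod 700 {} +
  find "$dir" -type f -exec chmod 600 {} +
  stat -c '%a' "$dir"
}

# Number of entries still readable by "other"; 0 means nothing leaks.
world_readable_count() {
  find "$1" -perm -o=r | wc -l | tr -d ' '
}

# Only act when a path is given on the command line, e.g.
#   ./lock-hal.sh /home/spinnaker/.hal
if [ -n "${1:-}" ]; then
  mode=$(lock_halconfig "$1" "$(halyard_uid)")
  echo "locked $1: top-level mode $mode, world-readable entries: $(world_readable_count "$1")"
fi
```

Run it on the host before `hal config ...` writes any credentials. Because the container keeps its uid across restarts, the ownership survives `docker restart halyard`; re-run it after copying new files such as `.boms` into the tree as root.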
Continue: set the Spinnaker version and generate the config file
bash-5.0$ hal config version edit --version local:1.26.6
+ Get current deployment
Success
+ Edit Spinnaker version
Success
+ Spinnaker has been configured to update/install version
"local:1.26.6". Deploy this version of Spinnaker with `hal deploy apply`.
bash-5.0$ ls
config default
bash-5.0$ cat config
currentDeployment: default
deploymentConfigurations:
- name: default
version: local:1.26.6
providers:
appengine:
enabled: false
accounts: []
aws:
enabled: false
accounts: []
bakeryDefaults:
baseImages: []
defaultKeyPairTemplate: '{{name}}-keypair'
defaultRegions:
- name: us-west-2
defaults:
iamRole: BaseIAMRole
ecs:
enabled: false
accounts: []
azure:
enabled: false
accounts: []
bakeryDefaults:
templateFile: azure-linux.json
baseImages: []
dcos:
enabled: false
accounts: []
clusters: []
dockerRegistry:
enabled: false
accounts: []
google:
enabled: false
accounts: []
bakeryDefaults:
templateFile: gce.json
baseImages: []
zone: us-central1-f
network: default
useInternalIp: false
huaweicloud:
enabled: false
accounts: []
bakeryDefaults:
baseImages: []
kubernetes:
enabled: false
accounts: []
tencentcloud:
enabled: false
accounts: []
bakeryDefaults:
baseImages: []
oracle:
enabled: false
accounts: []
bakeryDefaults:
templateFile: oci.json
baseImages: []
cloudfoundry:
enabled: false
accounts: []
deploymentEnvironment:
size: SMALL
type: LocalDebian
imageVariant: SLIM
updateVersions: true
consul:
enabled: false
vault:
enabled: false
customSizing: {}
sidecars: {}
initContainers: {}
hostAliases: {}
affinity: {}
tolerations: {}
nodeSelectors: {}
gitConfig:
upstreamUser: spinnaker
livenessProbeConfig:
enabled: false
haServices:
clouddriver:
enabled: false
disableClouddriverRoDeck: false
echo:
enabled: false
persistentStorage:
azs: {}
gcs:
rootFolder: front50
redis: {}
s3:
rootFolder: front50
oracle: {}
features:
auth: false
fiat: false
chaos: false
entityTags: false
metricStores:
datadog:
enabled: false
tags: []
prometheus:
enabled: false
add_source_metalabels: true
stackdriver:
enabled: false
newrelic:
enabled: false
tags: []
period: 30
enabled: false
notifications:
slack:
enabled: false
twilio:
enabled: false
baseUrl: https://api.twilio.com/
github-status:
enabled: false
timezone: America/Los_Angeles
ci:
jenkins:
enabled: false
masters: []
travis:
enabled: false
masters: []
wercker:
enabled: false
masters: []
concourse:
enabled: false
masters: []
gcb:
enabled: false
accounts: []
codebuild:
enabled: false
accounts: []
repository:
artifactory:
enabled: false
searches: []
security:
apiSecurity:
ssl:
enabled: false
uiSecurity:
ssl:
enabled: false
authn:
oauth2:
enabled: false
client: {}
resource: {}
userInfoMapping: {}
saml:
enabled: false
userAttributeMapping: {}
ldap:
enabled: false
x509:
enabled: false
iap:
enabled: false
enabled: false
authz:
groupMembership:
service: EXTERNAL
google:
roleProviderType: GOOGLE
github:
roleProviderType: GITHUB
file:
roleProviderType: FILE
ldap:
roleProviderType: LDAP
enabled: false
artifacts:
bitbucket:
enabled: false
accounts: []
gcs:
enabled: false
accounts: []
oracle:
enabled: false
accounts: []
github:
enabled: false
accounts: []
gitlab:
enabled: false
accounts: []
gitrepo:
enabled: false
accounts: []
http:
enabled: false
accounts: []
helm:
enabled: false
accounts: []
s3:
enabled: false
accounts: []
maven:
enabled: false
accounts: []
templates: []
pubsub:
enabled: false
google:
enabled: false
pubsubType: GOOGLE
subscriptions: []
publishers: []
canary:
enabled: false
serviceIntegrations:
- name: google
enabled: false
accounts: []
gcsEnabled: false
stackdriverEnabled: false
- name: prometheus
enabled: false
accounts: []
- name: datadog
enabled: false
accounts: []
- name: signalfx
enabled: false
accounts: []
- name: aws
enabled: false
accounts: []
s3Enabled: false
- name: newrelic
enabled: false
accounts: []
reduxLoggerEnabled: true
defaultJudge: NetflixACAJudge-v1.0
stagesEnabled: true
templatesEnabled: true
showAllConfigsEnabled: true
spinnaker:
extensibility:
plugins: {}
repositories: {}
webhook:
trust:
enabled: false
stats:
enabled: true
endpoint: https://stats.spinnaker.io
instanceId: 01FKDR1B3P8PF35RRC93XTE9AS
deploymentMethod: {}
connectionTimeoutMillis: 3000
readTimeoutMillis: 5000
bash-5.0$
Set the time zone
# set the time zone
hal config edit --timezone Asia/Shanghai
Set storage to S3 (--no-validate)
# set the storage type to s3 (not used later, but it must be configured; a bug)
hal config storage edit --type s3 --no-validate
Access: set the Deck and Gate domain names
# access: set the deck and gate domain names
hal config security ui edit --override-base-url http://spinnaker.xxxx.com
hal config security api edit --override-base-url http://spin-gate.xxxx.com
Note: these must be the URLs the browser actually uses. If the load balancer in front redirects to HTTPS (mine does, see the Ingress section), put the https:// URLs here; otherwise Deck is served over https but told to call Gate over plain http, which the browser blocks as mixed content, and Gate's login redirects point back at http.
Let's compare how the config file changes after running the commands above:
I do these comparisons so I can edit the config file by hand later; experts can skip these screenshots.
Add the image registry (Harbor) and the Kubernetes cluster account
Enable the docker-registry provider and add an account (the Harbor credentials are written in clear text into ~/.hal/config, another reason to keep that directory private)
bash-5.0$ hal config provider docker-registry enable --no-validate
+ Get current deployment
Success
+ Edit the dockerRegistry provider
Success
+ Successfully enabled dockerRegistry
bash-5.0$ hal config provider docker-registry account add my-harbor-registry \
> --address https://harbor.xxxx.com \
> --username xxxx \
> --password xxxx
+ Get current deployment
Success
+ Add the my-harbor-registry account
Success
Validation in
default.provider.dockerRegistry.my-harbor-registry:
- WARNING Your docker registry has no repositories specified, and
the registry's catalog is empty. Spinnaker will not be able to deploy any images
until some are pushed to this registry.
? Manually specify some repositories for this docker registry to
index.
+ Successfully added account my-harbor-registry for provider
dockerRegistry.
Enable the kubernetes provider and add an account (--service-account true makes the distributed deployment use a Kubernetes service account created by Halyard instead of the kubeconfig file)
bash-5.0$ hal config provider kubernetes enable
+ Get current deployment
Success
+ Edit the kubernetes provider
Success
Validation in default.provider.kubernetes:
- WARNING Provider kubernetes is enabled, but no accounts have been
configured.
+ Successfully enabled kubernetes
bash-5.0$ hal config provider kubernetes account add default \
> --docker-registries my-harbor-registry \
> --context $(kubectl config current-context) \
> --service-account true \
> --omit-namespaces=kube-system,kube-public \
> --provider-version v2 \
> --no-validate
+ Get current deployment
Success
+ Add the default account
Success
+ Successfully added account default for provider kubernetes.
Take another look at config:
Set the account and namespace used for the deployment; the deployment type is distributed
bash-5.0$ hal config deploy edit \
> --account-name default \
> --type distributed \
> --location spinnaker
Looking at the config file, this corresponds to the settings under deploymentEnvironment:
Enable a few of the main features (more can be added later)
bash-5.0$ hal config features edit --pipeline-templates true
bash-5.0$ hal config features edit --artifacts true
bash-5.0$ hal config features edit --managed-pipeline-templates-v2-ui true
In the config file these correspond to the switches under features:
Configure the Jenkins CI integration
# configure Jenkins
hal config ci jenkins enable
### the Jenkins server needs a username and password (a Jenkins API token can be given as the password and is the better choice)
hal config ci jenkins master add my-jenkins-master-01 \
--address https://jenkins.xxxx.com \
--username zhangpeng \
--password xxxx
### enable CSRF
hal config ci jenkins master edit my-jenkins-master-01 --csrf true
cat config shows the corresponding section. Travis, Wercker, Concourse, GCB and the other CI tools can be enabled the same way.
Configure the GitHub/GitLab integration
The GitHub part is Zeyang's; I only integrated GitLab. The GitHub one is included for reference and also ends up in the config file, which makes comparing config files easier. I won't go into how the tokens are generated.
# GitHub
## reference: https://spinnaker.io/setup/artifacts/github/
## create a token at https://github.com/settings/tokens
hal config artifact github enable
hal config artifact github account add my-github-account \
--token xxxxxxxxxxxxxxxxxxxxxxx \
--username zeyangli
# GitLab
## https://spinnaker.io/setup/artifacts/gitlab/
## create a personal token (admin)
hal config artifact gitlab enable
hal config artifact gitlab account add my-gitlab-account \
--token xxxxxxxxxxxxxx
The corresponding settings are found under artifacts.
Using an external Redis cluster
For Redis I use Tencent Cloud's managed Redis. It really should have a password; I did not read the official docs carefully and just used it without authentication. Gate keeps its sessions there, so an unauthenticated instance should at least be reachable only from the Spinnaker namespace.
## service-settings
bash-5.0$ pwd
/home/spinnaker/.hal/default/service-settings
vi .hal/default/service-settings/redis.yml
overrideBaseUrl: redis://10.0.0.31:6379
skipLifeCycleManagement: true
## profiles
## /home/spinnaker/.hal/default/profiles
bash-5.0$ pwd
/home/spinnaker/.hal/default
bash-5.0$ mkdir /home/spinnaker/.hal/default/profiles
bash-5.0$ cd profiles/
bash-5.0$ vi gate-local.yml
redis:
  configuration:
    secure: true
Using a SQL database
For MySQL I simply enabled Tencent Cloud's TDSQL-C.
Clouddriver service
Create the database and two accounts: a least-privilege service account and a migration account with DDL rights. Note that on MySQL 8.0 `GRANT ... IDENTIFIED BY` is no longer accepted; run `CREATE USER ... IDENTIFIED BY ...` first and then a plain `GRANT`. Also replace the example passwords, since they are written in clear text into the profiles below:
CREATE DATABASE `clouddriver` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT
SELECT, INSERT, UPDATE, DELETE, CREATE, EXECUTE, SHOW VIEW
ON `clouddriver`.*
TO 'clouddriver_service'@'%' IDENTIFIED BY 'clouddriver@spinnaker.com';
GRANT
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, LOCK TABLES, EXECUTE, SHOW VIEW
ON `clouddriver`.*
TO 'clouddriver_migrate'@'%' IDENTIFIED BY 'clouddriver@spinnaker.com';
Edit the profile (note the comment on unknown-agent-cleanup-agent: it says to set it to true with the Kubernetes provider, which is what this install uses):
bash-5.0$ pwd
/home/spinnaker/.hal/default/profiles
bash-5.0$ vi clouddriver-local.yml
sql:
  enabled: true
  # read-only boolean toggles `SELECT` or `DELETE` health checks for all pools.
  # Especially relevant for clouddriver-ro and clouddriver-ro-deck which can
  # target a SQL read replica in their default pools.
  read-only: false
  taskRepository:
    enabled: true
  cache:
    enabled: true
    # These parameters were determined to be optimal via benchmark comparisons
    # in the Netflix production environment with Aurora. Setting these too low
    # or high may negatively impact performance. These values may be sub-optimal
    # in some environments.
    readBatchSize: 500
    writeBatchSize: 300
  scheduler:
    enabled: true
  # Enable clouddriver-caching's clean up agent to periodically purge old
  # clusters and accounts. Set to true when using the Kubernetes provider.
  unknown-agent-cleanup-agent:
    enabled: false
  connectionPools:
    default:
      # additional connection pool parameters are available here,
      # for more detail and to view defaults, see:
      # https://github.com/spinnaker/kork/blob/master/kork-sql/src/main/kotlin/com/netflix/spinnaker/kork/sql/config/ConnectionPoolProperties.kt
      default: true
      jdbcUrl: jdbc:mysql://10.0.4.22:3306/clouddriver
      user: clouddriver_service
      password: clouddriver@spinnaker.com
    # The following tasks connection pool is optional. At Netflix, clouddriver
    # instances pointed to Aurora read replicas have a tasks pool pointed at the
    # master. Instances where the default pool is pointed to the master omit a
    # separate tasks pool.
    tasks:
      user: clouddriver_service
      jdbcUrl: jdbc:mysql://10.0.4.22:3306/clouddriver
      password: clouddriver@spinnaker.com
  migration:
    user: clouddriver_migrate
    jdbcUrl: jdbc:mysql://10.0.4.22:3306/clouddriver
    password: clouddriver@spinnaker.com

redis:
  enabled: false
  cache:
    enabled: false
  scheduler:
    enabled: false
  taskRepository:
    enabled: false
Front50 service
Create the database (same MySQL 8.0 caveat as above)
CREATE DATABASE `front50` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, EXECUTE, SHOW VIEW ON `front50`.* TO 'front50_service'@'%' IDENTIFIED BY "front50@spinnaker.com";
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, LOCK TABLES, EXECUTE, SHOW VIEW ON `front50`.* TO 'front50_migrate'@'%' IDENTIFIED BY "front50@spinnaker.com";
Edit the profile
bash-5.0$ pwd
/home/spinnaker/.hal/default/profiles
bash-5.0$ vi front50-local.yml
spinnaker:
  s3:
    enabled: false

sql:
  enabled: true
  connectionPools:
    default:
      # additional connection pool parameters are available here,
      # for more detail and to view defaults, see:
      # https://github.com/spinnaker/kork/blob/master/kork-sql/src/main/kotlin/com/netflix/spinnaker/kork/sql/config/ConnectionPoolProperties.kt
      default: true
      jdbcUrl: jdbc:mysql://10.0.4.22:3306/front50
      user: front50_service
      password: front50@spinnaker.com
  migration:
    user: front50_migrate
    jdbcUrl: jdbc:mysql://10.0.4.22:3306/front50
    password: front50@spinnaker.com
Orca service
Create the database
set tx_isolation = 'REPEATABLE-READ';
CREATE SCHEMA `orca` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT
SELECT, INSERT, UPDATE, DELETE, CREATE, EXECUTE, SHOW VIEW
ON `orca`.*
TO 'orca_service'@'%' IDENTIFIED BY "orca@spinnaker.com" ;
GRANT
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, LOCK TABLES, EXECUTE, SHOW VIEW
ON `orca`.*
TO 'orca_migrate'@'%' IDENTIFIED BY "orca@spinnaker.com" ;
Edit the profile
bash-5.0$ pwd
/home/spinnaker/.hal/default/profiles
bash-5.0$ vi orca-local.yml
tasks:
  useManagedServiceAccounts: true

sql:
  enabled: true
  connectionPool:
    jdbcUrl: jdbc:mysql://10.0.4.22:3306/orca
    user: orca_service
    password: orca@spinnaker.com
    connectionTimeout: 5000
    maxLifetime: 30000
    # MariaDB-specific:
    maxPoolSize: 50
  migration:
    jdbcUrl: jdbc:mysql://10.0.4.22:3306/orca
    user: orca_migrate
    password: orca@spinnaker.com

# Ensure we're only using SQL for accessing execution state
executionRepository:
  sql:
    enabled: true
  redis:
    enabled: false

# Reporting on active execution metrics will be handled by SQL
monitor:
  activeExecutions:
    redis: false

# Use SQL for Orca's work queue
# Settings from Netflix and may require adjustment for your environment
# Only validated with AWS Aurora MySQL 5.7
# Please PR if you have success with other databases
keiko:
  queue:
    sql:
      enabled: true
    redis:
      enabled: false

queue:
  zombieCheck:
    enabled: true

pendingExecutionService:
  sql:
    enabled: true
  redis:
    enabled: false
Deploy the services
bash-5.0$ hal deploy apply --no-validate
Create an Ingress and test access from the browser. Keep in mind that this also publishes Gate's API on spin-gate.xxxx.com, and until authentication is enabled further down, anyone who can reach that hostname can use the API:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spinnaker-service
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: spinnaker.xxxx.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: spin-deck
            port:
              number: 9000
  - host: spin-gate.xxxx.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: spin-gate
            port:
              number: 8084
Open https://spinnaker.layame.com/ in a browser:
Note: why https? Because my Traefik proxy / SLB redirects to it. Adjust this to your own environment.
Integrating LDAP:
Why LDAP? For account security, naturally; there are other options too: Google Groups, GitHub Teams, SAML roles, or LDAP groups. See https://spinnaker.io/docs/setup/other_config/security/.
For installing LDAP see "Building OpenLDAP on Kubernetes".
First log in to the web admin page:
Create the OU devops
Create the inetOrgPerson zhangpeng
Set zhangpeng's password under Password
Commit to confirm
The result:
Run the following inside the halyard container. Copy-pasting the command may produce an error like: Was passed main parameter '--user-search-base' but no main parameter was defined in your arg class; paste it into an editor and clean up the whitespace first. Note that the manager password lands in clear text in ~/.hal/config, and ldap:// sends it in clear text over the network; prefer ldaps:// if your LDAP server supports it.
hal config security authn ldap edit \
--user-search-base 'ou=devops,dc=zy,dc=com' \
--url 'ldap://192.168.1.200:389' \
--user-search-filter 'cn={0}' \
--manager-dn 'cn=admin,dc=zy,dc=com' \
--manager-password '12345678'
hal config security authn ldap enable
bash-5.0$ cd /home/spinnaker/.hal/
bash-5.0$ pwd
/home/spinnaker/.hal
bash-5.0$ cat config
The web page now looks like this; I suspect Traefik's forced redirect is the cause
bash-5.0$ hal deploy apply --no-validate
[root@k8s-master-01 ~]# kubectl get pods -n spinnaker
Wait for the pods to come up
Into the home page
About authorization
First, in the LDAP web admin page, create two groupOfUniqueNames groups, yunweizu and devops; authorization is based on LDAP groups.
Create the groups and users in LDAP
yunweizu: user zhangpeng
Add user zhangpeng to the group:
devops group: user huozhonghao
Likewise add huozhonghao to the devops group
Configure in Halyard:
Enable the LDAP authorization config and add the related settings (again over plain ldap://, with the manager password stored in halconfig):
hal config security authz ldap edit \
--url 'ldap://172.19.252.28:389/dc=xxxx,dc=com' \
--manager-dn 'cn=admin,dc=xxxx,dc=com' \
--manager-password 'xxxxxx' \
--user-dn-pattern 'cn={0}' \
--group-search-base 'ou=devops' \
--group-search-filter 'uniqueMember={0}' \
--group-role-attributes 'cn' \
--user-search-filter 'cn={0}'
hal config security authz edit --type ldap
hal config security authz enable
Set which users can access cluster accounts, image registries and applications
## users with the yunweizu or group02 role can read the default cluster account; only yunweizu can write to it
hal config provider kubernetes account edit default \
--add-read-permission yunweizu,group02 \
--add-write-permission yunweizu
## users with the yunweizu role can use the my-harbor-registry account
hal config provider docker-registry account edit my-harbor-registry \
--read-permissions yunweizu \
--write-permissions yunweizu
## roll out the update
hal deploy apply
Note: group02 was copied from Zeyang's course notes; I kept it, but it has no real meaning here and could be removed ...
Log in to the Spinnaker web UI and try it:
Note: I created an empty application with user zhangpeng
and an empty application with the devops user huozhonghao for testing
For now only look at the permissions here; the warning tells you that setting read locks every other user out of this application.
The concrete permissions are bound to LDAP, so it should work like this:
1. In the LDAP admin page, add user zhangpeng to the devops group
2. Log in to Spinnaker as zhangpeng and create an application: yunweizu gets read, write and execute, devops only read.
- Create a new group platform and add huozhonghao to it
- Log in to the Spinnaker web UI as huozhonghao
The platform group is visible here too. Try changing the permissions, and try removing devops:
Adding permission for the platform group fails as well, because huozhonghao only has read, not write.
Enabling pipeline permissions
Inside the halyard container:
bash-5.0$ pwd
/home/spinnaker/.hal/default/profiles
bash-5.0$ cat /home/spinnaker/.hal/default/profiles/orca-local.yml
tasks:
useManagedServiceAccounts: true
bash-5.0$ cat ~/.hal/default/profiles/settings-local.js
window.spinnakerSettings.feature.managedServiceAccounts = true;
bash-5.0$ hal deploy apply --no-validate
Note: the orca-local.yml setting was already in place from the Orca section above.
Some permission tests
Test the permissions: log in as zhangpeng and create a pipeline named zhangpeng
The default Kubernetes account is visible and the pipeline can be saved
User huozhonghao edits the Manifest in zhangpeng's pipeline: no permission, as expected
Does the devops group need read permission on the Kubernetes account? Otherwise it cannot see the account at all!
bash-5.0$ hal deploy apply --no-validate
[root@k8s-master-01 develop]# kubectl get pods -n spinnaker
Wait for clouddriver to be running!
[root@k8s-master-01 develop]# kubectl get svc -n spinnaker
[root@k8s-master-01 develop]# curl -X POST http://172.19.254.33:7003/roles/sync
[root@k8s-master-01 develop]# curl 172.19.254.33:7003/authorize/huozhonghao
With only read permission the account still is not visible! (Side note: the Fiat port 7003 queried above has no authentication of its own; it must stay reachable only inside the cluster.)
Add write permission for the devops group on the default Kubernetes account:
bash-5.0$ vi config
bash-5.0$ hal deploy apply --no-validate
Wait for clouddriver to be running again
Refresh and log in as huozhonghao again: the default Kubernetes account is now visible, but the Manifest still cannot be edited. Verified!
The basic environment is done; the remaining steps will follow later.
Some failed attempts (still not successful)
1. Pull the Halyard image and start the container: a review of the various ctr commands
ctr pull
[root@k8s-master-01 ~]# ctr image pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
[root@k8s-master-01 ~]# mkdir /root/.hal
For reference, the Docker-era way of starting it:
docker run -itd --name halyard \
-v /root/.hal:/home/spinnaker/.hal \
-v /root/.kube:/home/spinnaker/.kube \
registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
ctr run
Try the same thing by analogy (it does not work; ctr run does not take Docker's -v/--name flags):
ctr run -itd --name halyard \
-v /root/.hal:/home/spinnaker/.hal \
-v /root/.kube:/home/spinnaker/.kube \
registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
I tried many variations of the ctr commands and really did not work it out ... I referred to "Managing containerd containers with the ctr command".
I feel installing Spinnaker on containerd is really a good way to revise the ctr and crictl commands
ctr create
[root@k8s-master-01 1.26.6]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw --mount type=bind,src=/root/.kube,dst=/home/spinnaker/.kube,options=rbind:ro --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
(the .hal mount must be rbind:rw; the command as originally typed had rbind:row, which is not a valid mount option)
[root@k8s-master-01 1.26.6]# ctr c ls
CONTAINER IMAGE RUNTIME
halyard registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 io.containerd.runc.v2
ctr t start
[root@k8s-master-01 1.26.6]# ctr t start -d halyard
[root@k8s-master-01 1.26.6]# ctr t ls
TASK PID STATUS
halyard 1729924 RUNNING
Now the question: how do I get into the container?
ctr tasks exec -t --exec-id
[root@k8s-master-01 1.26.6]# ctr tasks list
TASK PID STATUS
halyard 1729924 RUNNING
[root@k8s-master-01 1.26.6]# ctr tasks exec -t --exec-id 1729924 halyard sh
/ $
ctr c rm / ctr c kill: I never sorted out the read/write permissions, so I had to redo it by mounting the local files
Hmm, no permission? With Docker you can exec in as root; I could not find the equivalent for ctr. So the lazy way: copy halyard.yml out:
change true to false!
then run it with the directory mounted. Delete the container and walk through the flow, and the ctr commands, again
To delete a container you stop it first? Unsurprisingly I guessed wrong, it is kill ... and ctr t kill --signal 9 halyard for a forced kill matters too
[root@k8s-master-01 1.26.6]# ctr t ls
TASK PID STATUS
halyard 4184764 RUNNING
[root@k8s-master-01 1.26.6]# ctr t kill halyard
[root@k8s-master-01 1.26.6]# ctr t ls
TASK PID STATUS
halyard 4184764 STOPPED
[root@k8s-master-01 1.26.6]# ctr t ls
TASK PID STATUS
halyard 4184764 STOPPED
[root@k8s-master-01 1.26.6]# ctr c rm halyard
[root@k8s-master-01 1.26.6]# ctr t ls
TASK PID STATUS
[root@k8s-master-01 1.26.6]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw --mount type=bind,src=/root/.kube,dst=/home/spinnaker/.kube,options=rbind:ro --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
(mount option corrected to rbind:rw; the original had rbind:row)
[root@k8s-master-01 1.26.6]# ctr c ls
CONTAINER IMAGE RUNTIME
halyard registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 io.containerd.runc.v2
[root@k8s-master-01 1.26.6] # ctr t start -d halyard
[root@k8s-master-01 1.26.6] # ctr t ls
TASK PID STATUS
halyard 1729924 RUNNING
[root@k8s-master-01 1.26.6] # ctr tasks exec -t --exec-id 1729924 halyard sh
Attempts at pulling the images:
Which of the two scripts below should be used for pulling images, ctr or crictl? The images are ultimately consumed by Kubernetes ... so crictl, presumably. Images pulled with plain ctr are not found by the Kubernetes cluster at all! (ctr works in its own "default" namespace unless told otherwise, while the kubelet only looks in the "k8s.io" namespace.)
#!/bin/bash
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
T_REGISTRY="docker.io/spinnakercd"
NODES="10.0.4.18 10.0.4.49 10.0.4.48 10.0.4.23 10.0.4.47 10.0.4.32"
## pull with crictl, tag with ctr
function GetImages(){
  echo -e "\033[43;34m =====GetImg===== \033[0m"
  IMAGES=$(cat tagfile.txt)
  for image in ${IMAGES}
  do
    for node in ${NODES}
    do
      echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
      ssh -p 36000 ${node} "crictl pull ${T_REGISTRY}/${image}"
      echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
      # crictl pulled into the k8s.io namespace, but ctr without -n looks in "default",
      # so it cannot find the image it is asked to tag
      ssh -p 36000 ${node} "ctr image tag ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
    done
  done
  for node in ${NODES}
  do
    echo -e "\033[43;34m =====${node}=== image list ===== \033[0m"
    ssh -p 36000 ${node} "ctr image ls | grep 'spinnaker-marketplace'"
  done
}
GetImages
#!/bin/bash
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
T_REGISTRY="docker.io/spinnakercd"
NODES="10.0.4.18 10.0.4.49 10.0.4.48 10.0.4.23 10.0.4.47 10.0.4.32"
## crictl only
function GetImages(){
  echo -e "\033[43;34m =====GetImg===== \033[0m"
  IMAGES=$(cat tagfile.txt)
  for image in ${IMAGES}
  do
    for node in ${NODES}
    do
      echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
      ssh -p 36000 ${node} "crictl pull ${T_REGISTRY}/${image}"
      echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
      # crictl has no tag subcommand: this only lists images, nothing is re-tagged
      ssh -p 36000 ${node} "crictl images ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
    done
  done
  for node in ${NODES}
  do
    echo -e "\033[43;34m =====${node}=== image list ===== \033[0m"
    ssh -p 36000 ${node} "crictl images ls | grep 'spinnaker-marketplace'"
  done
}
GetImages
There is also the question of whether crictl can rename an image at all; it seems it cannot (crictl has no tag subcommand) ... so this approach failed too.
Various failed attempts under containerd:
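The following is an added example (not from the original post or Zeyang's repo) that makes the containerd variant of the mirroring script actually work, covering both the earlier crictl adaptation and the two candidates above. The crux is namespaces: `crictl pull` stores images in containerd's `k8s.io` namespace, which is the only namespace the kubelet reads, while `ctr` defaults to the `default` namespace, so the tag step must run as `ctr -n k8s.io image tag`. It assumes SSH on port 36000 to the nodes, a tagfile with one `name:tag` per line, and the docker.io/spinnakercd mirror used on this page; with DRY_RUN=1 (the default) it prints the remote commands instead of running them.

```bash
#!/usr/bin/env bash
# Mirror the Spinnaker images onto containerd nodes under the gcr.io name the
# BOM asks for, in the namespace the kubelet actually looks at.
set -eu

S_REGISTRY="gcr.io/spinnaker-marketplace"   # name the BOM references
T_REGISTRY="docker.io/spinnakercd"          # mirror that is reachable from here
NODES="${NODES:-10.0.4.18 10.0.4.49 10.0.4.48 10.0.4.23 10.0.4.47 10.0.4.32}"
SSH_PORT="${SSH_PORT:-36000}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the remote commands, 0 = execute them over ssh

# The command sequence one node needs for one image, one command per line.
# crictl pull lands in the k8s.io namespace; the tag must be created there too.
node_cmds() {
  image="$1"
  printf 'crictl pull %s/%s\n' "$T_REGISTRY" "$image"
  printf 'ctr -n k8s.io image tag %s/%s %s/%s\n' "$T_REGISTRY" "$image" "$S_REGISTRY" "$image"
}

# Run (or print) one command on one node. ssh -n keeps ssh from swallowing
# the stdin that feeds the surrounding read loops.
run_on_node() {
  node="$1"
  cmd="$2"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'ssh -n -p %s %s %s\n' "$SSH_PORT" "$node" "$cmd"
  else
    ssh -n -p "$SSH_PORT" "$node" "$cmd"
  fi
}

# tagfile x nodes; blank lines and "#" comments in the tagfile are skipped.
mirror_images() {
  tagfile="$1"
  while IFS= read -r image || [ -n "$image" ]; do
    case "$image" in ''|'#'*) continue ;; esac
    for node in $NODES; do
      node_cmds "$image" | while IFS= read -r cmd; do
        run_on_node "$node" "$cmd"
      done
    done
  done < "$tagfile"
}

# crictl images lists the k8s.io namespace: if the gcr.io names are not here,
# the spin-* pods will still try (and fail) to pull from gcr.io.
verify_node() {
  run_on_node "$1" "crictl images | grep spinnaker-marketplace"
}

# Usage: DRY_RUN=0 ./mirror-images.sh tagfile.txt
if [ -n "${1:-}" ]; then
  mirror_images "$1"
  for node in $NODES; do verify_node "$node"; done
fi
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0. Because the tag is created in k8s.io, the service-settings artifactId override is no longer needed and the BOM's original gcr.io names resolve on every node.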
[root@k8s-master-01 .boms]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw --mount type=bind,src=/root/.kube,dst=/home/spinnaker/.kube,options=rbind:ro --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
(mount option corrected to rbind:rw; the original had rbind:row)
[root@k8s-master-01 .boms]# ctr c ls
CONTAINER IMAGE RUNTIME
halyard registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 io.containerd.runc.v2
[root@k8s-master-01 .boms]# ctr t start -d halyard
[root@k8s-master-01 .boms]# ctr t ls
TASK PID STATUS
halyard 1775521 RUNNING
[root@k8s-master-01 .boms]# ctr tasks exec -t --exec-id 1729924 halyard sh
/ $ hal config version edit --version local:1.26.6
~ $ cd /home/spinnaker/.hal/
vi config
timezone: America/Los_Angeles
timezone: Asia/Shanghai
hal config storage edit --type s3 --no-validate
hal config security ui edit --override-base-url http://spinnaker.layame.com
hal config security api edit --override-base-url http://spin-gate.layame.com
What on earth is going on here ... this is driving me mad
[root@k8s-master-01 .boms]# ctr t kill --signal 9 halyard
[root@k8s-master-01 .boms]# ctr c rm halyard
[root@k8s-master-01 .boms]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw --mount type=bind,src=/root/.kube,dst=/home/spinnaker/.kube,options=rbind:ro --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
(mount option corrected to rbind:rw; the original had rbind:row)
[root@k8s-master-01 .boms]# ctr c ls
CONTAINER IMAGE RUNTIME
halyard registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 io.containerd.runc.v2
[root@k8s-master-01 .boms]# ctr t start -d halyard
[root@k8s-master-01 .boms]# ctr t ls
TASK PID STATUS
halyard 1832934 RUNNING
[root@k8s-master-01 .boms]# ctr tasks exec -t --exec-id 1832934 halyard sh
~ $ cd /home/spinnaker/.hal/
~/.hal $ cat config |grep time
timezone: Asia/Shanghai
~/.hal $ cat config |grep s3
persistentStoreType: s3
s3:
s3:
s3Enabled: true
~/.hal $ cat config |grep com
baseUrl: https://api.twilio.com/
overrideBaseUrl: http://spin-gate.layame.com
overrideBaseUrl: http://spinnaker.layame.com
~/.hal $ hal config provider kubernetes enable
~/.hal $ hal config provider kubernetes account add default \
--docker-registries my-harbor-registry \
--context $(kubectl config current-context) \
--service-account true \
--omit-namespaces=kube-system,kube-public \
--provider-version v2 \
--no-validate
As for the error at this point: it still needed write permission, so I ran chmod on the host.
hal config deploy edit \
--account-name default \
--type distributed \
--location spinnaker
hal config features edit --pipeline-templates true
hal config features edit --artifacts true
hal config features edit --managed-pipeline-templates-v2-ui true
Damn, going crazy again!... Let's put a separator here. I'm going to get all of these files fixed up first.
I started to doubt myself: is it that my server doesn't have enough resources? This is a Kubernetes master node with only 4 cores and 8 GB, so let me find a server with more resources and test there.
First, copy the config from under .kube.
[root@k8s-node-01 home]# mkdir -p /home/spinnaker/.hal
[root@k8s-node-01 home]# mkdir -p /opt/halyard/config
[root@k8s-node-01 home]# mkdir -p /home/spinnaker/.kube
[root@k8s-node-01 home]# crictl pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
Image is up to date for sha256:8673f1670b8768138cd8349b7d9843eb4fd451658227d2e9f02d5fbe454c500d
[root@k8s-node-01 home]# cd /home/spinnaker/.kube
[root@k8s-node-01 .kube]# rz
[root@k8s-node-01 .kube]# ls
config
[root@k8s-node-01 .kube]# ctr image pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
[root@k8s-node-01 .kube]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard --mount type=bind,src=/home/spinnaker/.hal,dst=/home/spinnaker/.hal,options=rbind:rw --mount type=bind,src=/home/spinnaker/.kube,dst=/home/spinnaker/.kube,options=rbind:ro --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-node-01 .boms]# pwd
/home/spinnaker/.hal/.boms
[root@k8s-node-01 .boms]# ls
bom clouddriver deck echo fiat front50 gate igor kayenta monitoring-daemon orca rosco
[root@k8s-node-01 .boms]# cd /opt/halyard/config/
[root@k8s-node-01 config]# cat halyard.yaml
[root@k8s-node-01 ~]# ctr t ls
TASK PID STATUS
[root@k8s-node-01 ~]# ctr t start -d halyard
[root@k8s-node-01 ~]# ctr t ls
TASK PID STATUS
halyard 3910255 RUNNING
[root@k8s-node-01 ~]# ctr tasks exec -t --exec-id 3910255 halyard sh
/ $ hal config version edit --version local:1.26.6
+ Get current deployment
Success
- Edit Spinnaker version
Failure
Validation in Global:
! ERROR Failure writing your halconfig to path
"/home/spinnaker/.hal/config": /home/spinnaker/.hal/config
- Failed to update version.
/ $ hal config version edit --version local:1.26.6
+ Get current deployment
Success
+ Edit Spinnaker version
Success
+ Spinnaker has been configured to update/install version
"local:1.26.6". Deploy this version of Spinnaker with `hal deploy apply`.
/ $ hal config edit --timezone Asia/Shanghai
******** Screwed up yet again; no idea why, not trying any more. I'll just edit the config file directly and start it that way!
To sum up the failures above: nothing I ran worked... In the end I decided to just bring over the config file and the other artifacts from the Docker environment and try with those!
My config file:
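The "Failure writing your halconfig to path" error above comes from the bind-mounted .hal directory not being writable by the user the halyard container runs as, and a mistyped `options=` string on a bind mount is easy to miss. As an added example (not from the original post), here is a small preflight script for launching halyard with ctr; it assumes the halyard image runs as uid 1000 and reuses the directory paths from the post:

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks before running
# halyard under containerd with ctr. Assumes the halyard image runs as uid 1000
# (verify with: ctr run --rm "$HAL_IMAGE" chk id); paths are the post's own.
HAL_IMAGE="registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0"
HAL_UID=1000   # assumed container user; check the image before relying on it

# A mistyped bind-mount option string such as "rbind:row" is not guaranteed to
# be rejected by ctr, so allow only the two forms we intend to use.
validate_mount_opts() {
  case "$1" in
    rbind:rw|rbind:ro) return 0 ;;
    *) return 1 ;;
  esac
}

# `hal config ...` fails with "Failure writing your halconfig to path" when the
# bind-mounted .hal directory is not writable by the container user. Returns 0
# if DIR exists and is owned by UID, or (last resort) is world-writable.
dir_writable_by_uid() {
  dir="$1"; uid="$2"
  [ -d "$dir" ] || return 1
  owner=$(stat -c '%u' "$dir") || return 1     # GNU/busybox stat syntax
  perms=$(stat -c '%a' "$dir") || return 1
  [ "$owner" = "$uid" ] && return 0
  case "$perms" in *[2367]) return 0 ;; esac   # "others" have the write bit
  return 1
}

# Print the `ctr c create` line: .hal read-write (halyard writes the halconfig
# and .boms there), .kube read-only, halyard config dir in CFG_MODE (default
# read-only; halyard only reads halyard.yml from it).
build_create_cmd() {
  hal_dir="$1"; kube_dir="$2"; cfg_dir="$3"; cfg_mode="${4:-rbind:ro}"
  validate_mount_opts "$cfg_mode" || { echo "bad mount options: $cfg_mode" >&2; return 1; }
  printf 'ctr c create %s halyard' "$HAL_IMAGE"
  printf ' --mount type=bind,src=%s,dst=/home/spinnaker/.hal,options=rbind:rw' "$hal_dir"
  printf ' --mount type=bind,src=%s,dst=/home/spinnaker/.kube,options=rbind:ro' "$kube_dir"
  printf ' --mount type=bind,src=%s,dst=/opt/halyard/config,options=%s\n' "$cfg_dir" "$cfg_mode"
}

# Refuse to launch until ownership is right: chown to the container uid instead
# of a blanket chmod. Usage: preflight /root/.hal && sh -c "$(build_create_cmd ...)"
preflight() {
  if ! dir_writable_by_uid "$1" "$HAL_UID"; then
    echo "$1 is not writable by uid $HAL_UID; run: chown -R $HAL_UID:$HAL_UID $1" >&2
    return 1
  fi
}
```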
currentDeployment: default
deploymentConfigurations:
- name: default
  version: local:1.26.6
  providers:
    appengine:
      enabled: false
      accounts: []
    aws:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
        defaultKeyPairTemplate: '{{name}}-keypair'
        defaultRegions:
        - name: us-west-2
        defaults:
          iamRole: BaseIAMRole
    ecs:
      enabled: false
      accounts: []
    azure:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: azure-linux.json
        baseImages: []
    dcos:
      enabled: false
      accounts: []
      clusters: []
    dockerRegistry:
      enabled: true
      accounts:
      - name: my-harbor-registry
        requiredGroupMembership: []
        providerVersion: V1
        permissions:
          READ:
          - yunweizu
          WRITE:
          - yunweizu
        address: https://harbor.layame.com
        username: zhangpeng
        password: xxxx
        email: fake.email@spinnaker.io
        cacheIntervalSeconds: 30
        clientTimeoutMillis: 60000
        cacheThreads: 1
        paginateSize: 100
        sortTagsByDate: false
        trackDigests: false
        insecureRegistry: false
        repositories: []
      primaryAccount: my-harbor-registry
    google:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: gce.json
        baseImages: []
        zone: us-central1-f
        network: default
        useInternalIp: false
    huaweicloud:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
    kubernetes:
      enabled: true
      accounts:
      - name: default
        requiredGroupMembership: []
        providerVersion: V2
        permissions:
          READ:
          - yunweizu,group02
          - devops
          WRITE:
          - yunweizu
          - devops
        dockerRegistries:
        - accountName: my-harbor-registry
          namespaces: []
        context: kubernetes-admin@kubernetes
        configureImagePullSecrets: true
        serviceAccount: true
        cacheThreads: 1
        namespaces: []
        omitNamespaces:
        - kube-system
        - kube-public
        kinds: []
        omitKinds: []
        customResources: []
        cachingPolicies: []
        oAuthScopes: []
        onlySpinnakerManaged: false
      primaryAccount: default
    tencentcloud:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
    oracle:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: oci.json
        baseImages: []
    cloudfoundry:
      enabled: false
      accounts: []
  deploymentEnvironment:
    size: SMALL
    type: Distributed
    accountName: default
    imageVariant: SLIM
    updateVersions: true
    consul:
      enabled: false
    vault:
      enabled: false
    location: spinnaker
    customSizing: {}
    sidecars: {}
    initContainers: {}
    hostAliases: {}
    affinity: {}
    tolerations: {}
    nodeSelectors: {}
    gitConfig:
      upstreamUser: spinnaker
    livenessProbeConfig:
      enabled: false
    haServices:
      clouddriver:
        enabled: false
        disableClouddriverRoDeck: false
      echo:
        enabled: false
  persistentStorage:
    persistentStoreType: s3
    azs: {}
    gcs:
      rootFolder: front50
    redis: {}
    s3:
      rootFolder: front50
    oracle: {}
  features:
    auth: false
    fiat: false
    chaos: false
    entityTags: false
    pipelineTemplates: true
    artifacts: true
    managedPipelineTemplatesV2UI: true
  metricStores:
    datadog:
      enabled: false
      tags: []
    prometheus:
      enabled: false
      add_source_metalabels: true
    stackdriver:
      enabled: false
    newrelic:
      enabled: false
      tags: []
    period: 30
    enabled: false
  notifications:
    slack:
      enabled: false
    twilio:
      enabled: false
      baseUrl: https://api.twilio.com/
    github-status:
      enabled: false
  timezone: Asia/Shanghai
  ci:
    jenkins:
      enabled: true
      masters:
      - name: my-jenkins-master-01
        permissions: {}
        address: https://jenkins.xxxx.com
        username: zhangpeng
        password: xxxxx
        csrf: true
    travis:
      enabled: false
      masters: []
    wercker:
      enabled: false
      masters: []
    concourse:
      enabled: false
      masters: []
    gcb:
      enabled: false
      accounts: []
    codebuild:
      enabled: false
      accounts: []
  repository:
    artifactory:
      enabled: false
      searches: []
  security:
    apiSecurity:
      ssl:
        enabled: false
      overrideBaseUrl: https://spin-gate.xxxx.com
    uiSecurity:
      ssl:
        enabled: false
      overrideBaseUrl: https://spinnaker.xxxx.com
    authn:
      oauth2:
        enabled: false
        client: {}
        resource: {}
        userInfoMapping: {}
      saml:
        enabled: false
        userAttributeMapping: {}
      ldap:
        enabled: true
        url: ldap://172.19.252.28:389
        userSearchBase: ou=devops,dc=xxxx,dc=com
        userSearchFilter: cn={0}
        managerDn: cn=admin,dc=xxxx,dc=com
        managerPassword: xxxx
      x509:
        enabled: false
      iap:
        enabled: false
      enabled: true
    authz:
      groupMembership:
        service: LDAP
        google:
          roleProviderType: GOOGLE
        github:
          roleProviderType: GITHUB
        file:
          roleProviderType: FILE
          path: /home/spinnaker/.hal/userrole.yml
        ldap:
          roleProviderType: LDAP
          url: ldap://172.19.252.28:389/dc=xxxx,dc=com
          managerDn: cn=admin,dc=xxxx,dc=com
          managerPassword: xxxx
          userDnPattern: cn={0}
          groupSearchBase: ou=devops
          userSearchFilter: cn={0}
          groupSearchFilter: uniqueMember={0}
          groupRoleAttributes: cn
      enabled: true
  artifacts:
    bitbucket:
      enabled: false
      accounts: []
    gcs:
      enabled: false
      accounts: []
    oracle:
      enabled: false
      accounts: []
    github:
      enabled: true
      accounts:
      - name: my-github-account
        username: zeyangli
        token: xxxx
    gitlab:
      enabled: true
      accounts:
      - name: my-gitlab-account
        token: xxxx
    gitrepo:
      enabled: false
      accounts: []
    http:
      enabled: false
      accounts: []
    helm:
      enabled: false
      accounts: []
    s3:
      enabled: false
      accounts: []
    maven:
      enabled: false
      accounts: []
    templates: []
  pubsub:
    enabled: false
    google:
      enabled: false
      pubsubType: GOOGLE
      subscriptions: []
      publishers: []
  canary:
    enabled: false
    serviceIntegrations:
    - name: google
      enabled: false
      accounts: []
      gcsEnabled: false
      stackdriverEnabled: false
    - name: prometheus
      enabled: false
      accounts: []
    - name: datadog
      enabled: false
      accounts: []
    - name: signalfx
      enabled: false
      accounts: []
    - name: aws
      enabled: false
      accounts: []
      s3Enabled: false
    - name: newrelic
      enabled: false
      accounts: []
    reduxLoggerEnabled: true
    defaultJudge: NetflixACAJudge-v1.0
    stagesEnabled: true
    templatesEnabled: true
    showAllConfigsEnabled: true
  spinnaker:
    extensibility:
      plugins: {}
      repositories: {}
  webhook:
    trust:
      enabled: false
  stats:
    enabled: true
    endpoint: https://stats.spinnaker.io
    instanceId: 01FKDR1B3P8PF35RRC93XTE9AS
    deploymentMethod: {}
    connectionTimeoutMillis: 3000
    readTimeoutMillis: 5000
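Before carrying a halconfig like the one above from one machine to another, it is worth a quick pass over the settings a reviewer would question: cleartext passwords and tokens (halyard can reference them with its `encrypted:` secret syntax instead), `ldap://` rather than `ldaps://`, plain-http base URLs, and `ssl.enabled: false`. As an added example, not the post's or Spinnaker's own tooling, here is a line-oriented audit in awk; it assumes the halconfig key names shown above, prints findings on stderr and the finding count on stdout:

```shell
#!/bin/sh
# Added example, not from the original post: audit a halconfig for settings a
# security reviewer would flag. Usage: audit_halconfig /root/.hal/config
# "encrypted" matches halyard's encrypted:/encryptedFile: secret references.
audit_halconfig() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function flag(msg) { print "line " NR ": " msg > "/dev/stderr"; n++ }
    {
      line = trim($0)
      if (line == "" || line ~ /^#/) next
      sub(/^- /, "", line)                    # list items: "- name: x"
      i = index(line, ":")
      if (i == 0) next
      key = substr(line, 1, i - 1); val = trim(substr(line, i + 1))
      if (key ~ /^(password|token|managerPassword)$/ && val != "" && val !~ /^encrypted/)
        flag("cleartext secret in \"" key "\" (use an encrypted: reference)")
      if (key == "url" && val ~ /^ldap:\/\//)
        flag("LDAP over plain ldap:// sends bind credentials in clear (use ldaps://)")
      if (key == "overrideBaseUrl" && val ~ /^http:\/\//)
        flag("base URL served over plain http: " val)
      if (key == "insecureRegistry" && val == "true")
        flag("insecureRegistry: true on a docker registry account")
      if (prev == "ssl" && key == "enabled" && val == "false")
        flag("TLS disabled under " ctx " (ssl.enabled: false)")
      if (key ~ /Security$/) ctx = key        # remember apiSecurity/uiSecurity
      prev = key
    }
    END { print n + 0 }                       # finding count to stdout
  ' "$1"
}
```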
Bring it straight over and give it a try.
Upload the file and extract it into the home directory on the k8s-master-01 node.
Continue:
[root@k8s-master-01 .kube]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw --mount type=bind,src=/home/spinnaker/.kube,dst=/home/spinnaker/.kube,options=rbind:ro --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-master-01 .kube]# ctr t start -d halyard
[root@k8s-master-01 .kube]# ctr t ls
TASK PID STATUS
halyard 3073271 RUNNING
[root@k8s-master-01 .kube]# ctr tasks exec -t --exec-id 3073271 halyard sh
bash-5.0$ hal deploy apply --no-validate
从新来一遍
[root@k8s-master-01 .kube]# ctr t kill --signal 9 halyard
[root@k8s-master-01 .kube]# ctr c rm halyard
[root@k8s-master-01 .hal]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw --mount type=bind,src=/home/spinnaker/.kube,dst=/home/spinnaker/.kube,options=rbind:ro --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-master-01 .hal]# ctr t start -d halyard
[root@k8s-master-01 .hal]# ctr t ls
TASK PID STATUS
halyard 3085723 RUNNING
[root@k8s-master-01 .hal]# ctr tasks exec -t --exec-id 3085723 halyard bash
bash-5.0$
Forget it, I give up on the containerd installation approach...
Summary of the failures and lessons learned:
- Under either the containerd or Docker runtime, you can pin image tags by writing local files under /home/spinnaker/.hal/default/service-settings. That is manageable under Docker, but under containerd I do not have a good handle on retagging images with crictl.
- containerd's commands are still different from Docker's. Starting halyard this way is awkward; the best approach is still to run halyard on a machine that has Docker installed.
- Whitespace formatting problems when copying halyard commands into scripts.
- During deployment I wrote the wrong database address... I used the read address of TDSQL-C....