Background:

Somewhere around 2017-2018, I don't remember what I was reading, I came across Spinnaker, but afterwards I could not get it installed at all: everything was blocked by the firewall. At the end of 2020 I took Zeyang's hands-on Spinnaker course, built a Spinnaker cluster with Halyard and integrated it with Jenkins, GitLab, Harbor and k8s. In early 2021 I played with it a little, then moved on to other things and never got it into production. Now, in the second half of the year, the Jenkins and k8s workflows are finally clear. I want to split CD out of Jenkins and hand it to Spinnaker, so let's review Spinnaker again!

About Spinnaker

Spinnaker is a continuous deployment tool open-sourced by Netflix. It is written in Java and follows a microservice design; its goal is to give teams flexible continuous-deployment pipelines and improve software deployment efficiency.

Spinnaker's advantages

  • Supports multi-cloud deployment
  • Automated releases
  • Built-in deployment best practices

Spinnaker architecture

Notes on the Spinnaker architecture

  • deck: the browser-based UI
  • gate: the microservice API gateway; the Spinnaker UI and every API caller talk to Spinnaker through Gate
  • orca: the pipeline stage orchestration engine. It handles all long-running operations and pipelines. See the Orca service overview for more information
  • clouddriver: responsible for all mutating calls to the cloud providers and for indexing/caching all deployed resources.
  • front50: persists the metadata of applications, pipelines, projects and notifications
  • rosco: produces immutable VM images (or image templates) for the various cloud providers

    It is used to produce machine images (e.g. GCE images, AWS AMIs, Azure VM images). It currently wraps packer, but will be extended to support other mechanisms for producing images.

  • igor: triggers pipelines from continuous-integration jobs in systems such as Jenkins and Travis CI, and allows Jenkins/Travis stages to be used inside pipelines
  • echo: the event bus. It sends notifications (e.g. Slack, email, SMS) and acts on incoming webhooks from services such as GitHub.
  • fiat: the authentication/authorization service; it is used to query a user's access to accounts, applications and service accounts
  • kayenta: automated canary analysis
  • Keel: powers managed delivery

    Note: I have not used this one yet

  • halyard: the configuration service; it manages the lifecycle of each of the services above and only interacts with them during Spinnaker startup, updates and rollbacks.

    Service dependency and call relationships:


    Important: the official documentation covers all of this in far more detail than any other source: https://spinnaker.io/docs/reference/architecture/microservices-overview/

Building the Spinnaker service on Kubernetes

Note: Spinnaker can be installed with Helm or with a local Halyard deployment; the Halyard approach is used here. The basic procedure follows Zeyang's Spinnaker course!
My cluster is Kubernetes 1.20.6 with containerd as the runtime, not Docker. I tried the containerd route many times and failed in various ways, so I first do the installation the Docker way. The containerd approach is analyzed later!

Base environment

Servers in the same Tencent Cloud VPC, reachable over the internal network; the IPs are internal addresses

Hostname | IP | OS | Kernel | k8s version | Runtime
k8s-master-01 | 10.0.0.41 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-master-02 | 10.0.0.34 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-master-03 | 10.0.0.26 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-01 | 10.0.4.49 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-02 | 10.0.4.48 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-03 | 10.0.4.23 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-04 | 10.0.4.47 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-05 | 10.0.4.32 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | containerd
k8s-node-06 | 10.0.4.18 | CentOS Linux 8 | 5.4.134-1.el8.elrepo.x86_64 | v1.21.3 | docker
k8s-01 | 10.0.2.17 | CentOS Linux 8 | 4.18.0-305.12.1.el8_4.x86_64 | not in the cluster (it is itself a test k8s cluster, so ignore the other pods on it) | docker (a server outside the cluster running Docker)

Note: my attempt to run Halyard under containerd did not succeed; in the end Halyard runs under Docker

Deploying Spinnaker with Halyard running on the Docker runtime

Note: all Halyard operations are performed on the k8s-01 node. Also, k8s-01 was originally named k8s-02; the hostname was changed with hostnamectl set-hostname. Some screenshots and commands still show k8s-02, but it is the same server: the xshell window for 10.0.2.17 had been opened earlier......

Pull the image, mount the local configuration directories, and start the container

[root@k8s-01 ~]# docker pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
#### create the .hal directory; it will persist the files Spinnaker generates
[root@k8s-01 ~]# mkdir -p /home/spinnaker/.hal
### create the .kube directory and upload the cluster's config file into it
[root@k8s-01 ~]# mkdir -p /home/spinnaker/.kube
[root@k8s-01 ~]# ls /home/spinnaker/.kube
config
#### start the halyard container
[root@k8s-01 ~]# docker run -itd --name halyard \
  -v /home/spinnaker/.hal:/home/spinnaker/.hal \
  -v /home/spinnaker/.kube:/home/spinnaker/.kube \
  registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0

Enter the container as a privileged user and disable gcs

## enter the container as root and edit the config file
[root@k8s-01 .kube]# docker exec -it -u root halyard bash
bash-5.0#
## set spinnaker.config.input.gcs.enabled = false
vi /opt/halyard/config/halyard.yml
spinnaker:
  artifacts:
    debian: https://dl.bintray.com/spinnaker-releases/debians
    docker: gcr.io/spinnaker-marketplace
  config:
    input:
      gcs:
        enabled: false
      writerEnabled: false
      bucket: halconfig

Restart the halyard container

## the container needs a restart (if this command does not restart it, exit the container and run docker restart halyard)
bash-5.0# hal shutdown
Halyard Daemon Response: Shutting down, bye...
## restart the container
[root@k8s-01 .kube]# docker start halyard
halyard

Upload the BOM files to the server

Following https://github.com/zeyangli/spinnaker-cd-install; the artifacts used here are the 1.26.6 build from https://github.com/zeyangli/spinnaker-cd-install/actions/runs/1368350526:

### upload the artifact bundle to the server running halyard with rz, then unzip it
[root@k8s-01 work]# ls
1.26.6-Install-Scripts.zip
[root@k8s-01 work]# unzip 1.26.6-Install-Scripts.zip


There is a .boms directory in there; copy it into /home/spinnaker/.hal/!

[root@k8s-01 1.26.6]# ls .boms/
bom  clouddriver  deck  echo  fiat  front50  gate  igor  kayenta  monitoring-daemon  orca  rosco
[root@k8s-01 1.26.6]# cp -Ra .boms/ /home/spinnaker/.hal/
[root@k8s-01 1.26.6]# ls /home/spinnaker/.hal/.boms/
bom  clouddriver  deck  echo  fiat  front50  gate  igor  kayenta  monitoring-daemon  orca  rosco

About downloading the images

Zeyang's artifact bundle includes a script for downloading the images:

#!/bin/bash
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
T_REGISTRY="docker.io/spinnakercd"
NODES="node01.zy.com node02.zy.com"

## download the images
function GetImages(){
    echo -e "\033[43;34m =====GetImg===== \033[0m"
    IMAGES=$( cat tagfile.txt)
    for image in ${IMAGES}
    do
        for node in ${NODES}
        do
            echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
            ssh ${node} "docker pull ${T_REGISTRY}/${image}"
            echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
            ssh ${node} "docker tag ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
        done
    done
    for node in ${NODES}
    do
        echo -e "\033[43;34m =====${node}===image info===== \033[0m"
        ssh ${node} "docker images | grep 'spinnaker-marketplace' "
    done
}
GetImages

But my cluster's runtime is containerd. The difference between the ctr and crictl commands is worth reviewing again. And crictl cannot retag images, can it?

#!/bin/bash
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
T_REGISTRY="docker.io/spinnakercd"
NODES="10.0.4.18 10.0.4.49 10.0.4.48 10.0.4.23 10.0.4.47 10.0.4.32"

## download the images
function GetImages(){
    echo -e "\033[43;34m =====GetImg===== \033[0m"
    IMAGES=$( cat tagfile.txt)
    for image in ${IMAGES}
    do
        for node in ${NODES}
        do
            echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
            ssh -p 36000 ${node} "crictl pull ${T_REGISTRY}/${image}"
            echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
            ssh -p 36000 ${node} "crictl images ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
        done
    done
    for node in ${NODES}
    do
        echo -e "\033[43;34m =====${node}===image info===== \033[0m"
        ssh -p 36000 ${node} "crictl images ls| grep 'spinnaker-marketplace' "
    done
}
GetImages

So that approach was a dead end. Then I happened upon a CSDN article, "Installation: installing Spinnaker with halyard", which creates one config file per service under the default/service-settings/ directory inside .hal and sets artifactId in each!
As for why service-settings sits under default, I did not dig into it; Zeyang's course uses the same directory when switching Redis to an external Redis.

[root@k8s-2 .hal]# mkdir -p /home/spinnaker/.hal/default/service-settings
[root@k8s-2 .hal]# cd /home/spinnaker/.hal/default/service-settings
[root@k8s-2 service-settings]# pwd
/home/spinnaker/.hal/default/service-settings
[root@k8s-2 service-settings]# ls
clouddriver.yml  deck.yml  echo.yml  fiat.yml  front50.yml  gate.yml  igor.yml  kayenta.yml  orca.yml  rosco.yml
[root@k8s-2 service-settings]# cat *
artifactId: docker.io/spinnakercd/clouddriver:8.0.4-20210625060028
artifactId: docker.io/spinnakercd/deck:3.7.2-20210614020020
artifactId: docker.io/spinnakercd/echo:2.17.1-20210429125836
artifactId: docker.io/spinnakercd/fiat:1.16.0-20210422230020
artifactId: docker.io/spinnakercd/front50:0.27.1-20210625161956
artifactId: docker.io/spinnakercd/gate:1.22.1-20210603020019
artifactId: docker.io/spinnakercd/igor:1.16.0-20210422230020
artifactId: docker.io/spinnakercd/kayenta:0.21.0-20210322140019
artifactId: docker.io/spinnakercd/orca:2.20.3-20210630022216
artifactId: docker.io/spinnakercd/rosco:0.25.0-20210422230020



So I skip retagging and use the images from Zeyang's Docker Hub registry directly, which saves the download-and-retag step

Halyard configuration management

Note: all Halyard configuration is done on the k8s-01 node, inside the halyard container by default

Set the Spinnaker version; --version specifies it

[root@k8s-01 .kube]# docker exec -it -u root halyard bash
bash-5.0$ hal config version edit --version local:1.26.6
+ Get current deployment
  Success
- Edit Spinnaker version
  Failure
Validation in Global:
! ERROR Failure writing your halconfig to path
  "/home/spinnaker/.hal/config": /home/spinnaker/.hal/config

- Failed to update version.


To stress the point: the .hal directory must be readable and writable

[root@k8s-01 1.26.6]# chmod 777 -R /home/spinnaker/.hal/
[root@k8s-01 1.26.6]#

Continue: set the Spinnaker version again and generate the config file

bash-5.0$ hal config version edit --version local:1.26.6
+ Get current deployment
  Success
+ Edit Spinnaker version
  Success
+ Spinnaker has been configured to update/install version
  "local:1.26.6". Deploy this version of Spinnaker with `hal deploy apply`.
bash-5.0$ ls
config   default
bash-5.0$ cat config
currentDeployment: default
deploymentConfigurations:
- name: default
  version: local:1.26.6
  providers:
    appengine:
      enabled: false
      accounts: []
    aws:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
      defaultKeyPairTemplate: '{{name}}-keypair'
      defaultRegions:
      - name: us-west-2
      defaults:
        iamRole: BaseIAMRole
    ecs:
      enabled: false
      accounts: []
    azure:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: azure-linux.json
        baseImages: []
    dcos:
      enabled: false
      accounts: []
      clusters: []
    dockerRegistry:
      enabled: false
      accounts: []
    google:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: gce.json
        baseImages: []
        zone: us-central1-f
        network: default
        useInternalIp: false
    huaweicloud:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
    kubernetes:
      enabled: false
      accounts: []
    tencentcloud:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
    oracle:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: oci.json
        baseImages: []
    cloudfoundry:
      enabled: false
      accounts: []
  deploymentEnvironment:
    size: SMALL
    type: LocalDebian
    imageVariant: SLIM
    updateVersions: true
    consul:
      enabled: false
    vault:
      enabled: false
    customSizing: {}
    sidecars: {}
    initContainers: {}
    hostAliases: {}
    affinity: {}
    tolerations: {}
    nodeSelectors: {}
    gitConfig:
      upstreamUser: spinnaker
    livenessProbeConfig:
      enabled: false
    haServices:
      clouddriver:
        enabled: false
        disableClouddriverRoDeck: false
      echo:
        enabled: false
  persistentStorage:
    azs: {}
    gcs:
      rootFolder: front50
    redis: {}
    s3:
      rootFolder: front50
    oracle: {}
  features:
    auth: false
    fiat: false
    chaos: false
    entityTags: false
  metricStores:
    datadog:
      enabled: false
      tags: []
    prometheus:
      enabled: false
      add_source_metalabels: true
    stackdriver:
      enabled: false
    newrelic:
      enabled: false
      tags: []
    period: 30
    enabled: false
  notifications:
    slack:
      enabled: false
    twilio:
      enabled: false
      baseUrl: https://api.twilio.com/
    github-status:
      enabled: false
  timezone: America/Los_Angeles
  ci:
    jenkins:
      enabled: false
      masters: []
    travis:
      enabled: false
      masters: []
    wercker:
      enabled: false
      masters: []
    concourse:
      enabled: false
      masters: []
    gcb:
      enabled: false
      accounts: []
    codebuild:
      enabled: false
      accounts: []
  repository:
    artifactory:
      enabled: false
      searches: []
  security:
    apiSecurity:
      ssl:
        enabled: false
    uiSecurity:
      ssl:
        enabled: false
    authn:
      oauth2:
        enabled: false
        client: {}
        resource: {}
        userInfoMapping: {}
      saml:
        enabled: false
        userAttributeMapping: {}
      ldap:
        enabled: false
      x509:
        enabled: false
      iap:
        enabled: false
      enabled: false
    authz:
      groupMembership:
        service: EXTERNAL
        google:
          roleProviderType: GOOGLE
        github:
          roleProviderType: GITHUB
        file:
          roleProviderType: FILE
        ldap:
          roleProviderType: LDAP
      enabled: false
  artifacts:
    bitbucket:
      enabled: false
      accounts: []
    gcs:
      enabled: false
      accounts: []
    oracle:
      enabled: false
      accounts: []
    github:
      enabled: false
      accounts: []
    gitlab:
      enabled: false
      accounts: []
    gitrepo:
      enabled: false
      accounts: []
    http:
      enabled: false
      accounts: []
    helm:
      enabled: false
      accounts: []
    s3:
      enabled: false
      accounts: []
    maven:
      enabled: false
      accounts: []
    templates: []
  pubsub:
    enabled: false
    google:
      enabled: false
      pubsubType: GOOGLE
      subscriptions: []
      publishers: []
  canary:
    enabled: false
    serviceIntegrations:
    - name: google
      enabled: false
      accounts: []
      gcsEnabled: false
      stackdriverEnabled: false
    - name: prometheus
      enabled: false
      accounts: []
    - name: datadog
      enabled: false
      accounts: []
    - name: signalfx
      enabled: false
      accounts: []
    - name: aws
      enabled: false
      accounts: []
      s3Enabled: false
    - name: newrelic
      enabled: false
      accounts: []
    reduxLoggerEnabled: true
    defaultJudge: NetflixACAJudge-v1.0
    stagesEnabled: true
    templatesEnabled: true
    showAllConfigsEnabled: true
  spinnaker:
    extensibility:
      plugins: {}
      repositories: {}
  webhook:
    trust:
      enabled: false
  stats:
    enabled: true
    endpoint: https://stats.spinnaker.io
    instanceId: 01FKDR1B3P8PF35RRC93XTE9AS
    deploymentMethod: {}
    connectionTimeoutMillis: 3000
    readTimeoutMillis: 5000
bash-5.0$

Set the timezone

# set the timezone
hal config edit --timezone Asia/Shanghai

S3 --no-validate

# set the storage type to s3 (not used later, but it must be configured; a bug)
hal config storage edit --type s3 --no-validate

Access: set the domain names for deck and gate

# access: set the deck and gate domain names
hal config security ui edit --override-base-url http://spinnaker.xxxx.com
hal config security api edit --override-base-url http://spin-gate.xxxx.com


Let's compare how the config file changes after running the commands above:


I make these comparisons so that I can edit the config file by hand later. Experienced users can skip the screenshot steps.
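The same before/after comparison done without screenshots: an added helper (not from the post or from Halyard) that snapshots the halconfig, runs one hal command, and prints only the lines that changed. It assumes the halconfig lives at ~/.hal/config unless HAL_CONFIG is set.

```shell
#!/bin/bash
# Added example, not part of the original post: show what one hal command
# changes in the halconfig, the way the post compares the file step by step.
# Assumption: HAL_CONFIG points at the halconfig (default: ~/.hal/config).
set -u
HAL_CONFIG="${HAL_CONFIG:-$HOME/.hal/config}"

# hal_diff <command...>: copy the config aside, run the command (its own
# output is sent to stderr so stdout holds only the diff), then print the
# changed lines of the config with their '+'/'-' prefix. Returns the
# command's exit status. Example: hal_diff hal config edit --timezone Asia/Shanghai
hal_diff() {
    local before rc=0
    before=$(mktemp) || return 1
    cp "$HAL_CONFIG" "$before"
    "$@" >&2 || rc=$?
    # keep only added/removed lines; drop the '---'/'+++' file headers
    diff -u "$before" "$HAL_CONFIG" | grep -E '^[+-][^+-]' || true
    rm -f "$before"
    return $rc
}

# Run directly as: ./hal_diff.sh hal config edit --timezone Asia/Shanghai
if [ $# -gt 0 ]; then
    hal_diff "$@"
fi
```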

Add the image registry (Harbor) and the k8s cluster account

Enable the docker registry provider and add an account

bash-5.0$ hal config provider docker-registry enable --no-validate
+ Get current deployment
  Success
+ Edit the dockerRegistry provider
  Success
+ Successfully enabled dockerRegistry
bash-5.0$ hal config provider docker-registry account add my-harbor-registry \
>     --address https://harbor.xxxx.com \
>     --username xxxx \
>     --password xxxx
+ Get current deployment
  Success
+ Add the my-harbor-registry account
  Success
Validation in default.provider.dockerRegistry.my-harbor-registry:
- WARNING Your docker registry has no repositories specified, and
  the registry's catalog is empty. Spinnaker will not be able to deploy any images
  until some are pushed to this registry.
? Manually specify some repositories for this docker registry to
  index.

+ Successfully added account my-harbor-registry for provider
  dockerRegistry.

Enable the kubernetes provider and add an account

bash-5.0$ hal config provider kubernetes enable
+ Get current deployment
  Success
+ Edit the kubernetes provider
  Success
Validation in default.provider.kubernetes:
- WARNING Provider kubernetes is enabled, but no accounts have been
  configured.

+ Successfully enabled kubernetes
bash-5.0$ hal config provider kubernetes account add default \
>     --docker-registries my-harbor-registry \
>     --context $(kubectl config current-context) \
>     --service-account true \
>     --omit-namespaces=kube-system,kube-public \
>     --provider-version v2 \
>     --no-validate
+ Get current deployment
  Success
+ Add the default account
  Success
+ Successfully added account default for provider kubernetes.


Another look at the config file:

Specify the account and namespace used for deployment; the deployment type is distributed

bash-5.0$ hal config deploy edit \
>     --account-name default \
>     --type distributed \
>     --location spinnaker


A glance at the config file shows this corresponds to the settings under deploymentEnvironment:

Enable some of the main features (more can be added later)

bash-5.0$ hal config features edit --pipeline-templates true
bash-5.0$ hal config features edit --artifacts true
bash-5.0$ hal config features edit --managed-pipeline-templates-v2-ui true

In the config file these correspond to the switches under features:

Configure the Jenkins CI integration

# configure Jenkins
hal config ci jenkins enable
### the Jenkins server needs a username and password
hal config ci jenkins master add my-jenkins-master-01 \
    --address https://jenkins.xxxx.com \
    --username zhangpeng \
    --password xxxx
### enable csrf
hal config ci jenkins master edit my-jenkins-master-01 --csrf true


cat config shows the corresponding section; of course Travis, Wercker, Concourse, GCB and other CI tools can be enabled the same way

Configure the GitHub/GitLab integration

The GitHub part is Zeyang's. I only integrated GitLab here; the GitHub commands are for reference and are run too, so that the section appears in the config file for comparison. Generating the tokens needs no further explanation!

# GitHub
## reference: https://spinnaker.io/setup/artifacts/github/
## create a token at https://github.com/settings/tokens
hal config artifact github enable
hal config artifact github account add my-github-account \
    --token xxxxxxxxxxxxxxxxxxxxxxx \
    --username zeyangli
# GitLab
## https://spinnaker.io/setup/artifacts/gitlab/
## create a personal token (admin)
hal config artifact gitlab enable
hal config artifact gitlab account add my-gitlab-account \
    --token xxxxxxxxxxxxxx


The related settings are found under artifacts

Use an external Redis cluster

For Redis I use Tencent Cloud's managed Redis. Normally it should have a password set, but I did not read the official docs carefully and simply used it without authentication!

## service-settings
bash-5.0$ pwd
/home/spinnaker/.hal/default/service-settings
vi .hal/default/service-settings/redis.yml
overrideBaseUrl: redis://10.0.0.31:6379
skipLifeCycleManagement: true
## profiles
## /home/spinnaker/.hal/default/profiles
bash-5.0$ pwd
/home/spinnaker/.hal/default
bash-5.0$ mkdir /home/spinnaker/.hal/default/profiles
bash-5.0$ cd profiles/
bash-5.0$ vi gate-local.yml
redis:
  configuration:
    secure: true


Use a SQL database

For MySQL I simply enabled Tencent Cloud TDSQL-C

Clouddriver service

Create the database:

CREATE DATABASE `clouddriver` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, EXECUTE, SHOW VIEW
ON `clouddriver`.*
TO 'clouddriver_service'@'%' IDENTIFIED BY 'clouddriver@spinnaker.com';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, LOCK TABLES, EXECUTE, SHOW VIEW
ON `clouddriver`.*
TO 'clouddriver_migrate'@'%' IDENTIFIED BY 'clouddriver@spinnaker.com';

Edit the config file:

bash-5.0$ pwd
/home/spinnaker/.hal/default/profiles
bash-5.0$ vi clouddriver-local.yml
sql:
  enabled: true
  # read-only boolean toggles `SELECT` or `DELETE` health checks for all pools.
  # Especially relevant for clouddriver-ro and clouddriver-ro-deck which can
  # target a SQL read replica in their default pools.
  read-only: false
  taskRepository:
    enabled: true
  cache:
    enabled: true
    # These parameters were determined to be optimal via benchmark comparisons
    # in the Netflix production environment with Aurora. Setting these too low
    # or high may negatively impact performance. These values may be sub-optimal
    # in some environments.
    readBatchSize: 500
    writeBatchSize: 300
  scheduler:
    enabled: true
  # Enable clouddriver-caching's clean up agent to periodically purge old
  # clusters and accounts. Set to true when using the Kubernetes provider.
  unknown-agent-cleanup-agent:
    enabled: false
  connectionPools:
    default:
      # additional connection pool parameters are available here,
      # for more detail and to view defaults, see:
      # https://github.com/spinnaker/kork/blob/master/kork-sql/src/main/kotlin/com/netflix/spinnaker/kork/sql/config/ConnectionPoolProperties.kt
      default: true
      jdbcUrl: jdbc:mysql://10.0.4.22:3306/clouddriver
      user: clouddriver_service
      password: clouddriver@spinnaker.com
    # The following tasks connection pool is optional. At Netflix, clouddriver
    # instances pointed to Aurora read replicas have a tasks pool pointed at the
    # master. Instances where the default pool is pointed to the master omit a
    # separate tasks pool.
    tasks:
      user: clouddriver_service
      jdbcUrl: jdbc:mysql://10.0.4.22:3306/clouddriver
      password: clouddriver@spinnaker.com
  migration:
    user: clouddriver_migrate
    jdbcUrl: jdbc:mysql://10.0.4.22:3306/clouddriver
    password: clouddriver@spinnaker.com
redis:
  enabled: false
  cache:
    enabled: false
  scheduler:
    enabled: false
  taskRepository:
    enabled: false

Front50 service

Create the database

CREATE DATABASE `front50` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, EXECUTE, SHOW VIEW ON `front50`.*
  TO 'front50_service'@'%' IDENTIFIED BY "front50@spinnaker.com";
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, LOCK TABLES, EXECUTE, SHOW VIEW ON `front50`.*
  TO 'front50_migrate'@'%' IDENTIFIED BY "front50@spinnaker.com";

Edit the config file

bash-5.0$ pwd
/home/spinnaker/.hal/default/profiles
bash-5.0$ vi front50-local.yml
spinnaker:
  s3:
    enabled: false
sql:
  enabled: true
  connectionPools:
    default:
      # additional connection pool parameters are available here,
      # for more detail and to view defaults, see:
      # https://github.com/spinnaker/kork/blob/master/kork-sql/src/main/kotlin/com/netflix/spinnaker/kork/sql/config/ConnectionPoolProperties.kt
      default: true
      jdbcUrl: jdbc:mysql://10.0.4.22:3306/front50
      user: front50_service
      password: front50@spinnaker.com
  migration:
    user: front50_migrate
    jdbcUrl: jdbc:mysql://10.0.4.22:3306/front50
    password: front50@spinnaker.com

Orca service

Create the database

set tx_isolation = 'REPEATABLE-READ';
CREATE SCHEMA `orca` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, EXECUTE, SHOW VIEW
ON `orca`.* TO 'orca_service'@'%' IDENTIFIED BY "orca@spinnaker.com";
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, LOCK TABLES, EXECUTE, SHOW VIEW
ON `orca`.* TO 'orca_migrate'@'%' IDENTIFIED BY "orca@spinnaker.com";

Edit the config file

bash-5.0$ pwd
/home/spinnaker/.hal/default/profiles
bash-5.0$ vi orca-local.yml
tasks:
  useManagedServiceAccounts: true
sql:
  enabled: true
  connectionPool:
    jdbcUrl: jdbc:mysql://10.0.4.22:3306/orca
    user: orca_service
    password: orca@spinnaker.com
    connectionTimeout: 5000
    maxLifetime: 30000
    # MariaDB-specific:
    maxPoolSize: 50
  migration:
    jdbcUrl: jdbc:mysql://10.0.4.22:3306/orca
    user: orca_migrate
    password: orca@spinnaker.com

# Ensure we're only using SQL for accessing execution state
executionRepository:
  sql:
    enabled: true
  redis:
    enabled: false

# Reporting on active execution metrics will be handled by SQL
monitor:
  activeExecutions:
    redis: false

# Use SQL for Orca's work queue
# Settings from Netflix and may require adjustment for your environment
# Only validated with AWS Aurora MySQL 5.7
# Please PR if you have success with other databases
keiko:
  queue:
    sql:
      enabled: true
    redis:
      enabled: false

queue:
  zombieCheck:
    enabled: true
  pendingExecutionService:
    sql:
      enabled: true
    redis:
      enabled: false

Deploy the services

bash-5.0$ hal deploy apply --no-validate


Create an Ingress and test web access

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spinnaker-service
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: spinnaker.xxxx.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: spin-deck
            port:
              number: 9000
  - host: spin-gate.xxxx.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: spin-gate
            port:
              number: 8084


Open https://spinnaker.layame.com/ in a web browser:

Note: why https? Because my proxy is Traefik and the SLB in front of it redirects to https. Adjust this to your own environment!

LDAP integration:

Why integrate LDAP? For account security, of course. There are other options as well: Google Groups, GitHub Teams, SAML Roles, or LDAP groups. See https://spinnaker.io/docs/setup/other_config/security/.
For installing LDAP, see "Building OpenLDAP on Kubernetes".
First log into the web admin page with the admin user:

Create the OU devops



Create the inetOrgPerson zhangpeng



Password: set the password of user zhangpeng

Commit to confirm

The final result:

Run this inside the halyard container. Pasting the command may fail with: Was passed main parameter '    --user-search-base' but no main parameter was defined in your arg class. Paste it into an editor and clean up the whitespace first

hal config security authn ldap edit \
    --user-search-base 'ou=devops,dc=zy,dc=com' \
    --url 'ldap://192.168.1.200:389' \
    --user-search-filter 'cn={0}' \
    --manager-dn 'cn=admin,dc=zy,dc=com' \
    --manager-password '12345678'
hal config security authn ldap enable

bash-5.0$ cd /home/spinnaker/.hal/
bash-5.0$ pwd
/home/spinnaker/.hal
bash-5.0$ cat config


Web access now looks like this; I suspect the forced redirect in my Traefik is the cause

bash-5.0$ hal deploy apply --no-validate

[root@k8s-master-01 ~]# kubectl get pods -n spinnaker


Wait for the pods to come up


The home page loads

About authorization

First, in the LDAP web admin page, create two groups of type groupOfUniqueNames, yunweizu and devops; authorization is then granted by LDAP group.

Create the groups and users in LDAP

yunweizu: user zhangpeng


Add user zhangpeng to the group:

devops group: user huozhonghao

Likewise, add huozhonghao to the devops group

Configure it in Halyard:

Enable the LDAP authorization configuration and add the related settings:

hal config security authz ldap edit \
    --url 'ldap://172.19.252.28:389/dc=xxxx,dc=com' \
    --manager-dn 'cn=admin,dc=xxxx,dc=com' \
    --manager-password 'xxxxxx' \
    --user-dn-pattern 'cn={0}' \
    --group-search-base 'ou=devops' \
    --group-search-filter 'uniqueMember={0}' \
    --group-role-attributes 'cn' \
    --user-search-filter 'cn={0}'
hal config security authz edit --type ldap
hal config security authz enable


Set which users may access the cluster account, the image registry and the applications

## users with the yunweizu and group02 roles may use the default cluster account
hal config provider kubernetes account edit default \
    --add-read-permission yunweizu,group02 \
    --add-write-permission yunweizu
## users with the yunweizu role may use the my-harbor-registry account
hal config provider docker-registry account edit my-harbor-registry \
    --read-permissions yunweizu \
    --write-permissions yunweizu
## update the deployment
hal deploy apply

Note: group02 was copied from Zeyang's course notes. Keeping it has no practical effect; it can of course be removed......

Log into the Spinnaker web UI and try it out:

Note: with user zhangpeng I created an empty application,
and with devops user huozhonghao I create another empty application as a test



For now only these permissions are visible; the warning tells you that setting read locks every other user out of this application.
The actual permissions are bound to LDAP, so it should work like this:
1. In the LDAP admin page, add user zhangpeng to the devops group

2. Log into Spinnaker as zhangpeng and create a new application: yunweizu can read, write and execute, the devops group can only read.

  3. Create a new group platform and add user huozhonghao to it

  4. Log into the Spinnaker web UI as huozhonghao


Here the platform group is visible as well. Let's try changing the permissions and removing the devops entry:


Adding permissions for the platform group also fails, because huozhonghao only has read permission, not write permission

Enable pipeline permissions

Run inside the halyard container:

bash-5.0$ pwd
/home/spinnaker/.hal/default/profiles
bash-5.0$ cat /home/spinnaker/.hal/default/profiles/orca-local.yml
tasks:
  useManagedServiceAccounts: true
bash-5.0$ cat ~/.hal/default/profiles/settings-local.js
window.spinnakerSettings.feature.managedServiceAccounts = true;
bash-5.0$ hal deploy apply --no-validate


Note: the switch in orca-local.yml was in fact already set when I configured the Orca service!

Some permission tests

Test the permissions: log in as zhangpeng and create a pipeline named zhangpeng


The default Kubernetes account is visible and the pipeline can be saved

User huozhonghao tries to edit the Manifest in zhangpeng's pipeline: no permission

Should the devops group be given read permission on the Kubernetes account? Otherwise it does not even see an account!

bash-5.0$ hal deploy apply --no-validate
[root@k8s-master-01 develop]# kubectl get pods -n spinnaker

Wait for clouddriver to be running!

[root@k8s-master-01 develop]# kubectl get svc -n spinnaker
[root@k8s-master-01 develop]# curl -X POST http://172.19.254.33:7003/roles/sync
[root@k8s-master-01 develop]# curl 172.19.254.33:7003/authorize/huozhonghao


With read permission the account is still not visible!

Add write permission for the devops group on the Kubernetes default account:

bash-5.0$ vi config
bash-5.0$ hal deploy apply --no-validate

Keep waiting for clouddriver to be running

Refreshing the web UI and logging in as huozhonghao, the Kubernetes default account is now visible, but the Manifest still cannot be written. Verified!

The installation is basically complete. The remaining steps will follow later

Some failed attempts (still not successful)

1. Pull the Halyard image and start the container: a review of the ctr commands

ctr pull

[root@k8s-master-01 ~]# ctr image pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
[root@k8s-master-01 ~]# mkdir /root/.hal


For reference, the way it was started in the Docker era:

docker run -itd --name halyard \
  -v /root/.hal:/home/spinnaker/.hal \
  -v /root/.kube:/home/spinnaker/.kube \
  registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0

ctr run

Copy the pattern and see?

ctr run -itd --name halyard \
  -v /root/.hal:/home/spinnaker/.hal \
  -v /root/.kube:/home/spinnaker/.kube \
  registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0

Along the way I tried many variations and really could not get the ctr commands straight...... I referred to "Managing containerd containers with the ctr command".
Installing Spinnaker on containerd really is a chance to review the ctr and crictl commands

ctr create

[root@k8s-master-01 1.26.6]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard \
  --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:row \
  --mount type=bind,src=/root/.kube,dst=/home/spinnaker/.kube,options=rbind:ro \
  --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-master-01 1.26.6]# ctr c ls
CONTAINER    IMAGE                                                           RUNTIME
halyard      registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0    io.containerd.runc.v2

ctr t start

[root@k8s-master-01 1.26.6]# ctr t start -d halyard
[root@k8s-master-01 1.26.6]# ctr t ls
TASK       PID        STATUS
halyard    1729924    RUNNING


Now the question: how do I get into the container?

ctr tasks exec -t --exec-id

[root@k8s-master-01 1.26.6]# ctr tasks list
TASK       PID        STATUS
halyard    1729924    RUNNING
[root@k8s-master-01 1.26.6]# ctr tasks exec -t --exec-id 1729924 halyard sh
/ $


ctr c rm / ctr c kill: I could not sort out the read/write permissions, so I had to start over by mounting local files instead

Hmm, no permission? With Docker I could enter the container as root in privileged mode; I found no equivalent ctr command. So I took the lazy route and copied halyard.yml out of the container,
then changed true to false!

Then run it with the directory mounted! Delete the container and walk through the whole ctr flow again.
To delete a container, do you stop it first? stop? Unsurprisingly I had it wrong, it is kill...... and the forced ctr t kill --signal 9 halyard matters too

[root@k8s-master-01 1.26.6]# ctr t ls
TASK       PID        STATUS
halyard    4184764    RUNNING
[root@k8s-master-01 1.26.6]# ctr t kill halyard
[root@k8s-master-01 1.26.6]# ctr t ls
TASK       PID        STATUS
halyard    4184764    STOPPED
[root@k8s-master-01 1.26.6]# ctr c rm halyard
[root@k8s-master-01 1.26.6]# ctr t ls
TASK    PID    STATUS

[root@k8s-master-01 1.26.6]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard \
  --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:row \
  --mount type=bind,src=/root/.kube,dst=/home/spinnaker/.kube,options=rbind:ro \
  --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-master-01 1.26.6]# ctr c ls
CONTAINER    IMAGE                                                           RUNTIME
halyard      registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0    io.containerd.runc.v2
[root@k8s-master-01 1.26.6]# ctr t start -d halyard
[root@k8s-master-01 1.26.6]# ctr t ls
TASK       PID        STATUS
halyard    1729924    RUNNING
[root@k8s-master-01 1.26.6]# ctr tasks exec -t --exec-id 1729924 halyard sh

Attempts at downloading the images:

Which of the two scripts below should be used to download the images, the ctr one or the crictl one? The images are ultimately consumed by Kubernetes.... so it should be crictl. Images pulled with ctr are not found by the applications in the Kubernetes cluster!

#!/bin/bash
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
T_REGISTRY="docker.io/spinnakercd"
NODES="10.0.4.18 10.0.4.49 10.0.4.48 10.0.4.23 10.0.4.47 10.0.4.32"

## download the images
function GetImages(){
    echo -e "\033[43;34m =====GetImg===== \033[0m"
    IMAGES=$( cat tagfile.txt)
    for image in ${IMAGES}
    do
        for node in ${NODES}
        do
            echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
            ssh -p 36000 ${node} "crictl pull ${T_REGISTRY}/${image}"
            echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
            ssh -p 36000 ${node} "ctr image tag ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
        done
    done
    for node in ${NODES}
    do
        echo -e "\033[43;34m =====${node}===image info===== \033[0m"
        ssh -p 36000 ${node} "ctr image ls | grep 'spinnaker-marketplace' "
    done
}
GetImages

#!/bin/bash
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
T_REGISTRY="docker.io/spinnakercd"
NODES="10.0.4.18 10.0.4.49 10.0.4.48 10.0.4.23 10.0.4.47 10.0.4.32"

## download the images
function GetImages(){
    echo -e "\033[43;34m =====GetImg===== \033[0m"
    IMAGES=$( cat tagfile.txt)
    for image in ${IMAGES}
    do
        for node in ${NODES}
        do
            echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
            ssh -p 36000 ${node} "crictl pull ${T_REGISTRY}/${image}"
            echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
            ssh -p 36000 ${node} "crictl images ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
        done
    done
    for node in ${NODES}
    do
        echo -e "\033[43;34m =====${node}===image info===== \033[0m"
        ssh -p 36000 ${node} "crictl images ls| grep 'spinnaker-marketplace' "
    done
}
GetImages

Which raises the other question: can crictl rename an image at all? It cannot (crictl has no `tag` subcommand), and so this approach failed. The retag has to be done with `ctr -n k8s.io images tag`. One caveat worth keeping in mind: retagging a mirror's image under the upstream `gcr.io/spinnaker-marketplace` name means halyard and the kubelet will run whatever the mirror serves under that tag, so compare the digest (`crictl images --digests`) with the one the mirror publishes before trusting it.
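The following is an added example, not code from the original post, that does the pull and retag the way the discussion above concludes it has to be done: pull through CRI so the image lands in the `k8s.io` namespace, retag with `ctr -n k8s.io images tag` (crictl cannot tag), and then list what the kubelet will actually see, with digests. The registries and ssh port are the post's; the tagfile format (one `name:tag` per line) and the `DRY_RUN` switch are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): mirror the Spinnaker images
# onto every node in the containerd namespace the kubelet actually reads
# (k8s.io), then retag them to the gcr.io names the halyard BOM references.
# crictl has no "tag" subcommand, so the retag is done with ctr pointed at
# the k8s.io namespace.
set -eu

S_REGISTRY="${S_REGISTRY:-gcr.io/spinnaker-marketplace}"   # name the BOM references
T_REGISTRY="${T_REGISTRY:-docker.io/spinnakercd}"          # mirror that is actually reachable
SSH_PORT="${SSH_PORT:-36000}"
DRY_RUN="${DRY_RUN:-0}"                                    # assumption: 1 prints commands instead of running them

# One remote command per image: pull through CRI (lands in k8s.io), then tag
# inside that same namespace. Plain `ctr images tag` would look in the
# "default" namespace and fail with "image not found".
retag_cmd() {
  printf 'crictl pull %s/%s && ctr -n k8s.io images tag %s/%s %s/%s' \
    "$T_REGISTRY" "$1" "$T_REGISTRY" "$1" "$S_REGISTRY" "$1"
}

# What the kubelet will see: crictl lists only k8s.io. --digests shows the
# manifest digest so it can be compared across nodes and against the digest
# the mirror publishes before the retagged image is trusted.
verify_cmd() {
  printf 'crictl images --digests %s/%s' "$S_REGISTRY" "$1"
}

# Execute a command on a node over ssh, or only print it in dry-run mode.
run_on_node() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[%s] %s\n' "$1" "$2"
  else
    ssh -p "$SSH_PORT" "$1" "$2"
  fi
}

# Image list: one "name:tag" per line; blank lines and # comments are ignored.
read_images() {
  grep -Ev '^[[:space:]]*(#|$)' "$1"
}

main() {
  tagfile="${1:-}"
  if [ -z "$tagfile" ] || [ $# -lt 2 ]; then
    echo "usage: $0 tagfile.txt node [node ...]   (DRY_RUN=1 prints only)" >&2
    return 0
  fi
  shift
  read_images "$tagfile" | while read -r image; do
    for node in "$@"; do
      run_on_node "$node" "$(retag_cmd "$image")"
    done
  done
  for node in "$@"; do
    read_images "$tagfile" | while read -r image; do
      run_on_node "$node" "$(verify_cmd "$image")"
    done
  done
}

main "$@"
```

Run it as `DRY_RUN=1 ./mirror-images.sh tagfile.txt 10.0.4.49 10.0.4.48` first to review the exact commands, then without `DRY_RUN` to execute them over ssh as the post does.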

Various failed attempts under containerd:

```bash
# .hal mount: the original typed options=rbind:row; "rw" is the valid option
[root@k8s-master-01 .boms]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard \
  --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw \
  --mount type=bind,src=/root/.kube,dst=/home/spinnaker/.kube,options=rbind:ro \
  --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-master-01 .boms]# ctr c ls
CONTAINER    IMAGE                                                           RUNTIME
halyard      registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0    io.containerd.runc.v2
[root@k8s-master-01 .boms]# ctr t start -d halyard
[root@k8s-master-01 .boms]# ctr t ls
TASK       PID        STATUS
halyard    1775521    RUNNING
# the exec id is an arbitrary unique string, so reusing the old PID as the id still works
[root@k8s-master-01 .boms]# ctr tasks exec -t --exec-id 1729924 halyard sh
/ $ hal config version edit --version local:1.26.6
~ $ cd /home/spinnaker/.hal/
~/.hal $ vi config
```

In `config`, change the timezone:

```yaml
# before
timezone: America/Los_Angeles
# after
timezone: Asia/Shanghai
```

```bash
hal config storage edit --type s3 --no-validate
```

```bash
hal config security ui edit --override-base-url http://spinnaker.layame.com
hal config security api edit --override-base-url http://spin-gate.layame.com
```

What on earth was going on here... I was losing my mind.

```bash
[root@k8s-master-01 .boms]# ctr t kill --signal 9 halyard
[root@k8s-master-01 .boms]# ctr c rm halyard
```

```bash
[root@k8s-master-01 .boms]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard \
  --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw \
  --mount type=bind,src=/root/.kube,dst=/home/spinnaker/.kube,options=rbind:ro \
  --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-master-01 .boms]# ctr c ls
CONTAINER    IMAGE                                                           RUNTIME
halyard      registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0    io.containerd.runc.v2
[root@k8s-master-01 .boms]# ctr t start -d halyard
[root@k8s-master-01 .boms]# ctr t ls
TASK       PID        STATUS
halyard    1832934    RUNNING
[root@k8s-master-01 .boms]# ctr tasks exec -t --exec-id 1832934 halyard sh
~ $ cd /home/spinnaker/.hal/
~/.hal $ cat config | grep time
  timezone: Asia/Shanghai
~/.hal $ cat config | grep s3
    persistentStoreType: s3
    s3:
    s3:
      s3Enabled: true
~/.hal $ cat config | grep com
      baseUrl: https://api.twilio.com/
      overrideBaseUrl: http://spin-gate.layame.com
      overrideBaseUrl: http://spinnaker.layame.com
~/.hal $ hal config provider kubernetes enable
~/.hal $ hal config provider kubernetes account add default \
    --docker-registries my-harbor-registry \
    --context $(kubectl config current-context) \
    --service-account true \
    --omit-namespaces=kube-system,kube-public \
    --provider-version v2 \
    --no-validate
```

The error at this point was a write failure: the halyard process inside the container runs as the unprivileged `spinnaker` user (hence the `$` prompt), while `/root/.hal` on the host belongs to root, so the bind-mounted halconfig was not writable from inside. I chmod'd the directory on the host. Changing the owner to the uid the container runs as (`id -u` inside the container shows it) is the tidier fix than opening the mode up, because the halconfig holds the Harbor, LDAP and Jenkins credentials in clear text.

```bash
hal config deploy edit \
    --account-name default \
    --type distributed \
    --location spinnaker
```

```bash
hal config features edit --pipeline-templates true
hal config features edit --artifacts true
hal config features edit --managed-pipeline-templates-v2-ui true
```


And it drove me mad again!... Treat this as a divider: from here on I decided to just edit all of these files by hand.

I also started to doubt myself: maybe the server simply did not have enough resources? This is a kubernetes master node with only 4 cores and 8 GB, so I looked for a server with more resources to test on.
First, copy the `config` from `.kube`.

```bash
[root@k8s-node-01 home]# mkdir -p /home/spinnaker/.hal
[root@k8s-node-01 home]# mkdir -p /opt/halyard/config
[root@k8s-node-01 home]# mkdir -p /home/spinnaker/.kube
[root@k8s-node-01 home]# crictl pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
Image is up to date for sha256:8673f1670b8768138cd8349b7d9843eb4fd451658227d2e9f02d5fbe454c500d
[root@k8s-node-01 home]# cd /home/spinnaker/.kube
[root@k8s-node-01 .kube]# rz        # upload the kubeconfig with lrzsz
[root@k8s-node-01 .kube]# ls
config
# crictl put the image into the k8s.io namespace; `ctr c create` looks in "default", so pull it again with ctr
[root@k8s-node-01 .kube]# ctr image pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0
# .hal mount: the original typed options=rbind:row; "rw" is the valid option
[root@k8s-node-01 .kube]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard \
  --mount type=bind,src=/home/spinnaker/.hal,dst=/home/spinnaker/.hal,options=rbind:rw \
  --mount type=bind,src=/home/spinnaker/.kube,dst=/home/spinnaker/.kube,options=rbind:ro \
  --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
```

```bash
[root@k8s-node-01 .boms]# pwd
/home/spinnaker/.hal/.boms
[root@k8s-node-01 .boms]# ls
bom  clouddriver  deck  echo  fiat  front50  gate  igor  kayenta  monitoring-daemon  orca  rosco
[root@k8s-node-01 .boms]# cd /opt/halyard/config/
[root@k8s-node-01 config]# cat halyard.yaml
```

```bash
[root@k8s-node-01 ~]# ctr t ls
TASK    PID    STATUS
[root@k8s-node-01 ~]# ctr t start -d halyard
[root@k8s-node-01 ~]# ctr t ls
TASK       PID        STATUS
halyard    3910255    RUNNING
[root@k8s-node-01 ~]# ctr tasks exec -t --exec-id 3910255 halyard sh
/ $ hal config version edit --version local:1.26.6
+ Get current deployment
  Success
- Edit Spinnaker version
  Failure
Validation in Global:
! ERROR Failure writing your halconfig to path
  "/home/spinnaker/.hal/config": /home/spinnaker/.hal/config

- Failed to update version.
/ $ hal config version edit --version local:1.26.6
+ Get current deployment
  Success
+ Edit Spinnaker version
  Success
+ Spinnaker has been configured to update/install version
  "local:1.26.6". Deploy this version of Spinnaker with `hal deploy apply`.
/ $ hal config edit --timezone Asia/Shanghai
```

******** And it misbehaved yet again (the first call failed to write the halconfig, the identical second call succeeded). I have no idea why and stopped trying: I fixed the config file by hand and started it directly.

To sum up the failures so far: nothing I executed would work, so in the end I decided to take the `config` file and the other artifacts from the docker environment and try with those.

My `config` file:

```yaml
currentDeployment: default
deploymentConfigurations:
- name: default
  version: local:1.26.6
  providers:
    appengine:
      enabled: false
      accounts: []
    aws:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
      defaultKeyPairTemplate: '{{name}}-keypair'
      defaultRegions:
      - name: us-west-2
      defaults:
        iamRole: BaseIAMRole
    ecs:
      enabled: false
      accounts: []
    azure:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: azure-linux.json
        baseImages: []
    dcos:
      enabled: false
      accounts: []
      clusters: []
    dockerRegistry:
      enabled: true
      accounts:
      - name: my-harbor-registry
        requiredGroupMembership: []
        providerVersion: V1
        permissions:
          READ:
          - yunweizu
          WRITE:
          - yunweizu
        address: https://harbor.layame.com
        username: zhangpeng
        password: xxxx
        email: fake.email@spinnaker.io
        cacheIntervalSeconds: 30
        clientTimeoutMillis: 60000
        cacheThreads: 1
        paginateSize: 100
        sortTagsByDate: false
        trackDigests: false
        insecureRegistry: false
        repositories: []
      primaryAccount: my-harbor-registry
    google:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: gce.json
        baseImages: []
        zone: us-central1-f
        network: default
        useInternalIp: false
    huaweicloud:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
    kubernetes:
      enabled: true
      accounts:
      - name: default
        requiredGroupMembership: []
        providerVersion: V2
        permissions:
          READ:
          - yunweizu,group02   # one role literally named "yunweizu,group02"; two entries were probably intended
          - devops
          WRITE:
          - yunweizu
          - devops
        dockerRegistries:
        - accountName: my-harbor-registry
          namespaces: []
        context: kubernetes-admin@kubernetes
        configureImagePullSecrets: true
        serviceAccount: true
        cacheThreads: 1
        namespaces: []
        omitNamespaces:
        - kube-system
        - kube-public
        kinds: []
        omitKinds: []
        customResources: []
        cachingPolicies: []
        oAuthScopes: []
        onlySpinnakerManaged: false
      primaryAccount: default
    tencentcloud:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
    oracle:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: oci.json
        baseImages: []
    cloudfoundry:
      enabled: false
      accounts: []
  deploymentEnvironment:
    size: SMALL
    type: Distributed
    accountName: default
    imageVariant: SLIM
    updateVersions: true
    consul:
      enabled: false
    vault:
      enabled: false
    location: spinnaker
    customSizing: {}
    sidecars: {}
    initContainers: {}
    hostAliases: {}
    affinity: {}
    tolerations: {}
    nodeSelectors: {}
    gitConfig:
      upstreamUser: spinnaker
    livenessProbeConfig:
      enabled: false
    haServices:
      clouddriver:
        enabled: false
        disableClouddriverRoDeck: false
      echo:
        enabled: false
  persistentStorage:
    persistentStoreType: s3
    azs: {}
    gcs:
      rootFolder: front50
    redis: {}
    s3:
      rootFolder: front50
    oracle: {}
  features:
    auth: false
    fiat: false
    chaos: false
    entityTags: false
    pipelineTemplates: true
    artifacts: true
    managedPipelineTemplatesV2UI: true
  metricStores:
    datadog:
      enabled: false
      tags: []
    prometheus:
      enabled: false
      add_source_metalabels: true
    stackdriver:
      enabled: false
    newrelic:
      enabled: false
      tags: []
    period: 30
    enabled: false
  notifications:
    slack:
      enabled: false
    twilio:
      enabled: false
      baseUrl: https://api.twilio.com/
    github-status:
      enabled: false
  timezone: Asia/Shanghai
  ci:
    jenkins:
      enabled: true
      masters:
      - name: my-jenkins-master-01
        permissions: {}
        address: https://jenkins.xxxx.com
        username: zhangpeng
        password: xxxxx
        csrf: true
    travis:
      enabled: false
      masters: []
    wercker:
      enabled: false
      masters: []
    concourse:
      enabled: false
      masters: []
    gcb:
      enabled: false
      accounts: []
    codebuild:
      enabled: false
      accounts: []
  repository:
    artifactory:
      enabled: false
      searches: []
  security:
    apiSecurity:
      ssl:
        enabled: false
      overrideBaseUrl: https://spin-gate.xxxx.com
    uiSecurity:
      ssl:
        enabled: false
      overrideBaseUrl: https://spinnaker.xxxx.com
    authn:
      oauth2:
        enabled: false
        client: {}
        resource: {}
        userInfoMapping: {}
      saml:
        enabled: false
        userAttributeMapping: {}
      ldap:
        enabled: true
        url: ldap://172.19.252.28:389
        userSearchBase: ou=devops,dc=xxxx,dc=com
        userSearchFilter: cn={0}
        managerDn: cn=admin,dc=xxxx,dc=com
        managerPassword: xxxx
      x509:
        enabled: false
      iap:
        enabled: false
      enabled: true
    authz:
      groupMembership:
        service: LDAP
        google:
          roleProviderType: GOOGLE
        github:
          roleProviderType: GITHUB
        file:
          roleProviderType: FILE
          path: /home/spinnaker/.hal/userrole.yml
        ldap:
          roleProviderType: LDAP
          url: ldap://172.19.252.28:389/dc=xxxx,dc=com
          managerDn: cn=admin,dc=xxxx,dc=com
          managerPassword: xxxx
          userDnPattern: cn={0}
          groupSearchBase: ou=devops
          userSearchFilter: cn={0}
          groupSearchFilter: uniqueMember={0}
          groupRoleAttributes: cn
      enabled: true
  artifacts:
    bitbucket:
      enabled: false
      accounts: []
    gcs:
      enabled: false
      accounts: []
    oracle:
      enabled: false
      accounts: []
    github:
      enabled: true
      accounts:
      - name: my-github-account
        username: zeyangli
        token: xxxx
    gitlab:
      enabled: true
      accounts:
      - name: my-gitlab-account
        token: xxxx
    gitrepo:
      enabled: false
      accounts: []
    http:
      enabled: false
      accounts: []
    helm:
      enabled: false
      accounts: []
    s3:
      enabled: false
      accounts: []
    maven:
      enabled: false
      accounts: []
    templates: []
  pubsub:
    enabled: false
    google:
      enabled: false
      pubsubType: GOOGLE
      subscriptions: []
      publishers: []
  canary:
    enabled: false
    serviceIntegrations:
    - name: google
      enabled: false
      accounts: []
      gcsEnabled: false
      stackdriverEnabled: false
    - name: prometheus
      enabled: false
      accounts: []
    - name: datadog
      enabled: false
      accounts: []
    - name: signalfx
      enabled: false
      accounts: []
    - name: aws
      enabled: false
      accounts: []
      s3Enabled: false
    - name: newrelic
      enabled: false
      accounts: []
    reduxLoggerEnabled: true
    defaultJudge: NetflixACAJudge-v1.0
    stagesEnabled: true
    templatesEnabled: true
    showAllConfigsEnabled: true
  spinnaker:
    extensibility:
      plugins: {}
      repositories: {}
  webhook:
    trust:
      enabled: false
  stats:
    enabled: true
    endpoint: https://stats.spinnaker.io
    instanceId: 01FKDR1B3P8PF35RRC93XTE9AS
    deploymentMethod: {}
    connectionTimeoutMillis: 3000
    readTimeoutMillis: 5000
```

A few things to be aware of in this file: the Harbor password, the Jenkins password, the LDAP manager password and the GitHub/GitLab tokens all sit in it in clear text, so keep the halconfig mode 600 and out of git; `ssl.enabled: false` on both gate and deck together with `https://` override URLs means TLS has to be terminated at the ingress in front of them, and LDAP is contacted over plain `ldap://`; and `stats.enabled: true` sends usage telemetry to `stats.spinnaker.io`.

Copy it over and give it a try.

Upload the archive and extract it into the home directory on the k8s-master-01 node.

Continue:

```bash
# .hal mount: the original typed options=rbind:row; "rw" is the valid option
[root@k8s-master-01 .kube]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard \
  --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw \
  --mount type=bind,src=/home/spinnaker/.kube,dst=/home/spinnaker/.kube,options=rbind:ro \
  --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-master-01 .kube]# ctr t start -d halyard
[root@k8s-master-01 .kube]# ctr t ls
TASK       PID        STATUS
halyard    3073271    RUNNING
[root@k8s-master-01 .kube]# ctr tasks exec -t --exec-id 3073271 halyard sh
bash-5.0$ hal deploy apply --no-validate
```

Note that `--no-validate` skips halyard's account and connectivity checks, so a wrong credential or endpoint in the config only shows up once the pods are running.


Start over:

```bash
[root@k8s-master-01 .kube]# ctr t kill --signal 9 halyard
[root@k8s-master-01 .kube]# ctr c rm halyard
```

```bash
# .hal mount: the original typed options=rbind:row; "rw" is the valid option
[root@k8s-master-01 .hal]# ctr c create registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 halyard \
  --mount type=bind,src=/root/.hal,dst=/home/spinnaker/.hal,options=rbind:rw \
  --mount type=bind,src=/home/spinnaker/.kube,dst=/home/spinnaker/.kube,options=rbind:ro \
  --mount type=bind,src=/opt/halyard/config/,dst=/opt/halyard/config/,options=rbind:rw
[root@k8s-master-01 .hal]# ctr t start -d halyard
[root@k8s-master-01 .hal]# ctr t ls
TASK       PID        STATUS
halyard    3085723    RUNNING
[root@k8s-master-01 .hal]# ctr tasks exec -t --exec-id 3085723 halyard bash
bash-5.0$
```

Forget it, I give up on the containerd way of installing.

Summary of the failures and lessons learned:

  1. Under both the containerd and the docker runtime, the image tag of each service can be pinned by writing a file under `/home/spinnaker/.hal/default/service-settings`. That is straightforward under docker; under containerd I never got a grip on retagging images with crictl. The reason is that crictl cannot retag at all; the retag has to be done with `ctr -n k8s.io images tag`, in the same namespace the kubelet reads.
  2. The containerd commands are not the same as docker's, and getting halyard started this way is awkward. The easiest route is still to run halyard on a machine that has docker installed.
  3. Whitespace problems when copy-pasting the halyard commands out of the scripts.
  4. During deployment I wrote the database address wrong... I had used the read-only endpoint of the TDSQL-C instance instead of the read-write one, so every write from the services failed.