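# Both values below are copied from the GitLab runner registration page.
# NOTE(review): the runner authenticates to this URL with its token; over plain
# http:// that token travels in clear on the network. Prefer https:// where possible.
gitlabUrl: http://192.168.31.3:83/
# Registration token used by gitlab-runner (glrt-...). Do not commit the real
# value to the repo: pass it at install time (e.g. --set) or reference a
# pre-created Secret, and rotate it if it has ever been committed.
runnerRegistrationToken: "<glrt-registration-token>"
concurrent: 10    # maximum number of jobs run at the same time
checkInterval: 30 # seconds between polls for new jobs
tags: "shared"    # runner tag; jobs select this runner with `tags:`
# RBAC for the Kubernetes executor.
# NOTE(review): get/list/watch on `secrets` lets every job that runs on this
# runner read every Secret in the namespace the Role is bound in, so keep the
# runner and its job pods in a dedicated namespace (the namespace set in
# config.template.toml must be the one this Role covers).
rbac:
  create: true
  resources: ["pods", "pods/exec", "secrets", "configmaps"]
  verbs: ["get", "list", "watch", "create", "patch", "delete", "update"]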
修改ConfigMap下config.template.toml配置:
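[[runners]]
  builds_dir = "/builds"
  [runners.kubernetes]
    # Namespace the job pods are created in; the runner's RBAC Role must cover it.
    namespace = "base"
    image = "alpine"
    # Reuse a locally cached image when present; pull only when missing.
    # NOTE(review): with this policy a node-local image of the same tag is trusted
    # unconditionally, so anything that can load images on a node can substitute
    # a build image. Use "always" (or digests) for untrusted/shared nodes.
    pull_policy = "if-not-present"
    # Persistent volume shared by all jobs for /builds.
    # NOTE(review): it is shared across jobs and pipelines, so anything a job
    # writes there (clones, credentials in .git/config) is visible to later jobs.
    [[runners.kubernetes.volumes.pvc]]
      name = "k8s-running-pod-data"
      mount_path = "/builds"
    # Host Docker socket so jobs can run `docker` commands.
    # SECURITY: access to /var/run/docker.sock is equivalent to root on the node;
    # every CI job on this runner can start privileged containers and read any
    # file on the host. Prefer kaniko/buildah, or a dedicated dind service with TLS.
    [[runners.kubernetes.volumes.host_path]]
      name = "docker"
      mount_path = "/var/run/docker.sock"
      host_path = "/var/run/docker.sock"
    # Resolve the internal Harbor hostname inside job pods.
    [[runners.kubernetes.host_aliases]]
      ip = "192.168.31.11"
      hostnames = ["harbor域名"]
    # Resolve the Kubernetes API server address used by the cluster (master IP).
    [[runners.kubernetes.host_aliases]]
      ip = "192.168.31.21"
      hostnames = ["lb.kubesphere.local"]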
整个微服务应用中包含了5个组件
productpage 是一个由 react 开发的前端组件
gateway 是一个由 spring-cloud-gateway 提供的 API 网关服务
details 是一个 spring-cloud 微服务,提供了书籍详情 API
reviews提供了基础的书籍评论信息, review-v2 在 review-v1 的基础之上额外的提供了评分数据,依赖 ratings 服务
ratings 是一个 golang 开发的微服务组件
改造 Springcloud-bookinfo 中的 Gateway 网关,将 reviews 路由权重改为从 Secret 中读取(经环境变量注入)进行测试。注意:权重本身并不是敏感数据,这里只是借一个结果容易观察的配置项演示 Secret → 环境变量 → 配置占位符这条链路,真正需要这样处理的是账号密码、API Key 等。
ConfigMap 主要用于存储非敏感的配置数据
application.yml中经常会配置账号密码这些,此时资源清单中这些内容就不能以明文暴露到gitlab中
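server:
  port: ${SERVER_PORT:8080}
spring:
  application:
    name: gateway
  cloud:
    gateway:
      routes:
        - id: ratings
          uri: lb://ratings
          predicates:
            - Path=/api/v1/reviews/*/ratings
        - id: details
          uri: lb://details
          predicates:
            - Path=/api/v1/products/*
        # Both reviews routes share the weight group `reviews`; the weights are
        # read from the reviews-v1 / reviews-v2 properties (injected as env vars
        # from the `gateway` Secret), defaulting to 0 / 100 when unset.
        - id: reviews-v1
          uri: lb://reviews-v1
          predicates:
            - Path=/api/v1/products/*/reviews
            - Weight=reviews, ${reviews-v1:0}
        - id: reviews-v2
          uri: lb://reviews-v2
          predicates:
            - Path=/api/v1/products/*/reviews
            - Weight=reviews, ${reviews-v2:100}
management:
  endpoints:
    web:
      exposure:
        # Only expose what is needed. The original `"*"` published every actuator
        # endpoint over HTTP, including /actuator/env (which prints the injected
        # env vars, i.e. the Secret values) and /actuator/heapdump.
        # Add further endpoints here only as required.
        include: "health,info"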
此时访问页面一直是红星
Secret 用于存储敏感数据,例如密码、API 密钥等。
# Plain Secret holding the two route weights. `data` values are base64, not
# encrypted: NTA= decodes to "50" for both keys.
kind: Secret
apiVersion: v1
metadata:
  name: gateway
  namespace: spring-cloud
  annotations:
    kubesphere.io/creator: admin
data:
  reviews-v1: NTA=
  reviews-v2: NTA=
type: Opaque
明文数据如下
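# Two ways a pod can consume a Secret (fragment of a pod spec, not a full manifest).
# 1. As an environment variable: key `server-port` of Secret `details`.
env:
  - name: server.port
    valueFrom:
      secretKeyRef:
        name: details
        key: server-port
# 2. As files: every key of `my-secret` becomes a file under /etc/my-app/<key>.
volumes:
  - name: secret-volume
    secret:
      secretName: my-secret
containers:
  # volumeMounts belongs to a container entry; the original fragment had it
  # directly under `containers:` which is not a valid pod spec.
  - volumeMounts:
      - name: secret-volume
        mountPath: /etc/my-app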
这样,应用可以通过环境变量或挂载的文件读取 Secret 中的数据,而 ConfigMap 里只保留对这些占位符的引用。需要注意:Secret 中的数据在资源清单里只是 base64 编码,并不是加密;能读取该 Secret 对象(或 etcd)的人都能直接解码。只有在 API Server 配置了静态加密(EncryptionConfiguration)时 etcd 中的数据才是加密存储的,因此仍要通过 RBAC 严格限制对 Secret 的 get/list 权限,并且不要把明文 Secret 清单提交到 Git。
# Inject both weight keys of Secret `gateway` as env vars named exactly like the
# Spring placeholders (${reviews-v1}, ${reviews-v2}).
env:
  - name: reviews-v1
    valueFrom:
      secretKeyRef:
        name: gateway
        key: reviews-v1
  - name: reviews-v2
    valueFrom:
      secretKeyRef:
        name: gateway
        key: reviews-v2
访问页面测试,多次访问出现v1和v2版本页面
# Same Secret with the weights flipped to 0 / 100 (MA== = "0", MTAw = "100"),
# so only reviews-v2 receives traffic. base64 only, not encryption.
kind: Secret
apiVersion: v1
metadata:
  name: gateway
  namespace: spring-cloud
  annotations:
    kubesphere.io/creator: admin
data:
  reviews-v1: MA==
  reviews-v2: MTAw
type: Opaque
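# Fetch the controller's *public* sealing certificate for offline sealing.
# NOTE(review): this is not a backup of the sealing key pair. The private key is
# a Secret in the sealed-secrets controller's namespace; back that up separately,
# otherwise every SealedSecret becomes undecryptable if the controller is lost.
kubeseal --fetch-cert > public-cert.pem
# Seal with the fetched cert (same file name as above; the original used two
# different names). The sealed output is safe to commit; the plain input is not.
kubeseal --format=yaml --cert ./public-cert.pem < bookinfo-gateway-secret.yaml > bookinfo-gateway-secret-sealed.yaml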
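apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: gateway
  namespace: spring-cloud
spec:
  # Ciphertext produced by kubeseal with the cluster's public sealing cert.
  # With the default (strict) scope it only decrypts for this exact
  # name + namespace, so the object cannot be replayed elsewhere.
  encryptedData:
    reviews-v1: "<ciphertext>"
    reviews-v2: "<ciphertext>"
  # Metadata applied to the Secret the controller creates after decryption.
  template:
    metadata:
      annotations:
        kubesphere.io/creator: admin
      creationTimestamp: null
      name: gateway
      namespace: spring-cloud
    type: Opaque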
kubectl apply -f bookinfo-gateway-secret-sealed.yaml
执行上述命令只会创建 SealedSecret 对象;集群内的 sealed-secrets 控制器用私钥解密后,再在同一命名空间中生成同名的普通 Secret。明文 Secret 从未出现在 Git 中,生成结果如下:
此时无论怎么访问都是显示红色星
https://gitee.com/zhouwei1996/kustomize
kustomize-bookinfo-reviews通过Istio实现金丝雀部署,结构中资源与其他项目有区别
下述以reviews项目为例,其他项目类似,可编写为kustomize资源清单,通过app of apps模式一键部署。
├─kustomize(父kustomize)
│ ├─kustomize-bookinfo-reviews(bookinfo-reviews部署清单)
│ ├─├─base(公用资源)
│ ├─├─├─kustomization.yaml(组织资源)
│ ├─├─├─svc.yaml
│ ├─├─├─dr.yaml
│ ├─├─├─sa.yaml
│ ├─├─├─vs.yaml
│ ├─├─build(cicd过程生成汇总资源)
│ ├─├─├─build.yaml
│ ├─├─├─kustomization.yaml
│ ├─├─overlay(补丁路径)
│ ├─├─├─v1
│ ├─├─├─configmap.yaml(存放springboot的application.yml配置)
│ ├─├─├─deployment.yaml
│ ├─├─├─kustomization.yaml
│ ├─├─├─v2
│ ├─├─├─configmap.yaml(存放springboot的application.yml配置)
│ ├─├─├─deployment.yaml
│ ├─├─├─kustomization.yaml
------------------------------------
│ ├─kustomize-bookinfo-productpage(bookinfo-productpage部署清单)
│ ├─├─base(公用资源)
│ ├─├─├─kustomization.yaml(组织资源)
│ ├─├─├─istio-gateway.yaml
│ ├─├─├─svc.yaml
│ ├─├─├─dr.yaml
│ ├─├─├─sa.yaml
│ ├─├─├─vs.yaml
│ ├─├─├─deployment.yaml
│ ├─├─build(cicd过程生成汇总资源)
│ ├─├─├─build.yaml
│ ├─├─├─kustomization.yaml
│ ├─├─overlay(补丁路径)
│ ├─├─├─dev
│ ├─├─├─kustomization.yaml
----------------------------------------
│ ├─kustomize-bookinfo-gateway(bookinfo-gateway部署清单)
│ ├─├─base(公用资源)
│ ├─├─├─kustomization.yaml(组织资源)
│ ├─├─├─configmap.yaml
│ ├─├─├─svc.yaml
│ ├─├─├─dr.yaml
│ ├─├─├─sa.yaml
│ ├─├─├─vs.yaml
│ ├─├─├─deployment.yaml
│ ├─├─build(cicd过程生成汇总资源)
│ ├─├─├─build.yaml
│ ├─├─├─kustomization.yaml
│ ├─├─overlay(补丁路径)
│ ├─├─├─dev
│ ├─├─├─kustomization.yaml
--------------下述结构类似查看gitee---------------------
|--kustomize-bookinfo-admin
|--kustomize-bookinfo-ratings
|--kustomize-bookinfo-details
假设配置中ratings下所有内容为需加密数据,改造如下:
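kind: ConfigMap
apiVersion: v1
metadata:
  name: reviews
  namespace: spring-cloud
  annotations:
    kubesphere.io/creator: admin
data:
  # application.yml keeps only placeholders; the ratings_* values are injected
  # as env vars from the `reviews` Secret, with the defaults shown here.
  application.yml: |-
    server:
      port: ${SERVER_PORT:8080}
    spring:
      application:
        name: reviews
    ratings:
      enabled: ${ratings_enabled:false}
      server-addr: ${ratings_server_addr:http://ratings}
      color: ${ratings_color:red}
    management:
      endpoints:
        web:
          exposure:
            # The original `"*"` exposed every actuator endpoint, including
            # /actuator/env which prints the Secret-backed env vars in clear.
            # Add endpoints beyond health/info only as required.
            include: "health,info"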
bookinfo-reviews-secret.yaml
# Plain Secret for the reviews service. base64 only (not encrypted):
# cmVk = "red", dHJ1ZQ== = "true", aHR0cDovL3JhdGluZ3M= = "http://ratings".
# This file is the input to kubeseal and must not be committed as-is.
kind: Secret
apiVersion: v1
metadata:
  name: reviews
  namespace: spring-cloud
  annotations:
    kubesphere.io/creator: admin
data:
  ratings_color: cmVk
  ratings_enabled: dHJ1ZQ==
  ratings_server_addr: aHR0cDovL3JhdGluZ3M=
type: Opaque
kubeseal --format=yaml --cert ./public-cert-0.26.0.pem < bookinfo-reviews-secret.yaml > bookinfo-reviews-secret-sealed.yaml
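apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: reviews
  namespace: spring-cloud
spec:
  # Ciphertext from kubeseal; decryptable only by the controller holding the
  # private sealing key, and (default strict scope) only for this name/namespace.
  encryptedData:
    ratings_color: "<ciphertext>"
    ratings_enabled: "<ciphertext>"
    ratings_server_addr: "<ciphertext>"
  # Template for the plain Secret the controller creates in-cluster.
  template:
    metadata:
      annotations:
        kubesphere.io/creator: admin
      creationTimestamp: null
      name: reviews
      namespace: spring-cloud
    type: Opaque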
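apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews
  labels:
    app: reviews
    version: v1
spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: reviews
      version: v1
  template:
    metadata:
      labels:
        app: reviews
        version: v1
    spec:
      # Run under the ServiceAccount defined in sa.yaml so Istio issues the pod
      # the reviews workload identity. Without this line the pod runs as
      # `default` and the sa.yaml resource is never used.
      serviceAccountName: bookinfo-reviews
      containers:
        - name: reviews
          # NOTE(review): a floating :latest tag is not reproducible and makes
          # rollback impossible; have the pipeline set an immutable tag/digest.
          image: registry.cn-hangzhou.aliyuncs.com/yxymzw/reviews:latest
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
          env:
            # Secret-backed configuration; names match the ${ratings_*} placeholders
            # in the reviews ConfigMap.
            - name: ratings_enabled
              valueFrom:
                secretKeyRef:
                  name: reviews
                  key: ratings_enabled
            - name: ratings_server_addr
              valueFrom:
                secretKeyRef:
                  name: reviews
                  key: ratings_server_addr
            - name: ratings_color
              valueFrom:
                secretKeyRef:
                  name: reviews
                  key: ratings_color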
svc.yaml
# ClusterIP Service in front of every reviews version; Istio subsets (dr.yaml)
# split it by the `version` label.
apiVersion: v1
kind: Service
metadata:
  name: reviews
  labels:
    app: reviews
    service: reviews
spec:
  ports:
    - port: 80
      targetPort: 8080
  selector:
    app: reviews
dr.yaml
# Defines the `v1` subset of the reviews host (pods labelled version=v1).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
    - name: v1
      labels:
        version: v1
istio-gateway.yaml,流量入口建议放在bookinfo-productpage项目中,或者通过ArgoCD的app of apps放在顶级app中
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  # Name of this Gateway resource.
  name: kustomize-bookinfo-gateway
spec:
  # Attaches to the pods of the Istio ingress gateway (label istio=ingressgateway).
  selector:
    istio: ingressgateway
  # Listeners: one plain-HTTP server on port 99 accepting any Host header.
  # NOTE: this is unencrypted; see the TLS variant later in the article.
  servers:
    - port:
        number: 99
        name: http
        protocol: HTTP
      hosts:
        - "*"
该资源会与istio-ingressgateway绑定
vs.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  # Applies to in-mesh traffic addressed to the `reviews` service.
  hosts:
    - reviews
  # HTTP routing: send everything to the v1 subset of reviews (see dr.yaml).
  http:
    - route:
        - destination:
            host: reviews
            subset: v1
sa.yaml
# ServiceAccount for the reviews pods; reference it from the Deployment with
# `serviceAccountName: bookinfo-reviews`, otherwise it has no effect.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-reviews
  labels:
    account: reviews
在 Istio 中,ServiceAccount 用于定义服务在网格中的身份。Istio 构建在 Kubernetes 之上,并扩展了服务身份和访问控制的能力:sidecar 的 mTLS 证书中的 SPIFFE 身份(spiffe://<trust-domain>/ns/<namespace>/sa/<serviceaccount>)直接来自 Pod 所使用的 ServiceAccount,AuthorizationPolicy 中的 principals 也以此匹配。因此 Deployment 必须通过 serviceAccountName 显式引用该 ServiceAccount,否则 Pod 以 default 身份运行。使用 ServiceAccount 可以为服务提供以下几个重要用途:
总的来说,ServiceAccount 在 Istio 中扮演着关键的角色,用于定义和管理服务在 Istio 网格中的身份和访问权限,从而确保服务之间的通信是安全、可控和可管理的。
通过该项目可以一键部署bookinfo
https://gitee.com/zhouwei1996/kustomize
kustomize-bookinfo-apps
|--root-app
|--rootapp.yaml # 指定apps位置
|--apps # 指定各个项目位置
|--bookinfo-productpage.yaml
|--bookinfo-gateway.yaml
|--bookinfo-details.yaml
|--bookinfo-reviews.yaml
|--bookinfo-ratings.yaml
如何编写Application?部署一个测试Application,查看部署后生成的Application资源yaml
# List the Application objects Argo CD manages (they live in the argocd namespace).
kubectl get app -n argocd
# Dump one Application as YAML to use as a template for writing your own.
kubectl get app <application> -n argocd -o yaml
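apiVersion: argoproj.io/v1alpha1
# Root "app of apps": its only purpose is to create the child Application objects.
kind: Application
metadata:
  name: root-application
  namespace: argocd
spec:
  # NOTE(review): the built-in `default` AppProject allows any source repo and
  # any destination cluster/namespace. A dedicated AppProject that restricts
  # sourceRepos and destinations limits what a compromised Git repo can deploy.
  project: default
  source:
    repoURL: https://gitee.com/zhouwei1996/kustomize.git
    # HEAD = tip of the repository's default branch; every push there becomes
    # deployable, so protect that branch or pin a tag/commit for production.
    targetRevision: HEAD
    path: ./kustomize-bookinfo-apps/apps
    directory:
      # Read only the files directly under `apps/`, not subdirectories.
      recurse: false
  destination:
    server: https://kubernetes.default.svc
    # Fallback namespace for manifests that carry none. The child Applications
    # set `namespace: argocd` themselves, which is where Argo CD looks for them.
    namespace: default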
targetRevision: HEAD
在软件开发中,targetRevision: HEAD 表示在版本控制系统(如 Git)中使用最新的提交作为部署的目标版本。在 Git 中,HEAD 是指向当前所在分支最新提交的指针。
具体来说,当在部署流程中指定 targetRevision: HEAD 时,系统会将部署目标设置为当前所在分支的最新提交。这意味着每次部署时都会使用当前分支的最新代码版本,确保部署的是最新的代码更改。
使用 targetRevision: HEAD 可以确保部署的应用程序始终基于最新的代码提交,有助于保持集群与代码仓库同步。但从安全角度看,配合 syncPolicy.automated 使用时,任何能向该分支推送的人(或被泄露的推送凭据)都能直接改变集群中的工作负载,因此应对该分支启用保护、要求评审后合并,生产环境更建议固定到 tag 或提交。
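apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  # Name of the Application resource.
  name: bookinfo-ratings
  # Applications must live in the namespace Argo CD watches (argocd).
  namespace: argocd
spec:
  # Where the manifests are deployed.
  destination:
    # Target namespace.
    namespace: spring-cloud
    # In-cluster API server (the cluster Argo CD itself runs in).
    server: https://kubernetes.default.svc
  # NOTE(review): `default` project permits any repo/destination; prefer a
  # restricted AppProject.
  project: default
  source:
    # Path of the kustomization inside the repo.
    path: kustomize-bookinfo-ratings
    # Source repository URL.
    repoURL: https://gitee.com/zhouwei1996/kustomize.git
    # Revision to deploy: HEAD, i.e. the tip of the repo's default branch
    # (the original comment said "main", which did not match the value).
    targetRevision: HEAD
  # Sync policy.
  syncPolicy:
    # Automated sync: Argo CD applies every new commit without manual approval.
    # `{}` means no prune and no selfHeal; removed manifests stay in the cluster.
    automated: {}
    syncOptions:
      # Create the destination namespace if it does not exist.
      - CreateNamespace=true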
# Child Application: gateway base kustomization, auto-synced from HEAD.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: bookinfo-gateway
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitee.com/zhouwei1996/kustomize.git
    targetRevision: HEAD
    path: kustomize-bookinfo-gateway/base
  destination:
    server: https://kubernetes.default.svc
    namespace: spring-cloud
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
# Child Application: details base kustomization, auto-synced from HEAD.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: bookinfo-details
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitee.com/zhouwei1996/kustomize.git
    targetRevision: HEAD
    path: kustomize-bookinfo-details/base
  destination:
    server: https://kubernetes.default.svc
    namespace: spring-cloud
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
# Child Application: reviews v1 overlay, auto-synced from HEAD.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: bookinfo-reviews
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitee.com/zhouwei1996/kustomize.git
    targetRevision: HEAD
    path: kustomize-bookinfo-reviews/overlay/v1
  destination:
    server: https://kubernetes.default.svc
    namespace: spring-cloud
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
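# Child Application: reviews v2 overlay.
# The original reused the name `bookinfo-reviews`, identical to the v1
# Application in the same namespace, so the two manifests overwrite each other
# and only one overlay is ever deployed. Give the v2 app its own name.
# NOTE(review): if the v1 and v2 overlays both emit the shared base resources
# (svc/dr/vs/sa named `reviews`), Argo CD will flag them as shared between
# apps; confirm the overlays only add their own Deployment/ConfigMap.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: bookinfo-reviews-v2
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitee.com/zhouwei1996/kustomize.git
    targetRevision: HEAD
    path: kustomize-bookinfo-reviews/overlay/v2
  destination:
    server: https://kubernetes.default.svc
    namespace: spring-cloud
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true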
# Child Application: ratings base kustomization, auto-synced from HEAD.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: bookinfo-ratings
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitee.com/zhouwei1996/kustomize.git
    targetRevision: HEAD
    path: kustomize-bookinfo-ratings/base
  destination:
    server: https://kubernetes.default.svc
    namespace: spring-cloud
  syncPolicy:
    automated: {}
    syncOptions:
      - CreateNamespace=true
注意:通过上述观察发现我们部署的svc资源带上了前缀,跟我们VirtualService中使用的hosts不一致,这儿需要修改
查看istio资源是否也添加了前缀:
# kubectl get gw -A
NAMESPACE NAME AGE
bookinfo bookinfo-gateway 7d2h
spring-cloud devops-web-gateway 6m10s
spring-cloud gateway 6m10s
spring-cloud kustomize-devops-web-gateway 27m
spring-cloud kustomize-gateway 27m
spring-cloud reviews-gateway 6m10s
spring-cloud v2-kustomize-reviews-gateway 27m
# Destructive: removes every pod/deployment/service/... in the namespace.
# `all` is an alias for a fixed set of core kinds only; Istio CRs, ConfigMaps,
# Secrets and ServiceAccounts are NOT included (see the per-kind deletes below).
kubectl delete all --all -n <namespace>
kubectl delete all --all -n spring-cloud
Istio 是一个服务网格解决方案,它引入了许多自定义资源(Custom Resource Definitions,CRDs)来管理服务间的通信、流量控制和安全策略等。以下是 Istio 中常见的一些资源类型:
所有命名空间中的 Istio 资源
# Inventory of Istio (and related) resources across all namespaces.
kubectl get virtualservices --all-namespaces
kubectl get destinationrules --all-namespaces
# `gw` is the short name for gateways.networking.istio.io
kubectl get gw --all-namespaces
# Core Kubernetes resource, listed here because Istio derives workload identity from it.
kubectl get ServiceAccount --all-namespaces
kubectl get serviceentries --all-namespaces
kubectl get istiooperators --all-namespaces
kubectl get authorizationpolicies --all-namespaces
kubectl get sidecars --all-namespaces
gateway:
该错误是服务账户没有访问权限,配置如下:
在 Argo CD 中删除应用程序(app)时,可以选择不同的删除策略,包括 Foreground、Background 和 Non-cascading。这些策略决定了删除操作的行为方式。下面是它们的区别:
在使用 Argo CD 删除应用程序时,根据具体需求选择适合的删除策略是很重要的。根据是否需要等待资源对象的删除以及是否需要级联删除资源对象,选择合适的删除策略可以更好地管理应用程序的生命周期。
删除指定空间所有资源
kubectl delete all --all -n spring-cloud
删除 Istio 资源:
# Delete individual Istio custom resources by name.
kubectl delete virtualservice <virtualservice-name> -n <namespace>
kubectl delete destinationrule <destinationrule-name> -n <namespace>
kubectl delete gw <gateway-name> -n <namespace>
kubectl delete serviceentry <serviceentry-name> -n <namespace>
# Deleting an IstioOperator CR removes the control plane it manages; be sure.
kubectl delete istiooperator <istiooperator-name> -n <namespace>
kubectl delete authorizationpolicy <authorizationpolicy-name> -n <namespace>
kubectl delete sidecar <sidecar-name> -n <namespace>
删除查询到的资源
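# Bulk-delete the listed kinds in spring-cloud.
# `-o name` prints kind/name only. The original `awk '{print $1}'` also passed
# the header word "NAME" to delete, which fails with "not found".
# `xargs -r` skips the delete entirely when the list is empty.
kubectl get gw -n spring-cloud -o name | xargs -r kubectl delete -n spring-cloud
kubectl get virtualservice -n spring-cloud -o name | xargs -r kubectl delete -n spring-cloud
# NOTE(review): this also deletes the `default` ServiceAccount; it is recreated
# automatically, but pods that reference any deleted SA will not start until it exists again.
kubectl get serviceaccount -n spring-cloud -o name | xargs -r kubectl delete -n spring-cloud
kubectl get destinationrule -n spring-cloud -o name | xargs -r kubectl delete -n spring-cloud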
通过nodeport方式暴露istio-ingressgateway流量入口
访问页面,若是访问出错检查bookinfo-productpage部署时环境变量API_SERVER是否配置
参考下述文章进行配置:
4. 服务暴露方式
5.云原生安全之kubesphere应用网关配置域名TLS证书
验证结果如下:
bookinfo安全暴露服务:
修改爱快软路由暴露192.168.31.12内网ip
访问测试
这个内网和外网端口保持一致,端口为istio-ingressgateway服务端口如下:
官网:理解 TLS 配置
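apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kustomize-bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    # Plain-HTTP listener that only answers with a 301 to HTTPS.
    - port:
        number: 99
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    # TLS listener. SIMPLE = server-side TLS only (no client certificates).
    - port:
        number: 77
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # Kubernetes TLS Secret (tls.crt/tls.key) holding the server certificate.
        # It must exist in the namespace of the istio-ingressgateway pods
        # (istio-system by default), NOT in the application namespace, or the
        # gateway cannot load it and the listener never comes up.
        credentialName: your-cert-secret-name
      hosts:
        - "*"
# NOTE(review): the ingress gateway only accepts traffic on ports that its
# Service/Deployment actually expose (80/443/15021 by default). Non-standard
# ports like 99 and 77 need to be added to the istio-ingressgateway Service as
# well, which may be why the test below is still unresolved.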
mode选项介绍:
在 Istio 中,当配置 Gateway 的 TLS 设置时,tls.mode 选项用于指定 TLS 连接的模式。tls.mode 可以设置为以下几种模式之一:
在 Istio Gateway 中配置 TLS 模式时,根据您的安全需求和环境,选择适当的 tls.mode 设置是很重要的。您可以根据实际情况选择 SIMPLE、MUTUAL 或 ISTIO_MUTUAL 模式,以保障通信的安全性和完整性。
此处配置访问测试【问题暂时还未解决】
案例项目地址:https://gitee.com/zhouwei1996/spring-cloud-bookinfo.git
此处小编不进行演示给出关键gitlab-ci.yml流水线脚本,可根据实际情况改造
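variables:
  KUBECONFIG: /etc/deploy/config
  MAVEN_OPTS: >-
    -Dmaven.repo.local=/builds/maven
    -Dorg.slf4j.simpleLogger.showDateTime=true
    -Djava.awt.headless=true
  # NOTE(review): defined but never passed to mvn below; add $MAVEN_CLI_OPTS to
  # the mvn command if these flags are wanted.
  MAVEN_CLI_OPTS: >-
    --batch-mode
    --errors
    --fail-at-end
    --show-version
    --no-transfer-progress
    -DinstallAtEnd=true
    -DdeployAtEnd=true
  # Custom registry mirror (optional).
  # DOCKER_REGISTRY_MIRROR: https://registry.example.com
  DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  DOCKER_DRIVER: overlay
  # Immutable per-commit tag. With the original fixed `:latest` tag
  # `kustomize edit set image` never changed the manifests, so the deploy
  # commit had nothing to commit and Argo CD had nothing new to sync.
  IMAGE_TAG: $CI_COMMIT_SHORT_SHA

stages:
  - package
  - build
  - deploy

package:
  stage: package
  image: maven:3.6.3-jdk-8
  # NOTE(review): the runner in this article is registered with tag "shared";
  # jobs tagged "k8s" only run if a runner carries that tag.
  tags:
    - k8s
  script:
    # -Dmaven.test.skip=true skips compiling and running tests entirely; keep
    # only if tests run elsewhere in the pipeline.
    - mvn clean package -Dmaven.test.skip=true
    # /builds is a PVC shared by all jobs (see the runner config), so stage the
    # artifacts there for the following jobs.
    - rm -rf /builds/project-target/reviews
    - rm -rf /builds/project-target/productpage
    - cp -rf ./reviews /builds/project-target
    - cp -rf ./productpage /builds/project-target

docker-build:
  stage: build
  image: docker:cli
  # NOTE(review): the runner already mounts the host docker.sock into job pods;
  # a dind service is redundant in that setup. Pin the version if it is kept.
  services:
    - docker:latest
  tags:
    - k8s
  script:
    - cd /builds/project-target
    # Read the password from stdin so it does not appear in the job log or in
    # `ps` output. $aliimarepo_user/$aliimarepo_password must be masked
    # CI variables (a registry access token is preferable to the account password).
    - echo "$aliimarepo_password" | docker login -u "$aliimarepo_user" --password-stdin registry.cn-hangzhou.aliyuncs.com
    - docker build -t registry.cn-hangzhou.aliyuncs.com/yxymzw/productpage:$IMAGE_TAG -f ./productpage/Dockerfile ./productpage/
    - docker push registry.cn-hangzhou.aliyuncs.com/yxymzw/productpage:$IMAGE_TAG
    - docker build -t registry.cn-hangzhou.aliyuncs.com/yxymzw/reviews:$IMAGE_TAG -f ./reviews/Dockerfile ./reviews/
    # The original pushed productpage a second time here and never pushed reviews.
    - docker push registry.cn-hangzhou.aliyuncs.com/yxymzw/reviews:$IMAGE_TAG

deploy:
  stage: deploy
  image: cnych/kustomize:v1.0
  before_script:
    - git config --global user.email "gitlab@git.k8s.local"
    - git config --global user.name "GitLab CI/CD"
    # Supply Git credentials through a helper instead of embedding them in the
    # clone URL: the URL form ends up in the job log and in .git/config on the
    # shared /builds PVC, readable by every later job. $gitlab_user/$gitlab_password
    # must be masked CI variables; a project access token with write_repository
    # is preferable to a user password.
    - |
      git config --global credential.helper \
        '!f() { echo "username=${gitlab_user}"; echo "password=${gitlab_password}"; }; f'
  script:
    - cd /builds/project-target
    - rm -rf ./kustomize
    - git clone http://192.168.31.3:83/root/kustomize.git
    - cd /builds/project-target/kustomize/kustomize-bookinfo-productpage/overlay/dev
    - kustomize edit set image registry.cn-hangzhou.aliyuncs.com/yxymzw/productpage:$IMAGE_TAG
    - kustomize build > ../../build/build.yaml
    # Absolute path: the original `cd ./kustomize/...` was relative to the
    # productpage overlay directory and could not resolve.
    # NOTE(review): the tree earlier in the article shows reviews overlays named
    # v1/v2, not dev; confirm which overlay the pipeline should update.
    - cd /builds/project-target/kustomize/kustomize-bookinfo-reviews/overlay/dev
    - kustomize edit set image registry.cn-hangzhou.aliyuncs.com/yxymzw/reviews:$IMAGE_TAG
    - kustomize build > ../../build/build.yaml
    - cd /builds/project-target/kustomize
    # Directory names follow the tree shown earlier (kustomize-bookinfo-*); the
    # original added kustomize-productpage/ and kustomize-reviews/, which do not exist.
    - git add ./kustomize-bookinfo-productpage/ ./kustomize-bookinfo-reviews/
    - git commit -m "image update to $IMAGE_TAG"
    - git push -u origin main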