JumpServer-v2.20.0迁移到K8S运行
JumpServer-v2.20.0迁移K8S运行
yaml: 相关链接:https://gitee.com/jiayu997/kubernetes/blob/master/Jumpserver-v2.20.0/Jumpserver.tar.gz
测试环境
主机 | IP 地址 | 角色 |
---|---|---|
k8s-master-1 | 192.168.0.10 | MASTER节点 |
k8s-node-1 | 192.168.0.11 | WORK节点 |
k8s-nfs | 192.168.0.55 | 提供NFS存储 |
实际效果
jms_configmap
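# [root@k8s-master-1 yaml]# cat jms_configmap.yaml
#
# Namespace plus the two ConfigMaps every other manifest on this page reads:
#   jms-config       : MYSQL_DATABASE, my.cnf, redis.conf, nginx.conf (mounted as files)
#   jms-core-config  : environment for core / celery / koko / lion (loaded via envFrom)
apiVersion: v1
kind: Namespace
metadata:
  name: jms
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: jms-config
  namespace: jms
data:
  MYSQL_DATABASE: "jumpserver"
  # Mounted by jms_mysql.yaml as /etc/mysql/my.cnf. No resources.requests/limits
  # are set on the MySQL pod, so the 1 GiB buffer pool below is not reserved on
  # the node by the scheduler.
  my.cnf: |
    [mysqld]
    basedir=/usr/
    datadir=/var/lib/mysql
    pid-file=/var/run/mysqld/mysqld.pid
    socket=/var/run/mysqld/mysqld.sock
    port=3306
    user=mysql
    log_error=/var/lib/mysql/mysql-error.log
    slow-query-log-file=/var/lib/mysql/mysql-slow.log
    log_bin=/var/lib/mysql/mysql-bin.log
    relay-log=/var/lib/mysql/mysql-relay-bin
    server-id=1
    innodb_buffer_pool_size=1024M
    innodb_log_buffer_size=16M
    key_buffer_size=128M
    query_cache_size=256M
    tmp_table_size=128M
    binlog_format=mixed
    skip-external-locking
    skip-name-resolve
    character-set-server=utf8
    collation-server=utf8_bin
    max_allowed_packet=16M
    thread_cache_size=256
    table_open_cache=4096
    back_log=1024
    max_connect_errors=100000
    interactive_timeout=1800
    wait_timeout=1800
    max_connections=2048
    sort_buffer_size=16M
    join_buffer_size=4M
    read_buffer_size=4M
    read_rnd_buffer_size=16M
    binlog_cache_size=2M
    thread_stack=192K
    max_heap_table_size=128M
    myisam_sort_buffer_size=128M
    bulk_insert_buffer_size=256M
    open_files_limit=65535
    query_cache_limit=2M
    slow-query-log
    long_query_time=2
    expire_logs_days=3
    max_binlog_size=1000M
    slave_parallel_workers=4
    log-slave-updates
    binlog_ignore_db=mysql
    replicate_wild_ignore_table=mysql.%
    sync_binlog=1
    innodb_file_per_table=1
    innodb_flush_method=O_DIRECT
    innodb_buffer_pool_instances=4
    innodb_log_file_size=512M
    innodb_log_files_in_group=3
    innodb_open_files=4000
    innodb_read_io_threads=8
    innodb_write_io_threads=8
    innodb_thread_concurrency=8
    innodb_io_capacity=2000
    innodb_io_capacity_max=6000
    innodb_lru_scan_depth=2000
    innodb_max_dirty_pages_pct=85
    innodb_flush_log_at_trx_commit=2
    sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
    [mysqldump]
    quick
    quote-names
    max_allowed_packet=16M
    [client]
    default-character-set=utf8
    [mysql]
    default-character-set=utf8
    [isamchk]
    key_buffer=128M
    sort_buffer_size=4M
    read_buffer=2M
    write_buffer=2M
    [myisamchk]
    key_buffer=128M
    sort_buffer_size=4M
    read_buffer=2M
    write_buffer=2M
  # Mounted by jms_redis.yaml as /etc/redis.conf; requirepass is added at start-up
  # from the REDIS_PASSWORD Secret, so it is deliberately absent here.
  redis.conf: |
    daemonize no
    # 0.0.0.0 makes Redis reachable from every pod in the cluster; the only
    # protection is requirepass. Add a NetworkPolicy that limits ingress on 6379
    # to the jms-core / jms-celery pods.
    bind 0.0.0.0
    port 6379
    timeout 300
    databases 16
    save 900 1
    save 300 10
    save 60 10000
    dbfilename dump.rdb
    rdbcompression yes
    dir /data
    # The original file set loglevel twice (notice, then warning); Redis keeps
    # the last one, so only the effective value is kept.
    loglevel warning
    logfile "/data/redis.log"
    maxclients 20480
    maxmemory 2g
    maxmemory-policy allkeys-lru
    appendonly no
    appendfilename "appendonly.aof"
    appendfsync no
  # Mounted by jms_nginx.yaml as /etc/nginx/conf.d/default.conf. Upstreams are
  # the headless Services defined on this page; nginx resolves those names once
  # at start-up, so it fails to start while a backend has no ready pod yet.
  nginx.conf: |
    server {
        listen 80;
        client_max_body_size 4096m;

        location /ui/ {
            try_files $uri / /index.html;
            alias /opt/lina/;
        }

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;
        }

        location /download/ {
            alias /opt/download/;
        }

        location /media/replay/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;
        }

        location /media/ {
            root /opt/jumpserver/data/;
        }

        location /static/ {
            root /opt/jumpserver/data/;
        }

        # NOTE: behind the Ingress, $remote_addr is the ingress-controller pod,
        # so X-Real-IP below is NOT the end user's address; JumpServer's login
        # audit / IP restrictions will see the controller IP unless the real
        # client address is recovered with set_real_ip_from + real_ip_header.
        location /koko/ {
            proxy_pass http://jms-koko.jms.svc.cluster.local:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /lion/ {
            proxy_pass http://jms-lion.jms.svc.cluster.local:8081;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_ignore_client_abort on;
            proxy_connect_timeout 600;
            proxy_send_timeout 600;
            proxy_read_timeout 600;
            send_timeout 6000;
        }

        # Enterprise edition only
        #location /omnidb/ {
        #    resolver 127.0.0.11 valid=30s;
        #    set $upstream http://omnidb:8082;
        #    proxy_pass $upstream$request_uri;
        #    proxy_buffering off;
        #    proxy_http_version 1.1;
        #    proxy_set_header Upgrade $http_upgrade;
        #    proxy_set_header Connection $http_connection;
        #    proxy_set_header X-Real-IP $remote_addr;
        #    proxy_set_header Host $host;
        #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #}

        location /ws/ {
            proxy_pass http://jms-core.jms.svc.cluster.local:8070;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /api/ {
            proxy_pass http://jms-core.jms.svc.cluster.local:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /core/ {
            proxy_pass http://jms-core.jms.svc.cluster.local:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location / {
            rewrite ^/(.*)$ /ui/$1 last;
        }
    }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: jms-core-config
  namespace: jms
data:
  # SECURITY: SECRET_KEY, BOOTSTRAP_TOKEN, DB_PASSWORD and REDIS_PASSWORD are
  # credentials, but a ConfigMap is readable by anyone with `get configmaps` in
  # the namespace and is not covered by Secret encryption-at-rest or Secret RBAC.
  # Move them into a Secret (jms-secret) loaded with envFrom.secretRef and delete
  # the copies here. The values below are the ones published with this page:
  # generate fresh ones before any real deployment, and pick SECRET_KEY once,
  # before the first start.
  SECRET_KEY: "ZWNjNzRkNTYtYWVmOS1jMjE3LWRlNmEtNDI0Zjk2ZWMxYzJk"
  BOOTSTRAP_TOKEN: "ZWNjNzRkNTYtYWVmOS1jMjE3"
  LOG_LEVEL: "ERROR"
  # MySQL: USE_EXTERNAL_MYSQL=1 means "use the MySQL described here" (the
  # jms-mysql Service from jms_mysql.yaml).
  USE_EXTERNAL_MYSQL: "1"
  DB_HOST: "jms-mysql.jms.svc.cluster.local"
  DB_PORT: "3306"
  # SECURITY: the application logs in as the MySQL root account. Create a
  # dedicated account limited to the jumpserver database and use it here.
  DB_USER: "root"
  DB_PASSWORD: "jumpserver"
  DB_NAME: "jumpserver"
  ## Redis: USE_EXTERNAL_REDIS=1 means "use the Redis described here"
  USE_EXTERNAL_REDIS: "1"
  REDIS_HOST: "jms-redis.jms.svc.cluster.local"
  REDIS_PORT: "6379"
  REDIS_PASSWORD: "jumpserver"
  # Nginx / listener ports
  HTTP_PORT: "80"
  SSH_PORT: "2222"
  RDP_PORT: "3389"
  # Task: whether the jms_celery container runs; mandatory on a single node
  USE_TASK: "1"
  # XPack: USE_XPACK=1 enables it; has no effect on the open-source edition
  USE_XPACK: "0"
  # Core session settings: SESSION_COOKIE_AGE = idle seconds before a session
  # expires; SESSION_EXPIRE_AT_BROWSER_CLOSE=true expires it when the browser closes
  # SESSION_COOKIE_AGE: 86400
  SESSION_EXPIRE_AT_BROWSER_CLOSE: "true"
  # Koko / Lion / XRDP components: where to reach core
  CORE_HOST: "http://jms-core.jms.svc.cluster.local:8080"
  # Lion: enable font smoothing
  JUMPSERVER_ENABLE_FONT_SMOOTHING: "true"
  # Nginx upload size limit
  CLIENT_MAX_BODY_SIZE: "4096m"
  # Terminal components identify themselves by host name.
  # NOTE: Kubernetes does not expand ${HOSTNAME} inside ConfigMap data (the
  # docker-compose deployment this was ported from did), so unless the component
  # expands it itself every pod reports the literal string "${HOSTNAME}". To pass
  # the pod name, set SERVER_HOSTNAME in the Deployment with
  # env.valueFrom.fieldRef (fieldPath: metadata.name) instead.
  SERVER_HOSTNAME: "${HOSTNAME}"
  # Extra
  CURRENT_VERSION: "v2.20.0"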
jms_secret
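# [root@k8s-master-1 yaml]# cat jms_secret.yaml
#
# SECURITY: base64 is an encoding, not encryption - anyone who can read this
# file or run `kubectl -n jms get secret jms-secret -o yaml` recovers the
# values. Keep the manifest out of version control, enable encryption at rest
# (or an external secret store), and RBAC-restrict `get secrets` in the jms
# namespace. The values below are the well-known default "jumpserver"
# (echo -n "jumpserver" | base64); replace them with generated ones, e.g.
# `openssl rand -base64 24`.
apiVersion: v1
kind: Secret
metadata:
  name: jms-secret
  namespace: jms
type: Opaque
data:
  MYSQL_ROOT_PASSWORD: "anVtcHNlcnZlcg=="
  REDIS_PASSWORD: "anVtcHNlcnZlcg=="
# The credentials that jms-core-config still carries as plain ConfigMap keys.
# stringData is base64-encoded by the API server, so they are written as-is and
# end up as ordinary keys of this Secret. Intended cut-over: core/celery load
# this Secret with envFrom.secretRef; koko/lion take only BOOTSTRAP_TOKEN via
# env.valueFrom.secretKeyRef (they do not need the database credentials); then
# the copies are deleted from jms-core-config.
stringData:
  SECRET_KEY: "ZWNjNzRkNTYtYWVmOS1jMjE3LWRlNmEtNDI0Zjk2ZWMxYzJk"
  BOOTSTRAP_TOKEN: "ZWNjNzRkNTYtYWVmOS1jMjE3"
  DB_PASSWORD: "jumpserver"
---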
jms_mysql
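# [root@k8s-master-1 yaml]# cat jms_mysql.yaml
#
# Single-replica MySQL on NFS. The data directory lives on an unauthenticated
# NFS export (192.168.0.55), so anyone who can mount it reads the database
# files and binlogs; restrict the export to the node IPs at minimum.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-mysql
  namespace: jms
spec:
  minReadySeconds: 30
  # MySQL on a shared datadir must never run two instances at once; keep 1.
  replicas: 1
  selector:
    matchLabels:
      app: jms-mysql
  template:
    metadata:
      name: jms-mysql
      labels:
        app: jms-mysql
    spec:
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      containers:
        - name: jms-mysql
          image: jumpserver/mysql:5
          # Never: the image has to be pre-loaded on every node the pod may land on.
          imagePullPolicy: Never
          env:
            - name: MYSQL_DATABASE
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: MYSQL_DATABASE
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jms-secret
                  key: MYSQL_ROOT_PASSWORD
          command: ["docker-entrypoint.sh"]
          args: ["--character-set-server=utf8"]
          readinessProbe:
            periodSeconds: 10
            failureThreshold: 3
            successThreshold: 1
            timeoutSeconds: 5
            initialDelaySeconds: 30
            exec:
              # The original probe used -P$DB_PORT, but DB_PORT is not defined in
              # this container's env (only MYSQL_DATABASE and MYSQL_ROOT_PASSWORD
              # are), so -P received an empty value; the port is fixed by my.cnf
              # and written literally. The password is passed via MYSQL_PWD so it
              # does not appear in the probe's process arguments.
              command:
                - /bin/bash
                - -c
                - MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -h127.0.0.1 -P3306 -uroot -e 'SHOW DATABASES;'
          volumeMounts:
            - name: jms-nfs
              mountPath: /var/lib/mysql
            # Mounting a ConfigMap volume over /etc/mysql hides everything the
            # image ships there (e.g. a conf.d/ directory); only my.cnf remains.
            # Verify the image reads /etc/mysql/my.cnf - otherwise mount the file
            # with subPath at the path the image expects.
            - name: jms-my-cnf
              mountPath: /etc/mysql
      volumes:
        - name: jms-nfs
          nfs:
            path: /Jumpserver/mysql
            server: 192.168.0.55
        - name: jms-my-cnf
          configMap:
            name: jms-config
            items:
              - key: my.cnf
                path: my.cnf
---
# Headless Service: DNS returns the pod IP directly (used as DB_HOST by core).
apiVersion: v1
kind: Service
metadata:
  name: jms-mysql
  namespace: jms
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: jms-mysql
  ports:
    - name: jms-mysql-3306
      protocol: TCP
      port: 3306
      targetPort: 3306
    # 33060 is the X Protocol port; nothing on this page uses it, so it can be
    # dropped to shrink the reachable surface.
    - name: jms-mysql-33060
      protocol: TCP
      port: 33060
      targetPort: 33060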
jms_redis
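# [root@k8s-master-1 yaml]# cat jms_redis.yaml
#
# Single-replica Redis with RDB persistence on NFS (/data). redis.conf comes
# from the jms-config ConfigMap; the password comes from the jms-secret Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-redis
  namespace: jms
spec:
  minReadySeconds: 30
  replicas: 1
  selector:
    matchLabels:
      app: jms-redis
  template:
    metadata:
      name: jms-redis
      labels:
        app: jms-redis
    spec:
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      containers:
        - name: jms-redis
          image: jumpserver/redis:6-alpine
          imagePullPolicy: Never
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jms-secret
                  key: REDIS_PASSWORD
          # The original started redis-server with `--requirepass $REDIS_PASSWORD`
          # on the command line, which exposes the password to anything that can
          # read process arguments (`ps` on the node, /proc/*/cmdline, a pod with
          # hostPID). Instead the config is fed to redis-server on stdin ("-")
          # with requirepass appended, and exec keeps redis as the process that
          # receives the pod's SIGTERM.
          command:
            - /bin/sh
            - -c
            - |
              exec redis-server - <<EOF
              $(cat /etc/redis.conf)
              requirepass $REDIS_PASSWORD
              EOF
          readinessProbe:
            periodSeconds: 10
            failureThreshold: 3
            successThreshold: 1
            timeoutSeconds: 5
            initialDelaySeconds: 10
            exec:
              # REDISCLI_AUTH replaces `-a $REDIS_PASSWORD` for the same reason:
              # the password stays out of the probe's argv.
              command:
                - /bin/sh
                - -c
                - REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli -h 127.0.0.1 -p 6379 info Replication
          volumeMounts:
            - name: jms-nfs
              mountPath: /data
            - name: jms-redis-config
              mountPath: /etc/redis.conf
              subPath: redis.conf
      volumes:
        - name: jms-nfs
          nfs:
            path: /Jumpserver/redis
            server: 192.168.0.55
        - name: jms-redis-config
          configMap:
            name: jms-config
---
# Headless Service used as REDIS_HOST by core/celery.
apiVersion: v1
kind: Service
metadata:
  name: jms-redis
  namespace: jms
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: jms-redis
  ports:
    - protocol: TCP
      port: 6379
      targetPort: 6379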
jms_core
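# [root@k8s-master-1 yaml]# cat jms_core.yaml
#
# JumpServer core (web API + websocket). Its data directory (session replays,
# uploaded media, collected static files) is on NFS and is shared with the
# nginx pod, which serves /media/ and /static/ from it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-core
  namespace: jms
spec:
  minReadySeconds: 90
  replicas: 1
  selector:
    matchLabels:
      app: jms-core
  template:
    metadata:
      name: jms-core
      labels:
        app: jms-core
    spec:
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      containers:
        - name: jms-core
          image: jumpserver/core:v2.20.0
          # Never: the image has to be pre-loaded on every node the pod may land on.
          imagePullPolicy: Never
          tty: true
          envFrom:
            - configMapRef:
                name: jms-core-config
            # Listed after the ConfigMap: when a key exists in both sources the
            # last one wins, so any credential moved from jms-core-config into
            # jms-secret takes effect without further changes here. This pod
            # already holds the MySQL root password as DB_PASSWORD, so exposing
            # MYSQL_ROOT_PASSWORD to it adds nothing new.
            - secretRef:
                name: jms-secret
          # command does not get a shell by default; bash -c gives `jms` the
          # environment above.
          command: ["/bin/bash", "-c", "python jms start web"]
          readinessProbe:
            periodSeconds: 10
            failureThreshold: 3
            successThreshold: 1
            timeoutSeconds: 5
            initialDelaySeconds: 90
            exec:
              command: ["/bin/sh", "-c", "curl -fsL http://localhost:8080/api/health/ > /dev/null"]
          volumeMounts:
            - name: jms-nfs-data
              mountPath: /opt/jumpserver/data
            - name: jms-nfs-logs
              mountPath: /opt/jumpserver/logs
      volumes:
        - name: jms-nfs-data
          nfs:
            path: /Jumpserver/core/data
            server: 192.168.0.55
        - name: jms-nfs-logs
          nfs:
            path: /Jumpserver/core/logs
            server: 192.168.0.55
---
# Headless Service: nginx proxies /ws/ to 8070 and /api/, /core/ to 8080;
# koko/lion reach 8080 via CORE_HOST.
apiVersion: v1
kind: Service
metadata:
  name: jms-core
  namespace: jms
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: jms-core
  ports:
    - name: jms-core-8070
      protocol: TCP
      port: 8070
      targetPort: 8070
    - name: jms-core-8080
      protocol: TCP
      port: 8080
      targetPort: 8080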
jms_celery
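# [root@k8s-master-1 yaml]# cat jms_celery.yaml
#
# Task worker: same image and environment as jms-core, started with
# `jms start task`, sharing core's NFS data/logs directories.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-celery
  namespace: jms
spec:
  minReadySeconds: 30
  replicas: 1
  selector:
    matchLabels:
      app: jms-celery
  template:
    metadata:
      name: jms-celery
      labels:
        app: jms-celery
    spec:
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      containers:
        - name: jms-celery
          image: jumpserver/core:v2.20.0
          imagePullPolicy: Never
          tty: true
          envFrom:
            - configMapRef:
                name: jms-core-config
            # Listed after the ConfigMap so Secret values win for any key present
            # in both; lets credentials move from jms-core-config into jms-secret
            # without touching this Deployment again. Like core, this pod already
            # holds the MySQL root password as DB_PASSWORD.
            - secretRef:
                name: jms-secret
          # command does not get a shell by default; bash -c gives `jms` the
          # environment above.
          command: ["/bin/bash", "-c", "python jms start task"]
          readinessProbe:
            periodSeconds: 10
            failureThreshold: 3
            successThreshold: 1
            timeoutSeconds: 5
            initialDelaySeconds: 30
            exec:
              command: ["/bin/bash", "-c", "bash /opt/jumpserver/utils/check_celery.sh"]
          volumeMounts:
            - name: jms-nfs-data
              mountPath: /opt/jumpserver/data
            - name: jms-nfs-logs
              mountPath: /opt/jumpserver/logs
      volumes:
        - name: jms-nfs-data
          nfs:
            path: /Jumpserver/core/data
            server: 192.168.0.55
        - name: jms-nfs-logs
          nfs:
            path: /Jumpserver/core/logs
            server: 192.168.0.55
---
# Nothing on this page sends traffic to jms-celery (nginx proxies /ws/ and /api/
# to jms-core, and CORE_HOST points at jms-core), so this Service appears to be
# a copy of jms-core's. If `jms start task` opens no listener on 8070/8080 it
# can be removed.
apiVersion: v1
kind: Service
metadata:
  name: jms-celery
  namespace: jms
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: jms-celery
  ports:
    - name: jms-celery-8070
      protocol: TCP
      port: 8070
      targetPort: 8070
    - name: jms-celery-8080
      protocol: TCP
      port: 8080
      targetPort: 8080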
jms_koko
# [root@k8s-master-1 yaml]# cat jms_koko.yaml
#
# Koko: SSH/terminal gateway. It registers with core using BOOTSTRAP_TOKEN and
# CORE_HOST from jms-core-config (that ConfigMap also hands it DB/Redis
# credentials it does not need; BOOTSTRAP_TOKEN alone, taken from a Secret
# via env.valueFrom.secretKeyRef, would be the least-privilege shape).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-koko
  namespace: jms
spec:
  minReadySeconds: 10
  replicas: 1
  selector:
    matchLabels:
      app: jms-koko
  template:
    metadata:
      name: jms-koko
      labels:
        app: jms-koko
    spec:
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      containers:
        - name: jms-koko
          image: jumpserver/koko:v2.20.0
          imagePullPolicy: Never
          tty: true
          envFrom:
            - configMapRef:
                name: jms-core-config
          readinessProbe:
            periodSeconds: 10
            failureThreshold: 3
            successThreshold: 1
            timeoutSeconds: 5
            initialDelaySeconds: 10
            exec:
              command: ["/bin/sh", "-c", "curl -fsL http://localhost:5000/koko/health/ > /dev/null"]
          volumeMounts:
            - name: jms-nfs-koko
              mountPath: /opt/koko/data
      volumes:
        - name: jms-nfs-koko
          nfs:
            path: /Jumpserver/koko/data
            server: 192.168.0.55
---
# Headless ClusterIP Service. Only 5000 (web terminal, proxied by nginx at
# /koko/) is reachable through the Ingress; 2222 (native SSH) is cluster-
# internal here - clients outside the cluster need a NodePort/LoadBalancer
# Service for it, which this page does not define.
apiVersion: v1
kind: Service
metadata:
  name: jms-koko
  namespace: jms
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: jms-koko
  ports:
    - name: jms-koko-2222
      protocol: TCP
      port: 2222
      targetPort: 2222
    - name: jms-koko-5000
      protocol: TCP
      port: 5000
      targetPort: 5000
jms_lion
# [root@k8s-master-1 yaml]# cat jms_lion.yaml
#
# Lion: RDP/VNC (guacamole-based) gateway. Registers with core using
# BOOTSTRAP_TOKEN and CORE_HOST from jms-core-config; as with koko, that
# ConfigMap also hands it DB/Redis credentials it has no use for.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-lion
  namespace: jms
spec:
  minReadySeconds: 10
  replicas: 1
  selector:
    matchLabels:
      app: jms-lion
  template:
    metadata:
      name: jms-lion
      labels:
        app: jms-lion
    spec:
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      containers:
        - name: jms-lion
          image: jumpserver/lion:v2.20.0
          imagePullPolicy: Never
          tty: true
          envFrom:
            - configMapRef:
                name: jms-core-config
          readinessProbe:
            periodSeconds: 10
            failureThreshold: 3
            successThreshold: 1
            timeoutSeconds: 5
            initialDelaySeconds: 10
            exec:
              command: ["/bin/sh", "-c", "curl -fsL http://localhost:8081/lion/health/ > /dev/null"]
          volumeMounts:
            - name: jms-nfs-lion
              mountPath: /opt/lion/data
      volumes:
        - name: jms-nfs-lion
          nfs:
            path: /Jumpserver/lion/data
            server: 192.168.0.55
---
apiVersion: v1
kind: Service
metadata:
  name: jms-lion
  namespace: jms
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: jms-lion
  ports:
    # 4822 is the guacd port; nothing else on this page connects to it from
    # outside the pod, so it could be left off the Service.
    - name: jms-lion-4822
      protocol: TCP
      port: 4822
      targetPort: 4822
    # The Dockerfile does not EXPOSE 8081, but nginx proxies /lion/ here, so
    # the Service publishes it.
    - name: jms-lion-8081
      protocol: TCP
      port: 8081
      targetPort: 8081
jms_nginx
# [root@k8s-master-1 yaml]# cat jms_nginx.yaml
#
# Front nginx (jumpserver/web image: lina/luna static bundles + the
# nginx.conf from jms-config). It is the only Service the Ingress targets.
#
# NOTE: the `kubectl get pods` output further down shows RESTARTS 4 for this
# pod and 0 for the rest. A likely cause is that nginx.conf uses literal
# proxy_pass hostnames of headless Services (jms-core, jms-koko, jms-lion);
# nginx resolves them at start-up and exits if a name has no record yet, which
# is the case until those pods are Ready. Using a `resolver` plus a variable
# upstream (as the commented-out /omnidb/ block in nginx.conf does), or a
# normal ClusterIP Service, avoids the crash loop.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-nginx
  namespace: jms
spec:
  minReadySeconds: 180
  replicas: 1
  selector:
    matchLabels:
      app: jms-nginx
  template:
    metadata:
      name: jms-nginx
      labels:
        app: jms-nginx
    spec:
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      containers:
        - name: jms-nginx
          image: jumpserver/web:v2.20.0
          imagePullPolicy: Never
          tty: true
          readinessProbe:
            periodSeconds: 10
            failureThreshold: 3
            successThreshold: 1
            timeoutSeconds: 5
            initialDelaySeconds: 50
            exec:
              # "/" is rewritten to /ui/ by nginx.conf, so this serves lina's index.html.
              command: ["/bin/sh", "-c", "curl -fsL http://localhost/ > /dev/null"]
          volumeMounts:
            # Core's data directory; nginx.conf only reads it (/media/, /static/,
            # /media/replay/). If the web image does not write here at start-up,
            # `readOnly: true` on this mount would be the least-privilege choice.
            - name: jms-core-data
              mountPath: /opt/jumpserver/data
            - name: jms-nginx-logs
              mountPath: /var/log/nginx
            - name: jms-nginx-config
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: nginx.conf
      volumes:
        - name: jms-core-data
          nfs:
            path: /Jumpserver/core/data
            server: 192.168.0.55
        - name: jms-nginx-logs
          nfs:
            path: /Jumpserver/nginx/data/logs
            server: 192.168.0.55
        - name: jms-nginx-config
          configMap:
            name: jms-config
---
# Headless Service targeted by jms-ingress; plain HTTP inside the cluster,
# TLS terminates at the ingress controller.
apiVersion: v1
kind: Service
metadata:
  name: jms-nginx
  namespace: jms
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: jms-nginx
  ports:
    - name: jms-nginx
      protocol: TCP
      port: 80
      targetPort: 80
jms_ingress
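# [root@k8s-master-1 yaml]# cat jms_ingress.yaml
#
# TLS entry point (ingress-nginx). Everything under / goes to the jms-nginx
# Service, which fans out to core/koko/lion.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jms-ingress
  namespace: jms
  annotations:
    # Legacy class selector, kept for older ingress-nginx releases; current
    # releases use spec.ingressClassName (the annotation is deprecated).
    kubernetes.io/ingress.class: "nginx"
    # Redirect HTTP to HTTPS; only effective once the TLS secret below exists.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Matches client_max_body_size / CLIENT_MAX_BODY_SIZE in the inner nginx.
    nginx.ingress.kubernetes.io/proxy-body-size: "4096m"
    # koko/lion web sessions are long-lived WebSocket connections; the inner
    # nginx.conf already allows 600s for /lion/, so give the edge the same
    # budget rather than ingress-nginx's default read/send timeout.
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # AEAD-only, forward-secret suites.
    nginx.ingress.kubernetes.io/ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
spec:
  ingressClassName: nginx
  tls:
    # jms-ingress must be a kubernetes.io/tls Secret in the jms namespace holding
    # the certificate for the host below. This page never creates it; without it
    # ingress-nginx serves its default (self-signed) certificate, e.g.:
    #   kubectl -n jms create secret tls jms-ingress --cert=tls.crt --key=tls.key
    - hosts:
        - www.jumpserver.com
      secretName: jms-ingress
  rules:
    # www.jumpserver.com is the vendor's domain, used here as a placeholder;
    # replace it with a name you control and that the certificate covers.
    - host: www.jumpserver.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jms-nginx
                port:
                  number: 80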
运行
[root@k8s-master-1 yaml]# kubectl apply -f jms_configmap.yaml
namespace/jms created
configmap/jms-config created
configmap/jms-core-config created
[root@k8s-master-1 yaml]# kubectl apply -f jms_secret.yaml
secret/jms-secret created
[root@k8s-master-1 yaml]# kubectl apply -f jms_mysql.yaml
deployment.apps/jms-mysql created
service/jms-mysql created
[root@k8s-master-1 yaml]# kubectl apply -f jms_redis.yaml
deployment.apps/jms-redis created
service/jms-redis created
[root@k8s-master-1 yaml]# kubectl apply -f jms_core.yaml
deployment.apps/jms-core created
service/jms-core created
[root@k8s-master-1 yaml]# kubectl apply -f jms_celery.yaml
deployment.apps/jms-celery created
service/jms-celery created
[root@k8s-master-1 yaml]# kubectl apply -f jms_koko.yaml
deployment.apps/jms-koko created
service/jms-koko created
[root@k8s-master-1 yaml]# kubectl apply -f jms_lion.yaml
deployment.apps/jms-lion created
service/jms-lion created
[root@k8s-master-1 yaml]# kubectl apply -f jms_nginx.yaml
deployment.apps/jms-nginx created
service/jms-nginx created
[root@k8s-master-1 yaml]# kubectl apply -f jms_ingress.yaml
ingress.networking.k8s.io/jms-ingress created
# 查看状态
[root@k8s-master-1 yaml]# kubectl get pods -n jms
NAME                          READY   STATUS    RESTARTS   AGE
jms-celery-b59bd98f8-m8wsz    1/1     Running   0          7m14s
jms-core-67ffc475b6-6hgps     1/1     Running   0          7m18s
jms-koko-69c9557bd6-4mzsz     1/1     Running   0          7m5s
jms-lion-7b57997486-n445g     1/1     Running   0          6m59s
jms-mysql-5898bb7d79-947gg    1/1     Running   0          7m27s
jms-nginx-cf4bf56f6-pfbv5     1/1     Running   4          6m52s
jms-redis-57b8b7b9f-8nchq     1/1     Running   0          7m23s
注意 jms-nginx 的 RESTARTS 为 4：nginx.conf 中 proxy_pass 直接写了 headless Service 的域名，nginx 启动时会解析这些域名，而 headless Service 在后端 Pod 就绪前没有 DNS 记录，因此 nginx 很可能在 core/koko/lion 就绪之前反复启动失败，待它们就绪后自行恢复；若要避免，可在 nginx.conf 中使用 resolver + 变量形式的 upstream（参考配置中注释掉的 /omnidb/ 写法），或将这些 Service 改为普通 ClusterIP。