A walk through a Yunxiao (云效) + k8s deployment pipeline

Introduction

I spent about two weeks going through all of k8s, from drowning in the ocean of knowledge to the illusion of having climbed ashore. This short log is a summary of those two weeks.

What this article covers

  • The basics of k8s
  • Deploying a minimal, runnable k8s cluster
  • The overall flow of a continuous-integration deployment based on Alibaba Cloud Yunxiao
  • Some pitfalls I ran into

Prerequisites

  • Basic Linux knowledge and the ability to use common commands
  • Docker basics and the ability to write a Dockerfile
  • Git basics; the release flow depends on it
  • About 20 yuan, to try the whole flow on JD Cloud with pay-as-you-go billing

Also involved is Alibaba's set of release and deployment platforms:

Code repository
Yunxiao
Image registry

Basics

What is k8s

k8s is short for kubernetes, so named because there are exactly 8 letters between the k and the s. It is a tool built specifically for service containers, and one of the options for putting microservices and similar popular technologies into practice. It provides solutions for the following scenarios:

  • Load balancing
  • Service discovery and scheduling
  • Service self-healing
  • Dynamic scaling of services

Components

ps: I am a newcomer with only two weeks of exposure, so the sections below focus on operations, with explanation as a secondary goal. Corrections to any inaccurate descriptions of the basic components below are welcome.

Pod

The soul of k8s: a pod is the smallest unit that carries containers. We generally don't operate on pods directly, but what we consume are the services pods provide. Managing pods is left to higher-level controllers.

Deployment

A controller that manages pod containers: you declare a number of pods and the Deployment keeps the running count equal to the desired count. It solves problems an RC (Replication Controller) could not (rolling updates and so on) and is the most commonly used pod controller today. ps: so I skip the other three.

ConfigMap

Configuration file contents or environment variables, persisted in etcd; depending on need they can be written out as a file or set as an environment variable.

Service

Provides communication between containers, which reach each other as ip+port.

Ingress-nginx-controller

An extension that has to be installed. It has quite a lot of features; see the docs for details. Its main job is load balancing and routing.

Ingress

The routing rules for ingress-nginx-controller.

Tools

minikube

Minikube is a tool that lets you easily run Kubernetes locally. Minikube runs a single-node Kubernetes cluster in a virtual machine (VM) on your laptop, for users who want to try Kubernetes or do day-to-day development.

Minikube supports the following Kubernetes features:

  • DNS
  • NodePorts
  • ConfigMaps and Secrets
  • Dashboards
  • Container runtimes: Docker, CRI-O and containerd
  • Enabling CNI (Container Network Interface)
  • Ingress

In my tests, installing Ingress from mainland China ran into many problems, even with the Alibaba Cloud mirror build of minikube.

Alibaba Cloud minikube

kubectl

The command-line tool for managing a k8s cluster.

Configuration files

Deployment.yaml

```yaml
apiVersion: apps/v1  # API version; must appear in kubectl api-versions
kind: Deployment # type of resource to create
metadata: # resource metadata
  name: lnmp # resource name, must be unique within the namespace
  namespace: default # namespace to deploy into
  labels: # resource labels
    app: lnmp-spec
    version: stable
spec: # resource spec
  replicas: 3 # desired number of replicas
  revisionHistoryLimit: 3 # number of old revisions to keep
  selector: # selector
    matchLabels: # labels to match
      app: lnmp-spec
      version: stable
  template: # pod template
    metadata: # resource metadata
      annotations: # custom annotations
        sidecar.istio.io/inject: "false" # custom annotation
      labels: # resource labels
        app: lnmp-spec
        version: stable
    spec: # resource spec
      containers:
      - name: php7 # container name
        image: registry.cn-shanghai.aliyuncs.com/zjj_test/blog:20200916133624 # container image
        volumeMounts:
        - mountPath: /www/blog/.env
          subPath: .env
          name: env
        ports:
        - name: http # port name
          containerPort: 9200 # port the container exposes
          protocol: TCP # protocol
        lifecycle:
          postStart:
            exec:
              # runs on every pod start; the Yunxiao Dockerfile below bakes this step into the image instead
              command: ["/bin/sh", "-c", "cd /www/blog && /usr/local/bin/composer install"]

      - name: nginx # container name
        image: registry.cn-shanghai.aliyuncs.com/acs-sample/nginx:latest # container image (unpinned tag: each pull may yield a different image)
        volumeMounts:
        - mountPath: /etc/nginx/conf.d
          name: nginx
        ports:
        - name: http # port name
          containerPort: 80 # port the container exposes
          protocol: TCP # protocol
      imagePullSecrets: # pull secret for the private image registry
      - name: regcred
      volumes:
      - name: www
        emptyDir: {}
      - name: nginx
        configMap:
          name: blog-nginx-config
      - name: env
        configMap:
          name: blog-env
```

Service.yaml

```yaml
apiVersion: v1
kind: Service
metadata:
  name: lnmp-net
spec:
  type: NodePort # this is a NodePort-type Service
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    app: lnmp-spec
```

Ingress-nginx-controller.yaml

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx

---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - extensions
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader-nginx
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - endpoints
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          # third-party mirror of the upstream controller image; verify it and pin by digest before relying on it
          image: registry.cn-beijing.aliyuncs.com/fcu3dx/nginx-ingress-controller:v0.35.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    rules:
      - apiGroups:
          - extensions
          - networking.k8s.io
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /extensions/v1beta1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-2.13.0
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.35.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: docker.io/jettech/kube-webhook-certgen:v1.2.2
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-2.13.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.35.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-2.13.0
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.35.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: docker.io/jettech/kube-webhook-certgen:v1.2.2
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
```

Ingress.yaml

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  backend:
    serviceName: lnmp-net
    servicePort: 80
```

configmap.yaml

```yaml
apiVersion: v1  # API version; must appear in kubectl api-versions
kind: ConfigMap # type of resource to create
metadata: # resource metadata
  name: blog-nginx-config # resource name, must be unique within the namespace
  namespace: default # namespace to deploy into
data:
  nginx.conf: |
    server {
        listen 80;

        server_name www.phpzjj.com;

        index index.html index.htm index.php;
        root /www/blog/public/;

        location / {
            try_files $uri $uri/ /index.php$is_args$query_string;
        }

        location /nginx_status
        {
            stub_status on;
            access_log off;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires 30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires 12h;
        }

        location ~ \.php(.*)$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            include fastcgi_params;
        }
    }
---
apiVersion: v1 # API version; must appear in kubectl api-versions
kind: ConfigMap # type of resource to create
metadata: # resource metadata
  name: blog-env
  namespace: default # namespace to deploy into
data:
  # APP_KEY, DB_PASSWORD, MAIL_PASSWORD and JWT_SECRET are credentials; a ConfigMap is
  # readable by anyone who can read ConfigMaps in the namespace, a Secret is their usual home
  .env: |
    APP_NAME=Laravel
    APP_ENV=local
    APP_KEY=***
    APP_DEBUG=true
    APP_URL=https://www.phpzjj.com
    LOG_CHANNEL=stack

    DB_CONNECTION=mysql
    DB_HOST=***
    DB_PORT=3306
    DB_DATABASE=blog
    DB_USERNAME=***
    DB_PASSWORD=***

    BROADCAST_DRIVER=log
    CACHE_DRIVER=file

    SESSION_DRIVER=file
    SESSION_LIFETIME=120
    QUEUE_DRIVER=sync

    REDIS_HOST=127.0.0.1
    REDIS_PASSWORD=null
    REDIS_PORT=6378

    MAIL_DRIVER=smtp
    MAIL_HOST=smtpdm.aliyun.com
    MAIL_PORT=25
    MAIL_USERNAME=admin@mail.phpzjj.com
    MAIL_PASSWORD=***
    MAIL_ENCRYPTION=null

    MAIL_FROM_ADDRESS=admin@mail.phpzjj.com
    MAIL_FROM_NAME='张俊杰的博客'

    PUSHER_APP_ID=
    PUSHER_APP_KEY=
    PUSHER_APP_SECRET=
    PUSHER_APP_CLUSTER=mt1

    MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
    MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

    JWT_SECRET=***
```



Deployment pipeline based on Alibaba Cloud Yunxiao

Because PHP needs no compile step, its deployment pipelines fall into the following categories:

  1. Straight FTP upload, common in small ad-hoc teams
  2. Push to Git first, then FTP upload
  3. Push to Git first, then a WebHook triggers a deployment script
  4. As in the diagram below: push to a deployment platform such as Yunxiao, which runs a defined flow that finally triggers the deployment script

The diagram above is actually the pipeline my blog uses right now. Nothing is done in the deployment environment itself; at build time a tool installed on the server triggers a shell script:

```bash
#!/bin/bash
codedir="/www/blog"
rdc_build_meta="origin/master"
# Pull the Git master branch
cd "$codedir" || exit 1
git fetch
git reset --hard "$rdc_build_meta"
git pull
composer install

# Clear opcache: drop a one-off PHP file under the web root, call it over HTTP, then delete it
WEBDIR="/www/blog/blog/public/"
RANDOM_NAME=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13)
echo "<?php opcache_reset(); ?>" > "${WEBDIR}${RANDOM_NAME}.php"
curl "https://www.phpzjj.com/${RANDOM_NAME}.php"
rm "${WEBDIR}${RANDOM_NAME}.php"
```

Next I will try the following build approach: publish and deploy the project code as a Docker image.

Dockerfile

Since my blog is developed locally on a Docker environment, the plan is to publish the php7 image previously built for docker compose directly as the base image.

My own PHP development environment

Of course you could also build it directly and push it to a private registry.

php7 Dockerfile

```dockerfile
FROM php:7.1-fpm-jessie

# Point apt at a domestic mirror (jessie is end-of-life; these are the mirrors the author used)
RUN mv /etc/apt/sources.list /etc/apt/sources.list.bak && \
    echo 'deb http://mirrors.163.com/debian/ jessie main non-free contrib' > /etc/apt/sources.list && \
    echo 'deb http://mirrors.163.com/debian/ jessie-updates main non-free contrib' >> /etc/apt/sources.list && \
    echo 'deb http://mirrors.163.com/debian-security/ jessie/updates main non-free contrib' >> /etc/apt/sources.list

RUN apt-get update
RUN apt-get install -y \
        libfreetype6-dev \
        libjpeg62-turbo-dev \
        libmcrypt-dev \
        libpng-dev \
        libxml2-dev \
        libmagickwand-dev \
        libmagickcore-dev \
        libgmp-dev \
    && ln -s /usr/include/x86_64-linux-gnu/gmp.h /usr/local/include/ \
    && docker-php-ext-configure gmp \
    && docker-php-ext-install -j$(nproc) gmp \
    && docker-php-ext-install -j$(nproc) iconv mcrypt \
    && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
    && docker-php-ext-install -j$(nproc) gd

# pecl seems to be blocked from here, so fetch the packages from http://pecl.php.net/ yourself
RUN curl 'http://pecl.php.net/get/redis-4.0.2.tgz' -o redis.tgz \
    && pecl install redis.tgz \
    && curl 'http://pecl.php.net/get/xdebug-2.6.0.tgz' -o xdebug.tgz \
    && pecl install xdebug.tgz \
    && curl 'http://pecl.php.net/get/swoole-4.0.2.tgz' -o swoole.tgz \
    && pecl install swoole.tgz \
    && curl 'http://pecl.php.net/get/imagick-3.4.3.tgz' -o imagick.tgz \
    && pecl install imagick.tgz \
    && pecl install grpc-1.30.0 \
    && pecl install protobuf-3.12.2 \
    && docker-php-ext-enable imagick redis xdebug swoole gmp grpc protobuf

RUN docker-php-ext-install mysqli pdo_mysql opcache \
    && curl -sS https://getcomposer.org/installer | php \
    && mv /var/www/html/composer.phar /usr/local/bin/composer \
    && composer config -g repo.packagist composer https://packagist.phpcomposer.com

# Install the scws word-segmentation extension
RUN curl 'http://www.xunsearch.com/scws/down/scws-1.2.3.tar.bz2' -o scws.tar.bz2 \
    && tar xvjf scws.tar.bz2 \
    && cd scws-1.2.3 \
    && ./configure --prefix=/usr/local/scws \
    && make \
    && make install \
    && cd phpext \
    && phpize \
    && ./configure --with-scws=/usr/local/scws \
    && make \
    && make install \
    && cd ../../ \
    && rm -rf scws scws-1.2.3.tar.bz2 \
    && docker-php-ext-enable scws \
    && echo "scws.default.charset = utf8" >> /usr/local/etc/php/conf.d/docker-php-ext-scws.ini \
    && echo "scws.default.fpath = /usr/local/scws/etc" >> /usr/local/etc/php/conf.d/docker-php-ext-scws.ini

# Install pcntl from the PHP source tree shipped in the image
RUN cd /usr/src/ \
    && mkdir /usr/src/php \
    && tar -xvf php.tar.xz -C ./php \
    && cd /usr/src/php \
    && mv * php7 \
    && cd /usr/src/php/php7/ext/pcntl \
    && phpize \
    && ./configure --with-php-config=/usr/local/bin/php-config \
    && make && make install \
    && docker-php-ext-enable pcntl

# Clean up build leftovers
RUN cd /var/www/html/ \
    && rm -rf redis.tgz scws-1.2.3 scws.tar.bz2 xdebug.tgz \
    && mkdir /etc/php-fpm.d/

# xdebug configuration
RUN echo "xdebug.remote_host= 10.0.1.1 \n xdebug.remote_port = 9123 \n xdebug.idekey = PHPSTORM \n xdebug.remote_log='/www/xdebug_php7.log' \n xdebug.remote_enable = 1" >> /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini
```

Alibaba Cloud private registry

Address

First create your own namespace and set it to private.

Then create a repository for the base environment.

Tag the docker image you just built locally and push it to the repository:

```bash
$ sudo docker login --username=XXX registry.cn-shanghai.aliyuncs.com
$ sudo docker tag [ImageId] registry.cn-shanghai.aliyuncs.com/zjj_test/php7:[image version]
$ sudo docker push registry.cn-shanghai.aliyuncs.com/zjj_test/php7:[image version]
```

Finally, remember to grant access; it will be needed later.

Deploying k8s on JD Cloud

Purchase

Address

Note: try to buy at least a 1 core / 2 GB x 2 configuration.

The whole creation process takes about 10 minutes. After creation completes (ps: be sure to wait until it has finished)

Configure the local client

Copy the client config file and write it into

```bash
vim ~/.kube/config
```

First run kubectl get pod to check that the configuration works:

```text
NAME                                           READY   STATUS              RESTARTS   AGE
init-jcr-token-refresher-dbtcl                 0/1     Completed           0          2m18s
jdcloud-jcr-credential-cron-1600497600-pkqrq   0/1     ContainerCreating   0          6s
```

Configure the secret

The purpose of this is to have permission to pull images from the private registry:

```bash
kubectl create secret docker-registry regcred \
  --docker-server=registry.cn-shanghai.aliyuncs.com \
  --docker-username=*** \
  --docker-password=*** \
  --docker-email=***
```

Configure configmap/deployment/service

Just create them directly from the yaml written above; I will provide the bundle at the end.

```bash
kubectl create -f configmap.yaml
```

Access

Before accessing, carefully confirm that the pods have started.

Once they are all in Running state we can try the following two ways of reaching them.

Let's also confirm that the service was created successfully.

Kubernetes proxy mode

```bash
kubectl proxy --port=8080
```

Then visit

```text
http://localhost:8080/api/v1/proxy/namespaces/<NAMESPACE>/services/<SERVICE-NAME>:<PORT-NAME>/

http://localhost:8080/api/v1/namespaces/default/services/http:lnmp-net:/proxy/
```

Ingress access

Install Nginx

```bash
kubectl create -f ingress-nginx.yaml
```

Wait for the installation to finish

```bash
kubectl get pod -n ingress-nginx
```

Once ingress-nginx-controller-597f4f6fb5-qzgkj is Running, the detailed access rules can be configured:

```bash
kubectl create -f ingress.yaml
```

Wait for an IP to be assigned; this can take about a minute.

```bash
kubectl get ingress
```

Now it can be accessed directly through that IP.

Configuring the k8s release in Alibaba Cloud Yunxiao

Fill in the client management information from earlier.

Pay attention to the status information.

Go back to the previous step and fill in the corresponding information (mainly the labels in the various yaml files).

Next we go into the pipeline and add a build step; note the file name in the build configuration.

We put the build configuration into the code directory:

```properties
# See https://help.aliyun.com/document_detail/59293.html for more on how to write the release file

# Language of the source being built
code.language=php7.0

# Path to the Dockerfile used for the docker build
docker.file=Dockerfile


# Docker repo to push to after the docker build completes
docker.repo=registry.cn-shanghai.aliyuncs.com/zjj_test/blog


# Use a timestamp as the docker tag, so the resulting image looks like registry.cn-hangzhou.aliyuncs.com/mynamespace/container-app:20170622232633
docker.tag=${TIMESTAMP}
```

Add the Dockerfile:

```dockerfile
FROM registry.cn-shanghai.aliyuncs.com/zjj_test/php7:1.0
USER root
COPY blog.tgz /www/tgz/blog.tgz
RUN tar zxvf /www/tgz/blog.tgz -C /www
RUN /usr/local/bin/composer config -g repo.packagist composer https://mirrors.aliyun.com/composer/
RUN apt-get update
RUN apt-get install -y git unzip
WORKDIR /www/blog
# Laravel needs storage/ writable by the php-fpm user
RUN chmod 777 -R /www/blog/storage
RUN /usr/local/bin/composer install
```

This way it pulls the base image we just created, runs composer install, then builds a new image and pushes it to the registry.cn-shanghai.aliyuncs.com/zjj_test/blog repository, where it waits for k8s to pull it.

Finally, in the deployment stage choose the k8s test environment configured earlier.

Test release

On the test branch, let's try changing the text in the banner.

Check the pipeline

composer install is running

Finally the image was also uploaded successfully to our private image registry

In the code release order you can see the first batch finished and is waiting for confirmation

Logging into the cluster then shows that k8s used a rolling update (canary release): it created a new deployment, started one new pod and replaced one old pod

We continue the release

The old pods are completely replaced

The code takes effect
