Installing and upgrading JumpServer with Helm

1. Add the repository

helm repo add jumpserver https://jumpserver.github.io/helm-charts

helm repo list

2. Custom configuration

cat > values.yaml << EOF
core:
  config:
    # Token used for component authentication; recommended length is more than 24 characters
    bootstrapToken: ****
    # secret_key used to encrypt sensitive information; recommended length is more than 50 characters
    secretKey: ****
  persistence:
    size: 50Gi
    storageClassName: nfs-storageclass
externalDatabase:
  database: jumpserver
  engine: mysql
  host: 192.168.150.88
  password: MmVkNTQyMDYxN2V
  port: 3306
  user: jumpserver
externalRedis:
  host: redis-svc.zzmed-test.svc
  password: ""
  port: 6379
global:
  imageTag: v2.28.7
ingress:
  enabled: false
koko:
  persistence:
    storageClassName: nfs-storageclass
lion:
  persistence:
    storageClassName: nfs-storageclass
magnus:
  persistence:
    storageClassName: nfs-storageclass
omnidb:
  persistence:
    storageClassName: nfs-storageclass
razor:
  persistence:
    storageClassName: nfs-storageclass
web:
  persistence:
    storageClassName: nfs-storageclass
EOF

3. Install

Method 1:
helm repo add jumpserver https://jumpserver.github.io/helm-charts
helm repo update jumpserver
helm upgrade --install jumpserver --version 2.28.7 -n tools jumpserver/jumpserver -f values.yaml
Method 2:
# core.config.secretKey: secret_key used to encrypt sensitive information; recommended length is more than 50 characters
# core.config.bootstrapToken: token used for component authentication; recommended length is more than 24 characters
helm upgrade --install jumpserver -n tools jumpserver/jumpserver \
  --set global.imageTag="v2.28.7" \
  --set externalDatabase.engine=mysql \
  --set externalDatabase.host="<external-database-address>" \
  --set externalDatabase.port=3306 \
  --set externalDatabase.user=jumpserver \
  --set externalDatabase.password="<password>" \
  --set externalDatabase.database=jumpserver \
  --set externalRedis.host="<external-redis-address>" \
  --set externalRedis.port=6379 \
  --set externalRedis.password="<redis-password>" \
  --set ingress.enabled=false \
  --set core.config.secretKey=**** \
  --set core.config.bootstrapToken=**** \
  --set core.persistence.storageClassName=nfs-storageclass \
  --set core.persistence.size=50Gi \
  --set koko.persistence.storageClassName=nfs-storageclass \
  --set lion.persistence.storageClassName=nfs-storageclass \
  --set magnus.persistence.storageClassName=nfs-storageclass \
  --set omnidb.persistence.storageClassName=nfs-storageclass \
  --set razor.persistence.storageClassName=nfs-storageclass \
  --set web.persistence.storageClassName=nfs-storageclass

4. Add an Ingress for external access

$ cat > jumpserver-ing.yaml << EOF
---
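# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters need networking.k8s.io/v1
apiVersion: extensions/v1beta1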
kind: Ingress
metadata:
  name: jumpserver
  namespace: tools
spec:
  rules:
  - host: jumpserver.example.com
    http:
      paths:
      - backend:
          serviceName: jumpserver-jms-web
          servicePort: 80
        path: /
      - backend:
          serviceName: jumpserver-jms-web
          servicePort: 80
        path: /*
EOF

$ kubectl apply -f jumpserver-ing.yaml
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.jumpserver.org/name: jms-koko
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: jumpserver
    app.kubernetes.io/version: v2.23.0
    helm.sh/chart: jumpserver-2.23.0
  name: jumpserver-jms-koko
  namespace: tools
spec:
  ports:
  - name: web
    nodePort: 31985
    port: 5000
    protocol: TCP
    targetPort: web
  - name: ssh
    nodePort: 32222
    port: 2222
    protocol: TCP
    targetPort: ssh
  selector:
    app.jumpserver.org/name: jms-koko
    app.kubernetes.io/instance: jumpserver
    app.kubernetes.io/name: jumpserver
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
  type: NodePort

5. Uninstall

helm uninstall jumpserver -n tools

6. Upgrade

  • Back up the database manually first, then continue.
Method 1:
# values.yaml is obtained from https://github.com/jumpserver/helm-charts/blob/main/charts/jumpserver/values.yaml
helm repo add jumpserver https://jumpserver.github.io/helm-charts
helm repo update jumpserver
helm upgrade --install jumpserver -n tools jumpserver/jumpserver -f values.yaml
Method 2:
helm repo add jumpserver https://jumpserver.github.io/helm-charts
helm repo update
# core.config.secretKey: secret_key used to encrypt sensitive information; recommended length is more than 50 characters
# core.config.bootstrapToken: token used for component authentication; recommended length is more than 24 characters
helm upgrade --install jumpserver -n tools jumpserver/jumpserver \
  --set global.imageTag="v2.28.7" \
  --set externalDatabase.engine=mysql \
  --set externalDatabase.host="<external-database-address>" \
  --set externalDatabase.port=3306 \
  --set externalDatabase.user=jumpserver \
  --set externalDatabase.password="<password>" \
  --set externalDatabase.database=jumpserver \
  --set externalRedis.host="<external-redis-address>" \
  --set externalRedis.port=6379 \
  --set externalRedis.password="<redis-password>" \
  --set ingress.enabled=false \
  --set core.config.secretKey=jjjj \
  --set core.config.bootstrapToken=jjjj \
  --set core.persistence.storageClassName=nfs-storageclass \
  --set core.persistence.size=50Gi \
  --set koko.persistence.storageClassName=nfs-storageclass \
  --set lion.persistence.storageClassName=nfs-storageclass \
  --set magnus.persistence.storageClassName=nfs-storageclass \
  --set omnidb.persistence.storageClassName=nfs-storageclass \
  --set razor.persistence.storageClassName=nfs-storageclass \
  --set web.persistence.storageClassName=nfs-storageclass
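
An added example (not from the original post or the JumpServer project) for the secretKey and bootstrapToken settings used in steps 2, 3 and 6: it generates values that meet the recommended lengths and keeps them in a separate values file with owner-only permissions instead of passing them with --set, where they end up in shell history. The file name secrets-values.yaml and the function names are assumptions; the file is only written when missing, so an upgrade reuses the secretKey that already encrypts stored data.

```shell
# Added example. secrets-values.yaml is a hypothetical file name,
# not one the chart requires.

# Print $1 random hex characters read from the kernel CSPRNG.
gen_token() {
  head -c "$(( ($1 + 1) / 2 ))" /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c "1-$1"
}

# Write the secrets file only if it is missing, so upgrades reuse the
# same secretKey/bootstrapToken instead of silently rotating them.
write_secret_values() {
  local file="$1"
  [ -e "$file" ] && return 0
  ( umask 077   # file is created readable by its owner only
    printf 'core:\n  config:\n    secretKey: "%s"\n    bootstrapToken: "%s"\n' \
      "$(gen_token 64)" "$(gen_token 32)" > "$file" )
}

# Fail before deploying if a value is shorter than the recommendation
# (secretKey longer than 50 characters, bootstrapToken longer than 24).
check_secret_values() {
  local file="$1" key tok
  key=$(sed -n 's/^ *secretKey: "\(.*\)"$/\1/p' "$file")
  tok=$(sed -n 's/^ *bootstrapToken: "\(.*\)"$/\1/p' "$file")
  [ "${#key}" -gt 50 ] && [ "${#tok}" -gt 24 ]
}

# Usage:
#   write_secret_values secrets-values.yaml && check_secret_values secrets-values.yaml
#   helm upgrade --install jumpserver -n tools jumpserver/jumpserver \
#     -f values.yaml -f secrets-values.yaml
```

The later -f file overrides core.config.secretKey and core.config.bootstrapToken from values.yaml, so the placeholders there can stay.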

7. Error when restoring from a backup data file

MySQL server has gone away
Solution:
mysql> show VARIABLES like '%max_allowed_packet%';

-- the server maximum for max_allowed_packet is 1073741824 (1 GB)
mysql> set global max_allowed_packet = 41943040000;

8. Error starting the services after restoring from a database backup

2023-02-15 12:11:26 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:11:27,815 INFO success: lion entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2023-02-15 12:11:32 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:11:37 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:11:42 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:11:47 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:11:52 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:11:58 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:12:03 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:12:08 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:12:13 main main.go [ERROR] POST http://jumpserver-jms-core:8080/api/v1/terminal/terminal-registrations/ failed, get code: 400, {"error":"service account registration disabled"}
2023-02-15 12:12:18 main main.go [ERROR] 注册终端失败退出
2023-02-15 12:12:18,335 INFO exited: lion (exit status 1; not expected)
2023-02-15 12:12:19,337 INFO spawned: 'lion' with pid 34

Solution:

Method 1:

Enable terminal registration (disabled by default).

Method 2:

Change SECURITY_SERVICE_ACCOUNT_REGISTRATION to true in the settings_setting table.
