k8s集群部署jumpserver v3.3.1(helm)

首先需要安装动态存储,动态存储怎么安装这里不介绍

1:mysql安装

root@k8s-master1:/usr/local/helm-charts-jumpserver-3.9.2/charts/jumpserver/111# cat mysql-pvc.yaml 
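# PersistentVolumeClaim backing the MySQL data directory (/var/lib/mysql in mysql.yaml).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-data
  namespace: jumpserver
spec:
  # Replace with the name of your own dynamic StorageClass.
  # `spec.storageClassName` is the supported field; the
  # `volume.beta.kubernetes.io/storage-class` annotation is the legacy form.
  storageClassName: managed-nfs-storage
  accessModes:
    # The Deployment runs one replica, so ReadWriteOnce would be sufficient
    # (and is required on block storage such as Ceph RBD); ReadWriteMany is
    # kept here because the author's NFS class provides it.
    - ReadWriteMany
  resources:
    requests:
      storage: 50Gi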
 

root@k8s-master1:/usr/local/helm-charts-jumpserver-3.9.2/charts/jumpserver/111# cat mysql.yaml 
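# MySQL for JumpServer: a Secret holding the root password, a single-replica
# Deployment and a Service. The Secret is included so this file applies on its
# own; in a real repository create it out of band
# (e.g. `kubectl create secret generic mysql-root ...`) and do not commit it.
apiVersion: v1
kind: Secret
metadata:
  name: mysql-root
  namespace: jumpserver
type: Opaque
stringData:
  # Root password; must match externalDatabase.password in values.yaml.
  MYSQL_ROOT_PASSWORD: "Password123@mysql"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  namespace: jumpserver
spec:
  replicas: 1
  # The data directory is one shared PVC. The default RollingUpdate strategy
  # starts the new pod before the old one exits, so two mysqld processes would
  # open the same datadir; Recreate stops the old pod first.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
        - name: mysql
          image: jumpserver/mysql:5
          imagePullPolicy: IfNotPresent
          args:
            - --character-set-server=utf8
          env:
            # Nothing on this page reads DB_PORT; kept as the author had it.
            - name: DB_PORT
              value: "3306"
            # Database created when the container first starts; JumpServer
            # uses it (externalDatabase.database in values.yaml).
            - name: MYSQL_DATABASE
              value: jumpserver
            # Root password, taken from the Secret above instead of being
            # written into the pod spec.
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-root
                  key: MYSQL_ROOT_PASSWORD
          ports:
            - containerPort: 3306
              protocol: TCP
          volumeMounts:
            # Data directory, backed by the PVC from mysql-pvc.yaml.
            - name: mysql-data
              mountPath: /var/lib/mysql
      volumes:
        - name: mysql-data
          persistentVolumeClaim:
            claimName: mysql-data
---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: jumpserver
spec:
  # NodePort publishes MySQL (with a root login) on port 30306 of every node.
  # Pods inside the cluster can reach it as mysql.jumpserver.svc.cluster.local:3306
  # without that; switch to ClusterIP once nothing outside the cluster needs it.
  type: NodePort
  selector:
    app: mysql
  ports:
    - name: mysql
      protocol: TCP
      port: 3306
      targetPort: 3306
      nodePort: 30306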

2:redis安装

root@k8s-master1:/usr/local/helm-charts-jumpserver-3.9.2/charts/jumpserver/111# cat redis-config.yaml 
# redis.conf for the JumpServer Redis pod; mounted via subPath in redis.yaml.
apiVersion: v1
kind: ConfigMap
metadata:
  name: redis-config
  namespace: jumpserver
data:
  # NOTE(review): `requirepass` is a credential, and a ConfigMap is readable by
  # anyone allowed to read ConfigMaps in the namespace. A Secret (mounted with a
  # `secret:` volume in redis.yaml) keeps it under Secret RBAC instead.
  # The value must match externalRedis.password in values.yaml.
  redis.conf: |-
    bind 0.0.0.0
    port 6379
    requirepass fdsa923nkfs32
    pidfile /var/run/redis_6379.pid
    save 900 1
    save 300 10
    save 60 10000
    rdbcompression yes
    rdbchecksum yes
    dbfilename dump.rdb
    appendonly yes
    appendfilename "appendonly.aof"
    appendfsync everysec
    dir /data
    logfile "/data/redis-6379.log"
 

root@k8s-master1:/usr/local/helm-charts-jumpserver-3.9.2/charts/jumpserver/111# cat redis-pvc.yaml 
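# PersistentVolumeClaim backing the Redis data directory (/data in redis.yaml).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: redis-data
  namespace: jumpserver
spec:
  # Replace with the name of your own dynamic StorageClass.
  # `spec.storageClassName` is the supported field; the
  # `volume.beta.kubernetes.io/storage-class` annotation is the legacy form.
  storageClassName: managed-nfs-storage
  accessModes:
    # One Redis replica only needs ReadWriteOnce (required on block storage
    # such as Ceph RBD); ReadWriteMany is kept because the author's NFS class
    # provides it.
    - ReadWriteMany
  resources:
    requests:
      storage: 20Gi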
 

root@k8s-master1:/usr/local/helm-charts-jumpserver-3.9.2/charts/jumpserver/111# cat redis.yaml 
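# Redis for JumpServer: a single-replica Deployment reading redis.conf from
# the redis-config ConfigMap, plus a ClusterIP Service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jumpserver-redis
  namespace: jumpserver
spec:
  replicas: 1
  # /data (RDB + AOF files) is one shared PVC. With the default RollingUpdate
  # strategy the new pod starts before the old one exits and both would write
  # the same AOF; Recreate stops the old pod first.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: jumpserver-redis
  template:
    metadata:
      labels:
        app: jumpserver-redis
    spec:
      containers:
        - name: redis
          image: redis:6.0.9
          command: ["redis-server", "/etc/redis/redis.conf"]
          ports:
            - containerPort: 6379
          volumeMounts:
            # Single file projected from the ConfigMap (subPath), so the rest
            # of /etc/redis is untouched.
            - name: redis-config
              mountPath: /etc/redis/redis.conf
              subPath: redis.conf
            # `dir /data` in redis.conf; persisted via the redis-data PVC.
            - name: redis-data
              mountPath: /data
      volumes:
        - name: redis-config
          configMap:
            name: redis-config
        - name: redis-data
          persistentVolumeClaim:
            claimName: redis-data
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: jumpserver-redis-svc
  name: jumpserver-redis-svc
  namespace: jumpserver
spec:
  # ClusterIP only: reachable in-cluster as
  # jumpserver-redis-svc.jumpserver.svc.cluster.local:6379. Note that this
  # Service defines no NodePort, so a node IP + port 31214 (as used in the
  # author's values.yaml) is not served by what is shown here.
  ports:
    - name: tcp-redis-6379
      port: 6379
      protocol: TCP
      targetPort: 6379
  selector:
    app: jumpserver-redis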
 

3:部署jumpserver

helm repo add jumpserver https://jumpserver.github.io/helm-charts

helm repo list

由于国内环境原因,添加repo一直失败,所以放弃了上面这个方法

先创建一个模板文件

root@k8s-master1:/usr/local/helm-charts-jumpserver-3.9.2/charts/jumpserver/111# cat values.yaml 

# Template: https://github.com/jumpserver/helm-charts/blob/main/charts/jumpserver/values.yaml
# Default values for jumpserver.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Leave empty to keep the chart's generated resource names.
nameOverride: ''
fullnameOverride: ''

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
## @param global.redis.password Global Redis™ password (overrides `auth.password`)
##
global:
  # Keep the upstream registry: the author could not pull anything at all
  # from the domestic mirrors.
  imageRegistry: 'docker.io'
  # JumpServer release to deploy.
  imageTag: 'v3.3.1'
  ## E.g.
  #  imagePullSecrets:
  #    - name: harborsecret
  #
  #  storageClass: "jumpserver-data"
  ##
  imagePullSecrets: []
    # - name: yourSecretKey
  # (*required) the dynamic StorageClass created earlier (NFS in this setup).
  storageClass: 'managed-nfs-storage'

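## Please configure your MySQL server first
## Jumpserver will not start the external MySQL server.
##
# (*required) Database settings. A MySQL outside the cluster or the mysql pod
# from mysql.yaml both work; the author uses the pod.
externalDatabase:
  engine: mysql
  # In-cluster DNS name of the mysql Service:
  # <service>.<namespace>.svc.cluster.local. Using the Service instead of a
  # node IP + NodePort keeps the traffic inside the cluster and does not tie
  # the deployment to one node staying up.
  host: mysql.jumpserver.svc.cluster.local
  port: 3306
  # JumpServer connects as root here; a dedicated user with rights on the
  # `jumpserver` database only would be the least-privilege choice.
  user: root
  # Must equal MYSQL_ROOT_PASSWORD in mysql.yaml. Prefer supplying it with
  # `--set externalDatabase.password=...` or an uncommitted values file.
  password: "Password123@mysql"
  database: jumpserver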

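## Please configure your Redis server first
## Jumpserver will not start the external Redis server.
##
# (*required) Redis settings; points at jumpserver-redis-svc from redis.yaml.
externalRedis:
  # In-cluster DNS name of the Redis Service, which listens on 6379 (ClusterIP).
  # The Service on this page defines no NodePort, so a node IP + 31214 would
  # only work if the Service were changed elsewhere.
  host: jumpserver-redis-svc.jumpserver.svc.cluster.local
  port: 6379
  # Must equal `requirepass` in redis-config.yaml.
  password: "fdsa923nkfs32"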

serviceAccount:
  # Whether the chart should create a service account.
  create: false
  # Service account to use. Unset, with create=true, the chart generates a
  # name from the fullname template.
  name: null

ingress:
  # Disabled here; the author exposes the web service by hand afterwards.
  enabled: false
  annotations:
    # kubernetes.io/tls-acme: "true"
    compute-full-forwarded-for: 'true'
    use-forwarded-headers: 'true'
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_set_header Upgrade "websocket";
       proxy_set_header Connection "Upgrade";
  hosts:
    # Public hostname.
    - 'test.jumpserver.org'
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

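core:
  enabled: true

  labels:
    app.jumpserver.org/name: jms-core

  config:
    # Generate a new random secret key by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
    # (*required) key used to encrypt sensitive data; recommended length > 50.
    # The author's note: any value works, just keep a record of it. Treat it
    # as a credential: pass it with --set or an uncommitted values file rather
    # than committing it here.
    secretKey: ""
    # Generate a new random bootstrap token by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
    # (*required) token the components use to authenticate to core;
    # recommended length > 24. Same handling as secretKey.
    bootstrapToken: ""
    # Enabled it for debug
    debug: false
    log:
      level: ERROR

  replicaCount: 1

  image:
    registry: docker.io
    repository: jumpserver/core
    tag: v3.3.1
    pullPolicy: IfNotPresent

  command: []

  env:
    # See: https://docs.jumpserver.org/zh/master/admin-guide/env/#core
    SESSION_EXPIRE_AT_BROWSER_CLOSE: true
    # SESSION_COOKIE_AGE: 86400
    # SECURITY_VIEW_AUTH_NEED_MFA: true

  livenessProbe:
    failureThreshold: 30
    httpGet:
      path: /api/health/
      port: web

  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /api/health/
      port: web

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000

  service:
    type: ClusterIP
    web:
      port: 8080

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 1000m
    #   memory: 2048Mi
    # requests:
    #   cpu: 500m
    #   memory: 1024Mi

  persistence:
    # Same StorageClass as global.storageClass and the mysql/redis PVCs. The
    # upstream default `jumpserver-data` is not a class shown anywhere on this
    # page; which of the two values the chart uses is not visible here, so
    # keeping them equal is the safe choice.
    storageClassName: managed-nfs-storage
    accessModes:
      # Note: with Ceph as the dynamic storage change this to ReadWriteOnce
      # (single-node access, otherwise the PVC fails to create). The same
      # applies to the other persistence sections below.
      - ReadWriteMany
    size: 100Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection
    # subPath: ""
    # existingClaim:

  volumeMounts: []

  volumes: []

  nodeSelector: {}

  tolerations: []

  affinity: {}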

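koko:
  enabled: true

  labels:
    app.jumpserver.org/name: jms-koko

  config:
    log:
      level: ERROR

  replicaCount: 1

  image:
    # Private registry used in the author's environment (core above still
    # pulls from docker.io).
    registry: 192.168.50.14
    repository: images/koko
    tag: v3.3.1
    pullPolicy: IfNotPresent

  command: []

  env: []
    # See: https://docs.jumpserver.org/zh/master/admin-guide/env/#koko
    # LANGUAGE_CODE: zh
    # REUSE_CONNECTION: true
    # ENABLE_LOCAL_PORT_FORWARD: true
    # ENABLE_VSCODE_SUPPORT: true

  livenessProbe:
    failureThreshold: 30
    httpGet:
      path: /koko/health/
      port: web

  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /koko/health/
      port: web

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext:
    # NOTE(review): a privileged container gets every capability and raw host
    # device access; nothing on this page shows what koko needs it for.
    # Confirm it is required before keeping it, and prefer the commented
    # capability-drop / runAsNonRoot settings below if it is not.
    privileged: true
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000

  service:
    type: ClusterIP
    web:
      port: 5000
    ssh:
      port: 2222

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  persistence:
    # Kept equal to global.storageClass and the mysql/redis PVCs; the upstream
    # default `jumpserver-data` is not a class shown on this page.
    storageClassName: managed-nfs-storage
    accessModes:
      # With Ceph as the dynamic storage change this to ReadWriteOnce.
      - ReadWriteMany
    size: 10Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection

  volumeMounts: []

  volumes: []

  nodeSelector: {}

  tolerations: []

  affinity: {}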

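lion:
  enabled: true

  labels:
    app.jumpserver.org/name: jms-lion

  config:
    log:
      level: ERROR

  replicaCount: 1

  image:
    # Private registry used in the author's environment.
    registry: 192.168.50.14
    repository: images/lion
    tag: v3.3.1
    pullPolicy: IfNotPresent

  command: []

  env:
    # See: https://docs.jumpserver.org/zh/master/admin-guide/env/#lion
    JUMPSERVER_ENABLE_FONT_SMOOTHING: true
    # JUMPSERVER_COLOR_DEPTH: 32
    # JUMPSERVER_ENABLE_WALLPAPER: true
    # JUMPSERVER_ENABLE_THEMING: true
    # JUMPSERVER_ENABLE_FULL_WINDOW_DRAG: true
    # JUMPSERVER_ENABLE_DESKTOP_COMPOSITION: true
    # JUMPSERVER_ENABLE_MENU_ANIMATIONS: true

  livenessProbe:
    failureThreshold: 30
    httpGet:
      path: /lion/health/
      port: web

  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /lion/health/
      port: web

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000

  service:
    type: ClusterIP
    web:
      port: 8081

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 512Mi
    # requests:
    #   cpu: 100m
    #   memory: 512Mi

  persistence:
    # Kept equal to global.storageClass and the mysql/redis PVCs; the upstream
    # default `jumpserver-data` is not a class shown on this page.
    storageClassName: managed-nfs-storage
    accessModes:
      # With Ceph as the dynamic storage change this to ReadWriteOnce.
      - ReadWriteMany
    size: 50Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection

  volumeMounts: []

  volumes: []

  nodeSelector: {}

  tolerations: []

  affinity: {}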

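magnus:
  enabled: true

  labels:
    app.jumpserver.org/name: jms-magnus

  config:
    log:
      level: ERROR

  replicaCount: 1

  image:
    # Private registry used in the author's environment.
    registry: 192.168.50.14
    repository: images/magnus
    tag: v3.3.1
    pullPolicy: IfNotPresent

  command: []

  env: []

  livenessProbe:
    failureThreshold: 30
    tcpSocket:
      port: 9090

  readinessProbe:
    failureThreshold: 30
    tcpSocket:
      port: 9090

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000

  service:
    type: ClusterIP
    # Listener ports for the database protocols magnus proxies.
    mysql:
      port: 33061
    mariadb:
      port: 33062
    redis:
      port: 63790
    postgresql:
      port: 54320
    oracle:
      # A range, kept as a plain string.
      ports: 30000-30100

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 512Mi
    # requests:
    #   cpu: 100m
    #   memory: 512Mi

  persistence:
    # Kept equal to global.storageClass and the mysql/redis PVCs; the upstream
    # default `jumpserver-data` is not a class shown on this page.
    storageClassName: managed-nfs-storage
    accessModes:
      # With Ceph as the dynamic storage change this to ReadWriteOnce.
      - ReadWriteMany
    size: 10Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection

  volumeMounts: []

  volumes: []

  nodeSelector: {}

  tolerations: []

  affinity: {}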

xpack:
  # Set to true for the enterprise (X-Pack) edition.
  enabled: false

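omnidb:
  labels:
    app.jumpserver.org/name: jms-omnidb

  config:
    log:
      level: ERROR

  replicaCount: 1

  image:
    # Enterprise image registry (used only with xpack.enabled: true).
    registry: registry.fit2cloud.com
    repository: jumpserver/omnidb
    tag: v3.3.1
    pullPolicy: IfNotPresent

  command: []

  env: []

  livenessProbe:
    failureThreshold: 30
    tcpSocket:
      port: web

  readinessProbe:
    failureThreshold: 30
    tcpSocket:
      port: web

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000

  service:
    type: ClusterIP
    web:
      port: 8082

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  persistence:
    # Kept equal to global.storageClass and the mysql/redis PVCs; the upstream
    # default `jumpserver-data` is not a class shown on this page.
    storageClassName: managed-nfs-storage
    accessModes:
      # With Ceph as the dynamic storage change this to ReadWriteOnce.
      - ReadWriteMany
    size: 10Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection

  volumeMounts: []

  volumes: []

  nodeSelector: {}

  tolerations: []

  affinity: {}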

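razor:
  labels:
    app.jumpserver.org/name: jms-razor

  config:
    log:
      level: ERROR

  replicaCount: 1

  image:
    # Enterprise image registry (used only with xpack.enabled: true).
    registry: registry.fit2cloud.com
    repository: jumpserver/razor
    # Note: razor is pinned to v2.28.6 while every other component uses
    # global.imageTag v3.3.1, as in the author's file.
    tag: v2.28.6
    pullPolicy: IfNotPresent

  command: []

  env: []

  livenessProbe:
    failureThreshold: 30
    tcpSocket:
      port: rdp

  readinessProbe:
    failureThreshold: 30
    tcpSocket:
      port: rdp

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000

  service:
    type: ClusterIP
    rdp:
      port: 3389

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  persistence:
    # Kept equal to global.storageClass and the mysql/redis PVCs; the upstream
    # default `jumpserver-data` is not a class shown on this page.
    storageClassName: managed-nfs-storage
    accessModes:
      # With Ceph as the dynamic storage change this to ReadWriteOnce.
      - ReadWriteMany
    size: 50Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection

  volumeMounts: []

  volumes: []

  nodeSelector: {}

  tolerations: []

  affinity: {}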

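web:
  enabled: true

  labels:
    app.jumpserver.org/name: jms-web

  replicaCount: 1

  image:
    # Private registry used in the author's environment.
    registry: 192.168.50.14
    repository: images/web
    tag: v3.3.1
    pullPolicy: IfNotPresent

  command: []

  env: []
    # nginx client_max_body_size, default 4G
    # CLIENT_MAX_BODY_SIZE: 4096m

  livenessProbe:
    failureThreshold: 30
    httpGet:
      path: /api/health/
      port: web

  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /api/health/
      port: web

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000

  service:
    # ClusterIP only; the author exposes it by hand afterwards (ingress is off).
    type: ClusterIP
    web:
      port: 80

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  persistence:
    # Kept equal to global.storageClass and the mysql/redis PVCs; the upstream
    # default `jumpserver-data` is not a class shown on this page.
    storageClassName: managed-nfs-storage
    accessModes:
      # With Ceph as the dynamic storage change this to ReadWriteOnce.
      - ReadWriteMany
    size: 1Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection

  volumeMounts: []

  volumes: []

  nodeSelector: {}

  tolerations: []

  affinity: {}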

下载helm包

https://github.com/jumpserver/helm-charts/releases?page=3

k8s集群部署jumpserver v3.3.1(helm)_第1张图片

k8s集群部署jumpserver v3.3.1(helm)_第2张图片

把源换成刚下载下来的包执行命令

helm install jms-k8s jumpserver-3.3.1.tgz -n jumpserver -f values.yaml

执行完之后它会先起一个内置数据库的 pod,应处于 running 状态;如果是别的状态,建议看看是不是镜像没下载下来

k8s集群部署jumpserver v3.3.1(helm)_第3张图片

一个小问题,可以看到这个celery pod一直在重启,删除红框里面的这一段

k8s集群部署jumpserver v3.3.1(helm)_第4张图片

这里使用的IP+port的方式访问

k8s集群部署jumpserver v3.3.1(helm)_第5张图片

初始用户名密码:admin、admin


 
