I. Environment requirements
- Kubernetes 1.20+
- Helm 3.0
- Redis >= 6.2
- MySQL >= 5.7 (MariaDB also works, but the version must be >= 10.6)
- JumpServer version: v3.10.1 (Community Edition)
II. Installation and deployment
1. Add the chart repository
$ helm repo add jumpserver https://jumpserver.github.io/helm-charts
2. List the configured chart repositories
$ helm repo list
NAME        URL
jumpserver  https://jumpserver.github.io/helm-charts
3. List the available chart versions
$ helm search repo jumpserver
NAME                   CHART VERSION  APP VERSION  DESCRIPTION
jumpserver/jumpserver  3.10.1         v3.10.1      A Helm chart for Deploying Jumpserver on Kubern...
4. Deploy Redis (I run it as a pod here; storage is AWS dynamic EBS CSI provisioning)
$ cat claim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: redis-data
  namespace: jumpserver
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: ebs-sc
  resources:
    requests:
      storage: 91Gi
$ cat redis.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: jumpserver
spec:
  selector:
    matchLabels:
      app: redis
  replicas: 1
  strategy:
    type: Recreate           # a single RWO volume: never run two Redis pods against it
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
        - name: redis
          image: jumpserver/redis:6.2
          imagePullPolicy: IfNotPresent
          # The password is given once, expanded from REDIS_PASSWORD (Kubernetes expands
          # $(VAR) in args from the container's env). A --requirepass on the command line
          # overrides any requirepass in redis.conf, so do not keep a second copy in the file.
          args:
            - redis-server
            - /etc/redis.conf
            - --requirepass
            - $(REDIS_PASSWORD)
          env:
            - name: REDIS_PASSWORD
              value: your-redis-passwd   # password; must equal externalRedis.password in values.yaml.
                                         # Prefer valueFrom.secretKeyRef to a literal value here.
            - name: REDIS_PORT
              value: "6379"              # port
          volumeMounts:
            - name: redis-data           # data directory
              mountPath: /data
            - name: redis-conf           # config file
              mountPath: /etc/redis.conf
              subPath: redis.conf        # without subPath the ConfigMap is mounted as a directory
                                         # at /etc/redis.conf and redis-server cannot open it
      volumes:
        - name: redis-conf
          configMap:
            name: redis-cm
        - name: redis-data
          persistentVolumeClaim:
            claimName: redis-data
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: jumpserver
spec:
  # ClusterIP is enough: the chart reaches Redis at redis.jumpserver.svc.cluster.local.
  # A NodePort would publish the session store of a bastion host on every node's IP.
  type: ClusterIP
  ports:
    - name: redis
      protocol: TCP
      port: 6379
      targetPort: 6379
  selector:
    app: redis
$ cat redis-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: redis-cm
  namespace: jumpserver
data:
  redis.conf: |
    # No requirepass here: the Deployment passes it with --requirepass, which overrides
    # the file anyway, and a credential in a ConfigMap is readable by anyone who may read
    # ConfigMaps in the namespace. (Redis has no inline comments; keep comments on own lines.)
    # protected-mode only matters when no password is set; the Deployment enforces one.
    protected-mode no
    port 6379
    tcp-backlog 511
    timeout 0
    tcp-keepalive 300
    daemonize no
    supervised no
    pidfile /var/run/redis_6379.pid
    loglevel notice
    logfile ""
    databases 30
    always-show-logo yes
    save 900 1
    save 300 10
    save 60 10000
    stop-writes-on-bgsave-error yes
    rdbcompression yes
    rdbchecksum yes
    dbfilename dump.rdb
    # The PVC mount; do not rely on the image's working directory for persistence.
    dir /data
    replica-serve-stale-data yes
    replica-read-only yes
    repl-diskless-sync no
    repl-disable-tcp-nodelay no
    replica-priority 100
    lazyfree-lazy-eviction no
    lazyfree-lazy-expire no
    lazyfree-lazy-server-del no
    replica-lazy-flush no
    appendonly yes
    appendfilename "appendonly.aof"
    no-appendfsync-on-rewrite no
    auto-aof-rewrite-percentage 100
    auto-aof-rewrite-min-size 64mb
    aof-load-truncated yes
    aof-use-rdb-preamble yes
    lua-time-limit 5000
    slowlog-max-len 128
    notify-keyspace-events ""
    hash-max-ziplist-entries 512
    hash-max-ziplist-value 64
    list-max-ziplist-size -2
    list-compress-depth 0
    set-max-intset-entries 512
    zset-max-ziplist-entries 128
    zset-max-ziplist-value 64
    hll-sparse-max-bytes 3000
    stream-node-max-bytes 4096
    stream-node-max-entries 100
    activerehashing yes
    hz 10
    dynamic-hz yes
    aof-rewrite-incremental-fsync yes
    rdb-save-incremental-fsync yes
All my YAML files are in one directory, so a single apply covers them. The jumpserver namespace must already exist (it is created in step 7; run that kubectl create namespace command first):
$ kubectl apply -f .
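The manifests in this step carry the Redis password inside the manifests themselves (Deployment args/env and redis.conf). The script below is an added example, not code from the original post or from the JumpServer project: it generates a password, renders a Secret for it plus the env stanza that feeds it into the container as REDIS_PASSWORD (which the Deployment's args can consume as `--requirepass $(REDIS_PASSWORD)`, since Kubernetes expands `$(VAR)` in args from the container environment), and audits a redis.conf for a hard-coded requirepass. The Secret name `redis-auth` is an assumption, and the sample redis.conf is constructed to mirror the ConfigMap above.

```shell
#!/bin/sh
# Added example (not from the original post or the JumpServer project): keep the Redis
# password out of the manifests. Renders a Secret (name "redis-auth" is an assumption) and the
# env stanza that feeds it to the container as REDIS_PASSWORD, which the Deployment's args can
# consume as:  --requirepass  $(REDIS_PASSWORD)   (Kubernetes expands $(VAR) in args from env).
# Also audits a redis.conf for a hard-coded requirepass.
set -eu

NAMESPACE="${NAMESPACE:-jumpserver}"

# Random alphanumeric password (default 32 chars). A bounded read of urandom plus `cut`
# (which consumes all its input) avoids a SIGPIPE-killed `tr` under `set -e`.
gen_password() {
  head -c 8192 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-${1:-32}"
}

# Secret manifest; stringData lets the API server do the base64 encoding.
render_redis_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: redis-auth
  namespace: ${NAMESPACE}
type: Opaque
stringData:
  password: "$1"
EOF
}

# env stanza for the redis container: replaces `value: your-redis-passwd` with a secretKeyRef.
render_redis_env() {
  cat <<'EOF'
env:
  - name: REDIS_PASSWORD
    valueFrom:
      secretKeyRef:
        name: redis-auth
        key: password
EOF
}

# Audit a redis.conf file. Prints FINDING/NOTE lines; returns 1 if there is any FINDING.
audit_redis_conf() {
  conf="$1"; rc=0
  pw=$(sed -n 's/^[[:space:]]*requirepass[[:space:]]*//p' "$conf" | head -n 1)
  if [ -n "$pw" ]; then
    echo "FINDING: requirepass is hard-coded in the config file (${#pw} chars); supply it via --requirepass from a Secret"
    rc=1
  fi
  if grep -q '^[[:space:]]*protected-mode[[:space:]]*no' "$conf"; then
    echo "NOTE: protected-mode no is acceptable only with requirepass enforced; keep the Service type ClusterIP"
  fi
  return "$rc"
}

# Demo: render the manifests (nothing is applied) and audit a constructed redis.conf that
# mirrors the ConfigMap from this step.
PASSWORD="${REDIS_PASSWORD:-$(gen_password 32)}"
render_redis_secret "$PASSWORD"
echo '---'
render_redis_env
SAMPLE_CONF=$(mktemp)
printf 'protected-mode no\nport 6379\nrequirepass 000415\nappendonly yes\n' > "$SAMPLE_CONF"
audit_redis_conf "$SAMPLE_CONF" || echo "sample redis.conf needs fixing (exit $?)"
rm -f "$SAMPLE_CONF"
# To apply: render_redis_secret "$PASSWORD" | kubectl apply -f -   (namespace must already exist)
```

The Secret is applied with `kubectl apply -f -` before the Deployment, and the same password goes into `externalRedis.password` in values.yaml; the audit is a quick gate to run on any redis.conf you are about to put into a ConfigMap.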
5. Configure MySQL (I use an AWS RDS instance)
Log in to MySQL; press Enter and type the password at the prompt:
$ mysql -h database-test.clsdasdccccsdcsdcscds.ap-northeast-1.rds.amazonaws.com -u admin -p
The database must be created with the utf8 character set:
> CREATE DATABASE jumpserver DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
Create the application user:
> CREATE USER 'jump'@'%' IDENTIFIED BY 'jumppasswd';
Grant it read/write on that database only (ALL PRIVILEGES on jumpserver.*, not globally):
> GRANT ALL PRIVILEGES ON jumpserver.* TO 'jump'@'%';
> FLUSH PRIVILEGES;
The '%' host pattern accepts this account from any address that can reach the RDS endpoint, so limit reachability with the RDS security group (allow only the EKS node/pod CIDR). FLUSH PRIVILEGES is not needed after CREATE USER/GRANT, but it does no harm.
6. Configure values.yaml (storage: AWS dynamic EBS CSI provisioning)
$ cat values.yaml   # the StorageClass here is the Amazon EBS CSI driver integrated with the EKS cluster
# Template: https://github.com/jumpserver/helm-charts/blob/main/charts/jumpserver/values.yaml
# Default values for jumpserver.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

nameOverride: ""
fullnameOverride: ""

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
## @param global.redis.password Global Redis™ password (overrides `auth.password`)
##
global:
  imageRegistry: "docker.io"   # in mainland China a mirror such as Huawei Cloud's can be used
  imageTag: v3.10.1            # version
  ## E.g.
  # imagePullSecrets:
  #   - name: harborsecret
  #
  # storageClass: "ebs-sc"
  ##
  imagePullSecrets: []
  # - name: yourSecretKey
  storageClass: ""             # (required) default StorageClass; left empty here because every
                               # component below sets its own storageClassName: ebs-sc

## Please configure your MySQL server first
## Jumpserver will not start the external MySQL server.
##
externalDatabase:              # (required) database settings
  engine: mysql
  # Step 5 uses an RDS instance. Unless you have created a Service named "mysql" in the
  # jumpserver namespace (for example type ExternalName pointing at the RDS endpoint), put the
  # RDS endpoint (the -h value from step 5) here; the in-cluster name below does not resolve otherwise.
  host: mysql.jumpserver.svc.cluster.local
  port: 3306
  user: jump
  password: ***********        # the password given to CREATE USER in step 5
  database: jumpserver

## Please configure your Redis server first
## Jumpserver will not start the external Redis server.
##
externalRedis:                 # (required) Redis settings
  host: redis.jumpserver.svc.cluster.local   # in-cluster DNS name of the Service from step 4
  port: 6379
  password: ***************    # must equal the --requirepass value in redis.yaml

serviceAccount:
  # Specifies whether a service account should be created
  create: false
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:

ingress:
  enabled: true                # can be disabled if you do not use an Ingress
  annotations:
    # kubernetes.io/tls-acme: "true"
    compute-full-forwarded-for: "true"
    use-forwarded-headers: "true"
    kubernetes.io/ingress.class: nginx
    # Newer ingress-nginx releases ship with snippet annotations disabled
    # (allow-snippet-annotations); if the controller rejects this Ingress, that is why.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Upgrade "websocket";
      proxy_set_header Connection "Upgrade";
  hosts:
    - "jump.wbes.link"         # public domain
  # An empty tls list means the bastion's login page and sessions are served over plain HTTP;
  # terminate TLS here (or on the load balancer in front) before exposing the host.
  tls: []
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local
core:
  enabled: true
  labels:
    app.jumpserver.org/name: jms-core
  config:
    # Generate a new random secret key by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
    # secretKey: "B3f2w8P2PfxIAS7s4URrD9YmSbtqX4vXdPUL217kL9XPUOWrmy"
    # secretKey: ""
    # (required) key that encrypts sensitive data at rest; 50+ characters recommended.
    # Never reuse the example value from the template, and back it up: data encrypted
    # with it cannot be read again if it is lost.
    secretKey: "************************"
    # Generate a new random bootstrap token by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
    # bootstrapToken: "7Q11Vz6R2J6BLAdO"
    # bootstrapToken: ""
    # (required) token the components use to register with core; 24+ characters recommended
    bootstrapToken: "****************"
    # Enabled it for debug
    debug: false
    log:
      level: ERROR
  replicaCount: 1
  image:
    registry: docker.io
    repository: jumpserver/core
    tag: v3.10.1
    pullPolicy: IfNotPresent
  command: []
  env:
    # See: https://docs.jumpserver.org/zh/master/admin-guide/env/#core
    SESSION_EXPIRE_AT_BROWSER_CLOSE: true
    # External domain the UI is served on. Without it the web login fails behind the
    # Ingress (step 9); setting it here survives helm upgrade, unlike a kubectl edit.
    DOMAINS: jump.wbes.link
    # SESSION_COOKIE_AGE: 86400
    # SECURITY_VIEW_AUTH_NEED_MFA: true
  # livenessProbe:
  #   failureThreshold: 30
  #   httpGet:
  #     path: /api/health/
  #     port: web
  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /api/health/
      port: web
  podSecurityContext: {}
    # fsGroup: 2000
  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000
  service:
    type: ClusterIP
    web:
      port: 8080
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 1000m
    #   memory: 2048Mi
    # requests:
    #   cpu: 500m
    #   memory: 1024Mi
  persistence:
    storageClassName: ebs-sc
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 100Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection
    # subPath: ""
    # existingClaim:
  volumeMounts: []
  volumes: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
koko:
  enabled: true
  labels:
    app.jumpserver.org/name: jms-koko
  config:
    log:
      level: ERROR
  replicaCount: 1
  image:
    registry: docker.io
    repository: jumpserver/koko
    tag: v3.10.1
    pullPolicy: IfNotPresent
  command: []
  env: []
    # See: https://docs.jumpserver.org/zh/master/admin-guide/env/#koko
    # LANGUAGE_CODE: zh
    # REUSE_CONNECTION: true
    # ENABLE_LOCAL_PORT_FORWARD: true
    # ENABLE_VSCODE_SUPPORT: true
  livenessProbe:
    failureThreshold: 30
    httpGet:
      path: /koko/health/
      port: web
  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /koko/health/
      port: web
  podSecurityContext: {}
    # fsGroup: 2000
  securityContext:
    # privileged gives the koko container unrestricted access to the node (all capabilities,
    # all devices). Keep it only if you have confirmed koko needs it in your environment;
    # otherwise drop it and start from the hardening options commented out below.
    privileged: true
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000
  service:
    type: ClusterIP
    web:
      port: 5000
    ssh:
      port: 2222
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  persistence:
    storageClassName: ebs-sc
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 10Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection
  volumeMounts: []
  volumes: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
lion:
  enabled: true
  labels:
    app.jumpserver.org/name: jms-lion
  config:
    log:
      level: ERROR
  replicaCount: 1
  image:
    registry: docker.io
    repository: jumpserver/lion
    tag: v3.10.1
    pullPolicy: IfNotPresent
  command: []
  env:
    # See: https://docs.jumpserver.org/zh/master/admin-guide/env/#lion
    JUMPSERVER_ENABLE_FONT_SMOOTHING: true
    # JUMPSERVER_COLOR_DEPTH: 32
    # JUMPSERVER_ENABLE_WALLPAPER: true
    # JUMPSERVER_ENABLE_THEMING: true
    # JUMPSERVER_ENABLE_FULL_WINDOW_DRAG: true
    # JUMPSERVER_ENABLE_DESKTOP_COMPOSITION: true
    # JUMPSERVER_ENABLE_MENU_ANIMATIONS: true
  livenessProbe:
    failureThreshold: 30
    httpGet:
      path: /lion/health/
      port: web
  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /lion/health/
      port: web
  podSecurityContext: {}
    # fsGroup: 2000
  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000
  service:
    type: ClusterIP
    web:
      port: 8081
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 512Mi
    # requests:
    #   cpu: 100m
    #   memory: 512Mi
  persistence:
    storageClassName: ebs-sc
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 50Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection
  volumeMounts: []
  volumes: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
magnus:
  enabled: true
  labels:
    app.jumpserver.org/name: jms-magnus
  config:
    log:
      level: ERROR
  replicaCount: 1
  image:
    registry: docker.io
    repository: jumpserver/magnus
    tag: v3.10.1
    pullPolicy: IfNotPresent
  command: []
  env: []
  livenessProbe:
    failureThreshold: 30
    tcpSocket:
      port: 9090
  readinessProbe:
    failureThreshold: 30
    tcpSocket:
      port: 9090
  podSecurityContext: {}
    # fsGroup: 2000
  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000
  service:
    type: ClusterIP
    mysql:
      port: 33061
    mariadb:
      port: 33062
    redis:
      port: 63790
    postgresql:
      port: 54320
    oracle:
      ports: 30000-30100
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 512Mi
    # requests:
    #   cpu: 100m
    #   memory: 512Mi
  persistence:
    storageClassName: ebs-sc
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 10Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection
  volumeMounts: []
  volumes: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
xpack:
  enabled: false               # enable for the Enterprise Edition
  omnidb:
    labels:
      app.jumpserver.org/name: jms-omnidb
    config:
      log:
        level: ERROR
    replicaCount: 1
    image:
      registry: registry.fit2cloud.com
      repository: jumpserver/omnidb
      tag: v3.10.1
      pullPolicy: IfNotPresent
    command: []
    env: []
    livenessProbe:
      failureThreshold: 30
      tcpSocket:
        port: web
    readinessProbe:
      failureThreshold: 30
      tcpSocket:
        port: web
    podSecurityContext: {}
      # fsGroup: 2000
    securityContext: {}
      # capabilities:
      #   drop:
      #   - ALL
      # readOnlyRootFilesystem: true
      # runAsNonRoot: true
      # runAsUser: 1000
    service:
      type: ClusterIP
      web:
        port: 8082
    resources: {}
      # We usually recommend not to specify default resources and to leave this as a conscious
      # choice for the user. This also increases chances charts run on environments with little
      # resources, such as Minikube. If you do want to specify resources, uncomment the following
      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
      # requests:
      #   cpu: 100m
      #   memory: 128Mi
    persistence:
      storageClassName: ebs-sc
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
      # annotations: {}
      finalizers:
        - kubernetes.io/pvc-protection
    volumeMounts: []
    volumes: []
    nodeSelector: {}
    tolerations: []
    affinity: {}
  razor:
    labels:
      app.jumpserver.org/name: jms-razor
    config:
      log:
        level: ERROR
    replicaCount: 1
    image:
      registry: registry.fit2cloud.com
      repository: jumpserver/razor
      tag: v2.28.6
      pullPolicy: IfNotPresent
    command: []
    env: []
    livenessProbe:
      failureThreshold: 30
      tcpSocket:
        port: rdp
    readinessProbe:
      failureThreshold: 30
      tcpSocket:
        port: rdp
    podSecurityContext: {}
      # fsGroup: 2000
    securityContext: {}
      # capabilities:
      #   drop:
      #   - ALL
      # readOnlyRootFilesystem: true
      # runAsNonRoot: true
      # runAsUser: 1000
    service:
      type: ClusterIP
      rdp:
        port: 3389
    resources: {}
      # We usually recommend not to specify default resources and to leave this as a conscious
      # choice for the user. This also increases chances charts run on environments with little
      # resources, such as Minikube. If you do want to specify resources, uncomment the following
      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
      # requests:
      #   cpu: 100m
      #   memory: 128Mi
    persistence:
      storageClassName: ebs-sc
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 50Gi
      # annotations: {}
      finalizers:
        - kubernetes.io/pvc-protection
    volumeMounts: []
    volumes: []
    nodeSelector: {}
    tolerations: []
    affinity: {}
web:
  enabled: true
  labels:
    app.jumpserver.org/name: jms-web
  replicaCount: 1
  image:
    registry: docker.io
    repository: jumpserver/web
    tag: v3.10.1
    pullPolicy: IfNotPresent
  command: []
  # Keep this a map ({}), not a list: the chart's default for web.env is a map
  # (CLIENT_MAX_BODY_SIZE, USE_LB) and `env: []` produces the Helm warning
  # "cannot overwrite table with non table for jumpserver.web.env" seen in step 7.
  env: {}
    # nginx client_max_body_size, default 4G
    # CLIENT_MAX_BODY_SIZE: 4096m
  livenessProbe:
    failureThreshold: 30
    httpGet:
      path: /api/health/
      port: web
  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /api/health/
      port: web
  podSecurityContext: {}
    # fsGroup: 2000
  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000
  service:
    type: ClusterIP
    web:
      port: 80
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  persistence:
    storageClassName: ebs-sc
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
    # annotations: {}
    finalizers:
      - kubernetes.io/pvc-protection
  volumeMounts: []
  volumes: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
7. Install JumpServer with Helm
Create the namespace first (the Redis manifests from step 4 also need it):
$ kubectl create namespace jumpserver
Install command:
$ helm install jms-k8s jumpserver/jumpserver -n jumpserver -f values.yaml --set DOMAINS=jump.wbes.link
Two things about this command. `--set DOMAINS=...` sets a top-level chart value, not an environment variable of the core pod: step 9 shows DOMAINS still had to be added to the core Deployment by hand, so set it under `core.env` in values.yaml instead. The coalesce warning in the output comes from `env: []` under `web` in values.yaml: the chart's default for web.env is a map (CLIENT_MAX_BODY_SIZE, USE_LB), and a list cannot override a map, so use `env: {}` there.
On success the output looks like this:
coalesce.go:220: warning: cannot overwrite table with non table for jumpserver.web.env (map[CLIENT_MAX_BODY_SIZE:4096m USE_LB:0])
NAME: jms-k8s
LAST DEPLOYED: Fri Jan 5 02:22:42 2024
NAMESPACE: jumpserver
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The Installation is Complete.
--------------------------------------------------
| Documentation: https://docs.jumpserver.org/ |
| Official Website: https://www.jumpserver.org/ |
--------------------------------------------------
██╗██╗ ██╗███╗ ███╗██████╗ ███████╗███████╗██████╗ ██╗ ██╗███████╗██████╗
██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗
██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝
██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗
╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝
1. Web access:
http://jump.wbes.link
username: admin  password: admin
Change the default admin password at the first login. The URL is plain http because ingress.tls is empty in values.yaml; put TLS in front before exposing the host.
8. List all the pods
$ kubectl get pods -n jumpserver
NAME READY STATUS RESTARTS AGE
jms-k8s-jumpserver-jms-celery-7759bf74dd-tc5vx 1/1 Running 0 3h56m
jms-k8s-jumpserver-jms-chen-55f68fb754-4l54g 1/1 Running 0 3h56m
jms-k8s-jumpserver-jms-core-c976bc4b4-lgrh5 1/1 Running 0 3h53m
jms-k8s-jumpserver-jms-init-db-b8l2b 0/1 Completed 0 4h1m
jms-k8s-jumpserver-jms-kael-7c59c57b76-6bljn 1/1 Running 0 3h56m
jms-k8s-jumpserver-jms-koko-6499d79f48-ljw82 1/1 Running 0 3h56m
jms-k8s-jumpserver-jms-lion-6f8d47946b-xnphn 1/1 Running 0 3h56m
jms-k8s-jumpserver-jms-magnus-857fcf8579-fgzcf 1/1 Running 0 3h56m
jms-k8s-jumpserver-jms-web-7866cb648c-nd5ct 1/1 Running 0 3h56m
redis-84f58f4d48-fj7xj 1/1 Running 0 4h2m
9. Logging in through the web UI fails with an error
Fix:
$ kubectl edit deployment -n jumpserver jms-k8s-jumpserver-jms-core
Add the variable below to the core container's env and let the pod restart:
        - name: DOMAINS
          value: jump.wbes.link
(The official documentation does not describe this problem and I found no solution online; after the restart, refresh the page and log in again.)
Note that a kubectl edit of the Deployment is reverted by the next helm upgrade. The durable form of the same fix is `DOMAINS: jump.wbes.link` under `core.env` in values.yaml (step 6), which renders the same variable into the core pod; the `--set DOMAINS=...` on the helm command line does not, as this step shows.
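Before running helm install or helm upgrade it is worth checking values.yaml for the problems this walkthrough ran into: masked or short secretKey/bootstrapToken, `env: []` where the chart expects a map (the coalesce warning in step 7), a missing DOMAINS (the login error in this step) and an empty ingress.tls. The script below is an added example, not part of the original post or of the JumpServer chart: it implements the generator the chart comments describe and a grep/sed-based check over values.yaml. It assumes the chart template's two-space indentation and only checks that a DOMAINS key is set somewhere (in this layout it belongs under core.env); both sample files it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the JumpServer chart): pre-flight checks for
# values.yaml before `helm install` / `helm upgrade`, plus the token generator the chart
# comments describe. Assumes the chart template's two-space indentation.
set -eu

# Random alphanumeric token (default 50 chars, the secretKey recommendation). A bounded read
# of urandom plus `cut` (which consumes all its input) avoids a SIGPIPE-killed `tr`.
gen_token() {
  head -c 8192 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-${1:-50}"
}

# Value of the first uncommented `key: value` line in $2 (quotes and trailing comment stripped).
yaml_scalar() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$2" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

# Checks a values.yaml; prints FAIL/WARN lines and returns 1 on any FAIL.
check_values() {
  f="$1"; rc=0
  sk=$(yaml_scalar secretKey "$f")
  case "$sk" in
    ''|*'*'*) echo "FAIL: core.config.secretKey is empty or still a placeholder"; rc=1 ;;
    *) [ "${#sk}" -ge 50 ] || { echo "FAIL: secretKey is ${#sk} chars; 50+ recommended"; rc=1; } ;;
  esac
  bt=$(yaml_scalar bootstrapToken "$f")
  case "$bt" in
    ''|*'*'*) echo "FAIL: core.config.bootstrapToken is empty or still a placeholder"; rc=1 ;;
    *) [ "${#bt}" -ge 24 ] || { echo "FAIL: bootstrapToken is ${#bt} chars; 24+ recommended"; rc=1; } ;;
  esac
  # A password line that is empty or only asterisks (the masked value in the post).
  if grep -Eq '^[[:space:]]*password:[[:space:]]*[*]*[[:space:]]*(#.*)?$' "$f"; then
    echo "FAIL: a password under externalDatabase/externalRedis is empty or masked"; rc=1
  fi
  # Component-level env must be a map; [] cannot override the chart's map default (web.env).
  if grep -Eq '^  env:[[:space:]]*\[\]' "$f"; then
    echo "WARN: 'env: []' found; use 'env: {}' so it merges with the chart default (web.env is a map)"
  fi
  # DOMAINS must reach the core pod; the post needed it for the web login (step 9).
  if ! grep -Eq '^[[:space:]]*DOMAINS:[[:space:]]*[^[:space:]#]' "$f"; then
    echo "FAIL: DOMAINS is not set (put it under core.env)"; rc=1
  fi
  if grep -Eq '^[[:space:]]*tls:[[:space:]]*\[\]' "$f"; then
    echo "WARN: ingress.tls is empty; the bastion would be served over plain HTTP"
  fi
  return "$rc"
}

# Demo on two constructed files: one mirroring the post's values.yaml, one corrected.
BAD=$(mktemp); GOOD=$(mktemp)
cat > "$BAD" <<'EOF'
externalDatabase:
  password: ***********
core:
  config:
    secretKey: "************************"
    bootstrapToken: "****************"
  env:
    SESSION_EXPIRE_AT_BROWSER_CLOSE: true
ingress:
  tls: []
web:
  env: []
EOF
SK=$(gen_token 50); BT=$(gen_token 24)
cat > "$GOOD" <<EOF
externalDatabase:
  password: "constructed-db-password"
core:
  config:
    secretKey: "$SK"
    bootstrapToken: "$BT"
  env:
    DOMAINS: jump.wbes.link
web:
  env: {}
EOF
echo "== as posted =="; check_values "$BAD" || echo "not ready (exit $?)"
echo "== corrected =="; check_values "$GOOD" && echo "ready for helm install"
rm -f "$BAD" "$GOOD"
```

Run `check_values values.yaml` against the real file before every install or upgrade; `gen_token 50` and `gen_token 24` produce a fresh secretKey and bootstrapToken for a new deployment (never rotate secretKey on an existing one without a plan, since it encrypts stored data).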
10. Login succeeds, as shown in the screenshot (not reproduced here).