ProHoster > Блог > Gudanarwa > Helm Tsaro

Helm Tsaro

Ana iya kwatanta ainihin labarin game da mashahurin mai sarrafa fakiti na Kubernetes ta amfani da emoji:

  • akwatin shine Helm (wanda shine mafi kusanci ga sabon sakin Emoji);
  • kulle - tsaro;
  • dan kadan shine maganin matsalar.

Helm Tsaro

A gaskiya ma, duk abin da zai zama dan kadan mafi rikitarwa, kuma labarin yana cike da cikakkun bayanai game da fasaha Yadda ake yin Helm lafiya.

  • A taƙaice menene Helm idan ba ku sani ba ko kun manta. Wadanne matsaloli ne yake magancewa kuma a ina yake a cikin yanayin yanayin.
  • Bari mu dubi gine-ginen Helm. Babu tattaunawa game da tsaro da yadda za a samar da kayan aiki ko mafita mafi aminci da aka kammala ba tare da fahimtar tsarin gine-ginen ba.
  • Bari mu tattauna abubuwan Helm.
  • Tambaya mafi zafi shine makomar - sabon sigar Helm 3. 

Duk abin da ke cikin wannan labarin ya shafi Helm 2. Wannan sigar a halin yanzu ana samarwa kuma galibi shine wanda kuke amfani dashi a halin yanzu, kuma sigar ce ta ƙunshi haɗarin tsaro.


Game da mai magana: Alexander Khayorov (alexx) yana tasowa don shekaru 10, yana taimakawa wajen inganta abun ciki Moscow Python Conf ++ kuma ya shiga kwamitin Taron Helm. Yanzu yana aiki a Chainstack a matsayin jagorar haɓakawa - wannan ƙaƙƙarfan ce tsakanin manajan haɓakawa da mutumin da ke da alhakin isar da sakin ƙarshe. Wato yana nan a fagen fama, inda komai ke faruwa tun daga samar da samfur har zuwa aikinsa.

Chainstack ƙarami ne, haɓaka mai haɓakawa wanda manufarsa ita ce baiwa abokan ciniki damar manta da abubuwan more rayuwa da rikitattun aikace-aikacen da ba a daidaita su ba; ƙungiyar haɓaka tana cikin Singapore. Kar ku nemi Chainstack don siyarwa ko siyan cryptocurrency, amma tayin magana game da tsarin toshewar kasuwanci, kuma za su amsa muku da farin ciki.

Hanya

Wannan fakiti ne (chart) manajan Kubernetes. Hanyar da ta fi dacewa da duniya don kawo aikace-aikace zuwa gungu na Kubernetes.

Helm Tsaro

Muna, ba shakka, muna magana ne game da tsarin tsari da masana'antu fiye da ƙirƙirar abubuwan YAML na ku da rubuta ƙananan kayan aiki.

Helm shine mafi kyawun wanda yake samuwa a halin yanzu kuma sananne.

Me yasa Helm? Da farko saboda CNCF tana goyon bayanta. Cloud Native babban ƙungiya ne kuma shine kamfani na iyaye don ayyukan Kubernetes, da sauransu, Fluentd da sauransu.

Wani muhimmin al'amari shi ne cewa Helm shiri ne da ya shahara sosai. Lokacin da na fara magana game da yadda ake tabbatar da Helm a cikin Janairu 2019, aikin yana da taurari dubu akan GitHub. Ya zuwa watan Mayu akwai dubu 12 daga cikinsu.

Mutane da yawa suna sha'awar Helm, don haka ko da ba ku yi amfani da shi ba tukuna, za ku amfana da sanin amincinsa. Tsaro yana da mahimmanci.

Babban ƙungiyar Helm Microsoft Azure yana goyan bayan sabili da haka aiki ne ingantacce, ba kamar sauran mutane ba. Sakin Helm 3 Alpha 2 a tsakiyar watan Yuli yana nuna cewa akwai mutane da yawa da ke aiki akan aikin, kuma suna da sha'awar haɓakawa da haɓaka Helm.

Helm Tsaro

Helm yana magance matsalolin tushen da yawa na sarrafa aikace-aikacen a Kubernetes.

  • Kundin aikace-aikacen. Ko da aikace-aikace kamar "Sannu, Duniya" akan WordPress ya riga ya ƙunshi ayyuka da yawa, kuma kuna son haɗa su tare.
  • Gudanar da hadaddun da ke zuwa tare da sarrafa waɗannan aikace-aikacen.
  • Yanayin rayuwa wanda baya ƙarewa bayan shigar da aikace-aikacen ko turawa. Yana ci gaba da rayuwa, yana buƙatar sabuntawa, kuma Helm yana taimakawa da wannan kuma yayi ƙoƙarin kawo matakan da suka dace da manufofin wannan.

Jaka an tsara shi ta hanya madaidaiciya: akwai metadata cikakke daidai da aikin mai sarrafa fakiti na yau da kullun don Linux, Windows ko MacOS. Wato, ma'ajiya, dogaro akan fakiti daban-daban, bayanan meta don aikace-aikace, saituna, fasalulluka na daidaitawa, ƙididdigar bayanai, da sauransu. Helm yana ba ku damar samun da amfani da duk wannan don aikace-aikacen.

Sarrafa Matsala. Idan kuna da aikace-aikacen da yawa iri ɗaya, to ana buƙatar daidaitawa. Samfura sun fito daga wannan, amma don guje wa samar da naku hanyar ƙirƙirar samfuri, kuna iya amfani da abin da Helm ke bayarwa daga cikin akwatin.

Gudanar da Rayuwar Aikace-aikacen - a ganina, wannan ita ce tambaya mafi ban sha'awa da rashin warwarewa. Wannan shine dalilin da ya sa na zo Helm a baya. Muna buƙatar sanya ido kan tsarin rayuwar aikace-aikacen kuma muna so mu matsar da CI/CD da zagayen aikace-aikacen zuwa wannan yanayin.

Helm yana ba ku damar:

  • gudanar da ƙaddamarwa, gabatar da manufar daidaitawa da sake dubawa;
  • nasarar aiwatar da sake dawowa;
  • amfani da ƙugiya don abubuwa daban-daban;
  • ƙara ƙarin bincike na aikace-aikacen kuma amsa sakamakon su.

Bugu da ƙari Helm yana da "batura" - ɗimbin abubuwa masu daɗi waɗanda za a iya haɗa su cikin nau'ikan plugins, sauƙaƙe rayuwar ku. Ana iya rubuta plugins da kansa, sun keɓe sosai kuma ba sa buƙatar tsarin gine-gine masu jituwa. Idan kuna son aiwatar da wani abu, Ina ba da shawarar yin shi azaman plugin, sannan mai yuwuwa haɗa shi a sama.

Helm ya dogara ne akan manyan dabaru guda uku:

  • Tsarin Repo - bayanin da tsararrun ma'auni mai yuwuwa don bayyanar ku. 
  • Gyara — wato, ƙimar da za a yi amfani da su (rubutu, ƙimar lambobi, da sauransu).
  • release tattara manyan abubuwan biyu na sama, kuma tare suka zama Saki. Ana iya siffanta abubuwan da aka fitar, ta yadda za a cimma tsarin rayuwa mai tsari: ƙarami a lokacin shigarwa kuma babba a lokacin haɓakawa, raguwa ko juyawa.

Helm gine-gine

Jadawalin a zahiri yana kwatanta babban matakin gine-gine na Helm.

Helm Tsaro

Bari in tunatar da ku cewa Helm wani abu ne mai alaka da Kubernetes. Don haka, ba za mu iya yin ba tare da gungu na Kubernetes (rectangle). Bangaren kube-apiserver yana kan maigidan. Ba tare da Helm muna da Kubeconfig ba. Helm yana kawo ƙananan binary guda ɗaya, idan za ku iya kiran shi, Helm CLI utility, wanda aka sanya a kan kwamfuta, kwamfutar tafi-da-gidanka, mainframe - akan kowane abu.

Amma wannan bai isa ba. Helm yana da bangaren uwar garken da ake kira Tiller. Yana wakiltar muradun Helm a cikin gungu; aikace-aikace ne a cikin gungu na Kubernetes, kamar kowane.

Bangare na gaba na Chart Repo shine ma'ajiya mai ma'ana. Akwai ma'ajiyar hukuma, kuma ana iya samun ma'ajiyar kamfani ko aiki.

Hadin kai

Bari mu kalli yadda sassan gine-gine ke hulɗa yayin da muke son shigar da aikace-aikacen ta amfani da Helm.

  • Muna magana Helm install, shiga wurin ma'ajiya (Chart Repo) kuma sami taswirar Helm.

  • Utility Helm (Helm CLI) yana hulɗa tare da Kubeconfig don gano gungu don tuntuɓar. 
  • Bayan samun wannan bayanin, mai amfani yana nufin Tiller, wanda ke cikin gungun mu, azaman aikace-aikace. 
  • Tiller ya kira Kube-apiserver don yin ayyuka a Kubernetes, ƙirƙirar wasu abubuwa (sabis, kwasfa, kwafi, sirri, da sauransu).

Na gaba, za mu rikitar da zane don ganin tasirin harin da za a iya fallasa dukkanin gine-ginen Helm gaba ɗaya. Sannan za mu yi kokarin kare ta.

Kai hari vector

Mahimmin rauni na farko shine API mai gata-mai amfani. A matsayin wani ɓangare na makircin, wannan ɗan hacker ne wanda ya sami damar gudanarwa zuwa Helm CLI.

API ɗin mara amfani Hakanan zai iya haifar da haɗari idan yana wani wuri kusa. Irin wannan mai amfani zai sami mahallin daban-daban, alal misali, ana iya gyara shi a cikin rukunin sunaye guda ɗaya a cikin saitunan Kubeconfig.

Mafi ban sha'awa vector harin na iya zama wani tsari da ke cikin wani gungu a wani wuri kusa da Tiller kuma yana iya samun dama gare shi. Wannan na iya zama sabar gidan yanar gizo ko microservice wanda ke ganin mahallin cibiyar sadarwa na tari.

Wani m, amma ƙara shahara, bambance-bambancen harin ya ƙunshi Chart Repo. Taswirar da marubuci marar mutunci ya ƙirƙira na iya ƙunsar albarkatu marasa aminci, kuma zaku kammala ta ta hanyar ɗauka akan bangaskiya. Ko kuma yana iya maye gurbin ginshiƙi da kuka zazzage daga ma'ajiyar hukuma kuma, alal misali, ƙirƙira wata hanya ta hanyar manufofi da haɓaka damarsa.

Helm Tsaro

Bari mu yi ƙoƙari mu kawar da hare-hare daga duk waɗannan bangarori hudu kuma mu gano inda akwai matsaloli a cikin gine-ginen Helm, kuma inda, watakila, babu.

Bari mu haɓaka zane, ƙara ƙarin abubuwa, amma kiyaye duk abubuwan asali.

Helm Tsaro

Helm CLI yana sadarwa tare da Chart Repo, yana hulɗa tare da Kubeconfig, kuma ana canza aikin zuwa gungu zuwa ɓangaren Tiller.

An wakilta Tiller da abubuwa biyu:

  • Tiller-deploy svc, wanda ke fallasa wani sabis;
  • Tiller-deploy pod (a cikin zanen a cikin kwafi ɗaya a cikin kwafi ɗaya), wanda duk nauyin ke gudana, wanda ke shiga gungu.

Ana amfani da ka'idoji da tsare-tsare daban-daban don hulɗa. Ta fuskar tsaro, mun fi sha'awar:

  • Hanyar da Helm CLI ke shiga cikin ginshiƙi repo: menene ka'ida, akwai tabbaci da abin da za a iya yi da shi.
  • Ka'idar da Helm CLI, ta amfani da kubectl, ke sadarwa tare da Tiller. Wannan sabar RPC ce da aka shigar a cikin tarin.
  • Tiller da kanta tana samun dama ga ƙananan sabis waɗanda ke zaune a cikin gungu kuma suna hulɗa tare da Kube-apiserver.

Helm Tsaro

Mu tattauna duk waɗannan fagage cikin tsari.

RBAC

Babu ma'ana cikin magana game da kowane tsaro na Helm ko kowane sabis a cikin tarin sai dai in an kunna RBAC.

Da alama wannan ba ita ce sabuwar shawarar ba, amma na tabbata cewa mutane da yawa har yanzu ba su kunna RBAC ba ko da a cikin samarwa, saboda yana da yawa kuma yana buƙatar daidaita abubuwa da yawa. Duk da haka, ina ƙarfafa ku ku yi wannan.

Helm Tsaro

https://rbac.dev/ - lauyan gidan yanar gizon RBAC. Ya ƙunshi babban adadin abubuwan ban sha'awa waɗanda zasu taimaka muku saita RBAC, nuna dalilin da yasa yake da kyau da kuma yadda ake rayuwa tare da shi a cikin samarwa.

Zan yi ƙoƙarin bayyana yadda Tiller da RBAC suke aiki. Tiller yana aiki a cikin gungu ƙarƙashin wani asusun sabis. Yawanci, idan ba a saita RBAC ba, wannan zai zama babban mai amfani. A cikin tsari na asali, Tiller zai zama admin. Wannan shine dalilin da ya sa ake yawan faɗin cewa Tiller rami ne na SSH zuwa tarin ku. A haƙiƙa, wannan gaskiya ne, don haka zaku iya amfani da keɓantaccen asusun sabis na keɓe maimakon Default Service Account a cikin zanen da ke sama.

Lokacin da ka fara Helm kuma ka shigar da shi akan uwar garke a karon farko, zaka iya saita asusun sabis ta amfani da --service-account. Wannan zai ba ku damar amfani da mai amfani tare da mafi ƙarancin saitin haƙƙoƙin da ake buƙata. Gaskiya ne, dole ne ka ƙirƙiri irin wannan “garland”: Matsayi da RoleBinding.

Helm Tsaro

Abin takaici, Helm ba zai yi muku wannan ba. Kai ko mai kula da gungu na Kubernetes kuna buƙatar shirya saitin Matsayi da RoleBindings don asusun sabis a gaba don wuce Helm.

Tambayar ta taso - menene bambanci tsakanin Role da ClusterRole? Bambancin shine ClusterRole yana aiki don duk wuraren suna, ba kamar Roles na yau da kullun da RoleBindings ba, waɗanda ke aiki kawai don keɓancewar suna. Kuna iya saita manufofi don gabaɗayan gungu da duk wuraren suna, ko keɓaɓɓen kowane sarari suna ɗaya ɗaya.

Yana da kyau a faɗi cewa RBAC tana magance wata babbar matsala. Mutane da yawa sun koka cewa Helm, da rashin alheri, ba multitenancy (ba ya goyi bayan multitenancy). Idan ƙungiyoyi da yawa sun cinye gungu kuma suna amfani da Helm, ba zai yuwu ba a kafa manufofi da iyakance damar su a cikin wannan rukunin, saboda akwai wani asusun sabis wanda Helm ke gudanarwa a ƙarƙashinsa, kuma yana ƙirƙirar duk albarkatun da ke cikin gungu daga ƙarƙashinsa. , wanda wani lokacin yana da wahala sosai. Wannan gaskiya ne - kamar fayil ɗin binary kanta, kamar tsari, Helm Tiller ba shi da ra'ayin zama da yawa.

Koyaya, akwai babbar hanyar da ke ba ku damar gudanar da Tiller sau da yawa a cikin tari. Babu matsala tare da wannan, ana iya ƙaddamar da Tiller a kowane wuri mai suna. Don haka, zaku iya amfani da RBAC, Kubeconfig azaman mahallin, da iyakance damar zuwa Helm na musamman.

Zai yi kama da wannan.

Helm Tsaro

Misali, akwai Kubeconfigs guda biyu tare da mahallin ƙungiyoyi daban-daban (wuraren suna biyu): Xungiyar X don ƙungiyar haɓakawa da rukunin gudanarwa. Tarin mai gudanarwa yana da nasa faffadan Tiller, wanda ke cikin tsarin sunan Kube-system, asusun sabis na ci gaba daidai. Kuma keɓantaccen wurin suna don ƙungiyar haɓakawa, za su iya tura ayyukansu zuwa wurin suna na musamman.

Wannan hanya ce mai iya aiki, Tiller baya jin yunwa sosai wanda zai shafi kasafin kuɗin ku sosai. Wannan yana ɗaya daga cikin mafita mai sauri.

Jin kyauta don saita Tiller daban kuma samar da Kubeconfig tare da mahallin mahallin don ƙungiyar, don takamaiman mai haɓakawa ko don yanayin: Dev, Staging, Production (yana da shakka cewa duk abin da zai kasance a kan gungu ɗaya, duk da haka, ana iya yin hakan).

Ci gaba da labarinmu, bari mu canza daga RBAC kuma muyi magana game da ConfigMaps.

ConfigMaps

Helm yana amfani da ConfigMaps azaman ma'ajin bayanai. Lokacin da muka yi magana game da gine-gine, babu wani bayanai a ko'ina da zai adana bayanai game da sakewa, daidaitawa, sake dawowa, da sauransu. Ana amfani da ConfigMaps don wannan.

Babban matsala tare da ConfigMaps sananne - ba su da aminci bisa manufa; ba shi yiwuwa a adana m bayanai. Muna magana ne game da duk abin da bai kamata ya wuce sabis ɗin ba, misali, kalmomin shiga. Hanyar da ta fi dacewa don Helm a yanzu ita ce canzawa daga amfani da ConfigMaps zuwa ga sirri.

Ana yin wannan a sauƙaƙe. Shake saitin Tiller kuma saka cewa ajiyar zai zama sirri. Sannan ga kowane turawa ba za ku karɓi ConfigMap ba, amma sirri ne.

Helm Tsaro

Kuna iya jayayya cewa asirin kansu baƙon ra'ayi ne kuma ba su da tsaro sosai. Koyaya, yana da daraja fahimtar cewa masu haɓaka Kubernetes da kansu suna yin wannan. An fara daga sigar 1.10, i.e. Na ɗan lokaci kaɗan yanzu, yana yiwuwa, aƙalla a cikin gajimare na jama'a, don haɗa ma'ajiyar madaidaicin don adana sirri. Ƙungiyar a yanzu tana aiki kan hanyoyin da za a fi rarraba damar yin amfani da sirri, kwasfan ɗaiɗaikun mutane, ko wasu ƙungiyoyi.

Yana da kyau don canja wurin Storage Helm zuwa asirce, kuma su, bi da bi, an amintattu a tsakiya.

Tabbas zai kasance iyakar ajiyar bayanai na 1 MB. Helm anan yana amfani da etcd azaman ajiya mai rarraba don ConfigMaps. Kuma a can sun yi la'akari da cewa wannan ya dace da bayanan da ya dace don maimaitawa, da dai sauransu. Akwai tattaunawa mai ban sha'awa game da wannan akan Reddit, Ina ba da shawarar gano wannan karatun mai ban dariya don karshen mako ko karanta tsantsa a nan.

Rubutun Jadawalin

Charts sune mafi raunin zamantakewa kuma suna iya zama tushen "Mutum a tsakiya", musamman idan kun yi amfani da mafitacin jari. Da farko, muna magana ne game da ma'ajiyar da aka fallasa ta hanyar HTTP.

Tabbas kuna buƙatar fallasa Helm Repo akan HTTPS - wannan shine mafi kyawun zaɓi kuma ba shi da tsada.

kula da tsarin sa hannu ginshiƙi. Fasaha yana da sauƙi kamar jahannama. Wannan shine abu ɗaya da kuke amfani dashi akan GitHub, injin PGP na yau da kullun tare da maɓallan jama'a da na sirri. Saita kuma tabbata, samun maɓallan da suka dace da sanya hannu akan komai, cewa wannan ainihin ginshiƙi ne.

Bugu da ƙari, Abokin Helm yana goyan bayan TLS (ba a cikin ma'anar HTTP ta uwar garken ba, amma TLS na juna). Kuna iya amfani da maɓallan uwar garken da abokin ciniki don sadarwa. A gaskiya, ba na amfani da irin wannan tsarin saboda ba na son takaddun shaida. Ainihin, gidan kayan gargajiya - babban kayan aiki don kafa Helm Repo don Helm 2 - shima yana goyan bayan ainihin auth. Kuna iya amfani da ainihin auth idan ya fi dacewa kuma ya fi shuru.

Akwai kuma plugin kwal-gcs, wanda ke ba ku damar karɓar Repos na Chart akan Google Cloud Storage. Wannan ya dace sosai, yana aiki mai girma kuma yana da aminci sosai, saboda duk hanyoyin da aka kwatanta ana sake yin su.

Helm Tsaro

Idan kun kunna HTTPS ko TLS, yi amfani da mTLS, kuma ku ba da izini na asali don ƙara rage haɗari, zaku sami amintacciyar tashar sadarwa tare da Helm CLI da Chart Repo.

gRPC API

Mataki na gaba yana da matukar mahimmanci - don tabbatar da Tiller, wanda ke cikin cluster kuma shine, a gefe guda, uwar garken, a daya bangaren, shi da kansa yana shiga wasu sassan kuma yana ƙoƙari ya zama wani.

Kamar yadda na fada a baya, Tiller sabis ne wanda ke fallasa gRPC, abokin ciniki na Helm yana zuwa ta hanyar gRPC. Ta hanyar tsoho, ba shakka, TLS ba a kashe. Dalilin da ya sa aka yi wannan tambaya ce mai yuwuwa, da alama a gare ni in sauƙaƙa saitin a farkon.

Don samarwa har ma da tsarawa, Ina ba da shawarar kunna TLS akan gRPC.

A ganina, ba kamar mTLS don sigogi ba, wannan ya dace a nan kuma ana yin shi da sauƙi - samar da kayan aikin PQI, ƙirƙirar takaddun shaida, ƙaddamar da Tiller, canja wurin takardar shaidar yayin farawa. Bayan wannan, zaku iya aiwatar da duk umarnin Helm, gabatar da kanku tare da takaddun shaida da maɓalli na sirri.

Helm Tsaro

Ta wannan hanyar za ku kare kanku daga duk buƙatun zuwa Tiller daga wajen gungu.

Don haka, mun kulla tashar haɗin kai zuwa Tiller, mun riga mun tattauna RBAC kuma mun daidaita haƙƙin Kubernetes apiserver, rage yankin da zai iya hulɗa da shi.

Helm mai kariya

Bari mu dubi zane na ƙarshe. Gine-gine iri ɗaya ne da kibau iri ɗaya.

Helm Tsaro

Yanzu ana iya zana duk haɗin kai cikin koren lafiya:

  • don Chart Repo muna amfani da TLS ko mTLS da ainihin auth;
  • mTLS don Tiller, kuma an fallasa shi azaman sabis na gRPC tare da TLS, muna amfani da takaddun shaida;
  • tarin yana amfani da asusun sabis na musamman tare da Role da RoleBinding. 

Mun tabbatar da gungu sosai, amma wani mai hankali ya ce:

"Za a iya samun mafita mai aminci guda ɗaya kawai - kwamfutar da aka kashe, wacce ke cikin akwatin siminti kuma sojoji ke gadin ta."

Akwai hanyoyi daban-daban don sarrafa bayanai da nemo sabbin hanyoyin kai hari. Duk da haka, ina da tabbacin cewa waɗannan shawarwari za su cimma daidaitattun masana'antu don aminci.

Bonus

Wannan bangare ba shi da alaƙa kai tsaye da tsaro, amma kuma zai yi amfani. Zan nuna muku wasu abubuwa masu ban sha'awa waɗanda mutane kaɗan suka sani. Misali, yadda ake nemo ginshiƙi - na hukuma da na hukuma.

A cikin ma'ajiyar github.com/helm/charts Yanzu akwai kusan ginshiƙi 300 da koguna biyu: barga da incubator. Duk wanda ya ba da gudummawa ya san sarai irin wahalar da ake samu daga incubator zuwa barga, da kuma sauƙin tashi daga barga. Koyaya, wannan ba shine mafi kyawun kayan aiki don bincika sigogi na Prometheus da duk abin da kuke so ba, saboda dalili ɗaya mai sauƙi - ba tashar tashar ba ce inda zaku iya bincika fakiti cikin dacewa.

Amma akwai sabis hub.helm.sh, wanda ya sa ya fi dacewa don nemo sigogi. Mafi mahimmanci, akwai ƙarin ɗakunan ajiya na waje da yawa da kuma kusan 800 laya akwai. Bugu da ƙari, za ku iya haɗa ma'ajiyar ku idan saboda wasu dalilai ba ku son aika taswirar ku zuwa kwanciyar hankali.

Gwada hub.helm.sh kuma bari mu haɓaka shi tare. Wannan sabis ɗin yana ƙarƙashin aikin Helm, kuma har ma kuna iya ba da gudummawa ga UI ɗin sa idan kun kasance mai haɓakawa na gaba kuma kawai kuna son haɓaka bayyanar.

Ina kuma so in ja hankalin ku zuwa ga Buɗe Broker API haɗin gwiwa. Yana da wuya kuma ba a sani ba, amma yana magance matsalolin da kowa ke fuskanta. Bari in yi bayani da misali mai sauƙi.

Helm Tsaro

Akwai gungu na Kubernetes wanda muke son gudanar da aikace-aikacen gargajiya - WordPress. Gabaɗaya, ana buƙatar rumbun adana bayanai don cikakken aiki. Akwai mafita daban-daban da yawa, alal misali, zaku iya ƙaddamar da sabis ɗin ku na jiha. Wannan bai dace sosai ba, amma mutane da yawa suna yin hakan.

Wasu, kamar mu a Chainstack, suna amfani da bayanan da aka sarrafa kamar MySQL ko PostgreSQL don sabobin su. Shi ya sa ma’adanin bayanan mu suke wani wuri a cikin gajimare.

Amma matsala ta taso: muna buƙatar haɗa sabis ɗinmu tare da bayanan bayanai, ƙirƙirar dandano na bayanai, canja wurin shaidar kuma ko ta yaya sarrafa shi. Duk waɗannan yawanci ana yin su da hannu ta mai sarrafa tsarin ko mai haɓakawa. Kuma babu matsala idan akwai 'yan aikace-aikace. Lokacin da suke da yawa, kuna buƙatar haɗuwa. Akwai irin wannan mai girbi - dillalin sabis ne. Yana ba ku damar amfani da plugin na musamman don tarin gajimare na jama'a da oda albarkatun daga mai samarwa ta hanyar Broker, kamar dai API ne. Don yin wannan, zaku iya amfani da kayan aikin Kubernetes na asali.

Yana da sauqi qwarai. Kuna iya tambaya, misali, Sarrafa MySQL a cikin Azure tare da matakin tushe (ana iya daidaita wannan). Yin amfani da Azure API, za a ƙirƙira da kuma shirya bayanan don amfani. Ba kwa buƙatar tsoma baki tare da wannan, plugin ɗin yana da alhakin wannan. Misali, OSBA (Plugin Azure) zai dawo da takaddun shaida ga sabis ɗin kuma ya wuce zuwa Helm. Za ku iya amfani da WordPress tare da girgije MySQL, kar ku yi ma'amala da bayanan bayanai da aka sarrafa kwata-kwata kuma kada ku damu da cikakkun ayyuka a ciki.

Za mu iya cewa Helm yana aiki a matsayin manne wanda, a gefe guda, yana ba ku damar ƙaddamar da ayyuka, kuma a gefe guda, cinye albarkatun masu samar da girgije.

Kuna iya rubuta abubuwan plugin ɗin ku kuma ku yi amfani da wannan labarin gabaɗayan akan fage. Sa'an nan kawai za ku sami plugin ɗin ku don mai samar da Cloud na kamfani. Ina ba da shawarar gwada wannan hanyar, musamman idan kuna da babban sikeli kuma kuna son tura dev, staging, ko gabaɗayan abubuwan more rayuwa don fasalin. Wannan zai sauƙaƙa rayuwa ga ayyukanku ko DevOps.

Wani binciken da na ambata shine Helm-gcs plugin, wanda ke ba ku damar amfani da Google-buckets (ma'ajiyar abu) don adana sigogin Helm.

Helm Tsaro

Kuna buƙatar umarni huɗu kawai don fara amfani da su:

  1. shigar da plugin;
  2. fara shi;
  3. saita hanya zuwa guga, wanda ke cikin gcp;
  4. buga sigogi a daidaitaccen hanya.

Kyakkyawan shine za a yi amfani da hanyar gcp na asali don izini. Kuna iya amfani da asusun sabis, asusun mai haɓakawa, duk abin da kuke so. Yana da matukar dacewa kuma yana biyan komai don aiki. Idan ku, kamar ni, inganta falsafar opsless, to wannan zai zama dacewa sosai, musamman ga ƙananan ƙungiyoyi.

Sauran hanyoyin

Helm ba shine kawai maganin sarrafa sabis ba. Akwai tambayoyi da yawa game da shi, wanda shine watakila dalilin da ya sa na uku ya bayyana da sauri. Tabbas akwai wasu hanyoyi.

Waɗannan na iya zama mafita na musamman, misali, Ksonnet ko Metaparticle. Kuna iya amfani da kayan aikin sarrafa abubuwan more rayuwa na yau da kullun (Mai yiwuwa, Terraform, Chef, da sauransu) don dalilai iri ɗaya waɗanda na yi magana akai.

Daga karshe akwai mafita Tsarin Aiki, wanda shahararsa ke karuwa.

Tsarin Aiki shine babban madadin Helm don yin la'akari.

Ya fi ɗan ƙasa zuwa CNCF da Kubernetes, amma shingen shiga ya fi girma, kuna buƙatar ƙarin shirye-shirye kuma ku bayyana ƙarancin bayyanar.

Akwai addons daban-daban, kamar Draft, Scaffold. Suna sauƙaƙa rayuwa sosai, alal misali, suna sauƙaƙe zagayowar aikawa da ƙaddamar da Helm don masu haɓakawa don tura yanayin gwaji. Zan kira su masu ƙarfafawa.

Anan ga ginshiƙi na gani na inda komai yake.

Helm Tsaro

A kan x-axis shine matakin ikon ku na sirri akan abin da ke faruwa, akan y-axis shine matakin ɗan asalin Kubernetes. Sigar Helm 2 ta faɗi wani wuri a tsakiya. A cikin sigar 3, ba mai girma ba, amma duka iko da matakin ɗan ƙasa an inganta su. Magani a matakin Ksonnet har yanzu suna ƙasa da Helm 2. Duk da haka, suna da kyau a duba su san abin da ke cikin wannan duniyar. Tabbas, manajan daidaitawar ku zai kasance ƙarƙashin ikon ku, amma kwata-kwata ba ɗan asalin Kubernetes bane.

Tsarin Ma'aikata cikakken ɗan asalin Kubernetes ne kuma yana ba ku damar sarrafa shi da kyau da tsafta (amma ku tuna game da matakin shigarwa). Madadin haka, wannan ya dace da aikace-aikacen musamman da ƙirƙirar gudanarwa don shi, maimakon mai girbin taro don tattara yawan aikace-aikacen ta amfani da Helm.

Extenders kawai suna haɓaka sarrafawa kaɗan, haɓaka aikin aiki, ko yanke sasanninta akan bututun CI/CD.

Makomar Helm

Labari mai dadi shine Helm 3 yana zuwa. An riga an fitar da sigar alpha na Helm 3.0.0-alpha.2, zaku iya gwadawa. Yana da tsayayye, amma har yanzu aiki yana iyakance.

Me yasa kuke buƙatar Helm 3? Da farko, wannan labari ne game da shi bacewar Tiller, a matsayin bangaren. Wannan, kamar yadda kuka riga kuka fahimta, babban ci gaba ne, domin daga mahangar tsaro na gine-ginen, an sauƙaƙe komai.

Lokacin da aka halicci Helm 2, wanda yake kusa da lokacin Kubernetes 1.8 ko ma a baya, yawancin ra'ayoyin ba su da girma. Misali, manufar CRD yanzu ana aiwatar da shi sosai, kuma Helm zai yi amfani da CRDdon adana tsarin. Zai yiwu a yi amfani da abokin ciniki kawai kuma ba kula da sashin uwar garken ba. Saboda haka, yi amfani da umarnin Kubernetes na asali don aiki tare da tsari da albarkatu. Wannan babban ci gaba ne.

Zai bayyana goyan baya ga wuraren ajiyar OCI na asali (Bude Kwantena Initiative). Wannan babban yunƙuri ne, kuma Helm yana da sha'awar da farko don buga jadawalin sa. Ya kai ga cewa, alal misali, Docker Hub yana goyan bayan matakan OCI da yawa. Ba na zato ba, amma watakila masu samar da ma'ajin Docker na yau da kullun za su fara ba ku dama don ɗaukar hotunan Helm ɗin ku.

Labarin da ke daure min kai shine Lua support, a matsayin injin gwadawa don rubuta rubutun. Ni ba babban mai son Lua ba ne, amma wannan zai zama fasalin zaɓin gaba ɗaya. Na duba wannan sau 3 - amfani da Lua ba zai zama dole ba. Don haka, waɗanda suke son samun damar yin amfani da Lua, waɗanda suke son Go, su shiga babban sansanin mu kuma su yi amfani da go-tmpl don wannan.

A ƙarshe, abin da na rasa tabbas shine fitowar makirci da ingantaccen nau'in bayanai. Ba za a sami ƙarin matsaloli tare da int ko kirtani ba, babu buƙatar kunsa sifili a cikin ƙididdiga biyu. Tsarin JSONS zai bayyana wanda zai ba ku damar siffanta wannan a sarari don ƙima.

Za a sake yin aiki sosai samfurin-kore taron. An riga an kwatanta shi da ra'ayi. Dubi reshe na Helm 3, za ku ga adadin abubuwan da suka faru da ƙugiya da sauran abubuwa da aka ƙara, wanda zai sauƙaƙa sosai kuma, a gefe guda, yana ƙara iko akan hanyoyin ƙaddamarwa da halayen su.

Helm 3 zai zama mafi sauƙi, mafi aminci, kuma mafi daɗi, ba saboda ba ma son Helm 2 ba, amma saboda Kubernetes yana ƙara haɓaka. Saboda haka, Helm na iya amfani da ci gaban Kubernetes kuma ya haifar da ingantattun manajoji ga Kubernetes akan shi.

Wani albishir kuma shine DevOpsConf Alexander Khayorov zai gaya muku, shin kwantena za su iya zama amintattu? Bari mu tunatar da ku cewa za a gudanar da taro kan haɗin kai na ci gaba, gwaji da ayyukan aiki a Moscow Satumba 30 da Oktoba 1. Kuna iya yin hakan har zuwa 20 ga Agusta gabatar da rahoto kuma gaya mana game da kwarewar ku game da mafita daya daga cikin da yawa ayyuka na tsarin DevOps.

Bi wuraren binciken taro da labarai a jerin aikawasiku и tashar telegram.

source: www.habr.com

Add a comment