Go? Bash! Meet the shell-operator (review and video of the talk from KubeCon EU'2020)

This year, the main European Kubernetes conference, KubeCon + CloudNativeCon Europe 2020, was virtual. However, this change of format did not prevent us from delivering our long-planned talk “Go? Bash! Meet the Shell-operator”, dedicated to our Open Source project shell-operator.

This article, inspired by the talk, presents an approach to simplifying the process of creating operators for Kubernetes and shows how you can make your own with minimal effort using shell-operator.

We present the video of the talk (~23 minutes, in English, noticeably more informative than the article) and the main extract from it in text form. Let's go!

At Flant we are always improving and automating everything. Today we will talk about another exciting concept. Meet: native shell scripting!

However, let's start with the context in which all of this happens: Kubernetes.

Kubernetes API and controllers

The Kubernetes API can be pictured as a kind of file server with a directory for each type of object. Objects (resources) on this server are represented by YAML files. In addition, the server has a basic API that lets you do three things:

  • get a resource by its kind and name;
  • change a resource (in this case the server stores only "correct" objects: all malformed ones, or ones intended for other directories, are discarded);
  • watch a resource (in this case the user immediately receives its current/updated version).

Thus, Kubernetes acts as a kind of file server (for YAML manifests) with three basic methods (yes, there are actually others, but we will leave them out for now).

The problem is that the server can only store information. To make it work you need a controller, the second most important and fundamental concept in the Kubernetes world.

There are two main types of controllers. The first takes information from Kubernetes, processes it according to its own logic, and returns it to K8s. The second takes information from Kubernetes but, unlike the first type, changes the state of some external resources.

Let's look at the process of creating a Deployment in Kubernetes:

  • The Deployment Controller (included in kube-controller-manager) receives information about the Deployment and creates a ReplicaSet.
  • The ReplicaSet creates two replicas (two pods) based on this information, but these pods are not scheduled yet.
  • The scheduler schedules the pods and adds node information to their YAMLs.
  • Kubelets make changes to an external resource (say, Docker).

Then this whole sequence is repeated in reverse order: the kubelet checks the containers, calculates the pod's status and sends it back. The ReplicaSet controller receives the status and updates the state of the replica set. The same happens with the Deployment Controller, and the user finally gets the updated (current) status.

Shell-operator

It turns out that Kubernetes is based on the joint work of various controllers (Kubernetes operators are controllers too). The question arises: how do you create your own operator with minimal effort? This is where shell-operator, which we developed, comes to the rescue. It lets system administrators create their own operators using methods they are already familiar with.

A simple example: copying secrets

Let's look at a simple example.

Let's say we have a Kubernetes cluster. It has a default namespace with a Secret named mysecret. In addition, there are other namespaces in the cluster. Some of them have a specific label attached. Our goal is to copy the Secret into the namespaces that have the label.

The task is complicated by the fact that new namespaces may appear in the cluster, and some of them may have this label. On the other hand, when the label is removed, the Secret should be deleted as well. In addition, the Secret itself can change: in that case, the new Secret must be copied to all labelled namespaces. If the Secret is accidentally deleted in any namespace, our operator should restore it immediately.

Now that the task is defined, it is time to start implementing it with shell-operator. But first, a few words about shell-operator itself.

How shell-operator works

Like other workloads in Kubernetes, shell-operator runs in its own pod. In this pod, the /hooks directory stores executable files. These can be scripts in Bash, Python, Ruby, and so on. We call such executable files hooks.

Shell-operator subscribes to Kubernetes events and runs these hooks in response to the events we need.

How does shell-operator know which hook to run and when? The point is that every hook has two stages. At startup, shell-operator runs all hooks with the --config argument: this is the configuration stage. After that, hooks are launched in the normal way, in response to the events they are bound to. In the latter case, the hook receives the binding context, data in JSON format that we will discuss in more detail below.

Implementing it in Bash

Now we are ready to implement it. To do this, we need to write two functions (by the way, we recommend the shell_lib library, which makes writing hooks in Bash much simpler):

  • the first is needed for the configuration stage: it outputs the binding context;
  • the second contains the hook's main logic.

#!/bin/bash

source /shell_lib.sh

function __config__() {
  cat << EOF
    configVersion: v1
    # BINDING CONFIGURATION
EOF
}

function __main__() {
  # THE LOGIC
  :  # no-op, so that the empty skeleton is still valid Bash
}

hook::run "$@"

The next step is to decide which objects we need. In our case, we need to track:

  • the source secret, for changes;
  • all namespaces in the cluster, so that we know which ones have the label attached;
  • the target secrets, to make sure they are all in sync with the source secret.

Subscribing to the source secret

The binding configuration for it is quite simple. We state that we are interested in the Secret named mysecret in the default namespace:

function __config__() {
  cat << EOF
    configVersion: v1
    kubernetes:
    - name: src_secret
      apiVersion: v1
      kind: Secret
      nameSelector:
        matchNames:
        - mysecret
      namespace:
        nameSelector:
          matchNames: ["default"]
      group: main
EOF
}

As a result, the hook will run when the source secret (src_secret) changes and will receive the following binding context:

As you can see, it contains the name and the entire object.

Keeping track of namespaces

Now we need to subscribe to namespaces. To do this, we specify the following binding configuration:

- name: namespaces
  apiVersion: v1
  kind: Namespace
  jqFilter: |
    {
      namespace: .metadata.name,
      hasLabel: (
       .metadata.labels // {} |
         contains({"secret": "yes"})
      )
    }
  group: main
  keepFullObjectsInMemory: false

As you can see, a new field named jqFilter has appeared in the configuration. As its name suggests, jqFilter filters out all unnecessary information and creates a new JSON object with the fields that interest us. A hook with this configuration will receive the following binding context:

It contains an array of filterResults for each namespace in the cluster. The boolean variable hasLabel shows whether the label is attached to the given namespace. The keepFullObjectsInMemory: false option indicates that there is no need to keep full objects in memory.

Tracking the target secrets

We subscribe to all Secrets that have the managed-secret: "yes" annotation specified (these are our target dst_secrets):

- name: dst_secrets
  apiVersion: v1
  kind: Secret
  labelSelector:
    matchLabels:
      managed-secret: "yes"
  jqFilter: |
    {
      "namespace":
        .metadata.namespace,
      "resourceVersion":
        .metadata.annotations.resourceVersion
    }
  group: main
  keepFullObjectsInMemory: false

In this case, jqFilter filters out all information except the namespace and the resourceVersion parameter. The latter parameter was passed to the annotation when the secret was created: it lets you compare versions of secrets and keep them up to date.

A hook configured this way will, when executed, receive the three binding contexts described above. You can think of them as a kind of snapshot of the cluster.

Based on all this information, a basic algorithm can be developed. It iterates over all namespaces and:

  • if hasLabel is true for the current namespace:
    • compares the global secret with the local one:
      • if they are the same, it does nothing;
      • if they differ, it runs kubectl replace or create;
  • if hasLabel is false for the current namespace:
    • makes sure that the Secret is not in the given namespace:
      • if the local Secret is present, it deletes it using kubectl delete;
      • if the local Secret is not found, it does nothing.
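
The decision logic of this loop as a Python hook function (the page notes that hooks may be written in Python); this is an added example, not the Bash implementation from the project's repository. The binding context below is constructed, and its layout (one main group with snapshots keyed by binding name, each copy's resourceVersion holding the source version it was made from) is an assumption based on the configurations on this page.

```python
import json

# Constructed sample (not captured from a cluster). Assumed layout: one "main"
# group whose snapshots are keyed by the binding names configured above.
BINDING_CONTEXT = json.loads("""
[{"binding": "main", "type": "Group", "snapshots": {
  "src_secret": [{"object": {"metadata": {
      "name": "mysecret", "namespace": "default", "resourceVersion": "1042"}}}],
  "namespaces": [
    {"filterResult": {"namespace": "default", "hasLabel": false}},
    {"filterResult": {"namespace": "team-a", "hasLabel": true}},
    {"filterResult": {"namespace": "team-b", "hasLabel": true}},
    {"filterResult": {"namespace": "team-c", "hasLabel": true}},
    {"filterResult": {"namespace": "team-d", "hasLabel": false}}],
  "dst_secrets": [
    {"filterResult": {"namespace": "team-a", "resourceVersion": "1042"}},
    {"filterResult": {"namespace": "team-b", "resourceVersion": "977"}},
    {"filterResult": {"namespace": "team-d", "resourceVersion": "1042"}}]}}]
""")


def plan_actions(context):
    """Return sorted (action, namespace) pairs that bring all copies in sync."""
    snapshots = context[0]["snapshots"]
    # Assumes the source Secret exists; its version is what each copy records.
    src_version = snapshots["src_secret"][0]["object"]["metadata"]["resourceVersion"]
    # Only Secrets matched by the dst_secrets binding appear here, so the plan
    # never replaces or deletes a Secret the hook does not manage (the source
    # in "default" is not matched by that binding).
    copies = {s["filterResult"]["namespace"]: s["filterResult"]["resourceVersion"]
              for s in snapshots["dst_secrets"]}
    actions = []
    for item in snapshots["namespaces"]:
        ns = item["filterResult"]["namespace"]
        if item["filterResult"]["hasLabel"]:
            if ns not in copies:                 # new namespace or deleted copy
                actions.append(("create", ns))
            elif copies[ns] != src_version:      # source changed since the copy
                actions.append(("replace", ns))
        elif ns in copies:                       # label removed
            actions.append(("delete", ns))
    return sorted(actions)


if __name__ == "__main__":
    for action, ns in plan_actions(BINDING_CONTEXT):
        print(f"{action}: {ns}/mysecret")
```

Because deletions are driven only by the dst_secrets snapshot, a namespace that loses its label loses only the managed copy, never an unrelated Secret with the same name.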

You can download the Bash implementation of the algorithm from our repository of examples.

This is how we were able to create a simple Kubernetes controller using 35 lines of YAML configuration and about the same amount of Bash code! Shell-operator's job is to tie them together.

However, copying secrets is not the only area where the tool can be applied. Here are a few more examples that show what it is capable of.

Example 1: Making changes to a ConfigMap

Let's look at a Deployment consisting of three pods. The pods use a ConfigMap to store some configuration. When the pods were launched, the ConfigMap was in a certain state (let's call it v.1). Accordingly, all pods use this particular version of the ConfigMap.

Now let's assume that the ConfigMap has changed (v.2). However, the pods will keep using the previous version of the ConfigMap (v.1):

How do we get them to switch to the new ConfigMap (v.2)? The answer is simple: use the template. Let's add a checksum annotation to the template section of the Deployment configuration:

As a result, this checksum will be registered in all pods, and it will be the same as that of the Deployment. Now you only need to update the annotation when the ConfigMap changes. And shell-operator comes in handy here. All you need to do is program a hook that subscribes to the ConfigMap and updates the checksum.

If the user makes changes to the ConfigMap, shell-operator will notice them and recalculate the checksum. After that, the magic of Kubernetes comes into play: the orchestrator will kill a pod, create a new one, wait for it to become Ready, and move on to the next one. As a result, the Deployment will be synchronized and will switch to the new version of the ConfigMap.
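
What such a hook has to compute, as an added Python example (not code from the page or the project): a checksum over the ConfigMap payload and the merge patch that writes it into the Deployment's pod template. The annotation key checksum/config and the sample objects are assumptions constructed for illustration.

```python
import hashlib
import json

ANNOTATION = "checksum/config"  # assumed key; the page does not name the annotation

# Constructed sample objects, trimmed to the fields the hook reads.
CONFIGMAP = {"metadata": {"name": "app-config", "resourceVersion": "15"},
             "data": {"log_level": "info", "timeout": "30"}}
DEPLOYMENT = {"metadata": {"name": "app"},
              "spec": {"template": {"metadata": {"labels": {"app": "app"}}}}}


def configmap_checksum(configmap):
    """SHA-256 of the ConfigMap payload only, independent of key order."""
    # metadata (resourceVersion, labels, ...) is left out on purpose: only a
    # change in the configuration itself should restart the pods.
    payload = {"data": configmap.get("data") or {},
               "binaryData": configmap.get("binaryData") or {}}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def checksum_patch(configmap, deployment):
    """Return the merge patch for the Deployment, or None if it is up to date."""
    want = configmap_checksum(configmap)
    template_meta = deployment["spec"]["template"].get("metadata") or {}
    have = (template_meta.get("annotations") or {}).get(ANNOTATION)
    if have == want:
        return None  # nothing to patch, so no needless rolling restart
    return {"spec": {"template": {"metadata": {"annotations": {ANNOTATION: want}}}}}


if __name__ == "__main__":
    # A hook would pass this JSON to: kubectl patch deployment app --type merge -p ...
    print(json.dumps(checksum_patch(CONFIGMAP, DEPLOYMENT)))
```

Returning None when the annotation already matches keeps repeated hook runs from triggering a rollout when nothing in the configuration changed.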

Example 2: Working with Custom Resource Definitions

As you know, Kubernetes lets you create custom kinds of objects. For example, you can create the kind MysqlDatabase. Let's say this kind has two metadata parameters: name and namespace.

apiVersion: example.com/v1alpha1
kind: MysqlDatabase
metadata:
  name: foo
  namespace: bar

We have a Kubernetes cluster with different namespaces in which we can create MySQL databases. In this case, shell-operator can be used to track MysqlDatabase resources, connect them to the MySQL server and synchronize the desired and observed states of the cluster.

Example 3: Monitoring the cluster network

As you know, using ping is the simplest way to monitor a network. In this example we will show how to implement such monitoring using shell-operator.

First, you need to subscribe to nodes. Shell-operator needs the name and IP address of each node. With their help, it will ping these nodes.

configVersion: v1
kubernetes:
- name: nodes
  apiVersion: v1
  kind: Node
  jqFilter: |
    {
      name: .metadata.name,
      ip: (
       .status.addresses[] |  
        select(.type == "InternalIP") |
        .address
      )
    }
  group: main
  keepFullObjectsInMemory: false
  executeHookOnEvent: []
schedule:
- name: every_minute
  group: main
  crontab: "* * * * *"

The executeHookOnEvent: [] parameter prevents the hook from running in response to any event (that is, in response to nodes being changed, added or deleted). However, it will run (and update the list of nodes) on schedule, every minute, as prescribed by the schedule field.

Now the question arises: how exactly do we find out about problems such as packet loss? Let's look at the code:

function __main__() {
  # Walk over every node in the "nodes" snapshot.
  for i in $(seq 0 "$(context::jq -r '(.snapshots.nodes | length) - 1')"); do
    node_name="$(context::jq -r '.snapshots.nodes['"$i"'].filterResult.name')"
    node_ip="$(context::jq -r '.snapshots.nodes['"$i"'].filterResult.ip')"
    packets_lost=0
    # One probe, waiting at most one second for the reply
    # (-W is the timeout in Linux ping; -t would set the TTL).
    if ! ping -c 1 -W 1 "$node_ip" ; then
      packets_lost=1
    fi
    # Append one "add" operation per node to the metrics file.
    cat >> "$METRICS_PATH" <<END
      {
        "name": "node_packets_lost",
        "add": $packets_lost,
        "labels": {
          "node": "$node_name"
        }
      }
END
  done
}

We iterate over the list of nodes, get their names and IP addresses, ping them and send the results to Prometheus. Shell-operator can export metrics to Prometheus by saving them to a file located at the path specified in the $METRICS_PATH environment variable.

This is how you can make an operator for simple network monitoring in a cluster.

Queueing mechanism

This article would be incomplete without describing another important mechanism built into shell-operator. Imagine that it is executing some hook in response to an event in the cluster.

  • What happens if, at the same time, something else happens in the cluster? Another event?
  • Will shell-operator run another instance of the hook?
  • What if, say, five events happen in the cluster at once?
  • Will shell-operator process them in parallel?
  • What about consumed resources such as memory and CPU?

Fortunately, shell-operator has a built-in queueing mechanism. All events are queued and processed sequentially.

Let's illustrate this with examples. Say we have two hooks. The first event goes to the first hook. Once its processing is complete, the queue moves forward. The next three events are addressed to the second hook: they are removed from the queue and fed to it in a "bundle". That is, the hook receives an array of events or, more precisely, an array of binding contexts.

These events can also be combined into one big one. The group parameter in the binding configuration is responsible for this.

You can create any number of queues/hooks and various combinations of them. For example, one queue can work with two hooks, or vice versa.

All you need to do is set the queue field accordingly in the binding configuration. If no queue name is specified, the hook runs on the default queue (default). This queueing mechanism lets you solve all resource management problems when working with hooks.

Conclusion

We explained what shell-operator is, showed how it can be used to create Kubernetes operators quickly and effortlessly, and gave several examples of its use.

Detailed information about shell-operator, as well as a quick tutorial on how to use it, is available in the corresponding repositories on GitHub. Do not hesitate to contact us with questions: you can discuss them in a dedicated Telegram group (in Russian) or in this forum (in English).

And if you liked it, we are always happy to see new issues/PRs/stars on GitHub, where, by the way, you can find other interesting projects. Among them, addon-operator, the big brother of shell-operator, is worth highlighting. This tool uses Helm charts to install add-ons, can deliver updates and monitor various chart parameters/values, controls the installation process of charts, and can also modify them in response to events in the cluster.

Video and slides

Video from the talk (~23 minutes):

Slides of the talk:

source: www.habr.com
