Integrating Kubernetes Dashboard with GitLab Users

Kubernetes Dashboard is an easy-to-use tool for getting up-to-date information about a running cluster and managing it with minimal effort. You start to appreciate it even more when access to these capabilities is needed not only by administrators / DevOps engineers, but also by those who are less used to the console and/or do not intend to deal with all the intricacies of working with kubectl and other utilities. This is what happened with us: the developers wanted quick access to the Kubernetes web interface, and since we use GitLab, the solution came naturally.

Why this?

Developers may be directly interested in a tool like K8s Dashboard for debugging. Sometimes you want to look at logs and resources, and sometimes kill pods, scale Deployments/StatefulSets, and even go to the container console (there are also requests for which, however, there is another way, for example via kubectl-debug).

In addition, there is a psychological moment for managers when they want to look at the cluster: to see that "everything is green" and thus reassure themselves that "everything works" (which, of course, is very relative... but that is beyond the scope of the article).

As our standard CI system we use GitLab: all developers use it too. So, to give them access, it made sense to integrate Dashboard with GitLab accounts.

I will also note that we use NGINX Ingress. If you work with other ingress solutions, you will need to find the equivalent annotations for authorization yourself.

Trying the integration

Installing Dashboard

Caution: if you are going to repeat the steps below, then, to avoid unnecessary work, first read through to the next subheading.

Since we use this integration in many installations, we have automated its installation. The sources needed for this are published in a dedicated GitHub repository. They are based on slightly modified YAML manifests from the official Dashboard repository, plus a Bash script for quick deployment.

The script installs Dashboard in the cluster and configures it for integration with GitLab:

$ ./ctl.sh  
Usage: ctl.sh [OPTION]... --gitlab-url GITLAB_URL --oauth2-id ID --oauth2-secret SECRET --dashboard-url DASHBOARD_URL
Install kubernetes-dashboard to Kubernetes cluster.
Mandatory arguments:
 -i, --install                install into 'kube-system' namespace
 -u, --upgrade                upgrade existing installation, will reuse password and host names
 -d, --delete                 remove everything, including the namespace
     --gitlab-url             set gitlab url with schema (https://gitlab.example.com)
     --oauth2-id              set OAUTH2_PROXY_CLIENT_ID from gitlab
     --oauth2-secret          set OAUTH2_PROXY_CLIENT_SECRET from gitlab
     --dashboard-url          set dashboard url without schema (dashboard.example.com)
Optional arguments:
 -h, --help                   output this message

However, before using it, you need to go to GitLab, Admin area → Applications, and add a new application for the future panel. Let's call it "kubernetes dashboard".

As a result of adding it, GitLab will provide the hashes.

They are what is passed as arguments to the script. As a result, the installation looks like this:

$ ./ctl.sh -i --gitlab-url https://gitlab.example.com --oauth2-id 6a52769e… --oauth2-secret 6b79168f… --dashboard-url dashboard.example.com

After that, let's check that everything has started:

$ kubectl -n kube-system get pod | egrep '(dash|oauth)'
kubernetes-dashboard-76b55bc9f8-xpncp   1/1       Running   0          14s
oauth2-proxy-5586ccf95c-czp2v           1/1       Running   0          14s

Sooner or later everything will start, however authorization will not work right away! The fact is that in the image used (the situation in other images is similar) the redirect handling in the callback is implemented incorrectly. This leads to oauth erasing the cookie that oauth itself gives us...

The problem is solved by building your own oauth image with a patch.

Patch oauth and reinstall

To do this, we will use the following Dockerfile:

FROM golang:1.9-alpine3.7
WORKDIR /go/src/github.com/bitly/oauth2_proxy

# Build tooling plus the gpm dependency manager
RUN apk --update add make git build-base curl bash ca-certificates wget \
 && update-ca-certificates \
 && curl -sSO https://raw.githubusercontent.com/pote/gpm/v1.4.0/bin/gpm \
 && chmod +x gpm \
 && mv gpm /usr/local/bin
# Pin the upstream source to a fixed commit so the patch applies cleanly
RUN git clone https://github.com/bitly/oauth2_proxy.git . \
 && git checkout bfda078caa55958cc37dcba39e57fc37f6a3c842
ADD rd.patch .
# Apply the redirect fix and build the binary into ./dist
RUN patch -p1 < rd.patch \
 && ./dist.sh

# Runtime stage: only the built binary and CA certificates
FROM alpine:3.7
RUN apk --update add curl bash ca-certificates && update-ca-certificates
COPY --from=0 /go/src/github.com/bitly/oauth2_proxy/dist/ /bin/

EXPOSE 8080 4180
ENTRYPOINT [ "/bin/oauth2_proxy" ]
CMD [ "--upstream=http://0.0.0.0:8080/", "--http-address=0.0.0.0:4180" ]

And here is what the rd.patch patch itself looks like:

diff --git a/dist.sh b/dist.sh
index a00318b..92990d4 100755
--- a/dist.sh
+++ b/dist.sh
@@ -14,25 +14,13 @@ goversion=$(go version | awk '{print $3}')
sha256sum=()
 
echo "... running tests"
-./test.sh
+#./test.sh
 
-for os in windows linux darwin; do
-    echo "... building v$version for $os/$arch"
-    EXT=
-    if [ $os = windows ]; then
-        EXT=".exe"
-    fi
-    BUILD=$(mktemp -d ${TMPDIR:-/tmp}/oauth2_proxy.XXXXXX)
-    TARGET="oauth2_proxy-$version.$os-$arch.$goversion"
-    FILENAME="oauth2_proxy-$version.$os-$arch$EXT"
-    GOOS=$os GOARCH=$arch CGO_ENABLED=0 
-        go build -ldflags="-s -w" -o $BUILD/$TARGET/$FILENAME || exit 1
-    pushd $BUILD/$TARGET
-    sha256sum+=("$(shasum -a 256 $FILENAME || exit 1)")
-    cd .. && tar czvf $TARGET.tar.gz $TARGET
-    mv $TARGET.tar.gz $DIR/dist
-    popd
-done
+os='linux'
+echo "... building v$version for $os/$arch"
+TARGET="oauth2_proxy-$version.$os-$arch.$goversion"
+GOOS=$os GOARCH=$arch CGO_ENABLED=0 
+    go build -ldflags="-s -w" -o ./dist/oauth2_proxy || exit 1
  
checksum_file="sha256sum.txt"
cd $DIR/dists
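
Review bot: commenting out ./test.sh at the top of this hunk leaves the echo "... running tests" line in place, so the build log claims tests ran when they did not; either keep the tests in the image build or drop the message. The removed loop was also the only place that appended to sha256sum, so the array declared as sha256sum=() stays empty and the checksum file handled after this hunk no longer covers the binary written to ./dist/oauth2_proxy; compute the hash of that file after go build if the checksum is still meant to be published.
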
diff --git a/oauthproxy.go b/oauthproxy.go
index 21e5dfc..df9101a 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -381,7 +381,9 @@ func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
       if redirect_url == p.SignInPath {
               redirect_url = "/"
       }
-
+       if req.FormValue("rd") != "" {
+               redirect_url = req.FormValue("rd")
+       }
       t := struct {
               ProviderName  string
               SignInMessage string
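
Review bot: redirect_url = req.FormValue("rd") in SignInPage takes the post-login target straight from the request with no validation, so the value that reaches the sign-in template is fully caller-controlled and the page can act as an open redirect. Accept rd only when it is a relative path beginning with a single "/", or when its host matches the dashboard's own host, and fall back to "/" otherwise.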

Now you can build the image and push it to our GitLab. Next, in manifests/kube-dashboard-oauth2-proxy.yaml, specify the image you want to use (replace it with your own):

 image: docker.io/colemickens/oauth2_proxy:latest

If your registry is closed behind authorization, don't forget to add a secret for pulling images:

      imagePullSecrets:
      - name: gitlab-registry

... and add the secret itself for the registry:

---
apiVersion: v1
data:
 .dockercfg: eyJyZWdpc3RyeS5jb21wYW55LmNvbSI6IHsKICJ1c2VybmFtZSI6ICJvYXV0aDIiLAogInBhc3N3b3JkIjogIlBBU1NXT1JEIiwKICJhdXRoIjogIkFVVEhfVE9LRU4iLAogImVtYWlsIjogIm1haWxAY29tcGFueS5jb20iCn0KfQoK
kind: Secret
metadata:
 annotations:
 name: gitlab-registry
 namespace: kube-system
type: kubernetes.io/dockercfg

The attentive reader will see that the long string above is the base64 encoding of this config:

{"registry.company.com": {
 "username": "oauth2",
 "password": "PASSWORD",
 "auth": "AUTH_TOKEN",
 "email": "mail@company.com"
}
}

These are the credentials of the GitLab user with which Kubernetes will pull the image from the registry.

After everything is done, you can remove the current (not correctly working) Dashboard installation with the command:

$ ./ctl.sh -d

... and install everything again:

$ ./ctl.sh -i --gitlab-url https://gitlab.example.com --oauth2-id 6a52769e… --oauth2-secret 6b79168f… --dashboard-url dashboard.example.com

It's time to go to Dashboard and find the rather archaic login button.

After clicking it, GitLab will greet us, offering to log in on its usual page (of course, if we have not logged in there before).

We log in with GitLab credentials, and everything is done.

About Dashboard features

If you are a developer who has not worked with Kubernetes before, or simply for some reason have not come across Dashboard before, I will illustrate some of its capabilities.

First, you can see that "everything is green".

More detailed information is also available for pods, such as environment variables, the downloaded image, launch arguments, and their state.

Deployments have visible statuses and other details, and there is also the ability to scale a deployment and see the result of that operation.

Among the other useful features mentioned at the beginning of the article are viewing logs and the function for entering the console of the selected container.

For example, you can also look at limits/requests on nodes.

Of course, these are not all the capabilities of the panel, but I hope you get the general idea.

Disadvantages of the integration and of Dashboard

In the described integration there is no access control. With it, all users who have any access to GitLab get access to Dashboard. They all have the same access in Dashboard itself, corresponding to the rights of Dashboard itself, which are defined in RBAC. Obviously, this is not suitable for everyone, but for our case it turned out to be sufficient.
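
One way to see what this means for a given cluster, as an added example that is not from the article or its repository: ask the API server which sensitive actions the Dashboard's service account may perform, since every GitLab-authenticated user inherits them. The `kube-system` namespace is the one the install script uses; the service account name `kubernetes-dashboard` and the list of checked actions are assumptions.

```shell
#!/bin/sh
# Added example: not part of the article or its repository.
# Lists sensitive actions the Dashboard's service account is allowed to perform,
# i.e. what any GitLab-authenticated user can do through the panel.
NS="${NS:-kube-system}"           # namespace ctl.sh installs into (from the article)
SA="${SA:-kubernetes-dashboard}"  # ASSUMED service account name; check your manifests

# can_i VERB RESOURCE [SUBRESOURCE]: succeeds when the service account is allowed.
can_i() {
    if [ -n "${3:-}" ]; then
        set -- "$1" "$2" "--subresource=$3"
    else
        set -- "$1" "$2"
    fi
    # --as impersonates the account; the caller needs impersonation rights.
    [ "$(kubectl auth can-i "$@" --all-namespaces \
        --as="system:serviceaccount:${NS}:${SA}" </dev/null 2>/dev/null)" = "yes" ]
}

# Prints one "ALLOWED: ..." line per permitted sensitive action.
# Returns 0 when none is allowed, 1 otherwise.
audit_dashboard_sa() {
    found=0
    while read -r verb res sub; do
        if can_i "$verb" "$res" "$sub"; then
            echo "ALLOWED: $verb $res${sub:+/$sub}"
            found=1
        fi
    done <<'EOF'
get secrets
list secrets
create pods exec
delete pods
patch deployments
patch statefulsets
* *
EOF
    return "$found"
}

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_dashboard_sa
fi
```

Any line it prints is a permission that should be a deliberate choice in the ClusterRole bound to the Dashboard.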

Among the noticeable disadvantages of Dashboard itself, I note the following:

  • it is impossible to get into the console of an init container;
  • it is impossible to edit Deployments and StatefulSets, although this can be fixed in the ClusterRole;
  • Dashboard's compatibility with the latest versions of Kubernetes and the future of the project raise questions.

The last problem deserves special attention.

Dashboard status and alternatives

The table of Dashboard compatibility with Kubernetes releases, presented in the latest version of the project (v1.10.1), is not very encouraging.

Despite this, there is (already accepted in January) PR #3476, which announces support for K8s 1.13. In addition, among the project's issues you can find references to users working with the panel in K8s 1.14. Finally, commits to the project's code base do not stop. So (at least!) the actual status of the project is not as bad as it might first seem from the official compatibility table.

Finally, there are alternatives to Dashboard. Among them:

  1. K8Dash - a young interface (the first commits date to March of this year), which already offers good features, such as a visual representation of the current state of the cluster and management of its objects. It is positioned as a "real-time interface", because it automatically updates the displayed data without requiring you to refresh the page in the browser.
  2. OpenShift Console - the web interface from Red Hat OpenShift, which, however, will bring other developments of that project into your cluster, which is not suitable for everyone.
  3. Kubernator - an interesting project, created as a lower-level (than Dashboard) interface with the ability to view all cluster objects. However, it looks like its development has stopped.
  4. Polaris - a project announced just the other day that combines the functions of a panel (it shows the current state of the cluster, but does not manage its objects) and automatic "validation of best practices" (it checks the cluster for the correctness of the configurations of the Deployments running in it).

Instead of conclusions

Dashboard is a standard tool for the Kubernetes clusters we serve. Its integration with GitLab has also become part of our default installation, because many developers enjoy the capabilities they get with this panel.

Kubernetes Dashboard periodically gets alternatives from the Open Source community (and we are happy to consider them), but at this stage we are staying with this solution.

source: www.habr.com
