Introducing shell-operator: creating operators for Kubernetes just got easier

Our blog has already published articles about what operators can do in Kubernetes and how to write a simple operator yourself. This time we would like to present our Open Source solution, which makes creating operators super easy: meet shell-operator!

Why?

The idea behind shell-operator is simple: subscribe to events from Kubernetes objects and, when such an event arrives, launch an external program and pass it information about the event.

The need arose when, while operating clusters, small tasks began to appear that we really wanted to automate the right way. All of these small tasks were solved with simple bash scripts, although, as you know, it is better to write operators in Golang. Obviously, investing in full-scale operator development for every such small task would not be effective.

Operator in 15 minutes

Let's look at an example of what can be automated in a Kubernetes cluster and how shell-operator can help. The example is this: replicating a secret used to access a docker registry.

Pods that use images from a private registry must reference, in their manifest, a secret holding the data for access to the registry. This secret must be created in every namespace before the pods are created. This can be done by hand, but if we set up dynamic environments, a single application will have many namespaces. And if there are more than 2-3 applications... the number of secrets becomes very large. One more thing about secrets: I would like to change the registry access key from time to time. In the end, manual operations are completely ineffective as a solution: we need to automate the creation and updating of secrets.

Simple automation

Let's write a shell script that runs once every N seconds and checks the namespaces for the secret, and if the secret is missing, creates it. The advantage of this solution is that it looks like a shell script in cron: a classic approach that everyone understands. The downside is that a new namespace can be created in the interval between runs and will stay without the secret for some time, which leads to errors when pods are started.

Automation with shell-operator

For our script to work correctly, the classic cron launch has to be replaced with a launch triggered when a namespace is added: in that case the secret can be created before it is used. Let's see how to implement this with shell-operator.

First, let's look at the script. In shell-operator terms, scripts are called hooks. When run with the --config flag, each hook tells shell-operator about its bindings, i.e. the events on which it should be launched. In our case we will use onKubernetesEvent:

#!/bin/bash
if [[ $1 == "--config" ]] ; then
cat <<EOF
{
"onKubernetesEvent": [
  { "kind": "namespace",
    "event":["add"]
  }
]}
EOF
fi

This declares that we are interested in add events (add) for objects of kind namespace.

Now you need to add the code that will be executed when the event occurs:

#!/bin/bash
if [[ $1 == "--config" ]] ; then
  # configuration
cat <<EOF
{
"onKubernetesEvent": [
{ "kind": "namespace",
  "event":["add"]
}
]}
EOF
else
  # reaction:
  # find out which namespace has appeared
  createdNamespace=$(jq -r '.[0].resourceName' "$BINDING_CONTEXT_PATH")
  # create the required secret in it
  kubectl create -n "${createdNamespace}" -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  ...
data:
  ...
EOF
fi

Great! The result is a small, neat script. To "bring it to life", two steps remain: prepare the image and launch it in the cluster.

Preparing the image with the hook

If you look at the script, you can see that it uses the kubectl and jq commands. This means the image must contain the following: our hook, shell-operator, which watches for events and runs the hook, and the commands the hook uses (kubectl and jq). Hub.docker.com already has a ready-made image that bundles shell-operator, kubectl and jq. All that remains is to add the hook with a simple Dockerfile:

$ cat Dockerfile
FROM flant/shell-operator:v1.0.0-beta.1-alpine3.9
ADD namespace-hook.sh /hooks

$ docker build -t registry.example.com/my-operator:v1 . 
$ docker push registry.example.com/my-operator:v1

Running in the cluster

Let's look at the hook again and this time write down which actions it performs in the cluster and on which objects:

  1. it subscribes to namespace creation events;
  2. it creates a secret in namespaces other than the one it is launched in.

It turns out that the pod running our image must have permission to perform these actions. This can be done by creating your own ServiceAccount. The permissions must be granted through a ClusterRole and a ClusterRoleBinding, because we are interested in objects from the whole cluster.

The final description in YAML will look like this:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitor-namespaces-acc

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: monitor-namespaces
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: monitor-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitor-namespaces
subjects:
  - kind: ServiceAccount
    name: monitor-namespaces-acc
    namespace: example-monitor-namespaces
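
The ClusterRole above grants get and list on Secrets in every namespace, while the hook shown earlier only runs kubectl create. The following check is an added example, not part of the original post: it lists the verbs a role grants on secrets beyond a needed set. The embedded JSON is the role above in the shape `kubectl get clusterrole -o json` returns, and the needed set (create, patch) is an assumption.

```bash
#!/bin/bash
# Added check (not from the original post); needs jq.
# Constructed sample: the ClusterRole above, as JSON, so no cluster is required.
CLUSTER_ROLE='{
  "kind": "ClusterRole",
  "metadata": {"name": "monitor-namespaces"},
  "rules": [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "create", "patch"]}
  ]
}'

# Assumption: the hook creates the Secret and later patches it, nothing else.
NEEDED='["create", "patch"]'

# jq expression: sorted, de-duplicated verbs of every rule that covers
# core-group secrets, either by name or through a "*" wildcard.
SECRET_VERBS='[ .rules[]
  | select((.apiGroups // []) | any(. == "" or . == "*"))
  | select((.resources // []) | any(. == "secrets" or . == "*"))
  | .verbs[] ] | unique'

granted_secret_verbs() {  # $1 = role JSON
  printf '%s' "$1" | jq -r "$SECRET_VERBS | join(\" \")"
}

excess_secret_verbs() {   # $1 = role JSON, $2 = JSON array of needed verbs
  printf '%s' "$1" | jq -r --argjson needed "$2" \
    "($SECRET_VERBS) - \$needed | join(\" \")"
}

check_role() {            # exit status 1 when the role grants more than needed
  excess=$(excess_secret_verbs "$1" "$2")
  [ -z "$excess" ] && return 0
  echo "secrets: granted '$(granted_secret_verbs "$1")', not needed: '$excess'"
  return 1
}

check_role "$CLUSTER_ROLE" "$NEEDED" || echo "tighten the rule before applying it"
```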

You can launch the built image as a simple Deployment:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-operator
spec:
  template:
    spec:
      containers:
      - name: my-operator
        image: registry.example.com/my-operator:v1
      serviceAccountName: monitor-namespaces-acc

For convenience, a separate namespace is created in which shell-operator will be launched and the manifests above will be applied:

$ kubectl create ns example-monitor-namespaces
$ kubectl -n example-monitor-namespaces apply -f rbac.yaml
$ kubectl -n example-monitor-namespaces apply -f deployment.yaml

That's all: shell-operator will start, subscribe to namespace creation events and run the hook when needed.

In this way, a simple shell script has turned into a real operator for Kubernetes and works as part of the cluster. And all this without the complex process of developing operators in Golang.

There is another illustration on this subject...

We will explain its meaning in detail in one of the following publications.

Filtering

Watching objects is good, but often you need to react to a change in some properties of an object, for example a change in the number of replicas in a Deployment or a change in the object's labels.

When an event arrives, shell-operator receives the JSON manifest of the object. We can select the properties that interest us in this JSON and run the hook only when they change. There is a field for this, jqFilter, where you specify a jq expression that will be applied to the JSON manifest.

For example, to react to changes in the labels of Deployment objects, you need to filter the labels field out of the metadata field. The configuration will look like this:

cat <<EOF
{
"onKubernetesEvent": [
{ "kind": "deployment",
  "event":["update"],
  "jqFilter": ".metadata.labels"
}
]}
EOF

This jqFilter expression turns the long JSON manifest of the Deployment into a short JSON with the labels.

Shell-operator will run the hook only when this short JSON changes, and changes to other properties will be ignored.
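
The effect of the filter can be reproduced with jq alone. This is an added illustration, not part of the original post and not shell-operator's own code: it applies the same jqFilter to constructed Deployment manifests and reports which updates change the filtered view.

```bash
#!/bin/bash
# Added illustration (not shell-operator's own code); needs jq.
# It models the rule "run the hook only when the filtered JSON changes".

FILTER='.metadata.labels'

# Constructed Deployment manifests, trimmed to the fields that matter here.
V1='{"metadata":{"name":"web","labels":{"app":"web","tier":"front"}},"spec":{"replicas":2}}'
V2='{"metadata":{"name":"web","labels":{"app":"web","tier":"front"}},"spec":{"replicas":5}}'
V3='{"metadata":{"name":"web","labels":{"app":"web","tier":"back"}},"spec":{"replicas":5}}'
V4='{"metadata":{"name":"web"},"spec":{"replicas":5}}'

# Print the filtered view of a manifest in compact form with sorted keys,
# so that two equal views are also equal as strings.
apply_filter() {     # $1 = jq filter, $2 = manifest JSON
  printf '%s' "$2" | jq -cS "$1"
}

# Succeed when the filtered view differs between the old and new manifest.
hook_should_run() {  # $1 = jq filter, $2 = old manifest, $3 = new manifest
  [ "$(apply_filter "$1" "$2")" != "$(apply_filter "$1" "$3")" ]
}

report() {           # $1 = label, $2 = old manifest, $3 = new manifest
  if hook_should_run "$FILTER" "$2" "$3"; then
    echo "$1: hook runs"
  else
    echo "$1: update ignored"
  fi
}

echo "filtered view of V1: $(apply_filter "$FILTER" "$V1")"
report "replicas 2 -> 5" "$V1" "$V2"        # outside the filter
report "tier front -> back" "$V2" "$V3"     # inside the filter
report "all labels removed" "$V3" "$V4"     # the view becomes null
```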

Hook launch context

The hook configuration lets you specify several options for events: for example, 2 options for events from Kubernetes and 2 schedules:

{"onKubernetesEvent":[
  {"name":"OnCreatePod",
  "kind": "pod",
  "event":["add"]
  },
  {"name":"OnModifiedNamespace",
  "kind": "namespace",
  "event":["update"],
  "jqFilter": ".metadata.labels"
  }
],
"schedule": [
  { "name":"every 10 min",
    "crontab":"* */10 * * * *"
  },
  { "name":"on Mondays at 12:10",
    "crontab": "* 10 12 * * 1"
  }
]}

A small digression: yes, shell-operator supports running scripts crontab-style. More details can be found in the documentation.

To distinguish why the hook was launched, shell-operator creates a temporary file and passes the path to it to the hook in the BINDING_CONTEXT_PATH variable. The file contains a JSON description of the reason the hook is being run. For example, every 10 minutes the hook will run with the following content:

[{ "binding": "every 10 min"}]

... and on Monday it will be started with this:

[{ "binding": "every 10 min"}, { "binding": "on Mondays at 12:10"}]

For onKubernetesEvent the JSON carries more data, because it contains a description of the object:

[
 {
 "binding": "onCreatePod",
 "resourceEvent": "add",
 "resourceKind": "pod",
 "resourceName": "foo",
 "resourceNamespace": "bar"
 }
]

The contents of the fields can be understood from their names, and more details can be read in the documentation. An example of getting the resource name from the resourceName field with jq has already been shown in the hook that replicates secrets:

jq -r '.[0].resourceName' "$BINDING_CONTEXT_PATH"

You can get the other fields in a similar way.
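
The Monday case above shows that one hook run can receive several entries, while the secret-replicating hook reads only .[0]. The following is an added example, not part of the original post, of a hook that walks every entry and dispatches on the binding name. The binding names, the two helper functions and the sample context are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post); needs jq. The binding names and
# the two helper functions are this example's own.

config() {
  cat <<'EOF'
{"onKubernetesEvent": [{"name": "OnCreateNamespace", "kind": "namespace", "event": ["add"]}],
 "schedule": [{"name": "every 10 min", "crontab": "* */10 * * * *"}]}
EOF
}

# Read a binding context on stdin and print one action per entry:
#   ensure <namespace> | resync | skip <binding>
plan_actions() {
  jq -r '.[] |
    if .binding == "OnCreateNamespace" and .resourceEvent == "add"
      then "ensure \(.resourceName)"
    elif .binding == "every 10 min" then "resync"
    else "skip \(.binding)" end'
}

# Hypothetical helpers: a real hook would call kubectl here, as the
# secret-replicating hook above does for a single namespace.
ensure_secret() { echo "create registry secret in namespace $1"; }
resync_all()    { echo "re-check the secret in every namespace"; }

run_actions() {
  plan_actions | while read -r action arg; do
    case "$action" in
      ensure) ensure_secret "$arg" ;;
      resync) resync_all ;;
      *)      echo "no handler for binding: $arg" >&2 ;;
    esac
  done
}

# Constructed sample context: a schedule tick and a namespace event together.
SAMPLE='[{"binding": "every 10 min"},
 {"binding": "OnCreateNamespace", "resourceEvent": "add", "resourceKind": "namespace", "resourceName": "team-a"}]'

if [ "${1:-}" = "--config" ]; then
  config
elif [ -n "${BINDING_CONTEXT_PATH:-}" ]; then
  run_actions < "$BINDING_CONTEXT_PATH"
else
  printf '%s' "$SAMPLE" | run_actions   # demo run without shell-operator
fi
```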

What's next?

In the project repository, in the /examples directory, there are example hooks that are ready to run in a cluster. When writing your own hooks, you can use them as a basis.

There is support for collecting metrics with Prometheus: the available metrics are described in the METRICS section.

As you might guess, shell-operator is written in Go and distributed under an Open Source license (Apache 2.0). We will be grateful for any help in developing the project on GitHub: stars, issues and pull requests.

Lifting the veil of secrecy, we will also tell you that shell-operator is a small part of our system that can keep the add-ons installed in a Kubernetes cluster up to date and perform various automated actions. We talked about this system in more detail literally on Monday at HighLoad++ 2019 in St. Petersburg; we will soon publish the video and transcript of that talk.

We plan to open up the rest of this system: addon-operator and a collection of hooks and modules. By the way, addon-operator is already available on GitHub, but its documentation is still on the way. The release of the collection of modules is planned for summer.

Stay tuned!


source: www.habr.com
