Deploying applications to multiple Kubernetes clusters with Helm

How Dailymotion uses Kubernetes: application deployment

We at Dailymotion started using Kubernetes in production 3 years ago. But deploying applications across multiple clusters is fun, so over the past few years we have been trying to improve our tools and workflows.

Where it all started

Here we will cover how we deploy our applications across multiple Kubernetes clusters around the world.

To deploy multiple Kubernetes objects at once, we use Helm, and all our charts are stored in a single git repository. To deploy a full application stack made up of several services, we use a so-called summary chart. Essentially, this is a chart that declares dependencies and lets you bootstrap the API and its services with a single command.

We also wrote a small Python script on top of Helm to run checks, build charts, add secrets, and deploy applications. All these tasks run on a central CI platform using a docker image.

Let's get to the point.

Note. By the time you read this, the first release candidate of Helm 3 has already been announced. The major version contains a whole set of improvements that address some of the issues we have run into in the past.

Chart development workflow

We use branching for applications, and we decided to apply the same approach to charts.

  • The dev branch is used to build charts that will be tested on development clusters.
  • When a pull request is submitted to master, they are checked in staging.
  • Finally, we create a pull request to commit the changes to the prod branch and apply them in production.

Each environment has its own private repository that stores our charts, and we use Chartmuseum, which has very useful APIs. This way we ensure strict isolation between environments and real-world testing of charts before they are used in production.

Chart repositories in different environments

It is worth noting that when developers push the dev branch, a version of their chart is automatically pushed to the dev Chartmuseum. So all developers use the same dev repository, and you need to specify your chart version carefully so as not to accidentally use someone else's changes.

In addition, our small Python script validates Kubernetes objects against the Kubernetes OpenAPI specification using Kubeval before publishing them to Chartmuseum.

General overview of the chart development workflow

  1. Set up pipeline tasks according to the gazr.io specification for quality control (lint, unit tests).
  2. Push a docker image with the Python tools that deploy our applications.
  3. Set up the environment according to the branch name.
  4. Validate Kubernetes yaml files using Kubeval.
  5. Automatically increment the version of a chart and of its parent charts (charts that depend on the chart being changed).
  6. Push the chart to the Chartmuseum that matches its environment.

Managing differences between clusters

Cluster Federation

There was a time when we used Kubernetes Federation, where Kubernetes objects could be declared from a single API endpoint. But problems arose. For example, some Kubernetes objects could not be created in the federation endpoint, which made it hard to maintain federated objects and other objects for individual clusters.

To solve the problem, we started managing clusters independently, which greatly simplified the process (we used the first version of federation; something may have changed in the second).

Geo-distributed platform

Our platform is currently distributed across 6 regions: 3 on-premises and 3 in the cloud.


Distributed deployment

Global Helm values

4 global Helm values let you identify the differences between clusters. All our charts have minimal default values.

global:
  cloud: True
  env: staging
  region: us-central1
  clusterName: staging-us-central1

Global values

These values help define the context for our applications and are used for various purposes: monitoring, tracing, logging, making external calls, scaling, and so on.

  • "cloud": We have a hybrid Kubernetes platform. For example, our API is deployed in GCP zones and in our own data centers.
  • "env": Some values may change for non-production environments. For example, resource definitions and autoscaling configuration.
  • "region": This information helps determine the location of the cluster and can be used to determine nearby endpoints for external services.
  • "clusterName": if and when we want to define a value for an individual cluster.

Here is a concrete example:

{{/* Returns Horizontal Pod Autoscaler replicas for GraphQL*/}}
{{- define "graphql.hpaReplicas" -}}
{{- if eq .Values.global.env "prod" }}
{{- if eq .Values.global.region "europe-west1" }}
minReplicas: 40
{{- else }}
minReplicas: 150
{{- end }}
maxReplicas: 1400
{{- else }}
minReplicas: 4
maxReplicas: 20
{{- end }}
{{- end -}}

Helm template example

This logic is defined in a helper template to avoid cluttering the Kubernetes YAML.

Application declaration

Our deployment tools are based on several YAML files. Below is an example of how we declare a service and its scaling topology (number of replicas) in a cluster.

releases:
  - foo.world

foo.world:                # Release name
  services:               # List of dailymotion's apps/projects
    foobar:
      chart_name: foo-foobar
      repo: [email protected]:dailymotion/foobar
      contexts:
        prod-europe-west1:
          deployments:
            - name: foo-bar-baz
              replicas: 18
            - name: another-deployment
              replicas: 3

Service definition

This is an outline of all the steps that define our deployment workflow. The last step deploys the application to multiple worker clusters simultaneously.

Jenkins deployment steps

What about secrets?

Regarding security, we track all secrets from different places and store them in a dedicated Vault in Paris.

Our deployment tools extract the secret values from Vault and, when deployment time comes, inject them into Helm.

To do this, we defined a mapping between the secrets in Vault and the secrets our applications need:

secrets:
  - secret_id: "stack1-app1-password"
    contexts:
      - name: "default"
        vaultPath: "/kv/dev/stack1/app1/test"
        vaultKey: "password"
      - name: "cluster1"
        vaultPath: "/kv/dev/stack1/app1/test"
        vaultKey: "password"

  • We defined general rules to follow when recording secrets in Vault.
  • If a secret applies to a specific context or cluster, you need to add a specific entry. (Here the context cluster1 has its own value for the secret stack1-app1-password.)
  • Otherwise, the default value is used.
  • For each item in this list, a key-value pair is inserted into the Kubernetes secret. As a result, the secret template in our charts is very simple.

apiVersion: v1
data:
{{- range $key,$value := .Values.secrets }}
  {{ $key }}: {{ $value | b64enc | quote }}
{{ end }}
kind: Secret
metadata:
  name: "{{ .Chart.Name }}"
  labels:
    chartVersion: "{{ .Chart.Version }}"
    tillerVersion: "{{ .Capabilities.TillerVersion.SemVer }}"
type: Opaque
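
The mapping rules above (context-specific entry first, otherwise "default") can be sketched as follows. This is an added example, not Dailymotion's deployment tool: the function names, the in-memory stand-in for Vault and the distinct cluster1 path are constructed for illustration. The returned dict is what would be passed to Helm as `.Values.secrets`, and error messages never include a secret value.

```python
class SecretResolutionError(Exception):
    """Raised without ever including a secret value in the message."""


def select_context(entry, context):
    """Return the mapping entry for `context`, else the "default" one."""
    by_name = {c["name"]: c for c in entry["contexts"]}
    chosen = by_name.get(context) or by_name.get("default")
    if chosen is None:
        raise SecretResolutionError(
            f"{entry['secret_id']}: no entry for {context!r} and no default")
    return chosen


def resolve_secrets(mapping, context, read_vault):
    """Return {secret_id: value} for one cluster context."""
    values = {}
    for entry in mapping:
        secret_id = entry["secret_id"]
        if secret_id in values:
            raise SecretResolutionError(f"{secret_id}: declared twice")
        chosen = select_context(entry, context)
        data = read_vault(chosen["vaultPath"])  # one Vault read per entry
        if chosen["vaultKey"] not in data:
            raise SecretResolutionError(
                f"{secret_id}: key {chosen['vaultKey']!r} missing at {chosen['vaultPath']}")
        values[secret_id] = data[chosen["vaultKey"]]
    return values


# Constructed sample data: the page's mapping, with a distinct cluster1 path so
# the override is visible, and an in-memory dict standing in for Vault.
MAPPING = [{
    "secret_id": "stack1-app1-password",
    "contexts": [
        {"name": "default", "vaultPath": "/kv/dev/stack1/app1/test", "vaultKey": "password"},
        {"name": "cluster1", "vaultPath": "/kv/dev/stack1/app1/cluster1", "vaultKey": "password"},
    ],
}]
FAKE_VAULT = {
    "/kv/dev/stack1/app1/test": {"password": "default-value"},
    "/kv/dev/stack1/app1/cluster1": {"password": "cluster1-value"},
}


def read_fake_vault(path):
    return FAKE_VAULT.get(path, {})
```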

Problems and limitations

Working with multiple repositories

We have now separated the development of charts and applications. This means developers have to work in two git repositories: one for the application and one for defining its deployment to Kubernetes. 2 git repositories mean 2 workflows, and it is easy for a newcomer to get confused.

Managing summary charts is a hassle

As we already said, summary charts are very useful for identifying dependencies and quickly deploying several applications. But we use --reuse-values to avoid passing all the values every time we deploy an application that is part of this summary chart.

In the continuous delivery workflow, we have only two values that change regularly: the number of replicas and the image tag (version). Other, more stable values are changed manually, and this is quite difficult. Moreover, a single mistake in deploying a summary chart can lead to serious failures, as we have seen from our own experience.

Updating multiple configuration files

When a developer adds a new application, they have to change several files: the application declaration, the list of secrets, and the application's entry as a dependency if it is included in a summary chart.

Jenkins permissions are too broad in Vault

We currently have one AppRole that reads all secrets from Vault.
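
One way to narrow a single read-everything AppRole is to derive a read-only Vault policy per release from the secrets mapping, so a deployment job can read only the paths its application declares. This is an added example, not part of Dailymotion's tooling: the function names and the two sample releases are constructed, and the rendered paths assume a KV version 1 mount.

```python
def release_paths(mapping):
    """Every Vault path one release's secrets mapping refers to, normalised."""
    paths = set()
    for entry in mapping:
        for ctx in entry["contexts"]:
            path = ctx["vaultPath"].strip("/")  # policy paths carry no leading slash
            # Refuse empty or wildcard paths: they would widen the policy again.
            if not path or "*" in path or "+" in path:
                raise ValueError(
                    f"{entry['secret_id']}: refusing path {ctx['vaultPath']!r}")
            paths.add(path)
    return sorted(paths)


def render_policy(paths):
    """Render a read-only Vault policy (HCL) for exactly these paths."""
    # Assumption: KV version 1 mount, where the API path equals the secret path.
    # On a KV version 2 mount the policy path needs "data/" after the mount name.
    blocks = [f'path "{p}" {{\n  capabilities = ["read"]\n}}' for p in paths]
    return "\n\n".join(blocks) + "\n"


def policies(releases):
    """Map each release name to its own least-privilege policy text."""
    return {name: render_policy(release_paths(m)) for name, m in releases.items()}


# Constructed sample: two releases written in the page's mapping format.
RELEASES = {
    "app1": [{
        "secret_id": "stack1-app1-password",
        "contexts": [
            {"name": "default", "vaultPath": "/kv/dev/stack1/app1/test", "vaultKey": "password"},
            {"name": "cluster1", "vaultPath": "/kv/dev/stack1/app1/test", "vaultKey": "password"},
        ],
    }],
    "app2": [{
        "secret_id": "stack1-app2-token",
        "contexts": [
            {"name": "default", "vaultPath": "/kv/dev/stack1/app2/test", "vaultKey": "token"},
        ],
    }],
}
```

Each rendered policy would then be attached to its own AppRole or token role, one per release, instead of a shared role.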

The rollback process is not automated

To roll back, you need to run a command on several clusters, and this is error-prone. We perform this operation manually to make sure the correct version IDs are specified.

We are moving towards GitOps

Our goal

We want to move the chart back into the repository of the application it deploys.

The workflow will be the same as for development. For example, when a branch is pushed to master, the deployment will be triggered automatically. The main difference between this approach and the current workflow is that everything will be managed in git (the application itself and the way it is deployed to Kubernetes).

There are several advantages:

  • Much clearer for the developer. It is easier to learn how to apply changes in a local chart.
  • The service deployment definition can be specified in the same place as the service code.
  • Managing the removal of summary charts. The service will have its own Helm release. This lets you manage the application lifecycle (rollback, upgrade) at the finest level, so as not to affect other services.
  • The benefits of git for chart management: reverting changes, audit log, and so on. If you need to undo a change to a chart, you can do it using git. The deployment starts automatically.
  • You can consider improving your development workflow with tools like Skaffold, with which developers can test changes in a context close to production.

Two-step migration

Our developers have been using this workflow for 2 years now, so we want the migration to be as painless as possible. Therefore, we decided to add an intermediate step on the way to the goal.
The first step is simple:

  • We keep a similar structure for configuring application deployment, but in a single object called DailymotionRelease.

apiVersion: "v1"
kind: "DailymotionRelease"
metadata:
  name: "app1.ns1"
  environment: "dev"
  branch: "mybranch"
spec:
  slack_channel: "#admin"
  chart_name: "app1"
  scaling:
    - context: "dev-us-central1-0"
      replicas:
        - name: "hermes"
          count: 2
    - context: "dev-europe-west1-0"
      replicas:
        - name: "app1-deploy"
          count: 2
  secrets:
    - secret_id: "app1"
      contexts:
        - name: "default"
          vaultPath: "/kv/dev/ns1/app1/test"
          vaultKey: "password"
        - name: "dev-europe-west1-0"
          vaultPath: "/kv/dev/ns1/app1/test"
          vaultKey: "password"

  • 1 release per application (without summary charts).
  • Charts in the application's git repository.

We have talked to all the developers, so the migration process has already started. The first step is still controlled using the CI platform. I will write another post soon about the second step: how we moved to a GitOps workflow with Flux. I will tell you how we set everything up and what difficulties we ran into (multiple repositories, secrets, and so on). Follow the news.

Here we tried to describe our progress in the application deployment workflow over the past years, which led to thoughts about the GitOps approach. We have not reached the goal yet and will report on the results, but we are now convinced that we did the right thing when we decided to simplify everything and bring it closer to developers' habits.

source: www.habr.com
