Introducing shell-operator: creating Kubernetes operators just got easier

Our blog has already published articles about what operators can do in Kubernetes and how to write a simple operator yourself. This time we want to present our Open Source solution, which takes the creation of operators to a super-easy level: meet shell-operator!

Why?

The idea of shell-operator is simple: subscribe to events from Kubernetes objects, and when those events are received, run an external program, passing it information about the event.

The need arose when, while operating clusters, small tasks began to appear that we really wanted to automate properly. All these small tasks were solved with simple bash scripts, although, as you know, it is better to write operators in Golang. Obviously, investing in full-scale operator development for each such small task would be inefficient.

An operator in 15 minutes

Let's look at an example of what can be automated in a Kubernetes cluster and how shell-operator can help. The example is the following: replicating a secret used to access a docker registry.

Pods that use images from a private registry must contain in their manifest a reference to a secret with the data for accessing the registry. This secret must be created in each namespace before the pods are created. This can be done by hand, but if we set up dynamic environments, there will be many namespaces for a single application. And if there are not just 2-3 applications... the number of secrets becomes very large. One more thing about secrets: I would like to change the registry access key from time to time. In the end, manual operations as a solution are completely ineffective: we need to automate the creation and updating of secrets.

Simple automation

Let's write a shell script that runs once every N seconds and checks the namespaces for the presence of the secret, and if the secret is missing, creates it. The advantage of this solution is that it looks like a shell script in cron: a classic approach that everyone understands. The disadvantage is that in the interval between its runs a new namespace can be created and for some time it will remain without the secret, which will lead to errors when starting pods.

Automation with shell-operator

For our script to work correctly, the classic cron launch needs to be replaced by a launch when a namespace is added: in this case, the secret can be created before it is used. Let's see how to implement this with shell-operator.

First, let's look at the script. In shell-operator terms, scripts are called hooks. Each hook, when run with the --config flag, informs shell-operator about its bindings, i.e. the events on which it should be launched. In our case we will use onKubernetesEvent:

#!/bin/bash
if [[ $1 == "--config" ]] ; then
cat <<EOF
{
"onKubernetesEvent": [
  { "kind": "namespace",
    "event":["add"]
  }
]}
EOF
fi

This states that we are interested in add events (add) for objects of kind namespace.

Now you need to add the code that will be executed when the event occurs:

#!/bin/bash
if [[ $1 == "--config" ]] ; then
  # configuration
cat <<EOF
{
"onKubernetesEvent": [
{ "kind": "namespace",
  "event":["add"]
}
]}
EOF
else
  # reaction:
  # find out which namespace was created
  createdNamespace=$(jq -r '.[0].resourceName' "$BINDING_CONTEXT_PATH")
  # create the required secret in it
  kubectl create -n "${createdNamespace}" -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  ...
data:
  ...
EOF
fi

Great! The result is a small, neat script. To "bring it to life", two steps remain: prepare an image and run it in the cluster.

Preparing an image with the hook

If you look at the script, you can see that it uses the commands kubectl and jq. This means the image must contain the following: our hook, shell-operator, which watches for events and runs the hook, and the commands used by the hook (kubectl and jq). hub.docker.com already has a ready-made image in which shell-operator, kubectl and jq are packaged. All that remains is to add the hook with a simple Dockerfile:

$ cat Dockerfile
FROM flant/shell-operator:v1.0.0-beta.1-alpine3.9
ADD namespace-hook.sh /hooks

$ docker build -t registry.example.com/my-operator:v1 . 
$ docker push registry.example.com/my-operator:v1

Running in the cluster

Let's look at the hook again and this time write down which actions it performs in the cluster and on which objects:

  1. it subscribes to namespace creation events;
  2. it creates a secret in namespaces other than the one it runs in.

It turns out that the pod in which our image will run must have permissions to perform these actions. This can be done by creating its own ServiceAccount. The permissions must be granted in the form of a ClusterRole and a ClusterRoleBinding, because we are interested in objects from the whole cluster.

The final description in YAML will look like this:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitor-namespaces-acc

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitor-namespaces
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: monitor-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitor-namespaces
subjects:
  - kind: ServiceAccount
    name: monitor-namespaces-acc
    namespace: example-monitor-namespaces

You can run the built image as a simple Deployment:

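apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-operator
spec:
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: my-operator
  template:
    metadata:
      labels:
        app: my-operator
    spec:
      containers:
      - name: my-operator
        image: registry.example.com/my-operator:v1
      serviceAccountName: monitor-namespaces-acc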

For convenience, a separate namespace is created in which shell-operator will run and to which the created manifests will be applied:

$ kubectl create ns example-monitor-namespaces
$ kubectl -n example-monitor-namespaces apply -f rbac.yaml
$ kubectl -n example-monitor-namespaces apply -f deployment.yaml

That's all: shell-operator will start, subscribe to namespace creation events and run the hook when needed.

Thus, a simple shell script has turned into a real Kubernetes operator and works as part of the cluster. And all this without the complex process of developing operators in Golang.

There is another illustration on this topic...

We will show what it means in more detail in one of the following publications.

Filtering

Watching objects is good, but there is often a need to react to changes in certain properties, for example, a change in the number of replicas in a Deployment or a change in object labels.

When an event arrives, shell-operator receives the JSON manifest of the object. We can select the properties that interest us in this JSON and run the hook only when they change. There is a jqFilter field for this, in which you specify a jq expression that will be applied to the JSON manifest.

For example, to react to changes in the labels of Deployment objects, you need to filter the labels field out of the metadata field. The config will look like this:

cat <<EOF
{
"onKubernetesEvent": [
{ "kind": "deployment",
  "event":["update"],
  "jqFilter": ".metadata.labels"
}
]}
EOF

This jqFilter expression turns the Deployment's long JSON manifest into a short JSON containing only the labels.

shell-operator will run the hook only when this short JSON changes, and changes to other properties will be ignored.
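An added example (not part of the original article or of shell-operator) that models this comparison locally, so a filter expression can be tried against two versions of a manifest before it goes into a hook config. The manifests are constructed and the function names are hypothetical; jq must be installed.

```shell
#!/bin/bash
# Added example: a local model of the jqFilter comparison, not shell-operator code.

# Constructed Deployment manifests: V2 changes only replicas, V3 changes a label.
V1='{"metadata":{"name":"web","labels":{"app":"web","tier":"front"}},"spec":{"replicas":2}}'
V2='{"metadata":{"name":"web","labels":{"app":"web","tier":"front"}},"spec":{"replicas":5}}'
V3='{"metadata":{"name":"web","labels":{"app":"web","tier":"edge"}},"spec":{"replicas":5}}'

# Print the short JSON a filter extracts (compact form, sorted keys).
apply_filter() {   # $1 = jq expression, $2 = manifest JSON
  printf '%s' "$2" | jq -cS "$1"
}

# Succeed when the filtered view of two manifests differs,
# i.e. when the update is one the hook should run for.
would_trigger() {  # $1 = jq expression, $2 = old manifest, $3 = new manifest
  [ "$(apply_filter "$1" "$2")" != "$(apply_filter "$1" "$3")" ]
}

report() {
  if would_trigger "$1" "$2" "$3"; then echo "run hook"; else echo "ignore"; fi
}

# Run as "./filter-check.sh demo" to print the three cases.
if [ "${1:-}" = "demo" ]; then
  report '.metadata.labels' "$V1" "$V2"   # only replicas changed
  report '.metadata.labels' "$V2" "$V3"   # a label changed
  report '.spec.replicas'   "$V1" "$V2"   # a different filter sees the change
fi
```

A filter that points at a field missing from both versions yields null twice, so it never reports a change.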

Hook launch context

The hook config allows you to specify several event options: for example, 2 options for events from Kubernetes and 2 schedules:

{"onKubernetesEvent":[
  {"name":"OnCreatePod",
  "kind": "pod",
  "event":["add"]
  },
  {"name":"OnModifiedNamespace",
  "kind": "namespace",
  "event":["update"],
  "jqFilter": ".metadata.labels"
  }
],
"schedule": [
  {"name":"every 10 min",
  "crontab":"* */10 * * * *"
  },
  {"name":"on Mondays at 12:10",
  "crontab": "* 10 12 * * 1"
  }
]}

A small digression: yes, shell-operator supports running scripts crontab-style. More details can be found in the documentation.

To distinguish why the hook was launched, shell-operator creates a temporary file and passes the path to it to the hook in the BINDING_CONTEXT_PATH variable. The file contains a JSON description of the reason for running the hook. For example, every 10 minutes the hook will be run with the following content:

[{ "binding": "every 10 min"}]

... and on Monday it will be started with this:

[{ "binding": "every 10 min"}, { "binding": "on Mondays at 12:10"}]

For onKubernetesEvent there will be more JSON fields, because it contains a description of the object:

[
 {
 "binding": "OnCreatePod",
 "resourceEvent": "add",
 "resourceKind": "pod",
 "resourceName": "foo",
 "resourceNamespace": "bar"
 }
]

The contents of the fields can be understood from their names, and more details can be found in the documentation. An example of getting the resource name from the resourceName field using jq was already shown in the hook that replicates secrets:

jq -r '.[0].resourceName' $BINDING_CONTEXT_PATH

You can get the other fields in the same way.
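The binding context is an array and resourceName ends up on a kubectl command line, so a hook should walk every entry and check the name first. An added example (not code from the original article or the shell-operator project) of the secret-replicating hook written that way; SOURCE_NS, SECRET_NAME and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the article or the shell-operator project.
# SOURCE_NS and SECRET_NAME are assumed names for the master copy of the secret.
export LC_ALL=C   # byte-wise character ranges in the patterns below
SOURCE_NS="${SOURCE_NS:-example-monitor-namespaces}"
SECRET_NAME="${SECRET_NAME:-registry-credentials}"

# Accept only RFC 1123 labels so a malformed value never reaches kubectl.
valid_ns_name() {
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# The master copy lives in SOURCE_NS; never overwrite it.
should_replicate() {
  valid_ns_name "$1" && [ "$1" != "$SOURCE_NS" ]
}

# Print resourceName for every namespace "add" entry, not only element 0.
# The resourceKind value "namespace" is assumed to mirror the config's kind.
added_namespaces() {
  jq -r '.[] | select(.resourceEvent == "add" and .resourceKind == "namespace")
         | .resourceName' "$1"
}

# Copy the secret, dropping fields that belong to the source object.
replicate_secret() {
  kubectl -n "$SOURCE_NS" get secret "$SECRET_NAME" -o json </dev/null \
    | jq 'del(.metadata.namespace, .metadata.uid, .metadata.resourceVersion,
              .metadata.creationTimestamp, .metadata.ownerReferences)' \
    | kubectl -n "$1" apply -f -
}

if [ "${1:-}" = "--config" ]; then
  echo '{"onKubernetesEvent":[{"kind":"namespace","event":["add"]}]}'
elif [ -n "${BINDING_CONTEXT_PATH:-}" ]; then
  added_namespaces "$BINDING_CONTEXT_PATH" | while IFS= read -r ns; do
    if should_replicate "$ns"; then
      replicate_secret "$ns"
    else
      echo "skipping namespace: $ns" >&2
    fi
  done
fi
```

Because it uses kubectl apply instead of kubectl create, a repeated event for the same namespace updates the secret instead of failing; this relies on the get, create and patch verbs on secrets that the ClusterRole above grants.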

What's next?

In the project repository, in the /examples directory, there are examples of hooks that are ready to run on a cluster. When writing your own hooks, you can use them as a basis.

There is support for collecting metrics with Prometheus: the available metrics are described in the METRICS section.

As you might guess, shell-operator is written in Go and distributed under an Open Source license (Apache 2.0). We will be grateful for any help in developing the project on GitHub: stars, issues, and pull requests.

Lifting the veil of secrecy, we will also tell you that shell-operator is a small part of our system that can keep the add-ons installed in a Kubernetes cluster up to date and perform various automated actions. More about this system was told literally on Monday at HighLoad++ 2019 in St. Petersburg; we will soon publish the video and the transcript of that talk.

We plan to open up the rest of this system: addon-operator and our collection of hooks and modules. By the way, addon-operator is already available on GitHub, but its documentation is still in progress. The release of the collection of modules is planned for the summer.

Stay tuned!

Source: www.habr.com
