Sethula i-shell-opharetha: ukudala ama-opharetha e-Kubernetes sekulula

Sezivele zikhona izindatshana kubhulogi yethu ezikhuluma ngazo amakhono opharetha ku-Kubernetes futhi kanjani bhala u-opharetha olula ngokwakho. Kulokhu sithanda ukwethula kuwena isisombululo sethu se-Open Source, esithatha ukwakhiwa kwama-opharetha kufinyelele ezingeni elilula kakhulu - hlola igobolondo-opharetha!

Kungani?

Umqondo we-shell-opharetha ulula kakhulu: bhalisela imicimbi evela ezintweni ze-Kubernetes, futhi lapho lezi zenzakalo zamukelwa, qalisa uhlelo lwangaphandle, ulunikeze ulwazi mayelana nomcimbi:

Isidingo saso savela lapho, ngesikhathi sokusebenza kwamaqoqo, imisebenzi emincane iqala ukubonakala esasifuna ngempela ukuzenzela ngendlela efanele. Yonke le misebenzi emincane yaxazululwa kusetshenziswa imibhalo ye-bash elula, nakuba, njengoba wazi, kungcono ukubhala opharetha ngesi-Golang. Ngokusobala, ukutshala imali ekuthuthukisweni kwesikali esigcwele somsebenzisi kulowo nalowo msebenzi omncane bekungeke kusebenze.

Umsebenzisi emizuzwini eyi-15

Ake sibheke isibonelo salokho okungenziwa ngokuzenzakalela kuqoqo le-Kubernetes nokuthi i-shell-opharetha ingasiza kanjani. Isibonelo kungaba okulandelayo: ukuphindaphinda imfihlo ukuze ufinyelele ukubhaliswa kwe-docker.

Amaphodi asebenzisa izithombe ezisuka ekubhaliseni okuyimfihlo kufanele aqukathe ku-manifest yawo isixhumanisi esiya kumfihlo enedatha yokufinyelela ekubhaliseni. Le mfihlo kufanele idalwe endaweni ngayinye yamagama ngaphambi kokudala ama-pods. Lokhu kungenziwa mathupha, kodwa uma simisa izindawo eziguquguqukayo, indawo yamagama yohlelo lokusebenza olulodwa izoba ningi. Futhi uma futhi kungekho izicelo ezingu-2-3 ... inani lezimfihlo liba likhulu kakhulu. Futhi enye into mayelana nezimfihlo: Ngingathanda ukushintsha ukhiye ukuze ngifinyelele ebhukwini ngezikhathi ezithile. Ekugcineni, imisebenzi yezandla njengesixazululo kungasebenzi ngokuphelele - sidinga ukwenza ngokuzenzakalelayo ukudalwa nokuvuselelwa kwezimfihlo.

I-automation elula

Masibhale umbhalo wegobolondo osebenza kanye njalo ngemizuzwana engu-N futhi uhlola izikhala zamagama ukuze uthole ukuba khona kwemfihlo, futhi uma ingekho imfihlo, iyadaleka. Inzuzo yalesi sixazululo ukuthi ibukeka njengeskripthi segobolondo ku-cron - indlela yakudala futhi eqondakalayo kuwo wonke umuntu. Okubi ukuthi esikhathini esiphakathi kokwethulwa kwayo indawo entsha yegama ingadalwa futhi isikhathi esithile izohlala ingenayo imfihlo, okuzoholela emaphutha ekuqaliseni ama-pods.

I-automation ene-shell-opharetha

Ukuze iskripthi sethu sisebenze kahle, ukwethulwa kwe-cron yakudala kudinga ukushintshwa ngokuqaliswa lapho indawo yegama yengezwa: kulokhu, ungakha imfihlo ngaphambi kokuyisebenzisa. Ake sibone ukuthi singakusebenzisa kanjani lokhu usebenzisa i-shell-opharetha.

Okokuqala, ake sibheke umbhalo. Imibhalo ngamagama e-shell-opharetha abizwa ngokuthi amahhuku. Ihhuku ngalinye uma ligijima nefulegi --config yazisa i-shell-opharetha mayelana nezibopho zayo, i.e. ukuthi yimiphi imicimbi okufanele yethulwe. Esimweni sethu sizosebenzisa onKubernetesEvent:

#!/bin/bash
if [[ $1 == "--config" ]] ; then
cat <<EOF
{
"onKubernetesEvent": [
  { "kind": "namespace",
    "event":["add"]
  }
]}
EOF
fi

Kuchazwe lapha ukuthi sinentshisekelo yokwengeza imicimbi (add) izinto zohlobo namespace.

Manje udinga ukwengeza ikhodi ezosetshenziswa uma kwenzeka umcimbi:

#!/bin/bash
if [[ $1 == "--config" ]] ; then
  # конфигурация
cat <<EOF
{
"onKubernetesEvent": [
{ "kind": "namespace",
  "event":["add"]
}
]}
EOF
else
  # реакция:
  # узнать, какой namespace появился
  createdNamespace=$(jq -r '.[0].resourceName' $BINDING_CONTEXT_PATH)
  # создать в нём нужный секрет
  kubectl create -n ${createdNamespace} -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  ...
data:
  ...
EOF
fi

Kuhle! Umphumela waba umbhalo omncane, omuhle. Ukuze "usivuselele", kusele izinyathelo ezimbili: lungisa isithombe bese usivula kuqoqo.

Ukulungiselela isithombe ngehhuku

Uma ubheka umbhalo, ungabona ukuthi imiyalo isetshenzisiwe kubectl и jq. Lokhu kusho ukuthi isithombe kumele sibe nalezi zinto ezilandelayo: ihuku lethu, i-shell-operator ezoqapha imicimbi futhi iqhube ihuku, kanye nemiyalo esetshenziswa ihuku (kubectl kanye ne-jq). I-Hub.docker.com isivele inesithombe esenziwe ngomumo lapho i-shell-opharetha, i-kubectl ne-jq zihlanganiswa khona. Okusele nje ukwengeza i-hook elula Dockerfile:

$ cat Dockerfile
FROM flant/shell-operator:v1.0.0-beta.1-alpine3.9
ADD namespace-hook.sh /hooks

$ docker build -t registry.example.com/my-operator:v1 . 
$ docker push registry.example.com/my-operator:v1

Ukugijima ngeqoqo

Ake sibheke ihuku futhi kulokhu sibhale ukuthi yiziphi izenzo kanye nezinto ezenzayo kuqoqo:

1. ubhalisela imicimbi yokudala indawo yamagama;
2. kudala imfihlo ezindaweni zamagama ngaphandle kwaleyo eyethulwe kuyo.

Kuvele ukuthi i-pod lapho isithombe sethu sizokwethulwa khona kufanele ibe nezimvume zokwenza lezi zenzo. Lokhu kungenziwa ngokwakha eyakho i-ServiceAccount. Imvume kufanele yenziwe ngohlobo lwe-ClusterRole ne-ClusterRoleBinding, ngoba sinentshisekelo ezintweni ezivela kulo lonke iqoqo.

Incazelo yokugcina ku-YAML izobukeka kanje:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitor-namespaces-acc

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: monitor-namespaces
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: monitor-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitor-namespaces
subjects:
  - kind: ServiceAccount
    name: monitor-namespaces-acc
    namespace: example-monitor-namespaces

Ungaqalisa isithombe esihlanganisiwe njengokuthunyelwa okulula:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-operator
spec:
  template:
    spec:
      containers:
      - name: my-operator
        image: registry.example.com/my-operator:v1
      serviceAccountName: monitor-namespaces-acc

Ukuze kube lula, kwakhiwa indawo yamagama ehlukile lapho i-shell-opharetha izokwethulwa khona futhi kuzosetshenziswa ama-manifest adaliwe:

$ kubectl create ns example-monitor-namespaces
$ kubectl -n example-monitor-namespaces apply -f rbac.yaml
$ kubectl -n example-monitor-namespaces apply -f deployment.yaml

Yilokho kuphela: i-shell-opharetha izoqala, ibhalisele imicimbi yokudala indawo yamagama futhi isebenzise ihuku lapho kudingeka.

Ngakho, umbhalo wegobolondo olula uphenduke waba ngu-opharetha wangempela we-Kubernetes futhi isebenza njengengxenye yeqoqo. Futhi konke lokhu ngaphandle kwenqubo eyinkimbinkimbi yokuthuthukisa opharetha e-Golang:

Kukhona omunye umfanekiso ngalolu daba...

Sizokwembula incazelo yalo ngokuningiliziwe kokunye kwalezi zincwadi ezilandelayo.

Ukuhlunga

Ukulandelela izinto kuhle, kodwa ngokuvamile kunesidingo sokusabela ukushintsha ezinye izakhiwo zento, isibonelo, ukushintsha inombolo yezifaniso kokuthi Ukuthunyelwa noma ukushintsha amalebula ezinto.

Uma umcimbi ufika, i-shell-opharetha ithola i-JSON manifest yento. Singakhetha izakhiwo ezisithakaselayo kule JSON futhi sisebenzise ihuku kuphela lapho beshintsha. Kukhona insimu yalokhu jqFilter, lapho udinga ukucacisa khona inkulumo ethi jq ezosetshenziswa ku-manifest ye-JSON.

Isibonelo, ukuze uphendule kuzinguquko zamalebula wezinto Zokuthunyelwa, udinga ukuhlunga inkambu labels ngaphandle kwenkundla metadata. I-config izoba kanje:

cat <<EOF
{
"onKubernetesEvent": [
{ "kind": "deployment",
  "event":["update"],
  "jqFilter": ".metadata.labels"
}
]}
EOF

Lesi sisho se-jqFilter sishintsha i-JSON manifest ende ye-Deployment ibe i-JSON emfushane enamalebula:

i-shell-opharetha izosebenzisa ihhuku kuphela uma le JSON emfushane ishintsha, futhi izinguquko kwezinye izakhiwo zizozitshwa.

Ihuku lokuqalisa umongo

I-hook config ikuvumela ukuthi ucacise izinketho ezimbalwa zemicimbi - ngokwesibonelo, izinketho ezi-2 zemicimbi evela ku-Kubernetes kanye nezinhlelo ezi-2:

{"onKubernetesEvent":[
  {"name":"OnCreatePod",
  "kind": "pod",
  "event":["add"]
  },
  {"name":"OnModifiedNamespace",
  "kind": "namespace",
  "event":["update"],
  "jqFilter": ".metadata.labels"
  }
],
"schedule": [
{ "name":"every 10 min",
  "crontab":"* */10 * * * *"
}, {"name":"on Mondays at 12:10",
"crontab": "* 10 12 * * 1"
]}

Ukwehla okuncane: yebo, i-shell-opharetha isekela ukusebenzisa imibhalo yesitayela se-crontab. Imininingwane eyengeziwe ingatholakala ku imibhalo.

Ukuze uhlukanise ukuthi kungani ihuku yaqaliswa, i-shell-opharetha idala ifayela lesikhashana futhi idlulise indlela eya kulo ngokuguquguqukayo ukuya kuhhuku. BINDING_CONTEXT_TYPE. Ifayela liqukethe incazelo ye-JSON yesizathu sokuqalisa ihuku. Isibonelo, njalo ngemizuzu eyi-10 ihuku izosebenza nokuqukethwe okulandelayo:

[{ "binding": "every 10 min"}]

... futhi ngoMsombuluko izoqala ngalokhu:

[{ "binding": "every 10 min"}, { "binding": "on Mondays at 12:10"}]

Ukuze onKubernetesEvent Kuzoba khona izingcupho eziningi ze-JSON, ngoba iqukethe incazelo yento:

[
 {
 "binding": "onCreatePod",
 "resourceEvent": "add",
 "resourceKind": "pod",
 "resourceName": "foo",
 "resourceNamespace": "bar"
 }
]

Okuqukethwe kwezinkambu kungaqondwa emagameni abo, futhi imininingwane eyengeziwe ingafundwa kuyo imibhalo. Isibonelo sokuthola igama lensiza endaweni resourceName ukusebenzisa i-jq sekuvele kukhonjisiwe kuhhuku ephindaphinda izimfihlo:

jq -r '.[0].resourceName' $BINDING_CONTEXT_PATH

Ungathola ezinye izinkambu ngendlela efanayo.

Yini okulandelayo?

Endaweni yokugcina iphrojekthi, ku /izibonelo zezinkomba, kunezibonelo zezingwegwe ezilungele ukugijima kuqoqo. Lapho ubhala izingwegwe zakho, ungazisebenzisa njengesisekelo.

Kunosekelo lokuqoqa amamethrikhi kusetshenziswa i-Prometheus - amamethrikhi atholakalayo achazwe esigabeni IMITHI.

Njengoba ungase uqagele, i-shell-opharetha ibhalwe kokuthi Go futhi isatshalaliswe ngaphansi kwelayisensi yomthombo ovulekile (i-Apache 2.0). Sizobonga nganoma yiluphi usizo lwentuthuko iphrojekthi ku-GitHub: nezinkanyezi, nezindaba, kanye nezicelo zokudonsa.

Ukuphakamisa iveyili yokufihla, sizokwazisa futhi ukuthi i-shell-opharetha injalo encane ingxenye yesistimu yethu engagcina izengezo zifakwe kuqoqo le-Kubernetes zisesikhathini samanje futhi zenze izenzo ezizenzakalelayo ezihlukahlukene. Funda kabanzi mayelana nalesi simiso utshele ngokoqobo ngoMsombuluko e-HighLoad++ 2019 e-St. Petersburg - maduze sizoshicilela ividiyo nokulotshiwe kwalo mbiko.

Sinohlelo lokuvula lonke uhlelo: i-addon-opharetha kanye neqoqo lethu lamahhuku namamojula. Ngendlela, i-addon-opharetha isivele isivele iyatholakala ku-GitHub, kodwa imibhalo yayo isasendleleni. Ukukhululwa kokuqoqwa kwamamojula kuhlelwe ehlobo.

Hlala ubukele!

PS

Funda futhi kubhulogi yethu:

• «Ama-Opharetha e-Kubernetes: ukuthi zisebenza kanjani izinhlelo zokusebenza ezisezingeni eliphakeme";
• «Kubhalelwa u-opharetha we-Kubernetes ngesi-Golang";
• «Sethula i-plugin entsha ye-Grafana - Iphaneli ye-Statusmap";
• «Sethula i-loghouse - isistimu yomthombo ovulekile yokusebenza ngamalogi ku-Kubernetes";
• «Sethula ngokusemthethweni i-dapp - insiza ye-DevOps yokulungiswa kwe-CI/CD".

Source: www.habr.com