简介
- JumpServer是一款免费开源的堡垒机,可以帮助企业以更安全的方式管控和登录各种类型的资产。
- JumpServer 堡垒机支持事前授权、事中监察、事后审计,满足等保合规要求。
使用Helm安装JumpServer
在K8s上部署MySQL
由于JumpServer需要使用外部MySQL,因此需要自己配置
添加Helm源
sh
# Register the Bitnami chart repository; the MySQL and Redis charts below come from it.
helm repo add bitnami https://charts.bitnami.com/bitnami
下载MySQL Helm Chart
sh
# Download the chart
# NOTE(review): the tarball name below is version-specific (mysql-9.12.3.tgz); pin it with
# `helm fetch bitnami/mysql --version 9.12.3` so a later chart release does not break the
# `tar -xf` step and the values keys edited below stay the ones this chart version reads.
helm fetch bitnami/mysql
# Unpack
tar -xf mysql-9.12.3.tgz
# Enter the unpacked directory
[root@node1 jumpserver]# cd mysql/
[root@node1 mysql]# ls
Chart.lock charts Chart.yaml README.md templates values.schema.json values.yaml
修改其中的values.yaml文件,内容如下
yaml
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ## - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: "csi-rbd-sc" # set to the StorageClass name of your K8s cluster
auth:
  ## @param auth.rootPassword Password for the `root` user. Ignored if existing secret is provided
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#setting-the-root-password-on-first-run
  ##
  ## NOTE(review): "mysql_password" / "jms_password" are placeholders, not values to deploy with.
  ## Helm keeps the rendered values in the release Secret (`helm get values`), so anyone who can
  ## read Secrets in the namespace can read them; keep this values.yaml out of version control,
  ## or hand the chart a pre-created Secret instead (the "Ignored if existing secret is provided"
  ## path the chart documents above).
  rootPassword: "mysql_password" # root account password
  ## @param auth.createDatabase Whether to create the .Values.auth.database or not
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#creating-a-database-on-first-run
  ##
  createDatabase: true
  ## @param auth.database Name for a custom database to create
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#creating-a-database-on-first-run
  ##
  database: "jumpserver" # create a database for JumpServer
  ## @param auth.username Name for a custom user to create
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#creating-a-database-user-on-first-run
  ##
  username: "jms" # create the user jms
  ## @param auth.password Password for the new user. Ignored if existing secret is provided
  ##
  password: "jms_password" # password of the user above; must match externalDatabase.password in the JumpServer values
# Lengthen the probe timings, otherwise MySQL fails to start (author's observation: the
# defaults do not leave the database enough time before failures are counted).
# NOTE(review): in the Bitnami MySQL chart these probe blocks are nested under `primary:`
# (and `secondary:`); the excerpt shows them without that parent — keep them at the nesting
# the chart's own values.yaml uses.
livenessProbe:
  enabled: true
  initialDelaySeconds: 60 # extended to 60s
  periodSeconds: 60 # extended to 60s
  timeoutSeconds: 10 # timeout raised to 10s
  failureThreshold: 3
  successThreshold: 1
readinessProbe:
  enabled: true
  initialDelaySeconds: 60
  periodSeconds: 60
  timeoutSeconds: 10
  failureThreshold: 3
  successThreshold: 1
startupProbe:
  enabled: true
  initialDelaySeconds: 60
  periodSeconds: 60
  timeoutSeconds: 10
  failureThreshold: 10 # 10 x 60s: up to ten minutes for first start before the pod is restarted
  successThreshold: 1
创建名称空间
创建名称空间jms,后面的服务都部署在该名称空间下
sh
# Create the namespace every release below is installed into (-n jms).
kubectl create ns jms
部署MySQL
sh
# Install MySQL as release "jms-mysql"; the Service is named after the release (jms-mysql),
# which is what externalDatabase.host in the JumpServer values points at.
# The passwords in values.yaml end up in the release Secret in namespace jms — restrict who
# can read Secrets there.
helm install jms-mysql . -f values.yaml -n jms
在k8s上部署redis
由于JumpServer需要使用外部redis,因此也需要自己配置
下载Redis Helm Chart
sh
# Download the Redis chart (pin with --version 18.0.4 so the tarball name below stays valid)
helm fetch bitnami/redis
# Unpack
tar -xf redis-18.0.4.tgz
# Enter the directory
[root@node1 jumpserver]# cd redis/
[root@node1 redis]# ls
Chart.lock charts Chart.yaml img README.md templates values.schema.json values.yaml
修改values.yaml文件内容如下
yaml
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ## - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: "csi-rbd-sc" # set to the StorageClass name of your cluster
  # NOTE(review): this is read as global.redis.password — confirm against the chart's own
  # values.yaml that the key is placed at this nesting, otherwise the chart generates a
  # random password and JumpServer's externalRedis.password ("redis_password") will not match.
  redis:
    password: "redis_password" # Redis password (placeholder — replace; stored in the release Secret)
应用Chart
sh
# Install Redis as release "jms-redis"; the master Service becomes jms-redis-master.
helm install jms-redis . -f values.yaml -n jms
查看Pod
sh
# Both releases up: one MySQL pod, one Redis master and three Redis replicas (chart defaults).
[root@node1 redis]# kubectl get pods -n jms
NAME READY STATUS RESTARTS AGE
jms-mysql-0 1/1 Running 0 14m
jms-redis-master-0 1/1 Running 0 3m5s
jms-redis-replicas-0 1/1 Running 0 3m5s
jms-redis-replicas-1 1/1 Running 0 119s
jms-redis-replicas-2 1/1 Running 0 77s
部署JumpServer
添加Helm源
sh
# Register the official JumpServer chart repository.
helm repo add jumpserver https://jumpserver.github.io/helm-charts
搜索JumpServer Helm Chart
sh
# Chart 3.8.1 ships app v3.8.1 — the imageTag set later in values.yaml should match this.
[root@node1 jumpserver]# helm search repo jumpserver
NAME CHART VERSION APP VERSION DESCRIPTION
jumpserver/jumpserver 3.8.1 v3.8.1 A Helm chart for Deploying Jumpserver on Kubern...
下载Helm Chart 以便修改其中的values.yaml
sh
# Download the JumpServer chart (add --version 3.8.1 to pin the version found above).
helm fetch jumpserver/jumpserver
如果上一步下载网速慢无法下载的话可以克隆github项目
sh
# If the download in the previous step is slow, clone the project directly instead
# NOTE(review): a plain clone tracks the repository's default branch, which may be newer than
# chart 3.8.1 and use different values keys than the v3.8.1 image expects; if the repo tags its
# chart releases, check out the tag matching the version shown by `helm search repo`.
git clone https://github.com/jumpserver/helm-charts.git
修改values.yaml
sh
# This example cloned the GitHub repository, so locate and edit the values.yaml inside the project
[root@node1 jumpserver]# pwd
/root/jumpserver/helm-charts/charts/jumpserver
[root@node1 jumpserver]# ls
Chart.yaml configs README.md templates values.yaml
修改values.yaml内容如下
sh
# Generate a random secret key (50 alphanumeric characters, roughly 297 bits of entropy)
# NOTE(review): the two values printed below are published with this page and are therefore
# not secret — generate fresh ones for every deployment and never paste them into shared docs.
# `tr -dc A-Za-z0-9 </dev/urandom | head -c 50` does the same without the extra cat; under
# `set -o pipefail` this pipeline reports a non-zero status even though the output is fine,
# because head closes the pipe early and tr is terminated by SIGPIPE.
[root@node1 ~]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50
2c8jbQPosNKb2pC1iGkFwMHwYwg0XYaykCPiAeO8PccHAixbih
# Generate a random bootstrap token (24 alphanumeric characters, roughly 143 bits)
[root@node1 ~]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24
wF3NSIDTGGtO22cUNwBRV808
yaml
global:
  imageRegistry: "docker.io" # change the default image registry
  imageTag: v3.8.1 # keep in step with the chart version from `helm search repo` (3.8.1 / v3.8.1)
  ## E.g.
  # imagePullSecrets:
  # - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: "csi-rbd-sc" # set to the StorageClass name of your K8s cluster
## Please configure your MySQL server first
## Jumpserver will not start the external MySQL server.
##
externalDatabase:
  engine: mysql
  host: jms-mysql # Service name of the MySQL release created earlier
  port: 3306
  user: jms # user name and password used to connect to MySQL (auth.username / auth.password in the MySQL values)
  password: "jms_password"
  database: jumpserver
## Please configure your Redis server first
## Jumpserver will not start the external Redis server.
##
externalRedis:
  # NOTE(review): the Redis release created earlier exposes the Service `jms-redis-master`
  # (see the `kubectl get service -n jms` listing); `localhost` here points every JumpServer
  # pod at its own network namespace, where no Redis runs. Confirm this is intended — by
  # analogy with externalDatabase.host it looks like it should be `jms-redis-master`.
  host: localhost
  port: 6379
  password: "redis_password" # must match the password given in the Redis values
core:
  enabled: true
  labels:
    app.jumpserver.org/name: jms-core
  config:
    ## Generate a new random secret key by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
    ## NOTE(review): the values below are the ones printed on this page, so they are public;
    ## generate your own. They are also stored in the Helm release Secret — keep this file out
    ## of version control. JumpServer presumably uses secretKey to protect data it stores, so
    ## generate it once and back it up rather than rotating it casually — confirm in the JumpServer docs.
    secretKey: "2c8jbQPosNKb2pC1iGkFwMHwYwg0XYaykCPiAeO8PccHAixbih" # fill in the secret key generated in the step above
    ## Generate a new random bootstrap token by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
    bootstrapToken: "wF3NSIDTGGtO22cUNwBRV808" # fill in the bootstrap token generated in the step above
# NOTE: change every accessModes entry in the file to ReadWriteOnce
# (this shows the value once; the key occurs under each persistence section of the chart)
accessModes:
  - ReadWriteOnce
应用Chart
该步骤时间可能会较长
sh
# Install JumpServer as release "jumpserver" into namespace jms (may take a while).
# The Services created are named jumpserver-jms-<component>, e.g. jumpserver-jms-web.
helm install jumpserver . -f values.yaml -n jms
查看Pod
sh
# NOTE(review): this listing shows Services, not Pods (it is the same command as the next
# section); `kubectl get pods -n jms` would show whether the JumpServer pods reached Running.
[root@node1 ~]# kubectl get service -n jms
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
jms-mysql ClusterIP 10.96.211.71 <none> 3306/TCP 146m
jms-mysql-headless ClusterIP None <none> 3306/TCP 146m
jms-redis-headless ClusterIP None <none> 6379/TCP 135m
jms-redis-master ClusterIP 10.96.40.37 <none> 6379/TCP 135m
jms-redis-replicas ClusterIP 10.96.237.101 <none> 6379/TCP 135m
jumpserver-jms-chen ClusterIP 10.96.66.253 <none> 8082/TCP 31m
jumpserver-jms-core ClusterIP 10.96.204.210 <none> 8080/TCP 31m
jumpserver-jms-kael ClusterIP 10.96.236.163 <none> 8083/TCP 31m
jumpserver-jms-koko ClusterIP 10.96.68.28 <none> 5000/TCP,2222/TCP 31m
jumpserver-jms-lion ClusterIP 10.96.26.169 <none> 8081/TCP 31m
jumpserver-jms-magnus ClusterIP 10.96.238.16 <none> 33061/TCP,33062/TCP,63790/TCP 31m
jumpserver-jms-web ClusterIP 10.96.209.160 <none> 80/TCP 31m
查看service
sh
# All Services are ClusterIP, i.e. reachable only inside the cluster; only jumpserver-jms-web
# (80/TCP) is exposed to clients, via the Istio Gateway/VirtualService in the next section.
[root@node1 ~]# kubectl get service -n jms
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
jms-mysql ClusterIP 10.96.211.71 <none> 3306/TCP 131m
jms-mysql-headless ClusterIP None <none> 3306/TCP 131m
jms-redis-headless ClusterIP None <none> 6379/TCP 120m
jms-redis-master ClusterIP 10.96.40.37 <none> 6379/TCP 120m
jms-redis-replicas ClusterIP 10.96.237.101 <none> 6379/TCP 120m
jumpserver-jms-chen ClusterIP 10.96.66.253 <none> 8082/TCP 16m
jumpserver-jms-core ClusterIP 10.96.204.210 <none> 8080/TCP 16m
jumpserver-jms-kael ClusterIP 10.96.236.163 <none> 8083/TCP 16m
jumpserver-jms-koko ClusterIP 10.96.68.28 <none> 5000/TCP,2222/TCP 16m
jumpserver-jms-lion ClusterIP 10.96.26.169 <none> 8081/TCP 16m
jumpserver-jms-magnus ClusterIP 10.96.238.16 <none> 33061/TCP,33062/TCP,63790/TCP 16m
jumpserver-jms-web ClusterIP 10.96.209.160 <none> 80/TCP 16m
使用Istio暴露jumpserver web服务
创建gateway
yaml
# jumpserver-gateway.yaml
# jumpserver-gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: jumpserver-gateway
  namespace: istio-system # lives next to the ingress gateway; referenced as istio-system/jumpserver-gateway
spec:
  selector:
    app: istio-ingressgateway # bind to the default Istio ingress gateway pods
  servers:
    # NOTE(review): this listener is plain HTTP, so logins to the bastion and its web
    # sessions cross the network unencrypted. The usual hardening is a second server on
    # port 443 with protocol HTTPS and a `tls` section (mode SIMPLE, credentialName of a
    # TLS Secret in istio-system), with `tls.httpsRedirect: true` on this port-80 server.
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "jumpserver.myk8s.cn" # restricted to the one hostname rather than "*"
应用yaml文件
sh
# Create the Gateway in istio-system (the namespace is set inside the manifest).
kubectl apply -f jumpserver-gateway.yaml
创建VirtualService
yaml
# jumpserver-virtualservice.yaml
# jumpserver-virtualservice.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: jumpserver-virtualservice
  namespace: jms # same namespace as the jumpserver-jms-web Service it routes to
spec:
  hosts:
    - "jumpserver.myk8s.cn" # must match the host on the Gateway
  gateways:
    - istio-system/jumpserver-gateway # namespace/name of the Gateway created above
  http:
    - match:
        - uri:
            prefix: / # every path under the host goes to the web Service
      route:
        - destination:
            host: jumpserver-jms-web # ClusterIP Service 80/TCP from the listing above
            port:
              number: 80
应用yaml文件
sh
# Create the VirtualService in namespace jms (set inside the manifest).
[root@node1 jumpserver]# kubectl apply -f jumpserver-virtualservice.yaml
virtualservice.networking.istio.io/jumpserver-virtualservice created
测试
查看istio ingressgateway的external-ip
sh
# The ingress gateway is a LoadBalancer with two external IPs; the hosts-file entry in the
# last step uses the first one (192.168.0.111). Port 80 on it is what the Gateway above serves.
[root@node1 jumpserver]# kubectl get service -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 10.96.234.93 <none> 3000/TCP 13d
istio-egressgateway ClusterIP 10.96.24.219 <none> 80/TCP,443/TCP 14d
istio-ingressgateway LoadBalancer 10.96.174.147 192.168.0.111,192.168.0.222 15021:31848/TCP,80:31657/TCP,20001:31775/TCP,443:30425/TCP,31400:31780/TCP,15443:30671/TCP 14d
istiod ClusterIP 10.96.49.69 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 14d
jaeger-collector ClusterIP 10.96.63.79 <none> 14268/TCP,14250/TCP,9411/TCP,4317/TCP,4318/TCP 13d
kiali ClusterIP 10.96.202.30 <none> 20001/TCP,9090/TCP 13d
loki-headless ClusterIP None <none> 3100/TCP 13d
prometheus ClusterIP 10.96.109.177 <none> 9090/TCP 13d
tracing ClusterIP 10.96.141.120 <none> 80/TCP,16685/TCP 13d
zipkin ClusterIP 10.96.225.164 <none> 9411/TCP 13d
在需要访问jumpserver服务的主机上修改hosts,将jumpserver.myk8s.cn解析为external-ip地址,这里解析为192.168.0.111