Deploying JumpServer on K8s and exposing it with Istio

Introduction

  • JumpServer is a free, open-source bastion host that helps organisations control and log in to all kinds of assets in a more secure way.
  • JumpServer supports pre-session authorisation, in-session monitoring and post-session auditing, which meets the MLPS (等保) compliance requirements.

Installing JumpServer with Helm

Deploying MySQL on K8s

JumpServer requires an external MySQL, so it has to be set up separately.

Add the Helm repository

```sh
helm repo add bitnami https://charts.bitnami.com/bitnami
```

Download the MySQL Helm chart

```sh
# download the chart
helm fetch bitnami/mysql

# unpack it
tar -xf mysql-9.12.3.tgz

# enter the unpacked directory
[root@node1 jumpserver]# cd mysql/
[root@node1 mysql]# ls
Chart.lock  charts  Chart.yaml  README.md  templates  values.schema.json  values.yaml
```

Edit its values.yaml as follows

```yaml
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: "csi-rbd-sc"  # change to the StorageClass name on your K8s cluster
auth:
  ## @param auth.rootPassword Password for the `root` user. Ignored if existing secret is provided
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#setting-the-root-password-on-first-run
  ##
  rootPassword: "mysql_password"  # password of the root account
  ## @param auth.createDatabase Whether to create the .Values.auth.database or not
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#creating-a-database-on-first-run
  ##
  createDatabase: true
  ## @param auth.database Name for a custom database to create
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#creating-a-database-on-first-run
  ##
  database: "jumpserver"  # create a database for JumpServer
  ## @param auth.username Name for a custom user to create
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#creating-a-database-user-on-first-run
  ##
  username: "jms"        # create the user jms
  ## @param auth.password Password for the new user. Ignored if existing secret is provided
  ##
  password: "jms_password"  # password of the created user

# Relax the probe timings, otherwise MySQL fails to start.
# In the bitnami chart the probe settings live under `primary`, not under `auth`.
primary:
  livenessProbe:
    enabled: true
    initialDelaySeconds: 60  # extended to 60s
    periodSeconds: 60        # extended to 60s
    timeoutSeconds: 10       # timeout set to 10s
    failureThreshold: 3
    successThreshold: 1
  readinessProbe:
    enabled: true
    initialDelaySeconds: 60
    periodSeconds: 60
    timeoutSeconds: 10
    failureThreshold: 3
    successThreshold: 1
  startupProbe:
    enabled: true
    initialDelaySeconds: 60
    periodSeconds: 60
    timeoutSeconds: 10
    failureThreshold: 10
    successThreshold: 1
```

Create the namespace

Create the namespace jms; all of the following services are deployed into it.

```sh
kubectl create ns jms
```

Deploy MySQL

```sh
helm install jms-mysql . -f values.yaml -n jms
```

Deploying Redis on K8s

JumpServer also requires an external Redis, so it has to be set up separately as well.

Download the Redis Helm chart

```sh
helm fetch bitnami/redis

# unpack it
tar -xf redis-18.0.4.tgz

# enter the directory
[root@node1 jumpserver]# cd redis/
[root@node1 redis]# ls
Chart.lock  charts  Chart.yaml  img  README.md  templates  values.schema.json  values.yaml
```

Edit values.yaml as follows

```yaml
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: "csi-rbd-sc"  # change to the StorageClass name on your cluster
  redis:
    password: "redis_password"  # set the Redis password
```

Install the chart

```sh
helm install jms-redis . -f values.yaml -n jms
```

Check the Pods

```sh
[root@node1 redis]# kubectl get pods -n jms
NAME                   READY   STATUS    RESTARTS   AGE
jms-mysql-0            1/1     Running   0          14m
jms-redis-master-0     1/1     Running   0          3m5s
jms-redis-replicas-0   1/1     Running   0          3m5s
jms-redis-replicas-1   1/1     Running   0          119s
jms-redis-replicas-2   1/1     Running   0          77s
```

Deploying JumpServer

Add the Helm repository

```sh
helm repo add jumpserver https://jumpserver.github.io/helm-charts
```

Search for the JumpServer Helm chart

```sh
[root@node1 jumpserver]# helm search repo jumpserver
NAME                    CHART VERSION   APP VERSION     DESCRIPTION                                       
jumpserver/jumpserver   3.8.1           v3.8.1          A Helm chart for Deploying Jumpserver on Kubern...
```

Download the Helm chart so that its values.yaml can be edited

```sh
helm fetch jumpserver/jumpserver
```

If the download in the previous step is too slow to complete, clone the GitHub project instead

```sh
# if the download in the previous step is slow, clone the project directly
git clone https://github.com/jumpserver/helm-charts.git
```

Edit values.yaml

```sh
# this walkthrough cloned the GitHub repository, so locate the values.yaml inside the project and edit it
[root@node1 jumpserver]# pwd
/root/jumpserver/helm-charts/charts/jumpserver
[root@node1 jumpserver]# ls
Chart.yaml  configs  README.md  templates  values.yaml
```

First generate a random secret key and bootstrap token, then edit values.yaml as follows

```sh
# generate a random secret key
[root@node1 ~]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50
2c8jbQPosNKb2pC1iGkFwMHwYwg0XYaykCPiAeO8PccHAixbih

# generate a random bootstrap token
[root@node1 ~]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24
wF3NSIDTGGtO22cUNwBRV808
```
```yaml
global:
  imageRegistry: "docker.io"  # change the default image registry
  imageTag: v3.8.1
  ## E.g.
  #  imagePullSecrets:
  #  - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: "csi-rbd-sc"  # change to the StorageClass name on your K8s cluster

## Please configure your MySQL server first
## Jumpserver will not start the external MySQL server.
##
externalDatabase:
  engine: mysql
  host: jms-mysql  # Service name of the MySQL created earlier
  port: 3306
  user: jms       # username and password used to connect to MySQL
  password: "jms_password"
  database: jumpserver

## Please configure your Redis server first
## Jumpserver will not start the external Redis server.
##
externalRedis:
  host: jms-redis-master  # Service name of the Redis master created earlier (localhost would point at the JumpServer pod itself)
  port: 6379
  password: "redis_password"
core:
  enabled: true

  labels:
    app.jumpserver.org/name: jms-core

  config:
    ## Generate a new random secret key by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
    secretKey: "2c8jbQPosNKb2pC1iGkFwMHwYwg0XYaykCPiAeO8PccHAixbih"  # the secret key generated in the step above
    ## Generate a new random bootstrap token by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
    bootstrapToken: "wF3NSIDTGGtO22cUNwBRV808" # the bootstrap token generated in the step above

# Note: change every accessModes entry in the file to ReadWriteOnce
accessModes:
  - ReadWriteOnce
```
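The values files for MySQL, Redis and JumpServer above carry the database password, the Redis password, the secret key and the bootstrap token as literals, and the JumpServer file has to repeat exactly the passwords the MySQL and Redis charts were given. The script below is an added example, not part of the original post or of the JumpServer project: it generates each credential once, using the same /dev/urandom recipe the post uses, and writes them into one Helm override file per chart, so that values.yaml itself can be committed without secrets in it. The output directory and the override file names are my own choice.

```shell
#!/bin/sh
# Added example (not from the original post): generate every credential the
# deployment needs once and write it into per-chart Helm override files.
# Assumptions: the output directory ($1) and the override file names are mine.
set -eu

# Random alphanumeric string of the requested length; the same recipe the post
# uses for the JumpServer secret key and bootstrap token.
gen_token() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Render three override files into $1. Each file carries only the keys that
# hold secrets, at the same YAML paths as in the post's values.yaml files.
render_secret_values() {
  dir="$1"
  mkdir -p "$dir"
  (
    umask 077                      # override files are created 0600

    db_password=$(gen_token 32)
    redis_password=$(gen_token 32)
    secret_key=$(gen_token 50)     # lengths match the post: 50 and 24
    bootstrap_token=$(gen_token 24)

    # bitnami/mysql: auth.rootPassword and auth.password
    cat >"$dir/mysql-secrets.yaml" <<EOF
auth:
  rootPassword: "$(gen_token 32)"
  password: "$db_password"
EOF

    # bitnami/redis: global.redis.password
    cat >"$dir/redis-secrets.yaml" <<EOF
global:
  redis:
    password: "$redis_password"
EOF

    # jumpserver/jumpserver: reuses the MySQL user password and the Redis password
    cat >"$dir/jumpserver-secrets.yaml" <<EOF
externalDatabase:
  password: "$db_password"
externalRedis:
  password: "$redis_password"
core:
  config:
    secretKey: "$secret_key"
    bootstrapToken: "$bootstrap_token"
EOF
  )
  echo "$dir"
}

# Print the quoted value(s) of key $2 from file $1, one per line; used to
# confirm that the JumpServer file reuses the password given to MySQL.
value_of() {
  sed -n "s/^ *$2: \"\(.*\)\"$/\1/p" "$1"
}
```

Pass each override after the chart's values.yaml, for example `helm install jms-mysql . -f values.yaml -f ./secrets/mysql-secrets.yaml -n jms`: later `-f` files take precedence in Helm, so the placeholder passwords in values.yaml are replaced at install time and the override directory can stay out of version control.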

Install the chart

This step can take a while.

```sh
helm install jumpserver . -f values.yaml -n jms
```

Check the Services

```sh
[root@node1 ~]# kubectl get service -n jms
NAME                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                         AGE
jms-mysql               ClusterIP   10.96.211.71    <none>        3306/TCP                        146m
jms-mysql-headless      ClusterIP   None            <none>        3306/TCP                        146m
jms-redis-headless      ClusterIP   None            <none>        6379/TCP                        135m
jms-redis-master        ClusterIP   10.96.40.37     <none>        6379/TCP                        135m
jms-redis-replicas      ClusterIP   10.96.237.101   <none>        6379/TCP                        135m
jumpserver-jms-chen     ClusterIP   10.96.66.253    <none>        8082/TCP                        31m
jumpserver-jms-core     ClusterIP   10.96.204.210   <none>        8080/TCP                        31m
jumpserver-jms-kael     ClusterIP   10.96.236.163   <none>        8083/TCP                        31m
jumpserver-jms-koko     ClusterIP   10.96.68.28     <none>        5000/TCP,2222/TCP               31m
jumpserver-jms-lion     ClusterIP   10.96.26.169    <none>        8081/TCP                        31m
jumpserver-jms-magnus   ClusterIP   10.96.238.16    <none>        33061/TCP,33062/TCP,63790/TCP   31m
jumpserver-jms-web      ClusterIP   10.96.209.160   <none>        80/TCP                          31m
```

Exposing the JumpServer web service with Istio

Create the Gateway

```yaml
# jumpserver-gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: jumpserver-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "jumpserver.myk8s.cn"
```

Apply the YAML file

```sh
kubectl apply -f jumpserver-gateway.yaml
```

Create the VirtualService

```yaml
# jumpserver-virtualservice.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: jumpserver-virtualservice
  namespace: jms
spec:
  hosts:
  - "jumpserver.myk8s.cn"
  gateways:
  - istio-system/jumpserver-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: jumpserver-jms-web
        port:
          number: 80
```

Apply the YAML file

```sh
[root@node1 jumpserver]# kubectl apply -f jumpserver-virtualservice.yaml
virtualservice.networking.istio.io/jumpserver-virtualservice created
```

Testing

Find the EXTERNAL-IP of the Istio ingress gateway

```sh
[root@node1 jumpserver]# kubectl get service -n istio-system
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP                   PORT(S)                                                                                      AGE
grafana                ClusterIP      10.96.234.93    <none>                        3000/TCP                                                                                     13d
istio-egressgateway    ClusterIP      10.96.24.219    <none>                        80/TCP,443/TCP                                                                               14d
istio-ingressgateway   LoadBalancer   10.96.174.147   192.168.0.111,192.168.0.222   15021:31848/TCP,80:31657/TCP,20001:31775/TCP,443:30425/TCP,31400:31780/TCP,15443:30671/TCP   14d
istiod                 ClusterIP      10.96.49.69     <none>                        15010/TCP,15012/TCP,443/TCP,15014/TCP                                                        14d
jaeger-collector       ClusterIP      10.96.63.79     <none>                        14268/TCP,14250/TCP,9411/TCP,4317/TCP,4318/TCP                                               13d
kiali                  ClusterIP      10.96.202.30    <none>                        20001/TCP,9090/TCP                                                                           13d
loki-headless          ClusterIP      None            <none>                        3100/TCP                                                                                     13d
prometheus             ClusterIP      10.96.109.177   <none>                        9090/TCP                                                                                     13d
tracing                ClusterIP      10.96.141.120   <none>                        80/TCP,16685/TCP                                                                             13d
zipkin                 ClusterIP      10.96.225.164   <none>                        9411/TCP                                                                                     13d
```

On every host that needs to reach JumpServer, edit the hosts file so that jumpserver.myk8s.cn resolves to the EXTERNAL-IP; here it is resolved to 192.168.0.111.
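The Gateway above exposes the bastion's login page over plain HTTP on port 80 only, so the credentials typed into it cross the network unencrypted. The script below is an added example, not part of the original post or of Istio: it renders the same Gateway and VirtualService with an HTTPS listener plus an HTTP-to-HTTPS redirect, and adds a curl smoke test that uses `--resolve` in place of the hosts-file edit. The TLS Secret name `jumpserver-tls` and the assumption that the certificate Secret already exists in istio-system are my own.

```shell
#!/bin/sh
# Added example (not from the original post): Gateway/VirtualService for
# jumpserver.myk8s.cn with TLS termination and a redirect from port 80.
# Assumptions: the TLS Secret jumpserver-tls exists in istio-system.
set -eu

HOST="jumpserver.myk8s.cn"

# Gateway: port 80 only redirects to HTTPS; port 443 terminates TLS with a
# kubernetes.io/tls Secret that must live in the ingress gateway's namespace.
render_gateway() {
  cat <<EOF
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: jumpserver-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "$HOST"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "$HOST"
    tls:
      mode: SIMPLE
      credentialName: jumpserver-tls
EOF
}

# VirtualService: unchanged from the post; it binds to both servers of the
# Gateway because it references the Gateway, not an individual port.
render_virtualservice() {
  cat <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: jumpserver-virtualservice
  namespace: jms
spec:
  hosts:
  - "$HOST"
  gateways:
  - istio-system/jumpserver-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: jumpserver-jms-web
        port:
          number: 80
EOF
}

# Number of Gateway listeners using protocol $1 (HTTP or HTTPS); the trailing
# anchor keeps "HTTP" from also matching "HTTPS".
count_protocol() {
  render_gateway | grep -c "protocol: $1\$"
}

# Reach the ingress gateway at external IP $1 with the right Host header and
# SNI, without touching /etc/hosts. Prints one HTTP status code per line:
# port 80 should answer with a redirect, port 443 with the JumpServer web page.
smoke_test() {
  ip="$1"
  curl -s -o /dev/null -w '%{http_code}\n' --resolve "$HOST:80:$ip" "http://$HOST/"
  curl -s -o /dev/null -w '%{http_code}\n' --resolve "$HOST:443:$ip" "https://$HOST/"
}
```

Create the certificate Secret first, for example with `kubectl create secret tls jumpserver-tls -n istio-system --cert=<cert.pem> --key=<key.pem>` (placeholder paths), then `render_gateway | kubectl apply -f -` and `render_virtualservice | kubectl apply -f -`, and run `smoke_test 192.168.0.111` from any host that can reach the EXTERNAL-IP.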

Access the service
