K8s部署Jumpserver并使用Istio对外暴露服务
简介
JumpServer是一款免费开源的堡垒机,可以帮助企业以更安全的方式管控和登录各种类型的资产。
JumpServer 堡垒机支持事前授权、事中监察、事后审计,满足等保合规要求。
使用Helm安装JumpServer
在K8s上部署MySQL
由于JumpServer需要使用外部MySQL,因此需要自己配置
添加Helm源helm repo add bitnami https://charts.bitnami.com/bitnami
下载MySQL Helm Chart
helm fetch bitnami/mysqltar -xf mysql-9.12.3.tgz[][]Chart.lock charts Chart.yaml README.md templates values.schema.json values.yaml
修改其中的values.yaml文件,内容如下
global:imageRegistry: ""imagePullSecrets: []storageClass: "csi-rbd-sc"auth:rootPassword: "mysql_password"createDatabase: truedatabase: "jumpserver"username: "jms"password: "jms_password"livenessProbe:enabled: trueinitialDelaySeconds: 60periodSeconds: 60timeoutSeconds: 10failureThreshold: 3successThreshold: 1readinessProbe:enabled: trueinitialDelaySeconds: 60periodSeconds: 60timeoutSeconds: 10failureThreshold: 3successThreshold: 1startupProbe:enabled: trueinitialDelaySeconds: 60periodSeconds: 60timeoutSeconds: 10failureThreshold: 10successThreshold: 1
创建名称空间
创建名称空间kms,后面的服务都部署在该名称空间下
kubectl create ns jms
部署MySQL
helm install jms-mysql . -f values.yaml -n jms
在k8s上部署redis
由于JumpServer需要使用外部redis,因此也需要自己配置
下载Redis Helm Chart
helm fetch bitnami/redistar -xf redis-18.0.4.tgz[][]Chart.lock charts Chart.yaml img README.md templates values.schema.json values.yaml
修改values.yaml文件内容如下
global:imageRegistry: ""imagePullSecrets: []storageClass: "csi-rbd-sc"redis:password: "redis_password"
应用Chart
helm install jms-redis . -f values.yaml -n jms
查看Pod
[root@node1 redis]NAME READY STATUS RESTARTS AGEjms-mysql-0 1/1 Running 0 14mjms-redis-master-0 1/1 Running 0 3m5sjms-redis-replicas-0 1/1 Running 0 3m5sjms-redis-replicas-1 1/1 Running 0 119sjms-redis-replicas-2 1/1 Running 0 77s
部署JumpServer
添加Helm源
helm repo add jumpserver https://jumpserver.github.io/helm-charts
搜索JumpServer Helm Chart
[]NAME CHART VERSION APP VERSION DESCRIPTIONjumpserver/jumpserver 3.8.1 v3.8.1 A Helm chart for Deploying Jumpserver on K
ubern...
下载Helm Chart 以便修改其中的values.yml
helm fetch jumpserver/jumpserver
如果上一步下载网速慢无法下载的话可以克隆github项目
git clone https://github.com/jumpserver/helm-charts.git
修改values.yaml
[]/root/jumpserver/helm-charts/charts/jumpserver[]Chart.yaml configs README.md templates values.yaml
修改values.yaml内容如下
~]2c8jbQPosNKb2pC1iGkFwMHwYwg0XYaykCPiAeO8PccHAixbih~]wF3NSIDTGGtO22cUNwBRV808global:imageRegistry: "docker.io"imageTag: v3.8.1imagePullSecrets: []storageClass: "csi-rbd-sc"externalDatabase:engine: mysqlhost: jms-mysqlport: 3306user: jmspassword: "jms_password"database: jumpserverexternalRedis:host: localhostport: 6379password: "redis_password"core:enabled: truelabels:: jms-coreconfig:secretKey: "2c8jbQPosNKb2pC1iGkFwMHwYwg0XYaykCPiAeO8PccHAixbih"bootstrapToken: "wF3NSIDTGGtO22cUNwBRV808"accessModes:ReadWriteOnce
应用Chart
该步骤时间可能会较长
helm install jumpserver . -f values.yaml -n jms
查看Pod
[root@node1 ~]NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEjms-mysql ClusterIP 10.96.211.71 <none> 3306/TCP 146mjms-mysql-headless ClusterIP None <none> 3306/TCP 146mjms-redis-headless ClusterIP None <none> 6379/TCP 135mjms-redis-master ClusterIP 10.96.40.37 <none> 6379/TCP 135mjms-redis-replicas ClusterIP 10.96.237.101 <none> 6379/TCP 135mjumpserver-jms-chen ClusterIP 10.96.66.253 <none> 8082/TCP 31mjumpserver-jms-core ClusterIP 10.96.204.210 <none> 8080/TCP 31mjumpserver-jms-kael ClusterIP 10.96.236.163 <none> 8083/TCP 31mjumpserver-jms-koko ClusterIP 10.96.68.28 <none> 5000/TCP,2222/TCP 31mjumpserver-jms-lion ClusterIP 10.96.26.169 <none> 8081/TCP 31mjumpserver-jms-magnus ClusterIP 10.96.238.16 <none> 33061/TCP,33062/TCP,63790/TCP 31mjumpserver-jms-web ClusterIP 10.96.209.160 <none> 80/TCP
31m
查看service
[root@node1 ~]NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEjms-mysql ClusterIP 10.96.211.71 <none> 3306/TCP 131mjms-mysql-headless ClusterIP None <none> 3306/TCP 131mjms-redis-headless ClusterIP None <none> 6379/TCP 120mjms-redis-master ClusterIP 10.96.40.37 <none> 6379/TCP 120mjms-redis-replicas ClusterIP 10.96.237.101 <none> 6379/TCP 120mjumpserver-jms-chen ClusterIP 10.96.66.253 <none> 8082/TCP 16mjumpserver-jms-core ClusterIP 10.96.204.210 <none> 8080/TCP 16mjumpserver-jms-kael ClusterIP 10.96.236.163 <none> 8083/TCP 16mjumpserver-jms-koko ClusterIP 10.96.68.28 <none> 5000/TCP,2222/TCP 16mjumpserver-jms-lion ClusterIP 10.96.26.169 <none> 8081/TCP 16mjumpserver-jms-magnus ClusterIP 10.96.238.16 <none> 33061/TCP,33062/TCP,63790/TCP 16mjumpserver-jms-web ClusterIP 10.96.209.160 <none> 80/TCP
16m
使用Istio暴露jumpserver web服务
创建gatewayapiVersion: networking.istio.io/v1beta1kind: Gatewaymetadata:name: jumpserver-gatewaynamespace: istio-systemspec:selector:app: istio-ingressgatewayservers:port:number: 80name: httpprotocol: HTTPhosts:"jumpserver.myk8s.cn"应用yaml文件kubectl apply -f jumpserver-gateway.yaml创建VirtualServiceapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata:name: jumpserver-virtualservicenamespace: jmsspec:hosts:"jumpserver.myk8s.cn"gateways:istio-system/jumpserver-gatewayhttp:match:uri:prefix: /route:destination:host: jumpserver-jms-webport:number: 80应用yaml文件jumpserver]created
测试
查看istio ingressgateway的external-ip
[root@node1 jumpserver]NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEgrafana ClusterIP 10.96.234.93 <none> 3000/TCP 13distio-egressgateway ClusterIP 10.96.24.219 <none> 80/TCP,443/TCP 14distio-ingressgateway LoadBalancer 10.96.174.147 192.168.0.111,192.168.0.222 15021:31848/TCP,80:31657/TCP,20001:31775/TCP,443:30425/TCP,31400:31780/TCP,15443:30671/TCP 14distiod ClusterIP 10.96.49.69 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 14djaeger-collector ClusterIP 10.96.63.79 <none> 14268/TCP,14250/TCP,9411/TCP,4317/TCP,4318/TCP 13dkiali ClusterIP 10.96.202.30 <none> 20001/TCP,9090/TCP 13dloki-headless ClusterIP None <none> 3100/TCP 13dprometheus ClusterIP 10.96.109.177 <none> 9090/TCP 13dtracing ClusterIP 10.96.141.120 <none> 80/TCP,16685/TCP 13dzipkin ClusterIP 10.96.225.164 <none> 9411/TCP
13d
在需要访问jumpserver服务的主机上修改hosts,将jumpserver.myk8s.cn解析为external-ip地址,这里解析为192.168.0.111
访问服务
微信扫码关注该文公众号作者
戳这里提交新闻线索和高质量文章给我们。
来源: qq
点击查看作者最近其他文章