Installing Spinnaker Offline on a K8S Cluster: You Really Need to Read This Article



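Preface

Spinnaker is a continuous delivery platform that Netflix open-sourced in 2015. It was originally developed by Netflix to release software changes quickly and reliably. Spinnaker lets developers focus on writing code without worrying about the underlying cloud infrastructure, and it integrates seamlessly with Jenkins and other popular build tools. Because of the GFW, however, deploying Spinnaker inside China is very difficult. You could use a proxy, of course, but that would defeat the purpose of this article. After many attempts, I finally managed to install Spinnaker without a proxy. Without further ado, let's get straight to it.

Installing Halyard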



Install Halyard using Docker.

<code># useradd spinnaker
# cd /home/spinnaker
$ mkdir ~/.hal
$ docker run -d -p 8084:8084 -p 9000:9000 --name halyard --rm -v ~/.hal:/home/spinnaker/.hal -v ~/.kube:/home/spinnaker/.kube -it gcr.azk8s.cn/spinnaker-marketplace/halyard:1.31.1</code>

Startup parameters: /home/spinnaker/.hal holds the Halyard configuration files, and /home/spinnaker/.kube is the directory containing the k8s cluster credentials.

The image address given on the official site, gcr.io, is not reachable from inside China, so the image address has to be changed to gcr.azk8s.cn.

Preparing to Install Spinnaker




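Spinnaker supports three deployment environments:

  • Distributed installation on k8s (recommended)
  • Local installation on a single machine
  • Local git installation

This article uses the K8S approach.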

<code>$ kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0",GitCommit:"xxx", GitTreeState:"clean", BuildDate:"2019-09-18T14:36:53Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.8-xx.1", GitCommit:"51888f5", GitTreeState:"", BuildDate:"2019-10-16T08:29:13Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}
$ kubectl create namespace spinnaker</code>

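Configuring the Spinnaker Config File

The main things to set are the Docker image registry and the storage. A sample configuration file follows.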

<code>currentDeployment: default
deploymentConfigurations:
- name: default
  version: local:1.17.6
  providers:
    appengine:
      enabled: false
      accounts: []
    aws:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
      defaultKeyPairTemplate: '{{name}}-keypair'
      defaultRegions:
      - name: huabei2
      defaults:
        iamRole: BaseIAMRole
    ecs:
      enabled: false
      accounts: []
    azure:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: azure-linux.json
        baseImages: []
    dcos:
      enabled: false
      accounts: []
      clusters: []
    dockerRegistry:
      enabled: true
      accounts:
      # Name of the image registry account
      - name: dockerhub
        requiredGroupMembership: []
        providerVersion: V1
        permissions: {}
        # Address of your image registry
        address: xxxx
        # Image registry credentials
        username: xxxxx
        password: xxxxx
        email: [email protected]
        sortTagsByDate: true
        repositories:
        # The projects under your namespace go here
        - namespace/appname
      # Name of the image registry account defined above
      primaryAccount: dockerhub
    google:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: gce.json
        baseImages: []
        zone: us-central1-f
        network: default
        useInternalIp: false
    huaweicloud:
      enabled: false
      accounts: []
      bakeryDefaults:
        baseImages: []
    kubernetes:
      enabled: true
      accounts:
      # Name of the k8s cluster
      - name: k8s
        requiredGroupMembership: []
        providerVersion: V2
        permissions: {}
        dockerRegistries: []
        configureImagePullSecrets: true
        cacheThreads: 1
        namespaces:
        # Add your namespace here
        - yournamespace
        omitNamespaces: []
        kinds: []
        omitKinds: []
        customResources: []
        cachingPolicies: []
        # Path to the k8s cluster credentials file
        kubeconfigFile: /home/spinnaker/.kube/config
        oAuthScopes: []
        onlySpinnakerManaged: false
      # Must match the k8s cluster name above
      primaryAccount: k8s
    oracle:
      enabled: false
      accounts: []
      bakeryDefaults:
        templateFile: oci.json
        baseImages: []
    cloudfoundry:
      enabled: false
      accounts: []
  deploymentEnvironment:
    size: SMALL
    type: Distributed
    # Name of the k8s cluster
    accountName: k8s
    imageVariant: SLIM
    updateVersions: false
    consul:
      enabled: false
    vault:
      enabled: false
    customSizing: {}
    sidecars: {}
    initContainers: {}
    hostAliases: {}
    affinity: {}
    tolerations: {}
    nodeSelectors: {}
    gitConfig:
      upstreamUser: spinnaker
    livenessProbeConfig:
      enabled: false
    haServices:
      clouddriver:
        enabled: false
        disableClouddriverRoDeck: false
      echo:
        enabled: false
  persistentStorage:
    # Configure storage here; this example uses s3
    persistentStoreType: s3
    azs: {}
    gcs: {}
    redis: {}
    # Credentials for the s3 storage
    s3:
      bucket: xxx
      rootFolder: xxx
      region: xxx
      pathStyleAccess: false
      accessKeyId: xxx
      secretAccessKey: xxx
    oracle: {}
  features:
    auth: false
    fiat: false
    chaos: false
    entityTags: false
    pipelineTemplates: true
    artifacts: true
  metricStores:
    datadog:
      enabled: false
      tags: []
    prometheus:
      enabled: false
      add_source_metalabels: true
    stackdriver:
      enabled: false
    newrelic:
      enabled: false
      tags: []
    period: 30
    enabled: false
  notifications:
    slack:
      enabled: false
    twilio:
      enabled: false
      baseUrl: https://api.twilio.com/
    github-status:
      enabled: false
  timezone: Asia/Shanghai
  ci:
    jenkins:
      enabled: false
      masters: []
    travis:
      enabled: false
      masters: []
    wercker:
      enabled: false
      masters: []
    concourse:
      enabled: false
      masters: []
    gcb:
      enabled: false
      accounts: []
  repository:
    artifactory:
      enabled: false
      searches: []
  security:
    apiSecurity:
      ssl:
        enabled: false
      # Gate address
      overrideBaseUrl: https://spin-gate.xxx.com
    uiSecurity:
      ssl:
        enabled: false
      # Deck address
      overrideBaseUrl: https://spinnaker.xxx.com
    authn:
      oauth2:
        enabled: false
        client: {}
        resource: {}
        userInfoMapping: {}
      saml:
        enabled: false
        userAttributeMapping: {}
      ldap:
        enabled: false
      x509:
        enabled: false
      iap:
        enabled: false
      enabled: false
    authz:
      groupMembership:
        service: FILE
        google:
          roleProviderType: GOOGLE
        github:
          roleProviderType: GITHUB
        file:
          roleProviderType: FILE
        ldap:
          roleProviderType: LDAP
      enabled: true
  artifacts:
    bitbucket:
      enabled: false
      accounts: []
    gcs:
      enabled: false
      accounts: []
    oracle:
      enabled: false
      accounts: []
    github:
      enabled: false
      accounts: []
    gitlab:
      enabled: true
      accounts:
      - name: gitlab
        token: xxx
    gitrepo:
      enabled: false
      accounts: []
    http:
      enabled: false
      accounts: []
    helm:
      enabled: false
      accounts: []
    s3:
      enabled: false
      accounts: []
    maven:
      enabled: false
      accounts: []
    templates: []
  pubsub:
    enabled: false
    google:
      enabled: false
      pubsubType: GOOGLE
      subscriptions: []
      publishers: []
  canary:
    enabled: false
    serviceIntegrations:
    - name: google
      enabled: false
      accounts: []
      gcsEnabled: false
      stackdriverEnabled: false
    - name: prometheus
      enabled: false
      accounts: []
    - name: datadog
      enabled: false
      accounts: []
    - name: signalfx
      enabled: false
      accounts: []
    - name: aws
      enabled: false
      accounts: []
      s3Enabled: false
    - name: newrelic
      enabled: false
      accounts: []
    reduxLoggerEnabled: true
    defaultJudge: NetflixACAJudge-v1.0
    stagesEnabled: true
    templatesEnabled: true
    showAllConfigsEnabled: true
  plugins:
    plugins: []
    enabled: false
    downloadingEnabled: false
  spinnaker:
    extensibility:
      repositories: {}
  webhook:
    trust:
      enabled: false
  telemetry:
    enabled: false
    endpoint: https://stats.spinnaker.io
    instanceId: xxx
    connectionTimeoutMillis: 3000
    readTimeoutMillis: 5000
</code>

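Installing Spinnaker Locally

The next steps are especially important. We use the local installation method, which requires setting the BOM to local; the version installed is 1.17.6.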

<code>$ pwd
/home/spinnaker
$ mkdir -p ~/.hal/.boms/bom
$ cd ~/.hal/.boms/bom
$ more 1.17.6.yml
version: 1.17.6
timestamp: '2020-01-14 08:44:42'
services:
  echo:
    version: local:2.9.1-20191216151527
    commit: 771a15b2b7bd8d78f77caf3c3ecff950e187c1ae
  clouddriver:
    version: local:6.4.5-20200114034416
    commit: 5f272cd8d3911423dfcf7e9448c31fe4aa045e2e
  deck:
    version: local:2.13.5-20200114034416
    commit: 75cecc4cf1d52ff78fb1fb5e057b516c51be10fb
  fiat:
    version: local:1.8.3-20191202102650
    commit: c62d038c2a9531042ff33c5992384184b1370b27
  front50:
    version: local:0.20.1-20191107034416
    commit: 9415a443b0d6bf800ccca8c2764d303eb4d29366
  gate:
    version: local:1.13.0-20191029172246
    commit: a453541b47c745a283712bb240ab392ad7319e8d
  igor:
    version: local:1.7.0-20191029183208
    commit: 37fe1ed0c463bdaa87996a4d4dd81fee2325ec8e
  kayenta:
    version: local:0.12.0-20191023142816
    commit: 5dcec805b7533d0406f1e657a62122f4278d665d
  orca:
    version: local:2.11.2-20191212093351
    commit: b88f62a1b2b1bdee0f45d7f9491932f9c51371d9
  rosco:
    version: local:0.15.1-20191202163249
    commit: 269dc830cf7ea2ee6c160163e30d6cbd099269c2
  defaultArtifact: {}
  monitoring-third-party:
    version: local:0.16.0-20191007112816
    commit: 59cbbec589f982864cee45d20c99c32d39c75f7f
  monitoring-daemon:
    version: local:0.16.0-20191007112816
    commit: 59cbbec589f982864cee45d20c99c32d39c75f7f
dependencies:
  redis:
    version: 2:2.8.4-2
  consul:
    version: 0.7.5
  vault:
    version: 0.7.0
artifactSources:
  debianRepository: https://dl.bintray.com/spinnaker-releases/debians
  dockerRegistry: gcr.azk8s.cn/spinnaker-marketplace
  googleImageProject: marketplace-spinnaker-release
  gitPrefix: https://github.com/spinnaker</code>

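Two things to note about the BOM file: each version must be prefixed with local, and the image registry address must be changed to one reachable inside China!

Once this is configured, hal no longer pulls the version configuration from Google at deploy time but reads it locally. Taking echo as an example, the local path it reads is ~/.hal/.boms/echo/echo.yml, so we need to download the corresponding yml files into the corresponding local directories.

Download location: https://github.com/spinnaker

Taking echo as an example, download the files in https://github.com/spinnaker/echo/tree/master/halconfig and place them in the local directory ~/.hal/.boms/echo.

After the downloads finish, the directory structure looks like this: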

<code>├── bom/
│ ├── 1.17.6.yml
├── clouddriver/
│ ├── clouddriver.yml
│ └── ...
├── deck/
│ ├── settings.js
.......</code>
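
The two BOM rules above (a local prefix on every service version, a registry other than gcr.io) and the per-service directories can be checked before running hal deploy apply. This is an added example, not part of the original article: the function name check_bom and the sample BOM are made up for illustration, and the awk parsing assumes the BOM uses two-space YAML indentation.

```shell
#!/bin/sh
# Added example: preflight check for a local Halyard BOM.
# Usage: check_bom BOM_FILE BOMS_DIR   (BOMS_DIR is ~/.hal/.boms in the article)
# Prints one line per problem, leaves the count in $findings, returns 0 when clean.
check_bom() {
  bom=$1; boms_dir=$2; findings=0
  # Emit "service version" for every entry under the top-level services: key.
  pairs=$(awk '
    /^[^ #]/                       { in_services = ($1 == "services:"); next }
    in_services && /^  [^ ]/       { svc = $1; sub(/:$/, "", svc); next }
    in_services && /^    version:/ { print svc, $2 }' "$bom")
  while read -r svc ver; do
    [ -n "$svc" ] || continue
    case $ver in
      local:*) ;;
      *) echo "FAIL $svc: version '$ver' lacks the local: prefix"
         findings=$((findings + 1)) ;;
    esac
    # The article has hal read each service's files from BOMS_DIR/<service>/.
    if [ -z "$(ls -A "$boms_dir/$svc" 2>/dev/null)" ]; then
      echo "FAIL $svc: no profile files in $boms_dir/$svc"
      findings=$((findings + 1))
    fi
  done <<EOF
$pairs
EOF
  registry=$(awk '$1 == "dockerRegistry:" { print $2 }' "$bom")
  case $registry in
    ""|gcr.io/*) echo "FAIL dockerRegistry: '$registry' is unset or still gcr.io"
                 findings=$((findings + 1)) ;;
  esac
  [ "$findings" -eq 0 ]
}

# Constructed sample BOM: echo is correct, gate and the registry are not.
demo=$(mktemp -d)
mkdir -p "$demo/bom" "$demo/echo"
: > "$demo/echo/echo.yml"
cat > "$demo/bom/1.17.6.yml" <<'EOF'
version: 1.17.6
services:
  echo:
    version: local:2.9.1-20191216151527
  gate:
    version: 1.13.0-20191029172246
artifactSources:
  dockerRegistry: gcr.io/spinnaker-marketplace
EOF
check_bom "$demo/bom/1.17.6.yml" "$demo" || true
```

Against the real layout the call is check_bom ~/.hal/.boms/bom/1.17.6.yml ~/.hal/.boms; whether a flagged directory matters depends on which services you actually deploy.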

Deploying Spinnaker




With this groundwork done, you can happily deploy Spinnaker (no proxy needed).

<code># Make hal use the BOM version from the local file system
$ hal config version edit --version local:1.17.6
$ hal deploy apply
+ Get current deployment
Success
+ Prep deployment
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.

+ Preparation complete... deploying Spinnaker
+ Get current deployment
Success
+ Apply deployment
Success
+ Deploy spin-redis
Success
+ Deploy spin-clouddriver
Success
+ Deploy spin-front50
Success
+ Deploy spin-orca
Success
+ Deploy spin-deck
Success
+ Deploy spin-echo
Success
+ Deploy spin-gate
Success
+ Deploy spin-rosco
Success
+ Deploy spin-igor
Success
+ Run `hal deploy connect` to connect to Spinnaker.</code>

Check how the Spinnaker deployment looks in k8s:

<code># kubens spinnaker
Context "xxxx" modified.
Active namespace is "spinnaker".
# kubectl get pods
NAME READY STATUS RESTARTS AGE
spin-clouddriver-7fb74cf5c6-c7g87 1/1 Running 0 10m
spin-deck-76b4df7b48-nnj8x 1/1 Running 0 10m
spin-echo-cccf9f7db-bn6t5 1/1 Running 0 10m
spin-fiat-7dc9547ff5-jqw7l 1/1 Running 0 10m
spin-front50-5744455478-qmg2x 1/1 Running 0 10m
spin-gate-6bbb57846c-tplqg 1/1 Running 0 10m
spin-igor-74bfbc6c57-xtbb8 1/1 Running 0 10m
spin-orca-78dc9844cb-6w4ww 1/1 Running 0 10m
spin-redis-6bf56c789c-lbq6l 1/1 Running 0 10m
spin-rosco-664b65f8d6-6n58m 1/1 Running 0 10m</code>

Configuring the Ingress

Configure an ingress to access Spinnaker.

<code>$ more spinnaker-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: web
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - secretName: ingress-niucache
    hosts:
    - spinnaker.xxx.com
    - spin-gate.xxx.com
  rules:
  - host: spinnaker.xxx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: spin-deck
          servicePort: 9000
  - host: spin-gate.xxx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: spin-gate
          servicePort: 8084
# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
spinnaker spinnaker.xxx.com,spin-gate.xxx.com xx 80, 443 10m
</code>

Accessing Spinnaker

Once DNS resolution for the domain names is set up, you can access Spinnaker.



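Postscript

Getting Spinnaker installed around the GFW took a great deal of effort. I wrote this up as a record and to share it with anyone who needs it. The title says "offline installation", but it is not truly offline: it means no proxy is needed, while you still need an internet connection to download the images. If all the images are already in a local image registry, though, a truly offline installation is possible. This article only covers installing Spinnaker and does not touch on using it. Personally, I think the hardest part of Spinnaker is the installation; for usage, you can refer to the official documentation, which is already very detailed. If there is a need later, I will add a usage document.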

