k8s安装并迁移jumpserver
一、环境
二、安装依赖服务
以下操作按需操作
1.安装Helm
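# Install Helm and register the JumpServer chart repository.
# The release tarball is checked against the .sha256sum file Helm publishes
# next to it, so a tampered or truncated download is rejected before "tar".
HELM_VERSION=v3.12.1
wget "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz"
wget "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz.sha256sum"
sha256sum -c "helm-${HELM_VERSION}-linux-amd64.tar.gz.sha256sum" || exit 1
tar xf "helm-${HELM_VERSION}-linux-amd64.tar.gz"
mv linux-amd64/helm /usr/local/bin/
helm version
helm repo add jumpserver https://jumpserver.github.io/helm-charts  # add the JumpServer chart repo
helm repo list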
2.修改github解析
访问https://sites.ipaddress.com/github.com/#ipinfo获取github.com最新解析IP并配置部署机器hosts文件
140.82.113.3 github.com #如果不行访问该网站https://ping.chinaz.com/github.com挑选响应最快的IP
3.安装MySQL
namespace
# Every object in this guide (MySQL, Redis, the Helm release) is created in this namespace.
kubectl create namespace jumpserver
pvc.yaml(storageClass根据实际情况修改)
# PersistentVolumeClaim for the MySQL data directory. The annotation requests
# the Alibaba Cloud NAS CSI provisioner; change it and storageClassName to
# whatever your cluster provides.
# NOTE(review): ReadWriteMany lets several pods mount this volume at once, but
# mysqld must be the only writer of its datadir — keep the Deployment that
# uses this claim at a single replica.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    volume.beta.kubernetes.io/storage-provisioner: nasplugin.csi.alibabacloud.com
  name: mysql-data
  namespace: jumpserver
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  storageClassName: alicloud-disk-nas
config.yaml
# my.cnf for the MySQL pod; the Deployment mounts it at /etc/my.cnf via
# subPath my.cnf. Comments are kept outside the block scalar so the file the
# container reads is exactly the text under "my.cnf:".
kind: ConfigMap
apiVersion: v1
metadata:
  name: mysql-config
  namespace: jumpserver
data:
  my.cnf: |-
    [mysqld]
    skip-host-cache
    skip-name-resolve
    datadir=/var/lib/mysql
    socket=/var/run/mysqld/mysqld.sock
    secure-file-priv=/var/lib/mysql-files
    user=mysql
    symbolic-links=0
    pid-file=/var/run/mysqld/mysqld.pid
    [client]
    socket=/var/run/mysqld/mysqld.sock
    !includedir /etc/mysql/conf.d/
    !includedir /etc/mysql/mysql.conf.d/
deployment.yaml
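# MySQL 5.7 Deployment backing JumpServer. Data is kept under the "mysql"
# subdirectory of the shared NAS claim; my.cnf comes from the ConfigMap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jumpserver-mysql
  namespace: jumpserver
spec:
  # Single-writer datastore on a ReadWriteMany volume: the default
  # RollingUpdate strategy starts the replacement pod before the old one
  # exits, so a rollout would briefly run two mysqld processes on the same
  # datadir. Recreate stops the old pod first.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: mysql-5.7
  template:
    metadata:
      labels:
        app: mysql-5.7
    spec:
      containers:
        - name: mysql
          image: mysql:5.7.42
          env:
            # NOTE(review): the root password is stored in clear text in this
            # manifest (and in any repo it is committed to). Prefer a Secret
            # referenced through valueFrom.secretKeyRef, and rotate this value
            # before use outside a test cluster.
            - name: MYSQL_ROOT_PASSWORD
              value: "System@123"
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: mysql-data
              mountPath: /var/lib/mysql
              subPath: mysql  # data lives in a subdirectory of the shared volume
            - name: config
              mountPath: /etc/my.cnf
              subPath: my.cnf
      volumes:
        - name: mysql-data
          persistentVolumeClaim:
            claimName: mysql-data
        - name: config
          configMap:
            name: mysql-config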
svc.yaml
# NodePort Service for MySQL: every node in the cluster listens on 30306 and
# forwards to the mysql pod (selector app: mysql-5.7).
# NOTE(review): together with the clear-text root password in the Deployment,
# this exposes the database to anything that can reach a node IP. Restrict
# 30306 with the cloud security group or a NetworkPolicy, and remove
# "type: NodePort" (ClusterIP is the default) once no client outside the
# cluster — presumably the DTS migration in section 六, confirm — needs it;
# the chart's pods can reach it through the Service name from inside the cluster.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: jumpserver-mysql-svc
  name: jumpserver-mysql-svc
  namespace: jumpserver
spec:
  ports:
    - name: tcp-mysql-3306
      nodePort: 30306
      port: 3306
      protocol: TCP
      targetPort: 3306
  selector:
    app: mysql-5.7
  type: NodePort
部署后创建数据库
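# Create the JumpServer database once the MySQL pod is Running.
# The mysql client is run inside the pod through the Deployment name, so the
# step no longer depends on a hard-coded pod IP or on the deploy machine being
# routed into the pod network. "-p" with no value makes mysql prompt for the
# password, keeping it out of shell history and "ps" output.
kubectl get pods -n jumpserver -o wide
kubectl exec -it -n jumpserver deploy/jumpserver-mysql -- mysql -uroot -p
# Enter the statement below at the mysql> prompt:
CREATE DATABASE IF NOT EXISTS jumpserver DEFAULT CHARSET utf8mb4 COLLATE utf8mb4_general_ci;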
4.安装Redis
pvc.yaml
# PersistentVolumeClaim for Redis persistence (/data: dump.rdb, appendonly.aof,
# log file). Same NAS provisioner and storage class as the MySQL claim; adjust
# both for your cluster.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    volume.beta.kubernetes.io/storage-provisioner: nasplugin.csi.alibabacloud.com
  name: redis-data
  namespace: jumpserver
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 20Gi
  storageClassName: alicloud-disk-nas
config.yaml
# redis.conf for the Redis pod; the Deployment mounts it at
# /etc/redis/redis.conf (subPath) and passes that path to redis-server.
# "bind 0.0.0.0" is required so the Service can reach the pod; the Redis
# Service in this guide sets no NodePort (ClusterIP by default), so only
# in-cluster clients can connect. RDB snapshots plus AOF are written to /data.
# NOTE(review): requirepass is stored in clear text and is the same value as
# the MySQL root password in this guide — move it to a Secret and change it
# before use outside a test cluster.
# Comments stay outside the block scalar so the file redis-server reads is
# exactly the text under "redis.conf:".
apiVersion: v1
data:
  redis.conf: |-
    bind 0.0.0.0
    port 6379
    requirepass System@123
    pidfile /var/run/redis_6379.pid
    save 900 1
    save 300 10
    save 60 10000
    rdbcompression yes
    rdbchecksum yes
    dbfilename dump.rdb
    appendonly yes
    appendfilename "appendonly.aof"
    appendfsync everysec
    dir /data
    logfile "/data/redis-6379.log"
kind: ConfigMap
metadata:
  name: redis-config
  namespace: jumpserver
deployment.yaml
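# Redis 6 Deployment backing JumpServer. Persistence files go to /data on the
# shared NAS claim; the config comes from the redis-config ConfigMap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jumpserver-redis
  namespace: jumpserver
spec:
  replicas: 1
  # /data (dump.rdb, appendonly.aof) is on a ReadWriteMany volume. With the
  # default RollingUpdate strategy the replacement pod starts before the old
  # one exits, so two redis-server processes would briefly write the same
  # files; Recreate serialises them.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: jumpserver-redis
  template:
    metadata:
      labels:
        app: jumpserver-redis
    spec:
      containers:
        - image: redis:6.0.9
          # Start with the mounted config instead of the image default so
          # requirepass and the persistence settings from the ConfigMap apply.
          command: ["redis-server","/etc/redis/redis.conf"]
          name: redis
          ports:
            - containerPort: 6379
          volumeMounts:
            - name: redis-config
              mountPath: /etc/redis/redis.conf
              subPath: redis.conf
            - name: redis-data
              mountPath: /data
      volumes:
        - name: redis-config
          configMap:
            name: redis-config
        - name: redis-data
          persistentVolumeClaim:
            claimName: redis-data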
svc.yaml
# Service for Redis. No "type" is set, so it is a ClusterIP service reachable
# only from inside the cluster — the appropriate exposure for a datastore that
# only the JumpServer pods need; reference it by this name in values.yaml.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: jumpserver-redis-svc
  name: jumpserver-redis-svc
  namespace: jumpserver
spec:
  ports:
    - name: tcp-redis-6379
      port: 6379
      protocol: TCP
      targetPort: 6379
  selector:
    app: jumpserver-redis
三、修改配置
1.下载配置
# Fetch the chart's default values.yaml; the items below edit this copy.
# NOTE(review): "main" is a moving target — fetch the file from the tag that
# matches the chart version you install so the values match the templates.
wget https://raw.githubusercontent.com/jumpserver/helm-charts/main/values.yaml
2.修改镜像仓库地址
3.配置SC
4.配置MySQL和Redis
5.配置ingress hosts
6.配置秘钥
其余配置按需修改
四、部署jumpserver
# Install the chart as release "jms-k8s" in the jumpserver namespace, using the
# values.yaml edited above (registry, storage class, MySQL/Redis, ingress hosts, keys).
helm install jms-k8s jumpserver/jumpserver -n jumpserver -f values.yaml
[root@iZbp10kr3w2ijv03yu6htrZ jumpserver]# helm -n jumpserver ls -a
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
jms-k8s jumpserver 1 2023-07-13 11:50:39.910210139 +0800 CST deployed jumpserver-3.4.3 v3.4.3
[root@iZbp10kr3w2ijv03yu6htrZ jumpserver]# kubectl get pods -n jumpserver
NAME READY STATUS RESTARTS AGE
jms-k8s-jumpserver-jms-celery-59d99c46b6-mg9z4 1/1 Running 0 67s
jms-k8s-jumpserver-jms-core-5c6c75c5df-c7fl7 1/1 Running 0 67s
jms-k8s-jumpserver-jms-koko-77db949f7d-cb9hk 1/1 Running 0 67s
jms-k8s-jumpserver-jms-lion-58b9f94fb8-7hmp7 1/1 Running 0 67s
jms-k8s-jumpserver-jms-magnus-6df6755469-6hml5 1/1 Running 0 67s
jms-k8s-jumpserver-jms-web-7b6c46b6c4-hsjg9 1/1 Running 0 67s
jumpserver-mysql-77656bd48-svkb9 1/1 Running 0 24h
jumpserver-redis-75898bdd9-rs8kg 1/1 Running 0 24h
五、登录验证
访问ingress域名(绑定hosts或者配置DNS解析) 登录用户密码:admin/admin
如果只是搭建那么此时就完成了
六、导入原数据库数据到新数据库
由于我的服务都在阿里云所以这里使用阿里云的DTS服务的数据迁移功能(免费),本地可以使用mysqldump或其他工具
七、重启服务
# Restart every JumpServer pod so it picks up the migrated database. Deleting
# the pods recreates them all at once (brief outage); "kubectl rollout restart"
# on the chart's Deployments is the rolling alternative — presumably they carry
# the same label, verify before relying on it.
kubectl delete pods -n jumpserver -l app.kubernetes.io/name=jumpserver
八、解决报错
1.报错内容
{"error":"service account registration disabled"}
2.解决方法
登录jumpserver(用户、密码、MFA与原jumpserver一致),系统设置--安全设置--终端注册
3.重启报错应用
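# Recover JumpServer deployments with no ready replica: scale each deployment
# whose READY column is exactly "0/1" down to 0, then scale every "0/0"
# deployment back up to 1. The READY field ($2 of "kubectl get deployments")
# is compared exactly rather than regex-matched anywhere in the line, so a
# value such as "10/11" or an AGE cannot be mistaken for it, and --no-headers
# keeps the header row out of the match.
# NOTE: the second loop also starts any deployment that was deliberately kept
# at 0 replicas before this ran.
ns=jumpserver
kubectl get deployments.apps -n "$ns" --no-headers \
  | awk '$2 == "0/1" {print $1}' \
  | while IFS= read -r dep; do
      kubectl scale deployment "$dep" --replicas=0 -n "$ns"
    done
kubectl get deployments.apps -n "$ns" --no-headers \
  | awk '$2 == "0/0" {print $1}' \
  | while IFS= read -r dep; do
      kubectl scale deployment "$dep" --replicas=1 -n "$ns"
    done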
[root@iZbp10kr3w2ijv03yu6htrZ ~]# kubectl get pods -n jumpserver -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
jms-k8s-jumpserver-jms-celery-59d99c46b6-88r88 1/1 Running 0 14m 172.17.1.146 cn-hangzhou.10.1.6.116 <none> <none>
jms-k8s-jumpserver-jms-core-5c6c75c5df-k7tmb 1/1 Running 0 14m 172.17.1.157 cn-hangzhou.10.1.6.116 <none> <none>
jms-k8s-jumpserver-jms-koko-77db949f7d-dqs9v 1/1 Running 0 76s 172.17.1.160 cn-hangzhou.10.1.6.116 <none> <none>
jms-k8s-jumpserver-jms-lion-58b9f94fb8-br54f 1/1 Running 0 76s 172.17.0.58 cn-hangzhou.10.1.8.212 <none> <none>
jms-k8s-jumpserver-jms-magnus-6df6755469-vtc9x 1/1 Running 0 7s 172.17.0.60 cn-hangzhou.10.1.8.212 <none> <none>
jms-k8s-jumpserver-jms-web-7b6c46b6c4-j9xnr 1/1 Running 0 14m 172.17.1.148 cn-hangzhou.10.1.6.116 <none> <none>
4.控制台确认并删除无效终端应用
至此所有操作完毕
参考文档:
"一劳永逸" 的话,有是有的,而 "一劳永逸" 的事却极少