k8s部署实例

k8s部署实例

1. 持久化nginx或php等静态资源的pod

1.1 需求

不想每次都把代码打包到nginx镜像，想要持久化代码，但是持久化代码需要挂载网络磁盘nfs或oss等，每次开发完成，都需要将代码放到网络磁盘中，不想每次都手动更新网络磁盘中的代码。

1.2 方案

(一个pod内同时有nginx+php容器也可以这么做，多个容器同理)
设置一个初始化容器（初始化容器用过之后就会消失），初始化容器挂载nfs到指定目录，然后利用git拉取代码到指定目录，这样nfs中就有代码了
因为pod启动时会先启动初始化容器（详情见：https://blog.csdn.net/martinlinux/article/details/125299226 >> 2.1 pod过程），所以在将nginx容器挂载上nfs，这样nginx的html目录中就有代码了

1.3 解决步骤

1. 创建git拉取时使用的账号密码 secret资源

我这里的账号密码是root 12345678，因为使用Opaque类型的secret，所以需要先把账号密码加密
echo ‘root’ | base64
echo ‘12345678’ | base64

vim git-base.yaml

apiVersion: v1
kind: Secret
metadata:
        name: git-secret
        namespace: dev
type: Opaque
data:
        username: cm9vdA==
        password: MTIzNDU2Nzg=
1
2
3
4
5
6
7
8
9

2. 部署pod

apiVersion: apps/v1
kind: Deployment
metadata:
   name: nginx-web
   labels:
      app: nginx-web
      env: dev
   namespace: dev
spec:
   replicas: 1
   selector:
      matchLabels:
         app: nginx-web
   template:
      metadata:
         labels:
            app: nginx-web
      spec:
         initContainers:
         - name: git-base
           image: git-base:2.24.4
           env:		#因为初始化容器是一次性的，所以这里直接把账号密码映射到环境变量
           - name: GIT_USER
             valueFrom:
                secretKeyRef:
                   name: git-secret
                   key: username
           - name: GIT_PASSWORD
             valueFrom:
                secretKeyRef:
                   name: git-secret
                   key: password
           workingDir: /usr/local/src
           command: ['/bin/sh','-c']
           args: ['git clone http://$GIT_USER:$GIT_PASSWORD@192.168.8.10/prd_web/web01.git']
           volumeMounts:
           - mountPath: /usr/local/src
             name: htmldata
         containers:
         - name: nginx-web
           image: nginx-base:1.16.1
           volumeMounts:
           - mountPath: /usr/local/nginx/html
             name: htmldata
         volumes:
         - name: htmldata
           nfs:
              server: 192.168.8.30
              path: /data/redis
              readOnly: false
---
apiVersion: v1
kind: Service
metadata:
   name: nginx-web-svc
   namespace: dev
spec:
   type: NodePort
   selector:
      app: nginx-web
   ports:
   - name: nginx-http
     protocol: TCP
     port: 80
     targetPort: 80
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

2. 持久化nginx+php等静态资源的pod（OSS方式）

2.1 需求

不想每次都把代码打包到nginx镜像和php镜像，(配置文件也需要实时更新)想要持久化代码，但是持久化代码需要挂载网络磁盘nfs或oss等，每次开发完成，都需要将代码放到网络磁盘中，不想每次都手动更新网络磁盘中的代码。

2.2 方案

(一个pod内同时有nginx+php容器也可以这么做，多个容器同理)
设置一个初始化容器（初始化容器用过之后就会消失），初始化容器挂载nfs到指定目录，然后利用git拉取代码到指定目录，这样nfs中就有代码了
因为pod启动时会先启动初始化容器（详情见：https://blog.csdn.net/martinlinux/article/details/125299226 >> 2.1 pod过程），所以在将nginx容器挂载上nfs，这样nginx的html目录中就有代码了

2.3 解决步骤

2.3.1 configmap资源

1. 创建拉取git凭证(这里是使用ssh方式拉取的)

注意： 和下方secret资源中的git凭证是一样的git-secret，无状态部署的时候使用任何一个都可以

apiVersion: v1
kind: ConfigMap
metadata:
  name: tdd-code-configmap
  namespace: testphp
data:
  id_rsa: |-
    -----BEGIN RSA PRIVATE KEY-----
     私钥
    -----END RSA PRIVATE KEY-----
  id_rsa.pub: >-
    公钥
  #创建这个是因为拉取的时候需要输入yes
  known_hosts: >-
    数据
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

2.nginx+php服务配置文件

apiVersion: v1
kind: ConfigMap
metadata:
  name: tdd-web-configmap
  namespace: testphp
data:
  nginx.conf: |-
    user  root;
    worker_processes  1;

    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;

    #pid        logs/nginx.pid;


    events {
        worker_connections  1024;
    }


    http {
        include       mime.types;
        default_type  application/octet-stream;

        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';

        #access_log  logs/access.log  main;
        sendfile        on;
        #tcp_nopush     on;

        keepalive_timeout  65;

        #gzip  on;

        server {
            listen       80;
            server_name  0.0.0.0;

            #charset koi8-r;

            #access_log  logs/host.access.log  main;

            location / {
                root   html/cka_test;
                index  index.html index.htm;
            }

            #error_page  404              /404.html;

            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }

            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ \.php$ {
            #    proxy_pass   http://127.0.0.1;
            #}

            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            location ~ \.php$ {
                root           html/cka_test;
                ###因为部署在一个pod之中所以写127.0.0.1或者svc的名称都可以
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
                include        fastcgi_params;
            }

            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny  all;
            #}
        }

    }
  php-fpm.conf: |-
    [global]
    pid = /usr/local/var/run/php-fpm.pid
    error_log = /usr/local/var/log/php/php-fpm.log
    daemonize = no
    include=etc/php-fpm.d/*.conf
  www.conf: |-
    [www]
    user = root
    group = root
    listen = 127.0.0.1:9000
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    pm.max_requests = 1000
    slowlog = /usr/local/var/log/$pool.log.slow
    request_slowlog_timeout = 15
    request_slowlog_trace_depth = 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

2.4 secret资源

1.创建拉取git的凭证

apiVersion: v1
kind: Secret
metadata:
  name: git-secret
  namespace: testphp
type: Opaque
data:
  #这些是base64转码过的
  id_rsa: >-
    blUvVnpKYU9GU2xlU29yaXdmdGN4WStZcjlVUENyZ21tNFZCQ1FSM3gwSHRIN3lhT00KM1RkNjB5ZEV4cmVNNzJzZVc5elFDQ1h5UDl1aHUyVnBKNS9nWlFJREFRQUJBb0lCQVFDMml1dnVuNlNUMWovagptWjlYditmUnZHZ1k3MU5OS2FoTVNMZmNVNnRIcWVVUE5Wby9Fc3pxRXl4c0tHcWZMeEE1cU9rL21FbHM1Qmw0Cjh0cmphMC9KR3FSTHFwRzh3cXJwUzJjcGk0SzdVeVAyTW1lcUFXZ09kMnZzbDhmcEpvVmdoVmwwT0VQSlpRbXUKNWpCMjhrTlNsbzJ3djZyWmMzV1FKWTl4VmJhQWVER2cyak1NWVkzUFJqQUFYd3FpU2Ftd3FCL210TEsyaGdUUApRUXVQcjNYZzhwRjZDbjRBVGhyWWtjeGNxckIzWWYwYkcvaGJGTFI3RTlxSFdETUZ1SGlrS3BUS000OEgweWIxCjA1WFN5cW5rVVVMYnZ1NFhkT3Y1VENDMVdLeDhUbmdt
  id_rsa_pub: >-
    VLaXVMQisxekZqNWl2MVE4S3VDYWJoVUVKQkhmSFFlMGZ2Sm80emROM3JUSjBUR3Q0enZheDViM05BSUpmSS8yNkc3Wldrbm4rQmwgcm9vdEBtYXN0ZXIwMQ==
  known_hosts: >-
    E2NS41yRUFBQUFEQVFBQkFBQUJBUUQ2V2JWYWxjelNES0M0a3RqUnpETkMxcUlOREFWaXcvb0dBOHVkN3FINUY5WEZaNFFBV2habUZCc3ArY3BwQklPTTYzZXhqYzRPOXZiek1yZDdBVUl0WGlneW1HZlRxckd0NVZ5a0lpYU5oan
1
2
3
4
5
6
7
8
9
10
11
12
13
14

2.创建读写oss凭证

apiVersion: v1
data:
  #阿里云账号的AKID 需要读写权限
  akId: AccessKey ID   
  akSecret: AccessKey Secret
kind: Secret
metadata:
  name: tdd-oss-secret
  namespace: testphp
type: Opaque
1
2
3
4
5
6
7
8
9
10

3.创建拉取容器镜像仓库凭证

1. 找一台机器登录docker longin登录仓库 docker login url
2. base64 -w 0 ~/.docker/config.json 生成的数据写入下方的data中

apiVersion: v1
data:
  .dockerconfigjson: 上方生成的数据
kind: Secret
metadata:
  name: docker-secret
  namespace: testphp
type: kubernetes.io/dockerconfigjson
1
2
3
4
5
6
7
8

2.5 存储

2.5.1 代码存储卷OSS-PV

apiVersion: v1
kind: PersistentVolume
metadata:
  name: tdd-web-pv
  labels:
    alicloud-pvname: tdd-web-pv
spec:
  accessModes:
    - ReadWriteMany
  capacity:
    storage: 20Gi
  ##选择csi
  csi:
    driver: ossplugin.csi.alibabacloud.com
    nodePublishSecretRef:
	  #选择testphp命名空间下的保密字典test-toodudu
      name: test-toodudu
      namespace: testphp
    volumeAttributes:
      bucket: test-k8s-toodudu
      otherOpts: ''
      url: oss-url.aliyuncs.com
    volumeHandle: tdd-web-pv
  persistentVolumeReclaimPolicy: Retain
  storageClassName: oss
  volumeMode: Filesystem
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

2.5.2 代码存储声明OSS-PVC

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tdd-web-pvc
  namespace: testphp
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
    limits:
      storage: 5Gi
  volumeName: tdd-web-pv
  volumeMode: Filesystem
  storageClassName: oss
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

2.5.3 日志存储卷OSS-LOG-PV

apiVersion: v1
kind: PersistentVolume
metadata:
  name: tdd-web-log-pv
  labels:
    alicloud-pvname: tdd-web-log-pv
spec:
  accessModes:
    - ReadWriteMany
  capacity:
    storage: 60Gi
  ##选择csi
  csi:
    driver: ossplugin.csi.alibabacloud.com
    nodePublishSecretRef:
	  #选择testphp命名空间下的保密字典test-toodudu
      name: test-toodudu
      namespace: testphp
    volumeAttributes:
      bucket: test-k8s-toodudu-log
      otherOpts: ''
      url: oss-url.aliyuncs.com
    volumeHandle: tdd-web-log-pv
  persistentVolumeReclaimPolicy: Retain
  storageClassName: oss
  volumeMode: Filesystem
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

2.5.4 日志存储卷OSS-LOG-PVC

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tdd-web-log-pvc
  namespace: testphp
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 20Gi
    limits:
      storage: 50Gi
  volumeName: tdd-web-log-pv
  volumeMode: Filesystem
  storageClassName: oss
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

2.6 无状态资源

apiVersion: apps/v1
kind: Deployment
metadata:
   name: tdd-web
   labels:
      app: tdd-web
      env: testphp
   namespace: testphp
spec:
   replicas: 1
   selector:
      matchLabels:
         app: tdd-web
   template:
      metadata:
         labels:
            app: tdd-web
      spec:
         imagePullSecrets:
            - name: docker-secret
         #初始化容器
         initContainers:
         - name: git-base
           image: registry.cn-beijing.aliyuncs.com/ygbid-docker/base:git-2.24.4
           imagePullPolicy: Always
           env:
           - name: GIT_URL
             value: 'git@codeup.aliyun.com:5eb94095053c10a2a600128a/ibi_yunwei/cka_test.git'
           - name: GIT_BRANCH
             value: 'master'
           - name: id_rsa
             valueFrom:
             #这里我使用的是secret资源中git凭证，使用configmap资源中的git凭证也可以，使用configmap的时候参数是需要改变的
                secretKeyRef:
                   name: git-secret
                   key: id_rsa
           - name: id_rsa_pub
             valueFrom:
                secretKeyRef:
                   name: git-secret
                   key: id_rsa_pub
           - name: known_hosts
             valueFrom:
                secretKeyRef:
                   name: git-secret
                   key: known_hosts
           workingDir: /usr/local/src
           #将git拉取凭证写入ssh密钥文件中，然后拉取代码
           command: ['/bin/sh','-c']
           args: ['echo -e "$id_rsa" > /root/.ssh/id_rsa && echo $id_rsa_pub > /root/.ssh/id_rsa.pub && echo $known_hosts > /root/.ssh/known_hosts && chmod 0600 /root/.ssh/*  && rm -rf ./cka_test && git clone -b $GIT_BRANCH $GIT_URL']
           volumeMounts:
             - mountPath: /usr/local/src
               name: tdd-web-data
         containers:
         - name: nginx-web
           image: registry.cn-beijing.aliyuncs.com/ygbid-docker/base:nginx-1.16.1
           imagePullPolicy: Always
           volumeMounts:
             #挂载代码卷
             - mountPath: /usr/local/nginx/html
               name: tdd-web-data
             #挂载配置卷
             - name: tdd-web-configmap
               mountPath: /usr/local/nginx/conf/nginx.conf
               subPath: nginx.conf
             #挂载日志卷
             - name: tdd-log
               mountPath: /usr/local/nginx/logs
         - name: php-web
           image: registry.cn-beijing.aliyuncs.com/ygbid-docker/base:php-7.3.8
           imagePullPolicy: Always
           #因为我配置文件中是root启动，所以这里需要改一下php的启动命令，-R表示允许root启动
           command: ['php-fpm','-R']
           volumeMounts:
             #挂载代码卷
             - mountPath: /var/www/html
               name: tdd-web-data
             #挂载配置卷
             - name: tdd-web-configmap
               mountPath: /usr/local/etc/php-fpm.conf
               subPath: php-fpm.conf
             - name: tdd-web-configmap
               mountPath: /usr/local/etc/php-fpm.d/www.conf
               subPath: www.conf
             #挂载日志卷
             - name: tdd-log
               mountPath: /usr/local/var/log
         volumes:
         - name: tdd-web-configmap
           configMap:
              name: tdd-web-configmap
              items:
              - key: nginx.conf
                path: nginx.conf
              - key: php-fpm.conf
                path: php-fpm.conf
              - key: www.conf
                path: www.conf
         - name: tdd-web-data
           persistentVolumeClaim:
              claimName: tdd-web-pvc
         - name: tdd-log
           persistentVolumeClaim:
              claimName: tdd-web-log-pvc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

2.7 svc资源

apiVersion: v1
kind: Service
metadata:
   name: tdd-web-svc
   namespace: testphp
spec:
   type: ClusterIP
   selector:
      app: tdd-web
   ports:
   - name: tdd-web-80
     protocol: TCP
     port: 80
     targetPort: 80
   - name: tdd-web-9000
     protocol: TCP
     port: 9000
     targetPort: 9000
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

3.部署rabbitmq集群

namespace

kubectl create ns rabbitmq
1

3.1 ConfigMap

配置文件解释
#default_pass/default_pass：声明用户名和密码（虽然有部分文章记录可以通过环境变量的方式声明，但是经测试，针对此版本如果指定了configmap即rabbitmq的配置文件，声明的环境变量是没有用的，都需要在配置文件中指定）
#default_user = admin
#default_pass = admin123
#guest默认为只能本地登录,设置为false，表示可以远程登录
loopback_users.guest = false
cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
cluster_formation.k8s.host = kubernetes.rabbitmq.svc.cluster.local
#RabbitMQ节点名应该根据pod的主机名或IP地址进行设置，但是podIP地址不稳定，所以设置为hostname
cluster_formation.k8s.address_type = hostname
cluster_formation.k8s.service_name = rabbitmq-headless
#rabbitmq is rabbitmq-cluster’s namespace
cluster_formation.k8s.hostname_suffix = .rabbitmq-headless.rabbitmq.svc.cluster.local
#节点清理检测多长时间运行一次
cluster_formation.node_cleanup.interval = 30
#如果需要自动删除未知/不存在的节点，请设置为false。这可能很危险
cluster_formation.node_cleanup.only_log_warning = true
cluster_partition_handling = autoheal
#队列主节点的策略，有三大策略 min-masters，client-local，random
queue_master_locator = min-masters
#cluster_formation.randomized_startup_delay_range.min = 0
#cluster_formation.randomized_startup_delay_range.max = 2
#触发流量控制的内存阈值，可以为相对值(0.5),或者绝对值
vm_memory_high_watermark.absolute = 1GB
#Rabbitmq存储数据的可用空间限制，当低于该值的时候，将触发流量限制，设置可参考vm_memory_high_watermark参数
disk_free_limit.absolute = 2GB

#Source: rabbitmq-ha/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: rabbitmq-rabbitmq-ha
  namespace: rabbitmq
  labels:
    app: rabbitmq-ha
    chart: rabbitmq-ha-1.36.4
    release: rabbitmq
data:
  enabled_plugins: |
    [
      rabbitmq_shovel,
      rabbitmq_shovel_management,
      rabbitmq_federation,
      rabbitmq_federation_management,


      rabbitmq_consistent_hash_exchange,
      rabbitmq_management,
      rabbitmq_peer_discovery_k8s
    ].

  rabbitmq.conf: |
    ## RabbitMQ configuration
    ## Ref: https://github.com/rabbitmq/rabbitmq-server/blob/master/docs/rabbitmq.conf.example

    ## Authentification

    ## Clustering
    cluster_formation.peer_discovery_backend  = rabbit_peer_discovery_k8s
    cluster_formation.k8s.host = kubernetes.default.svc.cluster.local
    cluster_formation.k8s.address_type = hostname
    cluster_formation.node_cleanup.interval = 10
    # Set to false if automatic cleanup of absent nodes is desired.
    # This can be dangerous, see http://www.rabbitmq.com/cluster-formation.html#node-health-checks-and-cleanup.
    cluster_formation.node_cleanup.only_log_warning = true
    cluster_partition_handling = autoheal
    ## The default "guest" user is only permitted to access the server
    ## via a loopback interface (e.g. localhost)
    loopback_users.guest = false

    management.load_definitions = /etc/definitions/definitions.json

    ## Memory-based Flow Control threshold
    vm_memory_high_watermark.absolute = 256MB

    ## Auth HTTP Backend Plugin

    ## LDAP Plugin

    ## MQTT Plugin

    ## Web MQTT Plugin

    ## STOMP Plugin

    ## Web STOMP Plugin

    ## Prometheus Plugin

    ## AMQPS support
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

3.2 Secret

apiVersion: v1
kind: Secret
metadata:
  name: rabbitmq-rabbitmq-ha
  namespace: rabbitmq
  labels:
    app: rabbitmq-ha
    chart: rabbitmq-ha-1.36.4
    release: "rabbitmq"
type: Opaque
data:
  rabbitmq-username: "Z3Vlc3Q="
  rabbitmq-password: "N09KV3JsSHpvdk5mZ3ZHQVNScTAyRnRX"
  rabbitmq-management-username: "bWFuYWdlbWVudA=="
  rabbitmq-management-password: "RUtEY1lCamdKR1d0VFBwR1pDa3lVZ2U3"
  rabbitmq-erlang-cookie: "ZHlIdjJWbWVJdFB2S2JoRjhZeUEyRGFkODZzNnNFbkg="
  definitions.json: "ewogICJnbG9iYWxfcGFyYW1ldGVycyI6IFsKICAgIAogIF0sCiAgInVzZXJzIjogWwogICAgewogICAgICAibmFtZSI6ICJtYW5hZ2VtZW50IiwKICAgICAgInBhc3N3b3JkIjogIkVLRGNZQmpnSkdXdFRQcEdaQ2t5VWdlNyIsCiAgICAgICJ0YWdzIjogIm1hbmFnZW1lbnQiCiAgICB9LAogICAgewogICAgICAibmFtZSI6ICJndWVzdCIsCiAgICAgICJwYXNzd29yZCI6ICI3T0pXcmxIem92TmZndkdBU1JxMDJGdFciLAogICAgICAidGFncyI6ICJhZG1pbmlzdHJhdG9yIgogICAgfQogIF0sCiAgInZob3N0cyI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAiLyIKICAgIH0KICBdLAogICJwZXJtaXNzaW9ucyI6IFsKICAgIHsKICAgICAgInVzZXIiOiAiZ3Vlc3QiLAogICAgICAidmhvc3QiOiAiLyIsCiAgICAgICJjb25maWd1cmUiOiAiLioiLAogICAgICAicmVhZCI6ICIuKiIsCiAgICAgICJ3cml0ZSI6ICIuKiIKICAgIH0KICBdLAogICJwYXJhbWV0ZXJzIjogWwogICAgCiAgXSwKICAicG9saWNpZXMiOiBbCiAgICAKICBdLAogICJxdWV1ZXMiOiBbCiAgICAKICBdLAogICJleGNoYW5nZXMiOiBbCiAgICAKICBdLAogICJiaW5kaW5ncyI6IFsKICAgIAogIF0KfQ=="
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

- definitions.json

{
  "global_parameters": [
    
  ],
  "users": [
    {
      "name": "management",
      "password": "EKDcYBjgJGWtTPpGZCkyUge7",
      "tags": "management"
    },
    {
      "name": "guest",
      "password": "7OJWrlHzovNfgvGASRq02FtW",
      "tags": "administrator"
    }
  ],
  "vhosts": [
    {
      "name": "/"
    }
  ],
  "permissions": [
    {
      "user": "guest",
      "vhost": "/",
      "configure": ".*",
      "read": ".*",
      "write": ".*"
    }
  ],
  "parameters": [
    
  ],
  "policies": [
    
  ],
  "queues": [
    
  ],
  "exchanges": [
    
  ],
  "bindings": [
    
  ]
}

- rabbitmq-username
guest

- rabbitmq-password
7OJWrlHzovNfgvGASRq02FtW



- rabbitmq-management-password
EKDcYBjgJGWtTPpGZCkyUge7

- rabbitmq-management-username
management


- rabbitmq-erlang-cookie
dyHv2VmeItPvKbhF8YyA2Dad86s6sEnH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

3.3 ServiceAccount

# Source: rabbitmq-ha/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: rabbitmq-ha
    chart: rabbitmq-ha-1.36.4
    release: "rabbitmq"
  name: rabbitmq-rabbitmq-ha
  namespace: rabbitmq
automountServiceAccountToken: true
1
2
3
4
5
6
7
8
9
10
11

3.4 Role

# Source: rabbitmq-ha/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: rabbitmq-ha
    chart: rabbitmq-ha-1.36.4
    release: "rabbitmq"
  name: rabbitmq-rabbitmq-ha
  namespace: rabbitmq
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get"]
1
2
3
4
5
6
7
8
9
10
11
12
13
14

3.5 RoleBinging

# Source: rabbitmq-ha/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: rabbitmq-ha
    chart: rabbitmq-ha-1.36.4
    release: "rabbitmq"
    heritage: "Helm"
  name: rabbitmq-rabbitmq-ha
  namespace: rabbitmq
subjects:
  - kind: ServiceAccount
    name: rabbitmq-rabbitmq-ha
    namespace: rabbitmq
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rabbitmq-rabbitmq-ha
Service
# Source: rabbitmq-ha/templates/service-discovery.yaml
apiVersion: v1
kind: Service
metadata:
  name: rabbitmq-rabbitmq-ha-discovery
  namespace: rabbitmq
  labels:
    app: rabbitmq-ha
    chart: rabbitmq-ha-1.36.4
    release: rabbitmq
spec:
  clusterIP: None
  ports:
    - name: http
      protocol: TCP
      port: 15672
      targetPort: http
    - name: amqp
      protocol: TCP
      port: 5672
      targetPort: amqp
    - name: epmd
      protocol: TCP
      port: 4369
      targetPort: epmd
  publishNotReadyAddresses: true
  selector:
    app: rabbitmq-ha
    release: rabbitmq
  type: ClusterIP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

3.6 Service

# Source: rabbitmq-ha/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: rabbitmq-rabbitmq-ha
  namespace: rabbitmq
  labels:
    app: rabbitmq-ha
    chart: rabbitmq-ha-1.36.4
    release: rabbitmq
    heritage: Helm
spec:
  ports:
    - name: http
      protocol: TCP
      port: 15672
      targetPort: http
    - name: amqp
      protocol: TCP
      port: 5672
      targetPort: amqp
    - name: epmd
      protocol: TCP
      port: 4369
      targetPort: epmd
  selector:
    app: rabbitmq-ha
    release: rabbitmq
  type: ClusterIP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

3.7 StatefulSet

# Source: rabbitmq-ha/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: rabbitmq-rabbitmq-ha
  namespace: rabbitmq
  labels:
    app: rabbitmq-ha
    chart: rabbitmq-ha-1.36.4
    release: rabbitmq
    heritage: Helm
spec:
  #pod管理策略，有状态的服务按顺序启动容器，例如master节点先启动
  podManagementPolicy: OrderedReady
  serviceName: rabbitmq-rabbitmq-ha-discovery
  replicas: 3
  updateStrategy:
    type: OnDelete
  selector:
    matchLabels:
      app: rabbitmq-ha
      release: rabbitmq
  template:
    metadata:
      labels:
        app: rabbitmq-ha
        release: rabbitmq
      annotations:
        checksum/config: 53a4503332f4f41b81943686ae339e73331cfee32b9216bbb2071ff1243650d5
        checksum/secret: 742f34b4c06e7a69d056af6708b39515d44d84e36f85a2b6ccb6a9d85a36d371
    spec:
      terminationGracePeriodSeconds: 10
      securityContext:
          fsGroup: 101
          runAsGroup: 101
          runAsNonRoot: true
          runAsUser: 100
      serviceAccountName: rabbitmq-rabbitmq-ha
      initContainers:
        - name: bootstrap
          image: busybox:1.30.1
          imagePullPolicy: IfNotPresent
          command: ['sh']
          args:
          - "-c"
          - |
            set -ex
            cp /configmap/* /etc/rabbitmq
            echo "${RABBITMQ_ERLANG_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie
          env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: RABBITMQ_MNESIA_DIR
            value: /var/lib/rabbitmq/mnesia/rabbit@$(POD_NAME).rabbitmq-rabbitmq-ha-discovery.rabbitmq（部署的命名空间的名字）.svc.cluster.local
          - name: RABBITMQ_ERLANG_COOKIE
            valueFrom:
              secretKeyRef:
                name: rabbitmq-rabbitmq-ha
                key: rabbitmq-erlang-cookie
          resources:
            {}
          volumeMounts:
            - name: configmap
              mountPath: /configmap
            - name: config
              mountPath: /etc/rabbitmq
            - name: data
              mountPath: /var/lib/rabbitmq
      containers:
        - name: rabbitmq-ha
          image: rabbitmq:3.8.0-alpine
          imagePullPolicy: IfNotPresent
          ports:
            - name: epmd
              protocol: TCP
              containerPort: 4369
            - name: amqp
              protocol: TCP
              containerPort: 5672
            - name: http
              protocol: TCP
              containerPort: 15672
          livenessProbe:
            exec:
              command:
              - /bin/sh
              - -c
              - 'wget -O - -q --header "Authorization: Basic `echo -n \"$RABBIT_MANAGEMENT_USER:$RABBIT_MANAGEMENT_PASSWORD\"
                | base64`" http://localhost:15672/api/healthchecks/node | grep -qF "{\"status\":\"ok\"}"'
            failureThreshold: 6
            initialDelaySeconds: 120
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
              - /bin/sh
              - -c
              - 'wget -O - -q --header "Authorization: Basic `echo -n \"$RABBIT_MANAGEMENT_USER:$RABBIT_MANAGEMENT_PASSWORD\"
                | base64`" http://localhost:15672/api/healthchecks/node | grep -qF "{\"status\":\"ok\"}"'
            failureThreshold: 6
            initialDelaySeconds: 20
            periodSeconds: 5
            timeoutSeconds: 3
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: RABBITMQ_USE_LONGNAME
              value: "true"
            - name: RABBITMQ_NODENAME
              value: rabbit@$(MY_POD_NAME).rabbitmq-rabbitmq-ha-discovery.rabbitmq（部署的命名空间）.svc.cluster.local
            - name: K8S_HOSTNAME_SUFFIX
              value: .rabbitmq-rabbitmq-ha-discovery.rabbitmq（部署的命名空间）.svc.cluster.local
            - name: K8S_SERVICE_NAME
              value: rabbitmq-rabbitmq-ha-discovery
            - name: RABBITMQ_ERLANG_COOKIE
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-rabbitmq-ha
                  key: rabbitmq-erlang-cookie
            - name: RABBIT_MANAGEMENT_USER
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-rabbitmq-ha
                  key: rabbitmq-management-username
            - name: RABBIT_MANAGEMENT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-rabbitmq-ha
                  key: rabbitmq-management-password
          resources:
            {}
          volumeMounts:
            - name: data
              mountPath: /var/lib/rabbitmq
            - name: config
              mountPath: /etc/rabbitmq
            - name: definitions
              mountPath: /etc/definitions
              readOnly: true
      #requiredDuringSchedulingIgnoredDuringExecution：硬性要求，必须满足条件，保证分散部署的效果最好使用用此方式
#	preferredDuringSchedulingIgnoredDuringExecution：软性要求，可以不完全满足，即有可能同一node上可以跑多个副本
      affinity:
        podAntiAffinity:
        #如果节点上的pod标签存在满足app: rabbitmq-ha，release: rabbitmq，则不能部署到节点上
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: "kubernetes.io/hostname"
                labelSelector:
                  matchLabels:
                    app: rabbitmq-ha
                    release: rabbitmq
      volumes:
        - name: config
          emptyDir: {}
        - name: configmap
          configMap:
            name: rabbitmq-rabbitmq-ha
        - name: definitions
          secret:
            secretName: rabbitmq-rabbitmq-ha
            items:
            - key: definitions.json
              path: definitions.json
  volumeClaimTemplates:
    - metadata:
        name: data
        annotations:
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "8Gi"
        storageClassName: "rabbitmq"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

3.8 StorageClass

#如果使用本地磁盘这个就用不到
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rabbitmq
mountOptions:
  - 'nolock,tcp,noresvport'
  - vers=3
parameters:
  path: /xxxxxx/rabbitmq
  server: 666666666.cn-beijing.nas.aliyuncs.com
  volumeAs: subpath
provisioner: nasplugin.csi.alibabacloud.com
reclaimPolicy: Retain
volumeBindingMode: Immediate
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

3.9 PV

3.9.1 本地磁盘做PV

apiVersion: v1
kind: PersistentVolume
metadata:
  name: rabbitmq-local-0
  labels:
    app: rabbitmq-data-0
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 3Gi
  #声明适合的pvc
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: data-rabbitmq-rabbitmq-ha-0
    namespace: rabbitmq
  local:
    path: /data/rabbitmq/data/data01
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - node02
  persistentVolumeReclaimPolicy: Retain
  storageClassName: rabbitmq
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: rabbitmq-local-1
  labels:
    app: rabbitmq-data-1
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 3Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: data-rabbitmq-rabbitmq-ha-1
    namespace: rabbitmq
  local:
    path: /data/rabbitmq/data/data02
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - node02
  persistentVolumeReclaimPolicy: Retain
  storageClassName: rabbitmq
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: rabbitmq-local-2
  labels:
    app: rabbitmq-data-2
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 3Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: data-rabbitmq-rabbitmq-ha-2
    namespace: rabbitmq
  local:
    path: /data/rabbitmq/data/data03
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - node02
  persistentVolumeReclaimPolicy: Retain
  storageClassName: rabbitmq
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

3.9.2 StorageClass创建的PV

1. data-rabbitmq-rabbitmq-ha-0

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nas-2f929e65-4585-4e1d-bbfe-ad5679526d46
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 8Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: data-rabbitmq-rabbitmq-ha-0
    namespace: pub
  csi:
    driver: nasplugin.csi.alibabacloud.com                                                                                                                                                                                                                                                                                                                                                            
    fsType: ext4
    volumeAttributes:
      path: /nas-2f929e65-4585-4e1d-bbfe-ad5679526d46
      server: 666666666.cn-beijing.nas.aliyuncs.com
      storage.kubernetes.io/csiProvisionerIdentity: 1638948116227-8081-nasplugin.csi.alibabacloud.com
      volumeAs: subpath
    volumeHandle: nas-2f929e65-4585-4e1d-bbfe-ad5679526d46
  mountOptions:
    - 'nolock,tcp,noresvport'
    - vers=3
  persistentVolumeReclaimPolicy: Delete
  storageClassName: rabbitmq
  volumeMode: Filesystem
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

2. data-rabbitmq-rabbitmq-ha-1

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nas-9ce64f6e-2377-49c5-925d-7c167ef11c4d
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 8Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: data-rabbitmq-rabbitmq-ha-1
    namespace: pub
  csi:
    driver: nasplugin.csi.alibabacloud.com
    fsType: ext4
    volumeAttributes:
      path: /nas-9ce64f6e-2377-49c5-925d-7c167ef11c4d
      server: 666666666.cn-beijing.nas.aliyuncs.com
      storage.kubernetes.io/csiProvisionerIdentity: 1638948116227-8081-nasplugin.csi.alibabacloud.com
      volumeAs: subpath
    volumeHandle: nas-9ce64f6e-2377-49c5-925d-7c167ef11c4d
  mountOptions:
    - 'nolock,tcp,noresvport'
    - vers=3
  persistentVolumeReclaimPolicy: Delete
  storageClassName: rabbitmq
  volumeMode: Filesystem
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

3. data-rabbitmq-rabbitmq-ha-2

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nas-03602164-e318-4ea0-93e3-aba48b2c9263
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 8Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: data-rabbitmq-rabbitmq-ha-2
    namespace: pub
  csi:
    driver: nasplugin.csi.alibabacloud.com
    fsType: ext4
    volumeAttributes:
      path: /nas-03602164-e318-4ea0-93e3-aba48b2c9263
      server: 666666666.cn-beijing.nas.aliyuncs.com
      storage.kubernetes.io/csiProvisionerIdentity: 1638948116227-8081-nasplugin.csi.alibabacloud.com
      volumeAs: subpath
    volumeHandle: nas-03602164-e318-4ea0-93e3-aba48b2c9263
  mountOptions:
    - 'nolock,tcp,noresvport'
    - vers=3
  persistentVolumeReclaimPolicy: Delete
  storageClassName: rabbitmq
  volumeMode: Filesystem
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

3.10 PVC

3.10.1 本地磁盘pvc

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app: rabbitmq-ha
    release: rabbitmq
  name: data-rabbitmq-rabbitmq-ha-0
  namespace: rabbitmq
spec:
  selector:
    matchLabels:
      app: rabbitmq-data-0
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
  storageClassName: rabbitmq
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app: rabbitmq-ha
    release: rabbitmq
  name: data-rabbitmq-rabbitmq-ha-1
  namespace: rabbitmq
spec:
  selector:
    matchLabels:
      app: rabbitmq-data-1
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
  storageClassName: rabbitmq
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app: rabbitmq-ha
    release: rabbitmq
  name: data-rabbitmq-rabbitmq-ha-2
  namespace: rabbitmq
spec:
  selector:
    matchLabels:
      app: rabbitmq-data-2
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
  storageClassName: rabbitmq
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

3.10.2 StorageClass中的pvc

1. data-rabbitmq-rabbitmq-ha-0

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app: rabbitmq-ha
    release: rabbitmq
  name: data-rabbitmq-rabbitmq-ha-0
  namespace: rabbitmq
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: rabbitmq
  volumeMode: Filesystem
  volumeName: nas-c99ec219-c2af-41d7-9956-1cf83c60ffc8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

2. data-rabbitmq-rabbitmq-ha-1

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app: rabbitmq-ha
    release: rabbitmq
  name: data-rabbitmq-rabbitmq-ha-1
  namespace: rabbitmq
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: rabbitmq
  volumeMode: Filesystem
  volumeName: nas-8028a035-152c-40bf-a799-fd3f24211679
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

3. data-rabbitmq-rabbitmq-ha-2

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app: rabbitmq-ha
    release: rabbitmq
  name: data-rabbitmq-rabbitmq-ha-2
  namespace: rabbitmq
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: rabbitmq
  volumeMode: Filesystem
  volumeName: nas-2afc1c88-8afa-4fd0-a9e5-74a0cffc6ab9
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

3.11 Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/service-weight: ''
  generation: 3
  name: rabbitmq
  namespace: rabbitmq
spec:
  rules:
    - host: rabbitmq.timerovers.com
      http:
        paths:
          - backend:
              service:
                name: rabbit-svc
                port:
                  number: 15672
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - rabbitmq.timerovers.com
      secretName: timerovers.tls
status:
  loadBalancer:
    ingress:
      - ip: 213.13.33.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28