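Once a fair number of applications have been deployed in Kubernetes, maintaining the YAML files for each of them becomes tedious. Helm can simplify this work. Helm is a package manager for Kubernetes that simplifies deploying and managing Kubernetes applications.
Deploying the client
Download the latest binary from the Helm Releases page on GitHub.
$ tar -zxvf helm-v2.11.0-linux-amd64.tar.gz
$ mv linux-amd64/helm /usr/local/bin/helm
$ helm help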
Deploying the server (Tiller)
$ helm init --upgrade --tiller-image sapcc/tiller:v2.11.0
Creating /root/.helm
Creating /root/.helm/repository
Creating /root/.helm/repository/cache
Creating /root/.helm/repository/local
Creating /root/.helm/plugins
Creating /root/.helm/starters
Creating /root/.helm/cache/archive
Creating /root/.helm/repository/repositories.yaml
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com
Adding local repo with URL: http://127.0.0.1:8879/charts
$HELM_HOME has been configured at /root/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!
Note: a synchronized copy of the image is available on Docker Hub: https://hub.docker.com/r/sapcc/tiller/
Verifying
$ kubectl get pod -n kube-system -l app=helm
NAME                             READY   STATUS    RESTARTS   AGE
tiller-deploy-69c9dc58bd-jvzkr   1/1     Running   0          3m2s
$ helm version
Client: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
Configuring RBAC
$ vi rbac-config.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
$ kubectl create -f rbac-config.yaml
serviceaccount/tiller created
clusterrolebinding.rbac.authorization.k8s.io/tiller created
$ kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
deployment.extensions/tiller-deploy patched
Note: the configuration above gives Tiller administrator access to the entire cluster. If Tiller does not need cluster-admin access, you can define a Role and RoleBinding instead to restrict Tiller's scope to a specific namespace. The official documentation does this with a newly created namespace (https://docs.helm.sh/using_helm/#role-based-access-control).
Creating a configuration file
$ helm create helm-test
Creating helm-test
$ tree
.
├── helm-test
│   ├── charts
│   ├── Chart.yaml
│   ├── templates
│   │   ├── deployment.yaml
│   │   ├── _helpers.tpl
│   │   ├── ingress.yaml
│   │   ├── NOTES.txt
│   │   └── service.yaml
│   └── values.yaml
File descriptions:
View values.yaml (it shows that the chart deploys an Nginx service)
$ cat values.yaml
# Default values for helm-test.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: nginx
  tag: stable
  pullPolicy: IfNotPresent

nameOverride: ""
fullnameOverride: ""

service:
  type: ClusterIP
  port: 80

ingress:
  enabled: false
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - chart-example.local
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}
Deploying the application
$ helm install ./helm-test
NAME:   famous-bison
LAST DEPLOYED: Fri Nov  2 19:50:16 2018
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/Service
NAME                    AGE
famous-bison-helm-test  0s

==> v1beta2/Deployment
famous-bison-helm-test  0s

==> v1/Pod(related)
NAME                                     READY  STATUS             RESTARTS  AGE
famous-bison-helm-test-8568b9cb46-969pn  0/1    ContainerCreating  0         0s

NOTES:
1. Get the application URL by running these commands:
  export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=helm-test,app.kubernetes.io/instance=famous-bison" -o jsonpath="{.items[0].metadata.name}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl port-forward $POD_NAME 8080:80
Verifying
$ kubectl get pods --all-namespaces
NAMESPACE   NAME                                     READY   STATUS    RESTARTS   AGE
default     musty-shark-helm-test-578886d7b9-sdppq   1/1     Running   0          82s
$ kubectl get services --all-namespaces
NAMESPACE   NAME                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
default     kubernetes              ClusterIP   10.96.0.1       <none>        443/TCP   3d3h
default     musty-shark-helm-test   ClusterIP   10.102.19.244   <none>        80/TCP    2m29s
Helm commands
$ helm list
NAME           REVISION   UPDATED                    STATUS     CHART             APP VERSION   NAMESPACE
famous-bison   1          Fri Nov  2 19:50:16 2018   DEPLOYED   helm-test-0.1.0   1.0           default
$ helm package helm-test
Successfully packaged chart and saved it to: /opt/helm/helm-test-0.1.0.tgz
$ helm delete famous-bison
release "famous-bison" deleted
Helm repositories
Helm also provides chart repositories (repos), which work much like a Docker Registry.
$ helm repo list
NAME     URL
stable   https://kubernetes-charts.storage.googleapis.com
local    http://127.0.0.1:8879/charts
However, this source is blocked as well, so we can also set up a repository of our own to manage versions of custom packages. Use the helm search command to find the chart you want, then install it with the helm install command.
$ helm search redis
NAME                               CHART VERSION   APP VERSION   DESCRIPTION
stable/prometheus-redis-exporter   0.3.2           0.21.1        Prometheus exporter for Redis metrics
stable/redis                       4.2.6           4.0.11        Open source, advanced key-value store. It is often referr...
stable/redis-ha                    3.0.0           4.0.11        Highly available Kubernetes implementation of Redis
stable/sensu                       0.2.3           0.28          Sensu monitoring framework backed by the Redis transport
Installing
$ helm install stable/redis
Note:
Mirror source for the official charts
REFER:
https://docs.helm.sh/using_helm/
https://github.com/helm/helm
https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
https://docs.helm.sh/using_helm/#using-ssl-between-helm-and-tiller
https://medium.com/virtuslab/think-twice-before-using-helm-25fbb18bc822
With all due respect, everyone should still think twice before using Helm
https://mp.weixin.qq.com/s?__biz=MzIzNjUxMzk2NQ==&mid=2247490052&idx=1&sn=197ae17ce1156e19a279f7695361c532&chksm=e8d7e5c6dfa06cd0d3d8e6b591ad6149ed4e76a096679497f8b40a627ecff7c37af006887587