手写chart

 欢迎关注我的公众号:

 目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:

istio多集群探秘,部署了50次多集群后我得出的结论

istio多集群链路追踪,附实操视频

istio防故障利器,你知道几个,istio新手不要读,太难!

istio业务权限控制,原来可以这么玩

istio实现非侵入压缩,微服务之间如何实现压缩

不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限

不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs

不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了

不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization

不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs

不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs

不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr

不懂envoyfilter也敢说精通istio系列-08-连接池和断路器

不懂envoyfilter也敢说精通istio系列-09-http-route filter

不懂envoyfilter也敢说精通istio系列-network filter-redis proxy

不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager

不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册

 

————————————————

manifest文件:

[root@master01 manifest]# cat ./*
# Binds the ClusterRole mysql-clusterrole to the ServiceAccount mysql-sa in
# namespace mysql.
# NOTE(review): the only subject is a namespaced ServiceAccount. A RoleBinding
# in that namespace can reference the same ClusterRole and limits the grant to
# pods of that namespace; confirm a cluster-wide binding is really needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mysql-clusterrole-binding
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mysql-clusterrole
subjects:
  - kind: ServiceAccount
    name: mysql-sa
    namespace: mysql
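# Grants the `use` verb on one PodSecurityPolicy.
# resourceNames pins the grant to mysql-psp. Without it, `use` covers every
# PodSecurityPolicy in the cluster, including any permissive one, which
# defeats the purpose of shipping a dedicated policy for this workload.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mysql-clusterrole
  labels:
    app: "mysql"
    component: "mysql"
    chart: "mysql-0.1"
    release: "mysql"
    heritage: "Helm"
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  resourceNames: ['mysql-psp']
  verbs: ['use']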
# mysqld settings, stored under the single key my.cnf.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-configmap
  labels:
    app: mysql
    component: mysql
    chart: mysql
    release: mysql
    heritage: helm
data:
  my.cnf: |
    [mysqld]
    skip-name-resolve
    port=3306
    innodb_file_per_table = 1
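# MySQL Deployment: one replica, data on the mysql-nfs-pvc claim, settings from
# the mysql-configmap ConfigMap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  labels:
    app: mysql
    chart: "mysql-0.1"
    release: "mysql"
    heritage: "Helm"
spec:
  progressDeadlineSeconds: 600
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: mysql
      release: mysql
  replicas: 1
  template:
    metadata:
      labels:
        app: mysql
        release: mysql
    spec:
      tolerations:
      - key: "example-key"
        operator: "Exists"
        effect: "NoSchedule"
      serviceAccountName: mysql-sa
      terminationGracePeriodSeconds: 60
      containers:
      - name: mysql
        # NOTE(review): MySQL 5.6 is past upstream end of life and the tag is
        # mutable; use a supported release and pin it by digest.
        image: mysql:5.6
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3306
        env:
        # NOTE(review): the root password is a literal in the pod spec, so
        # anyone who can read this Deployment or its Pods can read it. Keep it
        # in a Secret and reference it with valueFrom.secretKeyRef.
        - name: MYSQL_ROOT_PASSWORD
          value: "mysql"
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            # The shell expands the password onto the mysqladmin command line,
            # where the container's process list shows it while the probe runs.
            - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 3
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            # Same password exposure as the readiness probe.
            - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 3
        resources:
          requests:
            cpu: 0.2
            memory: 100Mi
          limits:
            cpu: 0.5
            memory: 500Mi
        securityContext:
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /var/lib/mysql
          name: data
        - name: configurations
          # subPath has to name a key of the ConfigMap (my.cnf) and mountPath
          # the target file; a subPath that matches no key leaves the settings
          # file unmounted.
          mountPath: /etc/mysql/conf.d/my.cnf
          subPath: my.cnf
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: mysql-nfs-pvc
      - name: configurations
        configMap:
          name: mysql-configmap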
# CPU-based autoscaler for the mysql Deployment (1 to 5 replicas, 50% target).
# NOTE(review): every replica of that Deployment mounts the same claim
# (mysql-nfs-pvc) at /var/lib/mysql; confirm that several mysqld instances
# sharing one data directory is intended before letting this scale past 1.
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: mysql-hpa
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
spec:
  minReplicas: 1
  maxReplicas: 5
  targetCPUUtilizationPercentage: 50
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: mysql

# Keeps at least one pod matching app=mysql,release=mysql available during
# voluntary disruptions.
# NOTE(review): while only one replica runs, minAvailable 1 blocks every
# voluntary eviction (for example a node drain). policy/v1beta1 for this kind
# is no longer served from Kubernetes 1.25 on; policy/v1 replaces it.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: mysql-pdb
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: mysql
      release: mysql
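# PodSecurityPolicy for the mysql pods.
# PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the
# equivalent restrictions come from Pod Security Admission or a policy engine.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mysql-psp
  labels:
    app: "mysql"
    component: "mysql"
    chart: "mysql-0.1"
    release: "mysql"
    heritage: "Helm"
spec:
  # State the restrictive settings explicitly instead of relying on defaults.
  # allowPrivilegeEscalation defaults to true when omitted; the mysql container
  # already asks for false, so the policy can require it.
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # NOTE(review): RunAsAny permits root containers under this policy.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  # hostPath is deliberately absent from the allowed volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'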
# 500Mi claim from the mysql-sc StorageClass; mounted by the mysql Deployment
# as its data volume.
# ReadWriteMany lets pods on several nodes mount the volume at the same time.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-nfs-pvc
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
spec:
  storageClassName: mysql-sc
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 500Mi
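# Identity for the mysql pods (referenced as serviceAccountName: mysql-sa).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysql-sa
  labels:
    app: mysql
    chart: mysql-0.1
    release: mysql
    heritage: helm
# The mysql container shown on this page makes no Kubernetes API calls, so the
# API token is not mounted into pods using this account. A pod that needs the
# token can opt back in with automountServiceAccountToken: true in its spec.
automountServiceAccountToken: false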
# StorageClass named by the mysql-nfs-pvc claim.
# reclaimPolicy Retain keeps the provisioned volume and its data after the
# claim is deleted, so database files stay on the backing storage until an
# operator removes them.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: mysql-sc
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
reclaimPolicy: Retain
provisioner: fuseim.pri/ifs

# Exposes the mysql pods (app=mysql, release=mysql) on TCP 3306.
# NOTE(review): type NodePort publishes the database on a port of every node.
# The Deployment on this page sets the root password to a literal value, so
# check which networks can reach the nodes; ClusterIP is enough when only
# in-cluster clients connect.
apiVersion: v1
kind: Service
metadata:
  name: mysql-svc
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
spec:
  type: NodePort
  selector:
    app: mysql
    release: mysql
  ports:
    - name: tcp
      port: 3306
      targetPort: 3306

template文件:

[root@master01 templates]# cat ./*
{{- if .Values.rbac.create}}
# Rendered only when rbac.create is set.
# Binds the <fullname>-clusterrole ClusterRole to the <fullname>-sa
# ServiceAccount in the release namespace.
# NOTE(review): the only subject is a namespaced ServiceAccount. A RoleBinding
# in the release namespace can reference the same ClusterRole and limits the
# grant to that namespace; confirm a cluster-wide binding is needed.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{include "mysql.fullname" .}}-binding
  labels:{{include "mysql.labels" .|nindent 4}}
roleRef:
  kind: ClusterRole
  name: {{include "mysql.fullname" .}}-clusterrole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: {{include "mysql.fullname" .}}-sa
  namespace: {{.Release.Namespace}}
{{- end}}
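{{- if .Values.rbac.create}}
# Rendered only when rbac.create is set.
# Grants `use` on this chart's own PodSecurityPolicy (<fullname>-psp) and
# nothing else. Without resourceNames the rule would cover every
# PodSecurityPolicy in the cluster, including any permissive one.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{include "mysql.fullname" .}}-clusterrole
  labels:{{include "mysql.labels" .|nindent 4}}
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  resourceNames: ['{{include "mysql.fullname" .}}-psp']
  verbs:     ['use']
{{- end}}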
# mysqld settings, stored under the single key my.cnf; the content is static
# and not driven by chart values.
apiVersion: v1
data:
  my.cnf: |
    [mysqld]
    skip-name-resolve
    port=3306
    innodb_file_per_table = 1
kind: ConfigMap
metadata:
  name: {{include "mysql.fullname" .}}-configmap
  labels:{{include "mysql.labels" .|nindent 4}}
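# MySQL Deployment. Strategy, tolerations, probes, resources and the container
# securityContext are rendered only when the matching value is set.
apiVersion: {{include "deployment.apiVersion" .}}
kind: Deployment
metadata:
  name: {{include "mysql.fullname" .}}
  labels:{{include "mysql.labels" .|nindent 4}}
spec:
  progressDeadlineSeconds: {{.Values.deployment.progressDeadlineSeconds}}
  {{- if .Values.deployment.strategy}}
  strategy:{{toYaml .Values.deployment.strategy|nindent 4}}
  {{- end}}
  revisionHistoryLimit: {{.Values.deployment.revisionHistoryLimit}}
  selector:
    matchLabels: {{include "mysql.selectorLabels" .|nindent 6}}
  replicas: {{.Values.deployment.replicaCount}}
  template:
    metadata:
      labels: {{include "mysql.labels" .|nindent 8}}
    spec:
     {{- if .Values.deployment.tolerations}}
      tolerations:{{toYaml .Values.deployment.tolerations|nindent 8}}
     {{- end}}
      serviceAccountName: {{include "mysql.serviceAccountName" .}}
      terminationGracePeriodSeconds: {{.Values.deployment.terminationGracePeriodSeconds}}
      containers:
      - name: mysql
        image: {{.Values.deployment.image.repository}}:{{.Values.deployment.image.tag}}
        imagePullPolicy: {{.Values.deployment.image.pullPolicy}}
        ports:
        - containerPort: 3306
        env:
        # NOTE(review): the root password is taken from chart values and
        # rendered as a literal into the pod spec, so it is readable by anyone
        # who can read the Deployment, its Pods or the stored release. Render
        # it into a Secret and reference it with valueFrom.secretKeyRef.
        - name: MYSQL_ROOT_PASSWORD
          value: {{.Values.deployment.mysql_root_password|quote}}
        {{- if .Values.deployment.readinessProbe}}
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            # The shell expands the password onto the mysqladmin command line,
            # where the container's process list shows it while the probe runs.
            - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
          initialDelaySeconds: {{.Values.deployment.readinessProbe.initialDelaySeconds}}
          periodSeconds: {{.Values.deployment.readinessProbe.periodSeconds}}
          timeoutSeconds: {{.Values.deployment.readinessProbe.timeoutSeconds}}
          successThreshold: {{.Values.deployment.readinessProbe.successThreshold}}
          failureThreshold: {{.Values.deployment.readinessProbe.failureThreshold}}
        {{- end}}
        {{- if .Values.deployment.livenessProbe}}
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            # Same password exposure as the readiness probe.
            - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
          initialDelaySeconds: {{.Values.deployment.livenessProbe.initialDelaySeconds}}
          periodSeconds: {{.Values.deployment.livenessProbe.periodSeconds}}
          timeoutSeconds: {{.Values.deployment.livenessProbe.timeoutSeconds}}
          successThreshold: {{.Values.deployment.livenessProbe.successThreshold}}
          failureThreshold: {{.Values.deployment.livenessProbe.failureThreshold}}
        {{- end}}
        {{- if .Values.deployment.resources}}
        resources:{{toYaml .Values.deployment.resources|nindent 10}}
        {{- end}}
        {{- if .Values.deployment.securityContext}}
        securityContext:{{toYaml .Values.deployment.securityContext|nindent 10}}
        {{- end}}
        volumeMounts:
        - mountPath: /var/lib/mysql
          name: data
        - name: configurations
          # subPath has to name a key of the ConfigMap (my.cnf) and mountPath
          # the target file; a subPath that matches no key leaves the settings
          # file unmounted.
          mountPath: /etc/mysql/conf.d/my.cnf
          subPath: my.cnf
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: {{include "mysql.fullname" .}}-pvc
      - name: configurations
        configMap:
          name: {{include "mysql.fullname" .}}-configmap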
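{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "mysql.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "mysql.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "mysql.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Common labels
*/}}
{{- define "mysql.labels" -}}
helm.sh/chart: {{ include "mysql.chart" . }}
{{ include "mysql.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

{{/*
Selector labels
*/}}
{{- define "mysql.selectorLabels" -}}
app.kubernetes.io/name: {{ include "mysql.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

{{/*
Create the name of the service account to use.
When serviceAccount.create is true the default is "<fullname>-sa", the name
the ServiceAccount template creates and the ClusterRoleBinding subject refers
to. A default without the suffix would point the pod at an account the chart
never creates, and the PodSecurityPolicy grant would not apply to it.
*/}}
{{- define "mysql.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
    {{ default (printf "%s-sa" (include "mysql.fullname" .)) .Values.serviceAccount.name }}
{{- else -}}
    {{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "deployment.apiVersion" -}}
{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1" -}}
{{- else -}}
{{- print "extensions/v1beta1" -}}
{{- end -}}
{{- end -}}

{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}

{{/*
Return the appropriate apiVersion for podSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiVersion" -}}
{{- if semverCompare ">=1.10-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "extensions/v1beta1" -}}
{{- end -}}
{{- end -}}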
{{- if .Values.hpa.create}}
# Rendered only when hpa.create is set. CPU-based autoscaler for the chart's
# Deployment; replica bounds and the CPU target come from the hpa values.
# NOTE(review): every replica of that Deployment mounts the same claim
# (<fullname>-pvc) at /var/lib/mysql; confirm that several mysqld instances
# sharing one data directory is intended before allowing more than 1 replica.
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: {{include "mysql.fullname" .}}-hpa
  labels:{{include "mysql.labels" .|nindent 4}}
spec:
  scaleTargetRef:
    apiVersion: {{include "deployment.apiVersion" .}}
    kind: Deployment
    name: {{include "mysql.fullname" .}}
  minReplicas: {{.Values.hpa.minReplicas}}
  maxReplicas: {{.Values.hpa.maxReplicas}}
  targetCPUUtilizationPercentage: {{.Values.hpa.targetCPUUtilizationPercentage}}
{{- end}}
{{- /*
Post-install notes printed to the user; one branch per service.type.
NOTE(review): the kubectl commands query a Service named <fullname>, while the
Service template of this chart names it <fullname>-svc. The notes also print
http:// URLs and forward 8080:80, although that Service exposes MySQL on 3306.
The LoadBalancer branch has no counterpart in the Service template, which only
renders NodePort and ClusterIP. Confirm and align before shipping the chart.
*/ -}}
1. Get the application URL by running these commands:
{{-  if contains "NodePort" .Values.service.type }}
  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "mysql.fullname" . }})
  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "mysql.fullname" . }}'
  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "mysql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mysql.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }}
{{- if and .Values.pdb.create (or (gt (.Values.deployment.replicaCount|int) 1) .Values.hpa.create )}}
# Rendered only when pdb.create is set and the workload can run more than one
# replica (replicaCount above 1, or the autoscaler enabled).
# NOTE(review): policy/v1beta1 for this kind is no longer served from
# Kubernetes 1.25 on; policy/v1 replaces it.
apiVersion: policy/v1beta1  
kind: PodDisruptionBudget  
metadata:  
  name: {{include "mysql.fullname" .}}-pdb
  labels: {{include "mysql.labels" .|nindent 4}}
spec:  
  minAvailable: {{.Values.pdb.minAvailable}}
  selector:  
    matchLabels:{{include "mysql.selectorLabels" .|nindent 6}}  
{{- end}}
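{{- if .Values.psp.create}}
# Rendered only when psp.create is set.
# PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the
# equivalent restrictions come from Pod Security Admission or a policy engine.
apiVersion: {{include "podSecurityPolicy.apiVersion" .}}
kind: PodSecurityPolicy
metadata:
  name: {{include "mysql.fullname" .}}-psp
  labels: {{include "mysql.labels" .|nindent 4}}
spec:
  # State the restrictive settings explicitly instead of relying on defaults.
  # allowPrivilegeEscalation defaults to true when omitted.
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # NOTE(review): RunAsAny permits root containers under this policy.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  # hostPath is deliberately absent from the allowed volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
{{- end}}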
# Data volume claim for the Deployment; always rendered.
# Access modes and size come from the pvc values, and the class is the
# StorageClass this chart names <fullname>-sc.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{include "mysql.fullname" .}}-pvc
  labels: {{include "mysql.labels" .|nindent 4}}
spec:
  storageClassName: {{include "mysql.fullname" .}}-sc
  accessModes:{{toYaml .Values.pvc.accessModes|nindent 2}}
  resources:
    requests:
      storage: {{.Values.pvc.storage}}
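{{- if .Values.serviceAccount.create}}
# Rendered only when serviceAccount.create is set.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{include "mysql.fullname" .}}-sa
  labels: {{include "mysql.labels" .|nindent 4}}
# The mysql container in this chart makes no Kubernetes API calls, so the API
# token is not mounted into pods using this account. A pod that needs the
# token can opt back in with automountServiceAccountToken: true in its spec.
automountServiceAccountToken: false
{{- end}}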
# StorageClass named by the chart's PersistentVolumeClaim; always rendered.
# Provisioner and reclaim policy come from the sc values.
# NOTE(review): with a reclaim policy of Retain the provisioned volume and its
# data outlive the claim and have to be removed by an operator.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: {{include "mysql.fullname" .}}-sc
  labels: {{include "mysql.labels" .|nindent 4}}
provisioner: {{.Values.sc.provisioner}}
reclaimPolicy: {{.Values.sc.reclaimPolicy}}

# Service in front of the mysql pods on TCP 3306.
# Only service.type NodePort and ClusterIP render a ports list; any other value
# produces a spec without ports.
# NOTE(review): NodePort publishes the database on a port of every node, and
# the Deployment template renders the root password from plain chart values.
# Check which networks can reach the nodes; ClusterIP is enough when only
# in-cluster clients connect.
apiVersion: v1
kind: Service
metadata:
  name: {{include "mysql.fullname" .}}-svc
  labels: {{include "mysql.labels" .|nindent 4}}
spec:
 selector:{{include "mysql.selectorLabels" .|nindent 4}}
 {{- if eq .Values.service.type "NodePort"}}  
 type: NodePort
 ports:
 -  name: tcp
    port: 3306      
    targetPort: 3306
    {{- if .Values.service.nodePort}}
    nodePort: {{.Values.service.nodePort}}
    {{- end}}
 {{- else if eq .Values.service.type "ClusterIP"}}
 ports:
 -  name: tcp
    port: 3306
    targetPort: 3306
 {{- end}}
