Hardcore Content | Deploying a Rancher Cluster with GitLab CI

{"type":"doc","content":[
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"In today's fast-moving DevOps world, following best practices is essential. Those practices cover security, access control, resource limits and more. One of the most important things in DevOps is continuous integration (CI) and continuous delivery (CD), and for an effective deployment continuous integration is the critical part. Yet during integration we keep repeating manual steps over and over, especially around node provisioning. This is where an \"automate everything\" mindset keeps our work running, so that we can execute efficiently and make sure our applications are deployed and running properly. With GitLab CI\/CD you get a user-friendly UI for configuring builds and customizing them as needed. It also covers pipeline triggers, build variables, license compliance and so on."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Viewing the build steps from a single console is extremely helpful, especially when you are troubleshooting a build. Each build step also shows the CLI output of the commands it ran. This gives you one view of what happened during the build without having to SSH into the runner node. CI\/CD tools usually work from a build file that determines the build steps. With GitLab CI\/CD that build file is called .gitlab-ci.yml. In this article you will learn how that build file is composed and what it does."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"How the GitLab CI tooling talks to AWS to trigger the launch of new resources is another important part of our deployment. The deployment also involves Terraform, RKE and Rancher 2. The main goal is to produce a pipeline that deploys and destroys infrastructure on demand. The end result is a highly available, consistent deployment that can be triggered with the click of a button, or with one (or two) CLI commands."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"The source code for this article is available at:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"underline"}],"text":"https:\/\/gitlab.com\/iby.autometa\/rancher-deploy"}]},
{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Deployment flow"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Every component in this deployment has a specific purpose, and the goal is to deploy the minimum set of resources needed while following best practices for security, low cost and high availability."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"But first, what is a CI\/CD pipeline? Conceptually a CI\/CD pipeline has three stages: source, build and deploy."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Source: "},{"type":"text","text":"every deployment needs a code management tool; common choices include GitHub and GitLab, and Bitbucket is a good option too. In this scenario we chose GitLab because, besides being our source code management tool, it provides built-in CI\/CD."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Build: "},{"type":"text","text":"the stages listed in the build file .gitlab-ci.yml define the build steps. In this phase the GitLab platform validates the code and runs a terraform plan. Within each step you can pass commands, set variables, build Docker images, create files and so on. This keeps the steps decoupled, so removing a step or adding a new one is easy."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Deploy: "},{"type":"text","text":"this phase has two manual actions. The first is deploy, which starts creating the infrastructure from the Terraform code. Once this manual step is triggered, GitLab contacts AWS, authenticates with the access key and secret key, and begins deploying the infrastructure into the public cloud (AWS in this example). Another component that plays an important role is the provider.tf file, which defines the cloud provider for the deployment. The second manual option is destroy. Like deploy, it is triggered manually. In some cases this step can be automated, but in most cases we want to be deliberate about deploying or destroying a deployment. It is also advisable to restrict who can run these steps: security best practice is to back them with a user directory and to require that permission to run these manual jobs be explicitly granted."}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"Infrastructure diagram"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"This diagram shows all the tools used in this deployment and the function each one provides:"}]},
{"type":"bulletedlist","content":[
{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"GitLab: code management and CI\/CD"}]}]},
{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS: Elastic Compute Cloud (EC2), Simple Storage Service (S3), Route 53 (R53), security groups, Elastic Load Balancing (ELB)."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"S3: in this deployment the S3 bucket is created manually. Before you start the deployment, make sure you have created the bucket and specified it in the variables section. The S3 bucket holds the terraform.tfstate file. To learn more about managing Terraform state, see:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"underline"}],"text":"https:\/\/www.terraform.io\/docs\/state\/index.html"}]}]},
{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Terraform: infrastructure as code (IaC); the RKE provider, which provisions the Kubernetes cluster; the Rancher 2.x provider, which lets Terraform code configure Rancher-managed clusters; and the Helm provider, which installs Helm charts and ultimately installs Rancher on the infrastructure that was created."}]}]}
]},
{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/14\/14fc2bfec2bd0a1f27a3251bb539f77b.png","alt":"image","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},
{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"How does the CI\/CD pipeline work?"}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"CI\/CD stages"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"The first part of the build file lists the stages the deployment will run:"}]},
{"type":"codeblock","attrs":{"lang":"yaml"},"content":[{"type":"text","text":"stages:\n  - validate\n  - plan_before_apply\n  - apply\n  - destroy"}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"Before Script"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"The before_script lays the groundwork for a successful deployment. It creates two files:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1. backend.tf: this file points Terraform at the S3 bucket that stores the tfstate. The file is written with a shell heredoc (cat <<EOF), so the $BUCKET_NAME and $BUCKET_KEY CI variables are expanded when the job runs:"}]},
{"type":"codeblock","attrs":{"lang":"yaml"},"content":[{"type":"text","text":"before_script:\n  - |\n    cat <<EOF > backend.tf\n    terraform {\n      backend \"s3\" {\n        bucket  = \"$BUCKET_NAME\"\n        key     = \"$BUCKET_KEY\"\n        region  = \"us-east-1\"\n        encrypt = true\n      }\n    }\n    EOF"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2. variables.tf: this file holds the credentials, the VPC, the Kubernetes version and so on. These parameters are passed in from the Settings section of the GitLab dashboard. The snippet below is the start of the same heredoc block; the remaining variable definitions are omitted here."}]},
{"type":"codeblock","attrs":{"lang":"yaml"},"content":[{"type":"text","text":"    cat <<EOF > variables.tf\n    variable \"aws_access_keys\" {\n      type        = map(string)\n      description = \"AWS Access Keys for terraform deployment\"\n\n      default = {\n        access_key = \"$AWS_ACCESS_KEY_ID\"\n        secret_key = \"$AWS_SECRET_ACCESS_KEY\"\n        region     = \"us-east-1\"\n      }\n    }\n    variable \"number_of_nodes\" {"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Two caveats for this step. First, terraform init has to run after these files are generated and before any of the jobs below, because validate, plan and apply all need the S3 backend and the providers initialized. Second, writing the AWS secret key into variables.tf puts it in the working directory, in terraform plan output and in the state file; the AWS provider reads AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY directly from the job environment, so the keys do not need to be written to a file at all."}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"Build stages"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1. "},{"type":"text","marks":[{"type":"strong"}],"text":"Validate: "},{"type":"text","text":"validates the configuration files in the working directory."}]},
{"type":"codeblock","attrs":{"lang":"yaml"},"content":[{"type":"text","text":"validate:\n  stage: validate\n  script:\n    - terraform validate"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2. "},{"type":"text","marks":[{"type":"strong"}],"text":"plan_before_apply: "},{"type":"text","text":"runs terraform plan and produces an execution plan."}]},
{"type":"codeblock","attrs":{"lang":"yaml"},"content":[{"type":"text","text":"plan_before_apply:\n  stage: plan_before_apply\n  script:\n    - terraform plan\n  dependencies:\n    - validate"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3. "},{"type":"text","marks":[{"type":"strong"}],"text":"Apply: "},{"type":"text","text":"runs terraform apply and executes the plan. This is a manual step (when: manual). The job also installs kubectl and Helm into the hashicorp\/terraform image so the Helm provider can install Rancher; note that neither download is checksum-verified."}]},
{"type":"codeblock","attrs":{"lang":"yaml"},"content":[{"type":"text","text":"apply:\n  stage: apply\n  script:\n    - apk update && apk add curl git\n    - curl -LO https:\/\/storage.googleapis.com\/kubernetes-release\/release\/`curl -s https:\/\/storage.googleapis.com\/kubernetes-release\/release\/stable.txt`\/bin\/linux\/amd64\/kubectl\n    - chmod u+x kubectl && mv kubectl \/bin\/kubectl\n    - mkdir -p ~\/.kube\n    - echo '' > ~\/.kube\/config\n    - apk add --update --no-cache curl ca-certificates\n    - curl -L https:\/\/get.helm.sh\/helm-v3.1.2-linux-amd64.tar.gz | tar xvz\n    - mv linux-amd64\/helm \/usr\/bin\/helm\n    - chmod +x \/usr\/bin\/helm\n    - terraform apply --auto-approve\n  when: manual"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"4. "},{"type":"text","marks":[{"type":"strong"}],"text":"Destroy: "},{"type":"text","text":"destroys all the resources created in the apply step. This is also a manual step. The two terraform state rm commands drop the Helm releases from the state first, so that terraform destroy does not try to talk to a Kubernetes cluster whose nodes are about to be deleted."}]},
{"type":"codeblock","attrs":{"lang":"yaml"},"content":[{"type":"text","text":"destroy:\n  stage: destroy\n  script:\n    - mkdir -p ~\/.kube\n    - echo '' > ~\/.kube\/config\n    - terraform state rm \"helm_release.cert_manager\"\n    - terraform state rm \"helm_release.rancher\"\n    - terraform destroy --auto-approve\n  dependencies:\n    - apply\n  when: manual"}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"Apply"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"To run terraform apply, go to the project's CI\/CD section, click New Pipeline and run a new pipeline. Once the validate and plan stages have completed, click the apply job and run it. You should see the changes that were committed to the repo being applied."}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"Destroy"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"To destroy the deployment, click the destroy job in the CI\/CD console and run it. Terraform destroys all the infrastructure the pipeline created earlier. The only thing left behind is the S3 bucket containing terraform.tfstate. The Terraform state is essential if you ever need to run the destroy step, so do not delete the bucket."}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"Variables"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"To set the cluster's node count, the Kubernetes version, the Rancher version and so on, go to the project's Settings page and set the variables under CI\/CD. Store the AWS access key and secret key as masked and protected variables, so they are hidden from job logs and only exposed to pipelines running on protected branches."}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"Recommended values for the environment variables"}]},
{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/56\/564642b183ac57ec4e710def63444302.png","alt":"image","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"AWS provider"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"We use the AWS provider in this deployment. For more information on the provider and how it works, see the AWS provider documentation: https:\/\/www.terraform.io\/docs\/providers\/aws\/index.html"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"The provider.tf file is a good example of how to use a provider. It lets the Terraform code interact with AWS and deploy resources (EC2, security groups, load balancers and so on). Here the credentials are looked up from the aws_access_keys map that the before_script wrote into variables.tf."}]},
{"type":"codeblock","attrs":{"lang":"hcl"},"content":[{"type":"text","text":"provider \"aws\" {\n  region     = \"us-east-1\"\n  profile    = \"default\"\n  access_key = lookup(var.aws_access_keys, \"access_key\")\n  secret_key = lookup(var.aws_access_keys, \"secret_key\")\n}"}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"Rancher2 provider"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"The Rancher2 provider is a Terraform component that has to be imported as a plugin before it can be used. The rancher-ha.tf file is a good example of how to use it:"}]},
{"type":"codeblock","attrs":{"lang":"hcl"},"content":[{"type":"text","text":"resource \"rancher2_bootstrap\" \"admin\" {\n  provider   = rancher2.bootstrap\n  depends_on = [null_resource.wait_for_rancher]\n  password   = var.ui_password\n}"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"We use the Rancher2 provider to create the Rancher UI admin account; the initial admin password comes from the ui_password variable, which should be supplied as a masked CI variable rather than committed to the repo. To learn more about the Rancher2 provider, see the documentation:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"underline"}],"text":"https:\/\/registry.terraform.io\/providers\/rancher\/rancher2\/latest\/docs"}]},
{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"GitLab Runner"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"If you do not have a runner node configured, you can use this repo to set up a runner with the correct configuration ("},{"type":"text","marks":[{"type":"underline"}],"text":"https:\/\/gitlab.com\/iby.autometa\/gitlab-runner-aws"},{"type":"text","text":"), or follow the GitLab documentation to set up a new runner ("},{"type":"text","marks":[{"type":"underline"}],"text":"https:\/\/docs.gitlab.com\/runner\/install\/"},{"type":"text","text":")."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"If you already have a runner up and running, you can simply register it with this configuration (fill in the project's registration token):"}]},
{"type":"codeblock","attrs":{"lang":"bash"},"content":[{"type":"text","text":"# Register the runner\nsudo gitlab-runner register \\\n  --non-interactive \\\n  --url \"https:\/\/gitlab.com\/\" \\\n  --registration-token \"\" \\\n  --executor \"docker\" \\\n  --docker-image hashicorp\/terraform \\\n  --description \"docker-runner\" \\\n  --tag-list \"\" \\\n  --run-untagged=\"true\" \\\n  --locked=\"false\" \\\n  --access-level=\"not_protected\""}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Note what the last three flags do: --run-untagged=true lets the runner pick up any job, --locked=false lets other projects use it, and --access-level=not_protected lets it run jobs from unprotected branches. Because this pipeline hands the runner AWS credentials and the ability to run terraform apply and destroy, a safer registration for production is --access-level=ref_protected with the runner locked to this project, so that only protected branches can reach those credentials. Also pin the hashicorp\/terraform image to a specific version tag instead of the floating latest tag, so the Terraform version used by the pipeline does not change underneath you."}]},
{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Conclusion"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"This article leaves us with a few takeaways:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"First, we need to approach our daily work with an automation-first mindset."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Second, we can take advantage of several benefits of CI\/CD: a CI\/CD tool reduces the cost of managing infrastructure by hand; it lets us collaborate more effectively; and it gives us insight into the build steps and the CLI output from the runner nodes."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Overall, using CI\/CD helps us follow best practices through the code integration, build and deployment phases. With infrastructure-as-code tools such as Terraform and cloud providers such as AWS, Azure and GCP, a CI\/CD tool lets you deploy your code together with the infrastructure it runs on."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Reposted from: RancherLabs (WeChat ID: RancherLabs)"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Original article: "},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s\/6sU1XpSd6J-w8qwKNqm6fQ","title":"xxx","type":null},"content":[{"type":"text","text":"Hardcore Content | Deploying a Rancher Cluster with GitLab CI"}]}]}
]}
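The before_script in the article generates backend.tf and variables.tf with shell heredocs, and its version of variables.tf embeds the AWS secret key. The functions below are an added example, written for this page and not taken from the article or its repository, that perform the same generation step defensively: they fail closed when a required CI variable is unset (otherwise Terraform would silently fall back to local state), they keep the AWS keys out of the generated files because the AWS provider reads them from the environment, and they scan the generated files so the job aborts if the secret ever does end up on disk. BUCKET_NAME and BUCKET_KEY are the variable names the article uses; AWS_REGION and NUMBER_OF_NODES are assumed names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article): generate the Terraform
# backend/variables files in before_script without writing secrets to disk.
# BUCKET_NAME and BUCKET_KEY match the article; AWS_REGION and
# NUMBER_OF_NODES are hypothetical CI variable names chosen for the example.

# Fail closed: with no bucket configured, Terraform would default to local
# state inside the job container, so stop before any terraform command runs.
require_vars() {
  for name in "$@"; do
    eval "value=\"\${$name:-}\""
    if [ -z "$value" ]; then
      echo "required CI variable $name is not set" >&2
      return 1
    fi
  done
}

# Render backend.tf with a heredoc. The unquoted EOF delimiter means the
# $BUCKET_NAME etc. references are expanded when the job runs, which is the
# behaviour the article's before_script relies on.
render_backend_tf() {
  outdir="$1"
  require_vars BUCKET_NAME BUCKET_KEY AWS_REGION || return 1
  cat <<EOF > "$outdir/backend.tf"
terraform {
  backend "s3" {
    bucket  = "$BUCKET_NAME"
    key     = "$BUCKET_KEY"
    region  = "$AWS_REGION"
    encrypt = true
  }
}
EOF
}

# Render variables.tf with non-secret settings only. The AWS provider reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the job environment, so the
# keys never need to appear in a file, in terraform plan output or in state.
render_variables_tf() {
  outdir="$1"
  require_vars AWS_REGION NUMBER_OF_NODES || return 1
  cat <<EOF > "$outdir/variables.tf"
variable "region" {
  type    = string
  default = "$AWS_REGION"
}

variable "number_of_nodes" {
  type    = number
  default = $NUMBER_OF_NODES
}
EOF
}

# Guard: return 1 if any generated .tf file contains the secret key value,
# so the job can abort before terraform plan prints it or writes it to state.
check_no_secret_leak() {
  outdir="$1"
  [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || return 0
  if grep -rF -- "$AWS_SECRET_ACCESS_KEY" "$outdir"/*.tf >/dev/null 2>&1; then
    echo "secret key found in generated Terraform files" >&2
    return 1
  fi
  return 0
}

# Typical before_script usage: generate into the working directory, then
# verify before handing control to terraform init.
#   render_backend_tf . && render_variables_tf . && check_no_secret_leak .
```

In the pipeline this replaces the heredoc block shown in the article; AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY stay as masked, protected CI variables and are consumed by the provider directly, so provider.tf no longer needs the access_key and secret_key arguments.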
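The apply job in the article installs kubectl and Helm by piping curl straight into tar and moving the binaries onto PATH, with no integrity check, inside a job that holds the pipeline's AWS credentials. The functions below are an added example, written for this page and not part of the article or its repository, showing how to pin a release and verify its SHA-256 before anything is extracted. The digest in PINNED_HELM_SHA256 is a placeholder and must be replaced with the value from the release's published checksum file; the Helm version and URL are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded tool
# against a pinned SHA-256 before installing it in the apply job, so a
# tampered or substituted archive fails the job instead of running with the
# pipeline's AWS credentials. PINNED_HELM_SHA256 below is a placeholder.

# Compute SHA-256 portably (sha256sum on Linux/Alpine, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if the file's digest equals the expected one. The expected
# value is lowercased so a digest copied from a checksum file in either
# case compares correctly.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
  fi
  return 0
}

# Download to a temp file, verify, and only then extract into $dest.
# Nothing is extracted (let alone moved onto PATH) before the check passes,
# and the temp file is removed on every failure path.
fetch_verified_tarball() {
  url="$1"; expected="$2"; dest="$3"
  tmp=$(mktemp)
  # --proto '=https' refuses redirects to plain HTTP; -f fails on HTTP errors.
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    rm -f "$tmp"
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    return 1
  fi
  mkdir -p "$dest" && tar -xzf "$tmp" -C "$dest"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Pinned release (version and URL from the article). The digest is a
# placeholder: copy the real one from the published checksum file.
HELM_VERSION="v3.1.2"
HELM_URL="https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz"
PINNED_HELM_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Usage inside the apply job (needs network access, so not run here):
#   fetch_verified_tarball "$HELM_URL" "$PINNED_HELM_SHA256" /tmp/helm \
#     && install -m 0755 /tmp/helm/linux-amd64/helm /usr/local/bin/helm
```

The same pattern applies to the kubectl download: resolve stable.txt once, record the version and its digest in the pipeline, and verify the binary before moving it to /bin. Pinning also removes the other problem with fetching stable.txt at job time, which is that the installed kubectl version changes from one pipeline run to the next.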