Editor's recommendation:
This article walks through the workflow for provisioning new AWS services from Kubernetes with the AWS Service Broker, and how to use those services from your application; we hope it helps your learning.
The article is translated from the official Amazon AWS blog; edited and recommended by Alice of 火龙果软件.
There is no doubt that containers have changed the way we build projects. One of the guiding principles of the containerized-workflow approach is handing control back to developers: letting them choose their own dependencies, how they use them and, most importantly, when they need them. Today, hardly anyone can afford to wait three weeks for an operations team to provision a database.

The community therefore needed a way to ensure that, wherever your containers run, you can always control your external dependencies in a simple, predictable way. The answer is the Open Service Broker (OSB) API. Today I will introduce the AWS Service Broker, an OSB API implementation that lets you provision AWS services such as RDS and EMR directly from any platform that supports the OSB API; currently those platforms include Kubernetes, OpenShift and Cloud Foundry. We launched the AWS Service Broker at re:Invent 2017 with an initial set of 10 supported services, added 8 more in April of this year, and will keep adding support for more AWS services at a regular cadence.

The architecture behind the service-broker approach in Kubernetes is simple. The Kubernetes Service Catalog project lets any OSB-compatible service broker register its list of available services with the catalog. Any user on the platform with the right permissions can then request any available service plan from the Service Catalog; the broker provisions the service and binds the information it returns into a set of secrets.

I have always believed that the best way to explain something is to show how it works, so let's get straight to it so that you can try it yourself.

Tools you'll need
To follow along with this post you need a few things in place. I won't cover installing or deploying these dependencies, but a complete list of resources is available online to help you do so yourself.
1. An AWS account with permission to create IAM resources
2. A kops cluster (Kubernetes v1.9.3)
3. Helm v2.9.0-rc5
4. AWS CLI v1.15.11
5. Python 2.7.13+
Install the Kubernetes Service Catalog
The Kubernetes Service Catalog is the mechanism that advertises all available services to the Kubernetes platform; when AWS services are being managed, the Service Catalog talks to the AWS Service Broker. There are many ways to install the Service Catalog; personally I find Helm the simplest. The Service Catalog also has a CLI called svcat that makes the installation easier.
Download the svcat CLI
This step downloads the svcat CLI for Linux, but builds exist for every major operating system; see the project documentation for full installation instructions. Note that the URL below fetches an unpinned "latest" build and moves it into your PATH as root: on anything other than a throwaway machine, pin a specific release and check the binary before installing it system-wide. On Linux, run:
curl -sLo svcat https://download.svcat.sh/cli/latest/linux/amd64/svcat
chmod +x svcat
sudo mv svcat /usr/local/bin
svcat install plugin

Add the Service Catalog chart repository to Helm and install the Service Catalog
helm repo add svc-cat https://svc-catalog-charts.storage.googleapis.com
helm install svc-cat/catalog --name catalog --namespace catalog
To check that the installation succeeded, list the pods started in the catalog namespace:
kubectl get pods --namespace=catalog

Permissions
Now that the Kubernetes Service Catalog is deployed, you need to make sure the AWS Service Broker has the right permissions to launch AWS services in your AWS account. The AWS Service Broker can obtain credentials in one of two ways:
Static credentials configured in its configuration file (for on-premises deployments)
The AWS SDK credential provider chain (the best practice when deployed on AWS)
The AWS Service Broker uses CloudFormation to manage the lifecycle of every resource it creates in your AWS account, so we need to create the role that CloudFormation assumes when it creates those services.
Download the templates and definitions used in this walkthrough
curl -LO https://s3.amazonaws.com/awsservicebroker/assets/blog-templates.tar.gz
mkdir blogtemplates
tar -xvf blog-templates.tar.gz -C blogtemplates
cd blogtemplates
Do not pass -k to curl for downloads like this one: it disables TLS certificate verification, and this archive contains the IAM policies you are about to apply to your account.

Create the new policy
aws iam create-policy --policy-name "aws-service-broker-cfn-deploy-policy" --policy-document file://cfn-deployment-policy.json
Note the policy ARN in the output; later steps refer to it as ${CFN_POLICY_ARN}.
Create the new role and attach the policy
In this section we create the CloudFormation role that the service broker will hand to CloudFormation, and attach the newly created policy to it. We will also edit the kops configuration to add further permissions to the node role.
Create the role aws-servicebroker-cfn-deploy-role with a trust policy that lets the cloudformation.amazonaws.com service principal assume it (the create-role command is not shown here), and note the role ARN; later steps refer to it as ${CFN_ROLE_ARN}. Now attach the policy created above to the new role:
aws iam attach-role-policy --role-name "aws-servicebroker-cfn-deploy-role" --policy-arn ${CFN_POLICY_ARN}
If the command succeeds, the CLI prints nothing, so no output means the attachment worked; running aws iam list-attached-role-policies against the role gives positive confirmation.
Edit the kops cluster configuration with the additional node permissions
We now need to edit the kops cluster configuration to give the nodes that kops deployed some extra permissions. We do this with the kops CLI:
kops edit cluster ${CLUSTER_NAME}
This opens the kops cluster manifest in your $EDITOR. Under .spec in this file, add the following:
# ...
additionalPolicies:
  node: |
    [
      {
        "Action": [
          "cloudformation:CancelUpdateStack",
          "cloudformation:ContinueUpdateRollback",
          "cloudformation:CreateStack",
          "cloudformation:CreateUploadBucket",
          "cloudformation:DeleteStack",
          "cloudformation:DescribeAccountLimits",
          "cloudformation:DescribeStackEvents",
          "cloudformation:DescribeStackResource",
          "cloudformation:DescribeStackResources",
          "cloudformation:DescribeStacks",
          "cloudformation:GetStackPolicy",
          "cloudformation:ListStackResources",
          "cloudformation:ListStacks",
          "cloudformation:SetStackPolicy",
          "cloudformation:UpdateStack",
          "iam:AddUserToGroup",
          "iam:AttachUserPolicy",
          "iam:CreateAccessKey",
          "iam:CreatePolicy",
          "iam:CreatePolicyVersion",
          "iam:CreateUser",
          "iam:DeleteAccessKey",
          "iam:DeletePolicy",
          "iam:DeletePolicyVersion",
          "iam:DeleteRole",
          "iam:DeleteUser",
          "iam:DeleteUserPolicy",
          "iam:DetachUserPolicy",
          "iam:GetPolicy",
          "iam:GetPolicyVersion",
          "iam:GetUser",
          "iam:GetUserPolicy",
          "iam:ListAccessKeys",
          "iam:ListGroups",
          "iam:ListGroupsForUser",
          "iam:ListInstanceProfiles",
          "iam:ListPolicies",
          "iam:ListPolicyVersions",
          "iam:ListRoles",
          "iam:ListUserPolicies",
          "iam:ListUsers",
          "iam:PutUserPolicy",
          "iam:RemoveUserFromGroup",
          "iam:UpdateUser",
          "ec2:DescribeVpcs",
          "ec2:DescribeSubnets",
          "ec2:DescribeAvailabilityZones"
        ],
        "Resource": ["*"],
        "Effect": "Allow"
      },
      {
        "Action": ["iam:PassRole"],
        "Resource": ["arn:aws:iam::*:role/aws-servicebroker-cfn-deploy-role"],
        "Effect": "Allow"
      },
      {
        "Action": ["ssm:GetParameters"],
        "Resource": [
          "arn:aws:ssm:*:*:parameter/asb-access-key-id-*",
          "arn:aws:ssm:*:*:parameter/asb-secret-access-key-*"
        ],
        "Effect": "Allow"
      }
    ]
A complete example configuration file, kops-config-example.yaml, is included in the tarball you downloaded. Save the file with your $EDITOR's write command, then update the cluster:
kops update cluster ${CLUSTER_NAME} --yes
Once the update completes, confirm that the extra policy is attached to the kops node role; you should see a policy named additional.nodes.${CLUSTER_NAME}:
aws iam list-role-policies --role-name nodes.${CLUSTER_NAME}
Be clear about what this policy does. It grants iam:CreateUser, iam:CreateAccessKey, iam:AttachUserPolicy, iam:PutUserPolicy and iam:CreatePolicyVersion on every resource to the instance role of every node, and unless you block it, any pod on a node can read that role's credentials from the EC2 instance metadata endpoint. A compromised pod could therefore create an IAM user with arbitrary permissions. Before using this on a shared cluster, scope the IAM actions to broker-created user and policy names, require a permissions boundary on any user the nodes may create, and block metadata-endpoint access for workloads that do not need it.
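The checker below makes the concern above concrete. It is an added example, not code from the original post or the AWS Service Broker project: it walks an IAM policy document and reports the privilege-escalation primitives it grants on Resource "*" (user creation plus policy attachment, access-key creation, new policy versions, group membership, unscoped PassRole). NODE_POLICY is a constructed, abbreviated copy of the kops node policy shown above (the IAM statements are verbatim, the cloudformation and ec2 actions are trimmed); SCOPED_POLICY is a hypothetical rewrite with broker-prefixed resources and a permissions-boundary condition, included only to show what the checker does not flag.

```python
"""Triage an IAM policy for privilege-escalation primitives.

Added example, not code from the original post or the AWS Service Broker
project. NODE_POLICY is a constructed, abbreviated copy of the kops node
policy on this page; SCOPED_POLICY is a hypothetical tightening of it.
"""
from __future__ import print_function
import fnmatch

# Each entry is one known path from "can call these on any resource" to
# "can obtain an IAM principal with arbitrary permissions".
ESCALATION_PATHS = {
    "CreateUser + AttachUserPolicy": ("iam:CreateUser", "iam:AttachUserPolicy"),
    "CreateUser + PutUserPolicy": ("iam:CreateUser", "iam:PutUserPolicy"),
    "CreatePolicyVersion on any policy": ("iam:CreatePolicyVersion",),
    "CreateAccessKey for any user": ("iam:CreateAccessKey",),
    "AddUserToGroup on any group": ("iam:AddUserToGroup",),
    "PassRole on any role": ("iam:PassRole",),
}


def _as_list(value):
    # IAM allows a bare string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def _has_boundary_condition(stmt):
    """True if the statement only applies when a permissions boundary is set,
    the standard mitigation for a scoped-down CreateUser/AttachUserPolicy."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.startswith("StringEquals") and any(
                k.lower() == "iam:permissionsboundary" for k in keys):
            return True
    return False


def unbounded_actions(policy):
    """Action patterns granted by Allow statements on Resource "*" that carry
    no permissions-boundary condition. Other Condition keys are ignored,
    which errs on the side of reporting."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or _has_boundary_condition(stmt):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        granted.update(_as_list(stmt.get("Action", [])))
    return granted


def action_granted(patterns, action):
    """Case-insensitive IAM wildcard match, so "iam:*" covers iam:CreateUser."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_escalation_paths(policy):
    """Sorted labels of every escalation path the policy enables."""
    granted = unbounded_actions(policy)
    return sorted(label for label, needed in ESCALATION_PATHS.items()
                  if all(action_granted(granted, a) for a in needed))


NODE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["*"], "Action": [
        "cloudformation:CreateStack", "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks", "cloudformation:UpdateStack",
        "iam:AddUserToGroup", "iam:AttachUserPolicy", "iam:CreateAccessKey",
        "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateUser",
        "iam:DeleteAccessKey", "iam:DeletePolicy", "iam:DeletePolicyVersion",
        "iam:DeleteRole", "iam:DeleteUser", "iam:DeleteUserPolicy",
        "iam:DetachUserPolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
        "iam:GetUser", "iam:GetUserPolicy", "iam:ListAccessKeys",
        "iam:ListGroups", "iam:ListGroupsForUser", "iam:ListInstanceProfiles",
        "iam:ListPolicies", "iam:ListPolicyVersions", "iam:ListRoles",
        "iam:ListUserPolicies", "iam:ListUsers", "iam:PutUserPolicy",
        "iam:RemoveUserFromGroup", "iam:UpdateUser",
        "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/aws-servicebroker-cfn-deploy-role"]},
]}

# Hypothetical tightening: user/key actions limited to broker-prefixed names
# and user creation tied to a permissions boundary (account id is made up).
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "ec2:Describe*"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy"],
     "Resource": ["arn:aws:iam::*:user/AWSServiceBroker-*"],
     "Condition": {"StringEquals": {
         "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/asb-boundary"}}},
    {"Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:DeleteUser"],
     "Resource": ["arn:aws:iam::*:user/AWSServiceBroker-*"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/aws-servicebroker-cfn-deploy-role"]},
]}

if __name__ == "__main__":
    for name, pol in (("page node policy", NODE_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(name, "->", find_escalation_paths(pol) or "no unbounded escalation path")
```

The checker is a first-pass triage, not a proof of safety: it only looks at Allow statements whose Resource is "*", so a policy that names resources but still lets the caller create users without a boundary would pass it and still be escalatable. That is why SCOPED_POLICY pairs the name prefix with the iam:PermissionsBoundary condition rather than relying on the prefix alone.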

Install the AWS Service Broker
To keep things simple, we created some scripts that deploy the AWS Service Broker to a Kubernetes cluster. First, download the tarball:
curl -LO https://s3.amazonaws.com/awsservicebroker/assets/aws-service-broker-install.tar.gz
mkdir awssb
tar -xvf aws-service-broker-install.tar.gz -C awssb
cd awssb
In this new folder you will find a YAML file named k8s-variables. Open it and edit the following configuration mappings:
aws_cloudformation_role_arn: ${CFN_ROLE_ARN}
region: YOUR_REGION
vpc_id: VPC_IN_WHICH_KOPS_IS_RUNNING
Leave the rest of the configuration file unchanged. Now run the installer script:
chmod +x install_aws_service_broker.sh
./install_aws_service_broker.sh
When the installer finishes, check that the AWS Service Broker pod is running and that its service was created:
kubectl get pods --namespace=aws-service-broker
kubectl get svc --namespace=aws-service-broker

Confirm that the AWS Service Broker is registered with the Service Catalog
Now that the AWS Service Broker is deployed and running, we can confirm that it has registered with the Service Catalog and list the services it offers:
kubectl plugin svcat get brokers
kubectl plugin svcat get classes

Provision a new SQS queue
Next, provision a simple SQS queue that we can publish messages to later. Create a file named provision-sqs.yaml with the following contents:
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: opensource-blog-sqs-demo
spec:
  clusterServiceClassExternalName: dh-sqs
  clusterServicePlanExternalName: standard
Now apply the change with kubectl and check that provisioning succeeded:
kubectl apply -f provision-sqs.yaml
kubectl plugin svcat get instances
You can also confirm from the AWS CLI that the SQS queue was created:
aws --region YOUR_REGION sqs list-queues --queue-name-prefix AWSServiceBroker

Bind the provisioned service for use
Now that the service is provisioned, we need to bind it in order to access the queue. During binding, the broker creates a new set of secrets that you can use from any pod in the cluster. Create a file named sqs-demo-binding.yaml with the following contents:
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: os-blog-sqs-binding
spec:
  instanceRef:
    name: opensource-blog-sqs-demo
Now apply the change with kubectl:
kubectl apply -f sqs-demo-binding.yaml
Let's confirm that the binding succeeded:
kubectl plugin svcat get bindings
kubectl plugin svcat describe binding os-blog-sqs-binding
At this point there should be a newly created secret containing everything needed to use the service. Treat it like any other credential-bearing secret: it lives in the binding's namespace, and any principal with get or list on secrets there can read it, so keep secret read access out of broadly granted roles.

Attach the secret to any pod
Now that you have the binding's secret, you can map it into any pod in the Kubernetes cluster just like any other secret. The following example maps the QueueURL and QueueARN keys of the os-blog-sqs-binding secret to the SQS_QUEUE_URL and SQS_QUEUE_ARN environment variables inside the pod:
apiVersion: v1
kind: Pod
metadata:
  name: sqs-demo-app-pod
spec:
  containers:
  - name: pseudocontainer
    image: busybox
    env:
    - name: SQS_QUEUE_URL
      valueFrom:
        secretKeyRef:
          name: os-blog-sqs-binding
          key: QueueURL
    - name: SQS_QUEUE_ARN
      valueFrom:
        secretKeyRef:
          name: os-blog-sqs-binding
          key: QueueARN
  restartPolicy: Never
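The pod above only exposes the binding; the post never shows the application side of it. The following is an added example (not code from the original post or the AWS Service Broker project) of what a container in that pod would run to publish a message. It assumes the secretKeyRef mapping above, so SQS_QUEUE_URL and SQS_QUEUE_ARN are present in the environment, and that whatever credentials the pod runs with (the node role, or the binding's own access keys if you also map them) allow sqs:SendMessage on that queue. Before sending, it cross-checks that the URL and ARN from the secret describe the same queue, so an edited secret or a wrongly mounted binding fails closed. RecordingClient and SAMPLE_ENV are constructed stand-ins so the logic runs without AWS access.

```python
"""Publish to the SQS queue exposed by a Service Broker binding.

Added example, not code from the original post or the AWS Service Broker
project. Assumes SQS_QUEUE_URL / SQS_QUEUE_ARN were injected from the
binding secret as in the pod spec above. Works on Python 2.7 and 3.
"""
from __future__ import print_function
import os
import re

_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
# Standard commercial-partition formats only; amazonaws.com.cn and the legacy
# queue.amazonaws.com host are deliberately rejected.
ARN_RE = re.compile(
    r"^arn:aws:sqs:(?P<region>%s):(?P<account>\d{12}):(?P<name>[\w-]{1,80})$" % _REGION)
URL_RE = re.compile(
    r"^https://sqs\.(?P<region>%s)\.amazonaws\.com/(?P<account>\d{12})/(?P<name>[\w-]{1,80})$"
    % _REGION)


def parse_binding(env):
    """Validate both values and check that they name the same queue.

    Both come from the same secret, so a disagreement means the secret was
    edited or the wrong binding was mounted; refuse rather than send to a
    queue the ARN did not vouch for."""
    url = env.get("SQS_QUEUE_URL", "")
    arn = env.get("SQS_QUEUE_ARN", "")
    m_url, m_arn = URL_RE.match(url), ARN_RE.match(arn)
    if m_url is None or m_arn is None:
        raise ValueError("binding secret missing or malformed: %r / %r" % (url, arn))
    if m_url.groupdict() != m_arn.groupdict():
        raise ValueError("SQS_QUEUE_URL and SQS_QUEUE_ARN describe different queues")
    info = m_arn.groupdict()
    info.update(url=url, arn=arn)
    return info


def publish(sqs_client, env, body):
    """Send one message to the bound queue; returns the SQS MessageId."""
    binding = parse_binding(env)
    resp = sqs_client.send_message(QueueUrl=binding["url"], MessageBody=body)
    return resp["MessageId"]


class RecordingClient(object):
    """Constructed offline stand-in for boto3's SQS client."""
    def __init__(self):
        self.sent = []

    def send_message(self, QueueUrl, MessageBody):
        self.sent.append((QueueUrl, MessageBody))
        return {"MessageId": "msg-%d" % len(self.sent)}


# Constructed sample of what the container sees after the secretKeyRef mapping.
SAMPLE_ENV = {
    "SQS_QUEUE_URL": "https://sqs.us-west-2.amazonaws.com/123456789012/AWSServiceBroker-demo-q",
    "SQS_QUEUE_ARN": "arn:aws:sqs:us-west-2:123456789012:AWSServiceBroker-demo-q",
}

if __name__ == "__main__":
    binding = parse_binding(os.environ)
    import boto3  # real client only when running inside the pod
    client = boto3.client("sqs", region_name=binding["region"])
    print(publish(client, os.environ, "hello from " + binding["name"]))
```

Taking the client as a parameter keeps the validation testable without credentials and makes it obvious which identity the message is sent under; the region is taken from the validated ARN rather than from a separate environment variable so there is one less value that can drift from the binding.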