1、docker启动mysql

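  # Quick start: run a single MySQL 8.0 container with docker.
  docker pull mysql:8.0
  # -p 3306:3306 publishes the container port on every host interface;
  # -e MYSQL_ROOT_PASSWORD sets the root password, which then also appears in
  # `docker inspect` output and the shell history, so treat it as a lab value.
  # Binding only loopback (-p 127.0.0.1:3306:3306) keeps the port off the network.
  docker run --name mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -d mysql:8.0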
  • -p 3306:3306 :映射容器服务的 3306 端口到宿主机的 3306 端口,外部主机可以直接通过 宿主机ip:3306 访问到 MySQL 的服务。
  • MYSQL_ROOT_PASSWORD=123456:设置 MySQL 服务 root 用户的密码。

2、单节点mysql服务

1)创建pvc

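  # PersistentVolumeClaim for the single MySQL instance; the StatefulSet below
  # mounts it at /var/lib/mysql.
  apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: mysql-pvc
    namespace: app-001
  spec:
    # NOTE(review): the class name suggests a hostpath-based CSI driver, i.e.
    # data on one node's disk — confirm before relying on it for durability.
    storageClassName: csi-hostpath-sc
    accessModes:
      - ReadWriteOnce  # one node at a time; sufficient for a single replica
    resources:
      requests:
        storage: 10Gi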
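  # Create the claim; `kubectl get pvc -n app-001` shows its binding state.
  kubectl apply -f mysql-pvc.yaml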

2)创建service

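  # Headless Service (clusterIP: None) for the StatefulSet. It gives the pod a
  # stable DNS name, mysql-0.mysql-svc.app-001.svc.cluster.local, which the
  # test client and db.properties below rely on.
  apiVersion: v1
  kind: Service
  metadata:
    name: mysql-svc
    namespace: app-001
  spec:
    ports:
      - port: 3306
    selector:
      app: mysql
    clusterIP: None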
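  # Create the headless Service before the StatefulSet that names it in serviceName.
  kubectl apply -f mysql-svc.yaml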

3)创建statefulset

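  # Single-instance MySQL StatefulSet. Note the image is mysql:5.7 here while
  # the docker quick start above used mysql:8.0; the test client below also
  # uses 5.7, so the two sections are not interchangeable.
  apiVersion: apps/v1
  kind: StatefulSet
  metadata:
    name: mysql
    namespace: app-001
  spec:
    serviceName: mysql-svc  # headless Service above; pod DNS is mysql-0.mysql-svc
    selector:
      matchLabels:
        app: mysql
    template:
      metadata:
        labels:
          app: mysql
      spec:
        containers:
          - image: mysql:5.7
            name: mysql
            env:
              # Use a Secret in real usage: this plain value is readable by
              # anyone who can `kubectl get sts -o yaml` in app-001. The
              # Secret-backed form is valueFrom.secretKeyRef (name/key of a
              # Secret in the same namespace).
              - name: MYSQL_ROOT_PASSWORD
                value: password  # root password; the test and import steps pass it as -ppassword
            ports:
              - containerPort: 3306
                name: mysql
            resources:
              limits:
                cpu: 800m
                memory: 1Gi
              requests:
                cpu: 500m
                memory: 800Mi
            volumeMounts:
              - name: mysql-persistent-storage
                mountPath: /var/lib/mysql
        volumes:
          # A fixed claimName (rather than volumeClaimTemplates) means every
          # replica would share this ReadWriteOnce claim, so keep replicas at
          # the default of 1 with this layout.
          - name: mysql-persistent-storage
            persistentVolumeClaim:
              claimName: mysql-pvc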
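  # Create the StatefulSet; the pod will be named mysql-0.
  kubectl apply -f mysql-sts.yaml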

4)测试

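  # Connectivity test from a throw-away client pod inside the cluster.
  # --rm removes the pod when the session ends. The host is the StatefulSet
  # pod's stable DNS name from the headless Service. -ppassword places the
  # password in the pod's command line (visible via kubectl get pod -o yaml)
  # and in the shell history; passing -p alone makes the client prompt for it.
  kubectl run -it --rm --image=mysql:5.7 --restart=Never mysql-client -- mysql -h mysql-0.mysql-svc.app-001.svc.cluster.local -ppassword
  # Only needed if --rm did not clean up (for example an interrupted session).
  kubectl delete po mysql-client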

导入SQL

youyiyuan.sql

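  # One-off import of youyiyuan.sql from a throw-away CentOS container on a node.
  docker run -itd --rm --name import-test geray/centos:v7-1 bash
  docker cp youyiyuan.sql import-test:/
  docker exec -it import-test bash
  # The remaining commands run inside the container.
  yum -y install mysql
  # 10.244.36.126 is the MySQL pod's IP: reachable from the node, but not
  # stable across pod restarts. The cluster DNS name used elsewhere on this
  # page is presumably not resolvable from a plain docker container, which is
  # why the IP is used here. -ppassword exposes the password in the process
  # list and shell history.
  mysql -h 10.244.36.126 -uroot -ppassword
  mysql -h 10.244.36.126 -uroot -ppassword < youyiyuan.sql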

3、部署web

1)创建configmap或者secret

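  # Show the JDBC properties file that becomes the web Secret below.
  cat db.properties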
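  driverClass=com.mysql.cj.jdbc.Driver
  # The MySQL Service name (mysql-svc.app-001.svc.cluster.local) should be used here;
  # because this is a single-instance MySQL, the pod name is used directly.
  url=jdbc:mysql://mysql-0.mysql-svc.app-001.svc.cluster.local:3306/youyiyuan
  # The application connects as root. A dedicated MySQL account with
  # privileges limited to the youyiyuan schema would confine what a leaked
  # copy of this file can do.
  username=root
  # Plain-text credential; this file is base64-encoded verbatim into the
  # Secret below, so keep it out of version control.
  userpwd=password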
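  # Render the Secret manifest from db.properties without creating it
  # (--dry-run=client) and save it to web-secret.yaml. The saved file holds the
  # credential in base64 (not encrypted); do not commit it.
  kubectl create secret generic web-youyiyuan-secret --from-file=db.properties -n app-001 -o yaml --dry-run=client | tee web-secret.yaml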
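  # Output of the dry-run above. The data value is only base64-encoded:
  # anyone who can read this file, or Secrets in app-001, recovers
  # db.properties (including the root password) with `base64 -d`.
  apiVersion: v1
  data:
    db.properties: ZHJpdmVyQ2xhc3M9Y29tLm15c3FsLmNqLmpkYmMuRHJpdmVyCnVybD1qZGJjOm15c3FsOi8vbXlzcWwtMC5teXNxbC1zdmMuYXBwLTAwMS5zdmMuY2x1c3Rlci5sb2NhbDozMzA2L3lvdXlpeXVhbgp1c2VybmFtZT1yb290CnVzZXJwd2Q9cGFzc3dvcmQK
  kind: Secret
  metadata:
    name: web-youyiyuan-secret
    namespace: app-001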
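  # Create the Secret the web Deployment mounts as db.properties.
  kubectl apply -f web-secret.yaml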

2)创建deployment

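  # Tomcat web application, three replicas, reading its DB settings from the
  # web-youyiyuan-secret Secret mounted as a single file.
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: web-youyiyuan
    namespace: app-001
    labels:
      app: web-youyiyuan
  spec:
    replicas: 3
    selector:
      matchLabels:
        app: web-youyiyuan
    template:
      metadata:
        labels:
          app: web-youyiyuan
      spec:
        containers:
          - image: geray/youyiyuan:v1
            name: youyiyuan
            resources:
              limits:
                memory: "200Mi"
                cpu: "500m"
              requests:
                memory: "200Mi"
                cpu: "300m"
            # Liveness starts 3 s after container start and fires every 3 s.
            # NOTE(review): a Tomcat webapp that deploys more slowly than that
            # will be restarted repeatedly; there is also no readinessProbe, so
            # the Service routes to pods as soon as the container starts.
            livenessProbe:
              httpGet:
                path: /
                port: 8080
              initialDelaySeconds: 3
              periodSeconds: 3
            volumeMounts:
              - name: db-file
                mountPath: "/usr/local/tomcat/webapps/youyiyuan3/WEB-INF/classes/db.properties"
                # subPath does not overwrite the existing directory or its other
                # files. A subPath mount of a Secret is not refreshed when the
                # Secret changes; a new rollout is needed to pick up a new password.
                subPath: db.properties
                readOnly: true
        volumes:
          - name: db-file
            secret:
              secretName: web-youyiyuan-secret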
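  # File name as written on this page (note the spelling); it must match the
  # name the Deployment manifest above was saved under.
  kubectl apply -f web-deployemnt.yaml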

3)创建service

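  # Render a NodePort Service for the Deployment and save the manifest.
  kubectl expose deployment web-youyiyuan --type=NodePort --port=8080 --target-port=8080 --name web-youyiyuan-svc -o yaml --dry-run=client | tee web-youyiyuan-svc.yaml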
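  # Service in front of the web pods. type: NodePort additionally opens a port
  # on every node; since the Ingress below reaches the Service inside the
  # cluster, ClusterIP would be enough if node-level exposure is not wanted.
  apiVersion: v1
  kind: Service
  metadata:
    name: web-youyiyuan-svc
    namespace: app-001
  spec:
    ports:
      - port: 8080
        protocol: TCP
        targetPort: 8080
    selector:
      app: web-youyiyuan
    type: NodePort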
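  # Create the Service referenced by the Ingress backend below.
  kubectl apply -f web-youyiyuan-svc.yaml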

4)创建ingress(https)

  • 自制证书文件
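  # Self-signed certificate for the Ingress host demo.youyiyuan.cn.
  openssl genrsa -out tls-yyy.key 2048
  # `req -x509` without -days issues a 30-day certificate by default, hence
  # -days 365. Browsers and most clients match the host against
  # subjectAltName, not CN, so the name is also added as a SAN (-addext needs
  # OpenSSL 1.1.1 or newer; drop it on older releases).
  openssl req -new -x509 -days 365 -key tls-yyy.key -out tls-yyy.crt -subj /C=CN/ST=GS/L=LZ/O=devops/CN=demo.youyiyuan.cn -addext "subjectAltName=DNS:demo.youyiyuan.cn"
  # Two files result: tls-yyy.key (private key, keep it out of version
  # control) and tls-yyy.crt.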

k8s-项目部署 - 图1

  • 生成secret
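  # Render the TLS Secret from the key pair. The Ingress below must reference
  # this Secret by name (web-yyy) in spec.tls[].secretName.
  kubectl create secret tls web-yyy -n app-001 --cert=tls-yyy.crt --key=tls-yyy.key -o yaml --dry-run=client | tee secret-yyy.yaml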

下面是第二种方式

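  # Show the cfssl script used for the second (private-CA) way of issuing the certificate.
  cat crets.sh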
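  # Issue the server certificate for demo.youyiyuan.cn from a private CA with cfssl.
# Signing policy. 87600h is ten years, for both the CA and leaf certificates.
# The profile is used for a web server certificate only, so it carries
# "server auth" and not "client auth": a client-auth-capable certificate
# signed by the cluster's own CA (see the note before the last command) is
# accepted by the API server as a client identity whose user name is the CN.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}
EOF
# CA request; produces ca.pem and ca-key.pem. ca-key.pem can sign arbitrary
# certificates for this CA, so keep it off shared or versioned storage.
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# Leaf request. "hosts" becomes the subjectAltName list; it must contain the
# Ingress host, because browsers match the host against the SAN and ignore
# the CN. An empty list would yield a certificate with no SAN.
cat > demo.youyiyuan.cn-csr.json <<EOF
{
  "CN": "demo.youyiyuan.cn",
  "hosts": ["demo.youyiyuan.cn"],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
# The cluster's ca and ca-key could be used here instead. Doing so ties the
# web certificate to the CA the API server trusts; a CA dedicated to Ingress
# certificates, as generated above, keeps the two trust domains separate.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes demo.youyiyuan.cn-csr.json | cfssljson -bare demo.youyiyuan.cn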

ingress.yaml

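  # Render the Ingress manifest. Note the name given here (web-youyiyun-ing)
  # differs from the one in the saved manifest below (web-youyiyuan-ing); the
  # manifest is what gets applied. The tee path is specific to the author's machine.
  kubectl -n app-001 create ingress web-youyiyun-ing --rule="demo.youyiyuan.cn/*=web-youyiyuan-svc:8080" -o yaml --dry-run=client | tee /aliang-cka-06/mysql/mysql/web/web-youyiyuan-ingress.yaml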
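  # HTTPS Ingress for demo.youyiyuan.cn, terminating TLS with the Secret
  # created by `kubectl create secret tls web-yyy` above.
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: web-youyiyuan-ing
    namespace: app-001
  spec:
    # NOTE(review): no ingressClassName is set; whether a controller picks
    # this Ingress up depends on the cluster's default class — confirm.
    rules:
      - host: demo.youyiyuan.cn
        http:
          paths:
            - backend:
                service:
                  name: web-youyiyuan-svc
                  port:
                    number: 8080
              path: /
              pathType: Prefix
    tls:
      - hosts:
          - demo.youyiyuan.cn
        # Must name the TLS Secret (web-yyy), not the Service. The original
        # referenced web-youyiyuan-svc, which is not a Secret, so the
        # controller could not load the certificate for this host.
        secretName: web-yyy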

4、网络策略

只允许本名称空间下的带有app=web-youyiyuan标签的pod访问3306端口

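  # Allow only pods in app-001 labelled app=web-youyiyuan to reach MySQL on
  # TCP 3306. podSelector must select the MySQL pod (label app=mysql from the
  # StatefulSet template); an empty selector ({}) would isolate every pod in
  # the namespace, including the web pods, whose port 8080 would then be
  # unreachable from the Ingress controller and the NodePort.
  # Enforcement requires a CNI that implements NetworkPolicy. Once applied,
  # the unlabelled mysql-client test pod above can no longer connect.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: db-network-policy
    namespace: app-001
  spec:
    podSelector:
      matchLabels:
        app: mysql
    policyTypes:
      - Ingress
    ingress:
      - from:
          - podSelector:
              matchLabels:
                app: web-youyiyuan
        ports:
          - protocol: TCP
            port: 3306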