Kubernetes 部署 JumpServer 2.0 堡垒机
官方文档
https://github.com/jumpserver/Dockerfile
先准备 MySQL 数据库和账号
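-- Create the JumpServer database and the application account that the
-- jms-core Deployment connects with (DB_NAME / DB_USER / DB_PASSWORD).
-- CREATE USER + GRANT is accepted by both MySQL 5.7 and 8.0; the single
-- statement form `GRANT ... IDENTIFIED BY` is rejected by MySQL 8.0.
-- NOTE(review): the '%' host part lets this account log in from any address.
-- Narrow it to the cluster's pod/node network where the environment allows it,
-- and replace the sample password below with a real one.
CREATE DATABASE jumpserver DEFAULT CHARSET 'utf8' COLLATE 'utf8_bin';
CREATE USER 'jumpserver'@'%' IDENTIFIED BY '11111111111111111111111';
GRANT ALL ON jumpserver.* TO 'jumpserver'@'%';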
K8s 部署
PVC 存储
PVC jms-core-data
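---
# Claim for /opt/jumpserver/data. It is mounted by both the jms-core and the
# jms-nginx Deployments, which is why ReadWriteMany is required.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jms-core-data
  namespace: sre
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: "200Gi"
  # Binding is delegated to the nfs-ssd StorageClass. The original carried an
  # empty `volumeName:` (which parses as null); it is dropped here because an
  # absent key and a null value mean the same thing to the API server.
  storageClassName: nfs-ssd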
PVC jms-koko-keys
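---
# Claim backing /opt/koko/data/keys in the jms-koko Deployment.
# NOTE(review): 200Gi is far more than a key directory needs — confirm the
# intended size; the value is kept as the page gives it.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jms-koko-keys
  namespace: sre
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: "200Gi"
  # Binding is delegated to the nfs-ssd StorageClass. The original carried an
  # empty `volumeName:` (which parses as null); it is dropped here because an
  # absent key and a null value mean the same thing to the API server.
  storageClassName: nfs-ssd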
PVC jms-guacamole-keys
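---
# Claim backing /config/guacamole/keys in the jms-guacamole Deployment.
# NOTE(review): 200Gi is far more than a key directory needs — confirm the
# intended size; the value is kept as the page gives it.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jms-guacamole-keys
  namespace: sre
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: "200Gi"
  # Binding is delegated to the nfs-ssd StorageClass. The original carried an
  # empty `volumeName:` (which parses as null); it is dropped here because an
  # absent key and a null value mean the same thing to the API server.
  storageClassName: nfs-ssd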
ConfigMap jms-config
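---
# Runtime settings shared by the jms-core, jms-koko and jms-guacamole
# Deployments, which read them through configMapKeyRef.
#
# NOTE(review): redis_password, mysql_password, secret_key and bootstrap_token
# are credentials. A ConfigMap is neither access-controlled nor encrypted the
# way a Secret can be; move these four keys into a `kind: Secret` and reference
# them with secretKeyRef. They remain here only so the existing Deployment
# references keep resolving. Replace the sample values with your own.
apiVersion: v1
kind: ConfigMap
metadata:
  name: jms-config
  namespace: sre
data:
  redis_host: redis-jumpserver
  redis_port: "6379"
  # All-digit passwords must be quoted: left bare they parse as integers, and
  # the API server rejects ConfigMap data values that are not strings.
  redis_password: "22222222222222222222222222"
  mysql_host: mysql-sre-ink-db
  mysql_port: "3306"
  mysql_db: jumpserver
  mysql_user: jumpserver
  # Must match the password granted to 'jumpserver'@'%' in the MySQL setup.
  mysql_password: "11111111111111111111111"
  core_host: "http://core:8080"
  guacamole_log_level: ERROR
  jumpserver_enable_drive: "true"
  jumpserver_key_dir: "/config/guacamole/keys"
  guacamole_home: "/config/guacamole"
  # SECRET_KEY protects signed data. Change it on first install and keep it
  # safe; it must not change on later upgrades or migrations, otherwise data
  # encrypted with it can no longer be decrypted.
  secret_key: "B3f2w8P2PfxIAS7s4URrD9YmSbtqX4vXdPUL217kL9XPUOWrmy"
  # BOOTSTRAP_TOKEN authenticates components (koko, guacamole) and is used only
  # when a component registers.
  bootstrap_token: "7Q11Vz6R2J6BLAdO"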
部署组件
Deployment jms-core（端口 8080、8070）
---
# jms-core: the JumpServer core service. Exposes HTTP on 8080 and the
# websocket endpoint on 8070 (matched by the `core` Service), and persists
# its data directory on the jms-core-data claim.
# NOTE(review): no resources, probes or securityContext are declared; consider
# adding them before running this outside a test cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-core
  namespace: sre
  labels:
    jms: core
spec:
  selector:
    matchLabels:
      jms: core
  template:
    metadata:
      labels:
        jms: core
    spec:
      containers:
        - name: jms-core
          image: registry.cn-hangzhou.aliyuncs.com/pub_img/jms_core:2.0.0
          imagePullPolicy: IfNotPresent
          ports:
            - name: ws
              containerPort: 8070
            - name: http
              containerPort: 8080
          # Every setting comes from the jms-config ConfigMap.
          # NOTE(review): DB_PASSWORD, REDIS_PASSWORD, SECRET_KEY and
          # BOOTSTRAP_TOKEN are credentials; once those keys live in a Secret,
          # switch these references to secretKeyRef.
          env:
            - name: REDIS_HOST
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: redis_host
            - name: REDIS_PORT
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: redis_port
            - name: REDIS_PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: redis_password
            - name: DB_HOST
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_host
            - name: DB_PORT
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_port
            - name: DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_db
            - name: DB_USER
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_user
            - name: DB_PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_password
            - name: SECRET_KEY
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: secret_key
            - name: BOOTSTRAP_TOKEN
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: bootstrap_token
          volumeMounts:
            - name: core-data
              mountPath: /opt/jumpserver/data
      volumes:
        - name: core-data
          persistentVolumeClaim:
            claimName: jms-core-data
Service core
---
# ClusterIP Service in front of the jms-core pods. Its name is what the
# ConfigMap's core_host (http://core:8080) resolves to inside the namespace.
apiVersion: v1
kind: Service
metadata:
  name: core
  namespace: sre
  labels:
    jms: core
spec:
  selector:
    jms: core
  ports:
    - name: ws
      protocol: TCP
      port: 8070
      targetPort: 8070
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
Deployment jms-koko（端口 2222、5000）
---
# jms-koko: the SSH (2222) and web-terminal (5000) component. It registers
# with the core service using BOOTSTRAP_TOKEN and keeps its keys on the
# jms-koko-keys claim.
# NOTE(review): no resources, probes or securityContext are declared.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-koko
  namespace: sre
  labels:
    jms: koko
spec:
  selector:
    matchLabels:
      jms: koko
  template:
    metadata:
      labels:
        jms: koko
    spec:
      containers:
        - name: jms-koko
          image: registry.cn-hangzhou.aliyuncs.com/pub_img/jms_koko:20200618
          imagePullPolicy: IfNotPresent
          ports:
            - name: ssh
              containerPort: 2222
            - name: http
              containerPort: 5000
          env:
            - name: CORE_HOST
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: core_host
            # NOTE(review): a credential read from a ConfigMap; prefer a
            # Secret plus secretKeyRef once the key has been moved.
            - name: BOOTSTRAP_TOKEN
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: bootstrap_token
          volumeMounts:
            - name: koko-keys
              mountPath: /opt/koko/data/keys
      volumes:
        - name: koko-keys
          persistentVolumeClaim:
            claimName: jms-koko-keys
Service koko
---
# ClusterIP Service for the koko pods. Note that the Ingress on this page only
# routes HTTP to jms-nginx, so SSH on 2222 is reachable from inside the cluster
# only; external SSH access needs a separate exposure that this page does not
# define.
apiVersion: v1
kind: Service
metadata:
  name: koko
  namespace: sre
  labels:
    jms: koko
spec:
  selector:
    jms: koko
  ports:
    - name: ssh
      protocol: TCP
      port: 2222
      targetPort: 2222
    - name: http
      protocol: TCP
      port: 5000
      targetPort: 5000
Deployment jms-guacamole
---
# jms-guacamole: the RDP/VNC gateway component, listening on 8080. It talks to
# the core service (JUMPSERVER_SERVER) and stores its keys on the
# jms-guacamole-keys claim.
# NOTE(review): no resources, probes or securityContext are declared.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-guacamole
  namespace: sre
  labels:
    jms: guacamole
spec:
  selector:
    matchLabels:
      jms: guacamole
  template:
    metadata:
      labels:
        jms: guacamole
    spec:
      containers:
        - name: jms-guacamole
          image: registry.cn-hangzhou.aliyuncs.com/pub_img/jms_guacamole:20200618
          imagePullPolicy: IfNotPresent
          ports:
            - name: guacamole
              containerPort: 8080
          env:
            - name: JUMPSERVER_SERVER
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: core_host
            - name: GUACAMOLE_LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: guacamole_log_level
            - name: JUMPSERVER_ENABLE_DRIVE
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: jumpserver_enable_drive
            # NOTE(review): a credential read from a ConfigMap; prefer a
            # Secret plus secretKeyRef once the key has been moved.
            - name: BOOTSTRAP_TOKEN
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: bootstrap_token
            # Both paths point at the mount declared below.
            - name: JUMPSERVER_KEY_DIR
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: jumpserver_key_dir
            - name: GUACAMOLE_HOME
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: guacamole_home
          volumeMounts:
            - name: guacamole-keys
              mountPath: /config/guacamole/keys
      volumes:
        - name: guacamole-keys
          persistentVolumeClaim:
            claimName: jms-guacamole-keys
Service guacamole
---
# ClusterIP Service for the guacamole pods on 8080.
apiVersion: v1
kind: Service
metadata:
  name: guacamole
  namespace: sre
  labels:
    jms: guacamole
spec:
  selector:
    jms: guacamole
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
Deployment jms-nginx
---
# jms-nginx: the HTTP front end on port 80, and the only component the Ingress
# routes to. It shares the jms-core-data claim with jms-core.
# NOTE(review): no resources, probes or securityContext are declared.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jms-nginx
  namespace: sre
  labels:
    jms: nginx
spec:
  selector:
    matchLabels:
      jms: nginx
  template:
    metadata:
      labels:
        jms: nginx
    spec:
      containers:
        - name: jms-nginx
          # Upstream image, kept for reference: jumpserver/jms_nginx:2.0.0
          image: registry.cn-hangzhou.aliyuncs.com/pub_img/jms_nginx:2.0.0
          imagePullPolicy: IfNotPresent
          ports:
            - name: nginx
              containerPort: 80
          volumeMounts:
            - name: core-data
              mountPath: /opt/jumpserver/data
      volumes:
        - name: core-data
          persistentVolumeClaim:
            claimName: jms-core-data
Service nginx
---
# ClusterIP Service for the nginx pods; the Ingress below sends all traffic
# for jump.test.org here.
apiVersion: v1
kind: Service
metadata:
  name: jms-nginx
  namespace: sre
  labels:
    jms: nginx
spec:
  selector:
    jms: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
Ingress http
---
# Publishes the jms-nginx Service on jump.test.org.
# NOTE(review): no `tls:` section is configured, so logins and web-terminal
# traffic to the bastion reach the ingress in cleartext; add a TLS secret for
# this host before exposing it beyond a test network.
# NOTE(review): networking.k8s.io/v1beta1 is the legacy Ingress API; newer
# clusters serve only networking.k8s.io/v1, whose backend is written as
# service.name / service.port.number.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: jump-test-org
  namespace: sre
  annotations:
    kubernetes.io/ingress.class: nginx
    # nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/proxy-body-size: 10240m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
spec:
  rules:
    - host: jump.test.org
      http:
        paths:
          - path: /
            backend:
              serviceName: jms-nginx
              servicePort: 80
访问 http://jump.test.org/ ，默认账号 / 密码：admin / admin