kubernetes部署jumpserver2.0堡垒机


官方文档

https://github.com/jumpserver/Dockerfile

先准备mysql库

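-- Database for JumpServer. The charset/collation pair is the one JumpServer's
-- own install docs use; keep it unless the vendor docs for your version differ.
create database jumpserver default charset 'utf8' collate 'utf8_bin';

-- Create the account first, then grant. The original single-statement form
-- (`grant ... identified by ...`) is MySQL 5.x syntax that MySQL 8.0 rejects,
-- so the two-step form works on both.
-- The password is a placeholder that also appears as mysql_password in the
-- jms-config ConfigMap below: generate one value and put it in both places.
-- '%' accepts this account from any host; narrow it to the address range the
-- jms-core pods actually connect from if your network layout allows it.
create user 'jumpserver'@'%' identified by '11111111111111111111111';
grant all privileges on jumpserver.* to 'jumpserver'@'%';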

k8s部署

pvc 存储

pvc jms-core-data

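---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jms-core-data
  namespace: sre
spec:
  # ReadWriteMany because the same claim is mounted by both the jms-core and
  # the jms-nginx Deployments further down this page.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: "200Gi"
  # Dynamically provisioned via the storage class. The original carried an
  # empty `volumeName:` (YAML null), which is the same as leaving the key out;
  # it is dropped here so the manifest has no ambiguous empty value.
  storageClassName: nfs-ssd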

pvc jms-koko-keys

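---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jms-koko-keys
  namespace: sre
spec:
  # NOTE(review): this claim is mounted at /opt/koko/data/keys by jms-koko, so
  # presumably it holds koko's key material. On an RWX NFS export, ownership
  # and mode of those files are governed by the export's squash settings --
  # confirm on the NFS server that the key files are not world-readable.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      # A key directory needs a few small files; 200Gi is almost certainly far
      # more than needed -- check what nfs-ssd actually allocates before
      # keeping this figure.
      storage: "200Gi"
  # Dynamically provisioned via the storage class. The original carried an
  # empty `volumeName:` (YAML null), equivalent to omitting the key; dropped.
  storageClassName: nfs-ssd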

pvc jms-guacamole-keys

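---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jms-guacamole-keys
  namespace: sre
spec:
  # NOTE(review): mounted at /config/guacamole/keys (JUMPSERVER_KEY_DIR) by
  # jms-guacamole, so presumably it holds that component's key material. On an
  # RWX NFS export, file ownership/mode follow the export's squash settings --
  # confirm on the NFS server that the key files are not world-readable.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      # A key directory needs a few small files; 200Gi is almost certainly far
      # more than needed -- check what nfs-ssd actually allocates.
      storage: "200Gi"
  # Dynamically provisioned via the storage class. The original carried an
  # empty `volumeName:` (YAML null), equivalent to omitting the key; dropped.
  storageClassName: nfs-ssd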

ConfigMap jms-config

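---
apiVersion: v1
kind: ConfigMap
metadata:
  name: jms-config
  namespace: sre
data:
  # NOTE(review): redis_password, mysql_password, secret_key and bootstrap_token
  # are credentials. A ConfigMap is readable by anyone who can `get configmaps`
  # in this namespace and is not encrypted at rest unless the cluster enables
  # it; a Secret is the usual home for these. The Deployments on this page
  # read them with configMapKeyRef, so moving them also means switching those
  # env entries to secretKeyRef -- do both together.
  #
  # All values are quoted: ConfigMap data values must be strings, and an
  # unquoted all-digit password such as the placeholders below is parsed as a
  # YAML integer, which the API server rejects when the object is applied.
  redis_host: "redis-jumpserver"
  redis_port: "6379"
  redis_password: "22222222222222222222222222"
  mysql_host: "mysql-sre-ink-db"
  mysql_port: "3306"
  mysql_db: "jumpserver"
  mysql_user: "jumpserver"
  # Must match the password given to 'jumpserver'@'%' in the MySQL step above.
  mysql_password: "11111111111111111111111"
  # Cluster-internal address of the core Service; plain http inside the cluster.
  core_host: "http://core:8080"
  guacamole_log_level: "ERROR"
  # Enables the file-transfer ("drive") feature in guacamole.
  jumpserver_enable_drive: "true"
  jumpserver_key_dir: "/config/guacamole/keys"
  guacamole_home: "/config/guacamole"
  # SECRET_KEY protects signed/encrypted data. Change it before the first
  # install and keep it safe; it must never change across upgrades or
  # migrations, otherwise previously encrypted data can no longer be decrypted.
  # The value shown here is published verbatim on this page -- generate your own.
  secret_key: "B3f2w8P2PfxIAS7s4URrD9YmSbtqX4vXdPUL217kL9XPUOWrmy"
  # BOOTSTRAP_TOKEN authenticates components (koko, guacamole) to core; it is
  # used only at component registration. Same caveat: the value below is
  # public -- generate your own.
  bootstrap_token: "7Q11Vz6R2J6BLAdO"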

部署组件

Deployment jms-core 8080 8070

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: jms-core
  namespace: sre
  labels:
    jms: core
spec:
  selector:
    matchLabels:
      jms: core
  template:
    metadata:
      labels:
        jms: core
    spec:
      containers:
        - name: jms-core
          # "2.0.0" is a mutable tag, not a digest; with IfNotPresent a node
          # keeps using whatever it already cached under that tag. Pin
          # image@sha256:... if reproducible pulls matter to you.
          image: "registry.cn-hangzhou.aliyuncs.com/pub_img/jms_core:2.0.0"
          imagePullPolicy: IfNotPresent
          ports:
            - name: ws
              containerPort: 8070
            - name: http
              containerPort: 8080
          # NOTE(review): every value below, including the passwords,
          # SECRET_KEY and BOOTSTRAP_TOKEN, is pulled from the jms-config
          # ConfigMap via configMapKeyRef. If those keys move to a Secret,
          # the credential entries here become secretKeyRef.
          # No resources or securityContext are declared; the page gives no
          # basis for picking values, so none are invented here.
          env:
            - name: REDIS_HOST
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: redis_host
            - name: REDIS_PORT
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: redis_port
            - name: REDIS_PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: redis_password
            - name: DB_HOST
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_host
            - name: DB_PORT
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_port
            - name: DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_db
            - name: DB_USER
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_user
            - name: DB_PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: mysql_password
            - name: SECRET_KEY
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: secret_key
            - name: BOOTSTRAP_TOKEN
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: bootstrap_token
          volumeMounts:
            # Shared RWX claim; jms-nginx mounts the same path from the same PVC.
            - name: core-data
              mountPath: /opt/jumpserver/data
      volumes:
        - name: core-data
          persistentVolumeClaim:
            claimName: jms-core-data


service core

---
apiVersion: v1
kind: Service
metadata:
  name: core
  namespace: sre
  labels:
    jms: core
spec:
  # No `type`, so this is a ClusterIP Service: only reachable inside the
  # cluster, which is what jms-config's core_host (http://core:8080) expects.
  selector:
    jms: core
  ports:
    - name: ws
      protocol: TCP
      port: 8070
      targetPort: 8070
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080


Deployment jms-koko 2222 5000

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: jms-koko
  namespace: sre
  labels:
    jms: koko
spec:
  selector:
    matchLabels:
      jms: koko
  template:
    metadata:
      labels:
        jms: koko
    spec:
      containers:
        - name: jms-koko
          # Date-stamped tag rather than a digest; IfNotPresent reuses a
          # node's cached copy of that tag.
          image: "registry.cn-hangzhou.aliyuncs.com/pub_img/jms_koko:20200618"
          imagePullPolicy: IfNotPresent
          ports:
            - name: ssh
              containerPort: 2222
            - name: http
              containerPort: 5000
          env:
            # Where koko reaches jms-core (cluster-internal, plain http).
            - name: CORE_HOST
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: core_host
            # Per the jms-config note, used only while the component
            # registers with core. Read from a ConfigMap here, not a Secret.
            - name: BOOTSTRAP_TOKEN
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: bootstrap_token
          volumeMounts:
            # Persisted so the component's keys survive pod restarts.
            - name: koko-keys
              mountPath: /opt/koko/data/keys
      volumes:
        - name: koko-keys
          persistentVolumeClaim:
            claimName: jms-koko-keys


service koko

---
apiVersion: v1
kind: Service
metadata:
  name: koko
  namespace: sre
  labels:
    jms: koko
spec:
  # ClusterIP (no `type` given). Port 2222 is the SSH entry point users
  # connect to; this page only exposes HTTP through the Ingress, so how SSH
  # clients outside the cluster reach 2222 (NodePort, LoadBalancer, ...) is
  # not shown here.
  selector:
    jms: koko
  ports:
    - name: ssh
      protocol: TCP
      port: 2222
      targetPort: 2222
    - name: http
      protocol: TCP
      port: 5000
      targetPort: 5000


Deployment jms-guacamole

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: jms-guacamole
  namespace: sre
  labels:
    jms: guacamole
spec:
  selector:
    matchLabels:
      jms: guacamole
  template:
    metadata:
      labels:
        jms: guacamole
    spec:
      containers:
        - name: jms-guacamole
          # Date-stamped tag rather than a digest; IfNotPresent reuses a
          # node's cached copy of that tag.
          image: "registry.cn-hangzhou.aliyuncs.com/pub_img/jms_guacamole:20200618"
          imagePullPolicy: IfNotPresent
          ports:
            - name: guacamole
              containerPort: 8080
          env:
            # Same core_host key as koko, exposed under guacamole's own variable name.
            - name: JUMPSERVER_SERVER
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: core_host
            - name: GUACAMOLE_LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: guacamole_log_level
            # "true" in jms-config: file transfer is enabled for RDP sessions.
            - name: JUMPSERVER_ENABLE_DRIVE
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: jumpserver_enable_drive
            # Registration-time credential, read from a ConfigMap rather than a Secret.
            - name: BOOTSTRAP_TOKEN
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: bootstrap_token
            # Must agree with the mountPath below (/config/guacamole/keys).
            - name: JUMPSERVER_KEY_DIR
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: jumpserver_key_dir
            - name: GUACAMOLE_HOME
              valueFrom:
                configMapKeyRef:
                  name: jms-config
                  key: guacamole_home
          volumeMounts:
            - name: guacamole-keys
              mountPath: /config/guacamole/keys
      volumes:
        - name: guacamole-keys
          persistentVolumeClaim:
            claimName: jms-guacamole-keys

service guacamole

---
apiVersion: v1
kind: Service
metadata:
  name: guacamole
  namespace: sre
  labels:
    jms: guacamole
spec:
  # ClusterIP; reached by jms-nginx inside the cluster. Port number happens to
  # match core's http port, but this is a separate Service.
  selector:
    jms: guacamole
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080


Deployment jms-nginx

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: jms-nginx
  namespace: sre
  labels:
    jms: nginx
spec:
  selector:
    matchLabels:
      jms: nginx
  template:
    metadata:
      labels:
        jms: nginx
    spec:
      containers:
        - name: jms-nginx
          # Mirror of jumpserver/jms_nginx:2.0.0 (the upstream name was left as
          # a comment in the original). Mutable tag, see note on jms-core.
          image: "registry.cn-hangzhou.aliyuncs.com/pub_img/jms_nginx:2.0.0"
          imagePullPolicy: IfNotPresent
          ports:
            - name: nginx
              containerPort: 80
          volumeMounts:
            # Same RWX claim as jms-core, at the same path -- presumably so
            # nginx can serve files that core writes under data/; confirm
            # against the image's nginx config.
            - name: core-data
              mountPath: /opt/jumpserver/data
      volumes:
        - name: core-data
          persistentVolumeClaim:
            claimName: jms-core-data

service nginx

---
apiVersion: v1
kind: Service
metadata:
  name: jms-nginx
  namespace: sre
  labels:
    jms: nginx
spec:
  # ClusterIP backend for the Ingress below; plain HTTP on port 80.
  selector:
    jms: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80


Ingress http

---
# NOTE(review): no `tls:` section, so the bastion login (admin password,
# session cookie) crosses the network in cleartext unless TLS is terminated
# by something in front of this ingress controller. Add a tls stanza with a
# certificate Secret for jump.test.org before exposing this beyond a lab.
# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; on newer
# clusters this must be networking.k8s.io/v1 (ingressClassName instead of the
# annotation, backend.service.name/port instead of serviceName/servicePort).
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: jump-test-org
  namespace: sre
  annotations:
    kubernetes.io/ingress.class: nginx
    # rewrite-target was disabled in the original and stays disabled:
    # nginx.ingress.kubernetes.io/rewrite-target: /$2
    # 10 GiB request bodies -- presumably for the file-transfer ("drive")
    # feature enabled in jms-config; confirm this size is really needed.
    nginx.ingress.kubernetes.io/proxy-body-size: 10240m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
spec:
  rules:
    - host: jump.test.org
      http:
        paths:
          - path: /
            backend:
              serviceName: jms-nginx
              servicePort: 80


http://jump.test.org/

默认账号 / 密码：admin / admin。这是所有 JumpServer 安装共用的默认凭据，首次登录后请立即修改管理员密码（并建议开启 MFA）；另外上面的示例通过 http:// 明文访问，正式环境应在 Ingress 上配置 TLS 后再对外开放。
