k8s与CICD--利用flux部署应用到kubernetes

前言

一直在思考部署应用到k8s的姿势，之前介绍过helm，个人感觉helm把记 录数据放到k8s中不是特别好。最近发现了weave的flux项目(A tool for deploying container images to Kubernetes services)。

flux简介和注意事项

flux简介

先上图，大致看一下flux的理念。

1：flux可以和任意你喜欢的CI工具搭配比如：Drone,CircleCI,gitlabCI等。实际上flux做了CD的环节。

2：flux可以帮助你安全地更新应用。一般会遇到更新过程出错的问题，在flux实现中，每个部署的应用的yaml文件存储在git仓库里，所以每次更改都可以追踪，所以也能精确回滚到任何一个历史版本。这点我是觉得非常好的。当应用需要更新镜像的时候，有以下几个步骤：

1. Clone the repository
2. Find the deployment files that use the image in question (there may be more than one, since we have e.g., sidecar containers that use the same image)
3. Update a few fields in each file, in slightly different ways (e.g., put the image name in the template, and the tag part of the image name in a version label)
4. Commit and push the change back to Git

如果只是更新镜像，其实有更简单的操作：

$ fluxctl release --service=sock-shop/front-end --update-all-images Submitting release job... Release job submitted, ID cc08f78c-0e66-24a9-9215-82c80cc646c3 Status: Complete. Here's what happened: 1. Submitted job. 2. Calculating release actions. 3. Release latest images to sock-shop/front-end 4. Clone the config repo. 5. Clone OK. 6. Update 1 images(s) in the resource definition file for sock-shop/front-end: front-end (weaveworksdemos/front-end:0.2.0 -> weaveworksdemos/front-end:7f511af2d21fd601b86b3bed7baa6adfa9c8c669). 7. Update pod controller OK. 8. Commit and push the config repo. 9. Pushed commit: Release latest images to sock-shop/front-end 10. Regrade 1 service(s): sock-shop/front-end. Took 55.810622454s

此处会引出和drone结合的想法。这一点在总结里会详细阐述。

3： flux很好解决了可视化的问题，通过几个指令就能清楚知道正在发生的。flux有controller的概念。

 $ fluxctl list-services --namespace=sock-shop SERVICE CONTAINER IMAGE RELEASE POLICY sock-shop/cart cart weaveworksdemos/cart:0.3.0 sock-shop/cart-db cart-db mongo sock-shop/catalogue catalogue weaveworksdemos/catalogue:0.2.0 sock-shop/catalogue-db catalogue-db weaveworksdemos/catalogue-db:0.2.0 sock-shop/front-end front-end weaveworksdemos/front-end:0.2.0 sock-shop/orders orders weaveworksdemos/orders:0.3.0 sock-shop/orders-db orders-db mongo sock-shop/payment payment weaveworksdemos/payment:0.3.0 sock-shop/queue-master queue-master weaveworksdemos/queue-master:0.3.0 sock-shop/rabbitmq rabbitmq rabbitmq:3 sock-shop/shipping shipping weaveworksdemos/shipping:0.3.0 sock-shop/user user weaveworksdemos/user:0.3.0 sock-shop/user-db user-db weaveworksdemos/user-db:0.3.0 

$ fluxctl list-images --service=sock-shop/front-end SERVICE CONTAINER IMAGE CREATED sock-shop/front-end front-end weaveworksdemos/front-end | 7f511af2d21fd601b86b3bed7baa6adfa9c8c669 18 Nov 16 16:00 UTC | latest 18 Nov 16 16:00 UTC | snapshot 18 Nov 16 16:00 UTC | 16007dddd86b2ebb41d8880c53b77580cab13f02 18 Nov 16 11:23 UTC | a0eaf8c8ffc0b81c2199adaf7d67466891bb3205 17 Nov 16 10:22 UTC | 1b664cc81d9cf25b213000686a9e8d6477ae1b06 16 Nov 16 20:31 UTC | ce1efe59c32d3c53344defdda4d5b643272022b8 16 Nov 16 20:29 UTC | 4c33b216ae902ad89b9c3ca30a99a44833d16d5b 10 Nov 16 21:34 UTC | 7015587783bc8f7a9c3d5cfa51e5a257fe188c4b 10 Nov 16 11:34 UTC | 4d3ea2896c81e40a630d36cdc29ce740e7617016 10 Nov 16 11:30 UTC : '-> 0.2.0 09 Nov 16 10:26 UTC

4：flux实际上可以做到完全自动检测git仓库中yaml文件的变化以及registry中镜像的更新，进而自动部署。
It is most useful when used as a deployment tool at the end of a Continuous Delivery pipeline. Flux will make sure that your new container images and config changes are propagated to the cluster。
大意就是，利用flux作为cd pipeline中最后一个环节，可以很好地解决镜像更新或是yaml文件更新。

flux部署到k8s中注意事项

由于fluxd需要从git仓库中拉取代码，所以会有一个ssh key的问题。
注意flux-secret.yaml文件：

--- apiVersion: v1 kind: Secret metadata: name: flux-git-deploy type: Opaque 

并没有data一项。实际上，flux默认会给我们生成一个key。

然后可以执行

$ fluxctl identity ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1fndADrb1fp6a+7QusXMU9qI2CNodLyMR82/6Li8rAstUCMRI9SjThAAbzyIfuCX61YCjWGj6qHyPusmfOssErbs7+rs6Q3y0RrACZT7w4HTgODX4aXGMigVY+IztpDv+XYztTqLCwMVfsrQWvo/WrtbltCdjzTP3gR7nWriPzCks3KbEFZkk4bCISJzV19RBCQzJBlE6afOAreCCdhooy80zmWOmHqc+OVDbAVTOC5Bcht/EaHNXGCwcHijiNd0MPah6OKI+gG/eDB2OLixdhoNTzeEYN6vB5Y/wwNuH/m29y46EM6mfXuq6KkD+/YT9J0XiTx

就可以获得到public key。这个时候复制到github 仓库的 deploy key即可。

总结

1：如何与drone结合？
首先我是认可将yaml存储在git仓库中，做版本控制。
实际上flux类似于helm，分为fluxd和一个命令行工具fluxctl，fluxd相当于server部署在k8s集群中。那么将fluxctl做成一个drone的插件。放在drone pipeline中最后一步。类似于现在很多helm插件的玩法。
这个插件只需要完成更新镜像的功能即可。毕竟整个pipeline中，更新代码到仓库中触发编译，构建，推送新镜像到harbor，最终对于k8s集群，只需要应用替换新的镜像即可。所以不需要去监听registry这个功能。也不需要关注git中yaml的变化，拉取最新的即可。
具体实现思路：

• 将新的镜像name和要更新的目标，以及yaml文件路径等作为drone插件的输入参数
• 然后执行下面的类似命令

$ fluxctl release --controller=default:deployment/helloworld --update-image=quay.io/weaveworks/helloworld:master-a000001 Submitting release ... Commit pushed: 33ce4e3 Applied 33ce4e38048f4b787c583e64505485a13c8a7836 CONTROLLER STATUS UPDATES default:deployment/helloworld success helloworld: quay.io/weaveworks/helloworld:master-9a16ff945b9e -> master-a000001 $ fluxctl list-images --controller default:deployment/helloworld CONTROLLER CONTAINER IMAGE CREATED default:deployment/helloworld helloworld quay.io/weaveworks/helloworld | master-9a16ff945b9e 20 Jul 16 13:19 UTC | master-b31c617a0fe3 20 Jul 16 13:19 UTC | master-a000002 12 Jul 16 17:17 UTC '-> master-a000001 12 Jul 16 17:16 UTC sidecar quay.io/weaveworks/sidecar '-> master-a000002 23 Aug 16 10:05 UTC master-a000001 23 Aug 16 09:53 UTC 

2：抛开drone，对于整个paas平台。flux提供的自动监控registry和yaml git 仓库的功能，也能丰富用户的各种玩法。

3：接下来就是drone-flux插件。该插件是我实现本想法而实现的的一个插件。

本文转自中文社区-k8s与CICD--利用flux部署应用到kubernetes