Red Hat OpenShift 官方支援 Helm 3 啦!

承襲上篇 愛的走馬看花 Red Hat CoreOS 與 Red Hat OpenShift Part 3 精神，繼續寫一點東西，但因本週太忙了，只講一個大家都很關注的 Kubernetes 套件管理程式 - Helm 3 內容

走馬看花之旅: 第四天

Helm 畢業啦!

於 2020/04/30 時，Cloud Native Computing Foundation Announces Helm Graduation，Helm 從 CNCF 基金會畢業啦!它是 CNCF 第 10 個正式畢業的專案，因為它充分展現出使用者廣泛地採用、開放的專案治理以及對 CNCF 社區可持續性包容的堅定承諾

使用 Helm 3

The package manager for Kubernetes

Red Hat OpenShift 4 終於支援了 Helm 3，所以目前共有 2 種套件管理方式可以做選擇使用:

1. Operator Framework
2. Helm 3

兩者的能力差異如下

	Helm 3	Operator Framework
套件化	Y	Y
App 安裝能力	Y	Y
App 更新能力	Y	Y
App 自動備份和還原	X	Y
工作負載分析和紀錄	X	Y
App 層級自動化擴縮容	X	Y
自動最佳化	X	Y

至於要用哪一個…嘿嘿 要看你的角色是什麼，這邊就不提太多了

安裝 Helm 3

因為 helm 3 之後移除了原先 v2 的 Tiller 角色，單純僅使用 helm 來進行操作，所以安裝過程其實相當簡單，不需要碰到 OpenShift 就可以搞定，詳細可以參考 CNCF發布Kubernetes應用程式管理工具Helm 3 - IThome 一文

bastion.ocp4.internal

$ wget https://mirror.openshift.com/pub/openshift-v4/clients/helm/3.1.1/helm-linux-amd64
$ chmod +x helm-linux-amd64
$ mv helm-linux-amd64 /usr/local/bin/helm

$ helm version
version.BuildInfo{Version:"v3.1+unreleased", GitCommit:"7ebdbb86fca32c77f2fce166f7f9e58ebf7e9946", GitTreeState:"clean", GoVersion:"go1.13.4"}

使用外部匯入 helm charts

當你有網路可以連的時候，這個是蠻常見的用法，可以參考一下使用過程

# 使用 Helm Stable Charts
$ helm repo add helm-stable-charts https://kubernetes-charts.storage.googleapis.com/
"helm-stable-charts" has been added to your repositories

# 使用 Helm Incubartor Charts
$ helm repo add helm-incubator-charts https://kubernetes-charts-incubator.storage.googleapis.com
"helm-incubator-charts" has been added to your repositories

# Update charts from these repos
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "helm-incubator-charts" chart repository
...Successfully got an update from the "helm-stable-charts" chart repository
Update Complete. ⎈ Happy Helming!⎈

# Search charts
# helm search repo <name>
$ helm search repo mysql
NAME                                            CHART VERSION   APP VERSION   DESCRIPTION
helm-incubator-charts/mysqlha                   2.0.0           5.7.13        MySQL cluster with a single master and zero or ...
helm-stable-charts/mysql                        1.6.3           5.7.28        Fast, reliable, scalable, and easy to use open-...
helm-stable-charts/mysqldump                    2.6.0           2.4.1         A Helm chart to help backup MySQL databases usi...
helm-stable-charts/prometheus-mysql-exporter    0.5.2           v0.11.0       A Helm chart for prometheus mysql exporter with...
helm-stable-charts/percona                      1.2.1           5.7.26        free, fully compatible, enhanced, open source d...
helm-stable-charts/percona-xtradb-cluster       1.0.3           5.7.19        free, fully compatible, enhanced, open source d...
helm-stable-charts/phpmyadmin                   4.3.5           5.0.1         DEPRECATED phpMyAdmin is an mysql administratio...
helm-stable-charts/gcloud-sqlproxy              0.6.1           1.11          DEPRECATED Google Cloud SQL Proxy
helm-stable-charts/mariadb                      7.3.14          10.3.22       DEPRECATED Fast, reliable, scalable, and easy t...

# Inspect mysql
# helm inspect all|chart|values|readme <name>
$ helm inspect chart helm-stable-charts/mysql
apiVersion: v1
appVersion: 5.7.28
description: Fast, reliable, scalable, and easy to use open-source relational database
  system.
home: https://www.mysql.com/
icon: https://www.mysql.com/common/logos/logo-mysql-170x115.png
keywords:
- mysql
- database
- sql
maintainers:
- email: [email protected]
  name: olemarkus
- email: [email protected]
  name: viglesiasce
name: mysql
sources:
- https://github.com/kubernetes/charts
- https://github.com/docker-library/mysql
version: 1.6.3

# Create a new project - test-mariadb
$ oc new-project test-mysql
Now using project "test-mysql" on server "https://api.ocp4.internal:6443".

# Install charts - mysql
$ helm install mysql-dev helm-stable-charts/mysql
NAME: mysql-dev
LAST DEPLOYED: Sun Apr 26 18:27:10 2020
NAMESPACE: test-mysql
STATUS: deployed
REVISION: 1
NOTES:
MySQL can be accessed via port 3306 on the following DNS name from within your cluster:
mysql-dev.test-mysql.svc.cluster.local

To get your root password run:

    MYSQL_ROOT_PASSWORD=$(kubectl get secret --namespace test-mysql mysql-dev -o jsonpath="{.data.mysql-root-password}" | base64 --decode; echo)

To connect to your database:

1. Run an Ubuntu pod that you can use as a client:

    kubectl run -i --tty ubuntu --image=ubuntu:16.04 --restart=Never -- bash -il

2. Install the mysql client:

    $ apt-get update && apt-get install mysql-client -y

3. Connect using the mysql cli, then provide your password:
    $ mysql -h mysql-dev -p

To connect to your database directly from outside the K8s cluster:
    MYSQL_HOST=127.0.0.1
    MYSQL_PORT=3306

    # Execute the following command to route the connection:
    kubectl port-forward svc/mysql-dev 3306

    mysql -h ${MYSQL_HOST} -P${MYSQL_PORT} -u root -p${MYSQL_ROOT_PASSWORD}

# Check Charts list
$ helm list
NAME            NAMESPACE       REVISION        UPDATED                                       STATUS          CHART           APP VERSION
mysql-dev       test-mysql      1               2020-04-26 18:27:10.979294793 +0800 CST       deployed        mysql-1.6.3     5.7.28

# Check Mysql server is ready
$ oc get all
NAME                            READY   STATUS    RESTARTS   AGE
pod/mysql-dev-d8b597f5f-b2nxn   1/1     Running   0          31s

NAME                TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/mysql-dev   ClusterIP   172.30.4.152   <none>        3306/TCP   31s

NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/mysql-dev   1/1     1            1           31s

NAME                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/mysql-dev-d8b597f5f   1         1         1       31s

# Uninstall charts and project
$ helm uninstall mysql-dev
release "mysql-dev" uninstalled

$ oc delete project test-mysql
project.project.openshift.io "test-mysql" deleted

使用自行下載 helm charts

現實是，一票環境都不給連網路，所以自然也沒有什麼 helm repo 可以用，所以要大部分應該都會改用這個作法，整體核心還是在如何離線操作 GitOps 及使用離線 Container Registry 身上

# Example: IBM/helm101
$ git clone https://github.com/IBM/helm101

# Create a new project - test-mariadb
$ oc new-project test-my-first-helm-chart
Now using project "test-my-first-helm-chart" on server "https://api.ocp4.internal:6443".

# Install guestbook using helm 3
$ cd helm101/charts
$ helm install guestbook-demo ./guestbook/ --namespace test-my-first-helm-chart

# Check Charts list
$ helm list
NAME            NAMESPACE                       REVISION        UPDATED                                       STATUS          CHART                 APP VERSION
guestbook-demo  test-my-first-helm-chart        1               2020-04-26 18:45:34.084900528 +0800 CST       deployed        guestbook-0.2.0

# Check Guestbook server is ready
$ oc get all
NAME                                  READY   STATUS    RESTARTS   AGE
pod/guestbook-demo-67f5b45d45-kscnt   1/1     Running   0          2m39s
pod/guestbook-demo-67f5b45d45-tv4dr   1/1     Running   0          2m39s
pod/redis-master-68857cd57c-7m585     1/1     Running   0          2m39s
pod/redis-slave-bbd8d8545-6nwh5       1/1     Running   0          2m39s
pod/redis-slave-bbd8d8545-xgkmb       1/1     Running   0          2m39s

NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP
 PORT(S)          AGE
service/guestbook-demo   LoadBalancer   172.30.216.24    <pending>
 3000:32765/TCP   2m39s
service/redis-master     ClusterIP      172.30.64.237    <none>
 6379/TCP         2m39s
service/redis-slave      ClusterIP      172.30.143.221   <none>
 6379/TCP         2m39s

NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/guestbook-demo   2/2     2            2           2m39s
deployment.apps/redis-master     1/1     1            1           2m39s
deployment.apps/redis-slave      2/2     2            2           2m39s

NAME                                        DESIRED   CURRENT   READY
  AGE
replicaset.apps/guestbook-demo-67f5b45d45   2         2         2
  2m39s
replicaset.apps/redis-master-68857cd57c     1         1         1
  2m39s
replicaset.apps/redis-slave-bbd8d8545       2         2         2
  2m39s

# Uninstall charts and project
$ helm uninstall guestbook-demo
release "guestbook-demo" uninstalled

$ oc delete project test-my-first-helm-chart
project.project.openshift.io "test-my-first-helm-chart" deleted

環境資訊

• Red Hat OpenShift 4.3.13 (Kubernetes v1.16.2)
• Red Hat Enterprise Linux 7.7 as bastion server
• helm v3.1+unreleased

Appendix

延伸閱讀

• 初探云原生应用管理（一）: Helm 与 App Hub
• 初探云原生应用管理（二）: 为什么你必须尽快转向 Helm v3
• 云原生生态周报 Vol. 19 | Helm 推荐用户转向 V3

結語

我覺得 Red Hat 官方開始支援是對的，剛好 Helm 3 後對底層進行了大改造，原先的資安問題除了移除 Tiller 以外，也同時透過 OpenShift 預設相較嚴苛 RBAC 來做到比較好的保護，算是一個各得其所的使用方式

References

• CNCF發布Kubernetes應用程式管理工具Helm 3 - IThome
• helm/charts - GitHub
• IBM/helm101 - GitHub
• 愛的走馬看花 Red Hat CoreOS 與 Red Hat OpenShift Part 3
• helm
• Cloud Native Computing Foundation Announces Helm Graduation