How to create a kustomize common sidecar component

Question


On a Kubernetes cluster, I have multiple Deployment resources. For security, I am using a sidecar proxy pattern where the Service will proxy traffic to the sidecar, which will ensure authentication before passing on to the deployed application.

I am trying to set up Kustomize to do this. Since the sidecar definition is likely environment specific, I don't want to include the sidecar in my base manifests, but would like it to be an overlay. Since I have multiple deployments that will need to attach that sidecar, it seemed appropriate to have the sidecar specification be a common shared component. This seemed like appropriate use of the Kustomize Component resource, but perhaps I'm wrong.

I have something similar to the following:

.
├── base
│   ├── app1
│   │   ├── deployment.yaml
│   │   └── kustomization.yaml
│   ├── app2
│   │   ├── deployment.yaml
│   │   └── kustomization.yaml
│   └── app3
│       ├── deployment.yaml
│       └── kustomization.yaml
├── components
│   └── sidecar
│       ├── deployment-sidecar.yaml
│       └── kustomization.yaml
└── overlays
    └── dev
        └── kustomization.yaml

I'd like the sidecar component to be applied to the 3 app deployments, but I can't seem to find a way to do this. Am I misusing components here?

My components/sidecar/kustomization.yaml file looks like:

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

patches:
  - path: deployment-sidecar.yaml
    target:
      labelSelector: xxx

This works, however it specifies the target of the patch in the component, whereas I would like to leave the component more generic and instead specify the target in overlays/dev.

Is there a better way to be handling this? In summary, I want the overlay to be able to define when the sidecar should be added, and to which specific deployments to add it to.

Answer 1

Score: 2


> In summary, I want the overlay to be able to define when the sidecar should be added, and to which specific deployments to add it to.

My first thought was that you could have a label that means "apply the sidecar patch", and use that in the Component:

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

patches:
  - path: deployment-sidecar.yaml
    target:
      labelSelector: "inject-sidecar=true"

And then in your overlay(s), use a patch to apply that label to specific deployments:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base

components:
  - ../../components/sidecar

patches:
  - target:
      kind: Deployment
      labelSelector: "app=app1"
    patch: |
      - op: add
        path: /metadata/labels/inject-sidecar
        value: "true"

Unfortunately, this won't work because patches are applied after processing all resources and components.

We can still do this, but it requires an intermediate stage. We can get that by creating another component inside the dev overlay that is responsible for applying the labels. In overlays/dev/apply-labels/kustomization.yaml you have a kustomization.yaml that contains the logic for applying the inject-sidecar label to specific Deployments (using a label selector, name patterns, or other criteria):

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

patches:
  - target:
      kind: Deployment
      labelSelector: "app=app1"
    patch: |
      - op: add
        path: /metadata/labels/inject-sidecar
        value: "true"

And then in overlays/dev/kustomization.yaml you have:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base

components:
  - apply-labels
  - ../../components/sidecar

This gets you what you want:

  • The sidecar patch is specified in a single place
  • Your overlay determines to which deployments you apply the sidecar patch

There's a level of complexity here that is only necessary if:

  • You have multiple overlays
  • You want to selectively apply the sidecar only to some deployments
  • You want the overlay to control to which deployments the patch is applied

If any of those things aren't true you can simplify the configuration.
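A check that could run in CI on the rendered overlay (an added example, not part of the answer above): if the label patch misses a Deployment or the components are listed in the wrong order, that Deployment is rendered without its authentication sidecar and nothing in the output flags it. The container name `auth-proxy`, the `required` parameter and the sample manifests are assumptions constructed for illustration; the function takes manifests already parsed into Python objects.

```python
SIDECAR_NAME = "auth-proxy"      # assumption: container name added by deployment-sidecar.yaml
INJECT_LABEL = "inject-sidecar"  # label the answer's Component selects on


def iter_deployments(rendered):
    """Yield Deployments from a parsed render: one object, a list, or a kind: List."""
    if isinstance(rendered, dict):
        if rendered.get("kind") == "List":
            rendered = rendered.get("items", [])
        else:
            rendered = [rendered]
    for obj in rendered:
        if isinstance(obj, dict) and obj.get("kind") == "Deployment":
            yield obj


def audit_sidecars(rendered, required=()):
    """Return (missing, unlabelled) lists of Deployment names.

    missing:    labelled for injection (or named in `required`) but no sidecar container
    unlabelled: neither selected for injection nor carrying the sidecar (for review)
    """
    missing, unlabelled = [], []
    for dep in iter_deployments(rendered):
        meta = dep.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        labels = meta.get("labels") or {}
        pod_spec = dep.get("spec", {}).get("template", {}).get("spec", {})
        containers = pod_spec.get("containers") or []
        has_sidecar = any(c.get("name") == SIDECAR_NAME for c in containers)
        wanted = labels.get(INJECT_LABEL) == "true" or name in required
        if wanted and not has_sidecar:
            missing.append(name)
        elif not wanted and not has_sidecar:
            unlabelled.append(name)
    return sorted(missing), sorted(unlabelled)


def _dep(name, labels, container_names):
    """Build a minimal Deployment dict (constructed sample data)."""
    containers = [{"name": n} for n in container_names]
    return {"kind": "Deployment", "metadata": {"name": name, "labels": labels},
            "spec": {"template": {"spec": {"containers": containers}}}}


# Constructed render: app1 patched, app2 labelled but unpatched, app3 never labelled.
SAMPLE = [
    _dep("app1", {"app": "app1", INJECT_LABEL: "true"}, ["app", SIDECAR_NAME]),
    _dep("app2", {"app": "app2", INJECT_LABEL: "true"}, ["app"]),
    _dep("app3", {"app": "app3"}, ["app"]),
    {"kind": "Service", "metadata": {"name": "app1"}},
]
```

Passing the overlay's expected Deployment names as `required` turns a forgotten label (app3 in the sample) into a failure instead of a review item.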

huangapple
  • Published on February 24, 2023, 03:00:02
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75549207.html