compute-nest-best-practice/ack-nginx/template.yaml (455 lines of code) (raw):
ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: 创建ACK集群,配置ECS、VPC、SLB及安全组,自动部署Nginx应用,支持付费方式和资源时长选择。
  en: >-
    Create an ACK (Alibaba Cloud Container Service for Kubernetes) cluster, configure
    ECS (Elastic Compute Service), VPC (Virtual Private Cloud), SLB (Server Load Balancer),
    and security groups. Automate the deployment of the Nginx application, with support
    for selecting payment options and resource duration.
Parameters:
  # Billing type
  PayType:
    Type: String
    Label:
      en: ECS Instance Charge Type
      zh-cn: 付费类型
    Default: PostPaid
    AllowedValues:
      # pay-as-you-go
      - PostPaid
      # subscription
      - PrePaid
    AssociationProperty: ChargeType
    AssociationPropertyMetadata:
      LocaleKey: InstanceChargeType
  # Billing period unit, only used for subscription billing
  PayPeriodUnit:
    Type: String
    Label:
      en: Pay Period Unit
      zh-cn: 购买资源时长周期
    Default: Month
    AllowedValues:
      - Month
      - Year
    AssociationProperty: PayPeriodUnit
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Not:
            Fn::Equals:
              - ${PayType}
              - PostPaid
  # Billing period, only used for subscription billing
  PayPeriod:
    Type: Number
    Description:
      en: When the resource purchase duration is Month, the value of Period ranges from 1 to 9, 12, 24, 36, 48, or 60. <br><b><font color='red'>Only valid when the ECS instance charge type is PrePaid</font></b>
      zh-cn: 当购买资源时长为Month时,Period取值:1~9 <br><b><font color='red'>当ECS实例类型为PrePaid有效</font></b>
    Label:
      en: Period
      zh-cn: 购买资源时长
    Default: 1
    AllowedValues:
      - 1
      - 2
      - 3
      - 4
      - 5
      - 6
      - 7
      - 8
      - 9
    AssociationProperty: PayPeriod
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Not:
            Fn::Equals:
              - ${PayType}
              - PostPaid
  # Availability zone
  ZoneId:
    Type: String
    AssociationProperty: ALIYUN::ECS::Instance:ZoneId
    Label:
      en: Zone ID
      zh-cn: 可用区
  # CIDR block of the VPC in which the new ACK cluster is created
  VpcCidrBlock:
    Type: String
    Label:
      en: VPC CIDR IPv4 Block
      zh-cn: 专有网络IPv4网段
    Description:
      zh-cn: VPC的ip地址段范围,<br>您可以使用以下的ip地址段或其子网:<br><font color='green'>[10.0.0.0/8]</font><br><font color='green'>[172.16.0.0/12]</font><br><font color='green'>[192.168.0.0/16]</font>
      en: 'The IP address range of the VPC in CIDR form; <br>You can use the following IP address ranges and their subnets: <br><font color=''green''>[10.0.0.0/8]</font><br><font color=''green''>[172.16.0.0/12]</font><br><font color=''green''>[192.168.0.0/16]</font>'
    Default: 192.168.0.0/16
    AssociationProperty: ALIYUN::VPC::VPC::CidrBlock
  # CIDR block of the vSwitch in which the new ACK cluster is created
  VSwitchCidrBlock:
    Type: String
    Label:
      en: VSwitch CIDR Block
      zh-cn: 交换机子网网段
    Description:
      zh-cn: 必须属于VPC的子网段。
      en: Must be a subnet of the VPC CIDR block.
    Default: 192.168.1.0/24
    AssociationProperty: ALIYUN::VPC::VSwitch::CidrBlock
    AssociationPropertyMetadata:
      # references the VpcCidrBlock parameter, same ${...} form as ZoneId below
      VpcCidrBlock: ${VpcCidrBlock}
  # Login password shared by the ACK worker nodes and the jump box ECS instance
  LoginPassword:
    NoEcho: true
    Type: String
    Description:
      en: Server login password, length 8-30, must contain three of the following (capital letters, lowercase letters, numbers, special symbols in ()`~!@#$%^&*_-+=|{}[]:;<>,.?/)
      zh-cn: 服务器登录密码,长度8-30,必须包含三项(大写字母、小写字母、数字、 ()`~!@#$%^&*_-+=|{}[]:;<>,.?/ 中的特殊符号)
    Label:
      en: Instance Password
      zh-cn: 实例密码
    ConstraintDescription:
      en: Length 8-30, must contain three of the following (capital letters, lowercase letters, numbers, special symbols in ()`~!@#$%^&*_-+=|{}[]:;<>,.?/)
      zh-cn: 长度8-30,必须包含三项(大写字母、小写字母、数字、 ()`~!@#$%^&*_-+=|{}[]:;<>,.?/ 中的特殊符号)
    AssociationProperty: ALIYUN::ECS::Instance::Password
    AllowedPattern: '^[a-zA-Z0-9-\(\)\`\~\!\@\#\$\%\^\&\*\_\-\+\=\|\{\}\[\]\:\;\<\>\,\.\?\/]*$'
    MinLength: 8
    MaxLength: 30
  # Instance type of the ACK worker nodes
  WorkerInstanceType:
    Type: String
    Label:
      en: Worker Nodes Types
      zh-cn: Worker节点规格
    AssociationProperty: ALIYUN::ECS::Instance::InstanceType
    AssociationPropertyMetadata:
      ZoneId: ${ZoneId}
    Default: ecs.g6.large
  # System disk category of the ACK worker nodes
  WorkerSystemDiskCategory:
    Type: String
    AllowedValues:
      - cloud_efficiency
      - cloud_ssd
      - cloud_essd
    # same association as SystemDiskCategory below, so the console filters categories by instance type
    AssociationProperty: ALIYUN::ECS::Disk::SystemDiskCategory
    AssociationPropertyMetadata:
      LocaleKey: DiskCategory
      InstanceType: ${WorkerInstanceType}
    Label:
      en: Worker System Disk Category
      zh-cn: Worker 系统盘磁盘类型
    Default: cloud_essd
  # System disk size of the ACK worker nodes
  WorkerSystemDiskSize:
    Type: Number
    Label:
      en: Worker System Disk Size(GB)
      zh-cn: Worker节点系统盘大小(GB)
    MinValue: 1
    Default: 120
  # Pod network CIDR of the ACK cluster; only required when the network mode is flannel
  PodCidr:
    Type: String
    Description:
      zh-cn: 请填写有效的私有网段,即以下网段及其子网:10.0.0.0/8,172.16-31.0.0/12-16,192.168.0.0/16<br>不能与 VPC 及 VPC 内已有 Kubernetes 集群使用的网段重复。<font color='blue'><b>创建成功后不能修改</b></font>
      en: 'Please fill in a valid private segment, i.e. the following segments and their subnets: 10.0.0.0/8, 172.16-31.0.0/12-16, 192.168.0.0/16<br> It cannot overlap with the VPC CIDR block or with segments already used by existing Kubernetes clusters in the VPC. <font color=''blue''><b>Cannot be modified after successful creation</b></font>'
    Label:
      zh-cn: Pod 网络 CIDR
      en: Pod Network CIDR
    AssociationProperty: ALIYUN::CS::ManagedKubernetesCluster::PodCidr
    Default: 10.0.0.0/16
  # Service CIDR
  ServiceCidr:
    Type: String
    Description:
      zh-cn: 可选范围:10.0.0.0/16-24,172.16-31.0.0/16-24,192.168.0.0/16-24<br>不能与 VPC 及 VPC 内已有 Kubernetes 集群使用的网段重复。<font color='blue'><b>创建成功后不能修改</b></font>
      en: 'Optional range: 10.0.0.0/16-24, 172.16-31.0.0/16-24, 192.168.0.0/16-24<br> It cannot overlap with the VPC CIDR block or with segments already used by existing Kubernetes clusters in the VPC. <font color=''blue''><b>Cannot be modified after successful creation</b></font>'
    Label:
      zh-cn: Service CIDR
      en: Service CIDR
    AssociationProperty: ALIYUN::CS::ManagedKubernetesCluster::ServiceCidr
    Default: 172.16.0.0/16
  # Instance type of the jump box
  EcsInstanceType:
    Type: String
    Label:
      en: Instance Type
      zh-cn: 跳板机实例类型
    AssociationProperty: ALIYUN::ECS::Instance::InstanceType
    AssociationPropertyMetadata:
      ZoneId: ${ZoneId}
    Default: ecs.g6.large
  # System disk category of the jump box
  SystemDiskCategory:
    Type: String
    AllowedValues:
      - cloud_efficiency
      - cloud_ssd
      - cloud_essd
    Label:
      en: System Disk Category
      zh-cn: 系统盘类型
    AssociationProperty: ALIYUN::ECS::Disk::SystemDiskCategory
    AssociationPropertyMetadata:
      LocaleKey: DiskCategory
      InstanceType: ${EcsInstanceType}
    Default: cloud_essd
  # System disk size of the jump box
  SystemDiskSize:
    Default: 40
    Type: Number
    Label:
      zh-cn: 系统盘空间 (GB)
      en: System Disk Space (GB)
  # SLB instance specification
  LoadBalancerSpec:
    Type: String
    AssociationProperty: ALIYUN::SLB::Instance::InstanceType
    Label:
      en: Specifications
      zh-cn: 规格
    Default: slb.s1.small
# Resource definitions
Resources:
  # Create the VPC
  EcsVpc:
    Type: ALIYUN::ECS::VPC
    Properties:
      VpcName:
        Ref: ALIYUN::StackName
      CidrBlock:
        Ref: VpcCidrBlock
  # Create the vSwitch
  EcsVSwitch:
    Type: ALIYUN::ECS::VSwitch
    Properties:
      VSwitchName:
        Ref: ALIYUN::StackName
      VpcId:
        Ref: EcsVpc
      ZoneId:
        Ref: ZoneId
      CidrBlock:
        Ref: VSwitchCidrBlock
  # Create the security group
  EcsSecurityGroup:
    Type: ALIYUN::ECS::SecurityGroup
    Properties:
      SecurityGroupName:
        Ref: ALIYUN::StackName
      VpcId:
        Ref: EcsVpc
      # Only an outbound rule is opened (access to the Internet); no inbound rules are defined
      SecurityGroupEgress:
        - PortRange: '-1/-1'
          Priority: 1
          IpProtocol: all
          DestCidrIp: 0.0.0.0/0
          NicType: intranet
  # Create the managed ACK cluster
  ManagedKubernetesCluster:
    Type: ALIYUN::CS::ManagedKubernetesCluster
    Properties:
      Name:
        Ref: ALIYUN::StackName
      ChargeType:
        Ref: PayType
      Period:
        Ref: PayPeriod
      PeriodUnit:
        Ref: PayPeriodUnit
      VSwitchIds:
        - Ref: EcsVSwitch
      VpcId:
        Ref: EcsVpc
      WorkerInstanceTypes:
        - Ref: WorkerInstanceType
      # Number of ACK worker nodes
      NumOfNodes: 3
      ClusterSpec: ack.pro.small
      # Specified in flannel mode
      ContainerCidr:
        Ref: PodCidr
      # Specified in terway mode instead
      # PodVswitchIds:
      #   - Ref: EcsVSwitch
      ServiceCidr:
        Ref: ServiceCidr
      ZoneIds:
        - Ref: ZoneId
      SecurityGroupId:
        Ref: EcsSecurityGroup
      WorkerSystemDiskCategory:
        Ref: WorkerSystemDiskCategory
      WorkerSystemDiskSize:
        Ref: WorkerSystemDiskSize
      LoginPassword:
        Ref: LoginPassword
      SnatEntry: true
      # Cluster add-ons
      Addons:
        # Network add-on
        - Name: flannel
          Config: ''
        # - Name: terway-eniip
        #   Config: ''
        # Storage add-ons
        # - Name: csi-plugin
        #   Config: ''
        # - Name: csi-provisioner
        #   Config: ''
        # - Name: storage-operator
        #   Config: '{"CnfsOssEnable":"false","CnfsNasEnable":"true"}'
        # Ingress add-on
        # - Name: nginx-ingress-controller
        #   Config: '{"IngressSlbNetworkType":"intranet","IngressSlbSpec":"slb.s2.small"}'
  # Create the load balancer (internal; exposed to the Internet only through the EIP below)
  Slb:
    Type: ALIYUN::SLB::LoadBalancer
    Properties:
      LoadBalancerName:
        Ref: ALIYUN::StackName
      PayType:
        Ref: PayType
      PricingCycle:
        Ref: PayPeriodUnit
      Duration:
        Ref: PayPeriod
      VpcId:
        Ref: EcsVpc
      VSwitchId:
        Ref: EcsVSwitch
      LoadBalancerSpec:
        Ref: LoadBalancerSpec
      AddressType: intranet
  # Create the EIP
  EipSlbAddress:
    Type: ALIYUN::VPC::EIP
    Properties:
      Name:
        Ref: ALIYUN::StackName
      InternetChargeType: PayByTraffic
      Bandwidth: 100
  # Bind the EIP to the load balancer
  EipSlbAddressAssociation:
    Type: ALIYUN::VPC::EIPAssociation
    Properties:
      InstanceId:
        Ref: Slb
      AllocationId:
        Ref: EipSlbAddress
  # WaitCondition and WaitConditionHandle make the stack wait until the jump box script has finished deploying
  WaitCondition:
    Type: ALIYUN::ROS::WaitCondition
    DependsOn:
      - ManagedKubernetesCluster
    Properties:
      Count: 1
      Handle:
        Ref: WaitConditionHandle
      # Wait at most 300 s
      Timeout: 300
  WaitConditionHandle:
    Type: ALIYUN::ROS::WaitConditionHandle
  # Create the ECS jump box used for deployment and later operations
  # (no public IP is allocated, so it is reachable only from inside the VPC)
  EcsInstanceJumpBox:
    Type: ALIYUN::ECS::InstanceGroup
    DependsOn:
      - ManagedKubernetesCluster
      - Slb
    Properties:
      InstanceName:
        Ref: ALIYUN::StackName
      InstanceChargeType:
        Ref: PayType
      Period:
        Ref: PayPeriod
      PeriodUnit:
        Ref: PayPeriodUnit
      ImageId: centos_7
      InstanceType:
        Ref: EcsInstanceType
      VpcId:
        Ref: EcsVpc
      ZoneId:
        Ref: ZoneId
      VSwitchId:
        Ref: EcsVSwitch
      SecurityGroupId:
        Ref: EcsSecurityGroup
      AllocatePublicIP: false
      Password:
        Ref: LoginPassword
      MaxAmount: 1
      SystemDiskSize:
        Ref: SystemDiskSize
      SystemDiskCategory:
        Ref: SystemDiskCategory
      # cloud-init runs the user data script below.
      # Execution logs: /var/log/cloud-init.log and /var/log/cloud-init-output.log
      # The script itself is stored at /var/lib/cloud/instance/scripts/part-001 and can be re-run with sh to troubleshoot
      UserData:
        # Fn::Sub substitutes the ${xxx} variables defined in the second list element
        Fn::Sub:
          - |
            #!/bin/bash
            # Install kubectl
            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
            install -o root -g root -m 0755 kubectl /usr/bin/kubectl
            # Write the kubeconfig
            mkdir -p ~/.kube
            echo '${KubeConfig}' >> ~/.kube/config
            echo '${ApplicationYaml}' > ~/application.yaml
            sleep 10
            # Apply the application manifest
            kubectl --kubeconfig ~/.kube/config apply -f ~/application.yaml
            # On success, call back the WaitCondition so the stack stops waiting
            ${CurlCli} -d "{\"Data\" : \"Success\", \"status\" : \"SUCCESS\"}"
          # The cluster's private kubeconfig goes into the ${KubeConfig} variable
          - KubeConfig:
              Fn::GetAtt:
                - ManagedKubernetesCluster
                - PrivateUserKubConfig
            # The WaitConditionHandle callback command goes into the ${CurlCli} variable
            CurlCli:
              Fn::GetAtt:
                - WaitConditionHandle
                - CurlCli
            # application.yaml, with LoadBalancerId substituted by a nested Fn::Sub
            ApplicationYaml:
              Fn::Sub:
                - |
                  apiVersion: apps/v1
                  kind: Deployment
                  metadata:
                    name: nginx
                    labels:
                      app: nginx
                  spec:
                    replicas: 1
                    selector:
                      matchLabels:
                        app: nginx
                    template:
                      metadata:
                        labels:
                          app: nginx
                      spec:
                        containers:
                          - name: nginx
                            image: nginx:1.14.2
                            ports:
                              - containerPort: 80
                  ---
                  apiVersion: v1
                  kind: Service
                  metadata:
                    annotations:
                      service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: ${LoadBalancerId}
                      service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: "true"
                    labels:
                      app: nginx
                    name: nginx-svc
                  spec:
                    ports:
                      - port: 80
                        protocol: TCP
                        targetPort: 80
                    selector:
                      app: nginx
                    type: LoadBalancer
                - LoadBalancerId:
                    Fn::GetAtt:
                      - Slb
                      - LoadBalancerId
# Output definitions
Outputs:
  # Show the public IP as an HTTP URL in the console
  Endpoint:
    Description:
      zh-cn: 对外暴露的公网IP地址
      en: Public IP Addresses
    Value:
      Fn::Sub:
        - http://${ServerAddress}
        - ServerAddress:
            Fn::GetAtt:
              - EipSlbAddress
              - EipAddress
Metadata:
  ALIYUN::ROS::Interface:
    # Parameter groups shown in the console
    ParameterGroups:
      - Parameters:
          - PayType
          - PayPeriodUnit
          - PayPeriod
        Label:
          default:
            en: PayType Configuration
            zh-cn: 付费类型配置
      - Parameters:
          - ZoneId
          - VpcCidrBlock
          - VSwitchCidrBlock
          - LoginPassword
        Label:
          default:
            en: Basic Configuration
            zh-cn: 基础配置
      - Parameters:
          - WorkerInstanceType
          - WorkerSystemDiskCategory
          - WorkerSystemDiskSize
          - ServiceCidr
          - PodCidr
        Label:
          default:
            en: Kubernetes Configuration
            zh-cn: Kubernetes配置
      - Parameters:
          - EcsInstanceType
          - SystemDiskSize
          - SystemDiskCategory
        Label:
          default:
            en: ECS Jump Box Configuration
            zh-cn: ECS跳板机配置
      - Parameters:
          - LoadBalancerSpec
        Label:
          default:
            en: Load Balancer Configuration
            zh-cn: 负载均衡配置