Deploy a Kubernetes cluster with the AKS engine on Azure Stack Hub

You can deploy a Kubernetes cluster on Azure Stack Hub from a client VM running the AKS engine. In this article, we look at writing a cluster specification, deploying a cluster with the apimodel.json file, and checking your cluster by deploying MySQL with Helm.

Define a cluster specification

You can specify a cluster specification in a document file using the JSON format called the API model. The AKS engine uses the cluster specification in the API model to create your cluster.

Update the API model

This section looks at creating an API model for your cluster.

  1. Start by using the Azure Stack Hub example API model file and make a local copy for your deployment. From the machine on which you installed the AKS engine, run:

    curl -o kubernetes-azurestack.json https://raw.githubusercontent.com/Azure/aks-engine/master/examples/azure-stack/kubernetes-azurestack.json
    

    Note

    If you are disconnected, you can download the file and manually copy it to the disconnected machine where you plan to edit it. You can copy the file to your Linux machine using tools such as PuTTY or WinSCP.

  2. To open the API model in an editor, you can use nano:

    nano ./kubernetes-azurestack.json
    

    Note

    If you don't have nano installed, you can install it on Ubuntu: sudo apt-get install nano.

  3. In the kubernetes-azurestack.json file, find orchestratorRelease and orchestratorVersion. Select one of the supported Kubernetes versions. For example, for orchestratorRelease use 1.14 or 1.15 and for orchestratorVersion use 1.14.7 or 1.15.10 respectively. Specify orchestratorRelease as x.xx and orchestratorVersion as x.xx.x. For a list of current versions, see Supported AKS engine versions.

  4. Find customCloudProfile and provide the URL to the tenant portal. For example, https://portal.local.azurestack.external.

  5. Add "identitySystem":"adfs" if you're using AD FS. For example:

        "customCloudProfile": {
            "portalURL": "https://portal.local.azurestack.external",
            "identitySystem": "adfs"
        },
    

    Note

    If you're using Azure AD for your identity system, you don't need to add the identitySystem field.

  6. Find portalURL and provide the URL to the tenant portal. For example, https://portal.local.azurestack.external.

  7. In masterProfile, set the following fields:

    | Field | Description |
    | --- | --- |
    | dnsPrefix | Enter a unique string that will serve to identify the hostname of the VMs. For example, a name based on the resource group name. |
    | count | Enter the number of masters you want for your deployment. The minimum for an HA deployment is 3, but 1 is allowed for non-HA deployments. |
    | vmSize | Enter a size supported by Azure Stack Hub, for example Standard_D2_v2. |
    | distro | Enter aks-ubuntu-16.04. |

  8. In agentPoolProfiles, update:

    | Field | Description |
    | --- | --- |
    | count | Enter the number of agents you want for your deployment. The maximum count of nodes to use per subscription is 50. If you are deploying more than one cluster per subscription, ensure that the total agent count doesn't go beyond 50. Make sure to use the configuration items specified in the sample API model JSON file. |
    | vmSize | Enter a size supported by Azure Stack Hub, for example Standard_D2_v2. |
    | distro | Enter aks-ubuntu-16.04. |

  9. In linuxProfile, update:

    | Field | Description |
    | --- | --- |
    | adminUsername | Enter the VM admin user name. |
    | ssh | Enter the public key that will be used for SSH authentication with the VMs. Use ssh-rsa followed by the key. For instructions on creating a public key, see Create an SSH key for Linux. |

    If you are deploying to a custom virtual network, you can find instructions on finding the required keys and values and adding them to the appropriate arrays in the API model in Deploy a Kubernetes cluster to a custom virtual network.

    Note

    The AKS engine for Azure Stack Hub doesn't allow you to provide your own certificates for the creation of the cluster.
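The constraints in steps 3 to 9 are easy to get wrong by hand and are only reported once aks-engine deploy has already started creating resources. The following pre-flight check is an added example, not code from the Azure Stack Hub documentation or from the aks-engine project: it loads the edited API model and checks the release/version format, the tenant portal URL, the identitySystem value, the master count, the 50-agent-per-subscription limit, the distro, and the ssh-rsa key before anything is deployed. The sample model it builds is constructed here in the shape of kubernetes-azurestack.json and is not the real file.

```python
"""Pre-flight checks for an AKS engine API model (added example, not aks-engine code)."""
import json
import re
import sys

RELEASE_RE = re.compile(r"^\d+\.\d+$")       # orchestratorRelease must look like x.xx
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")  # orchestratorVersion must look like x.xx.x
MAX_AGENTS_PER_SUBSCRIPTION = 50
REQUIRED_DISTRO = "aks-ubuntu-16.04"


def check_api_model(model: dict) -> list:
    """Return human-readable problems; an empty list means the model passes."""
    problems = []
    props = model.get("properties", {})

    orch = props.get("orchestratorProfile", {})
    release = str(orch.get("orchestratorRelease", ""))
    version = str(orch.get("orchestratorVersion", ""))
    if not RELEASE_RE.match(release):
        problems.append(f"orchestratorRelease {release!r} is not of the form x.xx")
    if not VERSION_RE.match(version):
        problems.append(f"orchestratorVersion {version!r} is not of the form x.xx.x")
    elif not version.startswith(release + "."):
        problems.append(f"orchestratorVersion {version} does not belong to release {release}")

    cloud = props.get("customCloudProfile", {})
    if not str(cloud.get("portalURL", "")).startswith("https://"):
        problems.append("customCloudProfile.portalURL must be the https URL of the tenant portal")
    identity = cloud.get("identitySystem")
    if identity is not None and identity != "adfs":
        problems.append('identitySystem must be "adfs" for AD FS, or omitted for Azure AD')

    master = props.get("masterProfile", {})
    if not master.get("dnsPrefix"):
        problems.append("masterProfile.dnsPrefix must be a unique, non-empty string")
    masters = int(master.get("count", 0))
    if masters < 1:
        problems.append("masterProfile.count must be at least 1")
    elif masters == 2:
        problems.append("masterProfile.count 2 is neither 1 (non-HA) nor at least 3 (HA)")
    if not master.get("vmSize"):
        problems.append("masterProfile.vmSize must be a size supported by Azure Stack Hub")
    if master.get("distro") != REQUIRED_DISTRO:
        problems.append(f"masterProfile.distro must be {REQUIRED_DISTRO}")

    total_agents = 0
    for pool in props.get("agentPoolProfiles", []):
        total_agents += int(pool.get("count", 0))
        if not pool.get("vmSize"):
            problems.append(f"agent pool {pool.get('name')}: vmSize must be set")
        if pool.get("distro") != REQUIRED_DISTRO:
            problems.append(f"agent pool {pool.get('name')}: distro must be {REQUIRED_DISTRO}")
    if total_agents < 1:
        problems.append("at least one agent node is required")
    if total_agents > MAX_AGENTS_PER_SUBSCRIPTION:
        problems.append(f"total agent count {total_agents} exceeds the per-subscription "
                        f"limit of {MAX_AGENTS_PER_SUBSCRIPTION}")

    linux = props.get("linuxProfile", {})
    if not linux.get("adminUsername"):
        problems.append("linuxProfile.adminUsername must be set")
    keys = linux.get("ssh", {}).get("publicKeys", [])
    if not keys:
        problems.append("linuxProfile.ssh.publicKeys must contain the ssh-rsa public key")
    for key in keys:
        if not str(key.get("keyData", "")).startswith("ssh-rsa "):
            problems.append("each publicKeys entry must start with ssh-rsa")
    return problems


def check_api_model_file(path: str) -> list:
    """Load an API model from disk and run the checks on it."""
    with open(path) as f:
        return check_api_model(json.load(f))


def build_sample_model(masters=3, agents=3, release="1.15", version="1.15.10",
                       identity_system="adfs") -> dict:
    """Constructed sample in the shape of kubernetes-azurestack.json (not the real file)."""
    cloud = {"portalURL": "https://portal.local.azurestack.external"}
    if identity_system:
        cloud["identitySystem"] = identity_system
    return {"apiVersion": "vlabs", "properties": {
        "orchestratorProfile": {"orchestratorType": "Kubernetes",
                                "orchestratorRelease": release, "orchestratorVersion": version},
        "customCloudProfile": cloud,
        "masterProfile": {"dnsPrefix": "kube-rg-demo", "count": masters,
                          "vmSize": "Standard_D2_v2", "distro": REQUIRED_DISTRO},
        "agentPoolProfiles": [{"name": "linuxpool", "count": agents,
                               "vmSize": "Standard_D2_v2", "distro": REQUIRED_DISTRO}],
        "linuxProfile": {"adminUsername": "azureuser", "ssh": {"publicKeys": [
            {"keyData": "ssh-rsa AAAAB3NzaC1yc2E-constructed-placeholder"}]}},
    }}


if __name__ == "__main__":
    # Usage: python check_apimodel.py ./kubernetes-azurestack.json
    found = check_api_model_file(sys.argv[1]) if len(sys.argv) > 1 else check_api_model(build_sample_model())
    print("\n".join(found) if found else "API model passes pre-flight checks")
```

Run it against your edited kubernetes-azurestack.json before step 1 of the deployment below; a non-empty list is cheaper to fix here than after a half-created resource group.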

More information about the API model

Deploy a Kubernetes cluster

After you have collected all the required values in your API model, you can create your cluster. At this point you should:

Ask your Azure Stack Hub operator to:

  • Verify the health of the system; we suggest running Test-AzureStack and your OEM vendor's hardware monitoring tool.
  • Verify the system capacity, including resources such as memory, storage, and public IPs.
  • Provide details of the quota associated with your subscription so that you can verify that there is still enough space for the number of VMs you plan to use.

Proceed to deploy a cluster:

  1. Review the available parameters for the AKS engine on Azure Stack Hub CLI flags.

    | Parameter | Example | Description |
    | --- | --- | --- |
    | azure-env | AzureStackCloud | To indicate to the AKS engine that your target platform is Azure Stack Hub, use AzureStackCloud. |
    | identity-system | adfs | Optional. Specify your identity management solution if you are using Active Directory Federation Services (AD FS). |
    | location | local | The region name for your Azure Stack Hub. For the ASDK, the region is set to local. |
    | resource-group | kube-rg | Enter the name of a new resource group or select an existing resource group. The resource name needs to be alphanumeric and lowercase. |
    | api-model | ./kubernetes-azurestack.json | Path to the cluster configuration file, or API model. |
    | output-directory | kube-rg | Enter the name of the directory to contain the output file apimodel.json as well as other generated files. |
    | client-id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Enter the service principal GUID. The client ID is identified as the Application ID when your Azure Stack Hub administrator created the service principal. |
    | client-secret | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Enter the service principal secret. You set up the client secret when creating your service principal. |
    | subscription-id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Enter your subscription ID. You must provide a subscription for the tenant. Deployment to the administrative subscription is not supported. For more information, see Subscribe to an offer. |

    Here is an example:

    aks-engine deploy \
    --azure-env AzureStackCloud \
    --location <for asdk is local> \
    --resource-group kube-rg \
    --api-model ./kubernetes-azurestack.json \
    --output-directory kube-rg \
    --client-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    --client-secret xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    --subscription-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    --identity-system adfs # required if using AD FS
    
  2. If for some reason the execution fails after the output directory has been created, you can correct the issue and rerun the command. If you are rerunning the deployment and had used the same output directory before, the AKS engine returns an error saying that the directory already exists. You can overwrite the existing directory by using the flag --force-overwrite.

  3. Save the AKS engine cluster configuration in a secure, encrypted location.

    Locate the file apimodel.json. Save it to a secure location. This file will be used as input in all of your other AKS engine operations.

    The generated apimodel.json contains the service principal, secret, and SSH public key you used in the input API model. It also has all the other metadata needed by the AKS engine to perform all other operations. If you lose it, the AKS engine won't be able to configure the cluster.

    The secrets are unencrypted. Keep the file in an encrypted, secure place.

Verify your cluster

Verify your cluster by deploying MySQL with Helm.

  1. Get the public IP address of one of your master nodes using the Azure Stack Hub portal.

  2. From a machine with access to your Azure Stack Hub instance, connect via SSH into the new master node using a client such as PuTTY or MobaXterm.

  3. For the SSH username, use "azureuser" and the private key file of the key pair you provided for the deployment of the cluster.

  4. Run the following commands to create a sample deployment of a Redis master (for connected stamps only):

    kubectl apply -f https://k8s.io/examples/application/guestbook/redis-master-deployment.yaml
    
    1. Query the list of pods:

      kubectl get pods
      
    2. The response should be similar to the following:

      NAME                            READY     STATUS    RESTARTS   AGE
      redis-master-1068406935-3lswp   1/1       Running   0          28s
      
    3. View the deployment logs:

      kubectl logs -f <pod name>
      

    For a complete deployment of a sample PHP app that includes the Redis master, follow the instructions here.

  5. For a disconnected stamp, the following commands should be sufficient:

    1. First, check that the cluster endpoints are running:

      kubectl cluster-info
      

      The output should look similar to the following:

      Kubernetes master is running at https://democluster01.location.domain.com
      CoreDNS is running at https://democluster01.location.domain.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
      kubernetes-dashboard is running at https://democluster01.location.domain.com/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy
      Metrics-server is running at https://democluster01.location.domain.com/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy
      
    2. Then, review the node states:

      kubectl get nodes
      

      The output should be similar to the following:

      k8s-linuxpool-29969128-0   Ready      agent    9d    v1.15.5
      k8s-linuxpool-29969128-1   Ready      agent    9d    v1.15.5
      k8s-linuxpool-29969128-2   Ready      agent    9d    v1.15.5
      k8s-master-29969128-0      Ready      master   9d    v1.15.5
      k8s-master-29969128-1      Ready      master   9d    v1.15.5
      k8s-master-29969128-2      Ready      master   9d    v1.15.5
      
  6. To clean up the Redis pod deployment from the previous step, run the following command:

    kubectl delete deployment -l app=redis
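
Reading the kubectl get nodes output by eye works for six nodes but not for a 50-node subscription, and a node that is Ready,SchedulingDisabled or running a different kubelet version is easy to miss. The following check is an added example, not code from the Azure Stack Hub documentation or from the aks-engine project: it parses the node listing, compares the master and agent counts with what the API model asked for, and flags any node that is not Ready or that runs a different version from the rest. The sample listing embedded below is constructed in the shape of the output shown above; check_live_cluster assumes kubectl is on the PATH and configured for the cluster.

```python
"""Verify node state after an AKS engine deployment (added example, not aks-engine code)."""
import subprocess

# Constructed sample in the shape of the `kubectl get nodes` output shown above.
SAMPLE_NODES_OUTPUT = """\
k8s-linuxpool-29969128-0   Ready      agent    9d    v1.15.5
k8s-linuxpool-29969128-1   Ready      agent    9d    v1.15.5
k8s-linuxpool-29969128-2   Ready      agent    9d    v1.15.5
k8s-master-29969128-0      Ready      master   9d    v1.15.5
k8s-master-29969128-1      Ready      master   9d    v1.15.5
k8s-master-29969128-2      Ready      master   9d    v1.15.5
"""


def parse_nodes(text: str) -> list:
    """Turn `kubectl get nodes` lines (with or without the header) into dicts."""
    nodes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "NAME":  # skip blanks and the header row
            continue
        name, status, roles, age, version = parts[:5]
        nodes.append({
            "name": name,
            "status": status,
            # STATUS can be a comma list such as Ready,SchedulingDisabled
            "ready": "Ready" in status.split(","),
            "roles": roles.split(","),
            "age": age,
            "version": version,
        })
    return nodes


def check_nodes(nodes: list, expected_masters: int, expected_agents: int) -> list:
    """Return problems found; an empty list means the node set looks healthy."""
    problems = []
    masters = [n for n in nodes if "master" in n["roles"]]
    agents = [n for n in nodes if "agent" in n["roles"]]
    if len(masters) != expected_masters:
        problems.append(f"expected {expected_masters} masters, found {len(masters)}")
    if len(agents) != expected_agents:
        problems.append(f"expected {expected_agents} agents, found {len(agents)}")
    for n in nodes:
        if not n["ready"]:
            problems.append(f"node {n['name']} is {n['status']}")
    versions = sorted({n["version"] for n in nodes})
    if len(versions) > 1:
        problems.append("nodes run different kubelet versions: " + ", ".join(versions))
    return problems


def check_live_cluster(expected_masters: int, expected_agents: int) -> list:
    """Run kubectl (assumed on PATH and pointed at the cluster) and check its output."""
    out = subprocess.run(["kubectl", "get", "nodes", "--no-headers"],
                         capture_output=True, text=True, check=True).stdout
    return check_nodes(parse_nodes(out), expected_masters, expected_agents)


if __name__ == "__main__":
    # Counts come from masterProfile.count and the agentPoolProfiles counts in the API model.
    found = check_nodes(parse_nodes(SAMPLE_NODES_OUTPUT), expected_masters=3, expected_agents=3)
    print("\n".join(found) if found else "all nodes Ready with the expected roles")
```

Pass the master and agent counts from your API model; a count mismatch right after deployment usually means a VM never joined the cluster, which the portal shows long before kubectl does.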
    

Rotate your service principal secret

After the deployment of the Kubernetes cluster with the AKS engine, the service principal (SPN) is used for managing interactions with Azure Resource Manager on your Azure Stack Hub instance. At some point, the secret for this service principal may expire. If your secret expires, you can refresh the credentials by:

  • Updating each node with the new service principal secret.
  • Or updating the API model credentials and running the upgrade.

Update each node manually

  1. Get a new secret for your service principal from your cloud operator. For instructions for Azure Stack Hub, see Use an app identity to access Azure Stack Hub resources.
  2. Use the new credentials provided by your cloud operator to update /etc/kubernetes/azure.json on each node. After making the update, restart both kubelet and kube-controller-manager.
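
Editing /etc/kubernetes/azure.json by hand on every node invites two mistakes: pasting the new secret into a node that was deployed under a different service principal, and leaving a world-readable copy of the file behind. The following helper is an added example, not code from the Azure Stack Hub documentation or from the aks-engine project. It assumes the Azure cloud provider's configuration keys aadClientId and aadClientSecret (the field names used by the Kubernetes Azure cloud provider's azure.json; confirm them against the file on your nodes), refuses to write a secret when the client ID does not match, leaves every other setting untouched, and replaces the file atomically with owner-only permissions. The sample configuration below is constructed with placeholder values.

```python
"""Rotate the service principal secret in azure.json (added example, not aks-engine code)."""
import json
import os
import tempfile

# Constructed sample with placeholder values; the real file holds the cluster's own identifiers.
SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_AZURE_JSON = json.dumps({
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "subscriptionId": "22222222-2222-2222-2222-222222222222",
    "aadClientId": SAMPLE_CLIENT_ID,
    "aadClientSecret": "old-secret-placeholder",
    "resourceGroup": "kube-rg",
    "location": "local",
}, indent=4)


def validate_rotation(config: dict, expected_client_id: str, new_secret: str) -> list:
    """Return reasons the rotation must not proceed; empty list means it is safe."""
    problems = []
    if config.get("aadClientId") != expected_client_id:
        problems.append(f"azure.json belongs to client {config.get('aadClientId')}, "
                        f"not {expected_client_id}")
    if not new_secret:
        problems.append("new secret is empty")
    elif config.get("aadClientSecret") == new_secret:
        problems.append("new secret is identical to the current one; nothing would change")
    return problems


def rotate_secret(config_text: str, expected_client_id: str, new_secret: str) -> dict:
    """Return the configuration with only aadClientSecret replaced."""
    config = json.loads(config_text)
    problems = validate_rotation(config, expected_client_id, new_secret)
    if problems:
        raise ValueError("; ".join(problems))
    config["aadClientSecret"] = new_secret
    return config


def rotate_secret_file(path: str, expected_client_id: str, new_secret: str) -> None:
    """Rewrite azure.json atomically (temp file + rename) with mode 0600."""
    with open(path) as f:
        updated = rotate_secret(f.read(), expected_client_id, new_secret)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".azure.json.")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(updated, f, indent=4)
            f.write("\n")
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # atomic on POSIX; no half-written file is ever visible
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Demonstration on the constructed sample; on a node you would call
    # rotate_secret_file("/etc/kubernetes/azure.json", client_id, new_secret) as root.
    rotated = rotate_secret(SAMPLE_AZURE_JSON, SAMPLE_CLIENT_ID, "new-secret-placeholder")
    print("rotated secret for", rotated["aadClientId"], "in", rotated["resourceGroup"])
```

Read the new secret from a prompt or an environment variable rather than a command-line argument, so it does not land in shell history or the process list, and run the kubelet and kube-controller-manager restarts from step 2 only after the file has been replaced on that node.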

Update the cluster with aks-engine update

Alternatively, you can replace the credentials in apimodel.json and run an upgrade using the updated JSON to the same or a newer Kubernetes version. For instructions on upgrading the model, see Upgrade a Kubernetes cluster on Azure Stack Hub.

Next steps