環(huán)境

• RHEL 9.3
• Red Hat OpenShift Local 2.32

登錄

通過 crc console --credentials 可以查看登錄信息：

$ crc console --credentials
To login as a regular user, run 'oc login -u developer -p developer https://api.crc.testing:6443'.
To login as an admin, run 'oc login -u kubeadmin -p 9cdKu-ihELt-PYiiN-aazX2 https://api.crc.testing:6443'

登錄：

$ oc login -u kubeadmin -p 9cdKu-ihELt-PYiiN-aazX2 https://api.crc.testing:6443
Login successful.You have access to 66 projects, the list has been suppressed. You can list all projects with 'oc projects'Using project "default".

注： https://api.crc.testing:6443 是可選的，缺省就是登錄本機(jī)。

查看當(dāng)前身份：

$ oc whoami
kubeadmin

登錄時(shí)，可以加上 --web 選項(xiàng)，啟動(dòng)web console，通過web console登錄：

$ oc login --web
Opening login URL in the default browser: https://oauth-openshift.apps-crc.testing/oauth/authorize?client_id=openshift-cli-client&code_challenge=FXeS7NXkkgk-c8T2IBC62OerE5idgtetRqackO6n15E&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A35445%2Fcallback&response_type=code

創(chuàng)建project

Project使得用戶社區(qū)可以在隔離中組織和管理其內(nèi)容。Project是OCP對(duì)Kubernetes namespace的擴(kuò)展。Project具有額外的功能，使得用戶能夠自我provision（self-provisioning）。

用戶需要從管理員處接收project的訪問權(quán)限。集群管理員可以允許開發(fā)人員創(chuàng)建自己的project。多數(shù)情況下，用戶會(huì)自動(dòng)獲得其自己的project的訪問權(quán)限。

每個(gè)project都有自己的一系列對(duì)象、策略、約束和service帳戶。

創(chuàng)建project user-getting-started ：

$ oc new-project user-getting-started --display-name="Getting Started with OpenShift"
Now using project "user-getting-started" on server "https://api.crc.testing:6443".You can add applications to this project with the 'new-app' command. For example, try:oc new-app rails-postgresql-exampleto build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname

創(chuàng)建project后，會(huì)自動(dòng)切換到該project。

賦予查看權(quán)限

OCP會(huì)在每個(gè)project中自動(dòng)創(chuàng)建一些特殊的service帳戶。默認(rèn)服務(wù)帳戶會(huì)負(fù)責(zé)運(yùn)行pod。OCP使用并將此service帳戶注入到所啟動(dòng)的每個(gè)pod中。

本例為默認(rèn)的 ServiceAccount 對(duì)象創(chuàng)建一個(gè) RoleBinding 對(duì)象。Service帳戶與 OCP API通信，以了解project中的 pod、service和資源。

將查看（view）角色添加到 user-get-started project中的默認(rèn)service帳戶：

$ oc adm policy add-role-to-user view -z default -n user-getting-started
clusterrole.rbac.authorization.k8s.io/view added: "default"

部署第一個(gè)image

在OCP中部署應(yīng)用的最簡(jiǎn)單方法是運(yùn)行已有的容器image。本例部署一個(gè)應(yīng)用的前端組件，名為 national-parks-app 。該web應(yīng)用顯示一個(gè)交互式的地圖，顯示全球主要國(guó)家公園的位置。

$ oc new-app quay.io/openshiftroadshow/parksmap:latest --name=parksmap -l 'app=national-parks-app,component=parksmap,role=frontend,app.kubernetes.io/part-of=national-parks-app'
--> Found container image 0c2f55f (3 years old) from quay.io for "quay.io/openshiftroadshow/parksmap:latest"* An image stream tag will be created as "parksmap:latest" that will track this image--> Creating resources with label app=national-parks-app,app.kubernetes.io/part-of=national-parks-app,component=parksmap,role=frontend ...imagestream.image.openshift.io "parksmap" createddeployment.apps "parksmap" createdservice "parksmap" created
--> SuccessApplication is not exposed. You can expose services to the outside world by executing one or more of the commands below:'oc expose service/parksmap' Run 'oc status' to view your app.

創(chuàng)建route

外部客戶端可以通過路由層訪問OCP里運(yùn)行的應(yīng)用，該路由層后端的數(shù)據(jù)對(duì)象被稱為route。默認(rèn)的OCP路由器（HAProxy）使用傳入請(qǐng)求的HTTP header來確定代理連接的位置。

也可以為route定義安全性，比如TLS。

查看service：

$ oc get service
NAME       TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
parksmap   ClusterIP   10.217.4.38   <none>        8080/TCP   6m11s

注：我使用的是Red Hat OpenShift Local，所以沒有 EXTERNAL-IP 。

創(chuàng)建route：

$ oc create route edge parksmap --service=parksmap
route.route.openshift.io/parksmap created

查看route：

$ oc get route
NAME       HOST/PORT                                        PATH   SERVICES   PORT       TERMINATION   WILDCARD
parksmap   parksmap-user-getting-started.apps-crc.testing          parksmap   8080-tcp   edge          None

檢查pod

OCP使用Kubernetes的pod概念，它是部署在同一主機(jī)上的一個(gè)或多個(gè)容器，也是可被定義、部署和管理的最小計(jì)算單元。對(duì)于容器來說，pod大致相當(dāng)于機(jī)器實(shí)例（物理的或虛擬的）。

可以查看集群中的pod，并確定這些pod以及整個(gè)集群的健康狀態(tài)。

$ oc get pod
NAME                       READY   STATUS    RESTARTS   AGE
parksmap-69b46d5f7-glwd2   1/1     Running   0          14m

查看pod詳細(xì)信息：

$ oc describe pod
Name:             parksmap-69b46d5f7-glwd2
Namespace:        user-getting-started
Priority:         0
Service Account:  default
Node:             crc-ksq4m-master-0/192.168.126.11
Start Time:       Fri, 09 Feb 2024 08:09:58 +0800
Labels:           app=national-parks-appapp.kubernetes.io/part-of=national-parks-appcomponent=parksmapdeployment=parksmappod-template-hash=69b46d5f7role=frontend
Annotations:      k8s.v1.cni.cncf.io/network-status:[{"name": "openshift-sdn","interface": "eth0","ips": ["10.217.0.65"],"default": true,"dns": {}}]openshift.io/generated-by: OpenShiftNewAppopenshift.io/scc: restricted-v2seccomp.security.alpha.kubernetes.io/pod: runtime/default
Status:           Running
SeccompProfile:   RuntimeDefault
IP:               10.217.0.65
IPs:IP:           10.217.0.65
Controlled By:  ReplicaSet/parksmap-69b46d5f7
Containers:parksmap:Container ID:   cri-o://36d858cc571f219418f2d5fefcd4ebd606611c51a57f779c26fa6d3f86559f03Image:          quay.io/openshiftroadshow/parksmap@sha256:89d1e324846cb431df9039e1a7fd0ed2ba0c51aafbae73f2abd70a83d5fa173bImage ID:       quay.io/openshiftroadshow/parksmap@sha256:89d1e324846cb431df9039e1a7fd0ed2ba0c51aafbae73f2abd70a83d5fa173bPort:           8080/TCPHost Port:      0/TCPState:          RunningStarted:      Fri, 09 Feb 2024 08:10:34 +0800Ready:          TrueRestart Count:  0Environment:    <none>Mounts:/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-92x92 (ro)
Conditions:Type              StatusInitialized       True Ready             True ContainersReady   True PodScheduled      True 
Volumes:kube-api-access-92x92:Type:                    Projected (a volume that contains injected data from multiple sources)TokenExpirationSeconds:  3607ConfigMapName:           kube-root-ca.crtConfigMapOptional:       <nil>DownwardAPI:             trueConfigMapName:           openshift-service-ca.crtConfigMapOptional:       <nil>
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300snode.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:Type    Reason          Age   From               Message----    ------          ----  ----               -------Normal  Scheduled       15m   default-scheduler  Successfully assigned user-getting-started/parksmap-69b46d5f7-glwd2 to crc-ksq4m-master-0Normal  AddedInterface  15m   multus             Add eth0 [10.217.0.65/23] from openshift-sdnNormal  Pulling         15m   kubelet            Pulling image "quay.io/openshiftroadshow/parksmap@sha256:89d1e324846cb431df9039e1a7fd0ed2ba0c51aafbae73f2abd70a83d5fa173b"Normal  Pulled          14m   kubelet            Successfully pulled image "quay.io/openshiftroadshow/parksmap@sha256:89d1e324846cb431df9039e1a7fd0ed2ba0c51aafbae73f2abd70a83d5fa173b" in 34.192111778s (34.19212265s including waiting)Normal  Created         14m   kubelet            Created container parksmapNormal  Started         14m   kubelet            Started container parksmap

注：也可以 oc describe pod xxx 查看某個(gè)pod的詳細(xì)信息。本例中在當(dāng)前project里只有一個(gè)pod，所以二者效果都一樣。

擴(kuò)展應(yīng)用

在Kubernetes中， Deployment 對(duì)象定義了如何部署應(yīng)用。多數(shù)情況下，用戶會(huì)把pod、service、ReplicaSets、deployment資源一起使用。在大多數(shù)情況下，OCP會(huì)創(chuàng)建這些資源。

在部署 national-parks-app image時(shí)，會(huì)創(chuàng)建一個(gè)deployment資源。本例只部署了一個(gè)pod。

把應(yīng)用從一個(gè)pod實(shí)例擴(kuò)展到兩個(gè)pod實(shí)例：

$ oc scale --current-replicas=1 --replicas=2 deployment/parksmap
deployment.apps/parksmap scaled

查看pod：

$ oc get pods
NAME                       READY   STATUS    RESTARTS   AGE
parksmap-69b46d5f7-btk54   1/1     Running   0          33s
parksmap-69b46d5f7-glwd2   1/1     Running   0          22m

把應(yīng)用縮減回一個(gè)pod實(shí)例：

$ oc scale --current-replicas=2 --replicas=1 deployment/parksmap
deployment.apps/parksmap scaled

查看pod：

$ oc get pods
NAME                       READY   STATUS    RESTARTS   AGE
parksmap-69b46d5f7-glwd2   1/1     Running   0          24m

部署一個(gè)Python應(yīng)用

本例為 parksmap 應(yīng)用部署后端service。Python應(yīng)用在MongoDB數(shù)據(jù)庫執(zhí)行2D地理空間（ geo-spatial）查詢，以定位和返回世界上所有國(guó)家公園的地圖坐標(biāo)。

部署的后端service是 nationalparks 。

創(chuàng)建Python應(yīng)用：

$ oc new-app python~https://github.com/openshift-roadshow/nationalparks-py.git --name nationalparks -l 'app=national-parks-app,component=nationalparks,role=backend,app.kubernetes.io/part-of=national-parks-app,app.kubernetes.io/name=python' --allow-missing-images=true
warning: Cannot check if git requires authentication.
--> Found image 3c5d265 (5 weeks old) in image stream "openshift/python" under tag "3.9-ubi8" for "python"Python 3.9 ---------- Python 3.9 available as container is a base platform for building and running various Python 3.9 applications and frameworks. Python is an easy to learn, powerful programming language. It has efficient high-level data structures and a simple but effective approach to object-oriented programming. Python's elegant syntax and dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid application development in many areas on most platforms.Tags: builder, python, python39, python-39, rh-python39* A source build using source code from https://github.com/openshift-roadshow/nationalparks-py.git will be created* The resulting image will be pushed to image stream tag "nationalparks:latest"* Use 'oc start-build' to trigger a new build--> Creating resources with label app=national-parks-app,app.kubernetes.io/name=python,app.kubernetes.io/part-of=national-parks-app,component=nationalparks,role=backend ...imagestream.image.openshift.io "nationalparks" createdbuildconfig.build.openshift.io "nationalparks" createddeployment.apps "nationalparks" createdservice "nationalparks" created
--> SuccessBuild scheduled, use 'oc logs -f buildconfig/nationalparks' to track its progress.Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:'oc expose service/nationalparks' Run 'oc status' to view your app.

創(chuàng)建route來暴露 nationalparks 應(yīng)用：

$ oc create route edge nationalparks --service=nationalparks
route.route.openshift.io/nationalparks created

查看route：

$ oc get route
NAME            HOST/PORT                                             PATH   SERVICES        PORT       TERMINATION   WILDCARD
nationalparks   nationalparks-user-getting-started.apps-crc.testing          nationalparks   8080-tcp   edge          None
parksmap        parksmap-user-getting-started.apps-crc.testing               parksmap        8080-tcp   edge          None

連接數(shù)據(jù)庫

接下來，部署并連接一個(gè)MongoDB數(shù)據(jù)庫， national -parks-app 應(yīng)用將會(huì)存儲(chǔ)位置信息于該數(shù)據(jù)庫。一旦把 national-parks-app 應(yīng)用標(biāo)記為地圖可視化工具的后端， parksmap deployment會(huì)使用OCP發(fā)現(xiàn)機(jī)制來自動(dòng)顯示地圖。

連接數(shù)據(jù)庫：

$ oc new-app quay.io/centos7/mongodb-36-centos7 --name mongodb-nationalparks -e MONGODB_USER=mongodb -e MONGODB_PASSWORD=mongodb -e MONGODB_DATABASE=mongodb -e MONGODB_ADMIN_PASSWORD=mongodb -l 'app.kubernetes.io/part-of=national-parks-app,app.kubernetes.io/name=mongodb'
--> Found container image dc18f52 (2 years old) from quay.io for "quay.io/centos7/mongodb-36-centos7"MongoDB 3.6 ----------- MongoDB (from humongous) is a free and open-source cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with schemas. This container image contains programs to run mongod server.Tags: database, mongodb, rh-mongodb36* An image stream tag will be created as "mongodb-nationalparks:latest" that will track this image--> Creating resources with label app.kubernetes.io/name=mongodb,app.kubernetes.io/part-of=national-parks-app ...imagestream.image.openshift.io "mongodb-nationalparks" createddeployment.apps "mongodb-nationalparks" createdservice "mongodb-nationalparks" created
--> SuccessApplication is not exposed. You can expose services to the outside world by executing one or more of the commands below:'oc expose service/mongodb-nationalparks' Run 'oc status' to view your app.

創(chuàng)建secret

Secret 對(duì)象提供了一種機(jī)制來保存敏感信息，如密碼、OCP客戶端配置文件、私有源倉庫憑證等。Secret把敏感內(nèi)容與pod解耦?？梢酝ㄟ^volume插件把secret mount到容器中，系統(tǒng)也可以為pod而使用secret執(zhí)行操作。本例添加secret nationalparks-mongodb-parameters ，并將它mount到 nationalparks 工作負(fù)載中。

創(chuàng)建secret：

$ oc create secret generic nationalparks-mongodb-parameters --from-literal=DATABASE_SERVICE_NAME=mongodb-nationalparks --from-literal=MONGODB_USER=mongodb --from-literal=MONGODB_PASSWORD=mongodb --from-literal=MONGODB_DATABASE=mongodb --from-literal=MONGODB_ADMIN_PASSWORD=mongodb
secret/nationalparks-mongodb-parameters created

更新環(huán)境變量，把mongodb secret 附加到 nationalpartks 工作負(fù)載：

$ oc set env --from=secret/nationalparks-mongodb-parameters deploy/nationalparks
deployment.apps/nationalparks updated

顯示 nationalpartks deployment的狀態(tài)：

$ oc rollout status deployment nationalparks
deployment "nationalparks" successfully rolled out

顯示 mongodb-nationalparks deployment的狀態(tài)：

$ oc rollout status deployment mongodb-nationalparks
deployment "mongodb-nationalparks" successfully rolled out

直接看當(dāng)前project里所有deployment的更新狀態(tài)：

$ oc rollout status deployment
deployment "mongodb-nationalparks" successfully rolled out
deployment "nationalparks" successfully rolled out
deployment "parksmap" successfully rolled out

加載數(shù)據(jù)并顯示國(guó)家公園地圖

目前已經(jīng)部署了 parksmap 和 Nationalparks 應(yīng)用，然后部署了 mongodb-nationalparks 數(shù)據(jù)庫。但是，還沒有把數(shù)據(jù)加載到數(shù)據(jù)庫中。

加載國(guó)家公園數(shù)據(jù)：

$ oc exec $(oc get pods -l component=nationalparks | tail -n 1 | awk '{print $1;}') -- curl -s http://localhost:8080/ws/data/load
"Items inserted in database: 2893"

驗(yàn)證：

$ oc exec $(oc get pods -l component=nationalparks | tail -n 1 | awk '{print $1;}') -- curl -s http://localhost:8080/ws/data/all | jq .
[{"id": "Arikok National Park","latitude": "12.489967","longitude": "-69.9273915","name": "Arikok National Park"},{"id": "Wakhan National Park","latitude": "36.845432","longitude": "72.28375","name": "Wakhan National Park"},
......
......{"id": "Great Zimbabwe","latitude": "-20.2674635","longitude": "30.9337986","name": "Great Zimbabwe"}
]

為route添加label：

$ oc label route nationalparks type=parksmap-backend
route.route.openshift.io/nationalparks labeled

查看route：

$ oc get routes
NAME            HOST/PORT                                             PATH   SERVICES        PORT       TERMINATION   WILDCARD
nationalparks   nationalparks-user-getting-started.apps-crc.testing          nationalparks   8080-tcp   edge          None
parksmap        parksmap-user-getting-started.apps-crc.testing               parksmap        8080-tcp   edge          None

打開瀏覽器，訪問 https://parksmap-user-getting-started.apps-crc.testing ，如下：

清理

crc delete -f

參考

• https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/getting_started/index#openshift-cli