Install applications with Helm in Azure Kubernetes Service (AKS)

Helm is an open-source packaging tool that helps you install and manage the lifecycle of Kubernetes applications. Similar to Linux package managers such as APT and Yum, Helm is used to manage Kubernetes charts, which are packages of preconfigured Kubernetes resources.

This article shows you how to configure and use Helm in a Kubernetes cluster on AKS.

Before you begin

This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI or using the Azure portal.

You also need the Helm CLI installed, which is the client that runs on your development system. It allows you to start, stop, and manage applications with Helm. If you use the Azure Cloud Shell, the Helm CLI is already installed. For installation instructions on your local platform, see Installing Helm.

Important

Helm is intended to run on Linux nodes. If you have Windows Server nodes in your cluster, you must ensure that Helm pods are only scheduled to run on Linux nodes. You also need to ensure that any Helm charts you install are also scheduled to run on the correct nodes. The commands in this article use node-selectors to make sure pods are scheduled to the correct nodes, but not all Helm charts may expose a node selector. You can also consider using other options on your cluster, such as taints.

Create a service account

Before you can deploy Helm in an RBAC-enabled AKS cluster, you need a service account and role binding for the Tiller service. For more information on securing Helm / Tiller in an RBAC-enabled cluster, see Tiller, Namespaces, and RBAC. If your AKS cluster is not RBAC-enabled, skip this step.

Create a file named helm-rbac.yaml and copy in the following YAML:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Create the service account and role binding with the kubectl apply command:

kubectl apply -f helm-rbac.yaml

Secure Tiller and Helm

The Helm client and Tiller service authenticate and communicate with each other using TLS/SSL. This authentication method helps to secure the Kubernetes cluster and control which services can be deployed. To improve security, you can generate your own signed certificates. Each Helm user would receive their own client certificate, and Tiller would be initialized in the Kubernetes cluster with certificates applied. For more information, see Using TLS/SSL between Helm and Tiller.

With an RBAC-enabled Kubernetes cluster, you can control the level of access Tiller has to the cluster. You can define the Kubernetes namespace that Tiller is deployed in, and restrict what namespaces Tiller can then deploy resources in. This approach lets you create Tiller instances in different namespaces and limit deployment boundaries, and scope the users of the Helm client to certain namespaces. For more information, see Helm role-based access controls.

Configure Helm

To deploy a basic Tiller into an AKS cluster, use the helm init command. If your cluster is not RBAC-enabled, remove the --service-account argument and value. The following examples also set the history-max to 200.

If you configured TLS/SSL for Tiller and Helm, skip this basic initialization step and instead provide the required --tiller-tls- as shown in the next example.

helm init --history-max 200 --service-account tiller --node-selectors "beta.kubernetes.io/os=linux"

If you configured TLS/SSL between Helm and Tiller, provide the --tiller-tls-* parameters and names of your own certificates, as shown in the following example:

helm init \
    --tiller-tls \
    --tiller-tls-cert tiller.cert.pem \
    --tiller-tls-key tiller.key.pem \
    --tiller-tls-verify \
    --tls-ca-cert ca.cert.pem \
    --history-max 200 \
    --service-account tiller \
    --node-selectors "beta.kubernetes.io/os=linux"

Find Helm charts

Helm charts are used to deploy applications into a Kubernetes cluster. To search for pre-created Helm charts, use the helm search command:

helm search

The following condensed example output shows some of the Helm charts available for use:

$ helm search

NAME                           CHART VERSION    APP VERSION  DESCRIPTION
stable/aerospike               0.1.7            v3.14.1.2    A Helm chart for Aerospike in Kubernetes
stable/anchore-engine          0.1.7            0.1.10       Anchore container analysis and policy evaluatio...
stable/apm-server              0.1.0            6.2.4        The server receives data from the Elastic APM a...
stable/ark                     1.0.1            0.8.2        A Helm chart for ark
stable/artifactory             7.2.1            6.0.0        Universal Repository Manager supporting all maj...
stable/artifactory-ha          0.2.1            6.0.0        Universal Repository Manager supporting all maj...
stable/auditbeat               0.1.0            6.2.4        A lightweight shipper to audit the activities o...
stable/aws-cluster-autoscaler  0.3.3                         Scales worker nodes within autoscaling groups.
stable/bitcoind                0.1.3            0.15.1       Bitcoin is an innovative payment network and a ...
stable/buildkite               0.2.3            3            Agent for Buildkite
stable/burrow                  0.4.4            0.17.1       Burrow is a permissionable smart contract machine
stable/centrifugo              2.0.1            1.7.3        Centrifugo is a real-time messaging server.
stable/cerebro                 0.1.0            0.7.3        A Helm chart for Cerebro - a web admin tool tha...
stable/cert-manager            v0.3.3           v0.3.1       A Helm chart for cert-manager
stable/chaoskube               0.7.0            0.8.0        Chaoskube periodically kills random pods in you...
stable/chartmuseum             1.5.0            0.7.0        Helm Chart Repository with support for Amazon S...
stable/chronograf              0.4.5            1.3          Open-source web application written in Go and R...
stable/cluster-autoscaler      0.6.4            1.2.2        Scales worker nodes within autoscaling groups.
stable/cockroachdb             1.1.1            2.0.0        CockroachDB is a scalable, survivable, strongly...
stable/concourse               1.10.1           3.14.1       Concourse is a simple and scalable CI system.
stable/consul                  3.2.0            1.0.0        Highly available and distributed service discov...
stable/coredns                 0.9.0            1.0.6        CoreDNS is a DNS server that chains plugins and...
stable/coscale                 0.2.1            3.9.1        CoScale Agent
stable/dask                    1.0.4            0.17.4       Distributed computation in Python with task sch...
stable/dask-distributed        2.0.2                         DEPRECATED: Distributed computation in Python
stable/datadog                 0.18.0           6.3.0        DataDog Agent
...

To update the list of charts, use the helm repo update command. The following example shows a successful repo update:

$ helm repo update

Hold tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "stable" chart repository
Update Complete.

Run Helm charts

To install charts with Helm, use the helm install command and specify the name of the chart to install. To see installing a Helm chart in action, let's install a basic nginx deployment using a Helm chart. If you configured TLS/SSL, add the --tls parameter to use your Helm client certificate.

helm install stable/nginx-ingress \
    --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
    --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux

The following condensed example output shows the deployment status of the Kubernetes resources created by the Helm chart:

$ helm install stable/nginx-ingress --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux

NAME:   flailing-alpaca
LAST DEPLOYED: Thu May 23 12:55:21 2019
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/ConfigMap
NAME                                      DATA  AGE
flailing-alpaca-nginx-ingress-controller  1     0s

==> v1/Pod(related)
NAME                                                            READY  STATUS             RESTARTS  AGE
flailing-alpaca-nginx-ingress-controller-56666dfd9f-bq4cl       0/1    ContainerCreating  0         0s
flailing-alpaca-nginx-ingress-default-backend-66bc89dc44-m87bp  0/1    ContainerCreating  0         0s

==> v1/Service
NAME                                           TYPE          CLUSTER-IP  EXTERNAL-IP  PORT(S)                     AGE
flailing-alpaca-nginx-ingress-controller       LoadBalancer  10.0.109.7  <pending>    80:31219/TCP,443:32421/TCP  0s
flailing-alpaca-nginx-ingress-default-backend  ClusterIP     10.0.44.97  <none>       80/TCP                      0s
...

It takes a minute or two for the EXTERNAL-IP address of the nginx-ingress-controller service to be populated and allow you to access it with a web browser.

List Helm releases

To see a list of releases installed on your cluster, use the helm list command. The following example shows the nginx-ingress release deployed in the previous step. If you configured TLS/SSL, add the --tls parameter to use your Helm client certificate.

$ helm list

NAME             REVISION  UPDATED                   STATUS    CHART                 APP VERSION  NAMESPACE
flailing-alpaca  1         Thu May 23 12:55:21 2019  DEPLOYED  nginx-ingress-1.6.13  0.24.1       default

Clean up resources

When you deploy a Helm chart, a number of Kubernetes resources are created. These resources include pods, deployments, and services. To clean up these resources, use the helm delete command and specify your release name, as found in the previous helm list command. The following example deletes the release named flailing-alpaca:

$ helm delete flailing-alpaca

release "flailing-alpaca" deleted

Next steps

For more information about managing Kubernetes application deployments with Helm, see the Helm documentation.