19.3.8 Configuration Management in Practice Across Multiple Environments and Clusters
The goal of configuration management across multiple environments (development, test, staging, production) and multiple clusters is that differences are explicit, inheritance is clear, and every change can be rolled back. The recommended strategy is configuration as code with layered inheritance: a global baseline (security, auditing, logging, time zone) → environment parameters (resource quotas, feature flags) → cluster-specific items (region, network topology, hardware differences), rendered from one set of templates and released through one pipeline. Each layer should only state what it changes relative to the layer below it, so a reviewer can see at a glance why two clusters differ.
Directory and template example (directly executable)
```bash
# 1) Initialize the directory layout
mkdir -p repo/{templates,envs,clusters,inventory}
cat > repo/templates/nginx.conf.j2 <<'EOF'
user nginx;
worker_processes {{ worker_processes }};
events { worker_connections {{ worker_connections }}; }
http {
    server {
        listen {{ listen_port }};
        server_name {{ server_name }};
        location / { root {{ doc_root }}; }
    }
}
EOF
# 2) Global / environment / cluster variables (each layer only states what it overrides)
cat > repo/envs/global.yml <<'EOF'
worker_processes: 2
worker_connections: 1024
doc_root: /usr/share/nginx/html
EOF
cat > repo/envs/prod.yml <<'EOF'
listen_port: 80
server_name: www.example.com
EOF
cat > repo/clusters/prod-bj.yml <<'EOF'
worker_processes: 4
EOF
```
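The layering rule from the introduction (global → environment → cluster, later layers win) is easy to state but hard to audit once dozens of keys are involved. The following added example, which is not part of the chapter and not project code, implements the merge as a small stand-alone resolver: it parses the flat `key: value` files created above (scalars only; nested YAML would need PyYAML), records for every effective key which layer supplied it, renders the `{{ var }}` placeholders with a tiny substitute for Jinja2 that fails on undefined variables instead of emitting blank directives, and reports the explicit differences between two clusters. The `prod-sh` cluster and the file contents are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

Layer = Tuple[str, Dict[str, str]]


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' files this chapter uses (scalars only)."""
    data: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        data[key.strip()] = value.strip()
    return data


def resolve(layers: List[Layer]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Merge layers in precedence order; later layers win, like Ansible vars_files.
    Returns the effective config and, per key, the layer that supplied the value."""
    effective: Dict[str, str] = {}
    provenance: Dict[str, str] = {}
    for name, values in layers:
        for key, value in values.items():
            effective[key] = value
            provenance[key] = name
    return effective, provenance


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, variables: Dict[str, str]) -> str:
    """Substitute {{ var }} placeholders. An undefined variable raises KeyError so a
    typo in a layer file fails the build instead of shipping a blank directive."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined template variable: {name}")
        return variables[name]
    return _PLACEHOLDER.sub(substitute, template)


def explicit_diff(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Keys whose effective value differs between two clusters (None = absent)."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# Constructed layer contents mirroring the chapter's files; prod-sh is a hypothetical
# second cluster with no overrides of its own.
GLOBAL_YML = "worker_processes: 2\nworker_connections: 1024\ndoc_root: /usr/share/nginx/html\n"
PROD_YML = "listen_port: 80\nserver_name: www.example.com\n"
CLUSTERS = {
    "prod-bj": "worker_processes: 4\n",
    "prod-sh": "",
}
NGINX_TEMPLATE = (
    "worker_processes {{ worker_processes }};\n"
    "events { worker_connections {{ worker_connections }}; }\n"
    "http { server { listen {{ listen_port }}; server_name {{ server_name }}; } }\n"
)


def build(cluster: str) -> Tuple[Dict[str, str], Dict[str, str], str]:
    """Resolve the three layers for one cluster and render the nginx template."""
    layers = [
        ("envs/global.yml", parse_flat_yaml(GLOBAL_YML)),
        ("envs/prod.yml", parse_flat_yaml(PROD_YML)),
        (f"clusters/{cluster}.yml", parse_flat_yaml(CLUSTERS[cluster])),
    ]
    effective, provenance = resolve(layers)
    return effective, provenance, render(NGINX_TEMPLATE, effective)


if __name__ == "__main__":
    for cluster in CLUSTERS:
        eff, prov, conf = build(cluster)
        print(f"== {cluster} ==")
        for key in sorted(eff):
            print(f"  {key} = {eff[key]}   (from {prov[key]})")
        print(conf)
    print("prod-bj vs prod-sh:", explicit_diff(build("prod-bj")[0], build("prod-sh")[0]))
```

The provenance map is the part worth keeping in a real pipeline: printing it next to the rendered file turns a release review into "which layer set this value and why", and the fail-closed `render` catches a misspelled key in `clusters/prod-bj.yml` before it reaches a host.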
Ansible layered overrides and deployment (including installation)
```bash
# Install Ansible (Ubuntu shown as an example)
sudo apt-get update && sudo apt-get install -y ansible
# Inventory
cat > repo/inventory/prod.ini <<'EOF'
[web]
10.0.10.11
10.0.10.12
EOF
# Playbook: vars_files are loaded in order, so later files override earlier ones
# (global -> environment -> cluster)
cat > repo/deploy.yml <<'EOF'
- hosts: web
  become: yes
  vars_files:
    - envs/global.yml
    - envs/prod.yml
    - clusters/prod-bj.yml
  tasks:
    - name: render nginx conf
      template:
        src: templates/nginx.conf.j2
        dest: /etc/nginx/nginx.conf
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
EOF
# Run the deployment
cd repo
ansible-playbook -i inventory/prod.ini deploy.yml
# Expected result: worker_processes in /etc/nginx/nginx.conf is 4
```
Kubernetes multi-environment configuration (including Secret and ConfigMap)
```bash
# 1) Install kubectl (example)
curl -LO https://dl.k8s.io/release/v1.27.4/bin/linux/amd64/kubectl
sudo install -m 0755 kubectl /usr/local/bin/kubectl
# 2) Create the ConfigMap (non-sensitive settings) and the Secret (credentials)
kubectl create ns prod
kubectl -n prod create configmap app-config \
  --from-literal=LOG_LEVEL=INFO \
  --from-literal=DB_HOST=10.0.20.10
kubectl -n prod create secret generic db-secret \
  --from-literal=DB_USER=app \
  --from-literal=DB_PASS='S3cret!'
# 3) Referencing them (Deployment fragment)
cat > deploy.yaml <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: prod
spec:
  replicas: 2
  selector:
    matchLabels: {app: app}
  template:
    metadata:
      labels: {app: app}
    spec:
      containers:
        - name: app
          image: nginx:1.25
          envFrom:
            - configMapRef: {name: app-config}
            - secretRef: {name: db-secret}
EOF
kubectl apply -f deploy.yaml
```
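The split above (settings in a ConfigMap, credentials in a Secret) is done by hand, and in practice the mistake that matters is a password landing in the ConfigMap, where it is readable by anyone with `get configmaps` in the namespace. The following added example, not part of the chapter, shows one way to make that split mechanical: a heuristic classifier that looks both at the key name and at the value shape (a password embedded in a connection-string URL has an innocent-looking key), a function that partitions a flat set of variables into ConfigMap data and Secret data and emits the matching `kubectl create` commands with shell-quoted values, and an audit helper for an existing ConfigMap. The patterns and the `DATABASE_URL` sample are constructed for the example; the heuristic treats the username as non-sensitive, which differs from the chapter's choice of putting `DB_USER` in the Secret, so adjust the patterns to your own policy.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Hypothetical heuristics for this example: key names and value shapes that
# indicate credential material. Adjust them to your own naming conventions.
SECRET_KEY_PATTERN = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)
SECRET_VALUE_PATTERN = re.compile(
    r"://[^/\s:@]+:[^@\s]+@"               # scheme://user:password@host inside a URL
    r"|(?i:password)=[^;\s]+"               # password=... inside a connection string
    r"|-----BEGIN [A-Z ]*PRIVATE KEY-----"  # PEM private key pasted as a value
)


def classify(key: str, value: str) -> str:
    """Return 'secret' when the key name or the value shape indicates credential material."""
    if SECRET_KEY_PATTERN.search(key) or SECRET_VALUE_PATTERN.search(value):
        return "secret"
    return "configmap"


def split_env(env: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Partition flat environment variables into ConfigMap data and Secret data."""
    configmap: Dict[str, str] = {}
    secret: Dict[str, str] = {}
    for key, value in env.items():
        (secret if classify(key, value) == "secret" else configmap)[key] = value
    return configmap, secret


def audit_configmap(data: Dict[str, str]) -> List[str]:
    """Keys in an existing ConfigMap's data that should have been placed in a Secret."""
    return [k for k, v in data.items() if classify(k, v) == "secret"]


def kubectl_commands(namespace: str, configmap_name: str, secret_name: str,
                     env: Dict[str, str]) -> List[str]:
    """Build the kubectl create commands for both objects, shell-quoting every value."""
    configmap, secret = split_env(env)
    commands: List[str] = []
    if configmap:
        literals = " ".join(f"--from-literal={k}={shlex.quote(v)}" for k, v in configmap.items())
        commands.append(f"kubectl -n {namespace} create configmap {configmap_name} {literals}")
    if secret:
        literals = " ".join(f"--from-literal={k}={shlex.quote(v)}" for k, v in secret.items())
        commands.append(f"kubectl -n {namespace} create secret generic {secret_name} {literals}")
    return commands


# Constructed sample: the chapter's values plus a connection string whose key name
# looks harmless but whose value embeds a password.
SAMPLE_ENV = {
    "LOG_LEVEL": "INFO",
    "DB_HOST": "10.0.20.10",
    "DB_USER": "app",
    "DB_PASS": "S3cret!",
    "DATABASE_URL": "postgres://app:hunter2@10.0.20.10/app",
}

if __name__ == "__main__":
    for cmd in kubectl_commands("prod", "app-config", "db-secret", SAMPLE_ENV):
        print(cmd)
    print("misplaced in ConfigMap:", audit_configmap({"LOG_LEVEL": "INFO", "DB_PASS": "S3cret!"}))
```

Two caveats belong with this: `--from-literal` values end up in shell history on the operator's machine, so for real credentials generate the Secret from a file or from a secret manager instead of pasting them; and a Kubernetes Secret is only base64-encoded, so the split is only as strong as the RBAC on `get secrets` and the encryption-at-rest setting of the cluster.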
Configuration drift detection (example)
```bash
# Ansible: detect drift without changing anything (check mode + diff).
# The template task prints a unified diff for every host whose live
# /etc/nginx/nginx.conf differs from the freshly rendered one; nothing is written.
ansible-playbook -i inventory/prod.ini deploy.yml --check --diff
# Optionally capture the full running configuration from each host for inspection.
# Note: nginx -T dumps every included file and is prefixed with the Ansible host
# header, so it cannot be diffed directly against a single source file.
ansible -i inventory/prod.ini web -m command -a "nginx -T" > /tmp/live.conf
# Kubernetes: compare the live object with the manifest
# (exit status 1 means differences were found, 0 means no drift)
kubectl -n prod diff -f deploy.yaml
```
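The capture of `nginx -T` through Ansible is useful when you want to check hosts that were never managed by the playbook, but the raw output needs processing before it can be compared with the desired configuration: it carries an Ansible host header per host, it dumps every included file, and whitespace and comments differ from the rendered template. The following added example, not part of the chapter, does that processing offline: it splits the ad-hoc output per host (the `host | CHANGED | rc=0 >>` header format is an assumption about Ansible's default callback), extracts one file from the `nginx -T` dump using the `# configuration file <path>:` markers nginx prints, normalizes both sides to directive level, and reports per-host drift with `difflib`. The sample output with two hosts is constructed; one host matches the desired state and the other has a hand-edited `worker_processes`.

```python
import difflib
import re
from typing import Dict, List

# Assumed shape of Ansible's ad-hoc output for the command module:
# "10.0.10.11 | CHANGED | rc=0 >>" followed by the command's stdout.
HOST_HEADER = re.compile(r"^(\S+) \| (\w+) \| rc=(\d+) >>$")


def split_ansible_output(text: str) -> Dict[str, str]:
    """Map each host in ad-hoc Ansible output to the stdout captured for it."""
    hosts: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        match = HOST_HEADER.match(line)
        if match:
            current = match.group(1)
            hosts[current] = []
        elif current is not None:
            hosts[current].append(line)
    return {host: "\n".join(lines) for host, lines in hosts.items()}


def extract_file(dump: str, path: str) -> str:
    """Pull one file's body out of an `nginx -T` dump, which prefixes every
    included file with a '# configuration file <path>:' marker line."""
    lines = dump.splitlines()
    marker = f"# configuration file {path}:"
    if marker not in lines:
        raise KeyError(f"{path} not present in dump")
    body: List[str] = []
    for line in lines[lines.index(marker) + 1:]:
        if line.startswith("# configuration file "):
            break
        body.append(line)
    return "\n".join(body)


def normalize_nginx(text: str) -> List[str]:
    """Canonicalize nginx config text to directive level: drop comments and blank
    lines, collapse whitespace, and remove spacing around braces and semicolons."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        line = re.sub(r"\s+", " ", line)
        line = re.sub(r"\s*([{};])\s*", r"\1", line)
        out.append(line)
    return out


def drift(desired: str, live: str) -> List[str]:
    """Changed directives only ('-' = expected but missing, '+' = present but unexpected)."""
    diff = difflib.unified_diff(normalize_nginx(desired), normalize_nginx(live),
                                "desired", "live", lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def report_drift(desired: str, ansible_output: str,
                 path: str = "/etc/nginx/nginx.conf") -> Dict[str, List[str]]:
    """Per-host drift of one file against the rendered desired configuration."""
    return {host: drift(desired, extract_file(dump, path))
            for host, dump in split_ansible_output(ansible_output).items()}


# Constructed sample data: the rendered prod-bj configuration and an `nginx -T`
# capture from two hosts, the second of which was edited by hand.
DESIRED_CONF = "user nginx;\nworker_processes 4;\nevents { worker_connections 1024; }\n"
SAMPLE_ANSIBLE_OUTPUT = """10.0.10.11 | CHANGED | rc=0 >>
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes 4;
events { worker_connections 1024; }
# configuration file /etc/nginx/mime.types:
types { }
10.0.10.12 | CHANGED | rc=0 >>
# configuration file /etc/nginx/nginx.conf:
user  nginx;
worker_processes  2;   # hand-edited on the box
events { worker_connections 1024; }
"""

if __name__ == "__main__":
    for host, changes in report_drift(DESIRED_CONF, SAMPLE_ANSIBLE_OUTPUT).items():
        print(host, "OK" if not changes else changes)
```

Because the comparison is done at directive level, a reformatted file is not reported as drift, while an edited value is; the second host's change is exactly the kind of unmanaged edit that the deployment would silently overwrite on the next run, which is why it should be surfaced and explained before the playbook is executed again.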
Common issues and troubleshooting
```bash
# 1) An Ansible variable does not take effect: check the load order with verbose output
ansible-playbook -i inventory/prod.ini deploy.yml -vv
# 2) Nginx reload failed: check the syntax
nginx -t
# 3) A K8s Secret is not loaded: inspect the container's environment variables
kubectl -n prod exec deploy/app -- env | grep DB_
```
Exercises
- Change worker_processes to 8 so that it takes effect only in the prod-bj cluster, then deploy and verify.
- Add envs/test.yml for the test environment, change listen_port to 8080, and deploy.
- Use kubectl diff to verify a configuration change, then run apply to make it effective.