[Kubernetes (K8S) Helm] Helm install JumpServer as a bastion on Kubernetes (K8S)

Posted on 2022-04-02 Edited on 2024-09-12 In Cloud Native , Kubernetes (K8S) , Helm Views: Word count in article: 7.9k Reading time ≈ 7 mins.

JumpServer

JumpServer is a Privileged Access Management (PAM) Complying with 4A Protocol of Operation and Security Auditing. JumpServer provides features include authentication, authorization, accounting and auditing.

This article is about how to use Helm to install JumpServer on Kubernetes (K8S).

Prerequisites

Kubernetes (K8S)
Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications.

For more information about installing and using Kubernetes (K8s), see the Kubernetes (K8s) Docs.
StorageClass

A StorageClass provides a way for administrators to describe the “classes” of storage they offer. Different classes might map to quality-of-service levels, or to backup policies, or to arbitrary policies determined by the cluster administrators. Kubernetes itself is unopinionated about what classes represent. This concept is sometimes called “profiles” in other storage systems.

Storage Classes | Kubernetes - https://kubernetes.io/docs/concepts/storage/storage-classes/
Helm
Helm is the best way to find, share, and use software built for Kubernetes.
1
2
# Mac OS X
$ brew install helm
For more information about installing and using Helm, see the Helm Docs.

Installation

First, install MySQL databa to persistent data, and Redis to cache data.

Install MySQL

values.yaml

Edit mysql/values.yaml and replace content within {{ }}.

# mysql/values.yaml


# charts/values.yaml at master · bitnami/charts
# https://github.com/bitnami/charts/blob/master/bitnami/mysql/values.yaml

## MySQL Authentication parameters
##
auth:
  ## @param auth.rootPassword Password for the `root` user. Ignored if existing secret is provided
  ## ref: https://github.com/bitnami/bitnami-docker-mysql#setting-the-root-password-on-first-run
  ##
  rootPassword: "{{ .Values.mysql.rootPassword }}"

Install release

Helm install Reids into bitnami-mysql namespace.

# crate namespace:
$ kubectl create namespace bitnami-mysql

# Add the Bitnami Helm repository:
$ helm repo add bitnami https://charts.bitnami.com/bitnami

# Update your local Helm chart repository cache:
$ helm repo update

# To install Helm chart:
$ helm install bitnami-mysql bitnami/mysql -n bitnami-mysql -f values.yaml

See pods about MySQL.

1
2
3

$ kubectl get pods -n bitnami-mysql
NAME      READY   STATUS    RESTARTS   AGE
mysql-0   1/1     Running   0          40h

Create JumpServer database

Remember to replace <Your JumpServer Database Password> within your password.

# Enter into bitnami-mysql container
$ kubectl exec -i -t -n bitnami-mysql mysql-0 -c mysql -- sh -c "clear; (bash || ash || sh)"

# Enter into MySQL shell
$ mysql -u root -p

create database jumpserver default character set utf8 collate utf8_general_ci;

create user 'jumpserver'@'localhost' identified by '<Your JumpServer Database Password>';

create user 'jumpserver'@'%' identified by '<Your JumpServer Database Password>';

grant all privileges on 'jumpserver'.* to 'jumpserver'@'%' identified by '<Your JumpServer Database Password>';

Install Redis

values.yaml

Edit redis/values.yaml and replace content within {{ }}.

# redis/values.yaml

# charts/values.yaml at master · bitnami/charts
# https://github.com/bitnami/charts/blob/master/bitnami/redis/values.yaml

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
## @param global.redis.password Global Redis&trade; password (overrides `auth.password`)
##
global:

  redis:
    password: "{{ .Values.redis.password }}"

Install release

Helm install Reids into bitnami-redis-jumpserver namespace.

# crate namespace:
$ kubectl create namespace bitnami-redis-jumpserver

# Add the Bitnami Helm repository:
$ helm repo add bitnami https://charts.bitnami.com/bitnami

# Update your local Helm chart repository cache:
$ helm repo update

# To install Helm chart:
$ helm install bitnami-redis-jumpserver bitnami/redis -n bitnami-redis-jumpserver -f values.yaml

See pods about Redis.

$ kubectl get pods -n bitnami-redis-jumpserver
NAME                                  READY   STATUS    RESTARTS      AGE
bitnami-redis-jumpserver-master-0     1/1     Running   0             22h
bitnami-redis-jumpserver-replicas-0   1/1     Running   0             22h
bitnami-redis-jumpserver-replicas-1   1/1     Running   4 (22h ago)   23h
bitnami-redis-jumpserver-replicas-2   1/1     Running   4 (22h ago)   23h

Install JumpServer

values.yaml

Edit jumpserver/values.yaml and replace content within {{ }}.

# jumpserver/values.yaml


# helm-charts/values.yaml at main · jumpserver/helm-charts
# https://github.com/jumpserver/helm-charts/blob/main/charts/jumpserver/values.yaml

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
## @param global.redis.password Global Redis&trade; password (overrides `auth.password`)
##
global:
  storageClass: "{{ .Values.global.storageClass }}"

## If the MySQL database included in the chart is disabled, JumpServer will
## use below parameters to connect to an external MySQL server.
##
externalDatabase:
  engine: mysql
  host: mysql.bitnami-mysql
  port: 3306
  user: jumpserver
  password: "{{ .Values.externalDatabase.password }}"
  database: jumpserver

## If the Redis database included in the chart is disabled, JumpServer will
## use below parameters to connect to an external Redis server.
##
externalRedis:
  host: redis-master.bitnami-redis-jumpserver
  port: 6379
  password: "{{ .Values.externalRedis. }}"

ingress:

  hosts:
    - "{{ .Values.ingress.host }}"

  tls:
    - secretName: "{{ .Values.ingress.tls }}"
core:

  config:
    # Generate a new random secret key by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
    secretKey: "{{ .Values.core.config.secretKey }}"
    # Generate a new random bootstrap token by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
    bootstrapToken: "{{ .Values.core.config.bootstrapToken }}"

koko:

  persistence:
    storageClassName: "{{ .Values.externalRedis. }}"

lion:

  persistence:
    storageClassName: "{{ .Values.externalRedis. }}"

Install Release

Helm install jumpserver into jumpserver namespace.

# crate namespace:
$ kubectl create namespace jumpserver

# Add the JumpServer Helm repository:
$ helm repo add jumpserver https://jumpserver.github.io/helm-charts

# Update your local Helm chart repository cache:
$ helm repo update

# To install Helm chart:
$ helm install jumpserver jumpserver/jumpserver -n jumpserver -f values.yaml

See pods about jumpserver.

$ kubectl get pods -n jumpserver
NAME                                    READY   STATUS    RESTARTS   AGE
jumpserver-jms-celery-776df64f9-4t5rt   1/1     Running   0          18h
jumpserver-jms-core-7f7fdbc5b-q52jd     1/1     Running   0          18h
jumpserver-jms-koko-5d66f96bcc-wrfqh    1/1     Running   0          18h
jumpserver-jms-lion-7c7c4fd5b4-9zgsl    1/1     Running   0          18h
jumpserver-jms-web-5d9d95db88-7hpvr     1/1     Running   0          18h

Uninstall Release

Destroy release created by Helm.

$ helm uninstall jumpserver -n jumpserver

$ helm uninstall bitnami-mysql -n bitnami-mysql

$ helm uninstall bitnami-redis-jumpserver -n bitnami-redis-jumpserver

FAQS

unbound immediate PersistentVolumeClaims for `koko` and `lion` pods.

Remember to set koko and lion storageClassName within values.yaml.

+ koko:
+ 
+   persistence:
+     storageClassName: "{{ .Values.externalRedis. }}"
+ 
+ lion:
+ 
+   persistence:
+     storageClassName: "{{ .Values.externalRedis. }}"