
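Helm is the package manager for Kubernetes. A well-designed chart makes deployments repeatable, configurable, and rollback-capable across environments.

Chart structure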
my-service/
├── Chart.yaml
├── values.yaml              # defaults
├── values-staging.yaml
├── values-production.yaml
└── templates/
    ├── _helpers.tpl
    ├── deployment.yaml
    ├── service.yaml
    ├── ingress.yaml
    ├── hpa.yaml
    └── NOTES.txt

Production deployment template

# templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "my-service.fullname" . }}
  labels:
    {{- include "my-service.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      {{- include "my-service.selectorLabels" . | nindent 6 }}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0 # zero-downtime deployment
  template:
    metadata:
      labels:
        {{- include "my-service.selectorLabels" . | nindent 8 }}
      annotations:
        # Force a restart when the config changes. The checksum must sit on the
        # pod template: only a change to the pod template triggers a rollout.
        # Requires templates/configmap.yaml to exist in the chart.
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          livenessProbe:
            httpGet:
              path: /health/live
              port: {{ .Values.service.targetPort }}
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health/ready
              port: {{ .Values.service.targetPort }}
            initialDelaySeconds: 10
            periodSeconds: 5
          lifecycle:
            preStop:
              exec:
                command: ["/bin/sh", "-c", "sleep 10"] # drain connections
      terminationGracePeriodSeconds: 60
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              {{- include "my-service.selectorLabels" . | nindent 14 }}

Values management

# values.yaml (defaults)
image:
  repository: registry.company.com/my-service
  pullPolicy: IfNotPresent
replicaCount: 2
resources:
  requests: {cpu: 100m, memory: 256Mi}
  limits: {cpu: 500m, memory: 512Mi}
autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
---
# values-production.yaml
replicaCount: 4
resources:
  requests: {cpu: 500m, memory: 512Mi}
  limits: {cpu: 2000m, memory: 2Gi}
autoscaling:
  enabled: true
  minReplicas: 4
  maxReplicas: 20

GitOps with ArgoCD

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-service-production
  namespace: argocd
spec:
  project: production
  source:
    repoURL: https://github.com/company/k8s-configs
    targetRevision: main # with automated sync, every commit on main is applied to production
    path: services/my-service
    helm:
      valueFiles:
        - values.yaml
        - values-production.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true    # delete resources that were removed from Git
      selfHeal: true # revert manual changes
    syncOptions:
      - CreateNamespace=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m

Multi-chart orchestration with Helmfile

# helmfile.yaml
environments:
  staging:
    values: [environments/staging.yaml]
  production:
    values: [environments/production.yaml]
releases:
  - name: my-service
    chart: ./charts/my-service
    values:
      - values/{{ .Environment.Name }}.yaml
  - name: postgresql
    chart: bitnami/postgresql
    version: "12.5.x"
    installed: {{ eq .Environment.Name "staging" }} # install only in the staging environment

Helm charts are infrastructure as code. Document values.yaml thoroughly, and test with helm lint and helm template.
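
An added example, not part of the original article or of any chart's own tooling: a shell function that reads `helm template` output and checks it for what the deployment template above is meant to guarantee (a non-empty, non-`latest` image tag, both probes, resource limits, the config checksum). The names `check_rendered` and `sample_empty_tag`, the sample manifest and port 8080 are constructed for illustration, and the check assumes one Deployment per rendered stream.

```shell
# Usage in CI (real Helm commands; chart path and values file as on this page):
#   helm lint ./my-service -f values-production.yaml
#   helm template my-service ./my-service -f values-production.yaml | check_rendered
check_rendered() {
  awk '
    function report(msg) { print "FINDING: " msg; bad++ }
    /^kind:[ \t]*Deployment/   { deploy = 1 }
    /^[ \t]*livenessProbe:/    { live = 1 }
    /^[ \t]*readinessProbe:/   { ready = 1 }
    /^[ \t]*limits:/           { limits = 1 }
    /^[ \t]*checksum\/config:/ { sum = 1 }
    /^[ \t]*(- )?image:/ {
      ref = $0
      sub(/^[ \t]*(- )?image:[ \t]*/, "", ref)  # drop the key
      gsub(/"/, "", ref)                         # drop quotes
      n = split(ref, seg, "/"); last = seg[n]    # a tag can only follow the last "/"
      if (ref ~ /@sha256:/)       next           # digest-pinned reference is immutable
      if (last !~ /:/)            report("image has no tag: " ref)
      else if (last ~ /:$/)       report("image tag rendered empty: " ref)
      else if (last ~ /:latest$/) report("image uses mutable tag: " ref)
    }
    END {
      if (deploy && !live)   report("Deployment has no livenessProbe")
      if (deploy && !ready)  report("Deployment has no readinessProbe")
      if (deploy && !limits) report("Deployment has no resource limits")
      if (deploy && !sum)    report("Deployment has no checksum/config annotation")
      exit (bad > 0)
    }'
}
# Constructed sample: what the image line of the template renders to when
# neither .Values.image.tag nor appVersion in Chart.yaml is set.
sample_empty_tag() {
  cat <<'EOF'
kind: Deployment
spec:
  template:
    metadata:
      annotations:
        checksum/config: 0000placeholder
    spec:
      containers:
        - name: my-service
          image: "registry.company.com/my-service:"
          resources:
            limits: {cpu: 500m, memory: 512Mi}
          livenessProbe: {httpGet: {path: /health/live, port: 8080}}
          readinessProbe: {httpGet: {path: /health/ready, port: 8080}}
EOF
}
```

`sample_empty_tag | check_rendered` prints one finding and returns non-zero, so the empty-tag case fails the pipeline before anything is applied to a cluster.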