在k8s集群上安装jenkins
1. jenkins-service-account.yml
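# On GKE the operator applying these manifests must first be allowed to create
# RBAC objects, for example with:
#   kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>|--group=<group-name>]
# That binding gives cluster-admin to the human user or group named in it, not
# to the jenkins ServiceAccount below. Remove it again after setup if the
# account does not otherwise need cluster-wide admin rights.
---
# Identity the Jenkins pod runs as (serviceAccountName: jenkins in the
# StatefulSet). Its permissions come from the Role and RoleBinding of the
# same name.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins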
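---
# Namespaced permissions for the jenkins ServiceAccount. No metadata.namespace
# is set, so the Role lands in whatever namespace the manifest is applied to,
# and every rule below covers ALL pods and secrets in that namespace. Keep
# unrelated workloads out of it.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# served version.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins
rules:
  # Create, inspect, modify and delete pods.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # Run commands inside pods. This is not limited to pods Jenkins created:
  # it applies to any pod in the namespace.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # Read pod logs.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  # Read a Secret by name. Without resourceNames this means every Secret in
  # the namespace; list the specific names here if Jenkins only needs a few.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]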
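---
# Grants the jenkins Role to the jenkins ServiceAccount.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# served version.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
  # NOTE(review): the subject has no namespace; confirm it resolves to the
  # namespace this binding is applied in, or set it explicitly.
  - kind: ServiceAccount
    name: jenkins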
2. jenkins.yaml
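# Runs one Jenkins pod under the jenkins ServiceAccount.
# apps/v1beta1 was removed in Kubernetes 1.16. apps/v1 additionally requires
# spec.selector, which must match the pod template labels.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: jenkins
  labels:
    name: jenkins
spec:
  serviceName: jenkins
  replicas: 1
  selector:
    matchLabels:
      name: jenkins
  updateStrategy:
    type: RollingUpdate
  # NOTE(review): no volumeMounts or volumeClaimTemplates are defined, so
  # Jenkins state is kept in the container filesystem and does not survive a
  # pod restart. Confirm this is intended.
  template:
    metadata:
      name: jenkins
      labels:
        name: jenkins
    spec:
      terminationGracePeriodSeconds: 10
      serviceAccountName: jenkins
      # The pull secret must exist in the same namespace as this pod.
      imagePullSecrets:
        - name: registry-pull-secret
      containers:
        - name: jenkins
          # Mutable tag pulled on every start: the code that runs changes
          # whenever the tag is re-pushed. Pin to an image digest if the
          # deployment has to be reproducible.
          image: reg.cecii.cn/test/jenkins:lts-alpine
          imagePullPolicy: Always
          ports:
            # 8080 is exposed as "http" and 50000 as "agent" by the Service.
            - containerPort: 8080
            - containerPort: 50000
          resources:
            limits:
              cpu: 1
              memory: 1Gi
            requests:
              cpu: 0.5
              memory: 500Mi
          env:
            # Container memory limit expressed in MiB, consumed by JAVA_OPTS.
            - name: LIMITS_MEMORY
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: 1Mi
            # -Xmx is set to the whole container memory limit, which leaves
            # no headroom for non-heap JVM memory.
            # NOTE(review): consider a heap size below the limit.
            # Alternative kept from the original:
            # value: -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=1 -XshowSettings:vm -Dhudson.slaves.NodeProvisioner.initialDelay=0 -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
            - name: JAVA_OPTS
              value: >-
                -Xmx$(LIMITS_MEMORY)m
                -XshowSettings:vm
                -Dhudson.slaves.NodeProvisioner.initialDelay=0
                -Dhudson.slaves.NodeProvisioner.MARGIN=50
                -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
          livenessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
      # NOTE(review): with no securityContext the container runs as whatever
      # user the image defines. Confirm that user is not root, and consider
      # runAsNonRoot alongside the fsGroup below.
      # securityContext:
      #   fsGroup: 1000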
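---
# Exposes the Jenkins pod. With type NodePort every port listed under
# spec.ports is opened on every node: "http" on the fixed port 30001 and
# "agent" on a port the cluster assigns, since it sets no nodePort.
# Both are plain TCP/HTTP with no TLS at this layer. Restrict who can reach
# the nodes on these ports, and terminate TLS in front of the UI.
apiVersion: v1
kind: Service
metadata:
  name: jenkins
  # ensure the client ip is propagated to avoid the invalid crumb issue (k8s <1.7)
  # by adding this entry under annotations:
  #   service.beta.kubernetes.io/external-traffic: OnlyLocal
  annotations: {}
spec:
  # type: LoadBalancer
  type: NodePort
  selector:
    name: jenkins
  # k8s 1.7+
  # externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
      nodePort: 30001
    # NOTE(review): if agents only connect from inside the cluster, this port
    # does not need a node port; a separate ClusterIP Service would keep it
    # internal.
    - name: agent
      port: 50000
      protocol: TCP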
3. registry-pull-secret.yaml
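# Registry credentials used by imagePullSecrets in the StatefulSet.
# The data value is base64-ENCODED, not encrypted: anyone who can read this
# manifest can recover the registry login. Treat the value below as
# illustrative, generate your own, and keep the real manifest out of version
# control. `kubectl create secret docker-registry` creates the object without
# writing a file.
# The Secret must live in the same namespace as the pods that reference it.
apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
  namespace: default
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: sdfsdfsdfsdgewoJCSJyZWcuY2VjaWasdasda7CgkJCSasdaXRoasdasRxZFc0NlNIVmhibWRxZFc0eE1qTT0iCgkJfQoJfSwKCSJIdHRwSasda6IHsKCQkiasdBZ2VudCI6ICJEasdsaZW50LzE4LjA5LjasdaIKCX0KfQ==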
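- 该 Secret 保存私有镜像仓库的登录凭据,供 Pod 通过 imagePullSecrets 拉取私有镜像时使用
- Secret 按命名空间隔离,每个需要拉取该仓库镜像的命名空间都要单独创建一份
- dockerconfigjson获取方式:在你已登录过私有镜像仓库的机器上,执行 cat ~/.docker/config.json |base64 -w0。注意 config.json 会包含这台机器登录过的所有仓库的凭据,而 base64 只是编码并非加密;生成前应只保留所需仓库的条目,生成的内容不要提交到代码库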
4.jenkins:lts-alpine镜像制作
Dockerfile文件如下
FROM jenkins/jenkins:lts-alpine
USER root