01-在k8s集群上安装jenkins

1. jenkins-service-account.yml

# In GKE need to get RBAC permissions first with
# kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>|--group=<group-name>]

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins

2. jenkins.yaml

apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: jenkins
  labels:
    name: jenkins
spec:
  serviceName: jenkins
  replicas: 1
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      name: jenkins
      labels:
        name: jenkins
    spec:
      terminationGracePeriodSeconds: 10
      serviceAccountName: jenkins
      imagePullSecrets:
        - name: registry-pull-secret
      containers:
        - name: jenkins
          image: reg.cecii.cn/test/jenkins:lts-alpine
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
            - containerPort: 50000
          resources:
            limits:
              cpu: 1
              memory: 1Gi
            requests:
              cpu: 0.5
              memory: 500Mi
          env:
            - name: LIMITS_MEMORY
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: 1Mi
            - name: JAVA_OPTS
              # value: -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=1 -XshowSettings:vm -Dhudson.slaves.NodeProvisioner.initialDelay=0 -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
              value: -Xmx$(LIMITS_MEMORY)m -XshowSettings:vm -Dhudson.slaves.NodeProvisioner.initialDelay=0 -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
          livenessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
      #securityContext:
      #  fsGroup: 1000

---
apiVersion: v1
kind: Service
metadata:
  name: jenkins
  annotations:
    # ensure the client ip is propagated to avoid the invalid crumb issue (k8s <1.7)
    # service.beta.kubernetes.io/external-traffic: OnlyLocal
spec:
  #type: LoadBalancer
  type: NodePort
  selector:
    name: jenkins
  # k8s 1.7+
  # externalTrafficPolicy: Local
  ports:
    -
      name: http
      port: 80
      targetPort: 8080
      protocol: TCP
      nodePort: 30001
    -
      name: agent
      port: 50000
      protocol: TCP

3. registry-pull-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
  namespace: default
data:
  .dockerconfigjson: sdfsdfsdfsdgewoJCSJyZWcuY2VjaWasdasda7CgkJCSasdaXRoasdasRxZFc0NlNIVmhibWRxZFc0eE1qTT0iCgkJfQoJfSwKCSJIdHRwSasda6IHsKCQkiasdBZ2VudCI6ICJEasdsaZW50LzE4LjA5LjasdaIKCX0KfQ==
type: kubernetes.io/dockerconfigjson

• 该授权文件为拉取私有镜像仓库文件
• 按照命名空间隔离，不同的命名空间都需授权
• dockerconfigjson获取方式：在你已登录过私有镜像仓库的机器上，cat ~/.docker/config.json |base64 -w0
  

4.jenkins:lts-alpine镜像制作

Dockerfile文件如下

FROM jenkins/jenkins:lts-alpine
USER root