CI/CD Continuous Integration on the Kubernetes Platform
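1. Jenkins continuous integration on a k8s cluster
Using Jenkins to update a traditional LNMT project is simple: Jenkins only needs to be deployed on a physical server to deliver continuous version updates of the project.
If the project is deployed on a k8s cluster while Jenkins is still deployed on a physical machine, the update process becomes cumbersome. Roughly: Jenkins first compiles the project into a war package and then runs the war on a physical machine; if it runs successfully, another Jenkins job is called, whose main purpose is to copy the war package and the ROOT directory into the base image; once the image is built it is pushed to the harbor platform, and operations staff then take the image version and perform the upgrade in k8s.
If Jenkins is deployed on just a single physical machine, the whole CI/CD platform can no longer deliver updates once that Jenkins instance goes down, which is a serious consequence. If Jenkins is deployed on the k8s platform, the k8s pod self-healing feature means a Jenkins outage will almost never happen.
Once Jenkins is deployed in the k8s environment, setting up RBAC authorization lets Jenkins roll out updates to the k8s environment in one click, without the cumbersome steps of the physical-machine setup.
The update flow once Jenkins is integrated with kubernetes:
1) Jenkins pulls the code committed by developers from gitlab
2) Jenkins calls maven to compile the project
3) Jenkins calls docker to build an image from the prepared dockerfile
4) The image is pushed to the harbor registry
5) Jenkins calls k8s to deploy the image in the k8s environment
2. Deploying Jenkins on the k8s cluster
Deployment approach:
1. Because Jenkins has to update projects in every namespace, RBAC authorization is required: prepare a ServiceAccount and bind it directly to the cluster-admin cluster role, so that Jenkins has permission to operate on the projects in all namespaces.
2. Jenkins is deployed with a StatefulSet controller, together with a StorageClass that dynamically provisions persistent storage for the Jenkins data.
3. Prepare an svc resource to expose Jenkins ports 8080 and 50000.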
2.1. Write the Jenkins namespace file
```
[root@k8s-master1 jenkins]# cat jenkins-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: jenkins
```
2.2. Write the Jenkins RBAC authorization file
Create a ServiceAccount named jenkins and bind it directly to the cluster-admin cluster role.
```
[root@k8s-master1 jenkins]# cat jenkins-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: jenkins
---
# v1 is the stable RBAC API; v1beta1 was removed in Kubernetes 1.22
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin grants full control over every resource in every namespace
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: jenkins
```
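As a narrower alternative to the cluster-admin binding above, this added example (not from the original article) gives the same jenkins ServiceAccount only deployment-related permissions in one target namespace, so a compromised Jenkins job cannot read secrets or change RBAC cluster-wide. The namespace `demo-app`, the names `jenkins-deployer` and `jenkins-deployer-rb`, and the resource list are assumptions to adapt to what the pipeline actually deploys.

```yaml
# Added example, not from the original article.
# ClusterRole used as a reusable permission template; it grants nothing
# until a RoleBinding references it in a specific namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-deployer            # hypothetical name
rules:
# Workloads the pipeline rolls out (assumed: Deployments and StatefulSets)
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
# Services and ConfigMaps that ship with the application (assumed)
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
# Read-only access to pods and their logs, to check rollout results
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: secrets, RBAC objects, nodes, and the delete verb
---
# One RoleBinding per namespace Jenkins deploys into; repeat for each target.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-deployer-rb         # hypothetical name
  namespace: demo-app               # hypothetical target namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins-deployer
subjects:
- kind: ServiceAccount
  name: jenkins                     # the ServiceAccount from jenkins-rbac.yaml
  namespace: jenkins
```

Running `kubectl auth can-i --list --as=system:serviceaccount:jenkins:jenkins -n demo-app` shows the permissions this binding actually yields.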
2.3. Write the Jenkins StatefulSet resource file
Jenkins also produces data, so it is deployed as a stateful service with a StatefulSet, together with a StorageClass that dynamically creates the storage.
```
[root@k8s-master1 jenkins]# cat jenkins-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: jenkins-master
  namespace: jenkins
spec:
  replicas: 1
  serviceName: jenkins
  selector:
    matchLabels:
      app: jenkins-master
  template:
    metadata:
      labels:
        app: jenkins-master
    spec:
      serviceAccountName: jenkins
      initContainers:
      # Hands the data volume to UID/GID 1000 before Jenkins starts
      - name: jenkins-chown
        image: harbor.jiangxl.com/jenkins/busybox:1.30
        command: ["sh","-c","chown -R 1000:1000 /var/jenkins_home"]
        securityContext:
          # privileged: full access to host devices and capabilities, used here only for the chown
          privileged: true
        volumeMounts:
        - name: jenkins-data
          mountPath: /var/jenkins_home
      containers:
      - name: jenkins-master
        image: harbor.jiangxl.com/jenkins/jenkinsci-blueocean:1.24.6
        env:
        - name: JAVA_OPTS
          # An empty DirectoryBrowserSupport.CSP value turns off the Content-Security-Policy
          # header Jenkins sets on the files it serves
          value: "-Xms4096m -Xmx5120m -Duser.timezone=Asia/Shanghai -Dhudson.model.DirectoryBrowserSupport.CSP="
        ports:
        - name: http
          containerPort: 8080
        - name: slave
          containerPort: 50000
        volumeMounts:
        - name: jenkins-data
          mountPath: /var/jenkins_home
  volumeClaimTemplates:
  - metadata:
      name: jenkins-data
    spec:
      storageClassName: jenkins-storageclass
      accessModes:
      - ReadWriteMany
      resources:
        requests:
          storage: 10Gi
```
2.4. Write the Jenkins StorageClass resource file
```
[root@k8s-master1 jenkins]# cat jenkins-storageclass.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: jenkins-storageclass
provisioner: nfs-storage-01
reclaimPolicy: Retain
```
2.5. Write the Jenkins svc resource file
```
[root@k8s-master1 jenkins]# cat jenkins-svc.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: jenkins-master
  name: jenkins-svc
  namespace: jenkins
spec:
  # Both nodePort values are outside the default 30000-32767 range, so the
  # API server must run with a widened --service-node-port-range
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    nodePort: 38080
  - name: slave
    port: 50000
    targetPort: 50000
    nodePort: 50000
  selector:
    app: jenkins-master
  type: NodePort
```
2.6. Prepare the Jenkins image and push it to harbor
```
[root@k8s-master1 jenkins]# docker pull jenkinsci/blueocean:1.24.6
[root@k8s-master1 jenkins]# docker tag jenkinsci/blueocean:1.24.6 harbor.jiangxl.com/jenkins/jenkinsci-blueocean:1.24.6
[root@k8s-master1 jenkins]# docker push harbor.jiangxl.com/jenkins/jenkinsci-blueocean:1.24.6
```
2.7. Create all resources and check their status
1. Create all resources
```
[root@k8s-master1 jenkins]# kubectl apply -f ./
namespace/jenkins created
serviceaccount/jenkins created
clusterrolebinding.rbac.authorization.k8s.io/jenkins-crb created
statefulset.apps/jenkins-master created
storageclass.storage.k8s.io/jenkins-storageclass created
service/jenkins-svc created
```
2. Check the resource status
```
[root@k8s-master1 jenkins]# kubectl get pod,statefulset,svc,storageclass,sa -n jenkins
NAME                   READY   STATUS    RESTARTS   AGE
pod/jenkins-master-0   1/1     Running   0          31m

NAME                              READY   AGE
statefulset.apps/jenkins-master   1/1     31m

NAME                  TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)                          AGE
service/jenkins-svc   NodePort   10.101.2.5   <none>        8080:38080/TCP,50000:50000/TCP   31m

NAME                                               PROVISIONER      RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
storageclass.storage.k8s.io/jenkins-storageclass   nfs-storage-01   Retain          Immediate           false                  31m

NAME                     SECRETS   AGE
serviceaccount/jenkins   1         31m
```
3. Check the PVC; it has been created dynamically
```
[root@k8s-master1 jenkins]# kubectl get pvc -n jenkins
NAME                            STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS           AGE
jenkins-data-jenkins-master-0   Bound    pvc-3f49831b-7faa-456e-9a2f-65b6085933de   10Gi       RWX            jenkins-storageclass   32m
```
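2.8. Install Jenkins from the web page
Access the IP of any cluster node on port 38080.
If you see the page below, Jenkins is still starting. Once the log output looks like the figure below, refresh Jenkins to enter the system, and copy the password from the log to unlock J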