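DevOps practice based on Kubernetes + Docker + Jenkins
Previously, for my own project development, I set up a CI/CD environment. At that time it was a jenkins + docker registry + docker stack running on an already pitifully small server.
See my earlier notes under "Docker learning".
Overall it looked roughly like this: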
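Later, after getting to know kubernetes, I added kubernetes on top of that setup. In practice this only changes one step: where the server used to pull the image and docker run it, the pipeline now notifies the kubernetes apiServer to update the project's pre-configured configuration file xx.yaml with kubectl apply -f xx.yaml. Kubernetes pulls the image named in the configuration and runs it in multiple pods. A corresponding service is of course also needed, and if the application has to be exposed externally you can add an ingress.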
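A small server plus one idle local worker machine obviously could not hold all of this and fell over, so I split out jenkins and docker registry and used public Alibaba Cloud services instead: CodePipeline and Container Registry.
I am recording the setup here.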
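Docker setup
Kubernetes setup
Covered in my earlier notes under "Kubernetes learning".
Using Alibaba Cloud CodePipeline in place of jenkins to create the job
Configuration -> Project name: preferably the name of the demo project on GitHub; bootshiro is used as the example here
Configuration -> Source code management -> Git: the URL is the project's clone URL on GitHub; the branch below defaults to master
Configuration -> Build triggers -> fill in the code branch, e.g. master, then click to generate the trigger address and keep it for later (the GitHub webhook configuration will use it)
Configuration -> Build: the project type can be maven, node, python, etc. (adapt the compile, package and test scripts to your needs)
e.g. maven project. Compile and package: mvn package -B -DskipTests. Test cases: mvn test
Configuration -> Image build and publish: Alibaba Cloud's free docker image registry is used here
The image version number is best tagged with a jenkins environment variable. The registry address, credentials and so on are the address and account of the Alibaba Cloud registry you opened. The docker path is the path of the Dockerfile relative to the current code repository; this Dockerfile is used to build the image.
e.g. the Dockerfile of bootshiro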
# VERSION 1.1.0
# Base image is openjdk:12-alpine
FROM openjdk:12-alpine
# Maintainer signature
MAINTAINER tomsun28 "[email protected]"
RUN rm -rf /opt/running/bootshiro*
ADD ./target/bootshiro.jar /opt/running/bootshiro.jar
EXPOSE 8080
WORKDIR /opt/running/
CMD ["java", "-jar", "bootshiro.jar", "--spring.profiles.active=prod"]
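Configuration -> Deploy to Kubernetes (new): configure the connection to the apiServer of the k8s environment you set up, so that the pipeline can then operate kubernetes through the apiServer
Authentication method: choose certificate authentication
API server address: the address the apiServer is reachable at
Certificates: use docker authorization mode. The client key (key.pem) and client certificate (cert.pem) are in /etc/kubernetes/admin.conf; the server CA certificate (ca.pem) is /etc/kubernetes/pki/ca.crt
Deployment configuration file: the location of the k8s configuration file that deploys this project, also relative to the current code repository, e.g. bootshiro.yaml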
# ----------------------bootshiro--------------------- #
# ------bootshiro deployment------ #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
  name: bootshiro-deployment
  labels:
    app: bootshiro
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bootshiro
  template:
    metadata:
      labels:
        app: bootshiro
    spec:
      containers:
      - name: nginx
        image: registry.cn-hangzhou.aliyuncs.com/tomsun28/bootshiro:${BUILD_NUMBER}
        ports:
        - containerPort: 8080
---
# -------nginx-service--------- #
apiVersion: v1
kind: Service
metadata:
  name: bootshiro-service
spec:
  # type: NodePort
  ports:
  - name: server
    port: 8080
    targetPort: 8080
  selector:
    app: bootshiro
# !----------------------bootshiro--------------------- #
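The deployment file configured here creates one pod instance and a corresponding service that exposes it inside the cluster.
If the deployed application needs to serve traffic from outside the cluster, you also have to create a way of exposing it, such as ingress or nodeport.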
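For the certificate fields in the "Deploy to Kubernetes" step above: the client certificate and key are stored base64-encoded inside admin.conf, and the following added example (not from the original post) splits them into cert.pem and key.pem with owner-only permissions. The function names are hypothetical, and it assumes a kubeadm-style kubeconfig with a single embedded user; the sample kubeconfig it can build contains constructed dummy data only.

```shell
#!/usr/bin/env bash
# Added example, not from the original post; function names are hypothetical.
# Assumes a kubeadm-style kubeconfig with a single user whose credentials are
# embedded as base64 (client-certificate-data / client-key-data).

# Print the base64 value of one "<field>: <value>" line of the kubeconfig.
kubeconfig_field() {            # $1 = kubeconfig path, $2 = field name
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# Write cert.pem and key.pem into directory $2, readable by the owner only.
extract_kube_pems() {           # $1 = kubeconfig path, $2 = output directory
    local conf="$1" out="$2" pair field file value
    mkdir -p "$out" && chmod 700 "$out" || return 1
    for pair in client-certificate-data:cert.pem client-key-data:key.pem; do
        field="${pair%%:*}"
        file="${pair##*:}"
        value="$(kubeconfig_field "$conf" "$field")"
        if [ -z "$value" ]; then
            echo "missing $field in $conf" >&2
            return 1
        fi
        # umask inside a subshell: the file is created 0600 from the start.
        ( umask 077; rm -f "$out/$file"
          printf '%s' "$value" | base64 -d > "$out/$file" ) || return 1
        # Reject anything that did not decode to a PEM block.
        grep -q -e '-----BEGIN ' "$out/$file" || { rm -f "$out/$file"; return 1; }
    done
}

# Build a constructed kubeconfig (dummy PEM bodies, no real key material).
make_sample_kubeconfig() {      # $1 = path to write
    local cert key
    cert="$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' '-----END CERTIFICATE-----' | base64 | tr -d '\n')"
    key="$(printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' '-----END RSA PRIVATE KEY-----' | base64 | tr -d '\n')"
    printf 'apiVersion: v1\nkind: Config\nusers:\n- name: kubernetes-admin\n  user:\n    client-certificate-data: %s\n    client-key-data: %s\n' "$cert" "$key" > "$1"
}

# Usage on a control-plane node:
#   extract_kube_pems /etc/kubernetes/admin.conf ./pipeline-certs
#   cp /etc/kubernetes/pki/ca.crt ./pipeline-certs/ca.pem
```

kubeadm's admin.conf holds a cluster-admin identity, so the extracted files give whoever holds them full control of the cluster: treat them as secrets and delete the local copies once they are uploaded to the pipeline.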
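With that, the CI/CD setup is more or less complete. We push code to the GitHub repository, the DevOps flow takes over, and in the end the project runs in the kubernetes cluster by itself. If a pod or a worker node dies, k8s restarts pods to keep the configured number running.
Exposing services outside the cluster with ingress
traefik-ingress is used here. There is an official guide for deploying traefik in kubernetes, and following it step by step is basically enough to get it deployed.
The consolidated traefik.yaml for the deployment: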
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: tom.usthe.com
    http:
      paths:
      - path: /ingress
        backend:
          serviceName: traefik-web-ui
          servicePort: web
Using traefik to expose services:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: chess
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: tom.usthe.com
    http:
      paths:
      - path: /usthe
        backend:
          serviceName: usthe-service
          servicePort: http
      - path: /nginx
        backend:
          serviceName: nginx
          servicePort: http
Please credit tomsun28 when reposting.