上文讲了在 kubernetes 内部署 jenkins 和执行任务,但是如果执行多个关联任务也就是我们常常说的流水线就需要使用到插件 pipeline的能力,本文讲用一个示例进行说明。
pipeline
准备
在harbor(部署可参考https://chenjie.info/2664) ,创建chenjie 这个项目
gitlab(部署可参考https://chenjie.info/2729)
安装插件
git
Pipeline Stage View
coredns配置
增加域名解析方便对gitlab harbor的访问
kubectl edit cm coredns -n kube-system
如果apiserver 配置了域名也需加入方便后续有在slave pod 中kubectl 等操作
如果集群使用了nodelocaldns
kubectl edit cm -n kube-system nodelocaldns需要修改.:53中forward 和上面区块中的保持一致,以保证集群pod DNS解析都会走coredns
执行流水线
创建流水线任务devops-demo
这里的secret token在gitlab的项目中webhook中https://gitlab.chenjie.info/chenjie/devops-demo/-/hooks/1/edit配置
https://jenkins.chenjie.info/project/devops-demo
在gitlab使用root账户确保webhook可访问外部
https://gitlab.chenjie.info/admin/application_settings/network
在webhook中https://gitlab.chenjie.info/chenjie/devops-demo/-/hooks/1/edit
可以点击test 确保返回码200
创建流水线中所需的凭证
https://jenkins.chenjie.info/manage/credentials/
上传kubeconfig
https://gitlab.chenjie.info/chenjie/devops-demo/-/blob/main/Jenkinsfile git项目源代码https://github.com/jaychenthinkfast/devops-demo 需要克隆到本地gitlab 按需修改Jenkinsfile
def label = "slave-${UUID.randomUUID().toString()}"
def helmLint(String chartDir) {
println "校验 chart 模板"
sh "helm lint ${chartDir}"
}
def helmDeploy(Map args) {
if (args.debug) {
println "Debug 应用"
sh "helm upgrade --dry-run --debug --install ${args.name} ${args.chartDir} -f ${args.valuePath} --set image.tag=${args.imageTag} --namespace ${args.namespace}"
} else {
println "部署应用"
sh "helm upgrade --install ${args.name} ${args.chartDir} -f ${args.valuePath} --set image.tag=${args.imageTag} --namespace ${args.namespace}"
echo "应用 ${args.name} 部署成功. 可以使用 helm status ${args.name} 查看应用状态"
}
}
podTemplate(label: label, containers: [
containerTemplate(name: 'golang', image: 'golang:1.14.2-alpine3.11', command: 'cat', ttyEnabled: true),
containerTemplate(name: 'docker', image: 'docker:latest', command: 'cat', ttyEnabled: true),
containerTemplate(name: 'helm', image: 'cnych/helm', command: 'cat', ttyEnabled: true),
containerTemplate(name: 'kubectl', image: 'cnych/kubectl', command: 'cat', ttyEnabled: true)
], serviceAccount: 'jenkins', envVars: [
envVar(key: 'DOCKER_HOST', value: 'tcp://docker-dind:2375'),
envVar(key: 'GIT_SSL_NO_VERIFY', value: 'true')
]) {
node(label) {
def myRepo = checkout scm
// 获取 git commit id 作为镜像标签
def imageTag = sh(script: "git rev-parse --short HEAD", returnStdout: true).trim()
// 仓库地址
def registryUrl = "harbor.chenjie.info"
def imageEndpoint = "chenjie/devops-demo"
// 镜像
def image = "${registryUrl}/${imageEndpoint}:${imageTag}"
stage('单元测试') {
echo "测试阶段"
}
stage('代码编译打包') {
try {
container('golang') {
echo "2.代码编译打包阶段"
sh """
export GOPROXY=https://goproxy.cn
GOOS=linux GOARCH=amd64 go build -v -o demo-app
"""
}
} catch (exc) {
println "构建失败 - ${currentBuild.fullDisplayName}"
throw(exc)
}
}
stage('构建 Docker 镜像') {
withCredentials([[$class: 'UsernamePasswordMultiBinding',
credentialsId: 'docker-auth',
usernameVariable: 'DOCKER_USER',
passwordVariable: 'DOCKER_PASSWORD']]) {
container('docker') {
echo "3. 构建 Docker 镜像阶段"
sh """
cat /etc/resolv.conf
docker login ${registryUrl} -u ${DOCKER_USER} -p ${DOCKER_PASSWORD}
docker build -t ${image} .
docker push ${image}
"""
}
}
}
stage('运行 Helm') {
withCredentials([file(credentialsId: 'kubeconfig', variable: 'KUBECONFIG')]) {
container('helm') {
sh "mkdir -p ~/.kube && cp ${KUBECONFIG} ~/.kube/config"
echo "4.开始 Helm 部署"
def userInput = input(
id: 'userInput',
message: '选择一个部署环境',
parameters: [
[
$class: 'ChoiceParameterDefinition',
choices: "Dev\nQA\nProd",
name: 'Env'
]
]
)
echo "部署应用到 ${userInput} 环境"
// 选择不同环境下面的 values 文件
if (userInput == "Dev") {
// deploy dev stuff
} else if (userInput == "QA"){
// deploy qa stuff
} else {
// deploy prod stuff
}
helmDeploy(
debug : false,
name : "devops-demo",
chartDir : "./helm",
namespace : "kube-ops",
valuePath : "./helm/my-values.yaml",
imageTag : "${imageTag}"
)
}
}
}
stage('运行 Kubectl') {
withCredentials([file(credentialsId: 'kubeconfig', variable: 'KUBECONFIG')]) {
container('kubectl') {
sh "mkdir -p ~/.kube && cp ${KUBECONFIG} ~/.kube/config"
echo "5.查看应用"
sh "kubectl get all -n kube-ops -l app=devops-demo"
}
}
}
stage('快速回滚?') {
withCredentials([file(credentialsId: 'kubeconfig', variable: 'KUBECONFIG')]) {
container('helm') {
sh "mkdir -p ~/.kube && cp ${KUBECONFIG} ~/.kube/config"
def userInput = input(
id: 'userInput',
message: '是否需要快速回滚?',
parameters: [
[
$class: 'ChoiceParameterDefinition',
choices: "Y\nN",
name: '回滚?'
]
]
)
if (userInput == "Y") {
sh "helm rollback devops-demo --namespace kube-ops"
}
}
}
}
}
}按需修改 helm/my-values.yaml
image:
repository: harbor.chenjie.info/chenjie/devops-demo
tag: latest
pullPolicy: IfNotPresent
ingress:
enabled: true
ingressClassName: traefik
path: /
hosts:
- devops-demo.chenjie.info
resources:
limits:
cpu: 50m
memory: 128Mi
requests:
cpu: 50m
memory: 128Mi执行视图
控制台输出
Started by GitLab push by jie chen
Obtained Jenkinsfile from git https://gitlab.chenjie.info/chenjie/devops-demo.git
[Pipeline] Start of Pipeline
[Pipeline] podTemplate
[Pipeline] {
[Pipeline] node
Created Pod: kubernetes kube-ops/slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a-190t5-czqw2
Still waiting to schedule task
Waiting for next available executor on ‘slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a-190t5-czqw2’
Agent slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a-190t5-czqw2 is provisioned from template slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a-190t5
---
apiVersion: "v1"
kind: "Pod"
metadata:
annotations:
buildUrl: "http://jenkins.kube-ops.svc.cluster.local:8080/job/devops-demo/13/"
runUrl: "job/devops-demo/13/"
labels:
jenkins: "slave"
jenkins/label-digest: "cfc390563aba22bb76c772551ce54f921748bba3"
jenkins/label: "slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a"
name: "slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a-190t5-czqw2"
namespace: "kube-ops"
spec:
containers:
- command:
- "cat"
env:
- name: "DOCKER_HOST"
value: "tcp://docker-dind:2375"
- name: "GIT_SSL_NO_VERIFY"
value: "true"
image: "golang:1.14.2-alpine3.11"
imagePullPolicy: "IfNotPresent"
name: "golang"
resources: {}
tty: true
volumeMounts:
- mountPath: "/home/jenkins/agent"
name: "workspace-volume"
readOnly: false
- command:
- "cat"
env:
- name: "DOCKER_HOST"
value: "tcp://docker-dind:2375"
- name: "GIT_SSL_NO_VERIFY"
value: "true"
image: "cnych/kubectl"
imagePullPolicy: "IfNotPresent"
name: "kubectl"
resources: {}
tty: true
volumeMounts:
- mountPath: "/home/jenkins/agent"
name: "workspace-volume"
readOnly: false
- command:
- "cat"
env:
- name: "DOCKER_HOST"
value: "tcp://docker-dind:2375"
- name: "GIT_SSL_NO_VERIFY"
value: "true"
image: "cnych/helm"
imagePullPolicy: "IfNotPresent"
name: "helm"
resources: {}
tty: true
volumeMounts:
- mountPath: "/home/jenkins/agent"
name: "workspace-volume"
readOnly: false
- command:
- "cat"
env:
- name: "DOCKER_HOST"
value: "tcp://docker-dind:2375"
- name: "GIT_SSL_NO_VERIFY"
value: "true"
image: "docker:latest"
imagePullPolicy: "IfNotPresent"
name: "docker"
resources: {}
tty: true
volumeMounts:
- mountPath: "/home/jenkins/agent"
name: "workspace-volume"
readOnly: false
- env:
- name: "JENKINS_SECRET"
value: "********"
- name: "JENKINS_TUNNEL"
value: "jenkins.kube-ops.svc.cluster.local:50000"
- name: "GIT_SSL_NO_VERIFY"
value: "true"
- name: "JENKINS_AGENT_NAME"
value: "slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a-190t5-czqw2"
- name: "DOCKER_HOST"
value: "tcp://docker-dind:2375"
- name: "JENKINS_NAME"
value: "slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a-190t5-czqw2"
- name: "JENKINS_AGENT_WORKDIR"
value: "/home/jenkins/agent"
- name: "JENKINS_URL"
value: "http://jenkins.kube-ops.svc.cluster.local:8080/"
image: "jenkins/inbound-agent:3107.v665000b_51092-5"
name: "jnlp"
resources:
requests:
memory: "256Mi"
cpu: "100m"
volumeMounts:
- mountPath: "/home/jenkins/agent"
name: "workspace-volume"
readOnly: false
nodeSelector:
kubernetes.io/os: "linux"
restartPolicy: "Never"
serviceAccountName: "jenkins"
volumes:
- emptyDir:
medium: ""
name: "workspace-volume"
Running on slave-b4aa2b40-c1fd-46d0-a380-9063044f3c0a-190t5-czqw2 in /home/jenkins/agent/workspace/devops-demo
[Pipeline] {
[Pipeline] checkout
Selected Git installation does not exist. Using Default
The recommended git tool is: NONE
using credential gitlab-auth
Cloning the remote Git repository
Avoid second fetch
skipping resolution of commit remotes/origin/main, since it originates from another repository
Checking out Revision d51ddaf8850b77223936a1bfa5bc8c924230a61e (origin/main)
Cloning repository https://gitlab.chenjie.info/chenjie/devops-demo.git
> git init /home/jenkins/agent/workspace/devops-demo # timeout=10
Fetching upstream changes from https://gitlab.chenjie.info/chenjie/devops-demo.git
> git --version # timeout=10
> git --version # 'git version 2.30.2'
using GIT_ASKPASS to set credentials gitlab认证信息
> git fetch --tags --force --progress -- https://gitlab.chenjie.info/chenjie/devops-demo.git +refs/heads/*:refs/remotes/origin/* # timeout=10
> git config remote.origin.url https://gitlab.chenjie.info/chenjie/devops-demo.git # timeout=10
> git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # timeout=10
> git rev-parse origin/main^{commit} # timeout=10
> git config core.sparsecheckout # timeout=10
> git checkout -f d51ddaf8850b77223936a1bfa5bc8c924230a61e # timeout=10
Commit message: "Merge branch 'main-patch-e6a1' into 'main'"
> git rev-list --no-walk 73cbe663553ee0782bc122466f4aa90299ee92d4 # timeout=10
[Pipeline] sh
+ git rev-parse --short HEAD
[Pipeline] stage
[Pipeline] { (单元测试)
[Pipeline] echo
测试阶段
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (代码编译打包)
[Pipeline] container
[Pipeline] {
[Pipeline] echo
2.代码编译打包阶段
[Pipeline] sh
+ export 'GOPROXY=https://goproxy.cn'
+ GOOS=linux GOARCH=amd64 go build -v -o demo-app
go: downloading github.com/sirupsen/logrus v1.4.2
go: downloading github.com/gin-gonic/gin v1.4.0
go: downloading golang.org/x/sys v0.0.0-20190422165155-953cdadca894
go: downloading github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3
go: downloading github.com/mattn/go-isatty v0.0.7
go: downloading gopkg.in/go-playground/validator.v8 v8.18.2
go: downloading github.com/golang/protobuf v1.3.1
go: downloading gopkg.in/yaml.v2 v2.2.2
go: downloading github.com/ugorji/go v1.1.4
github.com/gin-gonic/gin/internal/json
github.com/golang/protobuf/proto
gopkg.in/go-playground/validator.v8
gopkg.in/yaml.v2
golang.org/x/sys/unix
github.com/gin-contrib/sse
github.com/ugorji/go/codec
github.com/mattn/go-isatty
github.com/sirupsen/logrus
github.com/gin-gonic/gin/binding
github.com/gin-gonic/gin/render
github.com/gin-gonic/gin
dronek8s
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (构建 Docker 镜像)
[Pipeline] withCredentials
Masking supported pattern matches of $DOCKER_PASSWORD
[Pipeline] {
[Pipeline] container
[Pipeline] {
[Pipeline] echo
3. 构建 Docker 镜像阶段
[Pipeline] sh
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [DOCKER_PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ cat /etc/resolv.conf
nameserver 169.254.25.10
search kube-ops.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
+ docker login harbor.chenjie.info -u admin -p ****
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
+ docker build -t harbor.chenjie.info/chenjie/devops-demo:d51ddaf .
#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s
#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 445B done
#2 DONE 0.0s
#3 [internal] load metadata for dockerproxy.com/library/alpine:3.16.2
#3 DONE 1.6s
#4 [1/4] FROM dockerproxy.com/library/alpine:3.16.2@sha256:65a2763f593ae85fab3b5406dc9e80f744ec5b449f269b699b5efd37a07ad32e
#4 DONE 0.0s
#5 [internal] load build context
#5 transferring context: 16.94MB 0.1s done
#5 DONE 0.1s
#6 [2/4] WORKDIR /home
#6 CACHED
#7 [3/4] RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories && apk update && apk upgrade && apk add ca-certificates && update-ca-certificates && apk add --update tzdata && rm -rf /var/cache/apk/*
#7 CACHED
#8 [4/4] COPY demo-app /home/
#8 CACHED
#9 exporting to image
#9 exporting layers done
#9 writing image sha256:f2006adc0c3229418b34f903bfe94e3ae2d43e6aac944d89f1e872a7e63bba44 done
#9 naming to harbor.chenjie.info/chenjie/devops-demo:d51ddaf done
#9 DONE 0.0s
WARNING: buildx: git was not found in the system. Current commit information was not captured by the build
+ docker push harbor.chenjie.info/chenjie/devops-demo:d51ddaf
The push refers to repository [harbor.chenjie.info/chenjie/devops-demo]
024c0e2103c3: Preparing
52f64311adb3: Preparing
5f70bf18a086: Preparing
994393dc58e7: Preparing
5f70bf18a086: Layer already exists
52f64311adb3: Layer already exists
994393dc58e7: Layer already exists
024c0e2103c3: Layer already exists
d51ddaf: digest: sha256:45e19b9e01c42494e51156f979d4ccabb48e4e6cdecda82cf098bfd9020a83e2 size: 1156
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (运行 Helm)
[Pipeline] withCredentials
Masking supported pattern matches of $KUBECONFIG
[Pipeline] {
[Pipeline] container
[Pipeline] {
[Pipeline] sh
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [KUBECONFIG]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ mkdir -p /root/.kube
+ cp **** /root/.kube/config
[Pipeline] echo
4.开始 Helm 部署
[Pipeline] input
Input requested
Approved by admin
[Pipeline] echo
部署应用到 Dev 环境
[Pipeline] echo
部署应用
[Pipeline] sh
+ helm upgrade --install devops-demo ./helm -f ./helm/my-values.yaml --set 'image.tag=d51ddaf' --namespace kube-ops
Release "devops-demo" has been upgraded. Happy Helming!
NAME: devops-demo
LAST DEPLOYED: Fri Apr 28 12:37:06 2023
NAMESPACE: kube-ops
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
http://devops-demo.chenjie.info/
[Pipeline] echo
应用 devops-demo 部署成功. 可以使用 helm status devops-demo 查看应用状态
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (运行 Kubectl)
[Pipeline] withCredentials
Masking supported pattern matches of $KUBECONFIG
[Pipeline] {
[Pipeline] container
[Pipeline] {
[Pipeline] sh
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [KUBECONFIG]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ mkdir -p /root/.kube
+ cp **** /root/.kube/config
[Pipeline] echo
5.查看应用
[Pipeline] sh
+ kubectl get all -n kube-ops -l 'app=devops-demo'
NAME READY STATUS RESTARTS AGE
pod/devops-demo-7fcdf94969-8w6c7 0/1 ContainerCreating 0 1s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/devops-demo ClusterIP 10.233.24.229 80/TCP 3h40m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/devops-demo 0/1 1 0 3h40m
NAME DESIRED CURRENT READY AGE
replicaset.apps/devops-demo-7fcdf94969 1 1 0 1
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (快速回滚?)
[Pipeline] withCredentials
Masking supported pattern matches of $KUBECONFIG
[Pipeline] {
[Pipeline] container
[Pipeline] {
[Pipeline] sh
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [KUBECONFIG]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ mkdir -p /root/.kube
+ cp **** /root/.kube/config
[Pipeline] input
Input requested
Approved by admin
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] }
[Pipeline] // podTemplate
[Pipeline] End of Pipeline
Finished: SUCCESS 解析devops-demo.chenjie.info 到traefik 所在节点ip 即可访问该服务
curl http://devops-demo.chenjie.info
{"msg":"this is pipeline test by chenjie.info"}