k8s1.16.0-k8s的jenkins部署java项目到k8s集群cicd(ci成,cd手动部署的)
注意: 本文档只是实现了ci,cd是通过ci生成的镜像,再手工再k8s-master执行的部署(只因pod部署的jenkins连接k8s的认证不知怎么操作,若jenkins是单独部署在k8s-master机器上,能直接在master执行kubectl命令就没这个问题了)
1.规划:
192.168.171.128 master mysql nfs
192.168.171.129 node1
192.168.171.130 node2
192.168.171.131 githabor docker-habor
2.在192.168.171.131上: 安装githarbor docker-harbor
1)在192.168.171.131上安装docker-ce19.03
[root@localhost ~]# ls
docker19.03-ce_lixian.tar.gz
[root@localhost ~]# tar -zxf docker19.03-ce_lixian.tar.gz
[root@localhost ~]# ls
docker19.03-ce_lixian docker19.03-ce_lixian.tar.gz
[root@localhost ~]# cd docker19.03-ce_lixian
[root@localhost docker19.03-ce_lixian]# ls
containerd.io-1.2.6-3.3.el7.x86_64.rpm docker-ce-19.03.2-3.el7.x86_64.rpm docker-ce-cli-19.03.2-3.el7.x86_64.rpm
[root@localhost docker19.03-ce_lixian]# yum -y localinstall *.rpm
[root@localhost docker19.03-ce_lixian]# systemctl start docker
[root@localhost docker19.03-ce_lixian]# systemctl enable docker
[root@localhost docker19.03-ce_lixian]# docker info
Client:
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 19.03.2
[root@localhost docker19.03-ce_lixian]# cd
2)安装docker-compose,harbor依赖于compose
[root@localhost ~]# rz
[root@localhost ~]# ls
docker19.03-ce_lixian docker19.03-ce_lixian.tar.gz docker-compose-bin.tar.gz
[root@localhost ~]# chmod +x docker-compose
[root@localhost ~]# mv docker-compose /usr/bin/
[root@localhost ~]# docker-compose -v
docker-compose version 1.21.0, build 5920eb0
3)安装docker-harbor1.7.5 推荐2核4G
[root@localhost ~]# rz
[root@localhost ~]# ls
docker19.03-ce_lixian docker19.03-ce_lixian.tar.gz docker-compose-bin.tar.gz harbor-offline-installer-v1.7.5.tgz
[root@localhost ~]# tar -zxf harbor-offline-installer-v1.7.5.tgz
[root@localhost ~]# ls
docker19.03-ce_lixian docker19.03-ce_lixian.tar.gz docker-compose-bin.tar.gz harbor harbor-offline-installer-v1.7.5.tgz
[root@localhost ~]# cd harbor
[root@localhost harbor]# ls
common docker-compose.clair.yml docker-compose.yml harbor.v1.7.5.tar.gz LICENSE prepare
docker-compose.chartmuseum.yml docker-compose.notary.yml harbor.cfg install.sh open_source_license
[root@localhost harbor]# vim harbor.cfg
hostname = 192.168.171.131 #设置为使用ip访问
harbor_admin_password = Harbor12345 #默认登录密码
[root@localhost harbor]# ./prepare #准备安装环境脚本
[root@localhost harbor]# ./install.sh #安装harbor 安装完后,会自动启动下面容器:
[root@localhost harbor]# docker-compose ps
Name Command State Ports
----------------------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up (healthy)
harbor-core /harbor/start.sh Up (healthy)
harbor-db /entrypoint.sh postgres Up (healthy) 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up (health: starting) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 80/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp
registryctl /harbor/start.sh Up (healthy)
[root@localhost harbor]# cd
浏览器访问docker-harbor http://192.168.171.131/
输入默认用户名和密码: admin/Harbor12345,登录后,如下:
创建一个公用的仓库即可,因为下面pipeline代码中会推送到该仓库中。
4)安装git代码版本仓库(和gitlab差不多,比gitlab简单轻量)
[root@localhost ~]# yum -y install git
设置git代码仓库管理用户和密码:git/123
[root@localhost ~]# useradd git
[root@localhost ~]# echo "123" |passwd --stdin git
[root@localhost ~]# su - git
[git@localhost ~]$ mkdir demo.git #创建一个空的仓库
[git@localhost ~]$ ls
demo.git
[git@localhost ~]$ cd demo.git/
[git@localhost demo.git]$ ls
[git@localhost demo.git]$ git --bare init #初始化仓库
[git@localhost demo.git]$ ls
branches config description HEAD hooks info objects refs
5)随便找个客户端测试git版本管理仓库,以master作为git客户端测试:
[root@master ~]# yum -y install git #安装git客户端
[root@master ~]# git clone [email protected]:/home/git/demo.git
[email protected]'s password: 123
warning: You appear to have cloned an empty repository. #提示为空,因为仓库里没有东西
[root@master ~]# ls demo/
[root@master ~]# cd demo/
[root@master demo]# ls
[root@master demo]# echo 123 >a.txt
[root@master demo]# cat a.txt
123
[root@master demo]# git config --global user.email "[email protected]"
[root@master demo]# git config --global user.name "Your Name"
[root@master demo]# git add .
[root@master demo]# git commit -m "test"
[root@master demo]# git remote -v #查看远程仓库别名设置
origin [email protected]:/home/git/demo.git (fetch)
origin [email protected]:/home/git/demo.git (push)
[root@master demo]# git push origin master
[email protected]'s password: 123
Counting objects: 3, done.
Writing objects: 100% (3/3), 205 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To [email protected]:/home/git/demo.git
* [new branch] master -> master
验证推送仓库成功,将现有的仓库删除,重新clone远程仓库,有新代码即可,如下:
[root@master demo]# cd ..
[root@master ~]# rm -rf demo/
[root@master ~]# git clone [email protected]:/home/git/demo.git
Cloning into 'demo'...
[email protected]'s password: 123
[root@master ~]# cd demo/
[root@master demo]# ls
a.txt
[root@master demo]# cat a.txt
123
[root@master demo]# cd ..
客户端免交互拉取代码配置:在客户端上生成秘钥对,将公钥发给git服务端即可。
[root@master ~]# ssh-keygen 一路回车
[root@master ~]# ls /root/.ssh/
id_rsa id_rsa.pub known_hosts
[root@master ~]# ssh-copy-id [email protected]
[email protected]'s password:123
[root@master ~]# rm -rf demo/
[root@master ~]# git clone [email protected]:/home/git/demo.git #可以免交互拉取git仓库代码
[root@master ~]# ls demo/
a.txt
[root@master ~]# cat demo/a.txt
123
2.在k8s集群中部署jenkins
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-node1 Ready <none> 57d v1.16.0
k8s-node2 Ready <none> 57d v1.16.0
jenkins数据需要持久化且共享存储,因为不知道会把jenkins分配到哪个节点,或者运行jenkins的节点挂了漂移到另一个节点时,都需要共享数据,所以,需要搭建nfs
1)在192.168.171.128-master上安装nfs:
[root@k8s-master ~]# yum -y install nfs-utils #客户端和服务端都需要安装(k8s集群机器也安装)
[root@k8s-master ~]# vim /etc/exports
/home/jenkins *(no_root_squash,rw)
/home/maven *(no_root_squash,rw)
[root@k8s-master ~]# mkdir /home/jenkins -p
[root@k8s-master ~]# mkdir /home/maven -p
[root@k8s-master ~]# exportfs -rv
[root@k8s-master ~]# systemctl restart nfs
[root@k8s-master ~]# systemctl enable nfs
2)K8s中部署jenkins: (以deployment方式部署,共享存储nfs和pv)
[root@k8s-master ~]# ls jenkins_yaml_k8s1.16.tar.gz
jenkins_yaml_k8s1.16.tar.gz
[root@k8s-master ~]# tar -zxf jenkins_yaml_k8s1.16.tar.gz
[root@k8s-master ~]# cd jenkins_yaml
[root@k8s-master jenkins_yaml]# ls
default-sa.yaml deploy.yaml pv.yaml sa.yaml
[root@k8s-master jenkins_yaml]# cat default-sa.yaml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: default-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: default-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: default-role
subjects:
- kind: ServiceAccount
name: default
namespace: default
[root@k8s-master jenkins_yaml]# cat sa.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jenkins-master
namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: jenkins-master
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: jenkins-master
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins-master
subjects:
- kind: ServiceAccount
name: jenkins-master
namespace: default
[root@k8s-master jenkins_yaml]# cat pv.yaml
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: jenkins-master-vol
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
nfs:
path: /home/jenkins
server: 192.168.171.128
persistentVolumeReclaimPolicy: Recycle
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: maven-repository
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
nfs:
path: /home/maven
server: 192.168.171.128
persistentVolumeReclaimPolicy: Recycle
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jenkins-master-claim
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: maven-repository-claim
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
[root@k8s-master jenkins_yaml]# cat deploy.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jenkins-master
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
name: jenkins-master
template:
metadata:
labels:
name: jenkins-master
spec:
securityContext:
fsGroup: 1000
containers:
- name: jenkins-master
image: k8s-jenkins-master:2.164.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
name: http
- containerPort: 50000
name: agent
volumeMounts:
- name: jenkins-master-vol
mountPath: /var/jenkins_home
- name: maven-repository
mountPath: /opt/maven/repository
- name: docker
mountPath: /usr/bin/docker
- name: docker-sock
mountPath: /var/run/docker.sock
volumes:
- name: jenkins-master-vol
persistentVolumeClaim:
claimName: jenkins-master-claim
- name: maven-repository
persistentVolumeClaim:
claimName: maven-repository-claim
- name: docker
hostPath:
path: /usr/bin/docker
- name: docker-sock
hostPath:
path: /var/run/docker.sock
serviceAccount: "jenkins-master"
imagePullSecrets:
- name: harborsecret
---
apiVersion: v1
kind: Service
metadata:
name: jenkins-master
spec:
type: NodePort
ports:
- port: 8080
name: http
targetPort: 8080
nodePort: 30006
- port: 50000
name: agent
#nodePort: 30007
targetPort: 50000
selector:
name: jenkins-master
[root@k8s-master jenkins_yaml]# ls /opt/k8s-jenkins-master_2.164.3.tar #上传基础jenkins的镜像
[root@k8s-master jenkins_yaml]# docker load -i /opt/k8s-jenkins-master_2.164.3.tar #其他各个节点也都load一下
[root@k8s-master jenkins_yaml]# docker images |grep jenkins
k8s-jenkins-master 2.164.3 e0da318a8e6e 2 minites ago 1.16GB
[root@k8s-master jenkins_yaml]# kubectl apply -f .
[root@k8s-master jenkins_yaml]# kubectl get pod,svc -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/jenkins-master-78577cdf6c-clcdd 1/1 Running 0 28m 10.244.1.46 k8s-node2 <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/jenkins-master NodePort 10.0.0.64 <none> 8080:30006/TCP,50000:32224/TCP 15h name=jenkins-master
service/kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 60d <none>
[root@k8s-master jenkins_yaml]# kubectl get pv,pvc
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
persistentvolume/jenkins-master-vol 5Gi RWX Recycle Bound default/maven-repository-claim 20h
persistentvolume/maven-repository 5Gi RWX Recycle Bound default/jenkins-master-claim 20h
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
persistentvolumeclaim/jenkins-master-claim Bound maven-repository 5Gi RWX 20h
persistentvolumeclaim/maven-repository-claim Bound jenkins-master-vol 5Gi RWX 20h
[root@master ~]# kubectl logs -f jenkins-master-78577cdf6c-clcdd
......
Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:
b04b5b8345344783a9a32237aeeb0373
This may also be found at: /var/jenkins_home/secrets/initialAdminPassword
[root@k8s-master jenkins_yaml]# kubectl exec -it jenkins-master-78577cdf6c-clcdd bash
root@jenkins-master-78577cdf6c-clcdd:/# ping www.baidu.com
PING www.a.shifen.com (61.135.169.125) 56(84) bytes of data.
64 bytes from 61.135.169.125 (61.135.169.125): icmp_seq=1 ttl=127 time=49.5 ms
root@jenkins-master-78577cdf6c-clcdd:/# ping kubernetes
PING kubernetes.default.svc.cluster.local (10.0.0.1) 56(84) bytes of data.
64 bytes from kubernetes.default.svc.cluster.local (10.0.0.1): icmp_seq=1 ttl=64 time=0.175 ms
64 bytes from kubernetes.default.svc.cluster.local (10.0.0.1): icmp_seq=2 ttl=64 time=0.061 ms
浏览器访问jenkins: http://192.168.171.130:30006
下面路径是之前的jenkins截图,
路径实际应该在: /var/jenkins_home/secrets/initialAdminPassword
点击选择插件来安装,如下:
先不安装任何插件,后面再安装,如下:
创建第一个管理员用户,admin/123456
将插件管理处的高级处https改为http(为了提高安装插件速度)——点击check now,有时候可能需要等一段时间,再选择可用插件,安装相关使用插件即可,如下:
将https改为http——点击check now,有时候可能需要等一段时间,再选择可用插件,安装相关使用插件即可。
3.安装jenkins中的相关插件
1)下面安装git插件: (最好先上传git相关难安装的插件,再用平台页面安装git插件)如下:
安装git相关难安装的插件,如下:
选择好插件后,点击upload上传后会自动安装该上传插件,如下:
上面报错是因为安装git插件时候因为依赖关系,有先后顺序,这个不影响,哪个没有安装,再重新下载相关插件,重新安装即可,直到全部安装完成即可。
同理,将git相关依赖的难安装的插件,先手工离线安装,可以看到git插件已经安装完成,如果没有安装完成,然后再用该平台安装git插件:在available出选择Git plugin勾选并安装即可。
2)安装kubernetes插件:
也是先手动上传安装难安装的依赖插件,如下:
所有相关依赖难安插件安装完成后,如下:
上面报错是因为安装git插件时候因为依赖关系,有先后顺序,这个不影响,哪个没有安装,再重新下载相关插件,重新安装即可,直到全部安装完成即可。
在installed中可以看到已经安装好kubernetes 插件:
如果没有安装好,就在available中选择Kubernetes plugin再进行安装一下即可。
3)安装pipeline插件: 也是先手动上传安装难安装的依赖插件,如下:
所有相关依赖难安插件安装完成后,如下:因为可能依赖关系顺序不同,下面有的有报错,后面安装后又将报错的重新安装了一下,成功。
安装完成后,在install中可以看到pipeline的相关安装,但是Pipeline还没有安装,需要在平台上available中勾选Pipeline再进行安装,如下:
安装完成后,在installed中可以看到Pipeline,如下:
4).安装jenkins将资源部署在k8s平台的插件: Kubernetes_Continuos_Deploy插件:
如果两个依赖插件都安装后,还没有安装好,就在aviable中选择下面插件再进行安装。如下:
4.配置jenkins和kubernetes集成:(配置jenkins能连接kubernetes集群)
点击系统管理——系统设置——拉到最底部,有一个cloud,点击add a new cloud,选择kubernetes,如下:
如下:配置kubernetes地址:https://kubernetes.default (dns解析的service名称和命名空间)
配置jenkins地址:http://jenkins.default (dns解析的service名称和命名空间) 点击save保存
5.在jenkins中创建一个测试的pipeline项目实现能代码拉取:
点击创建一个流水线任务,如下:
点击ok,如下:
拉到最下面:
选择相应的项目即可生成对应的pipeline的模板脚本,在模板基础上修改即可。
点击Pipeline Syntax可查看相应的pipeline的相应模块的语法编写,如查看:如何拉取编译代码的语法,点击Pipeline Syntax,如下:
选择git,如下:
[root@k8s-master ~]# cat demo/.git/config |grep git
url = [email protected]:/home/git/demo.git
[root@k8s-master ~]# ls /root/.ssh/
id_rsa id_rsa.pub known_hosts
[root@k8s-master ~]# ssh-copy-id [email protected] #生成秘钥对,将公钥配置在git服务端
[root@k8s-master ~]# cat /root/.ssh/id_rsa #将私钥添加到jenkins中,实现免交互拉取代码
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA1MVh7Da458+hMKQyYit1oc00OCUMwO7r4CIE2RhTd9WkPfu7
9C1is1+FWC/TabVpS3p6Qrt4Up2Wc6Ry/Hx8coKDQkuXEg0fBESNprh7t0n9s4Jf
CfM3P9xDGnIiA9/M4qahu2xq3ZsN9f6/TJUhXL2oOsrq4KPJHH07sT7lp0+08MeM
1c97Rckwd//urQwGC4tdZFTJ9XDVq4S7E0XlKqWQ6NZoorTIj6+w/d1gurZDijQ6
1ry42WDA+JmfmHpQpgmFcc288L/sZgNzeaUWd720Z3KRe5WWM7/YQ8kNrTrBsL7E
SHFbdBcFlKKSdNI19wddRi2lF4AocmN+RuFoPwIDAQABAoIBAEnNHSYd5Q0jC7of
egprIKY60z4WO9JADTj1E9FpiqoqRInrY0pS48VsAIiSLjagYiF4Hig/doDRgHok
NG43j8L4WicIqSHtwzBrxuZpXyA4XfOB6Q0+e49/CxeFNx845YxIWBj2hirPuYv2
DMy3fZb5gfzCna3FoeBr3+Se+HGLpjIUwSXGC/NWHAhYNdqWcHlOSqv8+/sgZ02X
v8BN460ZG+ee+ZUcvrYYbBYOCJgQqY76ihgfLH2MorFvJ5DtGvuYCFlWrbUSxON0
XeKeprP6wXDXtcpVSSdGLvNBIoesCZhVQava0gyNZ0BksUR+5yJQYgH+gEbRP6MA
rjEumiECgYEA8DTolQvNS+Kgb6gVYslmm0LX9ju1izboHQOqoQGaWtG+0NvWXkHQ
pZ1n2JM9z3l8f8gYXog65JO8GgZ5pj5MztFGFbSKzMSwrrLelnKOlBa1iS3607AZ
Lt0Ve4zTRcPXDzvq+wtmtKjNEkArOOlGmjLbU0FQZsbla1tD2SM8Fn0CgYEA4sKv
UTklzC3YiEBCf2zDygPzdaNVO9wroKsbIk/cao5F1RRPcbbnbUlSC+B8iU2N5LyF
njPTRD/0YcaiU+UjmRE6Io8ZgYpWNmCPNBG2gAHJcqxHVOc+vZi2GCM0x/KYV6Nf
lpfwrujYevHzKg11OXX5/RvgmKnepC086XQ5qmsCgYBIdR1HgHTgFC+jHse8sdYC
taohe6dqpBhmUCnTQYGHLcfqhrXmXuIKYy3lFZ1KjXHxtbEsKtnhA3N1QkjFzfsr
U9NZTsmjtR06xXgBV/MMVsFR7Q3Bd1hRW51UVImSfN3NmZxrN+g2TMj3XWXsV+nV
L8wbFBOlvQ+NT81qnYdNnQKBgHjz2WncrrGbHq2GgTHQxRpjQyBTb+pPBSJdQkrq
CCr6GnuOqtV/9y+O9WmKY0Mlj/MbL7Zz9FOqPWNN/VX8miFSVA0NAVDchiHZHWlr
rUnYKii1hhLeidO9uhtj5Apm9yV/6kO8ZdAWOSpTFh4vMYDl0eNVVFZ5/VzbGGt5
6CxjAoGAbZJXbZaIzWjnCb0TvDCb7Ird8M+Ej3eHb6/+EB3YNq01Tv+Z8yOj7sp6
X0GHewSVYXLlmXELL6Ws00s9iYywBksg/AgbFh7K9bboz2oPmHENMQedkf1QuQ9m
j/o/AqYPhjqv5TQ38IrczbPFxiHHK6Zy4yKIX3oZMh+oHAtK5Rk=
-----END RSA PRIVATE KEY-----
点击生成脚本,即可得到下面的脚本内容,使用内容填写到pipeline的脚本中即可。
一般也不会出现上面报错,如果上面报错是因为jenkins容器中没有安装git客户端,解决:
[root@k8s-master ~]# kubectl exec -it jjenkin的pod bash
[root@jenkins-0 tomcat]# yum -y install git
脚本内容:git credentialsId: '8ce9e95b-c0a1-4af6-9a86-9b54500745b4', url: '[email protected]:/home/git/demo.git'
将脚本内容填写如pipeline的脚本中,实现拉取测试的代码步骤,如下:
node {
stage('拉取代码') {
git credentialsId: '8ce9e95b-c0a1-4af6-9a86-9b54500745b4', url: '[email protected]:/home/git/demo.git'
sh 'ls'
}
stage('测试构建') {
echo 'goujian chenggong'
}
}
点击save,保存后,点击立即构建,如下:
6.在jenkins中创建一个pipeline项目实现CICD:(只做到了CI,CD未做,因为部署到k8s时连接k8s的kubeconfig凭据id不知道怎么添加认证)
1)上传java-demo代码:
[root@k8s-master ~]# ls java-demo.tar.gz
java-demo.tar.gz
[root@k8s-master ~]# tar -zxf java-demo.tar.gz
[root@k8s-master ~]# cd java-demo
[root@k8s-master java-demo]# ls
db deploy.yml LICENSE pom.xml README.md src
[root@k8s-master java-demo]# cat src/main/resources/application.yml
server:
port: 8080
spring:
datasource:
url: jdbc:mysql://192.168.171.128:3306/test?characterEncoding=utf-8
username: demo
password: 123456
driver-class-name: com.mysql.jdbc.Driver
freemarker:
allow-request-override: false
cache: true
check-template-location: true
charset: UTF-8
content-type: text/html; charset=utf-8
expose-request-attributes: false
expose-session-attributes: false
expose-spring-macro-helpers: false
suffix: .ftl
template-loader-path:
- classpath:/templates/
[root@k8s-master java-demo]# ls db/
tables_ly_tomcat.sql
2)master上安装mysql并导入sql文件:
[root@k8s-master ~]# yum -y install mariadb mariadb-server
[root@k8s-master ~]# systemctl start mariadb
[root@k8s-master ~]# systemctl enable mariadb
[root@k8s-master ~]# mysql 安装启动mariadb后,不需密码即可登录
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
+--------------------+
MariaDB [(none)]> quit
接下来进行MariaDB的相关简单配置,使用命令: mysql_secure_installation
[root@k8s-master ~]# mysql_secure_installation #简单安全安装配置,回车
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none): 回车,输入当前密码,无,直接回车即可
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password: 输入要设置的root密码: 123
Re-enter new password: 确认root的密码: 123
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment. #下面一路都是y
Remove anonymous users? [Y/n] y 是否删除匿名用户,回车
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y 是否禁止root远程登录,回车
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y 是否删除test数据库,回车
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y 是否重新加载权限表,回车
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
[root@k8s-master ~]# mysql -uroot -p123 #使用设置的密码登录mysql
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
MariaDB [(none)]> create database test;
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
+--------------------+
MariaDB [(none)]> source /root/java-demo/db/tables_ly_tomcat.sql;
MariaMariaDB [test]> show tables;
+----------------+
| Tables_in_test |
+----------------+
| user |
+----------------+
MariaDB [(none)]> grant all on test.* to demo@'%' identified by '123456'; #再授权一个能远程连接mysql的root密码
3)将项目代码提交的git仓库中:
在git机器上创建项目仓库:
[root@localhost ~]# su - git
[git@localhost ~]$ mkdir java-demo.git
[git@localhost ~]$ cd java-demo.git/
[git@localhost java-demo.git]$ ls
[git@localhost java-demo.git]$ git --bare init
Initialized empty Git repository in /home/git/java-demo.git/
[git@localhost java-demo.git]$ ls
branches config description HEAD hooks info objects refs
将master上上传的项目代码提交的git仓库中:
[root@k8s-master ~]# cd java-demo
[root@k8s-master java-demo]# cat .git/config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = [email protected]:/home/git/java-demo.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
[root@k8s-master java-demo]# ls
db deploy.yml LICENSE pom.xml README.md src
[root@k8s-master java-demo]# git add .
[root@k8s-master java-demo]# git commit -m "test"
[root@k8s-master java-demo]# git remote -v
origin [email protected]:/home/git/java-demo.git (fetch)
origin [email protected]:/home/git/java-demo.git (push)
[root@k8s-master java-demo]# git push origin master
4)配置jenkins连接docker-harbor和githarbor的认证并自动生成一个id值,作为绑定,在pipeliene中用该id做访问认证
(1)Jenkins中生成连接到docker-harbor的id:
Jenkins中保存连接到docker-harbor的用户名和密码到jenkins中,并返回一个id供pipeline使用:
点击凭据——系统——全局凭据,点击添加凭据,
输入docker-harbor的用户名和密码admin/Harbor12345,id一会保存后会自动生成一个id,将该id粘贴到pipeline脚本中作为认证harbor的id
记录下jenkins登录认证docker-harbor的id: f9cd4ec2-138b-44b8-97f9-d28ed495e620
(2)找到Jenkins中生成连接到git的id:(之前测试拉取git代码时候连接git的凭据id),供pipeline脚本连接git认证使用
连接git的id为: 8ce9e95b-c0a1-4af6-9a86-9b54500745b4
(3)将凭据绑定在变量中: pipeline中第3步骤构建时候,将用户名
在pipeline语法中生成:将变量和凭据绑定:
上面解释: 变量username和变量password通过harbor-auth这个凭据来生成,点击生成语法后结果为: password用passwordVariable来保存,username用usernameVariable来保存。
这样就可以通过变量username和password来使用凭据harbor-auth能登录认证docker-harbor了。
4)Jenkins构建任务时,手动设置拉取代码的分支控制:pipeline中分支变量,是通过手动传入的分支控制的
选择pipeline的相关任务,如下:
在配置中,点击参数化构建过程,选择字符参数,如下:
定义pipeline脚本中的变量Branch和其值master,即可手工传入或选择默认的分支master,再在下面编写pipeline的ci流程脚本:
pipeline的脚本内容如下:
// 公共
def registry = "192.168.171.131"
// 项目
def project = "welcome"
def app_name = "demo"
def image_name = "${registry}/${project}/${app_name}:${BUILD_NUMBER}"
def git_address = "[email protected]:/home/git/java-demo.git"
// 认证
def secret_name = "registry-pull-secret"
def docker_registry_auth = "f9cd4ec2-138b-44b8-97f9-d28ed495e620"
def git_auth = "8ce9e95b-c0a1-4af6-9a86-9b54500745b4"
def k8s_auth = "e692ef4e-eb69-45a3-b976-0ffe60abaf68"
node {
// 第一步
stage('拉取代码'){
checkout([$class: 'GitSCM', branches: [[name: '${Branch}']], userRemoteConfigs: [[credentialsId: "${git_auth}", url: "${git_address}"]]])
}
// 第二步
stage('代码编译'){
sh "mvn clean package -Dmaven.test.skip=true"
sh "ls"
}
// 第三步
stage('构建镜像'){
withCredentials([usernamePassword(credentialsId: "${docker_registry_auth}", passwordVariable: 'password', usernameVariable: 'username')]) {
sh """
echo '
FROM lizhenliang/tomcat
RUN rm -rf /usr/local/tomcat/webapps/*
ADD target/*.war /usr/local/tomcat/webapps/ROOT.war
' > Dockerfile
ls
ls target
docker build -t ${image_name} .
docker login -u ${username} -p '${password}' ${registry}
docker push ${image_name}
"""
}
}
// 第四步
stage('部署到K8S平台'){
//模拟部署到k8s,因为k8s的认证kubeconfig和绑定凭据不知道怎么生成和添加,下面暂时用不了
sh "echo deploy to k8s success"
// sed -i 's#\$IMAGE_NAME#${image_name}#' deploy.yml
// sed -i 's#\$SECRET_NAME#${secret_name}#' deploy.yml
// """
// kubernetesDeploy configs: 'deploy.yml', kubeconfigId: "${k8s_auth}"
}
}
点击save,如下:
点击立即构建,如下:
选择要部署的分支:master,点击Build,如下:
查看日志:
7.将ci阶段构建生成的镜像手动在k8s-master中将应用部署到k8s平台:
1)从上面日志中可以看到:ci生成的镜像是: 192.168.171.131/welcome/demo:2
到docker-harbor仓库中查看:
2)使用ci构建的镜像部署项目到k8s平台:
[root@k8s-master ~]# ls java-demo/deploy.yml
java-demo/deploy.yml
[root@k8s-master ~]# vim java-demo/deploy.yml (无状态,且代码都打包都镜像中了,不需要共享存储)
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
spec:
replicas: 3
selector:
matchLabels:
app: java-demo
template:
metadata:
labels:
app: java-demo
spec:
imagePullSecrets:
- name: registry-pull-secret
#- name: $SECRET_NAME
containers:
- name: tomcat
image: 192.168.171.131/welcome/demo:2
#image: $IMAGE_NAME
ports:
- containerPort: 8080
name: web
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 5
failureThreshold: 12
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 5
failureThreshold: 12
---
apiVersion: v1
kind: Service
metadata:
name: web
spec:
type: NodePort
selector:
app: java-demo
ports:
- protocol: TCP
port: 80
targetPort: 8080
nodePort: 30009
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: web
spec:
rules:
- host: java.example.com
http:
paths:
- path: /
backend:
serviceName: web
servicePort: 80
上面有一个secret:需要将docker-harbor的用户名和密码以secret方式挂载到里面实现harbor认证
[root@k8s-master ~]# kubectl create secret docker-registry registry-pull-secret --docker-username=admin --docker-password=Harbor12345 [email protected] --docker-server=192.168.171.131 #指定docker-harbor的地址创建secret
[root@k8s-master ~]# kubectl get secret |grep registry
registry-pull-secret kubernetes.io/dockerconfigjson 1 15s
[root@k8s-master ~]# kubectl apply -f java-demo/deploy.yml
[root@k8s-master ~]# kubectl get pod,svc -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/jenkins-master-78577cdf6c-clcdd 1/1 Running 0 4h11m 10.244.1.46 k8s-node2 <none> <none>
pod/web-9c888f756-5vdjv 1/1 Running 0 2m17s 10.244.0.68 k8s-node1 <none> <none>
pod/web-9c888f756-82tvd 1/1 Running 0 2m17s 10.244.1.47 k8s-node2 <none> <none>
pod/web-9c888f756-92npj 1/1 Running 0 2m17s 10.244.1.48 k8s-node2 <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/jenkins-master NodePort 10.0.0.64 <none> 8080:30006/TCP,50000:32224/TCP 19h name=jenkins-master
service/kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 60d <none>
service/web NodePort 10.0.0.223 <none> 80:30009/TCP 2m17s app=java-demo
部署好应用后访问:http://192.168.171.129:30009/ 或:http://192.168.171.130:30009/