如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)

精选原创

聊聊CICD的环境搭建以及一个基于Hexo的博客系统在CICD流程中的配置Demo
很早就想着写这样一篇博文,但是没有时间,之前写了一半,正好春节假期把剩下的一般写完.
本文属于Devpos实战类文章，基本没有理论，所有，小伙伴需要对devops有些基本的了解，
博文中讲的CICD属于Devops的一部分
当然小伙伴们也可以找一些云服务商提供的商业的Depops平台去学习，一般有免费的体验，比如华为云的软开云平台。
博文涉及内容:

Gitlab+Jenkins+Docker+Harbor+K8S集群 的CICD搭建教程
在搭建好的CICD平台上持续集成部署hexo博客系统，Demo有些简陋，仅用于学习。

其中Gitlab+Jenkins +Harbor都是通过容器化部署
篇幅有限，关于CD环境k8s集群这里用之前部署好的，并且已经做了kubeconfig证书,关于这方便感兴趣小伙伴可以看看我之前的文章
下面为涉及到的机器：

用到的机器
	192.168.26.1	本地物理机:
Gitlab+Jenkins+Docker	192.168.26.55	虚机：liruilongs.github.io
docker镜像仓库:harbor	192.168.26.56	虚机：vms56.liruilongs.github.io
k8s集群-master节点	192.168.26.81	虚机：vms81.liruilongs.github.io
k8s集群-node节点	192.168.26.82	虚机：vms82.liruilongs.github.io
k8s集群-node节点	192.168.26.83	虚机：vms83.liruilongs.github.io

这里客户机用本地的IDE持续编码，然后push代码到gitlab，gitlab中的web钩子触发jenkins中配置好的构建触发器，通过shell命令拉取gitlab仓库中的代码，然后通过拉取的应用源码和Dockerfile文件来构建应用镜像，构建完成后将应用镜像push到harbor私有镜像仓库，然后通过shell命令的方式在jenkins中用kubelet客户端将镜像从私有仓库拉取到k8s集群并更新其deploy中的镜像,默认deploy更新副本的方式为滚动更新，整个流程中，只有客户机push代码是手手动的方式，其他全是自动

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_jenkins

上帝借由各种途径使人变得孤独，好让我们可以走向自己。 ——赫尔曼·黑塞《德米安》

一、CICD服务器环境搭建

CI即为持续集成(Continue Integration,简称CI)，用通俗的话讲，就是持续的整合版本库代码编译后制作应用镜像。建立有效的持续集成环境可以减少开发过程中一些不必要的问题、提高代码质量、快速迭代等,

常用的工具和平台有:

Jenkins:基于Java开发的一种持续集成工具,用于监控持续重复的工作,旨在提供一个开放易用的软件平台,使软件的持续集成变成可能。
Bamboo: 是一个企业级商用软件,可以部署在大规模生产环境中。

CD即持续交付Continuous Delivery和持续部署Continuous Deployment，用通俗的话说，即可以持续的部署到生产环境给客户使用，这里分为两个阶段，持续交付我理解为满足上线条件的过程，但是没有上线，持续部署，即为上线应用的过程

关于CD环境，我们使用以前搭建好的K8s集群，K8s集群可以实现应用的健康检测，动态扩容，滚动更新等优点，关于K8s集群的搭建，小伙伴可以看看我的其他文章

我们来搭建CI服务器:操作服务器： liruilongs.github.io：192.168.26.55

docker 环境安装

拉取镜像，启动并设置开机自启

┌──[[email protected]]-[~]
└─$ yum -y install docker-ce
┌──[[email protected]]-[~]
└─$ systemctl enable docker --now

配置docker加速器

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://2tefyfv7.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

1.安装GitLab 并配置

GitLab 不多介绍。一个基于Git的版本控制平台，,提供了Git仓库管理、代码审查、问题跟踪、活动反馈和wiki，当然同时也提供了

┌──[[email protected]]-[~]
└─$ docker pull beginor/gitlab-ce

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_云原生_02

创建共享卷目录

┌──[[email protected]]-[~]
└─$ mkdir -p /data/gitlab/etc/ /data/gitlab/log /data/gitlab/data
┌──[[email protected]]-[~]
└─$ chmod 777 /data/gitlab/etc/ /data/gitlab/log /data/gitlab/data

创建 gitlab 容器

┌──[[email protected]]-[~]
└─$ docker run -itd --name=gitlab --restart=always --privileged=true -p 8443:443 -p 80:80 -p 222:22 -v /data/gitlab/etc:/etc/gitlab -v /data/gitlab/log:/var/log/gitlab -v /data/gitlab/data:/var/opt/gitlab beginor/gitlab-ce
acc95b2896e8475915275d5eb77c7e63f63c31536432b68508f2f216d4fec634
┌──[[email protected]]-[~]
└─$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
acc95b2896e8 beginor/gitlab-ce "/assets/wrapper" 53 seconds ago Up 51 seconds (health: starting) 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:222->22/tcp, :::222->22/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp gitlab
┌──[[email protected]]-[~]
└─$
┌──[[email protected]]-[~]
└─$#

切记:这里的端口要设置成80，要不push项目会提示没有报错，如果宿主机端口被占用，需要把这个端口腾出来

关闭容器修改配置文件

┌──[[email protected]]-[~]
└─$ docker stop gitlab
gitlab

external_url 'http://192.168.26.55’

┌──[[email protected]]-[~]
└─$ cat /data/gitlab/etc/gitlab.rb | grep external_url
##! For more details on configuring external_url see:
# external_url 'GENERATED_EXTERNAL_URL'
# registry_external_url 'https://registry.gitlab.example.com'
# pages_external_url "http://pages.example.com/"
# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4'
# mattermost_external_url 'http://mattermost.example.com'
┌──[[email protected]]-[~]
└─$ sed -i "/external_url 'GENERATED_EXTERNAL_URL'/a external_url\t'http://192.168.26.55' " /data/gitlab/etc/gitlab.rb
┌──[[email protected]]-[~]
└─$ cat /data/gitlab/etc/gitlab.rb | grep external_url
##! For more details on configuring external_url see:
# external_url 'GENERATED_EXTERNAL_URL'
external_url 'http://192.168.26.55'
# registry_external_url 'https://registry.gitlab.example.com'
# pages_external_url "http://pages.example.com/"
# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4'
# mattermost_external_url 'http://mattermost.example.com'
┌──[[email protected]]-[~]
└─$

gitlab_rails[‘gitlab_ssh_host’] = '192.168.26.55’

┌──[[email protected]]-[~]
└─$ cat /data/gitlab/etc/gitlab.rb | grep gitlab_ssh_host
# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'
┌──[[email protected]]-[~]
└─$ sed -i "/gitlab_ssh_host/a gitlab_rails['gitlab_ssh_host'] = '192.168.26.55' " /data/gitlab/etc/gitlab.rb
┌──[[email protected]]-[~]
└─$ cat /data/gitlab/etc/gitlab.rb | grep gitlab_ssh_host
# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'
gitlab_rails['gitlab_ssh_host'] = '192.168.26.55'
┌──[[email protected]]-[~]
└─$

gitlab_rails[gitlab_shell_ssh_port] = 222

┌──[[email protected]]-[~]
└─$ cat /data/gitlab/etc/gitlab.rb | grep gitlab_shell_ssh
# gitlab_rails['gitlab_shell_ssh_port'] = 22
┌──[[email protected]]-[~]
└─$ sed -i "/gitlab_shell_ssh_port/a gitlab_rails['gitlab_shell_ssh_port'] = 222" /data/gitlab/etc/gitlab.rb
┌──[[email protected]]-[~]
└─$ cat /data/gitlab/etc/gitlab.rb | grep gitlab_shell_ssh
# gitlab_rails['gitlab_shell_ssh_port'] = 22
gitlab_rails[gitlab_shell_ssh_port] = 222
┌──[[email protected]]-[~]
└─$

┌──[[email protected]]-[~]
└─$ vim /data/gitlab/data/gitlab-rails/etc/gitlab.yml
┌──[[email protected]]-[~]
└─$
##############################
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
host: 192.168.26.55
port: 80
https: false

修改完配置文件之后。直接启动容器

┌──[[email protected]]-[~]
└─$ docker start gitlab

在宿主机所在的物理机访问，http://192.168.26.55/ ，会自动跳转到修改密码(root用户),如果密码设置的没有满足一定的复杂性，则会报500，需要从新设置

登录进入仪表盘

然后我们简单测试一下，push一个项目上去,这里的项目是一个基于hexo的博客系统

项目成功上传Gitlab

2.安装配置远程镜像仓库harbor

下面我们要配置私有的docker镜像仓库，用到的机器为：

操作服务器:vms56.liruilongs.github.io:192.168.26.56

这里仓库我们选择harbor，因为有web页面，当然也可以使用 registry

harbor的配置

harbor的安装使用步骤

安装并启动docker并安装docker-compose

上传harbor的离线包

导入harbor的镜像

编辑harbor.yml

修改hostname 为自己的主机名,不用证书需要注释掉https

harbor_admin_password 登录密码

安装compose

运行脚本 ./install.sh

在浏览器里输入IP访问

docker login IP --家目录下会有一个.docker文件夹

下面我们开始安装

首先需要设置selinux、防火墙

┌──[[email protected]]-[~]
└─#getenforce
Disabled

┌──[[email protected]]-[~]
└─#systemctl disable firewalld.service --now
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

安装并启动docker并安装docker-compose，关于docker-compose，这里不用了解太多，一个轻量的docker编排工具

┌──[[email protected]]-[~]
└─#yum install -y docker-ce
┌──[[email protected]]-[~]
└─#yum install -y docker-compose

解压harbor 安装包：harbor-offline-installer-v2.0.6.tgz，导入相关镜像

┌──[[email protected]]-[/]
└─#ls
bin dev harbor-offline-installer-v2.0.6.tgz lib machine-id mnt proc run srv tmp var
boot etc home lib64 media opt root sbin sys usr
┌──[[email protected]]-[/]
└─#tar zxvf harbor-offline-installer-v2.0.6.tgz
harbor/harbor.v2.0.6.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
┌──[[email protected]]-[/]
└─#docker load -i harbor/harbor.v2.0.6.tar.gz

修改配置文件

┌──[[email protected]]-[/]
└─#cd harbor/
┌──[[email protected]]-[/harbor]
└─#ls
common.sh harbor.v2.0.6.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
┌──[[email protected]]-[/harbor]
└─#cp harbor.yml.tmpl harbor.yml
┌──[[email protected]]-[/harbor]
└─#ls
common.sh harbor.v2.0.6.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
┌──[[email protected]]-[/harbor]
└─#vim harbor.yml
┌──[[email protected]]-[/harbor]
└─#

harbor.yml：设置IP和用户名密码

4 # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
5 hostname: 192.168.26.56
6
7 # http related config
.......
12 # https related config
13 #https:
14 # https port for harbor, default is 443
15 # port: 443
16 # The path of cert and key files for nginx
17 # certificate: /your/certificate/path
18 # private_key: /your/private/key/path
....
33 # Remember Change the admin password from UI after launching Harbor.
34 harbor_admin_password: Harbor12345
35
36 # Harbor DB configuration

./prepare && ./install.sh

┌──[[email protected]]-[/harbor]
└─#./prepare
prepare base dir is set to /harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

┌──[[email protected]]-[/harbor]
└─#./install.sh

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.9

[Step 1]: checking docker-compose is installed ...

Note: stopping existing Harbor instance ...
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-core ... done
Removing registry ... done
Creating harbor-log ... done
Removing harbor-portal ... done
Removing redis ... done
Removing network harbor_harbor

Creating registry ... done
Creating harbor-core ... done
Creating network "harbor_harbor" with the default driver
Creating nginx ... done
Creating redis ...
Creating registry ...
Creating harbor-portal ...
Creating registryctl ...
Creating harbor-db ...
Creating harbor-core ...
Creating harbor-jobservice ...
Creating nginx ...
✔ ----Harbor has been installed and started successfully.----
┌──[[email protected]]-[/harbor]
└─#

查看相关的镜像

┌──[[email protected]]-[/harbor]
└─#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS
PORTS NAMES
0efcf7b83dcf goharbor/nginx-photon:v2.0.6 "nginx -g 'daemon of…" 16 minutes ago Up 16 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
ee9d418c7cee goharbor/harbor-jobservice:v2.0.6 "/harbor/entrypoint.…" 16 minutes ago Up 16 minutes (healthy) harbor-jobservice
6052c481dbd0 goharbor/harbor-core:v2.0.6 "/harbor/entrypoint.…" 16 minutes ago Up 16 minutes (healthy) harbor-core
001ff83b037d goharbor/harbor-db:v2.0.6 "/docker-entrypoint.…" 17 minutes ago Up 16 minutes (healthy) 5432/tcp harbor-db
2ebc81356ef1 goharbor/harbor-registryctl:v2.0.6 "/home/harbor/start.…" 17 minutes ago Up 16 minutes (healthy) registryctl
6ca721c0fa75 goharbor/harbor-portal:v2.0.6 "nginx -g 'daemon of…" 17 minutes ago Up 16 minutes (healthy) 8080/tcp harbor-portal
2b06e2cf91ab goharbor/registry-photon:v2.0.6 "/home/harbor/entryp…" 17 minutes ago Up 16 minutes (healthy) 5000/tcp registry
2292a20780e2 goharbor/redis-photon:v2.0.6 "redis-server /etc/r…" 17 minutes ago Up 16 minutes (healthy) 6379/tcp redis
a0e3e49cf9db goharbor/harbor-log:v2.0.6 "/bin/sh -c /usr/loc…" 17 minutes ago Up 17 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
┌──[[email protected]]-[/harbor]
└─#

访问测试

harbor

CI服务器的docker配置

这里因为我们要在192.168.26.55(CI服务器)上push镜像到192.168.26.56(私仓)，所有需要修改CI服务器上的Docker配置。添加仓库地址

操作服务器： liruilongs.github.io：192.168.26.55

┌──[[email protected]]-[~]
└─$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://2tefyfv7.mirror.aliyuncs.com"]
}
┌──[[email protected]]-[~]
└─$ vim /etc/docker/daemon.json

修改后的配置文件

┌──[[email protected]]-[~]
└─$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://2tefyfv7.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.26.56"]

}

加载使其生效

┌──[[email protected]]-[~]
└─$ systemctl daemon-reload
┌──[[email protected]]-[~]
└─$ systemctl restart docker
┌──[[email protected]]-[~]

CI机器简单测试一下

┌──[[email protected]]-[~]
└─$ docker login 192.168.26.56
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
┌──[[email protected]]-[~]
└─$ docker tag busybox 192.168.26.56/demo/busybox
┌──[[email protected]]-[~]
└─$ docker push 192.168.26.56/demo/busybox
Using default tag: latest
The push refers to repository [192.168.26.56/demo/busybox]
cfd97936a580: Pushed
latest: digest: sha256:febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b size: 527
┌──[[email protected]]-[~]
└─$

push一个镜像，可以在私仓的web页面查看

harbor

到这里。我们配置了镜像仓库

3.安装配置jenkins

操作服务器： liruilongs.github.io：192.168.26.55

镜像jenkins拉取

┌──[[email protected]]-[~]
└─$ docker pull jenkins/jenkins:centos7-jdk8
。。。。。。
┌──[[email protected]]-[~]
└─$ docker history jenkins/jenkins:centos7-jdk8
IMAGE CREATED CREATED BY SIZE COMMENT
de64a05279ba 5 days ago LABEL org.opencontainers.image.vendor=Jenkin… 0B buildkit.dockerfile.v0
<missing> 5 days ago COPY install-plugins.sh /usr/local/bin/insta… 10.6kB buildkit.dockerfile.v0
。。。。。。。。。。
<missing> 5 days ago ARG JENKINS_HOME=/var/jenkins_home 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG agent_port=50000 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG http_port=8080 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG gid=1000 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG uid=1000 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG group=jenkins 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG user=jenkins 0B buildkit.dockerfile.v0
<missing> 5 days ago RUN |5 TARGETARCH=amd64 COMMIT_SHA=0b797f024… 10.4MB buildkit.dockerfile.v0
<missing> 5 days ago COPY git_lfs_pub.gpg /tmp/git_lfs_pub.gpg # … 62.5kB buildkit.dockerfile.v0
<missing> 5 days ago ARG GIT_LFS_VERSION=3.0.1 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG COMMIT_SHA 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG TARGETARCH 0B buildkit.dockerfile.v0
<missing> 5 days ago RUN |2 TARGETARCH=amd64 COMMIT_SHA=0b797f024… 426MB buildkit.dockerfile.v0
<missing> 5 days ago ARG COMMIT_SHA 0B buildkit.dockerfile.v0
<missing> 5 days ago ARG TARGETARCH 0B buildkit.dockerfile.v0
<missing> 5 days ago ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_AL… 0B buildkit.dockerfile.v0
<missing> 7 weeks ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B
<missing> 7 weeks ago /bin/sh -c #(nop) LABEL org.label-schema.sc… 0B
<missing> 7 weeks ago /bin/sh -c #(nop) ADD file:b3ebbe8bd304723d4… 204MB
┌──[[email protected]]-[~]
└─$

创建共享卷，修改所属组和用户,和容器里相同

这里为什么要改成 1000，是因为容器里是以 jenkins 用户的身份去读写数据，而在容器里jenkins 的 uid 是 1000，

┌──[[email protected]]-[~]
└─$ mkdir /jenkins && chown 1000:1000 /jenkins
┌──[[email protected]]-[~]
└─$ # 这里为什么要改成 1000，是因为容器里是以 jenkins 用户的身份去读写数据，而在容器里jenkins 的 uid 是 1000，

创建创建 jenkins 容器

┌──[[email protected]]-[~]
└─$ cat jenkins.docker.sh
docker run -dit -p 8080:8080 -p 50000:50000 --name jenkins --privileged=true --restart=always -v /jenkins:/var/jenkins_home jenkins/jenkins:centos7-jdk8
┌──[[email protected]]-[~]
└─$ docker run -dit -p 8080:8080 -p 50000:50000 --name jenkins --privileged=true --restart=always -v /jenkins:/var/jenkins_home jenkins/jenkins:centos7-jdk8
39afa098c8a56973ce1559d374b058b8e6091175b5b783d613a9f2e356827684
┌──[[email protected]]-[~]
└─$ docker ps | grep jenkins
39afa098c8a5 jenkins/jenkins:centos7-jdk8 "/sbin/tini -- /usr/…" 3 minutes ago Up 2 minutes 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:50000->50000/tcp, :::50000->50000/tcp jenkins

访问jenkins

先打开浏览器打开这个页面，让其初始化一下，直到看到界面

因为要修改 jenkins 的配置，所以此时关闭 jenkins 容器

┌──[[email protected]]-[~]
└─$ docker stop jenkins
jenkins

更换国内清华大学镜像,Jenkins下载插件特别慢，更换国内的清华源的镜像地址会快不少

┌──[[email protected]]-[~]
└─$ cat /jenkins/hudson.model.UpdateCenter.xml
<?xml version='1.1' encoding='UTF-8'?>
<sites>
<site>
<id>default</id>
<url>https://updates.jenkins.io/update-center.json</url>
</site>
</sites>
┌──[[email protected]]-[~]
└─$

┌──[[email protected]]-[~]
└─$ sed -i 's#updates.jenkins.io/update-center.json#mirrors.tuna.tsinghua.edu.cn/jenkins/updates/update-center.json#g ' /jenkins/hudson.model.UpdateCenter.xml
┌──[[email protected]]-[~]
└─$ cat /jenkins/hudson.model.UpdateCenter.xml
<?xml version='1.1' encoding='UTF-8'?>
<sites>
<site>
<id>default</id>
<url>https://mirrors.tuna.tsinghua.edu.cn/jenkins/updates/update-center.json</url>
</site>
</sites>┌──[[email protected]]-[~]
└─$

"http://www.google.com/" 替换为 "http://www.baidu.com/"

yum -y install jq
┌──[[email protected]]-[~]
└─$ cat /jenkins/updates/default.json | jq '.connectionCheckUrl'
"http://www.google.com/"
┌──[[email protected]]-[~]
└─$ cat /jenkins/updates/default.json | jq 'keys'
[
"connectionCheckUrl",
"core",
"deprecations",
"generationTimestamp",
"id",
"plugins",
"signature",
"updateCenterVersion",
"warnings"
]
┌──[[email protected]]-[~]
└─$ sed -i s#http://www.google.com/#http://www.baidu.com/#g /jenkins/updates/default.json

替换后查看

┌──[[email protected]]-[~]
└─$ cat /jenkins/updates/default.json | jq '.connectionCheckUrl'
"http://www.baidu.com/"
┌──[[email protected]]-[~]
└─$ cat /jenkins/updates/default.json | jq 'keys'
[
"connectionCheckUrl",
"core",
"deprecations",
"generationTimestamp",
"id",
"plugins",
"signature",
"updateCenterVersion",
"warnings"
]
┌──[[email protected]]-[~]
└─$

重启docker，获取登录密匙

┌──[[email protected]]-[~]
└─$ docker start jenkins
jenkins
┌──[[email protected]]-[~]
└─$
┌──[[email protected]]-[~]
└─$ cat /jenkins/secrets/initialAdminPassword
be15eaabc4c946de913dd5af8636cae9

需要修改jenkins绑定的docker的启动参数，ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H fd:// --containerd=/run/containerd/containerd.sock

修改镜像库启动参数后需要重启docker

┌──[[email protected]]-[~]
└─#systemctl daemon-reload
┌──[[email protected]]-[~]
└─#systemctl restart docker

安装 docker 插件

jenkins相关配置，这里的配置照着图片就好，需要配置一个docker集群供jenkins来根据Dockerfile构建镜像并push到私仓，这里docker集群即为CI服务器的docker

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_云原生_17

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_云原生_18

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_jenkins_19

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_ci/cd_20

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_kubernetes_21

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_ci/cd_22

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_devops_23

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_jenkins_24

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_ci/cd_25

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_云原生_26

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_云原生_27

修改镜像库启动参数，ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H fd:// --containerd=/run/containerd/containerd.sock

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_kubernetes_28

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_jenkins_29

关联docker和jenkins

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_devops_30

jenkins 安全设置

后面 gitlab 要和 jenkins 进行联动，所以必须要需要对 jenkins 的安全做一些设置，依次点击系统管理-全局安全配置-授权策略，勾选"匿名用户具有可读权限"

添加 JVM 运行参数 -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true 运行跨站请求访问

┌──[[email protected]]-[~]
└─$ docker exec -u root -it jenkins bash
[root@39afa098c8a5 /]# ls
anaconda-post.log bin dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
[root@39afa098c8a5 /]# vi /usr/local/bin/jenkins.sh
[root@39afa098c8a5 /]# exit
exit
┌──[[email protected]]-[~]
└─$

下载kubectl客户端工具

这里的话我们要通过jenkins上的kubectl客户端连接k8s,所以我们需要安装一个k8s的客户端kubectl，下载k8s客户端

wget https://storage.googleapis.com/kubernetes-release/release/v1.22.2/bin/linux/amd64/kubectl

┌──[[email protected]]-[~]
└─$ yum install -y kubectl-1.22.2-0 --disableexcludes=kubernetes

拷贝 kubeconfig 文件

然后拷贝kubeconfig 证书,k8s集群中查看证书位置,这里的证书是之前创建好的,小伙伴可以看看我之前的文章

┌──[[email protected]]-[~]
└─$ scp [email protected]:/root/ansible/k8s-rbac-create/kc1 .
Warning: Permanently added '192.168.26.81' (ECDSA) to the list of known hosts.
[email protected]'s password:
kc1 100% 5566 108.7KB/s 00:00

拷贝证书和k8s集群客户端工具到jenkins容器内

┌──[[email protected]]-[~]
└─$ docker cp kc1 jenkins:/
┌──[[email protected]]-[~]
└─$ docker cp kubectl jenkins:/
┌──[[email protected]]-[~]
└─$

kubectl命令测试

┌──[[email protected]]-[~]
└─$ docker exec -u root -it jenkins bash
[root@39afa098c8a5 /]# ls
anaconda-post.log bin dev etc home kc1 kubectl lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
[root@39afa098c8a5 /]# ./kubectl --kubeconfi=kc1 get pods -A
Error: unknown flag: --kubeconfi
See 'kubectl get --help' for usage.
[root@39afa098c8a5 /]# ./kubectl --kubeconfig=kc1 get pods -A
Error from server (Forbidden): pods is forbidden: User "liruilong" cannot list resource "pods" in API group "" at the cluster scope

发现没有权限，这里我们为了方便，直接赋予集群中的cluster-admin角色

┌──[[email protected]]-[~/ansible/k8s-rbac-create]
└─$kubectl create clusterrolebinding test --clusterrole=cluster-admin --user=liruilong
clusterrolebinding.rbac.authorization.k8s.io/test created
┌──[[email protected]]-[~/ansible/k8s-rbac-create]
└─$

命令测试没有问题

[root@39afa098c8a5 /]# ./kubectl --kubeconfig=kc1 get nodes
NAME STATUS ROLES AGE VERSION
vms81.liruilongs.github.io Ready control-plane,master 51d v1.22.2
vms82.liruilongs.github.io NotReady <none> 51d v1.22.2
vms83.liruilongs.github.io NotReady <none> 51d v1.22.2
[root@39afa098c8a5 /]#

二、hexo博客系统CICD实战

4. k8s集群中配置hexo生产环境高可用

我们要部署Nginx来运行hexo博客系统，hexo编译完后为一堆静态文件，所以我们需要创建一个svc和一个deploy，使用SVC提供服务，使用deploy提供服务能力,使用Nginx+hexo的静态文件构成的镜像

apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: nginx
name: nginxdep
spec:
replicas: 2
selector:
matchLabels:
app: nginx
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: nginx
spec:
containers:
- image: blog
name: web
resources:
requests:
cpu: 100m
restartPolicy: Always

deployments创建

这里我们先用一个Nginx镜像来代替hexo博客的镜像

┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl apply -f nginx.yaml
deployment.apps/nginxdep created

查看deployments和pod

┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl get deployments.apps | grep nginxdep
nginxdep 2/2 2 2 109s
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl get pods -o wide | grep web
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl get pods -o wide | grep nginxdep
nginxdep-645bf755b9-2w8jv 1/1 Running 0 2m22s 10.244.171.164 vms82.liruilongs.github.io <none> <none>
nginxdep-645bf755b9-jfqxj 1/1 Running 0 2m22s 10.244.171.157 vms82.liruilongs.github.io <none> <none>
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$

service创建

┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl expose deploy nginxdep --port=8888 --target-port=80 --type=NodePort
service/nginxdep exposed
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl get svc -o wide | grep nginxdep
nginxdep NodePort 10.106.217.50 <none> 8888:31964/TCP 16s app=nginx

访问测试没有问题，之后我们配置好jenkins上的触发器，直接替换就OK

┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$curl 127.0.0.1:31964
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$

5.k8s集群配置私仓地址

我们通过kubectl set命令更新deploy的镜像时，获取的镜像是通过私仓获取的，所以需要在启动参数添加私仓地址

ExecStart=/usr/bin/dockerd --insecure-registry 192.168.26.56 -H fd:// --containerd=/run/containerd/containerd.sock

这里所有的节点都需要设置后重启docker

┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$vim /usr/lib/systemd/system/docker.service
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$systemctl daemon-reload ;systemctl restart docker &
[1] 23273
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$ssh [email protected]
Last login: Sun Jan 16 06:09:07 2022 from 192.168.26.1
┌──[[email protected]]-[~]
└─$vim /usr/lib/systemd/system/docker.service
┌──[[email protected]]-[~]
└─$systemctl daemon-reload ;systemctl restart docker &
[1] 26843
┌──[[email protected]]-[~]
└─$exit
登出
Connection to 192.168.26.82 closed.

6.jenkins配置CICD流程

访问jenkins，接下来才是重点，我们要的jenkins上配置整个CICD流程，从而实现自动化

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_kubernetes_35

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_云原生_36

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_kubernetes_37

这里的Token我们设置为：4bf636c8214b7ff0a0fb，同时需要记住访问方式：JENKINS_URL/job/liruilong-cicd/build?token=TOKEN_NAME

构建触发器选择shell构建：克隆代码

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_jenkins_38

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_kubernetes_39

选择镜像构建

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_kubernetes_40

构建镜像并push私仓

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_云原生_41

这里切记需要添加私仓的认证信息，即上面设置的用户名和密码

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_云原生_42

选择shell构建，更新镜像

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_ci/cd_44

相关的文本信息

cd ~
rm -rf blog
git clone http://192.168.26.55/root/blog.git

/var/jenkins_home/blog/

192.168.26.56/library/blog:${BUILD_NUMBER}

export KUBECONFIG=/kc1;
/kubectl set image deployment/nginxdep *="192.168.26.56/library/blog:${BUILD_NUMBER}" -n kube-system

7.配置 gitlab 和 jenkins 的联动

访问gitlab配置联动

点击增加web钩子

/view/all/job/liruilong-cicd/build?token=

到这里,联动已经配置完成

8.编写Dockerfile文件，更新代码测试

下面我们编译一下hexo，生成public的一个文件夹,然后上传gitlab

PS F:\blogger> hexo g
.....
PS F:\blogger> git add .\public\
PS F:\blogger> git commit -m "编译代码"
PS F:\blogger> git push

同时需要编写Dockerfile文件来创建镜像

FROM docker.io/library/nginx:latest
MAINTAINER liruilong
ADD ./public/ /usr/share/nginx/html/
EXPOSE 80
CMD ["nginx", "-g","daemon off;"]

PS F:\blogger> git add .
PS F:\blogger> git commit -m "Dockcerfile文件编写"
[master 217e0ed] Dockcerfile文件编写
1 file changed, 1 deletion(-)
PS F:\blogger> git push
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 307 bytes | 307.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0)
To http://192.168.26.55/root/blog.git
6690612..217e0ed master -> master
PS F:\blogger>

jenkins输出

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集成部署Hexo博客Demo)_kubernetes_52

Started by remote host 192.168.26.1
Running as SYSTEM
Building in workspace /var/jenkins_home/workspace/liruilong-cicd
[liruilong-cicd] $ /bin/sh -xe /tmp/jenkins6108687102523328796.sh
+ cd /var/jenkins_home
+ rm -rf blog
+ git clone http://192.168.26.55/root/blog.git
Cloning into 'blog'...
Docker Build
Docker Build: building image at path /var/jenkins_home/blog
Step 1/5 : FROM docker.io/library/nginx:latest

---> f8f4ffc8092c

Step 2/5 : MAINTAINER liruilong

---> Running in e341b5562b64

Removing intermediate container e341b5562b64

---> 4e9f5aa47ab5

Step 3/5 : ADD ./public/ /usr/share/nginx/html/

---> 3956cff32507

Step 4/5 : EXPOSE 80

---> Running in b4c27124989d

Removing intermediate container b4c27124989d

---> ba9d1764d764

Step 5/5 : CMD ["nginx", "-g","daemon off;"]

---> Running in 61dca01a4883

Removing intermediate container 61dca01a4883

---> 2aadc5732a60

Successfully built 2aadc5732a60

Tagging built image with 192.168.26.56/library/blog:41
Docker Build Response : 2aadc5732a60
Pushing [192.168.26.56/library/blog:41]
The push refers to repository [192.168.26.56/library/blog]
89570901cdea: Preparing
65e1ea1dc98c: Preparing
88891187bdd7: Preparing
6e109f6c2f99: Preparing
0772cb25d5ca: Preparing
525950111558: Preparing
476baebdfbf7: Preparing
525950111558: Waiting
476baebdfbf7: Waiting
88891187bdd7: Layer already exists
6e109f6c2f99: Layer already exists
65e1ea1dc98c: Layer already exists
0772cb25d5ca: Layer already exists
89570901cdea: Pushing [> ] 301.6kB/28.75MB
89570901cdea: Pushing [==> ] 1.193MB/28.75MB
476baebdfbf7: Layer already exists
525950111558: Layer already exists
89570901cdea: Pushing [======> ] 3.917MB/28.75MB
89570901cdea: Pushing [==========> ] 5.996MB/28.75MB
89570901cdea: Pushing [==============> ] 8.097MB/28.75MB
89570901cdea: Pushing [==================> ] 10.76MB/28.75MB
89570901cdea: Pushing [=====================> ] 12.57MB/28.75MB
89570901cdea: Pushing [========================> ] 13.8MB/28.75MB
89570901cdea: Pushing [=========================> ] 14.71MB/28.75MB
89570901cdea: Pushing [===========================> ] 15.59MB/28.75MB
89570901cdea: Pushing [=============================> ] 16.79MB/28.75MB
89570901cdea: Pushing [===============================> ] 18.27MB/28.75MB
89570901cdea: Pushing [=================================> ] 19.45MB/28.75MB
89570901cdea: Pushing [===================================> ] 20.34MB/28.75MB
89570901cdea: Pushing [=====================================> ] 21.55MB/28.75MB
89570901cdea: Pushing [=======================================> ] 22.44MB/28.75MB
89570901cdea: Pushing [=========================================> ] 23.64MB/28.75MB
89570901cdea: Pushing [==========================================> ] 24.52MB/28.75MB
89570901cdea: Pushing [============================================> ] 25.42MB/28.75MB
89570901cdea: Pushing [==============================================> ] 26.61MB/28.75MB
89570901cdea: Pushing [===============================================> ] 27.19MB/28.75MB
89570901cdea: Pushing [=================================================> ] 28.69MB/28.75MB
89570901cdea: Pushing [==================================================>] 29.32MB
89570901cdea: Pushed
41: digest: sha256:c90b64945a8d063f7bcdcc39f00f91b6d83acafcd6b2ec6aba5b070474bafc37 size: 1782
Cleaning local images [2aadc5732a60]
Docker Build Done
[liruilong-cicd] $ /bin/sh -xe /tmp/jenkins246013519648603221.sh
+ export KUBECONFIG=/kc1
+ KUBECONFIG=/kc1
+ /kubectl set image deployment/nginxdep '*=192.168.26.56/library/blog:41' -n kube-system
deployment.apps/nginxdep image updated
Finished: SUCCESS

9.访问hexo博客系统

┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl get deployments.apps | grep nginxdep
nginxdep 2/2 2 2 30h
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl get pods -o wide | grep nginxdep
nginxdep-bddfd9b5f-94d88 1/1 Running 0 110s 10.244.171.142 vms82.liruilongs.github.io <none> <none>
nginxdep-bddfd9b5f-z57qc 1/1 Running 0 35m 10.244.171.177 vms82.liruilongs.github.io <none> <none>
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl get svc -o wide | grep nginxdep
nginxdep NodePort 10.106.217.50 <none> 8888:31964/TCP 30h app=nginx
┌──[[email protected]]-[~/ansible/k8s-deploy-create]
└─$kubectl describe pods nginxdep-bddfd9b5f-94d88
Name: nginxdep-bddfd9b5f-94d88
Namespace: kube-system
Priority: 0
Node: vms82.liruilongs.github.io/192.168.26.82
Start Time: Fri, 04 Feb 2022 03:11:14 +0800
Labels: app=nginx
pod-template-hash=bddfd9b5f
Annotations: cni.projectcalico.org/podIP: 10.244.171.142/32
cni.projectcalico.org/podIPs: 10.244.171.142/32
Status: Running
IP: 10.244.171.142
IPs:
IP: 10.244.171.142
Controlled By: ReplicaSet/nginxdep-bddfd9b5f
Containers:
web:
Container ID: docker://669f48cb626d5067f40bb1aaa378268a7ee9879488b0b298a86271957c162316
Image: 192.168.26.56/library/blog:41
Image ID: docker-pullable://192.168.26.56/library/blog@sha256:c90b64945a8d063f7bcdcc39f00f91b6d83acafcd6b2ec6aba5b070474bafc37
Port: <none>
Host Port: <none>
State: Running
Started: Fri, 04 Feb 2022 03:11:15 +0800
Ready: True
Restart Count: 0
Requests:
cpu: 100m
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-trn5n (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-trn5n:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 4m10s default-scheduler Successfully assigned kube-system/nginxdep-bddfd9b5f-94d88 to vms82.liruilongs.github.io
Normal Pulling 4m9s kubelet Pulling image "192.168.26.56/library/blog:41"
Normal Pulled 4m9s kubelet Successfully pulled image "192.168.26.56/library/blog:41" in 67.814838ms
Normal Created 4m9s kubelet Created container web
Normal Started 4m9s kubelet Started container web

访问hexo博客系统

如何搭建自己的CI/CD平台:Gitlab+Jenkins+Docker+Harbor+K8s集群搭建CICD平台(持续集...