创建docker 认证

一 首先在初始化的时候需要注意

apiserver-cert-extra-sans:为 apiserver 证书追加额外的 SAN(Subject Alternative Name),这里填外网地址,这样通过外网地址访问 apiserver 时证书校验才能通过
apiserver-advertise-address:apiserver 对外通告的地址,这里填内网地址

1 初始化时加上公网IP,这样外部的 jenkins 才能与它通信。注意这会让 apiserver 的 6443 端口经公网可达,建议用安全组或防火墙只放行 jenkins 所在机器的IP。

# Bootstrap the control plane.
# --apiserver-advertise-address is the node's private address; the extra SAN
# adds the public address to the API server certificate so that clients which
# connect through it pass TLS verification. 公网IP is a placeholder for that
# public address.
# NOTE(review): v1.15.0 is long out of upstream support - confirm the version
# before reusing this command.
kubeadm init \
  --apiserver-advertise-address=172.29.251.182 \
  --image-repository registry.aliyuncs.com/google_containers \
  --kubernetes-version v1.15.0 \
  --service-cidr=10.1.0.0/16 \
  --pod-network-cidr=10.244.0.0/16 \
  --apiserver-cert-extra-sans 公网IP

二 根据jenkins所安装的环境或机器,所对应的pipeline脚本也不一样

1 如果jenkins安装在k8s之外,并且不能进行内网通信

serverUrl 这里要指定外网ip

// Registry host and namespace the image is pushed to
def registry = 'registry.cn-beijing.aliyuncs.com/settlement-test'
// Project name, used as the image repository name
def project = 'settlement'

// Full image reference, tagged with the Jenkins build number
def image_name = "${registry}/${project}:${BUILD_NUMBER}"
def settlement_git = 'https://gitee.com/huningfei/settlement.git'
def settlementCore_git = 'https://gitee.com/huningfei/settlementCore.git'
// Authentication
// secret_name is substituted for $SECRET_NAME in the manifest by the deploy stage.
def secret_name = 'registry-harbor'
// The two values below are passed as credentialsId: they are IDs of entries in
// the Jenkins credentials store, not the secrets themselves.
def docker_registry_auth = 'e8b4e1e8-edf9-429e-9f9c-d09305f02b15'
def git_auth = 'e043a097-5ad8-4ec4-a2d9-df27e8debfc4'



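  // Scripted pipeline for a Jenkins that runs outside the cluster and reaches
  // the API server through its public address (serverUrl below).
  node() {
      // Step 1: check out the source.
      // '${Branch}' is single-quoted, so Groovy passes it through literally;
      // presumably the Git plugin expands it from a job parameter - confirm.
      stage('拉取代码') {
          checkout([
              $class: 'GitSCM',
              branches: [[name: '${Branch}']],
              userRemoteConfigs: [[credentialsId: "${git_auth}", url: "${settlement_git}"]]
          ])
      }
      // Step 2: compile and package.
      // NOTE(review): -Dmaven.test.skip=true skips the tests, and the image built
      // below starts with the prod profile - confirm tests run somewhere else.
      stage('代码编译') {
          sh 'mvn clean install -Dmaven.test.skip=true'
      }
      // Step 3: build and push the image.
      stage('构建镜像') {
          withCredentials([usernamePassword(credentialsId: "${docker_registry_auth}", passwordVariable: 'password', usernameVariable: 'username')]) {
              // The shell script is a single-quoted Groovy string on purpose: the
              // credentials are expanded by the shell from the environment that
              // withCredentials provides, not interpolated by Groovy into the
              // script text. The password goes to docker login on stdin instead
              // of -p, so it is not on the docker command line and a quote
              // character inside it cannot break the command.
              // The image name is not a secret; it is handed over through withEnv.
              // NOTE(review): the java:8 base image is deprecated on Docker Hub and
              // the container runs as the image's default user - consider a
              // maintained base image and a non-root USER.
              withEnv(["IMAGE_NAME=${image_name}"]) {
                  sh '''
                    echo '
                      FROM java:8
                      WORKDIR /root/.jenkins/jobs/docker-pipline
                      COPY target/settlement.jar  /settlement.jar
                      CMD java -jar /settlement.jar --spring.profiles.active=prod
                    ' > Dockerfile
                    docker build -t "$IMAGE_NAME" .
                    printf '%s' "$password" | docker login -u "$username" --password-stdin registry.cn-beijing.aliyuncs.com
                    docker push "$IMAGE_NAME"
                  '''
              }
          }
      }
      // Step 4: deploy to the cluster.
      stage('部署到K8S平台') {
          // The CA certificate body is not shown on this page; the placeholder
          // below stands for the PEM body of the cluster CA.
          kubeconfig(caCertificate: '''-----BEGIN CERTIFICATE-----<CA_CERTIFICATE_BODY_PLACEHOLDER>-----END CERTIFICATE-----''', credentialsId: '72520351-5755-4e6c-a62e-403ca44315ef', serverUrl: 'https://182.92.204.13:6443') {
              // \$ keeps $IMAGE_NAME / $SECRET_NAME literal for sed; only the
              // replacement values are interpolated by Groovy. Both come from
              // constants and BUILD_NUMBER, not from user input.
              // NOTE(review): this pipeline edits deploy.yaml while the other
              // pipeline and the manifest section use deploy.yml - confirm the
              // file name in the repository.
              sh "sed -i 's#\$IMAGE_NAME#${image_name}#' deploy.yaml"
              sh "sed -i 's#\$SECRET_NAME#${secret_name}#' deploy.yaml"
              sh 'kubectl apply -f deploy.yaml'
          }
      }
  }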

2 第二种情况是jenkins安装在k8s之内,或者是master,node节点,可以和master进行内网通信

// Registry host and namespace the image is pushed to
def registry = 'registry.cn-beijing.aliyuncs.com/settlement-test'
// Project name, used as the image repository name
def project = 'settlement'

// Full image reference, tagged with the Jenkins build number
def image_name = "${registry}/${project}:${BUILD_NUMBER}"
def settlement_git = 'https://gitee.com/huningfei/settlement.git'
def settlementCore_git = 'https://gitee.com/huningfei/settlementCore.git'
// Authentication
// secret_name is substituted for $SECRET_NAME in the manifest by the deploy stage.
def secret_name = 'registry-harbor'
// docker_registry_auth and git_auth are passed as credentialsId: they are IDs
// of entries in the Jenkins credentials store, not the secrets themselves.
def docker_registry_auth = '2c991e24-dd31-4083-b469-1da9c05579f2'
def git_auth = 'e043a097-5ad8-4ec4-a2d9-df27e8debfc4'
// NOTE(review): k8s_auth is not referenced by the pipeline shown below.
def k8s_auth = '4bb069f6-36ce-4257-bef3-1c3b2c86ceee'


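  // Scripted pipeline for a Jenkins that runs inside the cluster network (in
  // k8s, or on a master/node machine) and can reach the API server directly.
  node() {
      // Step 1: check out the source.
      // '${Branch}' is single-quoted, so Groovy passes it through literally;
      // presumably the Git plugin expands it from a job parameter - confirm.
      stage('拉取代码') {
          checkout([
              $class: 'GitSCM',
              branches: [[name: '${Branch}']],
              userRemoteConfigs: [[credentialsId: "${git_auth}", url: "${settlement_git}"]]
          ])
      }
      // Step 2: compile and package.
      // NOTE(review): -Dmaven.test.skip=true skips the tests, and the image built
      // below starts with the prod profile - confirm tests run somewhere else.
      stage('代码编译') {
          sh 'mvn clean install -Dmaven.test.skip=true'
      }
      // Step 3: build and push the image.
      stage('构建镜像') {
          withCredentials([usernamePassword(credentialsId: "${docker_registry_auth}", passwordVariable: 'password', usernameVariable: 'username')]) {
              // The shell script is a single-quoted Groovy string on purpose: the
              // credentials are expanded by the shell from the environment that
              // withCredentials provides, not interpolated by Groovy into the
              // script text. The password goes to docker login on stdin instead
              // of -p, so it is not on the docker command line and a quote
              // character inside it cannot break the command.
              // The image name is not a secret; it is handed over through withEnv.
              // NOTE(review): the java:8 base image is deprecated on Docker Hub and
              // the container runs as the image's default user - consider a
              // maintained base image and a non-root USER.
              withEnv(["IMAGE_NAME=${image_name}"]) {
                  sh '''
                    echo '
                      FROM java:8
                      WORKDIR /root/.jenkins/jobs/docker-pipline
                      COPY target/settlement.jar  /settlement.jar
                      CMD java -jar /settlement.jar --spring.profiles.active=prod
                    ' > Dockerfile
                    docker build -t "$IMAGE_NAME" .
                    printf '%s' "$password" | docker login -u "$username" --password-stdin registry.cn-beijing.aliyuncs.com
                    docker push "$IMAGE_NAME"
                  '''
              }
          }
      }
      // Step 4: deploy to the cluster.
      // There is no kubeconfig wrapper here, so kubectl runs with whatever
      // configuration the agent already has.
      // NOTE(review): confirm that identity is limited to what this job has to
      // deploy.
      stage('部署到K8S平台') {
          // \$ keeps $IMAGE_NAME / $SECRET_NAME literal for sed; only the
          // replacement values are interpolated by Groovy. Both come from
          // constants and BUILD_NUMBER, not from user input.
          sh "sed -i 's#\$IMAGE_NAME#${image_name}#' deploy.yml"
          sh "sed -i 's#\$SECRET_NAME#${secret_name}#' deploy.yml"
          sh 'kubectl apply -f deploy.yml'
      }
  }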

三 创建docker-secret认证

如果你的仓库是私有仓库,k8s 在拉取镜像创建 pod 的时候,会提示没有登录或者没有权限,即使你在节点上手动 docker login 之后可以拉取。原因是 k8s 拉取镜像时使用的是 imagePullSecrets 里指定的 secret,所以需要先创建它。

registry-harbor 是secret的名字

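# Create the image-pull secret that the Deployment references through
# imagePullSecrets. It must live in the namespace the pods are created in.
# The password is read from a prompt instead of being typed into the command,
# so it does not end up in the shell history. It is still passed to kubectl as
# an argument and is visible in the process list while the command runs.
read -r -s -p 'Registry password: ' REGISTRY_PASSWORD
printf '\n'
kubectl create secret docker-registry registry-harbor --namespace=default \
    --docker-server=registry.cn-beijing.aliyuncs.com --docker-username=52gsh \
    --docker-password="$REGISTRY_PASSWORD"
unset REGISTRY_PASSWORD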

创建完之后,可以用 kubectl get secret registry-harbor --namespace=default 查看


四 jenkins上添加凭据

0 添加jenkins连接k8s-api的凭据

添加方法,具体见 ( 设置jenkins去连接k8s api)从这部分开始看

只有添加了这个,才可以向下进行。

1 添加jenkins运行kubectl命令的权限

首先去/root/.kube 打开config这个文件,找到下面的


然后执行 echo xxxxx | base64 -d > /tmp/ca.crt(xxxxx 是上一步在 config 文件里找到的那段 base64 字符串)

然后把解码得到的内容(/tmp/ca.crt)放到这个框里面


点击下面的 Generate Pipeline Script 就会生成部署的语句。

2 添加gitlab和dockhub的凭据,这两个凭据都是用户名和密码的方式,不做详细描述

五 构建,并查看svc情况

查看svc是否正确,只有Endpoints:后面出现ip和端口才代表最终成功

[root@k8s-master01 k8s]# kubectl describe svc/settlement-svc 
Name:                     settlement-svc
Namespace:                default
Labels:                   <none>
Annotations:              kubectl.kubernetes.io/last-applied-configuration:
                            {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"settlement-svc","namespace":"default"},"spec":{"ports":[{"nodePor...
Selector:                 app=settlement
Type:                     NodePort
IP:                       10.1.0.122
Port:                     <unset>  8083/TCP
TargetPort:               8083/TCP
NodePort:                 <unset>  30907/TCP
Endpoints:                10.244.1.2:8083,10.244.2.14:8083
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

六 deploy.yml文件

把pod的8083端口映射到node节点的30907,最后可以通过nodeip加端口方式访问。

# Deployment and NodePort Service for the settlement application.
# $SECRET_NAME and $IMAGE_NAME are placeholders: the pipeline replaces them
# with sed before it runs kubectl apply, so this file is not applied as-is.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: settlement
spec:
  replicas: 2
  selector:
   matchLabels:
    app: settlement
  template:
    metadata:
      labels:
        app: settlement
    spec:
      # Name of the docker-registry secret used to pull the private image; the
      # secret has to exist in the namespace the pods are created in.
      imagePullSecrets:
      - name: $SECRET_NAME 

      # NOTE(review): no resources or securityContext are set, so the container
      # runs with the image defaults and without CPU/memory limits.
      containers:
      - name: settlement
        image: $IMAGE_NAME 
        ports:
        - containerPort: 8083
          name: settlement
        # Both probes send HTTP GET / to port 8083, start after 60 seconds, time
        # out after 5 seconds and tolerate 12 consecutive failures.
        livenessProbe:
          httpGet:
            path: /
            port: 8083
          initialDelaySeconds: 60
          timeoutSeconds: 5
          failureThreshold: 12
        readinessProbe:
          httpGet:
            path: /
            port: 8083
          initialDelaySeconds: 60
          timeoutSeconds: 5
          failureThreshold: 12


---
# NodePort Service: port 30907 on every node forwards to port 8083 of the pods
# labelled app=settlement. If the nodes have public addresses, the application
# is reachable from outside on that port; restrict it with a firewall or
# security group where that is not intended.
apiVersion: v1
kind: Service
metadata:
  name: settlement-svc
spec:
  type: NodePort
  selector:
    app: settlement
  ports:
    - protocol: TCP
      port: 8083
      targetPort: 8083
      nodePort: 30907