创建docker 认证
一 首先在初始化的时候需要注意
apiserver-cert-extra-sans 用来把外网地址(公网IP或域名)加入 apiserver 证书的 SAN,这样通过外网地址访问 apiserver 时证书校验才能通过
apiserver-advertise-address 是 apiserver 对外通告的内网地址
1 初始化时加上公网ip,这样可以让外部的jenkins与它进行通信(apiserver 的 6443 端口对公网开放时,建议用安全组或防火墙只放行 jenkins 所在机器的 IP)
# Initialise the control-plane node.
#   --apiserver-advertise-address  internal address the API server advertises
#   --image-repository             registry the control-plane images are pulled from
#   --service-cidr / --pod-network-cidr  address ranges for Services and Pods
#   --apiserver-cert-extra-sans    extra subject alternative name for the API server
#                                  certificate; replace the placeholder 公网IP with the
#                                  public IP that external clients (Jenkins) connect to
kubeadm init \
  --apiserver-advertise-address=172.29.251.182 \
  --image-repository registry.aliyuncs.com/google_containers \
  --kubernetes-version v1.15.0 \
  --service-cidr=10.1.0.0/16 \
  --pod-network-cidr=10.244.0.0/16 \
  --apiserver-cert-extra-sans 公网IP
二 根据jenkins所安装的环境或机器,所对应的pipeline脚本也不一样
1 如果jenkins安装在k8s之外,并且不能进行内网通信
serverUrl 这里要指定外网ip
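// Scripted pipeline for a Jenkins host outside the cluster: it checks out the
// code, builds the jar, builds and pushes the image, then deploys with kubectl
// against the API server's public address (serverUrl in the last stage).

// Registry namespace that receives the built image
def registry = "registry.cn-beijing.aliyuncs.com/settlement-test"
// Project name, used as the image repository name
def project = "settlement"
// Full image reference; BUILD_NUMBER gives every build its own tag
def image_name = "${registry}/${project}:${BUILD_NUMBER}"
def settlement_git = "https://gitee.com/huningfei/settlement.git"
// Not referenced by any stage in this script
def settlementCore_git="https://gitee.com/huningfei/settlementCore.git"
// Authentication: secret_name is the imagePullSecret substituted into the
// manifest; the two UUIDs are Jenkins credential IDs, not the secrets themselves
def secret_name = "registry-harbor"
def docker_registry_auth = "e8b4e1e8-edf9-429e-9f9c-d09305f02b15"
def git_auth = "e043a097-5ad8-4ec4-a2d9-df27e8debfc4"
node(){
    // Step 1: check out the source.
    // '${Branch}' is single-quoted, so Groovy does not interpolate it;
    // presumably it is resolved from a build parameter named Branch — confirm.
    stage('拉取代码'){
        checkout([$class: 'GitSCM', branches: [[name: '${Branch}']], userRemoteConfigs: [[credentialsId: "${git_auth}", url: "${settlement_git}"]]])
    }
    // Step 2: build the jar. -Dmaven.test.skip=true means tests are neither
    // compiled nor run, so nothing in this pipeline gates the deploy on tests.
    stage('代码编译'){
        sh "mvn clean install -Dmaven.test.skip=true"
    }
    // Step 3: write the Dockerfile, build the image and push it.
    stage('构建镜像'){
        withCredentials([usernamePassword(credentialsId: "${docker_registry_auth}", passwordVariable: 'password', usernameVariable: 'username')]) {
            // The image reference is handed to the shell as an environment
            // variable so the script can be a single-quoted Groovy string:
            // the shell, not Groovy, expands $username / $password. That keeps
            // the password out of the interpolated command text, and a quote
            // character in the password can no longer break the command line.
            // --password-stdin keeps it off the docker command line as well.
            // NOTE(review): the java image on Docker Hub is deprecated and the
            // container runs as root; consider a maintained JRE base image and
            // a non-root USER.
            // The script body is kept flush-left so the generated Dockerfile
            // has no leading whitespace.
            withEnv(["IMAGE_REF=${image_name}"]) {
                sh '''
echo '
FROM java:8
WORKDIR /root/.jenkins/jobs/docker-pipline
COPY target/settlement.jar /settlement.jar
CMD java -jar /settlement.jar --spring.profiles.active=prod
' > Dockerfile
docker build -t "$IMAGE_REF" .
printf '%s' "$password" | docker login -u "$username" --password-stdin registry.cn-beijing.aliyuncs.com
docker push "$IMAGE_REF"
'''
            }
        }
    }
    // Step 4: deploy to Kubernetes.
    // The kubeconfig step presumably gives kubectl inside the block a
    // kubeconfig built from the CA certificate, the credential and serverUrl.
    // serverUrl is the API server's public address, so that address has to be
    // covered by the API server certificate and port 6443 has to be reachable
    // from this Jenkins host.
    stage('部署到K8S平台'){
        kubeconfig(caCertificate: '''-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----''', credentialsId: '72520351-5755-4e6c-a62e-403ca44315ef', serverUrl: 'https://182.92.204.13:6443') {
            // Fill the $IMAGE_NAME / $SECRET_NAME placeholders in the manifest.
            // \$ keeps the placeholder literal; ${image_name} and
            // ${secret_name} are the Groovy values defined above.
            // NOTE(review): this script uses deploy.yaml while the manifest is
            // called deploy.yml elsewhere on the page — confirm the file name.
            sh "sed -i 's#\$IMAGE_NAME#${image_name}#' deploy.yaml"
            sh "sed -i 's#\$SECRET_NAME#${secret_name}#' deploy.yaml"
            sh 'kubectl apply -f deploy.yaml'
        }
    }
}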
2 第二种情况是jenkins安装在k8s之内,或者是master,node节点,可以和master进行内网通信
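// Scripted pipeline for a Jenkins that runs inside the cluster or on a
// master/worker node: it checks out the code, builds the jar, builds and
// pushes the image, then runs kubectl directly on the agent.

// Registry namespace that receives the built image
def registry = "registry.cn-beijing.aliyuncs.com/settlement-test"
// Project name, used as the image repository name
def project = "settlement"
// Full image reference; BUILD_NUMBER gives every build its own tag
def image_name = "${registry}/${project}:${BUILD_NUMBER}"
def settlement_git = "https://gitee.com/huningfei/settlement.git"
// Not referenced by any stage in this script
def settlementCore_git="https://gitee.com/huningfei/settlementCore.git"
// Authentication: secret_name is the imagePullSecret substituted into the
// manifest; the UUIDs are Jenkins credential IDs, not the secrets themselves
def secret_name = "registry-harbor"
def docker_registry_auth = "2c991e24-dd31-4083-b469-1da9c05579f2"
def git_auth = "e043a097-5ad8-4ec4-a2d9-df27e8debfc4"
// Defined but not referenced by any stage in this script
def k8s_auth = "4bb069f6-36ce-4257-bef3-1c3b2c86ceee"
node(){
    // Step 1: check out the source.
    // '${Branch}' is single-quoted, so Groovy does not interpolate it;
    // presumably it is resolved from a build parameter named Branch — confirm.
    stage('拉取代码'){
        checkout([$class: 'GitSCM', branches: [[name: '${Branch}']], userRemoteConfigs: [[credentialsId: "${git_auth}", url: "${settlement_git}"]]])
    }
    // Step 2: build the jar. -Dmaven.test.skip=true means tests are neither
    // compiled nor run, so nothing in this pipeline gates the deploy on tests.
    stage('代码编译'){
        sh "mvn clean install -Dmaven.test.skip=true"
    }
    // Step 3: write the Dockerfile, build the image and push it.
    stage('构建镜像'){
        withCredentials([usernamePassword(credentialsId: "${docker_registry_auth}", passwordVariable: 'password', usernameVariable: 'username')]) {
            // The image reference is handed to the shell as an environment
            // variable so the script can be a single-quoted Groovy string:
            // the shell, not Groovy, expands $username / $password. That keeps
            // the password out of the interpolated command text, and a quote
            // character in the password can no longer break the command line.
            // --password-stdin keeps it off the docker command line as well.
            // NOTE(review): the java image on Docker Hub is deprecated and the
            // container runs as root; consider a maintained JRE base image and
            // a non-root USER.
            // The script body is kept flush-left so the generated Dockerfile
            // has no leading whitespace.
            withEnv(["IMAGE_REF=${image_name}"]) {
                sh '''
echo '
FROM java:8
WORKDIR /root/.jenkins/jobs/docker-pipline
COPY target/settlement.jar /settlement.jar
CMD java -jar /settlement.jar --spring.profiles.active=prod
' > Dockerfile
docker build -t "$IMAGE_REF" .
printf '%s' "$password" | docker login -u "$username" --password-stdin registry.cn-beijing.aliyuncs.com
docker push "$IMAGE_REF"
'''
            }
        }
    }
    // Step 4: deploy to Kubernetes.
    // No kubeconfig is set up here, so kubectl presumably relies on a
    // configuration already present for the user the agent runs as — confirm,
    // and keep that identity limited to what this deployment needs.
    stage('部署到K8S平台'){
        // Fill the $IMAGE_NAME / $SECRET_NAME placeholders in the manifest.
        // \$ keeps the placeholder literal; ${image_name} and ${secret_name}
        // are the Groovy values defined above.
        sh "sed -i 's#\$IMAGE_NAME#${image_name}#' deploy.yml"
        sh "sed -i 's#\$SECRET_NAME#${secret_name}#' deploy.yml"
        sh 'kubectl apply -f deploy.yml'
    }
}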
三 创建docker-secret认证
如果你的仓库是私有仓库,当k8s拉取镜像创建pod的时候,会提示没有登录,或者没有权限,但是你手动是可以拉取的。
registry-harbor 是secret的名字
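# Create the image-pull secret "registry-harbor" in the default namespace
# (the namespace has to be the one the Deployment runs in).
# The password is read from the terminal with bash's `read -s` and is not typed
# as a literal on the command line, so it does not end up in the shell history.
read -r -s -p 'Registry password: ' REGISTRY_PASSWORD; echo
kubectl create secret docker-registry registry-harbor --namespace=default \
  --docker-server=registry.cn-beijing.aliyuncs.com --docker-username=52gsh \
  --docker-password="$REGISTRY_PASSWORD"
# Drop the variable so the password does not linger in the session.
unset REGISTRY_PASSWORD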
创建完之后,查看
四 jenkins上添加凭据
0 添加jenkins连接k8s-api的凭据
添加方法,具体见 ( 设置jenkins去连接k8s api)从这部分开始看
只有添加了这个,才可以向下进行。
1 添加jenkins运行kubectl命令的权限
首先去/root/.kube 打开config这个文件,找到下面的
然后echo xxxxx | base64 -d > /tmp/ca.crt
然后把 /tmp/ca.crt 里的证书内容放到这个框里面
点击下面的 Generate Pipeline Script 就会生成部署的语句。
2 添加gitlab和dockerhub的凭据,这两个凭据都是用户名和密码的方式,不做详细描述
五 构建,并查看svc情况
查看svc是否正确,只有Endpoints:后面出现ip和端口才代表最终成功
[root@k8s-master01 k8s]# kubectl describe svc/settlement-svc
Name: settlement-svc
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"settlement-svc","namespace":"default"},"spec":{"ports":[{"nodePor...
Selector: app=settlement
Type: NodePort
IP: 10.1.0.122
Port: <unset> 8083/TCP
TargetPort: 8083/TCP
NodePort: <unset> 30907/TCP
Endpoints: 10.244.1.2:8083,10.244.2.14:8083
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
六 deploy.yml文件
把pod的8083端口映射到node节点的30907,最后可以通过nodeip加端口方式访问。
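# Deployment for the settlement service: two replicas of one container
# listening on 8083. $SECRET_NAME and $IMAGE_NAME are placeholders that the
# pipeline replaces with sed before `kubectl apply`; they are quoted so the
# substituted values are always read as strings.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: settlement
spec:
  replicas: 2
  selector:
    matchLabels:
      app: settlement
  template:
    metadata:
      labels:
        app: settlement
    spec:
      # Pull secret for the private registry; it must exist in the namespace
      # this Deployment is applied to.
      imagePullSecrets:
        - name: '$SECRET_NAME'
      containers:
        - name: settlement
          image: '$IMAGE_NAME'
          ports:
            - containerPort: 8083
              name: settlement
          # Both probes issue GET / on 8083, wait 60s before the first check
          # and tolerate 12 consecutive failures.
          # NOTE(review): no securityContext or resource limits are set, so
          # the container runs with the image's default user — confirm this
          # is intended.
          livenessProbe:
            httpGet:
              path: /
              port: 8083
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12
          readinessProbe:
            httpGet:
              path: /
              port: 8083
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12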
---
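# NodePort Service in front of the pods labelled app=settlement.
# Port 8083 of the Service forwards to container port 8083 and is also opened
# as port 30907 on every node, so anything that can reach a node IP can reach
# the application; restrict 30907 with a firewall or security group when the
# nodes have public addresses.
apiVersion: v1
kind: Service
metadata:
  name: settlement-svc
spec:
  type: NodePort
  selector:
    app: settlement
  ports:
    - protocol: TCP
      port: 8083
      targetPort: 8083
      nodePort: 30907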