内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
本文档介绍Kubernetes CI/CD流水线实战案例。
Part01-CI/CD流水线架构
1.1 流水线设计
[root@k8s-master ~]# cat > /root/fgedu-cicd-pipeline.txt << 'EOF' FGEDU CI/CD流水线项目 ===================== 1. 流水线组件 - GitLab: 代码仓库 - Harbor: 镜像仓库 - Jenkins: CI服务器 - ArgoCD: CD工具 2. 流水线阶段 - 代码检查: SonarQube - 单元测试: JUnit - 构建镜像: Docker Build - 镜像扫描: Trivy - 部署应用: kubectl/Helm 3. 环境管理 - 开发环境: dev - 测试环境: test - 预发环境: staging - 生产环境: prod 4. 质量控制 - 代码覆盖率 - 安全扫描 - 性能测试 EOF
Part02-部署Harbor镜像仓库
2.1 Harbor安装
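[root@k8s-master ~]# kubectl create namespace harbor
namespace/harbor created

# Install Harbor with Helm
[root@k8s-master ~]# helm repo add harbor https://helm.goharbor.io
"harbor" has been added to your repositories

# Values for a lab install. Review before reuse outside a lab:
#  - externalURL is plain HTTP, so logins and image layers cross the network
#    unencrypted and unauthenticated; serve Harbor over TLS (see the chart's
#    expose.tls settings) once a certificate is available.
#  - harborAdminPassword below is Harbor's well-known default; set a unique
#    value here, or change it in the portal right after the first login.
[root@k8s-master ~]# cat > harbor-values.yaml << 'EOF'
expose:
  type: nodePort
  nodePort:
    ports:
      http:
        nodePort: 30002
      https:
        nodePort: 30003
externalURL: http://192.168.1.100:30002
# Default admin password; replace before exposing the NodePort.
harborAdminPassword: "Harbor12345"
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      size: 50Gi
    chartmuseum:
      size: 10Gi
    trivy:
      size: 5Gi
chartmuseum:
  enabled: true
trivy:
  enabled: true
EOF
[root@k8s-master ~]# helm install harbor harbor/harbor -n harbor -f harbor-values.yaml
NAME: harbor
LAST DEPLOYED: Sat Apr 4 22:00:00 2026
NAMESPACE: harbor
STATUS: deployed
REVISION: 1
NOTES:
Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the Harbor portal at http://192.168.1.100:30002

# Check Harbor status
[root@k8s-master ~]# kubectl get pods -n harbor
NAME                              READY   STATUS    RESTARTS   AGE
harbor-core-abc12-xyz789          1/1     Running   0          5m
harbor-registry-abc12-xyz789      1/1     Running   0          5m
harbor-portal-abc12-xyz789        1/1     Running   0          5m
harbor-jobservice-abc12-xyz789    1/1     Running   0          5m
harbor-trivy-abc12-xyz789         1/1     Running   0          5m
harbor-chartmuseum-abc12-xyz789   1/1     Running   0          5m

# Make Docker trust Harbor.
# "insecure-registries" tells the daemon to talk to this registry without
# verified TLS, so pulled images are not protected against tampering in
# transit; drop the entry once Harbor serves HTTPS with a trusted certificate.
# The redirect overwrites any existing /etc/docker/daemon.json; merge by hand
# if the file already holds other settings.
[root@k8s-master ~]# cat > /etc/docker/daemon.json << 'EOF'
{
  "insecure-registries": ["192.168.1.100:30002"]
}
EOF
[root@k8s-master ~]# systemctl restart docker

# Log in to Harbor.
# No -p on the command line: the password would otherwise land in shell
# history and in the process list. Docker prompts for it instead; in scripts,
# feed it with --password-stdin.
[root@k8s-master ~]# docker login 192.168.1.100:30002 -u admin
Password:
Login Succeeded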
Part03-配置Jenkins
3.1 部署Jenkins
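# Jenkins manifests: PVC, Deployment and NodePort Service.
# Jenkins is placed in the same namespace as the registry here; a namespace of
# its own lets RBAC and NetworkPolicy differ between the two.
[root@k8s-master ~]# cat > jenkins.yaml << 'EOF'
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-pvc
  namespace: harbor
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: fgedu-nfs-storage
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  namespace: harbor
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jenkins
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      containers:
        - name: jenkins
          # "lts" is a moving tag; pin a specific LTS version for repeatable installs.
          image: jenkins/jenkins:lts
          ports:
            - containerPort: 8080
            - containerPort: 50000
          volumeMounts:
            - name: jenkins-home
              mountPath: /var/jenkins_home
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: 2000m
              memory: 4Gi
      volumes:
        - name: jenkins-home
          persistentVolumeClaim:
            claimName: jenkins-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: jenkins
  namespace: harbor
spec:
  type: NodePort
  ports:
    # A Service with more than one port must name each port.
    - name: http
      port: 8080
      targetPort: 8080
      nodePort: 30080
    # Inbound agent port, opened on every node by the NodePort. If all agents
    # are pods in this cluster, a ClusterIP Service is enough for it.
    - name: agent
      port: 50000
      targetPort: 50000
      nodePort: 30500
  selector:
    app: jenkins
EOF
[root@k8s-master ~]# kubectl apply -f jenkins.yaml
persistentvolumeclaim/jenkins-pvc created
deployment.apps/jenkins created
service/jenkins created

# Read the Jenkins initial admin password (one-time setup secret; the value
# below is sample output)
[root@k8s-master ~]# kubectl exec -it jenkins-abc12-xyz789 -n harbor -- cat /var/jenkins_home/secrets/initialAdminPassword
abc123def456789012345678901234

# Create the Jenkins Pipeline definition
[root@k8s-master ~]# cat > jenkins-pipeline.groovy << 'EOF'
pipeline {
    // Build pod with two tool containers.
    // - The hostPath mount of /var/run/docker.sock hands every step in this pod
    //   control of the node's Docker daemon, which is equivalent to root on
    //   that node, and it only works on nodes that run Docker. A daemonless
    //   builder (for example Kaniko or rootless BuildKit) avoids the mount.
    // - docker:latest and bitnami/kubectl:latest are moving tags; pin versions
    //   or digests so the build tooling cannot change underneath the pipeline.
    // - No serviceAccountName is set, so the kubectl container uses the
    //   namespace's default ServiceAccount; it needs a narrowly scoped Role in
    //   the target namespace for the Deploy stage (RBAC is not shown here).
    agent {
        kubernetes {
            yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: docker
    image: docker:latest
    command: ['cat']
    tty: true
    volumeMounts:
    - name: docker-sock
      mountPath: /var/run/docker.sock
  - name: kubectl
    image: bitnami/kubectl:latest
    command: ['cat']
    tty: true
  volumes:
  - name: docker-sock
    hostPath:
      path: /var/run/docker.sock
'''
        }
    }

    environment {
        REGISTRY = '192.168.1.100:30002'
        IMAGE_NAME = 'fgedu/app'
        KUBE_NAMESPACE = 'fgedu-prod'
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Build') {
            steps {
                container('docker') {
                    sh '''
                        docker build -t "$REGISTRY/$IMAGE_NAME:$BUILD_NUMBER" .
                        docker tag "$REGISTRY/$IMAGE_NAME:$BUILD_NUMBER" "$REGISTRY/$IMAGE_NAME:latest"
                    '''
                }
            }
        }

        // Gate: the scan runs before Push, and --exit-code 1 fails the build
        // when HIGH or CRITICAL findings exist, so a failing image never
        // reaches the registry.
        // NOTE(review): this step runs in the 'docker' container; confirm that
        // image actually provides the trivy binary, or add a container that does.
        stage('Scan') {
            steps {
                container('docker') {
                    sh '''
                        trivy image --exit-code 1 --severity HIGH,CRITICAL "$REGISTRY/$IMAGE_NAME:$BUILD_NUMBER"
                    '''
                }
            }
        }

        stage('Push') {
            steps {
                container('docker') {
                    withCredentials([usernamePassword(credentialsId: 'harbor-creds', usernameVariable: 'USER', passwordVariable: 'PASS')]) {
                        // Password goes in on stdin, not as -p: argv is visible
                        // in the process list and in traced shell output.
                        sh '''
                            printf '%s' "$PASS" | docker login "$REGISTRY" -u "$USER" --password-stdin
                            docker push "$REGISTRY/$IMAGE_NAME:$BUILD_NUMBER"
                            docker push "$REGISTRY/$IMAGE_NAME:latest"
                        '''
                    }
                }
            }
        }

        // With the Argo CD Application from section 4.1 (selfHeal: true), a
        // direct "kubectl set image" counts as drift and is reverted to the
        // state in Git. In a GitOps flow this stage would instead commit the
        // new tag to the config repository.
        stage('Deploy') {
            steps {
                container('kubectl') {
                    sh '''
                        kubectl set image deployment/fgedu-app "fgedu-app=$REGISTRY/$IMAGE_NAME:$BUILD_NUMBER" -n "$KUBE_NAMESPACE"
                        kubectl rollout status deployment/fgedu-app -n "$KUBE_NAMESPACE"
                    '''
                }
            }
        }
    }

    post {
        success {
            echo 'Deployment successful!'
        }
        failure {
            echo 'Deployment failed!'
        }
    }
}
EOF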
Part04-GitOps部署
4.1 ArgoCD配置
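# Argo CD Application for the production namespace.
#  - project "default" accepts any source repo and any destination unless it
#    has been restricted; a dedicated AppProject limits this app to its own
#    repo and namespace.
#  - automated sync with prune + selfHeal applies whatever is on the "main"
#    branch to fgedu-prod without a manual step, so write access to that
#    branch is effectively production access; protect it (reviews, protected
#    branch).
#  - NOTE(review): "directory:" is set explicitly while the path holds a
#    kustomization.yaml; confirm Argo CD renders this path with Kustomize and
#    not as plain manifests.
[root@k8s-master ~]# cat > fgedu-gitops-app.yaml << 'EOF'
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: fgedu-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://git.fgedu.net.cn/fgedu/k8s-apps.git
    targetRevision: main
    path: apps/fgedu-app
    directory:
      recurse: true
  destination:
    server: https://kubernetes.default.svc
    namespace: fgedu-prod
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
      - PruneLast=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-gitops-app.yaml
application.argoproj.io/fgedu-app created

# Check application status
[root@k8s-master ~]# kubectl get application -n argocd
NAME        SYNC STATUS   HEALTH STATUS
fgedu-app   Synced        Healthy

# Create the application config repository
[root@k8s-master ~]# mkdir -p /root/gitops-repo/apps/fgedu-app

# service.yaml and configmap.yaml are listed as resources but are not created
# on this page; they must exist in the directory for the build to succeed.
# "newTag: latest" is mutable: the same manifest can resolve to different
# images over time, and reverting a Git commit does not revert the image.
# Have the pipeline write the build number or the image digest here instead.
[root@k8s-master ~]# cat > /root/gitops-repo/apps/fgedu-app/kustomization.yaml << 'EOF'
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
  - configmap.yaml
commonLabels:
  app: fgedu-app
  env: production
images:
  - name: fgedu/app
    newName: 192.168.1.100:30002/fgedu/app
    newTag: latest
EOF

# No securityContext is set, so the container runs as the image's default
# user with a writable root filesystem; settings such as runAsNonRoot and
# allowPrivilegeEscalation: false are worth adding once the image supports them.
[root@k8s-master ~]# cat > /root/gitops-repo/apps/fgedu-app/deployment.yaml << 'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fgedu-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: fgedu-app
  template:
    metadata:
      labels:
        app: fgedu-app
    spec:
      containers:
        - name: fgedu-app
          image: fgedu/app:latest
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
EOF

# Sync the application manually
[root@k8s-master ~]# argocd app sync fgedu-app
TIMESTAMP GROUP KIND NAMESPACE NAME STATUS HEALTH HOOK MESSAGE
2026-04-04T22:30:00+08:00 apps Deployment fgedu-prod fgedu-app Running Healthy deployment.apps/fgedu-app configured
2026-04-04T22:30:00+08:00 Service fgedu-prod fgedu-app Healthy service/fgedu-app configured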
- 使用GitOps管理应用配置
- 配置自动化测试流程
- 在推送和部署前扫描镜像,发现高危/严重漏洞时中止流水线(扫描只能降低风险,不能单独保证安全)
- 配置多环境部署策略
- 设置回滚机制
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
