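Deploying Jenkins in a K8S Cluster
This article describes how to deploy and configure a Jenkins server in a k8s environment. Jenkins is a powerful open-source tool for continuous integration and continuous builds that uses a master and slave architecture. By deploying the Jenkins environment in a k8s cluster, Jenkins slaves can be created on demand and scaled dynamically. It also gives us a continuous deployment solution for applications running in k8s.
I. Preparing the Docker image files
1. Build the Jenkins server Docker image. The default jenkins image already includes a JDK, version 1.8.0_171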
# cat dockerfile
FROM jenkins
MAINTAINER [email protected]
ENV MAVEN_HOME /usr/local/maven
ENV JAVA_HOME /usr/local/java
ENV CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
ENV PATH ${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${PATH}
COPY apache-maven-3.5.4 /usr/local/maven
USER root
RUN mkdir -p /usr/local/maven/repository && ln -s /usr/java/jdk1.8.0_171 /usr/local/java
# docker build -t harbor.59iedu.com/fjhb/jenkins:2018-08-12-v1 .
# docker push harbor.59iedu.com/fjhb/jenkins:2018-08-12-v1
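2. Build the Jenkins slave image
Depending on your environment, you can configure an internal Maven repository (Nexus). A private repository avoids downloading dependency JARs over the public Internet during builds. To use it, package the corresponding settings.xml file into the apache-maven-3.5.4/conf directory.
The libltdl.so.7 file is taken from the operating system path /usr/lib64/libltdl.so.7 (this is actually a symbolic link, so the file has to be copied out and renamed).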
# cat Dockerfile
FROM openshift/base-centos7
MAINTAINER [email protected]
COPY apache-maven-3.5.4 /usr/local/maven
COPY jdk1.8.0_171 /usr/local/java
COPY kubectl /usr/local/bin/kubectl
COPY libltdl.so.7 /usr/lib64/libltdl.so.7
COPY slave.jar /usr/share/jenkins/slave.jar
COPY jenkins-slave /usr/local/bin/jenkins-slave
ENV HOME /home/jenkins
ENV AGENT_WORKDIR=/home/jenkins/agent
ENV JAVA_HOME /usr/local/java
ENV MAVEN_HOME /usr/local/maven/
ENV CLASSPATH .:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
ENV PATH ${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${PATH}
ENV MAVEN_CONFIG "$USER_HOME_DIR/.m2"
RUN chmod 755 /usr/share/jenkins && chmod 644 /usr/share/jenkins/slave.jar
RUN mkdir -p /home/jenkins/.jenkins && mkdir -p ${AGENT_WORKDIR} && yum -y install git subversion sshpass
VOLUME /home/jenkins/.jenkins
VOLUME ${AGENT_WORKDIR}
WORKDIR /home/jenkins
USER root
ENTRYPOINT ["jenkins-slave"]
# docker build -t harbor.59iedu.com/fjhb/jenkins-slave-toolkit:2018-08-10-v1 .
# docker push harbor.59iedu.com/fjhb/jenkins-slave-toolkit:2018-08-10-v1
II. Creating the Jenkins server
1. Create the PVs and PVCs
# cat pv.yaml
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: jenkins-master-vol
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /home/jenkins
    server: 192.168.115.6
  persistentVolumeReclaimPolicy: Recycle
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: maven-repository
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /home/maven
    server: 192.168.115.6
  persistentVolumeReclaimPolicy: Recycle
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: jenkins-master-claim
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: maven-repository-claim
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
2. Create the Deployment and Service
# cat deploy.yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: jenkins-master
spec:
  template:
    metadata:
      labels:
        name: jenkins-master
    spec:
      securityContext:
        fsGroup: 1000
      containers:
        - name: jenkins-master
          image: harbor.59iedu.com/fjhb/jenkins:2018-08-12-v1
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 50000
              name: agent
          volumeMounts:
            - name: jenkins-master-vol
              mountPath: /var/jenkins_home
            - name: maven-repository
              mountPath: /opt/maven/repository
            - name: docker
              mountPath: /usr/bin/docker
            - name: docker-sock
              mountPath: /var/run/docker.sock
      volumes:
        - name: jenkins-master-vol
          persistentVolumeClaim:
            claimName: jenkins-master-claim
        - name: maven-repository
          persistentVolumeClaim:
            claimName: maven-repository-claim
        - name: docker
          hostPath:
            path: /usr/bin/docker
        - name: docker-sock
          hostPath:
            path: /var/run/docker.sock
      serviceAccount: "jenkins-master"
      imagePullSecrets:
        - name: harborsecret
---
apiVersion: v1
kind: Service
metadata:
  name: jenkins-master
spec:
  type: NodePort
  ports:
    - port: 8080
      name: http
      targetPort: 8080
      nodePort: 8452
    - port: 50000
      name: agent
      nodePort: 50000
      targetPort: 50000
  selector:
    name: jenkins-master
3. RBAC authorization
# cat sa.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-master
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins-master
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: jenkins-master
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-master
subjects:
  - kind: ServiceAccount
    name: jenkins-master
    namespace: default
4. RBAC authorization for the default SA
# cat default-sa.yaml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: default-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: default-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
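The manifests above contain settings that widen what a compromised build or pod can reach: the node's Docker socket mounted into the master, create on pods/exec, get on secrets without resourceNames, and a RoleBinding to the namespace's default ServiceAccount, which every pod without an explicit serviceAccount runs as. The check below is an added example, not part of the original article, that flags them. The dicts are constructed from deploy.yaml, sa.yaml and default-sa.yaml, and the finding labels are hypothetical names.

```python
# Constructed input: the security-relevant parts of deploy.yaml, sa.yaml and
# default-sa.yaml, written as Python dicts so no YAML library is needed.
WRITE = ["create", "delete", "get", "list", "patch", "update", "watch"]
RULES = [
    {"resources": ["pods"], "verbs": WRITE},
    {"resources": ["pods/exec"], "verbs": WRITE},
    {"resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    {"resources": ["secrets"], "verbs": ["get"]},
]
MANIFESTS = [
    {"kind": "Deployment", "metadata": {"name": "jenkins-master"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "docker", "hostPath": {"path": "/usr/bin/docker"}},
         {"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}]}}}},
    {"kind": "Role", "metadata": {"name": "jenkins-master"}, "rules": RULES},
    {"kind": "Role", "metadata": {"name": "default-role"}, "rules": RULES},
    {"kind": "RoleBinding", "metadata": {"name": "default-rolebinding"},
     "roleRef": {"kind": "Role", "name": "default-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
]

def audit(manifests):
    """Return (object name, finding label) pairs; labels are hypothetical."""
    findings = []
    for m in manifests:
        name = m["metadata"]["name"]
        if m["kind"] == "Deployment":
            for vol in m["spec"]["template"]["spec"].get("volumes", []):
                # The node's Docker socket gives control of the node's Docker daemon.
                if vol.get("hostPath", {}).get("path", "").endswith("docker.sock"):
                    findings.append((name, "docker-socket-hostpath"))
        elif m["kind"] == "Role":
            for rule in m.get("rules", []):
                res, verbs = rule["resources"], rule["verbs"]
                # create on pods/exec allows exec into every pod in the namespace.
                if "pods/exec" in res and "create" in verbs:
                    findings.append((name, "exec-into-any-pod"))
                # Without resourceNames, get covers every secret in the namespace.
                if "secrets" in res and "get" in verbs and not rule.get("resourceNames"):
                    findings.append((name, "read-any-named-secret"))
        elif m["kind"] == "RoleBinding":
            for s in m.get("subjects", []):
                # Pods without an explicit serviceAccount run as "default".
                if s["kind"] == "ServiceAccount" and s["name"] == "default":
                    findings.append((name, "bound-to-default-sa"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(MANIFESTS):
        print(f"{name}: {finding}")
```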
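III. Initializing the Jenkins server
1. Unlock Jenkins with the secret key (to make access from other hosts on the LAN easier, NAT rules were configured in VMware for this article)
2. Configure the proxy
3. Install plugins
4. Create the administrator account
IV. Configuring the Jenkins server
1. Manage Jenkins -> Configure System -> add a new cloud "kubernetes"
Kubernetes URL: enter the address of the api-server
Jenkins URL: enter the service name of the Jenkins server, port 8080
Jenkins Tunnel: the port the slave uses to connect to the master, 50000 by default
In the screenshot above, the pod template is named jenkins-slave and the container template is named jnlp. There are two very important points to note here:
Only when the container template is named jnlp does jenkins-slave use the Docker image configured below to start the pod. If the name is not jnlp, the default image jenkins/jnlp-slave:alpine is used.
When a custom Docker image is used to start the Jenkins slave pod, the two fields below, "command to run" (default: sh -c) and "arguments to pass to the command" (default: cat), must be cleared. Otherwise the Jenkins slave JNLP agent cannot connect to the master: after 100 connection attempts the pod is destroyed, another pod is created to keep trying, and this repeats in an endless loop.
2. Manage Jenkins -> Configure Global Security
Confirm that the JNLP agent port is 50000 by default. If it has been changed, make sure that this setting, the port configuration of the Deployment and Service deployed earlier, and the Jenkins Tunnel setting of the cloud configured above all stay consistent.
3. Manage Jenkins -> Global Tool Configuration
Set the corresponding tools and environment variables here. To avoid unnecessary problems, the Dockerfiles above make the environment variables of the Jenkins server and the Jenkins slave identical; the java directory is provided through a symbolic link.
4. Manage Jenkins -> Manage Plugins
Recommended plugins to install: maven, gitlab, subversion, pipeline, Kubernetes Continuous Deploy, Publish Over SSH
After the plugins are installed, the Jenkins server needs to be restarted, which you can do through "Manage Jenkins" -> "Prepare for Shutdown". This completes the deployment and configuration of the Jenkins server in the k8s environment; the next part covers building and releasing projects with Jenkins.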