Jenkins deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "5"
    description: ""
  creationTimestamp: "2024-07-04T03:16:31Z"
  generation: 14
  labels:
    appgroup: ""
    version: v1
  name: jenkins-prod
  namespace: jenkins
  resourceVersion: "942871743"
  uid: cbd5e9cc-ade3-4758-9819-341c54e27e9b
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: jenkins-prod
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: jenkins-prod
        version: v1
    spec:
      containers:
      - env:
        - name: PAAS_APP_NAME
          value: jenkins-prod
        - name: PAAS_NAMESPACE
          value: jenkins
        - name: PAAS_PROJECT_ID
          value: 0d3e63479d00f4472f71c010ea9e185c
        - name: TZ
          value: Asia/Shanghai
        image: harbor.devops.kaishustory.com/kubesphere/jenkins:2.459
        imagePullPolicy: IfNotPresent
        name: jenkins-prod
        resources:
          limits:
            cpu: "4"
            memory: 4Gi
          requests:
            cpu: "1"
            memory: 1Gi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/jenkins_home
          name: vol-172008326291832657
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: default-secret
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: jenkins
        operator: Exists
      volumes:
      - hostPath:
          path: /mnt/paas/jenkins/data
          type: ""
        name: vol-172008326291832657
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2024-07-04T03:16:31Z"
  labels:
    app: jenkins-prod
    version: v1
  name: jenkins-prod
  namespace: jenkins
  resourceVersion: "941708556"
  uid: 27936243-c4fb-4afd-ad70-63863fba18b6
spec:
  clusterIP: 10.245.248.119
  clusterIPs:
  - 10.245.248.119
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: cce-service-0
    port: 8080
    protocol: TCP
    targetPort: 8080
  - name: cce-service-1
    port: 50000
    protocol: TCP
    targetPort: 50000
  selector:
    app: jenkins-prod
    version: v1
  sessionAffinity: None
  type: ClusterIP
```

Note that JENKINS_HOME is a hostPath volume: everything under /var/jenkins_home, including the secrets/ directory (master.key, with which credentials.xml is decrypted), lives at /mnt/paas/jenkins/data on the node that carries the jenkins taint, and the pod runs with an empty securityContext, so root on that node equals full access to the controller's credentials. With replicas: 1 and a RollingUpdate strategy an update can briefly start a second pod against the same directory; Recreate is the safer strategy for a single-instance controller.
APISIX domain proxy
```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: jenkins.kaishujia.com
  namespace: jenkins
spec:
  http:
  - name: jenkins-prod
    match:
      hosts:
      - jenkins.kaishujia.com
      paths:
      - /*
    backends:
    - serviceName: jenkins-prod
      servicePort: 8080
    websocket: true
```

Only port 8080 (the web UI) is published through the route; the agent port 50000 stays reachable only inside the cluster through the ClusterIP Service, which is enough because the pod agents created by the Kubernetes plugin connect in-cluster. websocket: true keeps WebSocket upgrades working through the proxy (Jenkins uses them for the CLI and for WebSocket-mode agents).
Alibaba Cloud DNS record

Accessing Jenkins
Username: admin. Get the initial password by running `cat /var/jenkins_home/secrets/initialAdminPassword` inside the jenkins-prod container (for example via kubectl exec); because JENKINS_HOME is a hostPath, the same file is also at /mnt/paas/jenkins/data/secrets/initialAdminPassword on the node.
Configuring credentials

| Username | Password | Type | Note |
| --- | --- | --- | --- |
| deploy | 1234567890 | Username with password | GitLab authentication |
| harbor | Kaishu2099= | Username with password | Docker registry (Harbor) authentication |
| ks-ops-cmdb | c2f69d0d229d305f7b357de0ecf9f8ff55f847d5 | Username with password | CMDB authentication |
| global-kubernetes-test | | Secret file | kubeconfig for the test environment |
| global-kubernetes-gamma | | Secret file | kubeconfig for the gamma environment |
| global-kubernetes-prod | | Secret file | kubeconfig for the prod environment |
| global-kubernetes-devops | | Secret file | kubeconfig for the devops environment |

Installing plugins
- Blue Ocean: a nicer Jenkins UI
- Git Parameter: parameterized builds that list the Git branches of the repository
- Active Choices: parameterized builds whose choices come from custom Groovy scripts
- **Extended Choice Parameter**: parameterized builds driven by custom Groovy scripts, with more features
- build user vars: exposes information about the user who triggered the build
- Build Name and Description Setter: show custom values in the build history column
- Rebuilder: rerun a build with the parameter values chosen last time
- Pipeline: Stage View: per-stage view of a pipeline run
- Kubernetes: connects Jenkins to Kubernetes for dynamic pod agents
- Kubernetes CLI: connects to Kubernetes from a pipeline using a kubeconfig file credential
- docker: Docker API
- Docker Pipeline: call the Docker API from a pipeline
- Locale: Chinese localization of Jenkins
- **Figlet Buildstep**: custom banner fonts
- **HTTP Request**: make HTTP calls from a build
- Hidden Parameter: parameters that are hidden from the build form
- Role-based Authorization Strategy: permission management
- **LDAP**: authenticate Jenkins users against LDAP
- Lark Notice Plugin: Feishu (Lark) notifications
- Pipeline Utility Steps: helpers for reading and writing JSON and YAML
Configuring plugins
Kubernetes

Detailed configuration of the devops Cloud

Detailed pod template configuration
- Keep the name and the label list consistent: pipelines request build pods by label
- Container configuration
- maven container: compiles the Java code
- jnlp container: the containerized Jenkins agent
- python container: talks to APISIX to configure canary (gray) releases of a Deployment
- NFS mount: caches the Maven repository directory to speed up compilation
- Image Pull Secret: authentication for pulling images
- Raw YAML for the Pod: mounts the Maven settings.xml only into the maven container so that it resolves dependencies through the internal Nexus
```yaml
spec:
  containers:
  - name: "maven"
    volumeMounts:
    - name: config-volume
      mountPath: /opt/apache-maven-3.5.3/conf/settings.xml
      subPath: settings.xml
  volumes:
  - name: config-volume
    configMap:
      name: devops-maven-setting
      items:
      - key: MavenSetting
        path: settings.xml
  securityContext:
    fsGroup: 1000
```
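The following declarative Jenkinsfile is an added example (not code from the original page or its author) that ties the pieces above together: it runs on the pod template, uses the credentials from the table (assuming their IDs equal the names in the first column), and sends the Lark notification. Names the page does not state are assumptions: the pod template label `maven-builder`, the GitLab repository URL, the application name `demo-app` and namespace `backend`, and that a docker client and kubectl are reachable from the containers used.

```groovy
// Added example, not from the original page. Assumed: pod template label
// 'maven-builder', the Git URL, APP/NAMESPACE names, docker client and kubectl
// availability. Credential IDs are taken from the credentials table.
pipeline {
    agent {
        kubernetes {
            // Must match the pod template's label list; the Kubernetes plugin
            // then creates a pod with the maven/jnlp/python containers.
            label 'maven-builder'
            defaultContainer 'jnlp'
        }
    }

    parameters {
        // Git Parameter plugin: offers the repository's branches in the job form.
        gitParameter(name: 'BRANCH', type: 'PT_BRANCH', defaultValue: 'master',
                     description: 'Git branch to build')
        // Selects which global-kubernetes-<env> Secret file credential is used.
        choice(name: 'TARGET_ENV', choices: ['test', 'gamma', 'prod'],
               description: 'Cluster to deploy to')
    }

    options {
        buildDiscarder(logRotator(numToKeepStr: '30'))
        timeout(time: 30, unit: 'MINUTES')
    }

    environment {
        REGISTRY  = 'harbor.devops.kaishustory.com'
        APP       = 'demo-app'   // assumed application name
        NAMESPACE = 'backend'    // assumed target namespace
        IMAGE     = "${REGISTRY}/${NAMESPACE}/${APP}:${params.BRANCH}-${env.BUILD_NUMBER}"
    }

    stages {
        stage('Checkout') {
            steps {
                // 'deploy' is the username/password credential for GitLab.
                git branch: params.BRANCH, credentialsId: 'deploy',
                    url: 'https://gitlab.example.com/backend/demo-app.git'
                // Build Name and Description Setter: branch and target in build history.
                buildName "#${env.BUILD_NUMBER} ${params.BRANCH} -> ${params.TARGET_ENV}"
            }
        }

        stage('Build') {
            steps {
                container('maven') {
                    // settings.xml is mounted only into this container by the Raw
                    // YAML above, so dependencies resolve through the internal Nexus.
                    sh 'mvn -B clean package -DskipTests'
                }
            }
        }

        stage('Image') {
            steps {
                script {
                    // Docker Pipeline plugin; 'harbor' is the registry credential.
                    // Assumes a docker client and daemon are reachable from this container.
                    docker.withRegistry("https://${REGISTRY}", 'harbor') {
                        docker.build(IMAGE).push()
                    }
                }
            }
        }

        stage('Deploy') {
            steps {
                container('python') {
                    // Kubernetes CLI plugin: the chosen Secret file credential is
                    // written to a temporary kubeconfig visible to these steps only.
                    withKubeConfig([credentialsId: "global-kubernetes-${params.TARGET_ENV}"]) {
                        // Single-quoted: values reach the shell as environment
                        // variables instead of being interpolated into the script.
                        sh 'kubectl -n "$NAMESPACE" set image "deployment/$APP" "$APP=$IMAGE"'
                        sh 'kubectl -n "$NAMESPACE" rollout status "deployment/$APP" --timeout=300s'
                    }
                }
            }
        }
    }

    post {
        success {
            // Lark Notice plugin; the robot ID is the one used later on this page.
            lark(robot: 'f72aa1bb-0f0b-47c7-8387-272d266dc25c', type: 'TEXT',
                 text: ["${APP} ${params.BRANCH} deployed to ${params.TARGET_ENV}", env.BUILD_URL])
        }
        failure {
            lark(robot: 'f72aa1bb-0f0b-47c7-8387-272d266dc25c', type: 'TEXT',
                 text: ["${APP} build #${env.BUILD_NUMBER} failed",
                        '<at user_id="all">everyone</at>', env.BUILD_URL])
        }
    }
}
```

The kubeconfig never lands in the workspace or the console log: withKubeConfig only exports KUBECONFIG for the enclosed steps, and the shell commands are single-quoted so the branch name (a user-supplied parameter) is not spliced into the script by Groovy.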

**Role-based Authorization Strategy**
Dashboard > Manage Jenkins > Security: set the Authorization strategy to Role-Based Strategy.

Global roles
Create a global role named developer and grant it read permission (Overall/Read is the minimum a user needs to log in).

Item roles
Create one item role per folder so that it can be assigned when users and groups are bound later; the role's pattern (for example test-backend/.*) selects the jobs it covers, and only the Job Read, Build and Cancel permissions were granted.

Assign roles: Global roles
Bind the user guopeihua to the developer role; the user inherits that role's permissions.

**Assign roles: Item roles**
Bind the user guopeihua to the item role test-backend; the user then has the job permissions granted by that role.

Verification
admin's view

guopeihua's view

LDAP configuration
- Root DN: the root of the LDAP tree that searches start from
- User search base: the base DN under which user entries are searched
- User search filter: rule for matching a user by the chosen attribute; {0} is replaced with the login name (the Jenkins default is uid={0})
- Manager DN: the DN of the account Jenkins binds with to run searches (an admin account is used here; a read-only service account is sufficient, because each user's own password is verified by binding as that user)
- Manager Password: password of that bind account
- Display Name LDAP attribute: the name shown at the top right of Jenkins; in this directory displayName holds the user's Chinese name
- Email Address LDAP attribute: the user's email address
Detailed LDAP configuration screenshot


Verification
After the username and password are verified, Jenkins returns the LDAP groups the user belongs to

Lark Notice Plugin (Feishu notifications)
Reference: https://721806280.github.io/lark-notice-plugin-doc/guide/feature/lark/pipeline.html
After installation, Manage Jenkins gains a Lark (Feishu) section where bots can be added; a pipeline then sends messages with the lark step. Example:

```groovy
pipeline {
    agent any
    stages {
        stage('text') {
            steps {
                echo 'Sending text message...'
            }
            post {
                success {
                    // robot: the ID of the bot created under Manage Jenkins > Lark
                    lark(
                        robot: 'f72aa1bb-0f0b-47c7-8387-272d266dc25c',
                        type: 'TEXT',
                        text: [
                            "New update notice",
                            '<at user_id="all">everyone</at>'
                        ]
                    )
                }
            }
        }
    }
}
```