Jenkins 添加 K8S 集群
Jenkins
添加 K8S
集群
依赖
K8S
集群和StorageClass
部署 Jenkins 服务
- 创建 PVC
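# jenkins.yaml
# PersistentVolumeClaim that holds /var/jenkins_home for the Jenkins controller.
# The devops namespace is not created by the manifests shown on this page;
# it has to exist before this is applied.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-pvc
  namespace: devops
spec:
  # Must match a StorageClass that already exists in the cluster
  # (the StorageClass prerequisite listed above).
  storageClassName: nfs-client-storageclass
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi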
- 创建
Jenkins
服务
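# jenkins.yaml
---
# Identity the Jenkins controller pod runs as. Its rights come from the
# jenkins ClusterRole and ClusterRoleBinding defined further down this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: devops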
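---
# Permissions for the jenkins ServiceAccount.
# NOTE(review): this is a ClusterRole and it is bound with a
# ClusterRoleBinding, so every rule applies in all namespaces. In particular
# `get` on secrets lets the Jenkins controller (and anyone who obtains its
# token) read any Secret in the cluster by name. If agents and deployments
# only target the devops namespace, a namespaced Role/RoleBinding is enough;
# confirm what the pipelines need before narrowing.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
  # NOTE(review): on Kubernetes 1.22+ Ingress is served from
  # networking.k8s.io, not "extensions"; verify against the cluster version.
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "ingresses"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  # Agent pods are created and removed by the controller.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # exec into agent pods to run build steps inside containers.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # Read-only access to pod logs and events for build output and diagnostics.
  - apiGroups: [""]
    resources: ["pods/log", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]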
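---
# Grants the jenkins ClusterRole to the jenkins ServiceAccount cluster-wide.
# A ClusterRoleBinding is cluster-scoped, so it takes no metadata.namespace;
# only the subject carries a namespace.
# NOTE(review): if Jenkins only needs these rights inside devops, a
# RoleBinding in that namespace with the same roleRef limits the grant to
# devops instead of every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: devops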
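---
# Jenkins controller. State lives on the jenkins-pvc volume mounted at
# /var/jenkins_home.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  namespace: devops
spec:
  selector:
    matchLabels:
      app: jenkins
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      # serviceAccountName is the current field name; serviceAccount is its
      # deprecated alias.
      serviceAccountName: jenkins
      # Optional: hand ownership of the volume to uid/gid 1000 before Jenkins
      # starts. chown only needs root inside the container, so privileged
      # mode is not required.
      # initContainers:
      #   - name: fix-permissions
      #     image: busybox:1.35.0
      #     command: ["sh", "-c", "chown -R 1000:1000 /var/jenkins_home"]
      #     securityContext:
      #       runAsUser: 0
      #     volumeMounts:
      #       - name: jenkinshome
      #         mountPath: /var/jenkins_home
      containers:
        - name: jenkins
          image: jenkins/jenkins:2.346.3-2-lts
          imagePullPolicy: IfNotPresent
          env:
            # NOTE(review): this switch turns off Jenkins' signature check on
            # downloaded update-site metadata. Keep it only if the update
            # site in use is a trusted mirror reached over HTTPS; otherwise
            # remove it so tampered plugin metadata is rejected.
            - name: JAVA_OPTS
              value: '-Dhudson.model.DownloadService.noSignatureCheck=true'
          ports:
            # Web UI.
            - containerPort: 8080
              name: web
              protocol: TCP
            # Inbound agent (JNLP) connections.
            - containerPort: 50000
              name: agent
              protocol: TCP
          resources:
            limits:
              # NOTE(review): 30000m is 30 CPU cores; confirm this is the
              # intended limit.
              cpu: 30000m
              memory: 4096Mi
            requests:
              cpu: 1500m
              memory: 2048Mi
          # Ready once the login page answers; up to 12 failed checks are
          # tolerated after the initial 60s delay.
          readinessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12
          volumeMounts:
            - name: jenkinshome
              mountPath: /var/jenkins_home
      volumes:
        - name: jenkinshome
          persistentVolumeClaim:
            claimName: jenkins-pvc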
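---
# In-cluster Service for the Jenkins web UI. No type is set, so it is a
# ClusterIP Service reachable only from inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: jenkins
  namespace: devops
  labels:
    app: jenkins
spec:
  selector:
    app: jenkins
  ports:
    - name: web
      port: 8080
      targetPort: web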
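---
# Exposes the agent port on every node so that agents started in another
# cluster can connect back to the controller.
# NOTE(review): a NodePort is reachable from any network that can reach the
# nodes; limit the allowed source addresses to the other cluster's nodes with
# firewall rules.
apiVersion: v1
kind: Service
metadata:
  name: jenkins-agent
  namespace: devops
  labels:
    app: jenkins
spec:
  selector:
    app: jenkins
  ports:
    - name: agent
      port: 50000
      targetPort: agent
      # 49999 is outside the default NodePort range (30000-32767); the API
      # server rejects it unless --service-node-port-range has been widened.
      nodePort: 49999
  type: NodePort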
Jenkins
服务添加 K8S
集群
安装 kubernetes
插件
安装
kubernetes
插件, 点击Manage Jenkins
->Manage Plugins
->Available
->Kubernetes
勾选安装即可
添加 Jenkins
所在 K8S
集群
点击 Manage Jenkins
-> Manage nodes and clouds
-> configureClouds
-> 配置集群
- 名称:当前集群的名称,后续
pipeline
流水线中的标签选择 Kubernetes
地址:当前这个集群对应的Kubernetes
地址Kubernetes
命名空间:启动Slave
节点的名称空间- 连接测试:测试是否能连接集群,配置是否正确
Jenkins
地址:Jenkins
控制器服务器的URL <Jenkins 部署在此 K8S 集群中,使用内部 svc 地址即可>Jenkins
通道:Slave
节点启动后和Master
节点通信地址 <Jenkins 部署在此 K8S 集群中,使用内部 svc 地址即可>
- 容器数量:允许同时运行的任务数量
添加其他 K8S
集群
Jenkins
服务部署在K8S-1
集群,下面添加K8S-2
集群
点击 Manage Jenkins
-> Manage nodes and clouds
-> configureClouds
-> 配置集群
- 名称:当前集群的名称,后续
pipeline
流水线中的标签选择 Kubernetes
地址:当前这个集群对应的Kubernetes
地址 <此地址需要Jenkins
服务Pod
能正常访问>Kubernetes
服务证书key
:当前这个集群 服务证书key
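- 禁用 HTTPS 证书检查:禁用检查,一般 K8S 集群证书是自己签发的不受信任的证书。如果已按上一项在「服务证书 key」中填入该集群的 ca.crt,Jenkins 就能校验 API Server 证书,此项可以不勾选;勾选后 Jenkins 不再验证 API Server 的身份。
Kubernetes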
命名空间:启动Slave
节点的名称空间- 凭据:连接当前集群的凭据,需要添加到
Jenkins
账号密码中 - 连接测试:测试是否能连接集群,配置是否正确
Jenkins
地址:Jenkins
控制器服务器的URL <此地址需要K8S-2
集群Node
节点能访问>Jenkins
通道:Slave
节点启动后和Master
节点通信地址 <此地址需要K8S-2
集群Node
节点能访问>
- 容器数量:允许同时运行的任务数量
Kubernetes
服务证书 key
- 查看其他
K8S
集群的/root/.kube/config
文件
# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 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
server: https://10.10.10.100:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5RENDQWR5123123Z0lJQ2RGQTdlQ2NpOGN3RFFZSktvWklodmNOQVFFTEJRmdOVkhTQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWdGdzB5TVRBNE1EWXdPVEkzTWpaYUdBOHlNVEl4TURjeE16QTVNamN5T0ZvdwpOREVYTUJVR0ExVUVDaE1PYzNsemRHVnRmdOVkhTPbTFoYzNSbGNuTXhHVmdOVkhTEFYQmdOVkJBTVRFR3QxWW1WeWJtVjBaWE10CllXUnRhVzR3Z2dFmdOVkhTaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRE10QWhLODFEN2lzS00KcHhKeDlZaUd0N1Jpcm1HS2dnQ0d4YzRNWmV1aTRoS2lpSHNYVVFRWDl5cTBncmliUjhVcUZHQ1doUHFWaWVJNwptemw0C9nckJnZFRKNFBIT2RqT21ZTjNhqQU5CZaytWalhGZlU5amxJcjZuZApmdOVkhTQWHdVUzZON2JTbFIvNWhWRFlyYnprQkQvNE1Ja3VDZlRQVDV0T2RGZ2NXV0ZvZ2VyMVIwQXRIektVNm8wbTJlCitMUFlBczFQQWdNQkFBRmdOVkhT2pKekFsTUE0R0ExVWREd0mdOVkhTVCL3dRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUYVGCjdOakV6ckxDYjBWanVLM0tHMFJtQkpacmFsRTQ2bUZpOHF6SzY0UEphV3V3K2t1akNwa2FZdWVYVER4aVZiM0EKekJpWjM3YnY2dFN0cjlvMGtHUzYvOTRuT1N0Z1JmMzdPMEhsOUV0SFMvbGNWZURiYWJHeUV0K0MvRmkwdDZiRwpST1XJ3cFBXa0JiRo3K2Y1M0RSQWE4VTUrmdOVkhTWWduWjRqbkZGNE1kaVI4Z3BXRUcrTXJ3cFBXa0JiRlBJeHRiak5nNHl2RGdHMmQ3CjdCQzh4MzdTUVF0d0FvdGgwMndoVjY1NDZlYzZtc2xISHhscTNrYUZVamVWQzNyNEt4QldSZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
client-key-data: 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
- 获取
/root/.kube/config
中certificate-authority-data
的内容,并用 base64 -d 解码保存为 ca.crt 文件
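## Decode the cluster CA certificate straight from the kubeconfig instead of
## pasting the base64 value on the command line by hand.
# kubectl config view --raw --kubeconfig /root/.kube/config -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ./ca.crt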
- 将
ca.crt
的内容填写到Kubernetes
服务证书key
凭据配置
- 获取
/root/.kube/config
中client-certificate-data
和client-key-data
的内容,并用 base64 -d 解码保存为 client.crt 和 client.key 文件
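## Decode the client certificate and private key straight from the kubeconfig.
## Reading them with kubectl keeps the private key out of the shell history
## and the process list, where a pasted `echo <base64>` argument would land.
# kubectl config view --raw --kubeconfig /root/.kube/config -o jsonpath='{.users[0].user.client-certificate-data}' | base64 -d > ./client.crt
# kubectl config view --raw --kubeconfig /root/.kube/config -o jsonpath='{.users[0].user.client-key-data}' | base64 -d > ./client.key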
- 生成
Client P12
认证文件cert.pfx
并下载至本地
# openssl pkcs12 -export -out ./cert.pfx -inkey ./client.key -in ./client.crt -certfile ./ca.crt
Enter Export Password:
Verifying - Enter Export Password:
# ll
total 20K
-rw-r--r-- 1 root root 1.3K Apr 4 17:49 ca.crt
-rw-r--r-- 1 root root 3.5K Apr 4 17:50 cert.pfx
-rw-r--r-- 1 root root 1.4K Apr 4 17:49 client.crt
-rw-r--r-- 1 root root 1.7K Apr 4 17:49 client.key
-rw-r--r-- 1 root root 246 Apr 4 17:51 password.txt
# cat password.txt
# openssl pkcs12 -export -out cert.pfx -inkey client.key -in client.crt -certfile ca.crt
# 命令生成的 cert.pfx 文件需要提供给 jenkins 使用,方便 dev-jenkins 调用 test k8s 环境,部署服务。
# 文件密码: evescn
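自定义一个 Password 并记住,上传 cert.pfx 文件到凭据中需要使用。cert.pfx 内含 kubernetes-admin 的客户端私钥,导出密码不要像上面那样以明文保存在 password.txt 中;上传完成后应删除服务器上的 client.key、cert.pfx 等中间文件(上面列出的权限为 644,本机任何用户都可读取)。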
- 点击
Manage Jenkins
->Manage Credentials
添加凭据
- 配置凭据
测试
配置 RBAC
jenkins
流水线运行,使用了一个devops
的serviceAccount
,需要配置
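# ServiceAccount that the pipeline agent pods run as; the pipelines on this
# page select it with serviceAccount: 'devops' in their podTemplate.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: devops
  namespace: devops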
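---
# Permissions for the devops ServiceAccount used by pipeline agent pods.
# NOTE(review): "*" API groups and "*" resources with every read and write
# verb is close to cluster-admin: it covers Secrets, RBAC objects and
# workloads in every namespace. Each container of an agent pod, including
# steps that run project build code, gets this ServiceAccount's token.
# Replace the wildcards with the API groups and resources the deployments
# actually touch once those are known.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete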
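---
# Grants the devops ClusterRole to the devops ServiceAccount in every
# namespace.
# NOTE(review): a cluster-wide grant is rarely needed for deployments. A
# RoleBinding in each target namespace (for example to the built-in `edit`
# ClusterRole) limits a leaked agent token to those namespaces; confirm which
# namespaces the pipelines deploy to before switching.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devops
subjects:
  - kind: ServiceAccount
    name: devops
    namespace: devops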
测试 Jenkins
所在 K8S
集群
- 流水线
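// Unique label per build, used both to define the agent pod and to select it.
def label = "slave-${UUID.randomUUID().toString()}"

// Description shown for this build.
currentBuild.description = "dev"

// Define the agent pod for this build.
podTemplate(
    label: label,
    // Name of the Kubernetes cloud as configured in Jenkins.
    cloud: "k8s-dev",
    containers: [
        // `cat` with a TTY keeps each container alive so stages can exec into it.
        containerTemplate(name: 'code', image: 'maven:3.3.1-jdk-8', command: 'cat', runAsUser: '1000', runAsGroup: '1000', ttyEnabled: true),
        containerTemplate(name: 'docker', image: 'docker:23.0.1', command: 'cat', ttyEnabled: true),
        // NOTE(review): these two images carry no tag, so whatever the
        // registry currently serves as the default tag is pulled. Pin a
        // version or digest so the tools that deploy to the cluster cannot
        // change underneath the pipeline.
        containerTemplate(name: 'helm', image: 'cnych/helm', command: 'cat', ttyEnabled: true),
        containerTemplate(name: 'kubectl', image: 'cnych/kubectl', command: 'cat', ttyEnabled: true)
    ],
    // Every container in the pod runs with this ServiceAccount, so its RBAC
    // rights are available to all build steps.
    serviceAccount: 'devops'
) {
    node(label) {
        stage('1、 拉取代码') {
            container('kubectl') {
                echo "拉取代码"
            }
        }
        stage('2、 代码检查') {
            container('kubectl') {
                echo "代码检查"
            }
        }
        stage('3、 代码构建') {
            container('code') {
                echo "代码构建"
            }
        }
        stage('4、 构建推送镜像') {
            container('docker') {
                // Message now matches the stage (was a copy of the build stage's).
                echo "构建推送镜像"
            }
        }
        stage('5、 代码发布') {
            container('helm') {
                // Message now matches the stage (was a copy of the build stage's).
                echo "代码发布"
            }
        }
    }
}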
测试 其他 K8S
集群
- 流水线
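// Unique label per build, used both to define the agent pod and to select it.
def label = "slave-${UUID.randomUUID().toString()}"

// Description shown for this build.
currentBuild.description = "dev"

// Define the agent pod for this build.
podTemplate(
    label: label,
    // Name of the Kubernetes cloud as configured in Jenkins; this is the only
    // setting that differs from the k8s-dev pipeline.
    cloud: "k8s-test",
    containers: [
        // `cat` with a TTY keeps each container alive so stages can exec into it.
        containerTemplate(name: 'code', image: 'maven:3.3.1-jdk-8', command: 'cat', runAsUser: '1000', runAsGroup: '1000', ttyEnabled: true),
        containerTemplate(name: 'docker', image: 'docker:23.0.1', command: 'cat', ttyEnabled: true),
        // NOTE(review): these two images carry no tag, so whatever the
        // registry currently serves as the default tag is pulled. Pin a
        // version or digest so the tools that deploy to the cluster cannot
        // change underneath the pipeline.
        containerTemplate(name: 'helm', image: 'cnych/helm', command: 'cat', ttyEnabled: true),
        containerTemplate(name: 'kubectl', image: 'cnych/kubectl', command: 'cat', ttyEnabled: true)
    ],
    // Every container in the pod runs with this ServiceAccount, so its RBAC
    // rights in the target cluster are available to all build steps.
    serviceAccount: 'devops'
) {
    node(label) {
        stage('1、 拉取代码') {
            container('kubectl') {
                echo "拉取代码"
            }
        }
        stage('2、 代码检查') {
            container('kubectl') {
                echo "代码检查"
            }
        }
        stage('3、 代码构建') {
            container('code') {
                echo "代码构建"
            }
        }
        stage('4、 构建推送镜像') {
            container('docker') {
                // Message now matches the stage (was a copy of the build stage's).
                echo "构建推送镜像"
            }
        }
        stage('5、 代码发布') {
            container('helm') {
                // Message now matches the stage (was a copy of the build stage's).
                echo "代码发布"
            }
        }
    }
}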