云计算-容器云-部署jumpserver 版本2

应用部署:堡垒机部署

# Configure the Yum repository from the provided package: download jumpserver.tar.gz
# from the given address into /root on the Jumpserver node, then unpack it under /opt.
[root@jumpserver ~]# tar -zxvf jumpserver.tar.gz -C /opt/
[root@jumpserver ~]# cp /opt/local.repo /etc/yum.repos.d/
# NOTE(review): the archive name below has no extension and no -C target, so it would
# extract into the current directory (/root per the prompt) - confirm the real file name
# against the contents of /opt.
[root@jumpserver ~]# tar -zxvf /opt/jumpserverrepo
[root@jumpserver ~]# yum clean all && yum makecache
# Install Python 2
[root@jumpserver ~]# yum install python2 -y
# Install docker-compose from the unpacked package.
# NOTE(review): after the mv, the binary lives at /usr/local/bin/docker-compose, so the
# relative `chmod +x docker-compose` run from /opt no longer finds the file; the path to
# make executable is /usr/local/bin/docker-compose.
[root@jumpserver opt]# mv docker-compose /usr/local/bin/docker-compose
[root@jumpserver opt]# chmod +x docker-compose
[root@jumpserver opt]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
# Install the Jumpserver service
# Build one image per Jumpserver component from the Dockerfile-* files in the current directory
[root@jumpserver opt]#docker build -t jumpserver/jms_mysql:v1.0 -f Dockerfile-mysql .
[root@jumpserver opt]#docker build -t jumpserver/jms_redis:v1.0 -f Dockerfile-redis .
[root@jumpserver opt]#docker build -t jumpserver/jms_core:v1.0 -f Dockerfile-core .
[root@jumpserver opt]#docker build -t jumpserver/jms_koko:v1.0 -f Dockerfile-koko .
[root@jumpserver opt]#docker build -t jumpserver/jms_guacamole:v1.0 -f Dockerfile-guacamole .
[root@jumpserver opt]#docker build -t jumpserver/jms_nginx:v1.0 -f Dockerfile-nginx .
[root@localhost opt]# docker-compose up -d
# NOTE(review): the line below is the online quick-start installer and looks like an
# alternative to the offline build above rather than a further step - confirm.
# It pipes a script fetched from the network straight into bash (as root, if run from the
# shell used above), and the `latest` path is not pinned, so the content can change
# between runs. Safer practice: download the script to a file, read it, check it against a
# published checksum where one is available, then execute the reviewed copy.
curl -sSL https://resource.fit2cloud.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash

2.2.6 安装 GitLab 环境

新建命名空间 kube-ops,将 GitLab 部署到该命名空间下,然后完成 GitLab 服务的配置。
上传CICD-Runner.tar.gz包
[root@k8s-master-node1 ~]#tar -zxvf CICD-Runner.tar.gz
[root@k8s-master-node1 ~]#cd cicd-runner/
[root@k8s-master-node1 cicd-runner]# docker load -i images/image.tar
[root@k8s-master-node1 cicd-runner]# kubectl create ns kube-ops
namespace/kube-ops created
[root@k8s-master-node1 cicd-runner]# vim gitlab.yaml
# Deployment that runs a single GitLab CE replica in the kube-ops namespace.
# As shown, the manifest mounts no volume, sets no resource limits and no securityContext.
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: gitlab
  name: gitlab
  namespace: kube-ops
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitlab
  #strategy: {}
  template:
    metadata:
      #creationTimestamp: null
      labels:
        app: gitlab
    spec:
      containers:
      # presumably the image loaded from images/image.tar earlier; IfNotPresent lets the
      # node use that local copy instead of pulling - TODO confirm
      - image: yidaoyun/gitlab-ce:v1.0
        imagePullPolicy: IfNotPresent
        name: gitlab-ce
        ports:
        # Port 80 only: the web UI and git-over-HTTP are served without TLS.
        - containerPort: 80
        env:
        # NOTE(review): the initial root password is stored in plain text in the manifest,
        # so anyone who can read this file or the Deployment object can read it, and the
        # value is weak. Outside a throwaway lab, keep it in a Secret and reference it with
        # valueFrom.secretKeyRef, using a strong unique value.
        - name: GITLAB_ROOT_PASSWORD
          value: 'admin123456'
[root@k8s-master-node1 cicd-runner]# kubectl apply -f gitlab.yaml 
deployment.apps/gitlab created
[root@k8s-master-node1 cicd-runner]# kubectl get pod -n kube-ops 
NAME                     READY   STATUS    RESTARTS   AGE
gitlab-df897d46d-vcjf6   1/1     Running   0          7s
[root@k8s-master-node1 cicd-runner]# vim gitlab.yaml
# Service that publishes the GitLab pod (selector app=gitlab) on node port 30880.
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: gitlab
  name: gitlab
  namespace: kube-ops
spec:
  ports:
  # No targetPort is given, so traffic is forwarded to the same port number (80) on the pod.
  - port: 80
    protocol: TCP
    # NOTE(review): a NodePort is opened on every node's address. The service is reached
    # over http:// later on this page, so the root password and the runner token cross
    # the network unencrypted; limit who can reach 30880 (firewall / security group) or
    # put a TLS-terminating ingress in front of it.
    nodePort: 30880
  selector:
    app: gitlab
  type: NodePort
[root@k8s-master-node1 cicd-runner]# kubectl apply -f gitlab.yaml 
service/gitlab created
[root@k8s-master-node1 cicd-runner]# kubectl get svc -n kube-ops 
NAME     TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
gitlab   NodePort   10.96.133.116   <none>        80:30880/TCP   14s

2.2.7 部署 GitLab Runner(x)

将 GitLab Runner 部署到 kube-ops 命名空间下,并完成 GitLab Runner 在 GitLab 中的注册。

在浏览器中打开 http://192.168.59.200:30880(节点 IP 加上 gitlab Service 的 NodePort 端口 30880)

登录账号:用户名 root,密码 admin123456(即 gitlab.yaml 中 GITLAB_ROOT_PASSWORD 设置的值)。该口令较弱且以明文写在清单中,仅适用于实验环境,登录后应尽快修改。

# 登录后在 GitLab 页面上获取部署 Runner 所需的 URL 和注册令牌(本例中令牌为 48XdJ5KYGoJPYjaa71gi)。注册令牌属于凭据,每个环境的值不同,应以自己环境中显示的为准,不要公开。

[root@k8s-master-node1 cicd-runner]# cd manifests/
[root@k8s-master-node1 manifests]# vim runner-configmap.yaml
# Excerpt of runner-configmap.yaml (the kind/metadata lines are not shown on this page).
# The keys are loaded into the runner container as environment variables through
# envFrom.configMapRef in runner-statefulset.yaml.
apiVersion: v1
data:
  REGISTER_NON_INTERACTIVE: "true"
  # The runner is not locked to a single project.
  REGISTER_LOCKED: "false"
  # Metrics endpoint bound to all interfaces; matches containerPort 9100 in the StatefulSet.
  METRICS_SERVER: "0.0.0.0:9100"
  # NOTE(review): plain http:// - the registration token and job traffic to GitLab are
  # not encrypted in transit.
  CI_SERVER_URL: "http://192.168.59.200:30880"
  RUNNER_REQUEST_CONCURRENCY: "4" 
  RUNNER_EXECUTOR: "kubernetes"
  KUBERNETES_NAMESPACE: "kube-ops"
  # NOTE(review): job pods are created privileged, so any pipeline that can run on this
  # runner effectively has root on the node it lands on. Presumably needed for the
  # docker-dind build step used later - TODO confirm; if so, restrict which projects and
  # branches may use this runner.
  KUBERNETES_PRIVILEGED: "true"
  KUBERNETES_CPU_LIMIT: "1"
# Base64-encode the runner registration token for the Secret in runner-statefulset.yaml.
# NOTE(review): base64 is an encoding, not encryption - the output is as sensitive as the
# token itself. Typing the token on the command line also leaves it in shell history.
[root@k8s-master-node1 manifests]#echo -n "48XdJ5KYGoJPYjaa71gi" | base64 
NDhYZEo1S1lHb0pQWWphYTcxZ2k=

# Open the file and add the labels field
[root@k8s-master-node1 manifests]# vim runner-statefulset.yaml
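# Secret holding the runner registration token. The StatefulSet in this file loads it
# with envFrom.secretRef, so metadata.name must be exactly the name referenced there.
apiVersion: v1
data:
  # base64 of the registration token (encoding only, not encryption); treat a manifest
  # that contains it as a credential and keep it out of shared repositories.
  GITLAB_CI_TOKEN: NDhYZEo1S1lHb0pQWWphYTcxZ2k=
kind: Secret
metadata:
  # Named gitlab-ci-token to match secretRef.name in the StatefulSet and the
  # "secret/gitlab-ci-token created" output of kubectl apply; with any other name the
  # runner pods cannot start because the referenced Secret does not exist.
  name: gitlab-ci-token
  namespace: kube-ops
  labels:
    app: gitlab-ci-runner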
---
# StatefulSet running two GitLab Runner pods in kube-ops. Each pod takes its settings
# from the gitlab-ci-runner-cm ConfigMap and the gitlab-ci-token Secret and starts
# /scripts/run.sh from a projected ConfigMap volume.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: gitlab-ci-runner
  namespace: kube-ops
  labels:
    app: gitlab-ci-runner
spec:
  serviceName: gitlab-ci-runner
  updateStrategy:
    type: RollingUpdate
  replicas: 2
  selector:
    matchLabels:
      app: gitlab-ci-runner
  template:
    metadata:
      labels:
        app: gitlab-ci-runner
    spec:
      securityContext:
        runAsNonRoot: true # the container runs as a non-root user
        runAsUser: 999
        supplementalGroups: [999]
      containers:
      # NOTE(review): no container-level securityContext or resource limits are set here;
      # consider allowPrivilegeEscalation: false and dropped capabilities if run.sh does
      # not need them - TODO confirm.
      - image: yidaoyun/gitlab-runner:v1.0
        imagePullPolicy: IfNotPresent
        name: gitlab-runner
        ports:
        - containerPort: 9100
        command: 
        - /scripts/run.sh
        envFrom:
        - configMapRef:
            name: gitlab-ci-runner-cm
        # The pod cannot start unless a Secret with exactly this name exists in kube-ops;
        # the Secret's metadata.name has to match it.
        - secretRef:
            name: gitlab-ci-token
        env:
        # Runner name is taken from the pod name (gitlab-ci-runner-0, gitlab-ci-runner-1).
        - name: RUNNER_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        volumeMounts:
        - name: gitlab-ci-runner-scripts
          mountPath: /scripts
          readOnly: true # mount the volume read-only inside the container
      volumes:
      - name: gitlab-ci-runner-scripts
        projected:
          sources:
          - configMap:
              name: gitlab-ci-runner-scripts
              items:
              - key: run.sh
                path: run.sh
                # executable bit so the container command can run the script
                mode: 0775
      restartPolicy: Always

# 依次启动
[root@k8s-master-node1 manifests]# kubectl apply -f runner-configmap.yaml 
configmap/gitlab-ci-runner-cm created
[root@k8s-master-node1 manifests]# kubectl apply -f runner-scripts-configmap.yaml 
configmap/gitlab-ci-runner-scripts created
[root@k8s-master-node1 manifests]# kubectl apply -f runner-statefulset.yaml 
secret/gitlab-ci-token created
statefulset.apps/gitlab-ci-runner created
[root@k8s-master-node1 manifests]# kubectl get pod -n kube-ops 
NAME                     READY   STATUS    RESTARTS   AGE
gitlab-ci-runner-0       1/1     Running   0          14s
gitlab-ci-runner-1       1/1     Running   0          12s
gitlab-df897d46d-vcjf6   1/1     Running   0          16h

2.2.8 配置 GitLab

在 GitLab 中新建公开项目并导入离线项目包,然后将 Kubernetes 集群添加到 GitLab 中。

# Point the offline project at the new GitLab instance and stage its files.
# --global writes the identity into root's ~/.gitconfig, so it applies to every
# repository this user touches, not only to springcloud.
[root@k8s-master-node1 cicd-runner]# cd springcloud/
[root@k8s-master-node1 springcloud]# git config --global user.name "Administrator"
[root@k8s-master-node1 springcloud]# git config --global user.email "admin@example.com"
[root@k8s-master-node1 springcloud]# git remote remove origin
# NOTE(review): the remote uses plain http://, so the username and password typed at
# `git push` are sent unencrypted to the NodePort.
[root@k8s-master-node1 springcloud]# git remote add origin http://192.168.59.200:30880/root/springcloud.git
[root@k8s-master-node1 springcloud]# git add .
warning: You ran 'git add' with neither '-A (--all)' or '--ignore-removal',
whose behaviour will change in Git 2.0 with respect to paths you removed.
Paths like '.gitlab-ci.yml' that are
removed from your working tree are ignored with this version of Git.
* 'git add --ignore-removal <pathspec>', which is the current default,
  ignores paths you removed from your working tree.
* 'git add --all <pathspec>' will let you also record the removals.
Run 'git status' to check the paths you removed from your working tree.
[root@k8s-master-node1 springcloud]# git commit -m "Initial commit"
[master db17cb0] Initial commit
 1 file changed, 2 insertions(+)
[root@k8s-master-node1 springcloud]# git push -u origin master
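Username for 'http://10.24.206.143:30880': root  # GitLab 用户名(此段输出中的地址 10.24.206.143 与上文添加的 origin 地址 192.168.59.200 不一致,请以实际环境为准)
Password for 'http://root@10.24.206.143:30880':(admin123456)  # GitLab 密码(实际输入时不回显;通过 http:// 推送时口令以明文传输)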
Counting objects: 1355, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (1000/1000), done.
Writing objects: 100% (1355/1355), 4.05 MiB | 0 bytes/s, done.
Total 1355 (delta 269), reused 1348 (delta 266)
remote: Resolving deltas: 100% (269/269), done.
To http://10.24.206.143:30880/root/springcloud.git
 * [new branch]      master -> master
Branch master set up to track remote branch master from origin.



# 获取CA证书
[root@k8s-master-node1 springcloud]# cat /etc/kubernetes/pki/ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# Get the service-account token
# NOTE(review): the suffix of the secret name is generated per cluster (the output below
# shows default-token-tgz8r, not default-token-h8h7n); list the names first with
# `kubectl get secrets -n kube-system`. The token printed by this command is a bearer
# credential for the cluster API - do not paste it into shared documents.
[root@k8s-master-node1 springcloud]# kubectl describe secrets -n kube-system default-token-h8h7n 
Name:         default-token-tgz8r
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: d4111b82-49c8-481b-83ff-ff2619eb3d1b

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjN0Z3RzNDdfT3FGc0pHalJKWi1ZcHZ5TTF4cDB6X2duLWxhanViVkJXLVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLXRnejhyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkNDExMWI4Mi00OWM4LTQ4MWItODNmZi1mZjI2MTllYjNkMWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06ZGVmYXVsdCJ9.RfWmtTwtY-WOXIibVOOsRjcvJRktI9O0pFOpR-VtjfJKVAuwwjxinQC8LaGvFZK9kooTvf1GKA261awk45uj-hZjN7T2rK9glea-D8YqwFRR5y7G6uU_SCqho2h1qC6T6ax30XCMuVgWe5RuvG0rXB1qnT72vy72K2iSCb9M7SuuqI-kElvf5M1l0zmrvN9xCvKebVtwt2hIuMAJW2fgNhiEMmHaXPVmVUYr_G5jrtP73HoDclGC2i2elJAySJXek7pxyzmaOlP7jWXYhaXjiU5BvX_PSUfLSt2PVpOEANNUyBowfZkOhIyoc0QQSd7-Wi0gx3Sd9hMwH7LXHRmt-w
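  • 将获取的 CA 证书和令牌分别填入 GitLab 中添加 Kubernetes 集群时的对应字段。该令牌是访问集群的凭据,不应公开;建议为 GitLab 单独创建 ServiceAccount 并只授予所需权限,而不是直接使用 kube-system 的 default 令牌。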

    2.2.9 构建 CI/CD
    在项目中编写流水线脚本,然后触发自动构建,要求完成构建代码、构建镜像、推送镜像到 Harbor,并发布服务到 Kubernetes 集群。

    将 tcp://localhost:2375 改为 tcp://docker-dind:2375(即 Docker 守护进程的连接地址)。2375 是 Docker API 未加密、无认证的端口,只应在集群内部可达,不要对外暴露。
    [root@k8s-master-node1 springcloud]# kubectl edit -n kube-system cm coredns

    53后面添加一个gitlab

    添加映射

    [root@k8s-master-node1 ~]# cat /etc/hosts
    192.168.100.23 apiserver.cluster.local # 选择这一行

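    登录 Harbor 仓库(示例口令 Harbor12345 是 Harbor 的默认管理员密码,实际环境应先修改;如下方警告所示,docker login 会把凭据未加密地保存在 /root/.docker/config.json 中)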

    [root@k8s-master-node1 springcloud]# docker login 192.168.59.200
    Username: admin
    Password: (Harbor12345)
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    [root@k8s-master-node1 springcloud]# cd ..
    [root@k8s-master-node1 cicd-runner]# vim Dockerfile
    # Minimal demo image: stock nginx with one line appended to the default index page.
    # NOTE(review): nginx:latest is a moving tag, so two builds of this file can produce
    # different images; pin a specific version tag or digest for repeatable builds.
    # The build on this page sends the whole cicd-runner directory (2.892GB) as context;
    # a .dockerignore or a dedicated build directory keeps unrelated files such as image
    # tarballs out of the build.
    FROM nginx:latest
    RUN echo "Hello Golang In Gitlab CI,go1.10.3,/bin/app" >> /usr/share/nginx/html/index.html
    [root@k8s-master-node1 cicd-runner]# docker build -t 10.24.206.143/library/springcloud:master -f Dockerfile .
    Sending build context to Docker daemon 2.892GB
    Step 1/2 : FROM nginx:latest
    ---> de2543b9436b
    Step 2/2 : RUN echo "Hello Golang In Gitlab CI,go1.10.3,/bin/app" >> /usr/share/nginx/html/index.html
    ---> Running in a5b69ead6f7f
    Removing intermediate container a5b69ead6f7f
    ---> 193d60448c3d
    Successfully built 193d60448c3d
    Successfully tagged 10.24.206.143/library/springcloud:master
    [root@k8s-master-node1 cicd-runner]# docker push 10.24.206.143/library/springcloud:master
    The push refers to repository [10.24.206.143/library/springcloud]
    09c5777979b4: Pushed
    a059c9abe376: Pushed
    09be960dcde4: Pushed
    18be1897f940: Pushed
    dfe7577521f0: Pushed
    d253f69cb991: Pushed
    fd95118eade9: Pushed
    master: digest: sha256:95218b2f4822bdbe6f937c74b3fe7879998385cd04d74c241e5706294239ee29 size: 177
    [root@k8s-master-node1 cicd-runner]# kubectl create ns gitlab
    namespace/gitlab created

    使用刚刚生成的镜像

    [root@k8s-master-node1 cicd-runner]# vim deploymeng.yaml
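    # Demo Deployment plus NodePort Service for the image built and pushed above.
    # The nesting and the `---` document separator are restored here: the page had lost
    # the YAML indentation, and a file with every key at the same level does not parse as
    # a Deployment followed by a Service.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      creationTimestamp: null
      labels:
        app: gitlab-k8s-demo-dev
      name: gitlab-k8s-demo-dev
      namespace: gitlab
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: gitlab-k8s-demo-dev
      strategy: {}
      template:
        metadata:
          creationTimestamp: null
          labels:
            app: gitlab-k8s-demo-dev
        spec:
          containers:
          # `master` is a mutable tag: with IfNotPresent, a node that already holds an
          # image under this tag keeps running it after a newer push. Referencing the
          # digest printed by `docker push` pins the exact image.
          - image: 10.24.206.143/library/springcloud:master
            name: springcloud
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: gitlab-k8s-demo-dev
      namespace: gitlab
    spec:
      ports:
      # Published on port 30800 of every node, over plain HTTP.
      - port: 80
        nodePort: 30800
      selector:
        app: gitlab-k8s-demo-dev
      type: NodePort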
    [root@k8s-master-node1 cicd-runner]# kubectl apply -f deploymeng.yaml
    deployment.apps/gitlab-k8s-demo-dev created
    service/gitlab-k8s-demo-dev configured
    [root@k8s-master-node1 cicd-runner]# kubectl get deployments.apps -n gitlab
    NAME READY UP-TO-DATE AVAILABLE AGE
    gitlab-k8s-demo-dev 2/2 2 2 2m11s
    [root@k8s-master-node1 cicd-runner]# kubectl get pod -n gitlab
    NAME READY STATUS RESTARTS AGE
    gitlab-k8s-demo-dev-76c8494bdd-hcwwd 1/1 Running 0 101s
    gitlab-k8s-demo-dev-76c8494bdd-hfm2n 1/1 Running 0 101s
    [root@k8s-master-node1 cicd-runner]# kubectl get svc -n gitlab
    NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
    gitlab-k8s-demo-dev NodePort 10.96.99.185 <none> 80:30800/TCP 31m
