Delivering Jenkins to the k8s cluster
### 1. Image preparation
```
docker pull jenkins/jenkins:2.190.3
docker tag 22b8b9a84dbe harbor.od.com/public/jenkins:v2.190.3
docker push harbor.od.com/public/jenkins:v2.190.3
```
The stock Jenkins image cannot be used directly in our environment; it has to be customized first:
```
mkdir -p /data/dockerfile/jenkins/
cd /data/dockerfile/jenkins
cat /data/dockerfile/jenkins/Dockerfile
```
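```
FROM harbor.od.com/public/jenkins:v2.190.3
# User that Jenkins is started as
USER root
# Change the time zone to UTC+8
RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&\
    echo 'Asia/Shanghai' >/etc/timezone
# Load the user's private key: the ssh key used to pull the dubbo service code
ADD id_rsa /root/.ssh/id_rsa
# Load the host's docker config file, so the login credentials for the remote registry are available inside the container
ADD config.json /root/.docker/config.json
# Install the docker client inside the Jenkins container: Jenkins runs docker build, and the docker engine used is the host's
ADD get-docker.sh /get-docker.sh
# Skip the "yes" prompt when connecting over ssh, then run the docker installation
RUN echo " StrictHostKeyChecking no" >> /etc/ssh/ssh_config &&\
    /get-docker.sh
```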
First create the key pair (**replace the e-mail address with your own**):
```
ssh-keygen -t rsa -b 2048 -C "xxx@xxx.com" -N "" -f /root/.ssh/id_rsa
```
The private key is loaded into Jenkins and the public key is registered in the git repository; otherwise the code cannot be pulled:
![](https://img.kancloud.cn/b7/ee/b7ee54a923917da499060f64e9414b32_879x88.png)
Next, create the files the Dockerfile needs:
```
cp /root/.ssh/id_rsa ./
cp /root/.docker/config.json ./
curl -fsSL https://get.docker.com -o get-docker.sh
chmod u+x get-docker.sh
```
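Create a private repository for ops images: open our harbor.od.com and create a private repository named infra. The Jenkins image built below contains the SSH private key and the registry login, so it belongs in a private repository.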
![](https://img.kancloud.cn/55/08/5508ca0588d1e0f0a7c7c06a2d8a226a_953x273.png)
Then build the image:
```
docker build . -t harbor.od.com/infra/jenkins:v2.190.3
```
![](https://img.kancloud.cn/99/fe/99fe2c79ebae95ae50e8c6891060fdbd_901x728.png)
After the build, push the image to our private repository:
```
docker push harbor.od.com/infra/jenkins:v2.190.3
```
![](https://img.kancloud.cn/10/ad/10ad682743723c6fbb2c945e5ec3b45d_1376x275.png)
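A preflight check for the build and push steps above, added here as an example (it is not part of the original page). It checks the four files the Dockerfile adds and refuses an image tag under the `public` project; the function names and the assumption that `public` is world-readable are mine.

```shell
#!/bin/sh
# Added example: run in /data/dockerfile/jenkins before docker build / docker push.
# Assumption: the Harbor project "public" is world-readable, "infra" is private.

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# preflight DIR IMAGE_REF -> prints each finding; returns 1 if there is any
preflight() {
    dir=$1; ref=$2; rc=0
    for f in Dockerfile id_rsa config.json get-docker.sh; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f"; rc=1; }
    done
    # ADD keeps the mode bits of the source file, and ssh ignores a private
    # key that group or others can access.
    if [ -f "$dir/id_rsa" ]; then
        case "$(file_mode "$dir/id_rsa")" in
            ?00) ;;
            *) echo "id_rsa is accessible to group/others"; rc=1 ;;
        esac
    fi
    # The Dockerfile runs /get-docker.sh directly, so it needs the exec bit;
    # a file that does not start with #! is not the installer script.
    if [ -f "$dir/get-docker.sh" ]; then
        [ -x "$dir/get-docker.sh" ] || { echo "get-docker.sh not executable"; rc=1; }
        [ "$(head -c 2 "$dir/get-docker.sh")" = '#!' ] ||
            { echo "get-docker.sh has no #! line"; rc=1; }
    fi
    # The image embeds id_rsa and config.json, so it must not be tagged for
    # the public project (second component of registry/project/repo:tag).
    project=$(printf '%s' "$ref" | cut -d/ -f2)
    if [ "$project" = public ]; then
        echo "refusing $ref: image embeds credentials, project is public"; rc=1
    fi
    return "$rc"
}

# Stand-alone use:  sh preflight.sh harbor.od.com/infra/jenkins:v2.190.3
if [ -n "${1:-}" ]; then preflight . "$1"; fi
```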
Create a namespace for Jenkins:
```
kubectl create ns infra
```
Create a secret used to access our private infra repository (run on any one node):
```
kubectl create secret docker-registry harbor --docker-server=harbor.od.com --docker-username=admin --docker-password=Harbor12345 -n infra
```
![](https://img.kancloud.cn/68/fe/68fed7840e1d0f0f0b635f445e1b8f03_1155x72.png)
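To explain the command above: it creates a secret whose resource type is docker-registry and whose name is harbor, with docker-server=harbor.od.com, docker-username=admin and docker-password=Harbor12345; `-n infra` places it in the infra namespace created above.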
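What the command above stores, shown as an added example (not from the original page): these functions build the equivalent `kubernetes.io/dockerconfigjson` Secret from a password that is read from a file, so it never appears in shell history or the process list. The function names and the `/root/harbor.pass` path are assumptions; the stored value is only base64-encoded, not encrypted.

```shell
#!/bin/sh
# Added example: build the Secret that `kubectl create secret docker-registry`
# creates. Function names and the password-file path are assumptions.

# Escape backslashes and double quotes so a value is safe inside JSON.
# Assumption: the value contains no control characters or newlines.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# base64 on a single line (GNU base64 wraps long output by default)
b64() {
    base64 | tr -d '\n'
}

# registry_auth USER PASSWORD -> the "auth" field: base64("user:password")
registry_auth() {
    printf '%s:%s' "$1" "$2" | b64
}

# dockerconfigjson SERVER USER PASSWORD -> JSON kept under .dockerconfigjson
dockerconfigjson() {
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
        "$(registry_auth "$2" "$3")"
}

# secret_manifest NAME NAMESPACE SERVER USER PASSWORD -> Secret YAML on stdout
secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(dockerconfigjson "$3" "$4" "$5" | b64)
EOF
}

# Usage, with the password kept in a root-only file (hypothetical path):
#   secret_manifest harbor infra harbor.od.com admin "$(cat /root/harbor.pass)" \
#     | kubectl apply -f -
```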
### 2. Shared storage deployment
Install on the ops host and on all node machines:
```
yum install nfs-utils -y
```
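Use HDSS7-200 as the server. With `no_root_squash`, the root user of any client in 10.4.7.0/24, including the Jenkins container that runs as root, keeps root privileges on the exported directory: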
```
vi /etc/exports
/data/nfs-volume 10.4.7.0/24(rw,no_root_squash)
mkdir -p /data/nfs-volume/jenkins_home
```
Start the service:
```
systemctl start nfs
systemctl enable nfs
```
### 3. Prepare the Jenkins resource manifests
```
cd /data/k8s-yaml/
mkdir jenkins
cd jenkins
```
cat dp.yaml
```
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: jenkins
  namespace: infra
  labels:
    name: jenkins
spec:
  replicas: 1
  selector:
    matchLabels:
      name: jenkins
  template:
    metadata:
      labels:
        app: jenkins
        name: jenkins
    spec:
      volumes:
      - name: data
        nfs:
          server: hdss7-200
          path: /data/nfs-volume/jenkins_home
      - name: docker
        hostPath:
          path: /run/docker.sock
          type: ''
      containers:
      - name: jenkins
        image: harbor.od.com/infra/jenkins:v2.190.3
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080
          protocol: TCP
        env:
        - name: JAVA_OPTS
          value: -Xmx512m -Xms512m
        volumeMounts:
        - name: data
          mountPath: /var/jenkins_home
        - name: docker
          mountPath: /run/docker.sock
      imagePullSecrets:
      - name: harbor
      securityContext:
        runAsUser: 0
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  revisionHistoryLimit: 7
  progressDeadlineSeconds: 600
```
cat svc.yaml
```
kind: Service
apiVersion: v1
metadata:
  name: jenkins
  namespace: infra
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  selector:
    app: jenkins
```
cat ingress.yaml
```
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: jenkins
  namespace: infra
spec:
  rules:
  - host: jenkins.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: jenkins
          servicePort: 80
```
Configure DNS resolution:
```
vi /var/named/od.com.zone
jenkins A 10.4.7.10
systemctl restart named
```
Check whether the data Jenkins needs to persist has actually been saved:
![](https://img.kancloud.cn/c0/66/c0667398de835f13787c0ace4212eb88_563x280.png)
Jenkins password location:
```
cat /data/nfs-volume/jenkins_home/secrets/initialAdminPassword
```
Tuning the Jenkins security settings:
![](https://img.kancloud.cn/10/83/1083dd098db100da4476160374b04b20_1920x937.png)
Replace the Jenkins update source and install plugins:
```
cd /data/nfs-volume/jenkins_home/updates
sed -i 's/http:\/\/updates.jenkins-ci.org\/download/https:\/\/mirrors.tuna.tsinghua.edu.cn\/jenkins/g' default.json
sed -i 's/http:\/\/www.google.com/https:\/\/www.baidu.com/g' default.json
```
Search for the Blue Ocean plugin (`blue ocean`) and install it.
After the installation completes:
![](https://img.kancloud.cn/f7/98/f79840740adc05ac85c3a4eef1929053_593x520.png)
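Because we built the image ourselves, verify it from inside the container:
```
docker exec -it 8ff92f08e3aa /bin/bash
# Is it running as root?
whoami
# Is the time zone UTC+8?
date
# Is it using the host's docker engine? From inside the container, list the docker resources on the host
docker ps
# Can it access the Harbor private registry? (it can, because the host's docker config.json was loaded into the container)
docker login harbor.od.com
```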
![](https://img.kancloud.cn/4a/0f/4a0f9389a27a316eb959f2dfb497d81a_883x509.png)