
Kubernetes Automated Operations and CI/CD Integration: Building an Efficient Continuous Delivery Pipeline

1. CI/CD Overview

CI/CD (continuous integration / continuous delivery) is a methodology for automating software delivery. Integrating CI/CD into a Kubernetes environment automates the build, test and deployment of applications.

1.1 CI/CD Flow

```
Code commit → CI build → Test      → Image push → CD deploy  → Verify
     ↓           ↓          ↓            ↓            ↓
  Git repo    Jenkins   SonarQube     Harbor     Kubernetes
```

1.2 Choosing the Toolchain

| Stage | Tools | Description |
|---|---|---|
| Source control | Git, GitHub, GitLab | Code version control |
| Continuous integration | Jenkins, GitLab CI, GitHub Actions | Automated build and test |
| Code quality | SonarQube | Code quality analysis |
| Image management | Harbor, Docker Hub | Container image registry |
| Continuous deployment | Argo CD, Flux CD | GitOps deployment |

2. Integrating Jenkins with Kubernetes

2.1 Deploying Jenkins

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: jenkins
---
# Binds the ServiceAccount to a Role named "jenkins", which must exist in this namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
  namespace: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
roleRef:
  kind: Role
  name: jenkins
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  namespace: jenkins
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jenkins
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      serviceAccountName: jenkins
      containers:
      - name: jenkins
        image: jenkins/jenkins:lts
        ports:
        - containerPort: 8080   # web UI
        - containerPort: 50000  # inbound agent connections
        volumeMounts:
        - name: jenkins-home
          mountPath: /var/jenkins_home
      volumes:
      - name: jenkins-home
        persistentVolumeClaim:
          claimName: jenkins-pvc
```

2.2 Jenkins Pipeline Configuration

```groovy
pipeline {
    agent {
        kubernetes {
            yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: docker
    image: docker:latest
    command:
    - cat
    tty: true
    volumeMounts:
    - name: docker-sock
      mountPath: /var/run/docker.sock
  - name: kubectl
    image: bitnami/kubectl:latest
    command:
    - cat
    tty: true
  volumes:
  # Mounting the node's Docker socket gives this pod control of the host's Docker daemon
  - name: docker-sock
    hostPath:
      path: /var/run/docker.sock
'''
        }
    }
    stages {
        stage('Checkout') {
            steps {
                git branch: 'main', url: 'https://github.com/example/app.git'
            }
        }
        stage('Build') {
            steps {
                // Run in the "docker" container; tag with the registry name so the Push stage finds the image
                container('docker') {
                    sh "docker build -t registry.example.com/my-app:${BUILD_NUMBER} ."
                }
            }
        }
        stage('Test') {
            steps {
                container('docker') {
                    sh "docker run registry.example.com/my-app:${BUILD_NUMBER} npm test"
                }
            }
        }
        stage('Push') {
            steps {
                container('docker') {
                    sh "docker push registry.example.com/my-app:${BUILD_NUMBER}"
                }
            }
        }
        stage('Deploy') {
            steps {
                container('kubectl') {
                    sh "kubectl set image deployment/my-app app=registry.example.com/my-app:${BUILD_NUMBER}"
                }
            }
        }
    }
}
```

3. Integrating GitLab CI

3.1 GitLab CI Configuration

```yaml
image: docker:latest

services:
- docker:dind

stages:
- build
- test
- deploy

build:
  stage: build
  script:
  - docker build -t registry.example.com/my-app:$CI_COMMIT_SHA .
  - docker push registry.example.com/my-app:$CI_COMMIT_SHA

test:
  stage: test
  script:
  - docker run registry.example.com/my-app:$CI_COMMIT_SHA npm test

deploy:
  stage: deploy
  script:
  - apk add --no-cache curl
  # Download the current stable kubectl release
  - curl -LO https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl
  - chmod +x kubectl
  - ./kubectl set image deployment/my-app app=registry.example.com/my-app:$CI_COMMIT_SHA
  only:
  - main
```

3.2 GitLab Runner Configuration

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitlab-runner-config
  namespace: gitlab
data:
  config.toml: |
    concurrent = 4
    [[runners]]
      name = "Kubernetes Runner"
      url = "https://gitlab.example.com/"
      token = "runner-token"
      executor = "kubernetes"
      [runners.kubernetes]
        namespace = "gitlab"
        image = "alpine:latest"
        # Required by the docker:dind service; job containers run privileged on the node
        privileged = true
```

4. Integrating GitHub Actions

4.1 GitHub Actions Configuration

```yaml
name: CI/CD Pipeline

on:
  push:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Build Docker image
      run: docker build -t registry.example.com/my-app:${{ github.sha }} .
    - name: Push Docker image
      run: |
        echo "${{ secrets.DOCKER_PASSWORD }}" | docker login registry.example.com -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
        docker push registry.example.com/my-app:${{ github.sha }}

  deploy:
    needs: build
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Set up Kubectl
      uses: azure/setup-kubectl@v3
      with:
        version: 'latest'
    - name: Deploy to Kubernetes
      run: |
        # KUBE_CONFIG holds a base64-encoded kubeconfig
        echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > kubeconfig
        kubectl --kubeconfig=kubeconfig set image deployment/my-app app=registry.example.com/my-app:${{ github.sha }}
```

5. Argo CD Configuration

5.1 Deploying Argo CD

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: argocd
  namespace: argocd
spec:
  server:
    route:
      enabled: true
  repo:
    url: https://github.com/example/gitops-repo
```

5.2 Argo CD Application Configuration

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/example/gitops-repo
    targetRevision: HEAD
    path: apps/my-app
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true      # delete resources that were removed from Git
      selfHeal: true   # revert changes made directly on the cluster
```

6. Flux CD Configuration

6.1 Installing Flux CD

```bash
flux bootstrap github \
  --owner=my-github-username \
  --repository=fleet-infra \
  --branch=main \
  --path=./clusters/my-cluster \
  --personal
```

6.2 Flux CD Kustomization

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./apps/my-app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  healthChecks:
  - apiVersion: apps/v1
    kind: Deployment
    name: my-app
    namespace: default
```

7. Code Quality Analysis

7.1 SonarQube Integration

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sonarqube
  namespace: sonarqube
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sonarqube
  template:
    metadata:
      labels:
        app: sonarqube
    spec:
      containers:
      - name: sonarqube
        image: sonarqube:latest
        ports:
        - containerPort: 9000
        volumeMounts:
        - name: sonarqube-data
          mountPath: /opt/sonarqube/data
      volumes:
      - name: sonarqube-data
        persistentVolumeClaim:
          claimName: sonarqube-pvc
```

7.2 SonarQube Scan Configuration

```groovy
stage('SonarQube Analysis') {
    steps {
        withSonarQubeEnv('SonarQube') {
            sh 'mvn sonar:sonar -Dsonar.projectKey=my-app -Dsonar.host.url=http://sonarqube:9000'
        }
    }
}
```

8. Image Security Scanning

8.1 Trivy Integration

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: image-scan
  namespace: security
spec:
  schedule: "0 3 * * *"   # every day at 03:00
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: trivy
            image: aquasec/trivy:latest
            command:
            - /bin/sh
            - -c
            # Exit with code 1 when HIGH or CRITICAL vulnerabilities are found
            - trivy image --severity HIGH,CRITICAL --exit-code 1 registry.example.com/my-app:latest
          restartPolicy: OnFailure
```

9. Deployment Verification

9.1 Health Check Integration

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: app
        image: my-app:latest
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
```

9.2 Deployment Verification Script

```bash
#!/bin/bash
# Wait for the Deployment to become ready
kubectl rollout status deployment/my-app
# Check Pod status
kubectl get pods -l app=my-app
# Verify the service
curl -f http://my-app:8080/health || exit 1
```

10. Summary

Integrating Kubernetes automated operations with CI/CD provides:

- Automated builds: a code commit automatically triggers the build process
- Automated testing: code quality and security checks are part of the pipeline
- Automated deployment: GitOps delivers continuous delivery
- Deployment verification: deployment results are verified automatically

Choose a CI/CD toolchain that fits your team's needs, and combine it with GitOps to get a deployment process that is traceable and can be rolled back.
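An added example (not code from the original article): a small Python audit of a pod spec for three settings that appear in the configurations above, namely a hostPath mount of /var/run/docker.sock, privileged containers, and images on a floating tag such as `:latest`. The function and rule names are assumptions made for this example, and the sample spec is constructed from the Jenkins agent pod in section 2.2.

```python
import json

# Constructed sample: the agent pod from section 2.2, in the JSON form
# found under .spec in `kubectl get pod -o json` output.
AGENT_POD_SPEC = json.loads("""
{
  "containers": [
    {"name": "docker", "image": "docker:latest",
     "volumeMounts": [{"name": "docker-sock", "mountPath": "/var/run/docker.sock"}]},
    {"name": "kubectl", "image": "bitnami/kubectl:latest"}
  ],
  "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}]
}
""")


def uses_floating_tag(image):
    """True when the image is not digest-pinned and has no tag or uses :latest."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]          # drop a registry host:port prefix
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag in ("", "latest")


def audit_pod_spec(spec):
    """Return a list of (rule, subject) findings for a pod spec dict."""
    findings = []
    host_vols = {}                           # volume name -> host path
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            host_vols[vol["name"]] = vol["hostPath"].get("path", "")
            findings.append(("host-path-volume", host_vols[vol["name"]]))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if uses_floating_tag(c.get("image", "")):
            findings.append(("floating-image-tag", c["name"]))
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(("privileged-container", c["name"]))
        for m in c.get("volumeMounts", []):
            if host_vols.get(m["name"], "").endswith("docker.sock"):
                findings.append(("docker-socket-mount", c["name"]))
    return findings


if __name__ == "__main__":
    for rule, subject in audit_pod_spec(AGENT_POD_SPEC):
        print(f"{rule}: {subject}")
```

Run as a pipeline step against rendered manifests, a non-empty result can fail the build before the Deploy stage.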
http://www.zskr.cn/news/1372511.html
