iProbe/Docs
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

添加 CloudNative/Kubernetes/Docs/cicd/k8s-containerd中部署jenkins方案 .md

Browse source
This commit is contained in:
iProbe 2024-10-16 18:19:21 +08:00
parent e7db21b8ef
commit 36f0769997
1 changed files with 87 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

87
CloudNative/Kubernetes/Docs/cicd/k8s-containerd中部署jenkins方案 .md Normal file
View file

@ -0,0 +1,87 @@
## k8s中部署jenkins方案
小标题容器运行时为containerd的k8s中部署jenkins或容器运行时由docker变更为containerd的方案说明
### 一、环境介绍
1、k8s版本v1.23.0
2、k8s集群容器运行时docker
3、jenkins版本2.414.1
### 二、背景及方案说明
背景:
- 因安全需要k8s集群需要升级到1.24或以上版本但1.24及以上版本的k8s已删除对docker的直接支持因此需要变更容器运行时为containerd。而原有jenkins是基于docker做的项目部署方案。因此需要修改基础镜像以支持containerd。
方案:
- 1、jenkins server只做调度具体编译工作由agent节点完成因此jenkins server不需要处理切换runtime时会自动切换。
- 2、agent镜像基于官方的inbound-agent镜像并添加了kubectl,docker工具用于构建推送镜像并修改k8s中的负载的image因此需要变更为添加kubectl,nerdctl,buildctl工具的镜像。
- 3、因为项目使用的代码语言不同因此需要基于基础agent的镜像添加不同语言的编译环境。如java,python,golang,nodejs等。
### 三、工具
- 1. nerdctl: 与docker cli兼容的containerd工具。[访问链接](https://github.com/containerd/nerdctl)
- 2. buildctl: buildkitd客户端工具用于构建镜像。若不需要构建镜像可以不装。[访问链接](https://github.com/moby/buildkit)
- 3. kubectl: k8s客户端工具用于管理k8s集群。[访问链接](https://kubernetes.io/docs/tasks/tools/)
- 4. 参考文档: [k8s中部署buildkit](https://github.com/moby/buildkit/tree/master/examples/kubernetes)<a id="doc"></a>
### 四、jenkins agent镜像制作
1、agent基础镜像制作
```bash
# ibound-agent镜像已推送到镜像仓库kubectl,nerdctl,buildctl工具已下载到本地
cat > Dockerfile <<EOF
FROM swr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-20230925
# root
USER root
ADD bin/buildctl kubectl nerdctl /usr/bin/
RUN cd /usr/bin && chmod +x kubectl buildctl nerdctl
# jenkins
USER jenkins
EOF
docker build . -t swr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl
docker push swr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl
```
2、gradle编译环境镜像制作
```bash
# gradle-8.4-all已下载到本地
cat > Dockerfile <<EOF
FROM swr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl
USER root
ADD gradle-8.4.tar.gz /usr/local
RUN ln -s /usr/local/gradle-8.4 /usr/local/gradle
ENV PATH /usr/local/gradle/bin:$PATH
# jenkins
USER jenkins
EOF
docker build . -t swr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl-gradle84
docker push swr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl-gradle84
```
3、nodejs编译环境镜像制作
```bash
# node-v20.15.0-linux-x64.tar.xz已下载到本地
cat > Dockerfile <<EOF
FROM swr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl
USER root
ADD node-v20.15.0-linux-x64.tar.xz /usr/local
RUN ln -s /usr/local/node-v20.15.0-linux-x64 /usr/local/node
ENV PATH /usr/local/node/bin:$PATH
RUN npm config set registry https://registry.npmmirror.com &&\
npm install pnpm -g
USER jenkins
RUN pnpm config set registry https://registry.npmmirror.com
EOF
docker build . -t wr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl-node20
docker push wr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl-node20
```
其他语言编译环境镜像制作方式类似,不再赘述。
### 五、jenkins 配置k8s Cloud
Cloud中原有的其他配置不变【Pod Template details】中修改原有镜像为对应的agent镜像如swr.cn-east-3.myhuaweicloud.com/turingsyn/jenkins/inbound-agent:jdk17-nerdctl-buildctl-kubectl-node20然后参考[文档](#doc)中deployment-rootless的配置主要为了使用tcp://127.0.0.1:1234连接到buildkitd添加新的【Container Template】。
主要有以下配置项:
- 1、命令参数--addr unix:///run/user/1000/buildkit/buildkitd.sock --addr tcp://0.0.0.0:1234 --oci-worker-no-process-sandbox
- 2、高级配置中【Run As User ID】1000
- 3、高级配置中【Run As Group ID】1000
- 4、高级配置中【健康检查】-【Exec action】buildctl debug workers
- 5、卷选择【Empty Dir Volume】/home/user/.local/share/buildkit
- 6、注解container.apparmor.security.beta.kubernetes.io/buildkitd=unconfined
### 六、job配置
原有的docker相关操作需要替换。
其中:
- 1、`sudo docker login -u [user] -p [password] [registry]`替换为`nerdctl login -u [user] -p [password] [registry]`
- 2、`sudo docker build . -t [image]``sudo docker push [image]`替换为`buildctl --addr tcp://127.0.0.1:1234 build --frontend dockerfile.v0 --local context=. --local dockerfile=. --output type=image,name=[image],push=true`