镜像准备

jenkins镜像

  • 自定义dockerfile
# mkdir /data/dockerfile/jenkins/ -p    
# cd /data/dockerfile/jenkins/
# vim Dockerfile
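# Jenkins controller image for the demo: stock Jenkins plus the docker CLI and
# kubectl, so pipeline steps can build/push images and deploy to the cluster.
# The build context must contain get-docker.sh (downloaded in the steps below).
FROM jenkins/jenkins:2.276

# apt and the docker.sock bind-mount used by the Deployment need root; the
# stock image runs as the unprivileged "jenkins" user. The image is left as
# root on purpose here (the Deployment also sets runAsUser: 0).
USER root

# Make piped RUN commands fail when any stage of the pipe fails, not only the last.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Container timezone.
RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && echo 'Asia/Shanghai' >/etc/timezone

# Harbor credentials are deliberately NOT copied into the image: a file added
# here lives in an image layer (and in every registry the image is pushed to)
# even if a later step deletes it. Provide /root/.docker/config.json at run
# time instead, e.g. by mounting the "harbor" docker-registry Secret created
# in the steps below into the pod.

# COPY is sufficient for a plain local file; ADD's tar/URL handling is not needed.
COPY get-docker.sh /get-docker.sh

# Register the kubectl apt repo, import its signing key, refresh the package
# index once, and install in the same layer so the index is never stale and
# the list files do not bloat the image. The original listing ran apt-get
# install without any apt-get update after adding the repo. (apt-key is
# deprecated; newer images should place the key under /etc/apt/trusted.gpg.d/
# or use signed-by.)
RUN echo "deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main" >>/etc/apt/sources.list.d/kubernetes.list \
    && curl -fsSL https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add - \
    && apt-get update \
    && apt-get install -y --no-install-recommends apt-transport-https kubectl \
    && rm -rf /var/lib/apt/lists/*

# Install the docker packages with Docker's convenience script (Aliyun mirror).
# "StrictHostKeyChecking no" turns off SSH host-key verification for every
# user in the image, so git-over-ssh checkouts cannot detect a spoofed host;
# shipping a known_hosts file, or "StrictHostKeyChecking accept-new", keeps
# non-interactive checkouts working without that loss.
RUN echo " StrictHostKeyChecking no" >> /etc/ssh/ssh_config && /get-docker.sh --mirror Aliyun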

这个Dockerfile里我们主要做了以下几件事

  • 设置容器用户为root

  • 设置容器内的时区

  • 加入了登录自建harbor仓库的auth文件

  • 安装一个docker的客户端

  • 安装kubectl

  • 准备构建上下文：下载docker客户端脚本，并将登录harbor的auth文件拷贝到Dockerfile所在目录

# curl -fsSL get.docker.com -o get-docker.sh
# chmod +x get-docker.sh
# cp /root/.docker/config.json .
  • build镜像
# docker build . -t harbor.od.com/infra/jenkins:v2.276
# docker push harbor.od.com/infra/jenkins:v2.276
  • 创建名称空间
# kubectl create ns demo
namespace/demo created
  • 创建secret
# kubectl create secret docker-registry harbor --docker-server=harbor.od.com --docker-username=admin --docker-password=Harbor12345 -n demo
secret/harbor created

创建共享存储

  • 创建nfs
# yum install nfs-utils -y     每个节点安装nfs
  • 创建挂载目录
# mkdir /data/nfs/jenkins -p
# vim /etc/exports
/data/nfs 10.33.166.0/24(rw,async,no_root_squash,no_all_squash)
  • 启动服务
# systemctl start rpcbind nfs
# systemctl enable rpcbind nfs
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
# showmount -e 10.166.33.107
Export list for 10.166.33.107:
/data/nfs 10.33.166.0/24

准备配置清单

# mkdir /data/k8s-yaml/jenkins && mkdir /data/nfs/jenkins_home && mkdir /data/nfs/jenkins-repostory && cd /data/k8s-yaml/jenkins
  • rbac授权
# vim rbac.yaml
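# ServiceAccount used by the Jenkins pod (referenced by the Deployment below).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: demo
---
# rbac.authorization.k8s.io/v1 has been GA since Kubernetes 1.8; the v1beta1
# version is removed in 1.22. A ClusterRoleBinding is cluster-scoped, so no
# metadata.namespace is given (the server ignores it anyway).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin gives every Jenkins job full control of the whole cluster.
  # Convenient for a demo; for anything else bind a Role limited to the
  # namespaces the pipeline actually deploys into.
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: demo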
  • deployment
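# Single Jenkins controller with JENKINS_HOME and the Maven cache on NFS,
# the node's docker socket bind-mounted, and Harbor pull/push credentials
# taken from the "harbor" Secret created earlier.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: jenkins
  namespace: demo
  labels:
    name: jenkins
spec:
  replicas: 1
  selector:
    matchLabels:
      name: jenkins
  template:
    metadata:
      labels:
        app: jenkins
        name: jenkins
    spec:
      volumes:
        # NFS paths match the export prepared above (/data/nfs is exported and
        # /data/nfs/jenkins_home + /data/nfs/jenkins-repostory were created);
        # the initialAdminPassword is later read from /data/nfs/jenkins_home.
        - name: data
          nfs:
            server: 10.166.33.107
            path: /data/nfs/jenkins_home
        - name: repository
          nfs:
            server: 10.166.33.107
            path: /data/nfs/jenkins-repostory
        # Access to the node's docker socket is equivalent to root on the node;
        # type: Socket makes the pod fail fast if the socket is missing.
        - name: docker
          hostPath:
            path: /run/docker.sock
            type: Socket
        # Harbor login for docker push, mounted instead of being baked into the
        # image (the docker-registry Secret stores it under .dockerconfigjson).
        - name: harbor-auth
          secret:
            secretName: harbor
            items:
              - key: .dockerconfigjson
                path: config.json
      containers:
        - name: jenkins
          # Tag must match what was built and pushed (v2.276), otherwise the pull fails.
          image: 'harbor.od.com/infra/jenkins:v2.276'
          ports:
            - containerPort: 8080
              protocol: TCP
          env:
            # JVM heap, plus the CSRF kill-switch. DISABLE_CSRF_PROTECTION=true
            # turns off crumb checks for the whole controller, which is exposed
            # through the Ingress; keeping protection on and adjusting the
            # "proxy compatibility" setting in the UI (see the security steps
            # below) is the safer way to handle the same problem.
            - name: JAVA_OPTS
              value: '-Xmx2048m -Xms2048m -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true'
          # No requests/limits: with a fixed 2 GiB heap the scheduler cannot
          # account for this pod's memory.
          resources: {}
          volumeMounts:
            - name: data
              mountPath: /var/jenkins_home
            - name: repository
              mountPath: /root/.m2/repository
            - name: docker
              mountPath: /run/docker.sock
            - name: harbor-auth
              mountPath: /root/.docker
              readOnly: true
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      serviceAccountName: jenkins
      serviceAccount: jenkins
      # Runs as root so it can use the docker socket and write the root-owned
      # NFS directories.
      securityContext:
        runAsUser: 0
      imagePullSecrets:
        - name: harbor
      schedulerName: default-scheduler
  # Recreate instead of RollingUpdate: a rolling update would briefly run two
  # controllers on the same NFS JENKINS_HOME, which Jenkins does not support.
  strategy:
    type: Recreate
  minReadySeconds: 10
  revisionHistoryLimit: 7
  progressDeadlineSeconds: 600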
  • service
# vim service.yaml
# ClusterIP service in front of the Jenkins pod; the Ingress below points at
# port 80, which forwards to the container's 8080.
kind: Service
apiVersion: v1
metadata:
  name: jenkins
  namespace: demo
spec:
  # Matches the "app: jenkins" label on the Deployment's pod template.
  selector:
    app: jenkins
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

ingress

# vim ingress.yaml
# HTTP entry point for Jenkins at jenkins.od.com, routed to the Service above.
# extensions/v1beta1 Ingress is removed in Kubernetes 1.22; networking.k8s.io/v1
# is the replacement on newer clusters.
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: jenkins
  namespace: demo
spec:
  rules:
    - host: jenkins.od.com
      http:
        paths:
          - path: /
            backend:
              serviceName: jenkins
              servicePort: 80

创建资源清单

# kubectl apply -f http://k8s-yaml.od.com/jenkins/volume.yaml
persistentvolume/jenkins-volume created
persistentvolumeclaim/jenkins-volume created
# kubectl apply -f rbac.yaml
serviceaccount/jenkins created
clusterrolebinding.rbac.authorization.k8s.io/jenkins created
# kubectl apply -f http://k8s-yaml.od.com/jenkins/deployment.yaml
deployment.extensions/jenkins created
# kubectl apply -f http://k8s-yaml.od.com/jenkins/service.yaml
service/jenkins created
# kubectl apply -f http://k8s-yaml.od.com/jenkins/ingress.yaml
ingress.extensions/jenkins created

web访问

密码文件

# cat /data/nfs/jenkins_home/secrets/initialAdminPassword
a19ad09de32b415cb0da32bded04f67f

插件下载加速

选择系统管理 => 插件管理 => 高级 => 升级站点(覆盖默认文件)
https://mirrors.tuna.tsinghua.edu.cn/jenkins/updates/update-center.json

调整安全规则

  • 选择系统管理 => 全局安全配置 => 授权策略 => 选择匿名用户具有可读权限

  • 选择系统管理 => 选择全局安全配置 => 跨站请求伪造保护 => 取消启用代理兼容

安装插件

  • 选择系统管理 => 插件管理 => 可选插件 => Blue Ocean
  • 选择系统管理 => 插件管理 => 可选插件 => Build Timestamp
  • 选择系统管理 => 插件管理 => 可选插件 => Kubernetes CLI
  • 选择系统管理 => 插件管理 => 可选插件 => Kubernetes Client API
  • 选择系统管理 => 插件管理 => 可选插件 => Kubernetes Credentials
  • 选择系统管理 => 插件管理 => 可选插件 => Kubernetes