Create a GitLab OAuth application

Create a GitLab OAuth application. Its Application ID and Application Secret (the consumer key and consumer secret) are what Drone uses to authorize access to GitLab resources on behalf of the logged-in user.

  • The authorization callback URL must have the form {DRONE_SERVER_PROTO}://{DRONE_SERVER_HOST}/login and must use the exact scheme and host of the Drone server; with the values used later on this page that is http://10.166.33.107:54839/login. GitLab requires an exact match, so a different scheme, host or port makes the login fail.

Fill in the Name and the Redirect URI, and tick the api and read_user scopes. Note that api grants the resulting tokens full API access as that user, so the Application Secret and anything that stores user tokens (the Drone database on the PVC below) should be protected accordingly.

  • Configure GitLab outbound requests

Since GitLab 10.6, webhook requests to the local network are blocked by default as an SSRF guard. Because the Drone server in this setup lives on a private address, an administrator has to allow them under Outbound requests.

Log in as an administrator: Admin Area => Settings => Network => Outbound requests

Click Expand and tick Allow requests to the local network from web hooks and services. This re-opens the entire local network to every webhook and integration on the instance; where your GitLab version offers the list of local IP addresses and domain names that hooks and services may access on the same page, add only the Drone host there instead.

  • Create a shared secret

Create a shared secret used to authenticate the communication between the runner and the Drone server.

# openssl rand -hex 16
d065db69f7dcc35bd6a0658a9e8b4201

Install drone-server

  • pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: drone-data
  namespace: demo
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs
  • deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-server
  namespace: demo
  labels:
    app: drone
    type: server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone
      type: server
  template:
    metadata:
      labels:
        app: drone
        type: server
    spec:
      volumes:
        - name: drone-data
          persistentVolumeClaim:
            claimName: drone-data
      containers:
        - name: drone-server
          image: 'drone/drone:1.10.1'
          ports:
            - containerPort: 80
              protocol: TCP
          env:
            - name: DRONE_GITLAB_CLIENT_ID # GitLab Application ID
              value: e4ea12c994c9084290a2237f8076db98bc5476058d70a699d01057c391e6e2f7
            - name: DRONE_GITLAB_CLIENT_SECRET # GitLab Application Secret; a literal here, so this manifest must be treated as sensitive (a Kubernetes Secret with secretKeyRef is the better place for it)
              value: 575dabd93c02c09b95625fc4d11ae28d5e7f63d461c7b457a84d3a939c82339c
            - name: DRONE_RPC_SECRET # shared secret from `openssl rand -hex 16`; authenticates runners to the server (same caveat as above)
              value: d065db69f7dcc35bd6a0658a9e8b4201
            - name: DRONE_GITLAB_SERVER # GitLab server address
              value: 'http://10.166.33.116:19980'
            - name: DRONE_SERVER_HOST # externally reachable drone-server address; must match the host in the OAuth callback URL
              value: '10.166.33.107:54839'
            - name: DRONE_SERVER_PROTO # drone-server scheme, http or https; with http the OAuth code exchange and runner RPC travel in clear text
              value: http
            - name: DRONE_GITLAB # use GitLab as the source provider
              value: 'true'
            - name: DRONE_USER_CREATE # pre-create the GitLab user "root" as a Drone administrator
              value: 'username:root,admin:true'
            - name: DRONE_AGENTS_ENABLED # accept remote runners on the RPC endpoint (this is not an authentication switch; the RPC secret does that)
              value: 'true'
            - name: DRONE_LOGS_TRACE # trace-level logging; useful while setting up, noisy in production
              value: 'true'
          volumeMounts:
            - name: drone-data
              mountPath: /data
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      imagePullSecrets:
        - name: harbor
---
# The service
apiVersion: v1
kind: Service
metadata:
  name: drone-server-service
  namespace: demo
spec:
  type: NodePort
  selector:
    app: drone
    type: server
  ports:
    - port: 80
      targetPort: 80
      # 54839 lies outside the default NodePort range (30000-32767); the API server's
      # --service-node-port-range must include it or the Service is rejected
      nodePort: 54839

Install drone-runner

Once Drone is up and running, you need to install a runner to execute the build pipelines.

  • rbac.yaml

The Kubernetes runner uses an in-cluster ServiceAccount to talk to the Kubernetes API. When deploying it to the cluster, make sure the runner pod is associated with that ServiceAccount. The Role below is namespaced to demo (the namespace the pipeline also selects), so the runner can create pipeline pods and their Secrets there and nowhere else.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone
  namespace: demo
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: demo
  name: drone
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - create
      - delete
      - list
      - watch
      - update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: drone
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: drone
    namespace: demo
roleRef:
  kind: Role
  name: drone
  apiGroup: rbac.authorization.k8s.io
  • deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-runner
  namespace: demo
  labels:
    app.kubernetes.io/name: drone
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: drone
  template:
    metadata:
      labels:
        app.kubernetes.io/name: drone
    spec:
      imagePullSecrets:
        - name: harbor
      serviceAccountName: drone # the ServiceAccount bound to the Role in rbac.yaml
      containers:
        - name: runner
          image: drone/drone-runner-kube:latest # pin a release tag in anything but a lab; "latest" makes upgrades unplanned
          ports:
            - containerPort: 3000
          env:
            - name: DRONE_RPC_HOST # drone-server address
              value: '10.166.33.107:54839'
            - name: DRONE_RPC_PROTO # drone-server scheme
              value: http
            - name: DRONE_RPC_SECRET # shared secret from `openssl rand -hex 16`; must equal the server's DRONE_RPC_SECRET
              value: d065db69f7dcc35bd6a0658a9e8b4201
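The two deploy.yaml files above put the GitLab Application Secret and the RPC shared secret into the Deployments as literal env values, where they end up in the repository holding the manifests, in kubectl describe output and in any audit log of the object. Below is an added example (not from the original post) of moving them into one Kubernetes Secret that both the server and the runner read through secretKeyRef; only the env entries shown change, the rest of each Deployment stays as above. The Secret name drone-secrets and its key names are assumptions, and the values are placeholders to be replaced with the Application ID, the Application Secret and the openssl output.

```yaml
# Added example, not from the original post. One Secret holding the three
# credentials; names "drone-secrets", "gitlab-client-id", "gitlab-client-secret"
# and "rpc-secret" are assumptions, the values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: drone-secrets
  namespace: demo
type: Opaque
stringData:
  gitlab-client-id: REPLACE_WITH_GITLAB_APPLICATION_ID
  gitlab-client-secret: REPLACE_WITH_GITLAB_APPLICATION_SECRET
  rpc-secret: REPLACE_WITH_OUTPUT_OF_openssl_rand_hex_16
---
# drone-server: replace the three literal entries in the container's env list
# with references into the Secret. The remaining DRONE_* entries are unchanged.
env:
  - name: DRONE_GITLAB_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: drone-secrets
        key: gitlab-client-id
  - name: DRONE_GITLAB_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: drone-secrets
        key: gitlab-client-secret
  - name: DRONE_RPC_SECRET
    valueFrom:
      secretKeyRef:
        name: drone-secrets
        key: rpc-secret
---
# drone-runner-kube: same Secret, same key, so the two sides cannot drift apart
# when the RPC secret is rotated (rotate the key, then restart both Deployments).
env:
  - name: DRONE_RPC_HOST
    value: '10.166.33.107:54839'
  - name: DRONE_RPC_PROTO
    value: http
  - name: DRONE_RPC_SECRET
    valueFrom:
      secretKeyRef:
        name: drone-secrets
        key: rpc-secret
```

Apply the Secret before the Deployments, since a pod whose secretKeyRef cannot be resolved stays in CreateContainerConfigError. Reading the Secret still requires get on secrets in the demo namespace, so anyone with that right can recover the values; that is a smaller audience than everyone who can read the Deployment, which is the point of the move.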

Using Drone

  • Authentication

First, navigate to your Drone server URL in a browser. If you are not yet authenticated, Drone redirects you to GitLab to log in.
After logging in you are redirected back to the Drone dashboard. If this is your first time using Drone, the dashboard stays empty for a few seconds while Drone synchronizes your repository list from GitLab.

  • Activate the repository

Search for your repository and click Activate. Activating adds a webhook to the repository so that Drone is notified on every push. Note that you need admin permission on the repository to activate it, because creating the webhook requires it.

Repository: https://github.com/wq-h/demo-2048.git


  • Configure the pipeline

Pipelines are configured by creating a .drone.yml file in the root of the git repository. It defines the series of steps executed each time a webhook is received. Everything in this file runs with whatever the runner's ServiceAccount and the referenced secrets allow, so changes to it deserve the same review as changes to the deployment manifests.

kind: pipeline
type: kubernetes
name: demo-2048

# Skip TLS certificate verification when cloning. Only needed when the git server
# presents a certificate the runner does not trust (it is not needed for GitHub);
# with it on the clone step accepts any certificate, so trusting the server's CA
# on the runner is the better fix where possible.
clone:
  skip_verify: true

# Run the pipeline pods in the demo namespace
metadata:
  namespace: demo

# Node selection
node_selector:
  kubernetes.io/hostname: slave-14

# Host-path volume used as a Maven cache. Host volumes expose the node's
# filesystem to the pipeline, so Drone only allows them for repositories an
# administrator has marked as trusted.
volumes:
  - name: cache
    host:
      path: /data/cache

# Stage 1: build the code
steps:
  - name: build code
    image: maven:3.6-jdk-8
    # Shell commands executed inside the container
    commands:
      - mvn clean install -DskipTests=true
      - cd target && jar -xf 2048.war
      - ls -l
    # Mount the cache directory inside the container
    volumes:
      - name: cache
        path: /root/.m2

  # Stage 2: build and push the image
  - name: build image & push
    image: plugins/docker # Docker plugin
    settings:
      # Image repository (registry/project/image)
      repo: 10.166.33.110/demo/demo-2048
      # Registry address
      registry: 10.166.33.110
      # Credentials defined as secrets in the Drone web UI
      username:
        from_secret: harbor_username
      password:
        from_secret: harbor_password
      # Image tag
      tags:
        - ${DRONE_BRANCH}-${DRONE_COMMIT}-${DRONE_BUILD_NUMBER}
      # Allow a plain-HTTP (non-TLS) registry; the Harbor credentials are then sent in clear text
      insecure: true
      # Dockerfile used to build the image
      dockerfile: ./Dockerfiles/Dockerfile

  # Stage 3: rolling update of the service
  - name: k8s-deploy
    # Kubernetes plugin
    image: danielgormly/drone-plugin-kube:0.2.0
    settings:
      build_tag: ${DRONE_BRANCH}-${DRONE_COMMIT}-${DRONE_BUILD_NUMBER}
      # YAML template
      template: template/demo-2048.yaml
      # API server address
      server: https://10.166.33.111:6443
      # Kubernetes service account token. The original took one from kube-system
      # ('kubectl get secret -nkube-system|grep token'); such tokens are usually
      # cluster-wide, so a dedicated service account limited to the demo namespace is the safer source.
      token:
        from_secret: k8s_token
      # Base64-encoded Kubernetes CA certificate
      ca:
        from_secret: k8s_ca

  # Stage 4: email notification
  - name: email
    # Email plugin
    image: drillster/drone-email:latest
    settings:
      # Send only to the listed recipients (not to the commit author)
      recipients_only: true
      # Recipient list
      recipients: [weiqun_h@163.com]
      # Subject
      subject: "Drone build: [{{ build.status }}] {{ repo.name }} ({{ repo.branch }}) #{{ build.number }}"
      # Mail server host
      host: smtp.exmail.qq.com
      # Mail server port
      port: 465
      # Sender address
      from: weiqun.he@tenxcloud.com
      # Username
      username:
        from_secret: email_user
      # Password
      password:
        from_secret: email_password
    # Send whether the pipeline succeeded or failed
    when:
      status: [ success, failure ]

# Restrict pipeline execution by branch
trigger:
  branch:
    - drone
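The k8s-deploy step only needs to update one Deployment in the demo namespace, but a token copied out of kube-system typically belongs to a controller with cluster-wide rights, and it is handed to every pipeline run of this repository. Below is an added example (not from the original post) of a dedicated ServiceAccount for that step, bound to a Role that covers Deployments in demo only, together with the long-lived token Secret the k8s_token and k8s_ca Drone secrets are filled from. The names drone-deployer and drone-deployer-token are assumptions, and so is the verb list, which is what applying a Deployment template needs; widen it only if the plugin reports a forbidden error.

```yaml
# Added example, not from the original post. A deploy-only identity for the
# pipeline instead of a kube-system token. Names and verbs are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-deployer
  namespace: demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: drone-deployer
  namespace: demo
rules:
  # Enough to create or roll the demo-2048 Deployment from the template; no
  # access to pods, secrets or anything outside this namespace.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-deployer
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: drone-deployer
    namespace: demo
roleRef:
  kind: Role
  name: drone-deployer
  apiGroup: rbac.authorization.k8s.io
---
# Long-lived token for the account. Kubernetes 1.24 and later no longer create
# one automatically; on older clusters the auto-generated
# drone-deployer-token-xxxxx Secret can be used instead of this object.
apiVersion: v1
kind: Secret
metadata:
  name: drone-deployer-token
  namespace: demo
  annotations:
    kubernetes.io/service-account.name: drone-deployer
type: kubernetes.io/service-account-token
# After `kubectl apply -f` of this file, fill the two Drone secrets the
# pipeline reads (the plugin's `ca` setting expects the base64 form, which is
# how ca.crt is already stored in the Secret):
#   k8s_token: kubectl -n demo get secret drone-deployer-token -o jsonpath='{.data.token}' | base64 -d
#   k8s_ca:    kubectl -n demo get secret drone-deployer-token -o jsonpath='{.data.ca\.crt}'
```

With this in place a compromised pipeline (a malicious commit on the drone branch, or a stolen Drone secret) can at most redeploy Deployments in demo, which is the blast radius the step actually needs. Rotating the credential is deleting and recreating the Secret and updating k8s_token in Drone.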
  • Create a resource template matching the application type
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-2048
  namespace: demo
  labels:
    app: demo-2048
    name: demo-2048
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-2048
      name: demo-2048
  template:
    metadata:
      labels:
        app: demo-2048
        name: demo-2048
    spec:
      containers:
        - name: demo-2048
          # {{build_tag}} is substituted by the k8s-deploy step with the build_tag setting
          image: 10.166.33.110/demo/demo-2048:{{build_tag}}
          ports:
            - containerPort: 8080
              protocol: TCP
          resources:
            limits:
              cpu: 128m
              memory: 256Mi
            requests:
              cpu: 128m
              memory: 128Mi
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      imagePullSecrets:
        - name: harbor

Secret configuration

The values the pipeline references with from_secret (harbor_username, harbor_password, k8s_token, k8s_ca, email_user, email_password) are created in the Drone web UI under the repository's Settings > Secrets, or with the drone CLI (drone secret add). They never appear in .drone.yml, and Drone masks them in build logs; steps that echo them in other forms (for example base64) bypass that masking.

Pipeline execution result

Email notification