Drone is an open-source, lightweight CI/CD tool written in Go and built on Docker; it can be integrated with GitLab. This post records the process of installing Drone and integrating it with GitLab.
Creating the certificate
Following the post "使用Cert Manager配置Let’s Encrypt证书" (Configuring Let's Encrypt certificates with Cert Manager), create a certificate issuer backed by the GoDaddy DNS-01 webhook:
cat << EOF | kubectl create -f -
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: javachen-space-letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: junecloud@163.com
    privateKeySecretRef:
      name: javachen-space-letsencrypt-prod
    solvers:
    - selector:
        dnsNames:
        - '*.javachen.space'
      dns01:
        webhook:
          groupName: acme.javachen.space
          solverName: godaddy
          config:
            authApiKey: e4hN4QrFgzdo_RHXe1ef2qpBPmiJPD2ZUcW
            authApiSecret: QsHuDdnnCbzp5DmEQzq4ts
            production: true
            ttl: 600
EOF
Create a namespace:
kubectl create namespace drone
Create a certificate:
cat << EOF | kubectl create -f -
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: drone-javachen-space-cert
  namespace: drone
spec:
  secretName: drone-javachen-space-cert
  renewBefore: 240h
  dnsNames:
  - "*.javachen.space"
  issuerRef:
    name: javachen-space-letsencrypt-prod
    kind: ClusterIssuer
EOF
Check the certificate status:
kubectl get secret,Certificate -n drone
kubectl describe secret drone-javachen-space-cert -n drone
kubectl describe certificate drone-javachen-space-cert -n drone
kubectl describe order drone-javachen-space-cert-2742582754 -n drone
kubectl describe Challenge drone-javachen-space-cert-695846883-0 -n drone
Installing Drone
Finding the chart
Here I use my modified chart:
git clone https://github.com/javachen/charts
cd charts
Based on the values.yaml in the chart, create drone-gitlab-values.yaml:
cat <<EOF > drone-gitlab-values.yaml
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 10m
  hosts:
  - drone.javachen.space
  tls:
  - secretName: drone-javachen-space-cert
    hosts:
    - drone.javachen.space
sourceControl:
  provider: gitlab
  gitlab:
    clientID: 3a3c6b5d37b6557168759389080d331fed992218b9b8cac8b2bc6516b292429b
    clientSecretKey: clientSecret
    clientSecretValue: eb60347cffd7614eef2dba4abbd5783779647be2aed4a3fd78eae31ee1480138
    server: http://gitlab.javachen.space
server:
  host: drone.javachen.space
  protocol: https
  adminUser: admin
  alwaysAuth: true
  envSecrets:
    drone-gitlab-login-secrets:
    - DRONE_GIT_USERNAME
    - DRONE_GIT_PASSWORD
  kubernetes:
    enabled: true
  #env:
  #  DRONE_LOGS_DEBUG: "false"
  #  DRONE_DATABASE_DRIVER: "mysql"
  #  DRONE_DATABASE_DATASOURCE: "root:123456@tcp(192.168.1.100:3306)/drone?parseTime=true"
persistence:
  enabled: true
  storageClass: ceph-rbd
  size: 5Gi
EOF
Notes:
1. nginx.ingress.kubernetes.io/proxy-body-size: 10m sets the maximum upload size.
2. drone-gitlab-login-secrets is the Secret holding the username and password Drone uses to fetch code from GitLab repositories. It is created as follows:
# Assume the login username and password are both "admin"
echo -n "admin" | base64
cat << EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: drone-gitlab-login-secrets
  namespace: drone
type: Opaque
data:
  DRONE_GIT_USERNAME: YWRtaW4=
  DRONE_GIT_PASSWORD: YWRtaW4=
EOF
3. http://gitlab.javachen.space is the address of the GitLab service. clientID and clientSecretValue are obtained by creating an application in GitLab with the redirect URI set to https://drone.javachen.space/hook.
4. Persistence is enabled here with the storage class ceph-rbd, which must be created beforehand; see my article on installing Harbor.
5. You can also uncomment the env block above to make Drone use a MySQL database.
Install Drone with Helm 3:
helm install drone \
  --namespace drone \
  -f drone-gitlab-values.yaml \
  ./drone
Check the status:
kubectl get all -n drone
Open https://drone.javachen.space/ in a browser; it redirects to GitLab for authorization, after which repositories can be synced.
Installing the Drone CLI
Install the Drone CLI:
curl -L https://github.com/drone/drone-cli/releases/latest/download/drone_linux_amd64.tar.gz | tar zx
sudo install -t /usr/local/bin drone
Uninstalling Drone
helm del drone -n drone
kubectl delete pod,service,deploy,ingress,secret,pvc --all -n drone
kubectl delete secret,certificate drone-javachen-space-cert -n drone
After Drone is installed, obtain the Drone token from https://drone.javachen.space/account and view the Drone info:
# DRONE_SERVER is the base URL of the server, not the /account page
export DRONE_SERVER=https://drone.javachen.space
export DRONE_TOKEN=0FJZSq9dYtAnOvyXlL3Os6aIoBPtxRaa
drone info
The command above prints the GitLab login username and password.
Drone also offers other operations, such as creating secrets. Taking the https://github.com/hectorqin/drone-kubectl plugin as a reference, and assuming Drone has synced a repository from GitLab named chenzj/test, the following commands create several secrets:
# Token secret of the drone-deploy ServiceAccount (created in the RBAC step below)
DEFAULT_SECRET=`kubectl get secret -n drone|grep drone-deploy-token|awk '{print $1}'`
KUBERNETES_SERVER=`kubectl config view|grep server|awk '{print $2}'`
# The CA certificate is kept base64-encoded; the plugin expects it in that form
KUBERNETES_CERT=`kubectl get secret -n drone ${DEFAULT_SECRET} -o jsonpath="{.data.ca\.crt}"`
KUBERNETES_TOKEN=`kubectl get secret -n drone ${DEFAULT_SECRET} -o jsonpath="{.data.token}" | base64 --decode`
export DRONE_SERVER=https://drone.javachen.space
export DRONE_TOKEN=0FJZSq9dYtAnOvyXlL3Os6aIoBPtxRaa
drone info
drone secret add chenzj/test --name KUBERNETES_SERVER --data ${KUBERNETES_SERVER} --allow-pull-request
drone secret add chenzj/test --name KUBERNETES_CERT --data ${KUBERNETES_CERT} --allow-pull-request
drone secret add chenzj/test --name KUBERNETES_TOKEN --data ${KUBERNETES_TOKEN} --allow-pull-request
Once this completes, the three secrets created above are visible under SETTINGS of the chenzj/test repository in the Drone UI.
The plugin can then be used in .drone.yml:
- name: deploy
  image: quay.io/hectorqin/drone-kubectl
  settings:
    kubernetes_template: k8s/test/deployment.yaml
    kubernetes_namespace: test
  environment:
    KUBERNETES_SERVER:
      from_secret: KUBERNETES_SERVER
    KUBERNETES_CERT:
      from_secret: KUBERNETES_CERT
    KUBERNETES_TOKEN:
      from_secret: KUBERNETES_TOKEN
  depends_on:
  - build
  when:
    event:
    - push
    - tag
Of course, the RBAC also needs to be created:
cat << EOF | kubectl create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-deploy
  namespace: drone
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: drone-deploy
rules:
- apiGroups: ["", "*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: drone-deploy
subjects:
- kind: ServiceAccount
  name: drone-deploy
  namespace: drone
roleRef:
  kind: ClusterRole
  name: drone-deploy
  apiGroup: rbac.authorization.k8s.io
EOF
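The ClusterRole above grants every verb on every resource cluster-wide, so the KUBERNETES_TOKEN stored in Drone is effectively cluster-admin, and because the secrets were added with --allow-pull-request, any pipeline run against chenzj/test can use it. As an added example (not from the original post or the drone-kubectl project), here is a namespace-scoped alternative that assumes the deploy step only needs to apply the objects in k8s/test/deployment.yaml into the test namespace named in the .drone.yml step; the resource list is an assumption to adjust to what that template actually contains.

```yaml
# Added example: least-privilege replacement for the wildcard ClusterRole.
# Assumes the Drone deploy step only applies Deployments, Services and
# ConfigMaps into the "test" namespace (kubernetes_namespace in .drone.yml).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-deploy
  namespace: drone
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # Role, not ClusterRole: bound to one namespace
metadata:
  name: drone-deploy
  namespace: test               # the only namespace the token may touch
rules:
# kubectl apply needs get + create/patch/update on the objects in the template
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
# read-only on pods if the pipeline checks the rollout; no delete anywhere
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-deploy
  namespace: test
subjects:
- kind: ServiceAccount
  name: drone-deploy
  namespace: drone              # the SA lives in "drone"; the grant lives in "test"
roleRef:
  kind: Role
  name: drone-deploy
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i --as=system:serviceaccount:drone:drone-deploy delete deployments -n kube-system` should answer `no`, while the same check for `patch deployments -n test` answers `yes`.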
