CI/CD 持续集成与持续部署

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

580 字

2 分钟

CI/CD 持续集成与持续部署

2024-02-03

运维

工程实践

/

Kubernetes

/

Docker

某电商团队每周二凌晨手动部署，一次上线要三名运维加班到天亮，还时不时因为漏步骤导致线上故障。引入 CI/CD（Continuous Integration/Continuous Deployment，持续集成与持续部署） 后，代码合并到主分支即可自动完成构建、测试、发布，部署时间从 4 小时缩短到 15 分钟。

一、CI/CD 概述#

1. 持续集成流程#

graph TB subgraph "持续集成流程" A["代码提交"] --> B["编译构建"] B --> C["单元测试"] C --> D["静态分析"] D --> E["打包制品"] E --> F["集成测试"] end

阶段	工具	耗时目标
编译构建	Maven/Gradle/npm	< 5 分钟
单元测试	JUnit/Pytest	< 10 分钟
静态分析	SonarQube	< 5 分钟
打包制品	Docker/jar	< 5 分钟

2. 持续部署流程#

graph LR A["代码提交"] --> B["镜像构建"] B --> C["测试环境部署"] C --> D["自动化测试"] D --> E["预生产部署"] E --> F["生产部署"]

二、GitHub Actions#

GitHub Actions 是 GitHub 内置的 CI/CD 平台，通过 YAML 文件定义工作流，与代码仓库深度集成，无需额外部署服务。

1. 基础配置#

1
name: CI Pipeline
2

3
on:
4
  push:
5
    branches: [main, develop]
6
  pull_request:
7
    branches: [main]
8

9
jobs:
10
  build:
11
    runs-on: ubuntu-latest
12
    steps:
13
      - uses: actions/checkout@v4
14

15
      - name: Set up JDK 17
16
        uses: actions/setup-java@v4
17
        with:
18
          java-version: "17"
19
          distribution: "temurin"
20

21
      - name: Build with Maven
22
        run: mvn clean package -DskipTests
23

24
      - name: Run Tests
25
        run: mvn test
26

27
      - name: SonarQube Scan
28
        uses: sonarsource/sonarqube-scan-action@master
29
        env:
30
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
31
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

2. 多环境部署#

1
name: Deploy to Environments
2

3
on:
4
  push:
5
    branches: [main]
6

7
jobs:
8
  deploy-staging:
9
    runs-on: ubuntu-latest
10
    environment: staging
11
    steps:
12
      - uses: actions/checkout@v4
13

14
      - name: Deploy to Staging
15
        run: |
16
          kubectl config use-context staging
17
          kubectl apply -f k8s/
18

19
      - name: Smoke Test
20
        run: |
21
          curl -f https://staging.example.com/health
22

23
  deploy-production:
24
    runs-on: ubuntu-latest
25
    needs: deploy-staging
26
    environment: production
27
    steps:
28
      - uses: actions/checkout@v4
29

30
      - name: Deploy to Production
31
        run: |
32
          kubectl config use-context production
33
          kubectl apply -f k8s/

三、Jenkins 流水线#

Jenkins 是历史最悠久的开源 CI/CD 服务器，通过 Jenkinsfile 声明式或脚本式语法定义流水线，插件生态极为丰富。

1. Jenkinsfile 声明式流水线#

1
// Jenkinsfile
2
pipeline {
3
    agent any
4

5
    environment {
6
        DOCKER_IMAGE = "myapp:${BUILD_NUMBER}"
7
        REGISTRY = "registry.example.com"
8
    }
9

10
    stages {
11
        stage('Build') {
12
            steps {
13
                sh 'mvn clean package -DskipTests=false'
14
            }
15
        }
16

17
        stage('Test') {
18
            parallel {
19
                stage('Unit Tests') {
20
                    steps {
21
                        sh 'mvn test'
22
                    }
23
                }
24
                stage('Integration Tests') {
25
                    steps {
26
                        sh 'mvn verify -DskipUnitTests'
27
                    }
28
                }
29
            }
30
        }
31

32
        stage('Security Scan') {
33
            steps {
34
                sh 'trivy image --severity HIGH,CRITICAL ${REGISTRY}/${DOCKER_IMAGE}'
35
            }
36
        }
37

38
        stage('Build Image') {
39
            steps {
40
                sh '''
41
                    docker build -t ${REGISTRY}/${DOCKER_IMAGE} .
42
                    docker push ${REGISTRY}/${DOCKER_IMAGE}
43
                '''
44
            }
45
        }
46

47
        stage('Deploy to Staging') {
48
            steps {
49
                sh '''
50
                    kubectl config use-context staging
51
                    kubectl set image deployment/myapp myapp=${REGISTRY}/${DOCKER_IMAGE}
52
                '''
53
            }
54
        }
55

56
        stage('Smoke Test') {
57
            steps {
58
                sh 'curl -f https://staging.example.com/health || exit 1'
59
            }
60
        }
61

62
        stage('Deploy to Production') {
63
            when {
64
                branch 'main'
65
            }
66
            steps {
67
                input message: 'Approve deployment?', ok: 'Deploy'
68
                sh '''
69
                    kubectl config use-context production
70
                    kubectl set image deployment/myapp myapp=${REGISTRY}/${DOCKER_IMAGE}
71
                '''
72
            }
73
        }
74
    }
75

76
    post {
77
        always {
78
            cleanWs()
79
        }
80
        failure {
81
            slackSend channel: '#alerts', message: "Build ${BUILD_NUMBER} failed"
82
        }
83
    }
84
}

2. 流水线最佳实践#

1
// Jenkinsfile 最佳实践
2
pipeline {
3
    options {
4
        buildDiscarder(logRotator(numToKeepStr: '10'))
5
        timeout(time: 30, unit: 'MINUTES')
6
        disableConcurrentBuilds()
7
    }
8

9
    parameters {
10
        string(name: 'DEPLOY_ENV', defaultValue: 'staging',
11
                description: 'Deployment environment')
12
        booleanParam(name: 'RUN_SONAR', defaultValue: true,
13
                description: 'Run SonarQube scan')
14
    }
15

16
    environment {
17
        APP_NAME = 'myapp'
18
        REGISTRY = 'registry.example.com'
19
    }
20
}

四、制品管理#

1. Docker 镜像管理#

Docker 镜像是云原生时代最主流的制品格式，多阶段构建可以显著减小镜像体积。

1
# Dockerfile 多阶段构建
2
# 构建阶段
3
FROM maven:3.9-eclipse-temurin-17 AS builder
4
WORKDIR /app
5
COPY pom.xml .
6
RUN mvn dependency:go-offline
7
COPY src ./src
8
RUN mvn clean package -DskipTests
9

10
# 运行阶段
11
FROM eclipse-temurin:17-jre-alpine
12
WORKDIR /app
13

14
# 从构建阶段复制
15
COPY --from=builder /app/target/*.jar app.jar
16

17
# 安全配置
18
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
19
USER appuser
20

21
# 健康检查
22
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
23
    CMD wget -qO- http://localhost:8080/health || exit 1
24

25
ENTRYPOINT ["java", "-jar", "app.jar"]

2. Helm Chart 管理#

Helm 是 Kubernetes 的包管理器，通过 Chart 模板化定义应用的部署配置，支持参数化和版本管理。

1
apiVersion: v2
2
name: myapp
3
description: My Application Helm Chart
4
version: 1.0.0
5
appVersion: "1.0.0"
6

7
---
8

9
replicaCount: 3
10

11
image:
12
  repository: registry.example.com/myapp
13
  pullPolicy: IfNotPresent
14
  tag: "latest"
15

16
service:
17
  type: ClusterIP
18
  port: 8080
19

20
ingress:
21
  enabled: true
22
  className: nginx
23
  annotations:
24
    cert-manager.io/cluster-issuer: letsencrypt-prod
25
  hosts:
26
    - host: myapp.example.com
27
      paths:
28
        - path: /
29
          pathType: Prefix
30
  tls:
31
    - secretName: myapp-tls
32
      hosts:
33
        - myapp.example.com
34

35
resources:
36
  limits:
37
    cpu: 1000m
38
    memory: 1Gi
39
  requests:
40
    cpu: 100m
41
    memory: 256Mi
42

43
autoscaling:
44
  enabled: true
45
  minReplicas: 2
46
  maxReplicas: 10
47
  targetCPUUtilizationPercentage: 70

五、GitOps 部署#

GitOps 是一种以 Git 仓库为唯一事实来源的部署范式，所有基础设施和应用配置都通过 Git 提交来驱动变更。

1. ArgoCD 部署#

ArgoCD 是 Kubernetes 原生的 GitOps 持续交付工具，自动监控 Git 仓库并与集群状态同步。

1
# ArgoCD Application
2
apiVersion: argoproj.io/v1alpha1
3
kind: Application
4
metadata:
5
  name: myapp
6
  namespace: argocd
7
spec:
8
  project: default
9
  source:
10
    repoURL: https://github.com/org/myapp
11
    targetRevision: HEAD
12
    path: deploy/helm
13
    helm:
14
      valueFiles:
15
        - values.yaml
16
      parameters:
17
        - name: image.tag
18
          value: latest
19
  destination:
20
    server: https://kubernetes.default.svc
21
    namespace: production
22
  syncPolicy:
23
    automated:
24
      prune: true
25
      selfHeal: true
26
      allowEmpty: false
27
    syncOptions:
28
      - CreateNamespace=true
29
    retry:
30
      limit: 5
31
      backoff:
32
        duration: 5s
33
        factor: 2
34
        maxDuration: 3m

2. 部署策略#

Canary（金丝雀） 部署是一种渐进式发布策略，先将新版本路由少量流量，确认无异常后再逐步扩大比例。

1
# 金丝雀部署
2
apiVersion: argoproj.io/v1alpha1
3
kind: Rollout
4
metadata:
5
  name: myapp-rollout
6
spec:
7
  replicas: 10
8
  strategy:
9
    canary:
10
      steps:
11
        - setWeight: 10
12
        - pause: { duration: 10m }
13
        - setWeight: 30
14
        - pause: { duration: 10m }
15
        - setWeight: 50
16
        - pause: { duration: 10m }
17
        - setWeight: 80
18
        - pause: { duration: 10m }
19
        - setWeight: 100
20
      canaryMetadata:
21
        labels:
22
          role: canary
23
      stableMetadata:
24
        labels:
25
          role: stable
26
      canaryService:
27
        name: myapp-canary
28
      stableService:
29
        name: myapp-stable

六、总结#

阶段	关键实践
持续集成	频繁提交、自动化测试、快速构建
持续部署	渐进式部署、回滚机制
制品管理	镜像签名、版本控制、安全扫描
GitOps	声明式配置、自动化同步

graph LR A["代码提交"] --> B["CI 流水线"] B --> C["制品仓库"] C --> D["CD 流水线"] D --> E["Kubernetes"] E -->|同步| A