我们的一些应用程序托管在 Kubernetes 集群中,我们使用 GitLab Continuous Integration (CI) 来自动化部署,并使用 Helm 2 来部署我们的应用程序。Helm charts 允许存储 Kubernetes 对象 YAML 文件的模板,这些模板带有变量,这些变量可以通过在部署期间使用 chart 时传递的命令行参数以编程方式设置。这允许我们将关键的 secrets 存储在 GitLab 保护的环境变量或 Hashicorp Vault 中,并在 CI 部署作业中使用它们。
我们的部署作业使用一个 Bash 脚本来运行部署过程。这个 Bash 脚本提供了一些在 CI/CD 环境中非常有价值的功能。
- 它方便在 CI/CD 环境之外使用。GitLab CI 和其他 CI 系统将作业步骤存储为 CI 文本文件(例如 .gitlab-ci.yml)的 “script” 部分中的可执行 shell 代码行。虽然这对于确保基本的可执行步骤可以在没有外部依赖项的情况下存储很有用,但它阻止了开发人员在测试或手动部署场景中使用相同的代码。此外,Bash 系统的许多高级功能不能轻易地在这些 script 部分中使用。
- 它方便对重要的部署过程进行单元测试。没有任何 CI 系统提供一种测试部署逻辑是否按预期执行的方法。精心构建的 Bash 脚本可以使用 BATS 进行单元测试。
- 它方便重用脚本中的各个函数。最后一部分使用了一个 guard clause,if [[ "${BASH_SOURCE[0]}" == "${0}" ]],这防止了在脚本未被执行时调用 run_main 函数。这允许脚本被 sourced,然后允许用户使用其中的许多有用的单个函数。这对于正确的 BATS 测试至关重要。
- 它使用环境变量来保护敏感信息,并使脚本可以在许多项目和项目应用程序环境之间重用。当 GitLab CI runner 运行时,GitLab CI 使许多这些环境变量可用。在 GitLab CI 外部使用脚本之前,必须手动设置这些变量。
该脚本执行将应用程序的 Helm chart 部署到 Kubernetes 所需的所有任务,并使用 kubectl 和 Helm 等待部署就绪。Helm 使用本地 Tiller 安装运行,而不是在 Kubernetes 集群中运行 Tiller。Kubernetes HELM_USER 和 HELM_PASSWORD 用于登录 Kubernetes CLUSTER_SERVER 和 PROJECT_NAMESPACE。Tiller 启动,Helm 以 client-only 模式初始化,并且它的 repo 被更新。模板使用 Helm 进行 lint 检查,以确保没有意外提交语法错误。然后,模板以声明模式部署,使用 helm upgrade --install。Helm 使用 --wait flag 等待部署就绪。
该脚本确保在部署期间设置某些模板变量,并允许在 GitLab CI PROJECT_SPECIFIC_DEPLOY_ARGS 环境变量中指定特殊的项目特定变量。部署中所需的所有环境变量都在脚本执行的早期进行检查,如果缺少任何变量,脚本将以非零退出状态退出。
这个脚本已在多个 GitLab CI 托管的项目中使用。它帮助我们专注于我们的代码,而不是每个项目中的部署逻辑。
脚本
#!/bin/bash
# MIT License
#
# Copyright (c) 2019 Darin London
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
log_level_for()
{
case "${1}" in
"error")
echo 1
;;
"warn")
echo 2
;;
"debug")
echo 3
;;
"info")
echo 4
;;
*)
echo -1
;;
esac
}
current_log_level()
{
log_level_for "${LOG_LEVEL}"
}
error()
{
[ $(log_level_for "error") -le $(current_log_level) ] && echo "${1}" >&2
}
warn()
{
[ $(log_level_for "warn") -le $(current_log_level) ] && echo "${1}" >&2
}
debug()
{
[ $(log_level_for "debug") -le $(current_log_level) ] && echo "${1}" >&2
}
info()
{
[ $(log_level_for "info") -le $(current_log_level) ] && echo "${1}" >&2
}
check_required_environment() {
local required_env="${1}"
for reqvar in $required_env
do
if [ -z "${!reqvar}" ]
then
error "missing ENVIRONMENT ${reqvar}!"
return 1
fi
done
}
check_default_environment() {
local required_env="${1}"
for varpair in $required_env
do
local manual_environment=$(echo "${varpair}" | cut -d':' -f1)
local default_if_not_set=$(echo "${varpair}" | cut -d':' -f2)
if [ -z "${!manual_environment}" ] && [ -z "${!default_if_not_set}" ]
then
error "missing default ENVIRONMENT, set ${manual_environment} or ${default_if_not_set}!"
return 1
fi
done
}
dry_run() {
[ ${DRY_RUN} ] && info "skipping for dry run" && return
return 1
}
init_tiller() {
info "initializing local tiller"
dry_run && return
export TILLER_NAMESPACE=$PROJECT_NAMESPACE
export HELM_HOST=localhost:44134
# https://rimusz.net/tillerless-helm/
# run tiller locally instead of in the cluster
tiller --storage=secret &
export TILLER_PID=$!
sleep 1
kill -0 ${TILLER_PID}
if [ $? -gt 0 ]
then
error "tiller not running!"
return 1
fi
}
init_helm() {
info "initializing helm"
dry_run && return
helm init --client-only
if [ $? -gt 0 ]
then
error "could not initialize helm"
return 1
fi
}
init_helm_with_tiller() {
init_tiller || return 1
init_helm || return 1
info "updating helm client repository information"
dry_run && return
helm repo update
if [ $? -gt 0 ]
then
error "could not update helm repository information"
return 1
fi
}
decommission_tiller() {
if [ -n "${TILLER_PID}" ]
then
kill ${TILLER_PID}
if [ $? -gt 0 ]
then
return
fi
fi
}
check_required_deploy_arg_environment() {
[ -z "${PROJECT_SPECIFIC_DEPLOY_ARGS}" ] && return
for reqvar in ${PROJECT_SPECIFIC_DEPLOY_ARGS}
do
if [ -z ${!reqvar} ]
then
error "missing Deployment ENVIRONMENT ${reqvar} required!"
return 1
fi
done
}
project_specific_deploy_args() {
[ -z "${PROJECT_SPECIFIC_DEPLOY_ARGS}" ] && echo "" && return
extraArgs=''
for deploy_arg_key in ${PROJECT_SPECIFIC_DEPLOY_ARGS}
do
extraArgs="${extraArgs} --set $(echo "${deploy_arg_key}" | sed 's/__/\./g' | tr '[:upper:]' '[:lower:]')=${!deploy_arg_key}"
done
echo "${extraArgs}"
}
check_required_cluster_login_environment() {
check_required_environment "HELM_TOKEN HELM_USER PROJECT_NAMESPACE CLUSTER_SERVER" || return 1
}
cluster_login() {
info "authenticating ${HELM_USER} in ${PROJECT_NAMESPACE}"
dry_run && return
kubectl config set-cluster ci_kube --server="${CLUSTER_SERVER}" || return 1
kubectl config set-credentials "${HELM_USER}" --token="${HELM_TOKEN}" || return 1
kubectl config set-context ${PROJECT_NAMESPACE}-deploy --cluster=ci_kube --namespace=${PROJECT_NAMESPACE} --user=${HELM_USER} || return 1
kubectl config use-context ${PROJECT_NAMESPACE}-deploy || return 1
}
lint_template() {
info "linting template"
dry_run && return
helm lint ${CI_PROJECT_DIR}/helm-chart/${CI_PROJECT_NAME}
}
check_required_image_pull_environment() {
if [ "${CI_PROJECT_VISIBILITY}" == "public" ]
then
check_required_environment "CI_REGISTRY CI_DEPLOY_USER CI_DEPLOY_PASSWORD" || return 1
fi
}
image_pull_settings() {
if [ "${CI_PROJECT_VISIBILITY}" == "public" ]
then
echo ""
else
echo "--set registry.root=${CI_REGISTRY} --set registry.secret.username=${CI_DEPLOY_USER} --set registry.secret.password=${CI_DEPLOY_PASSWORD}"
fi
}
deployment_name() {
if [ -n "${DEPLOYMENT_NAME}" ]
then
echo "${DEPLOYMENT_NAME}"
else
echo "${CI_ENVIRONMENT_SLUG}-${CI_PROJECT_NAME}"
fi
}
deploy_template() {
info "deploying $(deployment_name) from template"
if dry_run
then
info "helm upgrade --force --recreate-pods --debug --set image.repository=${CI_REGISTRY_IMAGE}/${CI_PROJECT_NAME} --set image.tag=${CI_COMMIT_SHORT_SHA} --set environment=${CI_ENVIRONMENT_NAME} --set-string git_commit=${CI_COMMIT_SHORT_SHA} --set git_ref=${CI_COMMIT_REF_SLUG} --set ci_job_id=${CI_JOB_ID} $(environment_url_settings) $(image_pull_settings) $(project_specific_deploy_args) --wait --install $(deployment_name) ${CI_PROJECT_DIR}/helm-chart/${CI_PROJECT_NAME}"
else
helm upgrade --force --recreate-pods --debug \
--set image.repository="${CI_REGISTRY_IMAGE}/${CI_PROJECT_NAME}" \
--set image.tag="${CI_COMMIT_SHORT_SHA}" \
--set environment="${CI_ENVIRONMENT_NAME}" \
--set-string git_commit="${CI_COMMIT_SHORT_SHA}" \
--set git_ref="${CI_COMMIT_REF_SLUG}" \
--set ci_job_id="${CI_JOB_ID}" \
$(image_pull_settings) \
$(project_specific_deploy_args) \
--wait \
--install $(deployment_name) ${CI_PROJECT_DIR}/helm-chart/${CI_PROJECT_NAME}
fi
}
get_pods() {
kubectl get pods -l ci_job_id="${CI_JOB_ID}"
}
watch_deployment() {
local watch_deployment=$(deployment_name)
if [ -n "${WATCH_DEPLOYMENT}" ]
then
watch_deployment="${WATCH_DEPLOYMENT}"
fi
info "waiting until deployment ${watch_deployment} is ready"
dry_run && return
kubectl rollout status deployment/${watch_deployment} -w || return 1
sleep 5
get_pods || return 1
# see what has been deployed
kubectl describe deployment -l app=${CI_PROJECT_NAME},environment=${CI_ENVIRONMENT_NAME},git_commit=${CI_COMMIT_SHORT_SHA} || return 1
if [ -n "${CI_ENVIRONMENT_URL}" ]
then
kubectl describe service -l app=${CI_PROJECT_NAME},environment=${CI_ENVIRONMENT_NAME} || return 1
kubectl describe route -l app=${CI_PROJECT_NAME},environment=${CI_ENVIRONMENT_NAME} || return 1
fi
}
run_main() {
check_required_environment "CI_PROJECT_NAME CI_PROJECT_DIR CI_COMMIT_REF_SLUG CI_REGISTRY_IMAGE CI_ENVIRONMENT_NAME CI_JOB_ID CI_COMMIT_SHORT_SHA" || return 1
check_default_environment "WATCH_DEPLOYMENT:CI_ENVIRONMENT_SLUG" || return 1
check_required_deploy_arg_environment || return 1
check_required_cluster_login_environment || return 1
check_required_image_pull_environment || return 1
cluster_login
if [ $? -gt 0 ]
then
error "could not login kubectl"
return 1
fi
init_helm_with_tiller
if [ $? -gt 0 ]
then
error "could not initialize helm"
return 1
fi
lint_template
if [ $? -gt 0 ]
then
error "linting failed"
return 1
fi
deploy_template
if [ $? -gt 0 ]
then
error "could not deploy template"
return 1
fi
watch_deployment
if [ $? -gt 0 ]
then
error "could not watch deployment"
return 1
fi
decommission_tiller
info "ALL Complete!"
return
}
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]
then
run_main
if [ $? -gt 0 ]
then
exit 1
fi
fi
评论已关闭。