Configuring and Managing CI/CD Toolchains - Mastering DevOps Automation Tools
2025/8/31大约 5 分钟
配置与管理 CI/CD 工具链
CI/CD 工具链概述
CI/CD 工具链是实现持续集成和持续部署的核心基础设施,它由多个工具组件组成,协同工作以自动化软件交付流程。Docker 作为容器化平台,与主流 CI/CD 工具深度集成,为工具链提供了标准化的运行环境。
工具链核心组件
源代码管理:
- Git(GitHub、GitLab、Bitbucket)
- 代码审查和协作
构建工具:
- Jenkins、GitLab CI、GitHub Actions
- 自动化构建和测试
容器化平台:
- Docker、Kubernetes
- 标准化部署环境
部署平台:
- 云平台(AWS、Azure、GCP)
- 容器编排平台
Jenkins 配置与管理
Jenkins 安装与配置
# jenkins-docker.Dockerfile
FROM jenkins/jenkins:lts
# 安装推荐插件
RUN jenkins-plugin-cli --plugins \
docker-plugin \
docker-workflow \
git \
github \
pipeline-stage-view
# 复制配置文件
COPY plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN jenkins-plugin-cli --plugin-file /usr/share/jenkins/ref/plugins.txt
# 复制初始化脚本
COPY init.groovy.d/* /usr/share/jenkins/ref/init.groovy.d/# plugins.txt
docker-plugin:1.2.2
docker-workflow:1.26
git:4.7.1
github:1.33.1
pipeline-stage-view:2.19Jenkins Pipeline 配置
// Jenkinsfile
pipeline {
agent any
tools {
maven 'Maven 3.8.1'
nodejs 'NodeJS 14'
}
environment {
DOCKER_REGISTRY = 'registry.example.com'
DOCKER_IMAGE = 'myapp'
DOCKER_TAG = "${env.BUILD_NUMBER}"
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Build') {
steps {
sh 'npm ci'
sh 'npm run build'
}
}
stage('Test') {
steps {
sh 'npm test'
}
post {
always {
publishTestResults testResultsPattern: 'test-results/**/*.xml'
publishCoverage adapters: [istanbulAdapter(mergeToOneReport: true, path: 'coverage/clover.xml')]
}
}
}
stage('Build Docker Image') {
steps {
script {
docker.build("${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${DOCKER_TAG}")
}
}
}
stage('Security Scan') {
steps {
script {
docker.image("${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${DOCKER_TAG}").inside {
sh 'npm audit'
}
}
}
}
stage('Push Docker Image') {
steps {
script {
docker.withRegistry("https://${DOCKER_REGISTRY}", 'docker-registry-credentials') {
docker.image("${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${DOCKER_TAG}").push()
docker.image("${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${DOCKER_TAG}").push('latest')
}
}
}
}
stage('Deploy to Staging') {
when {
branch 'main'
}
steps {
sh 'kubectl set image deployment/myapp myapp=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${DOCKER_TAG}'
}
}
}
post {
success {
slackSend channel: '#ci-cd', message: "Build ${env.JOB_NAME} - ${env.BUILD_NUMBER} succeeded!"
}
failure {
slackSend channel: '#ci-cd', message: "Build ${env.JOB_NAME} - ${env.BUILD_NUMBER} failed!"
}
}
}Jenkins Docker Agent 配置
// 使用 Docker Agent
pipeline {
agent {
docker {
image 'node:14'
args '-u root:root'
}
}
stages {
stage('Test') {
steps {
sh 'npm test'
}
}
}
}// 动态 Docker Agent
pipeline {
agent any
stages {
stage('Build') {
agent {
docker {
image 'maven:3.8.1-openjdk-11'
}
}
steps {
sh 'mvn clean package'
}
}
stage('Test') {
agent {
docker {
image 'node:14'
}
}
steps {
sh 'npm test'
}
}
}
}GitLab CI 配置与管理
GitLab Runner 配置
# config.toml
concurrent = 4
check_interval = 0
[session_server]
session_timeout = 1800
[[runners]]
name = "docker-runner"
url = "https://gitlab.example.com/"
token = "TOKEN"
executor = "docker"
[runners.custom_build_dir]
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
[runners.cache.azure]
[runners.docker]
tls_verify = false
image = "alpine:latest"
privileged = true
disable_entrypoint_overwrite = false
oom_kill_disable = false
disable_cache = false
volumes = ["/cache"]
shm_size = 0GitLab CI 高级配置
# .gitlab-ci.yml
stages:
- build
- test
- security
- deploy
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: "/certs"
CONTAINER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
before_script:
- docker info
build:
stage: build
image: docker:latest
services:
- docker:dind
script:
- docker build --pull -t $CONTAINER_IMAGE .
- docker push $CONTAINER_IMAGE
only:
- main
tags:
- docker
unit_test:
stage: test
image: node:14
script:
- npm ci
- npm run test:unit
artifacts:
reports:
junit: test-results/unit.xml
cobertura: coverage/unit/cobertura-coverage.xml
coverage: '/Lines\s*:\s*(\d+\.\d+)%/'
only:
- main
tags:
- node
integration_test:
stage: test
image: docker:latest
services:
- docker:dind
script:
- docker-compose -f docker-compose.test.yml up -d
- docker run --network container:integration_test_app_1 $CONTAINER_IMAGE npm run test:integration
after_script:
- docker-compose -f docker-compose.test.yml down -v
only:
- main
tags:
- docker
security_scan:
stage: security
image: docker:latest
services:
- docker:dind
script:
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest --exit-code 1 --severity HIGH,CRITICAL $CONTAINER_IMAGE
only:
- main
tags:
- docker
- security
deploy_staging:
stage: deploy
image: bitnami/kubectl:latest
script:
- kubectl set image deployment/myapp myapp=$CONTAINER_IMAGE
environment:
name: staging
url: https://staging.example.com
only:
- main
tags:
- kubernetes
deploy_production:
stage: deploy
image: bitnami/kubectl:latest
script:
- kubectl set image deployment/myapp myapp=$CONTAINER_IMAGE
environment:
name: production
url: https://example.com
when: manual
only:
- main
tags:
- kubernetesGitHub Actions 配置与管理
GitHub Actions 基础配置
# .github/workflows/ci.yml
name: CI/CD Pipeline
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Log in to the Container registry
uses: docker/login-action@v1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}GitHub Actions 高级配置
# .github/workflows/advanced-ci.yml
name: Advanced CI/CD Pipeline
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [14.x, 16.x]
os: [ubuntu-latest, windows-latest]
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v2
with:
node-version: ${{ matrix.node-version }}
- name: Cache node modules
uses: actions/cache@v2
env:
cache-name: cache-node-modules
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm test
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v1
with:
file: ./coverage/lcov.info
flags: unittests
name: codecov-umbrella
build:
needs: test
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v2
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v3
with:
images: myapp/app
- name: Build and push
uses: docker/build-push-action@v2
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
deploy:
needs: build
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- name: Deploy to Kubernetes
uses: actions-hub/kubectl@master
env:
KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
with:
args: set image deployment/myapp myapp=${{ steps.meta.outputs.tags }}
- name: Verify deployment
uses: actions-hub/kubectl@master
env:
KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
with:
args: rollout status deployment/myapp容器化 CI/CD 工具
自建 CI/CD 平台
# custom-ci.Dockerfile
FROM node:14
# 安装 CI/CD 工具
RUN npm install -g @gitbeaker/cli
RUN apt-get update && apt-get install -y curl git
# 安装 Kubernetes CLI
RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
RUN install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
# 安装 Docker CLI
RUN apt-get install -y docker.io
WORKDIR /app
COPY . .
CMD ["node", "ci-runner.js"]CI/CD 工具监控
# docker-compose.monitoring.yml
version: '3.8'
services:
jenkins:
image: jenkins/jenkins:lts
ports:
- "8080:8080"
volumes:
- jenkins_home:/var/jenkins_home
environment:
- JAVA_OPTS=-Djenkins.install.runSetupWizard=false
gitlab-runner:
image: gitlab/gitlab-runner:alpine
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- gitlab_runner_config:/etc/gitlab-runner
prometheus:
image: prom/prometheus
ports:
- "9090:9090"
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml
- prometheus_data:/prometheus
grafana:
image: grafana/grafana
ports:
- "3000:3000"
volumes:
- grafana_data:/var/lib/grafana
depends_on:
- prometheus
volumes:
jenkins_home:
gitlab_runner_config:
prometheus_data:
grafana_data:安全配置
凭证管理
# 凭证安全配置
pipeline {
agent any
environment {
DOCKER_REGISTRY_PASSWORD = credentials('docker-registry-password')
AWS_ACCESS_KEY = credentials('aws-access-key')
AWS_SECRET_KEY = credentials('aws-secret-key')
}
stages {
stage('Deploy') {
steps {
withCredentials([string(credentialsId: 'kubernetes-config', variable: 'KUBECONFIG')]) {
sh 'kubectl --kubeconfig=$KUBECONFIG apply -f k8s/deployment.yaml'
}
}
}
}
}安全扫描集成
security_scan:
stage: security
image: docker:latest
services:
- docker:dind
script:
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest --exit-code 1 --severity HIGH,CRITICAL $CONTAINER_IMAGE
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest $CONTAINER_IMAGE
only:
- main最佳实践
工具链标准化
# 标准化构建环境
FROM node:14-alpine AS base
# 安装通用工具
RUN apk add --no-cache \
curl \
git \
bash \
openssh
# 设置工作目录
WORKDIR /app
# 复制依赖文件
FROM base AS dependencies
COPY package*.json ./
RUN npm ci --only=production
# 构建阶段
FROM base AS build
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# 运行阶段
FROM base AS runtime
COPY --from=dependencies /app/node_modules ./node_modules
COPY --from=build /app/dist ./dist
EXPOSE 3000
CMD ["node", "dist/index.js"]配置即代码
# infrastructure/ci-cd-config.yaml
jenkins:
plugins:
- docker-plugin
- git-plugin
- pipeline-plugin
jobs:
- name: myapp-ci
pipeline: |
pipeline {
agent any
stages {
stage('Build') {
steps {
sh 'docker build -t myapp .'
}
}
}
}
gitlab:
runners:
- name: docker-runner
executor: docker
tags: [docker, linux]灾难恢复
#!/bin/bash
# backup-ci-cd.sh
# 备份 Jenkins 配置
docker exec jenkins-container tar -czf - /var/jenkins_home > jenkins-backup-$(date +%Y%m%d).tar.gz
# 备份 GitLab Runner 配置
docker exec gitlab-runner-container cat /etc/gitlab-runner/config.toml > gitlab-runner-config-$(date +%Y%m%d).toml
# 备份 GitHub Actions 配置
git add .github/workflows/
git commit -m "Backup GitHub Actions workflows"
git push origin config-backup通过本节内容,我们深入了解了如何配置和管理主流的 CI/CD 工具链,包括 Jenkins、GitLab CI 和 GitHub Actions 的详细配置方法,以及容器化 CI/CD 工具的部署和安全配置。掌握这些技能将帮助您构建高效、安全的自动化软件交付流程。