DevOps infrastructure configuration: Jenkins docking with K8S

Preface

When we build K8S's devops pipeline based on Jenkins, a very important step is to connect Jenkins and K8S, so that we can make full use of the features of Jenkins and K8S [pod slave] to complete the operation of the pipeline. This article mainly records how to configure Jenkins and K8S. Interconnection with K8S cluster

1. Create kubernetes cloud

Tip: Because token credentials are required during the creation process, you can refer to 步骤1.2.4the first step to create

1.1 Enter Configure Clouds

Depending on the version of Jenkins, the path to enter Configure Clouds is different, but basically you can enter through [Manage Jenkins]–>[Manage Nodes and Clouds] or [Manage Nodes]–>[Configure Clouds]

1.2 ConfigurationKubernetes Cloud details

There are three main places that require custom modifications:

1.2.1 Kubernetes address:

The default is https://kubernetes.default, it’s okay, I’m used to writing it all. Of course, if Jenkins is deployed outside the K8S cluster, you need to write the real address of the K8S apis-server.

1.2.2 Disable HTTPS certificate checking

If you feel unsafe, you can configure it by yourself according to online tutorials, but if you are in an intranet cluster, there will basically be no external threats.

1.2.3 Kubernetes namespace

This is the namespace used to run pod slave

1.2.4 Credentials

It is equivalent to the permission credentials for you to connect to the K8S cluster and operate within the cluster. There are many configuration methods. Here, choose the serviceaccount method.

rbac authorizes
Jenkins to operate k8s through kubernetes-plugin, and rbac authorization needs to be performed in k8s in advance. Here we bind the cluster-admin role to it for the convenience of management. Of course, the usage rights can also be further narrowed . This is determined by each company's management system.

(1)Create serviceaccounts

kubectl create sa devops-jenkins

(2) Bind jenkins to cluster-admin

kubectl create clusterrolebinding devops-jenkins-role-binding --clusterrole cluster-admin --serviceaccount=devops:devops-jenkins

(3) When kubernetes-plugin connects to k8s, it does not use serviceaccount directly, but through token. Therefore, we need to obtain the token corresponding to serviceaccount: jenkins .

View sa

[root@master pkg]# kubectl get sa -n devops
NAME             SECRETS   AGE
default          1         7d18h
devops-jenkins   1         7d2h
jenkins          1         7d18h

View secret

[root@master pkg]# kubectl describe sa devops-jenkins -n devops
Name:                devops-jenkins
Namespace:           devops
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   devops-jenkins-token-7wnbx
Tokens:              devops-jenkins-token-7wnbx
Events:              <none>

Get token

[root@master pkg]# kubectl describe secrets devops-jenkins-token-7wnbx -n devops
Name:         devops-jenkins-token-7wnbx
Namespace:    devops
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: devops-jenkins
              kubernetes.io/service-account.uid: bd379a1d-7e8f-4e4c-aa92-76383c1397ba

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  6 bytes
token:      eyJhbGciO...  ###这里就是所需的token

Create jenkins credentials using the obtained token

2.Storage kubeconfig

In the devops of the K8S cluster, we often execute the build and deployment process in a temporary pod, the so-called slave pod. Therefore, during the deployment process, the kubeconfig of the target cluster needs to be passed to the slave pod, so that it can be directly Execute kubectl apply deploy.yaml --kubeconfig=config in the pod

2.1 Install Config File Provider Plugin

Simply search and install by name in the Plugin Manager

2.2 Configure kubeconfig

Go to Manage Jenkins–>Managed files–>Add a new Config

and select Custom file. The ID can be configured by yourself or use the default, and then click Next

to obtain kubeconfig from the K8S cluster.

cat /root/.kube/config

After copying the complete contents of the config file, paste it into the Content box and submit it. Then you

can see the file we just configured on the main page of the managed file.

2.3 Generate jenkinsfile script

We use the tool [pipeline syntax] that comes with Jenkins to automatically generate the calling command.

        stage('deploy to test') {
    
    
            when {
    
    
                branch 'test'
            }
            steps {
    
    
                input(id: 'deploy-to-test', message: 'deploy to test?')
                container("maven") {
    
    
                    script{
    
    
                        configFileProvider([configFile(fileId: 'f087251c-7058-458d-b26f-8512f3cf3d56', targetLocation: 'dev.kubeconfig')]) {
    
    
                            sh '''
                            kubectl get node --kubeconfig=dev.kubeconfig
                            '''
                        }
                    }
                }
            }
        }