安装Jenkins
helm repo add jenkins https://charts.jenkins.io
helm repo update
# 当前版本
jenkins-5.1.18.tgz
瘦身后的 values.yaml
nameOverride:
fullnameOverride:
namespaceOverride:
clusterZone: "cluster.local"
kubernetesURL: "https://kubernetes.default"
credentialsId:
renderHelmLabels: true
controller:
componentName: "jenkins-controller"
image:
registry: "docker.io"
repository: "jenkins/jenkins"
tag:
tagLabel: jdk17
pullPolicy: "Always"
imagePullSecretName:
lifecycle: {}
disableRememberMe: false
numExecutors: 0
executorMode: "NORMAL"
customJenkinsLabels: []
hostNetworking: false
admin:
username: "admins"
password:
userKey: jenkins-admin-user
passwordKey: jenkins-admin-password
createSecret: true
existingSecret: ""
jenkinsAdminEmail:
jenkinsHome: "/var/jenkins_home"
jenkinsRef: "/usr/share/jenkins/ref"
jenkinsWar: "/usr/share/jenkins/jenkins.war"
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "4000m"
memory: "4096Mi"
shareProcessNamespace: false
initContainerResources: {}
initContainerEnvFrom: []
initContainerEnv: []
containerEnvFrom: []
containerEnv: []
javaOpts:
jenkinsOpts:
jenkinsUrlProtocol:
jenkinsUrl:
jenkinsUriPrefix:
usePodSecurityContext: true
runAsUser: 1000
fsGroup: 1000
securityContextCapabilities: {}
podSecurityContextOverride: ~
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
serviceType: NodePort
clusterIp:
servicePort: 8080
targetPort: 8080
nodePort: 33441
serviceExternalTrafficPolicy:
serviceAnnotations: {}
statefulSetLabels: {}
serviceLabels: {}
podLabels: {}
healthProbes: true
probes:
startupProbe:
failureThreshold: 12
httpGet:
path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
port: http
periodSeconds: 10
timeoutSeconds: 5
livenessProbe:
failureThreshold: 5
httpGet:
path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
port: http
periodSeconds: 10
timeoutSeconds: 5
initialDelaySeconds:
readinessProbe:
failureThreshold: 3
httpGet:
path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
port: http
periodSeconds: 10
timeoutSeconds: 5
initialDelaySeconds:
podDisruptionBudget:
enabled: false
apiVersion: "policy/v1beta1"
annotations: {}
labels: {}
maxUnavailable: "0"
agentListenerEnabled: true
agentListenerPort: 50001
agentListenerHostPort:
agentListenerNodePort: 50001
agentListenerExternalTrafficPolicy:
agentListenerLoadBalancerSourceRanges:
- 0.0.0.0/0
disabledAgentProtocols:
- JNLP-connect
- JNLP2-connect
csrf:
defaultCrumbIssuer:
enabled: true
proxyCompatability: true
agentListenerServiceType: "NodePort"
agentListenerServiceAnnotations: {}
agentListenerLoadBalancerIP:
legacyRemotingSecurityEnabled: false
loadBalancerSourceRanges:
- 0.0.0.0/0
loadBalancerIP:
jmxPort:
extraPorts: []
installPlugins:
- kubernetes:4219.v40ff98cfb_d6f
- workflow-aggregator:596.v8c21c963d92d
- git:5.2.2
- configuration-as-code:1807.v0175eda_00a_20
installLatestPlugins: true
installLatestSpecifiedPlugins: false
additionalPlugins: []
initializeOnce: false
overwritePlugins: false
overwritePluginsFromImage: true
projectNamingStrategy: standard
enableRawHtmlMarkupFormatter: false
markupFormatter: plainText
scriptApproval: []
initScripts: {}
initConfigMap:
existingSecret:
additionalExistingSecrets: []
additionalSecrets: []
secretClaims: []
cloudName: "kubernetes"
JCasC:
defaultConfig: false
overwriteConfiguration: false
configUrls: []
configScripts: {}
security:
apiToken:
creationOfLegacyTokenEnabled: false
tokenGenerationOnCreationEnabled: false
usageStatisticsEnabled: true
securityRealm: |-
local:
allowsSignup: false
enableCaptcha: false
users:
- id: "${chart-admin-username}"
name: "Jenkins Admin"
password: "${chart-admin-password}"
authorizationStrategy: |-
loggedInUsersCanDoAnything:
allowAnonymousRead: false
customInitContainers: []
sidecars:
configAutoReload:
enabled: false
image:
registry: docker.io
repository: kiwigrid/k8s-sidecar
tag: 1.27.1
imagePullPolicy: IfNotPresent
resources: {}
scheme: http
skipTlsVerify: false
reqRetryConnect: 10
sleepTime:
envFrom: []
env: {}
sshTcpPort: 1044
folder: "/var/jenkins_home/casc_configs"
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalSidecarContainers: []
schedulerName: ""
nodeSelector: {}
tolerations: []
terminationGracePeriodSeconds:
terminationMessagePath:
terminationMessagePolicy:
affinity: {}
priorityClassName:
podAnnotations: {}
statefulSetAnnotations: {}
updateStrategy: {}
ingress:
enabled: false
paths: []
apiVersion: "extensions/v1beta1"
labels: {}
annotations: {}
path:
hostName:
resourceRootUrl:
tls: []
secondaryingress:
enabled: false
paths: []
apiVersion: "extensions/v1beta1"
labels: {}
annotations: {}
hostName:
tls:
backendconfig:
enabled: false
apiVersion: "extensions/v1beta1"
name:
labels: {}
annotations: {}
spec: {}
route:
enabled: false
labels: {}
annotations: {}
path:
hostAliases: []
prometheus:
enabled: false
serviceMonitorAdditionalLabels: {}
serviceMonitorNamespace:
scrapeInterval: 60s
scrapeEndpoint: /prometheus
alertingrules: []
alertingRulesAdditionalLabels: {}
prometheusRuleNamespace: ""
relabelings: []
metricRelabelings: []
googlePodMonitor:
enabled: false
scrapeInterval: 60s
scrapeEndpoint: /prometheus
testEnabled: true
httpsKeyStore:
enable: false
jenkinsHttpsJksSecretName: ""
jenkinsHttpsJksSecretKey: "jenkins-jks-file"
jenkinsHttpsJksPasswordSecretName: ""
jenkinsHttpsJksPasswordSecretKey: "https-jks-password"
disableSecretMount: false
httpPort: 8081
path: "/var/jenkins_keystore"
fileName: "keystore.jks"
password: "password"
jenkinsKeyStoreBase64Encoded:
agent:
enabled: false
defaultsProviderTemplate: ""
jenkinsUrl:
jenkinsTunnel:
kubernetesConnectTimeout: 5
kubernetesReadTimeout: 15
maxRequestsPerHostStr: "32"
retentionTimeout: 5
waitForPodSec: 600
namespace:
podLabels: {}
jnlpregistry:
image:
repository: "jenkins/inbound-agent"
tag: "3248.v65ecb_254c298-1"
workingDir: "/home/jenkins/agent"
nodeUsageMode: "NORMAL"
customJenkinsLabels: []
imagePullSecretName:
componentName: "jenkins-agent"
websocket: false
directConnection: false
privileged: false
runAsUser:
runAsGroup:
hostNetworking: false
resources:
requests:
cpu: "512m"
memory: "512Mi"
limits:
cpu: "512m"
memory: "512Mi"
livenessProbe: {}
alwaysPullImage: false
restrictedPssSecurityContext: false
podRetention: "Never"
showRawYaml: true
volumes: []
workspaceVolume: {}
envVars: []
secretEnvVars: []
nodeSelector: {}
command:
args: "${computer.jnlpmac} ${computer.name}"
sideContainerName: "jnlp"
TTYEnabled: false
containerCap: 10
podName: "default"
idleMinutes: 0
yamlTemplate: ""
yamlMergeStrategy: "override"
connectTimeout: 100
annotations: {}
additionalContainers: []
disableDefaultAgent: false
podTemplates: {}
additionalAgents: {}
additionalClouds: {}
persistence:
enabled: true
existingClaim:
storageClass: openebs-hostpath
annotations: {}
labels: {}
accessMode: "ReadWriteOnce"
size: "8Gi"
dataSource: {}
subPath:
volumes: []
mounts: []
networkPolicy:
enabled: false
apiVersion: networking.k8s.io/v1
internalAgents:
allowed: true
podLabels: {}
namespaceLabels: {}
externalAgents:
ipCIDR:
except: []
rbac:
create: true
readSecrets: false
serviceAccount:
create: true
name:
annotations: {}
extraLabels: {}
imagePullSecretName:
serviceAccountAgent:
create: false
name:
annotations: {}
extraLabels: {}
imagePullSecretName:
checkDeprecation: true
awsSecurityGroupPolicies:
enabled: false
policies:
- name: ""
securityGroupIds: []
podSelector: {}
helmtest:
bats:
image:
registry: "docker.io"
repository: "bats/bats"
tag: "1.11.0"
安装完之后 配置EKS
我的是在tools命名空间下
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tools-admin
namespace: tools
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-creator
namespace: tools
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["create", "get", "list", "watch", "delete", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tools-admin-rolebinding
namespace: tools
subjects:
- kind: ServiceAccount
name: tools-admin
namespace: tools
roleRef:
kind: Role
name: pod-creator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tools-admin-crb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tools-admin
namespace: tools
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
annotations:
kubernetes.io/service-account.name: tools-admin
name: tools-admin-token
namespace: tools
获取你的token
echo -e "\033[31m$(kubectl -n tools get secret $(kubectl -n tools get secret tools-admin-token | grep tools-admin-token | awk '{print $1}') -o go-template='{{.data.token}}' | base64 -d)\033[0m"
登录Jenkins 配置eks的token
最后pipeline如下
pipeline {
agent {
kubernetes {
inheritFrom 'kubernetes'
}
}
stages {
stage('Get Code') {
steps {
git branch: 'main', url: 'http://192.168.0.33:22045/admins/test.git'
}
}
stage('Test-docker....') {
steps {
container('test'){
withKubeConfig(credentialsId: 'k8s-eks',
serverUrl: 'https://01922.gr7.ap-northeast-1.eks.amazonaws.com') {
sh 'kubectl delete -f pods.yaml'
sh 'kubectl get pods'
}
}
}
}
}
}
运行日志
