DevOps CI/CD 流水线设计
本文介绍如何基于 GitOps 理念设计企业级 CI/CD 流水线,实现从代码提交到生产部署的全自动化交付流程。
🎯 GitOps 理念
GitOps 是一种基于 Git 的运维方法论,核心原则:
- 声明式:系统状态通过代码声明
- 版本化:所有变更通过 Git 版本控制
- 自动化:自动应用期望状态
- 持续协调:持续监控和同步实际状态
🏗️ 流水线架构
整体架构
开发人员 → Git 仓库 → CI 流水线 → 镜像仓库 → CD 流水线 → Kubernetes 集群
组件说明
- Git 仓库:代码和配置的唯一事实源
- CI 流水线:代码构建、测试、镜像构建
- 镜像仓库:容器镜像存储和版本管理
- CD 流水线:自动部署到 Kubernetes 集群
🔧 CI 流水线配置
GitLab CI 示例
stages:
- build
- test
- deploy
variables:
IMAGE_NAME: registry.example.com/app:${CI_COMMIT_SHORT_SHA}
build:
stage: build
image: docker:latest
services:
- docker:dind
script:
- docker build -t $IMAGE_NAME .
- docker login -u $REGISTRY_USER -p $REGISTRY_PASS registry.example.com
- docker push $IMAGE_NAME
test:
stage: test
image: $IMAGE_NAME
script:
- npm run test
- npm run lint
deploy:
stage: deploy
image: bitnami/kubectl:latest
script:
- kubectl set image deployment/app app=$IMAGE_NAME
only:
- main
Jenkins Pipeline 示例
pipeline {
agent any
environment {
IMAGE_NAME = "registry.example.com/app:${BUILD_NUMBER}"
}
stages {
stage('Build') {
steps {
sh 'docker build -t ${IMAGE_NAME} .'
}
}
stage('Test') {
steps {
sh 'docker run ${IMAGE_NAME} npm test'
}
}
stage('Push') {
steps {
withCredentials([usernamePassword(credentialsId: 'registry-creds',
usernameVariable: 'REGISTRY_USER', passwordVariable: 'REGISTRY_PASS')]) {
sh '''
docker login -u ${REGISTRY_USER} -p ${REGISTRY_PASS} registry.example.com
docker push ${IMAGE_NAME}
'''
}
}
}
stage('Deploy') {
steps {
sh "kubectl set image deployment/app app=${IMAGE_NAME}"
}
}
}
}
🚀 CD 流水线配置
ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: app-production
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/organization/app-config.git
targetRevision: main
path: overlays/production
destination:
server: https://kubernetes.default.svc
namespace: production
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
Helm Chart 结构
helm-chart/
├── Chart.yaml
├── values.yaml
├── templates/
│ ├── deployment.yaml
│ ├── service.yaml
│ ├── ingress.yaml
│ └── configmap.yaml
└── overlays/
├── dev/
│ └── values.yaml
├── staging/
│ └── values.yaml
└── production/
└── values.yaml
📋 质量门禁
自动化测试
test:
stage: test
image: node:18
script:
- npm install
- npm run test:unit
- npm run test:integration
- npm run test:e2e
coverage: '/All files[^|]*\|[^|]*\s+([\d\.]+)/'
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: coverage/cobertura-coverage.xml
代码质量检查
code-quality:
stage: test
image: sonarsource/sonar-scanner-cli
script:
- sonar-scanner
-Dsonar.projectKey=${CI_PROJECT_NAME}
-Dsonar.sources=src
-Dsonar.host.url=${SONAR_HOST}
-Dsonar.login=${SONAR_TOKEN}
🔒 安全扫描
镜像漏洞扫描
security-scan:
stage: security
image: aquasec/trivy:latest
script:
- trivy image --severity HIGH,CRITICAL $IMAGE_NAME
allow_failure: false
依赖安全检查
dependency-check:
stage: security
image: owasp/dependency-check:latest
script:
- dependency-check --scan . --format XML --out dependency-check-report.xml
artifacts:
reports:
dependency_scanning: dependency-check-report.xml
📊 监控与回滚
部署监控
monitor-deployment:
stage: monitor
image: bitnami/kubectl:latest
script:
- kubectl rollout status deployment/app
- sleep 60
- kubectl get pods -l app=app
自动回滚
rollback:
stage: rollback
image: bitnami/kubectl:latest
script:
- kubectl rollout undo deployment/app
when: on_failure
🎯 最佳实践
- 基础设施即代码:所有配置通过代码管理
- 不可变基础设施:使用容器镜像,避免原地更新
- 自动化测试:建立完整的测试金字塔
- 安全左移:在开发阶段集成安全检查
- 可观测性:部署后监控应用健康状态
- 快速失败:尽早发现问题,快速反馈
📚 参考资源
作者: Pizicaiman
发布时间: 2024-01-10
分类: DevOps, 自动化
标签: DevOps, CI/CD, GitOps, Jenkins, ArgoCD