news 2026/5/14 17:16:58

Kubernetes CI/CD: Automated Deployment and GitOps in Practice


张小明

Front-end Development Engineer


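Introduction

In Kubernetes environments, CI/CD and GitOps are key to automated deployment and continuous delivery. This article looks at how to build a CI/CD pipeline for Kubernetes and at GitOps best practices.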

1. CI/CD Infrastructure

1.1 CI/CD Flow

```
Code commit ──> CI build ──> Image push ──> CD deploy ──> Verification tests ──> Production
     │                                          │
     ▼                                          ▼
GitHub/GitLab                              Kubernetes
```

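1.2 Core Components

| Component | Role |
| --- | --- |
| Version control | Git repositories manage the code |
| CI system | Jenkins/GitHub Actions/GitLab CI |
| Image registry | Docker Hub/Harbor/GCR |
| CD tool | Argo CD/Flux/Rollout |
| Testing framework | SonarQube/Codecov |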

2. GitHub Actions Configuration

2.1 Basic Workflow

```yaml
name: CI/CD Pipeline

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Build
        run: go build -v ./...
      - name: Test
        run: go test -v ./...
      - name: Lint
        uses: golangci/golangci-lint-action@v6
        with:
          version: latest

  deploy:
    needs: build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ${{ secrets.DOCKER_USERNAME }}/myapp:${{ github.sha }}
      - name: Deploy to Kubernetes
        uses: steebchen/kubectl@v2
        with:
          config: ${{ secrets.KUBE_CONFIG }}
          command: set image deployment/myapp myapp=${{ secrets.DOCKER_USERNAME }}/myapp:${{ github.sha }}
```
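The workflow above references every third-party action by a version tag (`@v4`, `@v2`) and sets the linter to `version: latest`; both can be moved by their publisher, so the code that runs with `DOCKER_PASSWORD` and `KUBE_CONFIG` in scope can change without a commit to this repository. The following Go check is an added example, not part of the original article: it scans workflow text for such references, using a constructed sample that includes a placeholder commit SHA and a hypothetical local action path.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: references from the section 2.1 workflow, one placeholder SHA pin, one local action.
const sampleWorkflow = `steps:
  - uses: actions/checkout@v4
  - uses: golangci/golangci-lint-action@v6
    with:
      version: latest
  - uses: steebchen/kubectl@v2
  - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678 # placeholder SHA
  - uses: ./.github/actions/local-step
`

var (
	usesRe   = regexp.MustCompile(`^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)`)
	shaRe    = regexp.MustCompile(`^[0-9a-f]{40}$`)
	latestRe = regexp.MustCompile(`^\s*version:\s*['"]?latest\b`)
)

// Finding is one reference that can change without a commit to this repository.
type Finding struct{ Line int; Ref string }

// MutableRefs flags actions referenced by tag or branch and tool versions set to "latest".
func MutableRefs(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		if latestRe.MatchString(line) {
			out = append(out, Finding{i + 1, "version: latest"})
		}
		m := usesRe.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(m[1], "./") {
			continue // no action reference, or a local action versioned with this repo
		}
		if _, rev, _ := strings.Cut(m[1], "@"); !shaRe.MatchString(rev) {
			out = append(out, Finding{i + 1, m[1]})
		}
	}
	return out
}

func main() {
	fmt.Println(MutableRefs(sampleWorkflow))
}
```

A reference pinned to a full 40-character commit SHA passes; a trailing comment with the human-readable version keeps the pin reviewable.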

2.2 Multi-Environment Deployment

```yaml
name: Multi-Environment Deployment

on:
  push:
    branches: [ main, staging ]

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      # docker/build-push-action exposes imageid, digest and metadata outputs
      # but no "tag" output, so publish the tag that was actually pushed.
      image_tag: ${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
      - name: Build and push
        id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: myapp:${{ github.sha }}

  deploy-staging:
    needs: build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/staging'
    steps:
      - uses: steebchen/kubectl@v2
        with:
          config: ${{ secrets.KUBE_CONFIG_STAGING }}
          command: set image deployment/myapp myapp=myapp:${{ needs.build.outputs.image_tag }}

  deploy-production:
    # deploy-staging is skipped on main, and a job that needs a skipped job is
    # skipped as well, so this job depends on build only.
    needs: build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    environment: production
    steps:
      - uses: steebchen/kubectl@v2
        with:
          config: ${{ secrets.KUBE_CONFIG_PRODUCTION }}
          command: set image deployment/myapp myapp=myapp:${{ needs.build.outputs.image_tag }}
```

3. Argo CD in Practice

3.1 Argo CD Installation

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'https://github.com/myorg/myapp.git'
    targetRevision: HEAD
    path: k8s/manifests
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
```

3.2 Argo CD Rollout

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: myapp
spec:
  replicas: 5
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest
          ports:
            - containerPort: 80
  strategy:
    blueGreen:
      activeService: myapp-active
      previewService: myapp-preview
      autoPromotionEnabled: false
      previewReplicaCount: 2
```

3.3 Argo CD Application Configuration

```go
package argocd

import (
	"context"
	"fmt"

	"github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
)

// ArgoCDClient wraps the Argo CD application service gRPC client.
type ArgoCDClient struct {
	client application.ApplicationServiceClient
}

func NewArgoCDClient(client application.ApplicationServiceClient) *ArgoCDClient {
	return &ArgoCDClient{client: client}
}

// CreateApplication registers the application and asks the server to validate it.
func (a *ArgoCDClient) CreateApplication(ctx context.Context, app *v1alpha1.Application) error {
	validate := true // request fields are pointers in the generated API types
	_, err := a.client.Create(ctx, &application.ApplicationCreateRequest{
		Application: app,
		Validate:    &validate,
	})
	if err != nil {
		return fmt.Errorf("failed to create application: %w", err)
	}
	return nil
}

// SyncApplication triggers a sync with pruning and namespace creation enabled.
func (a *ArgoCDClient) SyncApplication(ctx context.Context, name string) error {
	prune := true // pruning is a request field, not a sync option string
	_, err := a.client.Sync(ctx, &application.ApplicationSyncRequest{
		Name:  &name,
		Prune: &prune,
		SyncOptions: &application.SyncOptions{
			Items: []string{"CreateNamespace=true"},
		},
	})
	if err != nil {
		return fmt.Errorf("failed to sync application: %w", err)
	}
	return nil
}

// GetApplicationStatus returns the Application object, including its status.
func (a *ArgoCDClient) GetApplicationStatus(ctx context.Context, name string) (*v1alpha1.Application, error) {
	app, err := a.client.Get(ctx, &application.ApplicationQuery{
		Name: &name,
	})
	if err != nil {
		return nil, fmt.Errorf("failed to get application: %w", err)
	}
	return app, nil // Get returns the Application itself
}
```

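4. GitOps Workflow

4.1 GitOps Principles

  1. Declarative configuration: all configuration is stored in Git
  2. Version control: configuration changes have a complete audit log
  3. Automated synchronization: Git is the single source of truth
  4. Auditable: every change can be traced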

4.2 GitOps Directory Structure

```
.
├── applications/
│   ├── backend/
│   │   ├── deployment.yaml
│   │   ├── service.yaml
│   │   └── ingress.yaml
│   └── frontend/
│       ├── deployment.yaml
│       ├── service.yaml
│       └── configmap.yaml
├── infrastructure/
│   ├── namespaces.yaml
│   ├── serviceaccounts.yaml
│   └── networkpolicies.yaml
└── charts/
    └── myapp/
        ├── Chart.yaml
        ├── values.yaml
        └── templates/
```

4.3 Flux CD Configuration

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: myapp
  namespace: flux-system
spec:
  interval: 1m
  url: https://github.com/myorg/myapp.git
  ref:
    branch: main
  secretRef:
    name: git-credentials
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: myapp
  namespace: flux-system
spec:
  interval: 5m
  path: ./k8s/production
  prune: true
  sourceRef:
    kind: GitRepository
    name: myapp
  # spec.validation from older API versions is not part of the v1 Kustomization API and is omitted.
  healthChecks:
    - apiVersion: apps/v1
      kind: Deployment
      name: myapp
      namespace: production
```

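5. Automated Testing and Verification

5.1 Integration Tests

```go
package test

import (
	"context"
	"os"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)

// setupKubernetesClient builds a clientset from $KUBECONFIG, falling back to
// in-cluster configuration when the variable is empty.
func setupKubernetesClient(t *testing.T) kubernetes.Interface {
	t.Helper()
	cfg, err := clientcmd.BuildConfigFromFlags("", os.Getenv("KUBECONFIG"))
	require.NoError(t, err)
	client, err := kubernetes.NewForConfig(cfg)
	require.NoError(t, err)
	return client
}

// TestDeploymentReady checks replica count and availability of every Deployment in production.
func TestDeploymentReady(t *testing.T) {
	client := setupKubernetesClient(t)
	deployments, err := client.AppsV1().Deployments("production").List(context.Background(), metav1.ListOptions{})
	require.NoError(t, err) // stop here: deployments is nil on error

	for _, deploy := range deployments.Items {
		t.Run(deploy.Name, func(t *testing.T) {
			assert.Equal(t, int32(3), *deploy.Spec.Replicas, "Replicas mismatch")
			assert.Equal(t, deploy.Status.Replicas, deploy.Status.AvailableReplicas, "Deployment not ready")
		})
	}
}

// TestServiceEndpoints checks that every Service in production is a ClusterIP Service with an address.
func TestServiceEndpoints(t *testing.T) {
	client := setupKubernetesClient(t)
	services, err := client.CoreV1().Services("production").List(context.Background(), metav1.ListOptions{})
	require.NoError(t, err)

	for _, svc := range services.Items {
		t.Run(svc.Name, func(t *testing.T) {
			assert.Equal(t, corev1.ServiceTypeClusterIP, svc.Spec.Type, "Service type mismatch")
			// ClusterIP is a string, so check for a non-empty value rather than non-nil.
			assert.NotEmpty(t, svc.Spec.ClusterIP, "ClusterIP not assigned")
		})
	}
}
```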

5.2 Performance Tests

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: k6-config
data:
  script.js: |
    import http from 'k6/http';
    import { check, sleep } from 'k6';

    export const options = {
      vus: 100,
      duration: '30s',
    };

    export default function () {
      const res = http.get('http://myapp/api/users');
      check(res, {
        'status was 200': (r) => r.status == 200,
        'response time < 500ms': (r) => r.timings.duration < 500,
      });
      sleep(1);
    }
```

6. Blue-Green Deployment and Canary Release

6.1 Blue-Green Deployment

```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-active
spec:
  selector:
    app: myapp
    version: blue
  ports:
    - port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-preview
spec:
  selector:
    app: myapp
    version: green
  ports:
    - port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-blue
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      version: blue
  template:
    metadata:
      labels:
        app: myapp
        version: blue
    spec:
      containers:
        - name: myapp
          image: myapp:v1.0
```
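The Rollout in section 3.2 deploys `myapp:latest` and the Deployment above uses `myapp:v1.0`; neither names immutable content, so the image that is pulled can differ from the one that was built and tested. This added Go example (not from the original article) classifies image references found in manifest text, including the registry-port edge case; the registry host and the digest in the sample are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: image lines from sections 3.2 and 6.1 plus two edge cases (placeholder digest).
var sampleManifests = `
          image: myapp:latest
          image: myapp:v1.0
          image: registry.example.com:5000/team/myapp
          image: myapp:v1.0@sha256:` + strings.Repeat("ab", 32) + "\n"

var (
	imageRe  = regexp.MustCompile(`(?m)^\s*(?:-\s+)?image:\s*['"]?([^\s'"#]+)`)
	digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
)

// Classify returns "pinned" (digest), "floating" (:latest or no tag) or "mutable-tag" (any other tag).
func Classify(ref string) string {
	name, digest, _ := strings.Cut(ref, "@")
	if digestRe.MatchString(digest) {
		return "pinned"
	}
	// A colon separates a tag only when it follows the last slash; before that it is a registry port.
	tag := ""
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		tag = name[i+1:]
	}
	if tag == "" || tag == "latest" {
		return "floating"
	}
	return "mutable-tag"
}

// Audit maps every image reference found in the manifest text to its classification.
func Audit(manifests string) map[string]string {
	out := map[string]string{}
	for _, m := range imageRe.FindAllStringSubmatch(manifests, -1) {
		out[m[1]] = Classify(m[1])
	}
	return out
}

func main() {
	fmt.Println(Audit(sampleManifests))
}
```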

6.2 Canary Release

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-canary
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "10"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-canary
                port:
                  number: 80
```

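7. Summary

Kubernetes CI/CD and GitOps are best practices for modern application deployment:

  1. CI/CD pipeline: automates the build, test and deployment flow
  2. GitOps: Git as the single source of truth, with declarative configuration management
  3. Argo CD/Flux: dedicated GitOps tools that support automated synchronization
  4. Deployment strategies: blue-green deployment and canary release reduce risk
  5. Automated testing: ensures deployment quality

With these practices, you can achieve a reliable, repeatable automated deployment process.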
