| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400 |
- pipeline {
- agent any
- parameters {
- choice(name: 'env', choices: ['dev', 'test', 'prod'], description: '部署环境')
- string(name: 'NAMESPACE', defaultValue: 'portal-frontend', description: 'K8s 命名空间')
- string(name: 'DOMAIN', defaultValue: '', description: 'Ingress 域名(留空则不创建 Ingress)')
- string(name: 'TLS_SECRET', defaultValue: 'portal-tls', description: 'TLS Secret 名称(仅在 DOMAIN 非空时使用)')
- booleanParam(name: 'FORCE_UPDATE_CONFIG', defaultValue: false, description: '强制更新配置(包括 Deployment 和 Ingress)')
- }
- environment {
- PROJECT_NAME = 'portal-frontend'
- BUILD_DIR = 'dist'
- NODE_ENV = 'production'
- HARBOR_HOST = '8.130.28.21:81'
- KUBECONFIG_PATH = '/root/.kube/config'
- HARBOR_USER = 'admin'
- HARBOR_PASS = 'Hfln@1024'
- HARBOR_RETENTION_ID = '1'
- }
- stages {
- stage('🧬 初始化环境') {
- steps {
- script {
- env.HARBOR_PROJECT = params.env
- env.IMAGE_TAG = "${HARBOR_HOST}/${env.HARBOR_PROJECT}/${PROJECT_NAME}:${BUILD_NUMBER}"
- echo ">>> 环境:${params.env}, Harbor项目:${env.HARBOR_PROJECT}, K8s命名空间:${params.NAMESPACE}"
- if (params.DOMAIN?.trim()) {
- echo ">>> 域名:${params.DOMAIN}, TLS Secret:${params.TLS_SECRET}"
- echo ">>> 将使用 LoadBalancer 类型访问"
- } else {
- echo ">>> 未配置域名,将使用 NodePort 类型访问"
- }
- echo ">>> 强制更新配置:${params.FORCE_UPDATE_CONFIG}"
- }
- }
- }
- stage('📥 拉取代码') {
- steps {
- checkout scm
- echo "✅ 代码拉取成功"
- }
- }
- stage('🔐 配置 Ingress 控制器') {
- when {
- expression { params.DOMAIN?.trim() }
- }
- steps {
- script {
- sh """
- export KUBECONFIG=${KUBECONFIG_PATH}
- echo ">>> 配置 Ingress 控制器为 LoadBalancer 类型..."
- # 检查 Ingress 控制器 Service 类型
- INGRESS_SERVICE_TYPE=\$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o jsonpath='{.spec.type}')
- echo ">>> 当前 Ingress 控制器类型: \${INGRESS_SERVICE_TYPE}"
- if [ "\${INGRESS_SERVICE_TYPE}" != "LoadBalancer" ]; then
- echo ">>> 修改 Ingress 控制器为 LoadBalancer 类型..."
- kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{"spec":{"type":"LoadBalancer"}}'
- echo ">>> 等待 LoadBalancer 分配外部 IP..."
- kubectl wait --for=condition=Available --timeout=300s svc/ingress-nginx-controller -n ingress-nginx
- # 获取外部 IP
- EXTERNAL_IP=\$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- if [ -n "\${EXTERNAL_IP}" ]; then
- echo "✅ Ingress 控制器获得外部 IP: \${EXTERNAL_IP}"
- echo ">>> 请将域名 ${params.DOMAIN} 解析到: \${EXTERNAL_IP}"
- else
- echo "⚠️ LoadBalancer 尚未分配外部 IP,请稍后检查"
- fi
- else
- echo "✅ Ingress 控制器已经是 LoadBalancer 类型"
- EXTERNAL_IP=\$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- if [ -n "\${EXTERNAL_IP}" ]; then
- echo ">>> 当前外部 IP: \${EXTERNAL_IP}"
- fi
- fi
- """
- }
- }
- }
- stage('�� 验证 TLS Secret') {
- when {
- expression { params.DOMAIN?.trim() }
- }
- steps {
- script {
- sh """
- export KUBECONFIG=${KUBECONFIG_PATH}
- # 验证 TLS Secret 是否存在
- if ! kubectl get secret ${params.TLS_SECRET} -n ${params.NAMESPACE} >/dev/null 2>&1; then
- echo "❌ TLS Secret '${params.TLS_SECRET}' 在命名空间 '${params.NAMESPACE}' 中不存在!"
- echo "请先创建 TLS Secret:"
- echo "kubectl create secret tls ${params.TLS_SECRET} --cert=fullchain.pem --key=privkey.pem -n ${params.NAMESPACE}"
- exit 1
- fi
- echo "✅ TLS Secret '${params.TLS_SECRET}' 验证成功"
- """
- }
- }
- }
- stage('🔧 构建 Docker 镜像') {
- steps {
- script {
- sh """
- docker login -u ${HARBOR_USER} -p ${HARBOR_PASS} ${HARBOR_HOST}
- docker build --build-arg ENV=${params.env} -t ${IMAGE_TAG} .
- """
- echo "✅ 镜像构建成功:${IMAGE_TAG}"
- }
- }
- }
- stage('🚀 推送镜像到 Harbor') {
- steps {
- script {
- sh """
- docker push ${IMAGE_TAG}
- docker rmi ${IMAGE_TAG}
- """
- echo "✅ 镜像推送并本地清理完成"
- }
- }
- }
- stage(' Kubernetes 部署') {
- steps {
- script {
- def domain = params.DOMAIN?.trim()
- sh """
- export KUBECONFIG=${KUBECONFIG_PATH}
- # 确保命名空间存在
- kubectl get ns ${params.NAMESPACE} >/dev/null 2>&1 || kubectl create ns ${params.NAMESPACE}
- # 如果强制更新配置或 Deployment 不存在,则重新创建
- if [ "${params.FORCE_UPDATE_CONFIG}" = "true" ] || ! kubectl get deployment ${PROJECT_NAME} -n ${params.NAMESPACE} >/dev/null 2>&1; then
- if [ "${params.FORCE_UPDATE_CONFIG}" = "true" ]; then
- echo ">>> 强制更新配置,删除现有资源..."
- kubectl delete deployment ${PROJECT_NAME} -n ${params.NAMESPACE} --ignore-not-found=true
- kubectl delete svc ${PROJECT_NAME} -n ${params.NAMESPACE} --ignore-not-found=true
- kubectl delete svc ${PROJECT_NAME}-nodeport -n ${params.NAMESPACE} --ignore-not-found=true
- kubectl delete ingress ${PROJECT_NAME}-ingress -n ${params.NAMESPACE} --ignore-not-found=true
- fi
- echo ">>> 创建 Deployment..."
- kubectl apply -n ${params.NAMESPACE} -f - <<EOF
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: ${PROJECT_NAME}
- spec:
- replicas: 2
- selector:
- matchLabels:
- app: ${PROJECT_NAME}
- template:
- metadata:
- labels:
- app: ${PROJECT_NAME}
- spec:
- containers:
- - name: ${PROJECT_NAME}
- image: ${IMAGE_TAG}
- ports:
- - containerPort: 80
- resources:
- requests:
- memory: "128Mi"
- cpu: "100m"
- limits:
- memory: "256Mi"
- cpu: "200m"
- livenessProbe:
- httpGet:
- path: /
- port: 80
- initialDelaySeconds: 30
- periodSeconds: 10
- readinessProbe:
- httpGet:
- path: /
- port: 80
- initialDelaySeconds: 5
- periodSeconds: 5
- EOF
- # 根据是否配置域名创建不同的 Service
- if [ -n "${domain}" ]; then
- echo ">>> 创建 ClusterIP Service(用于 Ingress)..."
- kubectl apply -n ${params.NAMESPACE} -f - <<EOF
- apiVersion: v1
- kind: Service
- metadata:
- name: ${PROJECT_NAME}
- spec:
- type: ClusterIP
- selector:
- app: ${PROJECT_NAME}
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- EOF
- else
- echo ">>> 创建 NodePort Service(用于直接访问)..."
- kubectl apply -n ${params.NAMESPACE} -f - <<EOF
- apiVersion: v1
- kind: Service
- metadata:
- name: ${PROJECT_NAME}-nodeport
- spec:
- type: NodePort
- selector:
- app: ${PROJECT_NAME}
- ports:
- - port: 80
- targetPort: 80
- nodePort: 30085
- protocol: TCP
- EOF
- fi
- # 创建 Ingress(如果提供了域名)
- if [ -n "${domain}" ]; then
- echo ">>> 创建 Ingress..."
- kubectl apply -n ${params.NAMESPACE} -f - <<EOF
- apiVersion: networking.k8s.io/v1
- kind: Ingress
- metadata:
- name: ${PROJECT_NAME}-ingress
- annotations:
- kubernetes.io/ingress.class: nginx
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
- nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
- nginx.ingress.kubernetes.io/ssl-passthrough: "false"
- nginx.ingress.kubernetes.io/proxy-body-size: "8m"
- nginx.ingress.kubernetes.io/rewrite-target: /
- nginx.ingress.kubernetes.io/ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
- nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.2 TLSv1.3"
- spec:
- tls:
- - hosts:
- - ${domain}
- secretName: ${params.TLS_SECRET}
- rules:
- - host: ${domain}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: ${PROJECT_NAME}
- port:
- number: 80
- EOF
- fi
- else
- # 只更新镜像
- echo ">>> Deployment 已存在,仅更新镜像..."
- kubectl set image deployment/${PROJECT_NAME} ${PROJECT_NAME}=${IMAGE_TAG} -n ${params.NAMESPACE}
- echo "✅ 镜像更新完成,Kubernetes 将自动处理滚动更新"
- fi
- # 等待 Deployment 就绪
- # echo ">>> 等待 Deployment 就绪..."
- # kubectl wait --for=condition=available --timeout=300s deployment/${PROJECT_NAME} -n ${params.NAMESPACE}
- # 显示部署状态
- echo ">>> 部署状态:"
- kubectl get all -n ${params.NAMESPACE}
- kubectl get ingress -n ${params.NAMESPACE} || echo ">>> 未配置 Ingress"
- # 根据配置显示访问信息
- if [ -n "${domain}" ]; then
- echo "✅ 应用部署完成!"
- echo "🌐 访问地址:https://${domain}"
- echo " 注意:请确保域名 ${domain} 已正确解析到 Ingress 控制器的外部 IP"
- else
- echo "✅ 应用部署完成!"
- echo "🌐 访问地址:"
- echo " HTTP: http://47.121.135.46:30085"
- echo " HTTPS: https://47.121.135.46:30085"
- echo " 注意:使用 NodePort 方式访问,端口为 30085"
- fi
- """
- }
- }
- }
- stage('🔍 部署验证') {
- steps {
- script {
- def domain = params.DOMAIN?.trim()
- sh """
- export KUBECONFIG=${KUBECONFIG_PATH}
- echo ">>> 验证部署状态..."
- # 检查 Pod 状态
- kubectl get pods -n ${params.NAMESPACE} -l app=${PROJECT_NAME}
- # 检查 Service 状态
- if [ -n "${domain}" ]; then
- kubectl get svc -n ${params.NAMESPACE} ${PROJECT_NAME}
- kubectl get ingress -n ${params.NAMESPACE} ${PROJECT_NAME}-ingress
- kubectl get secret -n ${params.NAMESPACE} ${params.TLS_SECRET}
- else
- kubectl get svc -n ${params.NAMESPACE} ${PROJECT_NAME}-nodeport
- fi
- # 检查 Ingress 控制器状态(如果配置了域名)
- if [ -n "${domain}" ]; then
- echo ">>> Ingress 控制器状态:"
- kubectl get svc ingress-nginx-controller -n ingress-nginx
- fi
- echo "✅ 部署验证完成"
- """
- }
- }
- }
- stage('🧹 清理本地旧镜像(保留最新3个)') {
- steps {
- script {
- def baseImage = "${HARBOR_HOST}/${env.HARBOR_PROJECT}/${PROJECT_NAME}"
- sh """
- docker images ${baseImage} --format "{{.Repository}}:{{.Tag}}" \\
- | grep -v latest \\
- | sort -r -t ':' -k2 \\
- | tail -n +4 \\
- | xargs -r docker rmi || true
- """
- echo "✅ 本地旧镜像清理完成"
- }
- }
- }
- stage(' 清理悬空镜像 <none>') {
- steps {
- script {
- sh """
- docker images -f "dangling=true" -q | xargs -r docker rmi || true
- """
- echo "✅ 悬空镜像(<none>)清理完成"
- }
- }
- }
- stage(' 触发 Harbor 镜像保留策略') {
- steps {
- script {
- sh """
- curl -u ${HARBOR_USER}:${HARBOR_PASS} -X POST \\
- "http://${HARBOR_HOST}/api/v2.0/retentions/${HARBOR_RETENTION_ID}/executions"
- """
- echo "✅ Harbor 镜像保留策略已触发"
- }
- }
- }
- }
- post {
- success {
- echo "✅ 构建 & 部署成功!"
- script {
- if (params.DOMAIN?.trim()) {
- echo "🌐 应用可通过 https://${params.DOMAIN} 访问"
- echo " 请确保域名已解析到 Ingress 控制器的外部 IP"
- } else {
- echo "🌐 应用可通过以下地址访问:"
- echo " HTTP: http://47.121.135.46:30085"
- echo " HTTPS: https://47.121.135.46:30085"
- }
- }
- }
- failure {
- echo "❌ 构建或部署失败,请检查日志"
- }
- always {
- cleanWs()
- }
- }
- }
|
