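Jenkins Deployment Manual (Helm Version)
Jenkins on Kubernetes Helm Deployment Guide
Overview
This document describes how to use Helm to deploy a production-ready Jenkins instance in a Kubernetes cluster.
Prerequisites
- Kubernetes cluster (v1.19+)
- Helm 3.x
- Ingress controller (such as Nginx Ingress)
- Persistent storage (StorageClass)
Deployment Steps
1. Add the Jenkins Helm repository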
helm repo add jenkinsci https://charts.jenkins.io
helm repo update
2. Create the namespace
kubectl create namespace jenkins
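3. Create the admin password Secret
# jenkins-admin-secret.yaml
# Sample values. Base64 is an encoding, not encryption: replace the password with your own
# and keep this file out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: jenkins-admin-secret
  namespace: jenkins # Must be the same namespace Jenkins is installed in
type: Opaque
data:
  admin-user: YWRtaW4= # Base64 encoding of "admin"
  admin-password: amVua2luczEyMzQ1 # Base64 encoding of "jenkins12345"
Apply the configuration: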
kubectl apply -f jenkins-admin-secret.yaml
4. Customize the values configuration
Create a jenkins-values.yaml file with the following content:
# jenkins-values.yaml (Production-Ready)
## 1. Controller (Jenkins master) configuration
controller:
  componentName: "jenkins-controller"
  # Use a stable LTS version tag rather than latest
  image:
    registry: "swr.cn-north-4.myhuaweicloud.com"
    repository: "ddn-k8s/docker.io/jenkins/jenkins"
    tag: "2.516.3-lts-jdk21" # ✅ Make sure this tag exists
    pullPolicy: "IfNotPresent" # IfNotPresent is recommended for production
  # Resource limits: adjust to the size of the cluster
  resources:
    requests:
      cpu: "200m"
      memory: "512Mi"
    limits:
      cpu: "2000m"
      memory: "4Gi"
  # The admin password must be set! Read it from a K8s Secret, never in plain text.
  admin:
    existingSecret: "jenkins-admin-secret" # Secret created beforehand that holds the username and password
    userKey: "admin-user"
    passwordKey: "admin-password"
  # Enable health checks
  healthProbes: true
  probes:
    # ✅ Added: startup probe, so that a slow start is not killed
    startupProbe:
      failureThreshold: 30 # Allow up to 5 minutes of startup time
      periodSeconds: 10
      httpGet:
        path: /login
        port: http
    livenessProbe:
      failureThreshold: 5
      periodSeconds: 10
    readinessProbe:
      failureThreshold: 3
      periodSeconds: 5
  # Core plugins to install
  installPlugins:
    - kubernetes:4384.v1b_6367f393d9
    - workflow-aggregator:608.v67378e9d3db_1
    - git:5.8.0
    - configuration-as-code:1998.v3e50e6e9d9d3
  # ✅ Important: allow the latest versions to be installed to satisfy dependencies between plugins
  installLatestPlugins: true
  # JCasC (Configuration as Code)
  JCasC:
    defaultConfig: true
    overwriteConfiguration: true
  sidecars:
    # The chart reads the reload sidecar settings from sidecars.configAutoReload
    configAutoReload:
      enabled: true
      image:
        # -- Registry for the image that triggers the reload
        registry: swr.cn-north-4.myhuaweicloud.com
        # -- Repository of the image that triggers the reload
        repository: ddn-k8s/docker.io/kiwigrid/k8s-sidecar
        # -- Tag for the image that triggers the reload
        tag: 1.30.7
      imagePullPolicy: IfNotPresent
      resources:
        requests:
          cpu: "50m"
          memory: "64Mi"
        limits:
          cpu: "100m"
          memory: "128Mi"
  # Expose the service through an Ingress
  ingress:
    enabled: true
    apiVersion: "networking.k8s.io/v1" # Use the newer API version
    annotations:
      kubernetes.io/ingress.class: "nginx"
    ingressClassName: nginx
    hostName: "jenkins.your_domain.com" # Change to your domain
# Persistent storage configuration
persistence:
  enabled: true
  storageClass: "nfs-sc" # ✅ Strongly recommended: replace with a high-performance SSD storage class
  accessMode: ReadWriteOnce
  size: 20Gi # Adjust the size as needed
## 2. Agent (build agent) configuration
agent:
  enabled: true
  image:
    registry: "swr.cn-north-4.myhuaweicloud.com" # Registry domain only
    repository: "ddn-k8s/docker.io/jenkins/inbound-agent" # Organization/namespace/image path
    tag: "3327.v868139a_d00e0-6"
  resources:
    requests:
      cpu: "200m"
      memory: "512Mi"
    limits:
      cpu: "1000m"
      memory: "2Gi"
  # Add a commonly used Pod template (for example, for Maven builds)
  podTemplates:
    maven: |
      - name: maven
        label: maven
        containers:
          - name: maven
            image: maven:3.9.6-eclipse-temurin-17
            command: "cat"
            ttyEnabled: true
            resourceRequestCpu: "1000m"
            resourceRequestMemory: "2Gi"
            resourceLimitCpu: "2000m"
            resourceLimitMemory: "4Gi"
## 3. RBAC and service account configuration
rbac:
  create: true # Create the required RBAC roles
serviceAccount:
  create: true
  name: "jenkins" # Set an explicit name
  annotations: {}
helmtest:
  # A testing framework for bash
  bats:
    # Bash Automated Testing System (BATS)
    image:
      # -- Registry of the image used to test the framework
      registry: "swr.cn-north-4.myhuaweicloud.com"
      # -- Repository of the image used to test the framework
      repository: "ddn-k8s/docker.io/bats/bats"
      # -- Tag of the image to test the framework
      tag: "1.12.0"
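5. Install Jenkins
# The chart reference uses the repository name added in step 1 (jenkinsci)
helm upgrade --install jenkins jenkinsci/jenkins \
  --namespace jenkins \
  --create-namespace \
  --values jenkins-values.yaml \
  --version 5.8.99
6. Access Jenkins
Open the configured domain in a browser: https://jenkins.your_domain.com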
7.0 CI/CD (TFS example)
7.1 Build the TEE image
Before deploying, it is advisable to build in advance a Jenkins agent image that contains the TEE CLI (Team Explorer Everywhere), used to pull code from Azure DevOps Server / TFS.
Build a custom TEE agent image (Dockerfile example)
# Create the file Dockerfile.tee-agent
# Use Ubuntu 22.04 as the base image
FROM ubuntu:22.04
# Avoid interactive installation prompts
ENV DEBIAN_FRONTEND=noninteractive
# Install base dependencies
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        openjdk-11-jre-headless \
        wget \
        unzip \
        ca-certificates \
        git \
        curl \
        jq && \
    rm -rf /var/lib/apt/lists/*
# Set the TF CLI version
ENV TF_VERSION=14.135.0
ENV TF_HOME=/opt/tf
# Download and install TEE (fixes the space in the URL and the v prefix)
RUN mkdir -p ${TF_HOME} && \
    wget -q "https://github.com/microsoft/team-explorer-everywhere/releases/download/${TF_VERSION}/TEE-CLC-${TF_VERSION}.zip" -O /tmp/tee.zip && \
    unzip /tmp/tee.zip -d ${TF_HOME} && \
    rm /tmp/tee.zip
# Find the tf executable and make it executable, then verify the installation
# using the correct version check
RUN find ${TF_HOME}/TEE-CLC-${TF_VERSION} -name "tf" -type f -exec chmod +x {} \; && \
    echo "验证 TEE-CLC 安装:" && \
    ${TF_HOME}/TEE-CLC-${TF_VERSION}/tf | head -2
# Point PATH at the directory that actually contains tf
ENV PATH="${TF_HOME}/TEE-CLC-${TF_VERSION}:${PATH}"
# Set the default encoding
ENV LANG=C.UTF-8
# Create the working directory
WORKDIR /workspace
# Create a non-root user and give it ownership of all required directories
RUN groupadd -r tfuser && \
    useradd -r -g tfuser -d /workspace tfuser && \
    chown -R tfuser:tfuser /workspace ${TF_HOME}
USER tfuser
# Keep the container running for Jenkins
CMD ["sleep", "infinity"]
Build and push the image (example)
docker build -t your-registry/your-namespace/jenkins-agent-tee:14.135.0 -f Dockerfile.tee-agent .
docker push your-registry/your-namespace/jenkins-agent-tee:14.135.0
7.2 Adjust podTemplates
# === Key: define a dedicated Pipeline Pod Template (under agent: in jenkins-values.yaml) ===
podTemplates:
  tfs-dotnet-pipeline: |
    - name: tfs-dotnet-pipeline
      label: tfs-dotnet-pipeline
      serviceAccount: jenkins
      volumes:
        - emptyDirVolume:
            mountPath: "/cache"
            memory: false
        - secretVolume:
            mountPath: "/kaniko/.docker"
            secretName: docker-registry-secret # A Secret must be created so the Kaniko pod can push images to the image registry (Harbor, etc.)
      containers:
        # ───────────────────────────────
        # Step 1: pull the TFS code (using the self-built tf image)
        # ───────────────────────────────
        - name: tfs
          image: your-registry/your-namespace/jenkins-agent-tee:14.135.0 # ← Replace with your actual image path
          command: "sleep"
          args: "infinity"
          ttyEnabled: true
          resourceRequestCpu: "200m"
          resourceRequestMemory: "128Mi"
          resourceLimitCpu: "500m"
          resourceLimitMemory: "4Gi"
        # ───────────────────────────────
        # Step 2: build and push the Docker image (Kaniko)
        # ───────────────────────────────
        - name: kaniko
          image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/gcr.io/kaniko-project/executor:v1.23.2-debug
          command: "sleep"
          args: "infinity"
          ttyEnabled: true
          resourceRequestCpu: "200m"
          resourceRequestMemory: "128Mi"
          resourceLimitCpu: "500m"
          resourceLimitMemory: "4Gi"
        # ───────────────────────────────
        # Step 3: deploy to Kubernetes
        # ───────────────────────────────
        - name: kubectl
          image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/gcr.io/cloud-builders/kubectl:latest
          command: "sleep"
          args: "infinity"
          ttyEnabled: true
          resourceRequestCpu: "200m"
          resourceRequestMemory: "128Mi"
          resourceLimitCpu: "500m"
          resourceLimitMemory: "4Gi"
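
The values file in step 4 advises a stable version tag rather than latest. The following added example (not part of the original post) checks the single-string image: entries of a podTemplates fragment against that advice and goes one step further by distinguishing tag pinning from digest pinning. The sample text and the registry.example.internal names are constructed; nested registry/repository/tag entries are out of scope.

```python
import re

# Constructed sample in the style of this page's podTemplates; the registry
# and image names are placeholders, not values from the page.
SAMPLE = """\
containers:
  - name: build
    image: maven:3.9.6-eclipse-temurin-17
  - name: deploy
    image: registry.example.internal/tools/kubectl:latest
  - name: broken
    image: "registry.example.internal/team/agent:1.0:latest"  # two tags
  - name: local
    image: localhost:5000/team/agent
  - name: pinned
    image: registry.example.internal/tools/executor@sha256:{d}
""".format(d="ab" * 32)

IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?([^\s"'#]+)""")
TAG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")

def classify(ref):
    """Return 'digest', 'tag-only', 'mutable-tag' or 'invalid' for an image reference."""
    name, at, digest = ref.partition("@")
    if at and not DIGEST.fullmatch(digest):
        return "invalid"
    # Only the last path component can carry a tag; an earlier colon is a registry port.
    last = name.rsplit("/", 1)[-1]
    repo, colon, tag = last.partition(":")
    if not repo or (colon and not TAG.fullmatch(tag)):
        return "invalid"          # empty name, or a tag such as "1.0:latest"
    if at:
        return "digest"           # content-addressed: the bytes cannot change
    if not colon or tag == "latest":
        return "mutable-tag"      # no tag means the runtime pulls "latest"
    return "tag-only"             # fixed name, but the registry can still repoint it

def scan(text):
    """Yield (line_number, reference, verdict) for every single-string image: entry."""
    for number, line in enumerate(text.splitlines(), start=1):
        match = IMAGE_LINE.match(line)
        if match:
            yield number, match.group(1), classify(match.group(1))

if __name__ == "__main__":
    for number, ref, verdict in scan(SAMPLE):
        if verdict != "digest":
            print(f"line {number}: {verdict}: {ref}")
```

Run it against the podTemplates text before helm upgrade; anything reported as invalid will fail to pull, and mutable-tag entries can change between two builds of the same pipeline.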
