# GitLab CI: DevOps Platform
## Introduction to GitLab CI

GitLab CI/CD is the continuous integration and delivery tool built into GitLab. It covers the whole DevOps path from source management through build, test and security scanning to deployment.
## Basic configuration

### .gitlab-ci.yml basics

```yaml
# .gitlab-ci.yml
stages:
  - build
  - test
  - deploy

variables:
  DOCKER_IMAGE: registry.example.com/myapp

build:
  stage: build
  image: node:18
  script:
    - npm ci
    - npm run build
  artifacts:
    paths:
      - dist/
    expire_in: 1 hour

test:
  stage: test
  image: node:18
  script:
    - npm ci
    - npm test
  # Regex applied to the job log to extract the coverage percentage
  coverage: '/Lines\s*:\s*(\d+\.?\d*)%/'

deploy:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl apply -f k8s/
  only:
    - main
  when: manual   # production deploy requires a click in the UI
```
## Runner configuration

### Installing a Runner

```bash
# Linux install
curl -L --output /usr/local/bin/gitlab-runner \
  https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64
chmod +x /usr/local/bin/gitlab-runner

# Register the Runner
# Note: registration tokens (--registration-token) are deprecated since
# GitLab 16.0; newer setups create the runner in the UI/API and register it
# with the runner authentication token via --token.
gitlab-runner register \
  --non-interactive \
  --url "https://gitlab.example.com/" \
  --registration-token "PROJECT_TOKEN" \
  --executor "docker" \
  --docker-image "alpine:latest" \
  --description "docker-runner" \
  --tag-list "docker,linux" \
  --run-untagged="true"
```
### Runner configuration file

```toml
# /etc/gitlab-runner/config.toml
concurrent = 4
check_interval = 0

[[runners]]
  name = "docker-runner"
  url = "https://gitlab.example.com/"
  token = "TOKEN"
  executor = "docker"
  [runners.docker]
    tls_verify = false            # TLS to the Docker daemon; enable for a remote daemon
    image = "alpine:latest"
    privileged = false            # keep false: privileged jobs can take over the host
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
    # Extra service containers are declared as [[runners.docker.services]]
    # blocks, each with a name = "..." entry.
```
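A small audit of the settings in this file that widen what a CI job can do on the runner host, as an added example (not from the notes or from GitLab). It uses a line-based reader for the flat `key = value` layout above rather than a full TOML parser, and the sample config is constructed with two risky settings mixed in.

```python
import re

# Constructed sample mirroring the config.toml above, with two risky
# settings mixed in: privileged mode and a host Docker socket mount.
SAMPLE_CONFIG = """
concurrent = 4
[[runners]]
  name = "docker-runner"
  url = "https://gitlab.example.com/"
  token = "TOKEN"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "alpine:latest"
    privileged = true
    volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]
"""

KEY_VALUE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.+?)$")


def parse_flat_toml(text):
    """Return {section: {key: raw_value}} for the key = value subset used here."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = line.strip("[]")        # "[[runners]]" -> "runners"
            sections.setdefault(current, {})
            continue
        match = KEY_VALUE.match(line)
        if match:
            sections.setdefault(current, {})[match.group(1)] = match.group(2)
    return sections


def audit_runner_config(text):
    """Return a list of findings for settings that widen what a CI job can do."""
    cfg = parse_flat_toml(text)
    docker = cfg.get("runners.docker", {})
    findings = []
    if docker.get("privileged") == "true":
        findings.append("privileged = true: a job container can take over the runner host")
    if "docker.sock" in docker.get("volumes", ""):
        findings.append("host Docker socket mounted: equivalent to root on the host")
    if docker.get("tls_verify") == "false":
        findings.append("tls_verify = false: fine for a local socket, not for a remote daemon")
    return findings
```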
## Advanced configuration

### Multi-stage pipeline

```yaml
# Stage order matters: the image is built and pushed in 'package', so the
# stages that scan or deploy it must come after it.
stages:
  - build
  - test
  - package
  - security
  - deploy-staging
  - integration-test
  - deploy-production

# The SAST template defines its own 'sast' job. 'include' is a top-level
# keyword, not a job keyword; the job's stage is overridden below.
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  IMAGE: registry.example.com/myapp

build:
  stage: build
  image: node:18
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - node_modules/
  script:
    - npm ci --cache .npm
    - npm run build

test:unit:
  stage: test
  image: node:18
  script:
    - npm ci
    - npm run test:unit
  coverage: '/Lines\s*:\s*(\d+\.?\d*)%/'
  artifacts:
    reports:
      junit: junit.xml
      coverage_report:
        coverage_format: cobertura
        path: coverage/cobertura-coverage.xml

test:integration:
  stage: test
  image: node:18            # required: the script runs npm
  services:
    - postgres:14
    - redis:7
  variables:
    POSTGRES_DB: test_db
    POSTGRES_USER: test
    POSTGRES_PASSWORD: test
  script:
    - npm ci
    - npm run test:integration

package:
  stage: package
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker build -t $IMAGE:${CI_COMMIT_SHA} .
    - docker push $IMAGE:${CI_COMMIT_SHA}

sast:
  stage: security           # move the template's job into the security stage

container_scanning:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    # Fail the pipeline on HIGH findings in the image pushed by 'package'
    - trivy image --exit-code 1 --severity HIGH $IMAGE:${CI_COMMIT_SHA}

deploy:staging:
  stage: deploy-staging
  image: bitnami/kubectl:latest
  script:
    - kubectl set image deployment/myapp myapp=$IMAGE:${CI_COMMIT_SHA} -n staging
    - kubectl rollout status deployment/myapp -n staging
  environment:
    name: staging
  only:
    - main

integration:test:
  stage: integration-test
  image: curlimages/curl:latest
  script:
    - |
      for i in 1 2 3; do
        if curl -sf http://staging.myapp.com/health; then
          exit 0
        fi
        sleep 10
      done
      exit 1

deploy:production:
  stage: deploy-production
  image: bitnami/kubectl:latest
  script:
    - kubectl set image deployment/myapp myapp=$IMAGE:${CI_COMMIT_SHA} -n production
  environment:
    name: production
  when: manual
  only:
    - main
```
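A lint pass for the two mistakes that are easy to make in a pipeline like this one: a job with no `script` (for example one that carries `include`), and a job that scans or deploys the image in a stage that runs before the stage that pushes it. Added example, not from the notes; the pipeline is given as a constructed, already-parsed dict so no YAML library is needed.

```python
import re

IMAGE_REF = r"\$IMAGE:\$\{CI_COMMIT_SHA\}"
PUSHES_IMAGE = re.compile(r"docker push " + IMAGE_REF)
USES_IMAGE = re.compile(IMAGE_REF)
GLOBAL_KEYS = {"stages", "variables", "include", "default", "workflow"}

# Constructed dict standing in for a parsed .gitlab-ci.yml; it reproduces
# the ordering mistake where 'security' runs before 'package'.
PIPELINE = {
    "stages": ["build", "test", "security", "package", "deploy-staging"],
    "build": {"stage": "build", "script": ["npm ci", "npm run build"]},
    "sast": {"stage": "security",
             "include": [{"template": "Security/SAST.gitlab-ci.yml"}]},
    "container_scanning": {"stage": "security", "script": [
        "trivy image --exit-code 1 --severity HIGH $IMAGE:${CI_COMMIT_SHA}"]},
    "package": {"stage": "package", "script": [
        "docker build -t $IMAGE:${CI_COMMIT_SHA} .",
        "docker push $IMAGE:${CI_COMMIT_SHA}"]},
    "deploy:staging": {"stage": "deploy-staging", "script": [
        "kubectl set image deployment/myapp myapp=$IMAGE:${CI_COMMIT_SHA} -n staging"]},
}


def lint_pipeline(pipeline):
    """Return problems found: jobs without a script, undeclared stages, and
    jobs that use the image in a stage no later than the one that pushes it."""
    order = {stage: i for i, stage in enumerate(pipeline["stages"])}
    jobs = {name: job for name, job in pipeline.items()
            if name not in GLOBAL_KEYS and not name.startswith(".")}
    problems, push_stage = [], None
    for name, job in jobs.items():
        script = job.get("script", [])
        if not script:
            problems.append(f"{name}: no script ('include' is not a job keyword)")
        if job.get("stage") not in order:
            problems.append(f"{name}: stage {job.get('stage')!r} is not declared")
        elif any(PUSHES_IMAGE.search(line) for line in script):
            push_stage = order[job["stage"]]
    for name, job in jobs.items():
        script = job.get("script", [])
        consumes = any(USES_IMAGE.search(line) for line in script)
        produces = any(PUSHES_IMAGE.search(line) for line in script)
        if consumes and not produces and (
                push_stage is None or order.get(job.get("stage"), -1) <= push_stage):
            problems.append(f"{name}: uses the image before any stage pushes it")
    return problems
```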
### Environments and deployments

```yaml
# Review app per branch, torn down by the paired stop job
review:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl create namespace review-${CI_COMMIT_REF_SLUG} || true
    - kubectl set image deployment/myapp myapp=$IMAGE:${CI_COMMIT_SHA} -n review-${CI_COMMIT_REF_SLUG}
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://review-$CI_COMMIT_REF_SLUG.myapp.com
    on_stop: stop_review
  only:
    - branches

stop_review:
  stage: deploy
  image: bitnami/kubectl:latest
  variables:
    GIT_STRATEGY: none   # the branch may already be deleted when this runs
  script:
    - kubectl delete namespace review-${CI_COMMIT_REF_SLUG} || true
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  when: manual
  only:
    - branches
```
### Cache and artifacts

```yaml
# Cache: keyed on the lockfile, so it is rebuilt only when dependencies change
cache:
  key:
    files:
      - package-lock.json
  paths:
    - node_modules/
    - .npm/
  policy: pull-push

# Artifacts: passed to later stages and shown as reports in the merge request
artifacts:
  paths:
    - dist/
    - build/
  expire_in: 1 week
  reports:
    junit:
      - test-results/junit.xml
    coverage_report:
      coverage_format: cobertura
      path: coverage/cobertura-coverage.xml
```
## Practice: a complete DevOps flow

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

stages:
  - build
  - test
  - security
  - package
  - deploy

variables:
  IMAGE: registry.example.com/${CI_PROJECT_PATH}

# Shared Docker setup; the login uses the job's registry credentials
.build_template: &build_template
  image: docker:latest
  services:
    - docker:dind
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

build:
  <<: *build_template
  stage: build
  script:
    - docker build --cache-from $IMAGE:latest -t $IMAGE:${CI_COMMIT_SHA} .
    - docker tag $IMAGE:${CI_COMMIT_SHA} $IMAGE:latest
    - docker push $IMAGE:${CI_COMMIT_SHA}
    # Note: with merge_requests below, 'latest' is overwritten by unreviewed
    # code; restrict the latest tag to main if that matters.
    - docker push $IMAGE:latest
  only:
    - main
    - merge_requests

# Deploy jobs need kubectl, not the Docker image/dind of the build template
deploy:staging:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl set image deployment/myapp myapp=$IMAGE:${CI_COMMIT_SHA} -n staging
  environment:
    name: staging
  only:
    - main

deploy:production:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl set image deployment/myapp myapp=$IMAGE:${CI_COMMIT_SHA} -n production
  environment:
    name: production
  when: manual
  only:
    - main
```
## Common commands

```bash
# Run a job locally (note: 'gitlab-runner exec' was removed in GitLab Runner 17.0)
gitlab-runner exec docker test

# Show Runner status
gitlab-runner status

# List registered Runners
gitlab-runner list

# Run the Runner in the foreground with debug logging
gitlab-runner --debug run
```
## Summary

GitLab CI/CD provides a complete path from code to deployment. With a grasp of pipeline configuration, Runner management and the advanced features above, you can build an efficient DevOps workflow.