Azure DevOps构建CICD流水线

环境准备

Azure资源

• Azure AKS
• Azure CR
• Azure DevOps

代码准备

.NET Core示例

Dockerfile

#See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 80

#ENV ConnectionStrings:Default=""
#ENV ConnectionStrings:Log=""

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src

COPY . .

#RUN dotnet restore

#RUN dotnet build MyProject.API.csproj -c Release -o /app


FROM build AS publish
RUN dotnet publish MyProject.API.csproj -c Release -o /app/publish
COPY MyProject.API.xml /app/publish/MyProject.API.xml
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .

ENTRYPOINT ["dotnet", "MyProject.API.dll"]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

deploy.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
	name: awesome-api
spec:
	replicas: 1
	selector:
		matchLabels:
			app: awesome-api
	template:
		metadata:
			labels:
				app: awesome-api
		spec:
			nodeSelector:
				"kubernetes.io/os": linux
			containers:
			- name: awesome-api
				image: dataplatformacr.azurecr.cn/awesomeapi:latest
				env:
				- name: ALLOW_EMPTY_PASSWORD
					value: "yes"

---
apiVersion: v1
kind: Service
metadata:
	name: awesome-api
spec:
	ports:
	- port: 80
	type: LoadBalancer
	selector:
		app: awesome-api
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

Java示例

Dockerfile

FROM java:8
EXPOSE 8080

VOLUME /tmp
ADD target/*.jar  /app.jar
RUN bash -c 'touch /app.jar'
ENTRYPOINT ["java","-jar","-Xms128m","-Xmx300m","/app.jar","--spring.profiles.active=prod"]

1
2
3
4
5
6
7
8

deploy.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: awesomemall-gateway
  namespace: awesomemall
  labels:
    app: awesomemall-gateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: awesomemall-gateway
  template:
    metadata:
      labels:
        app: awesomemall-gateway
    spec:
      containers:
        - name: awesomemall-gateway
          image: $REGISTRY/$DOCKERHUB_NAMESPACE/$PROJECT_NAME:latest
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 8080
              protocol: TCP
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      restartPolicy: Always

---
kind: Service
apiVersion: v1
metadata:
  name: awesomemall-gateway
  namespace: awesomemall
  labels:
    app: awesomemall-gateway
spec:
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
  selector:
    app: awesomemall-gateway
  type: NodePort
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

构建CICD流水线

应用授权

注册Azure AD应用

• 打开Azure portal，导航到Azure AD
  

• 选择应用注册，点击新注册
  

• 输入应用名称，点击注册
  

• 创建客户端密码
  

分配应用订阅的参与者角色

• 导航到订阅，选择Access control(IAM)，点击添加按钮，添加角色分配，将此应用分配为订阅的参与者权限
  

配置Service Connection

配置gitee的链接服务

• 导航到Project Settings页面，选择Service Connection选项卡，点击New Service Connection按钮，创建连接服务
  

配置AKS的链接服务

• 点击创建链接服务，选择Azure Resource Manager
  

• 选择Service principal (manual)
  

• 选择Azure Cloud China，输入必要信息
  

• 验证并保存。

创建Pipeline

选择模板

• 导航到Pipeline，点击New Pipeline
  

• 选择手动编辑器方式创建Pipeline，不使用yaml方式

选择代码仓库

• 如果是Azure代码仓库
  

• 如果是gitee代码仓库
  

选择Agent

• 保存默认即可。

构建镜像

• 使用Docker作业来构建一个服务镜像

推送镜像

• 将构建出来的镜像推送到Azure镜像仓库

临时禁用IP地址范围限制

• 临时禁用IP Range限制。

• shell脚本

# Get authorized ip ranges allowed to access API server of AKS cluster
current_authorized_ip=`az aks show -n $(aks.clusterName) -g $(aks.resourceGroupName) --query [apiServerAccessProfile.authorizedIpRanges] -o table|sed -n '3,1p' |sed 's/\s\+/,/g'`
echo ${current_authorized_ip}

# Get self public IP
# self_ip=$(curl ifconfig.co)
# echo "Self public IP address: $self_ip"

# Set current authorized ips as output variable
echo "##vso[task.setvariable variable=authorized_ip;isOutput=true]${current_authorized_ip}"

# Temperarily disable authorized IP ranges
arrIPs=(${current_authorized_ip//,/ })
if [ ${#arrIPs[@]} -gt 0 ];then
echo "Temperarily disable authorized IP ranges..."
az aks update -n $(aks.clusterName) -g $(aks.resourceGroupName) --api-server-authorized-ip-ranges ""
else
echo "Authorized IP is already disabled, skip temperary disable"
fi

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

部署服务

• 更新部署服务。

• Command Arguments

image deploy $(deploymentName) *=xxxazurecr.cn/$(imageNameWithTag)
1

启用IP地址范围限制

• 启用IP Range限制。

• shell 脚本

original_authorized_ip=$(aks.authorized_ip)
echo Original Authorized IP ranges: ${original_authorized_ip}

# Recover authorized IP ranges if need
arrIPs=(${original_authorized_ip//,/ })
if [ ${#arrIPs[@]} -gt 0 ];then
    echo "Recover authorized IP ranges to original configuration ..."
    az aks update -n $(aks.clusterName) -g $(aks.resourceGroupName) --api-server-authorized-ip-ranges ${original_authorized_ip}
else
    echo "Authorized IP ranges is disabled orginally, skip recover step"
fi
1
2
3
4
5
6
7
8
9
10
11

设置CD

• 设置自动触发