如何使用Jenkins将Docker容器从Amazon ECR自动部署到Kubernetes [英] How to auto deploy Docker containers from Amazon ECR to Kubernetes using Jenkins

问题描述

这是我们的环境:

1. 我有一个在Amazon上运行的Kubernetes集群.
2. 在Amazon上运行的Jenkins CI/CD，它连接到私有的GitLab并将我们的服务构建为Docker映像.
3. 存储我们的Docker映像的Amazon ECR.

我的问题:

1. 一旦Jenkins管道将新生成的映像推送到ECR，如何将映像从ECR自动部署到Kubernetes(作为Pod)?
2. 我可以在Jenkins渠道中做到这一点吗?我已经读了很多材料，但是找不到应该怎么做.

还有一个第三方工具，例如 Keel ，但它不支持Amazon ECR( ECR的Webhook问题).

There is also a 3rd party tool like Keel but it doesn't support Amazon ECR (Webhook problem with ECR).

任何帮助将不胜感激.

Any help would be appreciated.

推荐答案

我有类似的工作流程，希望这可以帮助您找到方向.我正在使用用于CI的bitbucket管道，但是我确信Jenkins也可以正常工作.

I have a similar workflow and I hope this helps you get some direction. I am using bitbucket pipeline for CI, but I am sure Jenkins will work fine as well.

这就是我在CI流程中所做的:

This is what I do in my CI flow :

• 构建我的代码并安装依赖项
• 使用唯一标记(commit-id)> my-cntnr:12
创建一个容器
• 推送到ECR
• 适用于my-pod的卷曲Rancher API> set(image:my-cntnr:12)
• Kubernates更新容器并从ECR中拉出带有标签12的容器

• Build my code and install dependencies
• Create a container with a unique tag ( commit-id ) > my-cntnr:12
• Push to ECR
• Curl Rancher API for my-pod > set(image:my-cntnr:12)
• Kubernates updates the pod and pulls the container with tag 12 from ECR

以下是参考脚本:

      - composer install --no-interaction
      - docker build -t cms .
      - docker tag myrepo:latest 123456789.dkr.ecr.my-region.amazonaws.com/myrepo:$BITBUCKET_BUILD_NUMBER
      - aws ecr get-login --no-include-email --region my-region >> login.sh
      - sh login.sh
      - docker push 123456799.dkr.ecr.my-region.amazonaws.com/myrepo:$BITBUCKET_BUILD_NUMBER
      - sh .docker/workload-update.sh // my curl script calling rancher API

注意:由于我使用的是Rancher，因此可以使用Rancher API来更新广告连播和 他们的配置.

note: Since I am using Rancher, I can use Rancher API to update pods and their configuration.

现在，对于Kubernetes的ECR凭证部分，您必须创建一个密钥(仅Kubernetes实体)，此密钥是使用您的AWS ECR详细信息创建的.然后，您可以在pod.yml中将此秘密用作image-pull-secret.这将告诉k8使用密码并从ECR中提取图像

Now for the ECR credentials part for Kubernetes, you have to create a secret ( a Kubernetes only entity), this secret is created using your AWS ECR details. Then you can use this secret in your pod.yml as image-pull-secret. This will tell k8 to use the secret and pull the image from ECR

我有一个简单的脚本可以快速做到这一点.

I have a simple script to quickly do that.

#
# RUN me where kubectl is available,& make sure to replace account,region etc
#
ACCOUNT=123456789
REGION=my-region
SECRET_NAME=${REGION}-ecr-registry
EMAIL=email@email.com ( can be anything)

#
# Fetch token (which will expire in 12 hours)
#

TOKEN=`aws ecr --region=$REGION get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2`

#
# Create or replace registry secret
#

kubectl delete secret --ignore-not-found $SECRET_NAME
kubectl create secret docker-registry $SECRET_NAME \
 --docker-server=https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com \
 --docker-username=AWS \
 --docker-password="${TOKEN}" \
 --docker-email="${EMAIL}"

这就是您可以在pod.yml中使用它的方式

And this is how you can use it in your pod.yml

apiVersion: v1
kind: Pod                                            
metadata:
  name: my-app   
  labels:
    app: my-app                              
spec:                                                
  containers:
    - image: 123456789.dkr.ecr.my-region.amazonaws.com/my-repo
      name: -cntnr                            
      ports:
        - containerPort: 8080    
  imagePullSecrets:
  - name: my-secret-name ( this will be same as name of secret we created earlier)

---

我也写了一篇有关该过程的详细文章.请在此处找到它.

这篇关于如何使用Jenkins将Docker容器从Amazon ECR自动部署到Kubernetes的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！