Cloud Native and Containers -- CI/CD Pipeline Design in Practice

张开发
2026/4/17 10:33:33 · 15 min read


Series guide: this article covers the design of CI/CD pipelines and the practices that make them safe to run.

Contents
1. CI/CD Overview
   1.1 What is CI/CD
   1.2 CI/CD tool comparison
2. GitOps in Practice
   2.1 GitOps principles
   2.2 GitOps workflow
3. Jenkins Pipelines
   3.1 Jenkinsfile
4. GitLab CI/CD
   4.1 .gitlab-ci.yml
5. Best Practices
   5.1 Branching strategy
   5.2 Pipeline principles
   5.3 Quality gates
Summary

1. CI/CD Overview

1.1 What is CI/CD

Continuous integration (CI) builds, tests and scans every commit automatically; continuous delivery/deployment (CD) takes the verified artifact through deployment, release and monitoring into production. The point of the split is that nothing reaches CD that has not passed CI.

```text
┌─────────────────────────────────────────────────────────────┐
│                         CI/CD flow                          │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   Code commit ──► CI ──► CD ──► Production                  │
│                   │      │                                  │
│                   ▼      ▼                                  │
│                 Build   Deploy                              │
│                 Test    Release                             │
│                 Scan    Monitor                             │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```

1.2 CI/CD tool comparison

| Tool           | Type          | Characteristics                  |
|----------------|---------------|----------------------------------|
| Jenkins        | Self-hosted   | Rich plugin ecosystem, flexible  |
| GitLab CI      | Built in      | Integrated with GitLab           |
| GitHub Actions | Cloud service | Integrated with GitHub           |
| ArgoCD         | GitOps        | Kubernetes-native                |
| Tekton         | Cloud-native  | Kubernetes-native                |

2. GitOps in Practice

2.1 GitOps principles

1. Declarative: all configuration is expressed declaratively.
2. Versioned: Git is the single source of truth.
3. Automated: approved changes are applied automatically.
4. Continuously reconciled: the live state is continuously compared with the desired state in Git, and drift is reported or corrected.

2.2 GitOps workflow

```text
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  App repo   │ ──► │ Config repo │ ──► │   ArgoCD    │
│   (code)    │     │ (manifests) │     │   (sync)    │
└─────────────┘     └─────────────┘     └─────────────┘
                                               │
                                               ▼
                                        ┌─────────────┐
                                        │ Kubernetes  │
                                        └─────────────┘
```

CI builds from the application repo and commits the new image reference to the config repo; ArgoCD pulls from the config repo and syncs the cluster. In this pull model the CI system needs write access to Git, not credentials for the cluster, and every production change is a reviewable commit. The Jenkins and GitLab examples below use the simpler push model, in which the pipeline runs kubectl itself.

3. Jenkins Pipelines

3.1 Jenkinsfile

```groovy
// Jenkinsfile
pipeline {
    agent any

    environment {
        REGISTRY   = 'registry.example.com'
        IMAGE_NAME = 'order-service'
        IMAGE_TAG  = "${env.BUILD_NUMBER}"
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Build') {
            steps {
                sh './mvnw clean package -DskipTests'
            }
        }

        stage('Test') {
            steps {
                sh './mvnw test'
            }
            post {
                always {
                    junit '**/target/surefire-reports/*.xml'
                }
            }
        }

        stage('SonarQube') {
            steps {
                withSonarQubeEnv('SonarQube') {
                    sh './mvnw sonar:sonar'
                }
            }
        }

        stage('Build Image') {
            steps {
                sh 'docker build -t "${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" .'
            }
        }

        stage('Push Image') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'registry-credentials',
                                                  usernameVariable: 'USER',
                                                  passwordVariable: 'PASS')]) {
                    // Single-quoted Groovy strings: the shell expands $USER and $PASS,
                    // so the secret is never interpolated into the script text.
                    // --password-stdin keeps the password out of the process list.
                    sh 'echo "$PASS" | docker login -u "$USER" --password-stdin "$REGISTRY"'
                    sh 'docker push "${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"'
                }
            }
        }

        stage('Deploy to Dev') {
            steps {
                // kubectl set image expects container=image
                sh 'kubectl set image deployment/${IMAGE_NAME} ${IMAGE_NAME}=${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG} -n dev'
            }
        }

        stage('Deploy to Prod') {
            when { branch 'main' }
            input {
                message 'Deploy to Production?'
                ok 'Deploy'
            }
            steps {
                sh 'kubectl set image deployment/${IMAGE_NAME} ${IMAGE_NAME}=${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG} -n prod'
            }
        }
    }

    post {
        success {
            slackSend(color: 'good', message: "Build ${IMAGE_TAG} succeeded!")
        }
        failure {
            slackSend(color: 'danger', message: "Build ${IMAGE_TAG} failed!")
        }
    }
}
```

Two details in the Push Image stage matter for security. The `sh` strings are single-quoted so that the shell, not Groovy, expands `$USER` and `$PASS`; with double-quoted Groovy strings the credential would be interpolated into the script text, which Jenkins warns about because it can end up in the build log. Passing the password with `--password-stdin` instead of `-p` keeps it out of `ps` output on the agent. Production deployment is gated twice: `when { branch 'main' }` and a manual `input` approval.

4. GitLab CI/CD

4.1 .gitlab-ci.yml

```yaml
stages:
  - build
  - test
  - package
  - deploy

variables:
  REGISTRY: registry.example.com
  IMAGE_NAME: order-service

build:
  stage: build
  image: maven:3.8-openjdk-11
  script:
    - mvn clean package -DskipTests
  artifacts:
    paths:
      - target/*.jar
    expire_in: 1 hour

test:
  stage: test
  image: maven:3.8-openjdk-11
  script:
    - mvn test
  artifacts:
    reports:
      junit: target/surefire-reports/*.xml

sonarqube:
  stage: test
  image: maven:3.8-openjdk-11
  script:
    # SONAR_URL and SONAR_TOKEN come from masked CI/CD variables, not from this file
    - mvn sonar:sonar -Dsonar.host.url=$SONAR_URL -Dsonar.login=$SONAR_TOKEN

docker-build:
  stage: package
  image: docker:latest
  services:
    - docker:dind
  script:
    # --password-stdin keeps the registry password out of the job's process list
    - echo "$REGISTRY_PASS" | docker login -u "$REGISTRY_USER" --password-stdin "$REGISTRY"
    - docker build -t $REGISTRY/$IMAGE_NAME:$CI_COMMIT_SHA .
    - docker push $REGISTRY/$IMAGE_NAME:$CI_COMMIT_SHA

deploy-dev:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl set image deployment/$IMAGE_NAME $IMAGE_NAME=$REGISTRY/$IMAGE_NAME:$CI_COMMIT_SHA -n dev
  environment:
    name: development
  only:
    - develop

deploy-prod:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl set image deployment/$IMAGE_NAME $IMAGE_NAME=$REGISTRY/$IMAGE_NAME:$CI_COMMIT_SHA -n prod
  environment:
    name: production
  when: manual
  only:
    - main
```

The image is tagged with `$CI_COMMIT_SHA`, an immutable tag, so the image that was scanned and tested is exactly the one that `deploy-prod` rolls out. `SONAR_TOKEN`, `REGISTRY_USER` and `REGISTRY_PASS` should be masked and protected CI/CD variables. Note that `docker:dind` needs a privileged runner; if that is not acceptable, build with a daemonless tool such as kaniko or buildah instead. `only:` is the legacy keyword; current GitLab prefers `rules:` (for example `rules: - if: $CI_COMMIT_BRANCH == "main"`), which expresses the same condition.

5. Best Practices

5.1 Branching strategy

```text
main (production)
 │
 ├── develop (development)
 │    │
 │    ├── feature/xxx (features)
 │    ├── feature/yyy
 │    │
 │    └── release/x.x (release)
 │
 └── hotfix/xxx (fixes)
```

5.2 Pipeline principles

1. Fast feedback: the CI stage finishes within 10 minutes.
2. Automated testing: unit tests and integration tests.
3. Security scanning: code scanning and image scanning.
4. Environment isolation: Dev → Test → Staging → Prod.
5. Rollback mechanism: one-click rollback.

5.3 Quality gates

```yaml
# Quality gate configuration (illustrative; the pipeline enforces these thresholds)
quality-gates:
  unit-test-coverage: 80%
  sonar-quality-gate: true
  security-vulnerabilities: 0 critical
  docker-image-scan: pass
```

A change that fails any gate must not be deployable. The gate is enforced by the pipeline failing the stage, not by convention.

Summary

✅ CI/CD overview: continuous integration, continuous deployment
✅ GitOps in practice: declarative, versioned
✅ Jenkins pipelines: Jenkinsfile configuration
✅ GitLab CI/CD: .gitlab-ci.yml configuration
✅ Best practices: branching strategy, quality gates

Coming next: Cloud-native architecture design patterns

Author: 刘~浪地球 | Series: Cloud Native and Containers, part 4 | Updated: 2026-04-15
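Because the config repo in section 2.2 is the single source of truth that ArgoCD applies, the natural place to enforce image and pod-security rules is a policy check on those manifests before they are merged (run in CI, ahead of the sync). The following is an added example, not code from the article or from ArgoCD: manifests are given as Python dicts (what `yaml.safe_load` would return), the registry allowlist and both sample Deployments are assumptions constructed for the example, and the rules (allowed registry, no `:latest` or untagged images unless pinned by digest, no privileged containers, `runAsNonRoot`, no privilege escalation) are the ones a practitioner would start with.

```python
"""Pre-sync policy check for Kubernetes manifests in a GitOps config repo.

Added example; not code from the original article or from ArgoCD.
Manifests are Python dicts (what yaml.safe_load would return), so the
example runs without PyYAML. The registry allowlist, rule names and both
sample Deployments are assumptions constructed for this example.
"""
import re
import sys

# Assumption: only the article's registry may supply images.
ALLOWED_REGISTRIES = ("registry.example.com",)
# A reference pinned by digest ends with @sha256:<64 hex>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet")


def check_image(image: str) -> list:
    """Registry allowlist plus immutable-reference rule for one image string."""
    findings = []
    parts = image.split("/")
    # Docker's rule: the first component is a registry only if it has a dot,
    # a port, or is "localhost"; otherwise the image resolves against docker.io.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts[0]
    else:
        registry = "docker.io"
    if registry not in ALLOWED_REGISTRIES:
        findings.append(f"image {image!r}: registry {registry} is not on the allowlist")
    if DIGEST_RE.search(image):
        return findings  # pinned by digest: tag rules do not apply
    last = parts[-1]
    if ":" not in last or last.endswith(":latest"):
        findings.append(f"image {image!r}: mutable reference (untagged or :latest)")
    return findings


def check_container(ctr: dict, where: str) -> list:
    """Image rules plus the securityContext settings a hardened workload carries."""
    findings = check_image(ctr.get("image", ""))
    sc = ctr.get("securityContext") or {}
    if sc.get("privileged"):
        findings.append(f"{where}: privileged container")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{where}: runAsNonRoot is not set to true")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        findings.append(f"{where}: allowPrivilegeEscalation is not set to false")
    return findings


def check_manifest(manifest: dict) -> list:
    """All findings for one workload manifest; other kinds produce none."""
    kind = manifest.get("kind")
    if kind not in WORKLOAD_KINDS:
        return []
    name = manifest.get("metadata", {}).get("name", "?")
    pod_spec = manifest["spec"]["template"]["spec"]
    findings = []
    for field in ("initContainers", "containers"):
        for ctr in pod_spec.get(field, []):
            where = f"{kind}/{name} {field}/{ctr.get('name', '?')}"
            findings.extend(check_container(ctr, where))
    return findings


# Constructed sample: what the config repo should contain after CI bumps the image.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "order-service"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "order-service",
        "image": "registry.example.com/order-service@sha256:" + "a" * 64,
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
    }]}}},
}

# Constructed sample: the kind of manifest the check must reject.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "order-service"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "order-service",
        "image": "order-service:latest",
        "securityContext": {"privileged": True},
    }]}}},
}

if __name__ == "__main__":
    problems = check_manifest(GOOD_DEPLOYMENT) + check_manifest(BAD_DEPLOYMENT)
    for p in problems:
        print("POLICY:", p)
    sys.exit(1 if problems else 0)  # non-zero exit blocks the merge in CI
```

Run it over every rendered manifest in the config repo as a merge-request job; a non-zero exit blocks the merge, so a `:latest` tag or a privileged container never becomes desired state that ArgoCD would then faithfully apply.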
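The quality-gate configuration in section 5.3 lists thresholds but not how a pipeline stage turns reports into a pass/fail decision. The following is an added example, not code from the article or from the tools it names: it reads a JaCoCo-style coverage XML, a SonarQube-style quality-gate status JSON and a Trivy-style image scan JSON (all three formats and all three sample inputs are assumptions constructed for the example), applies the article's four gates, and exits non-zero when any gate fails so the stage itself fails.

```python
"""Evaluate the quality gates from section 5.3 against pipeline artifacts.

Added example; not code from the original article or from the tools it
names. The input formats are assumptions chosen for the example: a
JaCoCo-style coverage XML, a SonarQube-style quality-gate status JSON
and a Trivy-style image scan JSON. All three sample inputs below are
constructed, not real reports.
"""
import json
import sys
import xml.etree.ElementTree as ET

# Thresholds taken from the article's quality-gate configuration.
GATES = {
    "unit-test-coverage": 80.0,   # minimum percentage of lines covered
    "sonar-quality-gate": True,   # SonarQube must report status OK
    "max-critical-vulns": 0,      # CRITICAL image findings allowed
}

# Constructed sample: JaCoCo-style report, LINE counter 166 of 200 covered (83%).
COVERAGE_XML = """<report name="order-service">
  <counter type="INSTRUCTION" missed="120" covered="880"/>
  <counter type="LINE" missed="34" covered="166"/>
</report>"""

# Constructed sample: SonarQube-style /api/qualitygates/project_status response.
SONAR_JSON = '{"projectStatus": {"status": "OK"}}'

# Constructed sample: Trivy-style scan output with one CRITICAL finding.
TRIVY_JSON = json.dumps({"Results": [{
    "Target": "registry.example.com/order-service:abc123",
    "Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-0001", "Severity": "HIGH"},
        {"VulnerabilityID": "EXAMPLE-0002", "Severity": "CRITICAL"},
    ],
}]})


def line_coverage(jacoco_xml: str) -> float:
    """Percentage of lines covered, from the report-level LINE counter."""
    root = ET.fromstring(jacoco_xml)
    for counter in root.findall("counter"):
        if counter.get("type") == "LINE":
            missed = int(counter.get("missed"))
            covered = int(counter.get("covered"))
            return 100.0 * covered / (missed + covered)
    raise ValueError("report has no LINE counter")


def sonar_gate_passed(sonar_json: str) -> bool:
    return json.loads(sonar_json)["projectStatus"]["status"] == "OK"


def count_by_severity(trivy_json: str) -> dict:
    """Findings per severity across all scanned targets."""
    counts = {}
    for result in json.loads(trivy_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # null when a target is clean
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def evaluate_gates(jacoco_xml: str, sonar_json: str, trivy_json: str,
                   gates: dict = GATES) -> dict:
    """Return {"passed": bool, "checks": {gate: (ok, detail)}} for the four gates."""
    cov = line_coverage(jacoco_xml)
    scan = json.loads(trivy_json)
    critical = count_by_severity(trivy_json).get("CRITICAL", 0)
    sonar_status = json.loads(sonar_json)["projectStatus"]["status"]
    checks = {
        "unit-test-coverage": (cov >= gates["unit-test-coverage"],
                               f"{cov:.1f}% covered, minimum {gates['unit-test-coverage']:.0f}%"),
        "sonar-quality-gate": (sonar_gate_passed(sonar_json) or not gates["sonar-quality-gate"],
                               f"SonarQube status {sonar_status}"),
        "security-vulnerabilities": (critical <= gates["max-critical-vulns"],
                                     f"{critical} critical, maximum {gates['max-critical-vulns']}"),
        # "pass" for this gate means the scan actually ran and covered a target
        "docker-image-scan": (bool(scan.get("Results")),
                              f"{len(scan.get('Results') or [])} target(s) scanned"),
    }
    return {"passed": all(ok for ok, _ in checks.values()), "checks": checks}


if __name__ == "__main__":
    result = evaluate_gates(COVERAGE_XML, SONAR_JSON, TRIVY_JSON)
    for gate, (ok, detail) in result["checks"].items():
        print(f"{'PASS' if ok else 'FAIL'}  {gate}: {detail}")
    sys.exit(0 if result["passed"] else 1)  # non-zero exit fails the pipeline stage
```

With the constructed inputs, coverage (83%) and the Sonar status pass, but the single CRITICAL finding fails the `security-vulnerabilities` gate and the script exits 1. The separate `docker-image-scan` gate guards against the opposite failure mode, a scan step that silently produced no report and would otherwise look like "zero findings".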
