当前位置：首页 > news >正文

jenkins使用docker api配置自签证书 +发布项目

news 来源：原创 2024/9/19 9:49:39

配置证书

1、创建目录/etc/docker/certs，

在该目录下执行下列命令

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pemopenssl genrsa -out server-key.pem 4096 \
openssl req -subj "/CN=server" -sha256 -new -key server-key.pem -out server.csr \
echo subjectAltName = DNS:223.5.5.5,IP:106.14.114.xx,IP:172.22.251.52,IP:127.0.0.1 >> extfile.cnf \
echo extendedKeyUsage = serverAuth >> extfile.cnf \
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf//备注 ip为自己服务器的内外网地址openssl genrsa -out key.pem 4096 \
openssl req -subj '/CN=client' -new -key key.pem -out client.csr \
echo extendedKeyUsage = clientAuth > extfile-client.cnf \
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnfrm -rf -v client.csr server.csr extfile.cnf extfile-client.cnf \
chmod -v 0400 ca-key.pem key.pem server-key.pem \
chmod -v 0444 ca.pem server-cert.pem cert.pem

2、文件配置（/lib/systemd/system/docker.service ）
编辑该文件如下:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H fd:// -H tcp://0.0.0.0:2376

3、重启docker服务

systemctl enable docker.service && systemctl daemon-reload  && systemctl start docker.service
systemctl status docker.service

4、查看docker api服务是否成功

netstat -lntp | grep dockerd

二、Jenkins配置

1、配置coding代码仓库访问权限。

2、配置docker镜像

3、docker api配置：Jenkins配置三个证书（ca.pem、cert.pem、key.pem）

在这里插入图片描述

三、新建试图、配置任务

任务：新建任务——>流水线——>选择“Pipeline script from SCM”——>选择“git”（配置Jenkinsfile路径、取消“轻量级检出”）

四. jenkinsfile上的配置

 stage('Deploy to docker') {environment {// docker客户端证书凭证，若不需要ssl访问则注释DOCKER_CERT_PATH = credentials('saidi252-credit')}steps {script {container_port = 80container_port_map = ""docker_client_env = ""if (params.container_port) {container_port = "${params.container_port}"container_port_map = " -p ${params.container_port}:80 "}if (params.docker_remotes) {def docker_remote_arr = "${params.docker_remotes}".split(",")// 部署服务处理for (int i = 0; i < docker_remote_arr.size(); ++i) {docker_remote = "${docker_remote_arr[i]}"docker_client_env = "export DOCKER_TLS_VERIFY=1; export DOCKER_HOST=tcp://${docker_remote}:2377; docker_remote=${docker_remote};"sh "$docker_client_env docker rm -f $DOMAIN_NAME"//部署服务sh "$docker_client_env docker run -d --name ${DOMAIN_NAME} --restart=always \-e TZ='Asia/Shanghai'  -e CONTAINER_PORT=${container_port} -m ${LIMIT_MEMORY}M \$container_port_map -v /etc/localtime:/etc/localtime:ro   \$docker_image"echo "清理过时的镜像"sh "$docker_client_env docker images $docker_image_name -q --filter before=$docker_image | xargs --no-run-if-empty docker rmi "}}}}}

完