Ingxaki yokucoca "i-smart" yemifanekiso yesikhongozeli kunye nesisombululo sayo kwi-werf

Eli nqaku lixoxa ngeengxaki zokucoca imifanekiso eqokelelwa kwiiregistries ze-container (i-Docker Registry kunye ne-analogues yayo) kwiinyani zemibhobho ye-CI / CD yanamhlanje yezicelo zendalo zefu ezinikezelwe kwi-Kubernetes. Iikhrayitheriya eziphambili zokufaneleka kwemifanekiso kunye nobunzima obubangelwa ukucoca ngokuzenzekelayo, ukugcina indawo kunye nokuhlangabezana neemfuno zamaqela anikwe. Okokugqibela, sisebenzisa umzekelo weprojekthi ethile yoMthombo oVulekileyo, siya kukuxelela ukuba obu bunzima bunokoyiswa njani.

Intshayelelo

Inani leemifanekiso kwirejistri yesikhongozeli linokukhula ngokukhawuleza, lithatha indawo engaphezulu yokugcina kwaye ngaloo ndlela linyuse kakhulu iindleko zalo. Ukulawula, ukunciphisa okanye ukugcina ukukhula okwamkelekileyo kwendawo ehlala kwirejista, yamkelwe:

1. sebenzisa inani elimiselweyo leethegi zemifanekiso;
2. coca imifanekiso ngandlela ithile.

Umda wokuqala ngamanye amaxesha uyamkeleka kumaqela amancinci. Ukuba abaphuhlisi banethegi ezaneleyo ezisisigxina (latest, main, test, boris njl.), i-registry ayiyi kuvuvukala ngobukhulu kwaye ixesha elide awuyi kucinga malunga nokucoca konke. Emva koko, yonke imifanekiso engabalulekanga iyacinywa, kwaye akukho msebenzi oseleyo wokucoca (yonke into eyenziwa ngumqokeleli wenkunkuma oqhelekileyo).

Nangona kunjalo, le ndlela inciphisa kakhulu uphuhliso kwaye ayifane isebenze kwiiprojekthi zale mihla zeCI/CD. Inxalenye ebalulekileyo yophuhliso yaba oluzenzekelayo, ekuvumela ukuba uvavanye, usebenzise kwaye uhambise umsebenzi omtsha kubasebenzisi ngokukhawuleza. Umzekelo, kuzo zonke iiprojekthi zethu, umbhobho weCI wenziwa ngokuzenzekelayo ngesibophelelo ngasinye. Kuyo, umfanekiso uhlanganiswe, uvavanywe, ukhutshwe kwiisekethe ezahlukeneyo ze-Kubernetes zokulungiswa kweempazamo kunye nokutshekishwa okuseleyo, kwaye ukuba konke kulungile, utshintsho lufikelela kumsebenzisi wokugqibela. Kwaye oku akuseyiyo isayensi ye-rocket, kodwa yinto yemihla ngemihla yabaninzi-enokwenzeka kuwe, ekubeni ufunda eli nqaku.

Ekubeni ukulungiswa kwebugs kunye nokuphuhlisa ukusebenza okutsha kuqhutyelwa ngokufanayo, kwaye ukukhutshwa kunokwenziwa ngamaxesha amaninzi ngosuku, kuyacaca ukuba inkqubo yophuhliso ihamba kunye nenani elibalulekileyo lokuzibophelela, oku kuthetha ukuba. inani elikhulu lemifanekiso kwirejista. Ngenxa yoko, umba wokuququzelela ukucocwa okusebenzayo kobhaliso kuvela, i.e. ukususa imifanekiso engabalulekanga.

Kodwa unokugqiba njani ukuba umfanekiso ufanelekile?

Iikhrayitheriya zokufaneleka komfanekiso

Kwiimeko ezininzi, eyona ndlela iphambili iya kuba:

1. Eyokuqala (eyona nto icacileyo kwaye ibaluleke kakhulu) yimifanekiso leyo isetyenziswa ngoku eKubernetes. Ukususa le mifanekiso kunokukhokelela kwiindleko ezibalulekileyo zexesha lokunciphisa imveliso (umzekelo, imifanekiso ingafuneka ukuphindaphinda) okanye ukuchasa iinzame zeqela lokulungisa nayiphi na i-loops. (Ngenxa yesi sizathu siye senza okukhethekileyo Umthumeli wangaphandle wePrometheus, elandelela ukungabikho kwemifanekiso enjalo kulo naliphi na iqela leKubernetes.)

2. Okwesibini (okungacacanga, kodwa kubaluleke kakhulu kwaye kwakhona kuhambelana nokuxhaphaza) - imifanekiso leyo efunekayo ekubuyiseleni umva kwimeko yokukhangela iingxaki ezinzulu kuguqulelo lwangoku. Ngokomzekelo, kwimeko yeHelm, le yimifanekiso esetyenziswa kwiinguqulelo ezigciniweyo zokukhululwa. (Ngendlela, ngokungagqibekanga kwi-Helm umda luhlaziyo lwe-256, kodwa akunakwenzeka ukuba nabani na ufuna ukugcina enjalo inani elikhulu leenguqulelo? ..) Emva koko, thina, ngokukodwa, sigcina iinguqulelo ukuze sikwazi ukuzisebenzisa kamva, oko kukuthi. “buyisela umva” kubo ukuba kuyimfuneko.

3. Okwesithathu - iimfuno zomphuhlisi: Yonke imifanekiso enxulumene nomsebenzi wabo wangoku. Umzekelo, ukuba sithathela ingqalelo iPR, kuyavakala ukushiya umfanekiso ohambelana nesibophelelo sokugqibela kwaye, yithi, ukuzibophelela kwangaphambili: ngale ndlela umphuhlisi unokubuyela ngokukhawuleza kuwo nawuphi na umsebenzi kwaye asebenze ngotshintsho lwamva nje.

4. Okwesine - imifanekiso ukuba ihambelana nenguqulelo yesicelo sethu, okt. ziyimveliso yokugqibela: v1.0.0, 20.04.01/XNUMX/XNUMX, sierra, njl.

QAPHELA: Iikhrayitheriya ezichazwe apha zaqulunqwa ngokusekwe kumava okunxibelelana neqela lamaqela ophuhliso asuka kwiinkampani ezahlukeneyo. Nangona kunjalo, ngokuqinisekileyo, kuxhomekeke kwiinkcukacha kwiinkqubo zophuhliso kunye neziseko ezisetyenzisiweyo (umzekelo, i-Kubernetes ayisetyenziswanga), le migaqo inokwahluka.

Ukufaneleka kunye nezisombululo ezikhoyo

Iinkonzo ezidumileyo kunye neerejista zeebhokisi, njengomthetho, zinika imigaqo-nkqubo yokucoca umfanekiso: kuzo unokuchaza iimeko apho ithegi isuswe kwirejista. Nangona kunjalo, ezi meko zithintelwe ziiparamitha ezinje ngamagama, ixesha lokudala, kunye nenani leethegi*.

* Kuxhomekeke kumiliselo oluthile lwerejistri. Siye saqwalasela amathuba ezisombululo zilandelayo: Azure CR, Docker Hub, ECR, GCR, GitHub Packages, GitLab Container Registry, Harbour Registry, JFrog Artifactory, Quay.io - ukususela ngoSeptemba'2020.

Le seti yeeparamitha yanele ngokwaneleyo ukwanelisa umlinganiselo wesine - oko kukuthi, ukukhetha imifanekiso ehambelana neenguqulelo. Nangona kunjalo, kuzo zonke ezinye iikhrayitheriya, umntu kufuneka akhethe uhlobo oluthile lwesisombululo se-compromise (oluqilima okanye, ngokuchaseneyo, umgaqo-nkqubo ophantsi) - kuxhomekeke kwizinto ezilindelekileyo kunye nobuchule bemali.

Ngokomzekelo, ikhrayitheriya yesithathu - ehambelana neemfuno zabaphuhlisi - inokusombululwa ngokuququzelela iinkqubo ngaphakathi kwamaqela: amagama athile emifanekiso, ukugcina uluhlu olukhethekileyo lokuvumela kunye nezivumelwano zangaphakathi. Kodwa ekugqibeleni kusafuneka izenzekele. Kwaye ukuba izakhono zezisombululo esele zenziwe azanelanga, kufuneka wenze into ngokwakho.

Imeko eneekhrayitheriya ezimbini zokuqala iyafana: abanako ukwaneliseka ngaphandle kokufumana idatha evela kwinkqubo yangaphandle - leyo apho izicelo zifakwe khona (kwimeko yethu, Kubernetes).

Umzobo wokuhamba komsebenzi kwi-Git

Masithi usebenza into enje kwiGit:

I-icon enentloko kwidayagram ibonisa imifanekiso yesikhongozeli esetyenziswa ngoku kwi-Kubernetes kubo nabaphi na abasebenzisi (abasebenzisi bokugqibela, abavavanyi, abaphathi, njl.)

Kwenzeka ntoni ukuba imigaqo-nkqubo yokucoca ivumela kuphela ukuba imifanekiso igcinwe (ayicinywa) ngamagama anikiweyo ethegi?

Ngokucacileyo, imeko enjalo ayiyi kuvuyisa nabani na.

Yintoni eya kutshintsha ukuba imigaqo-nkqubo ivumela ukuba imifanekiso ingacinywa? ngokwexesha elinikiweyo / inani lezenzo zokugqibela?

Isiphumo siye saba ngcono kakhulu, kodwa kusekude kakhulu. Ngapha koko, sisenabaphuhlisi abafuna imifanekiso kwirejista (okanye ifakwe kwii-K8s) ukulungisa iimpazamo...

Ukushwankathela imeko yangoku yemarike: imisebenzi ekhoyo kwiirejistri zeekhonteyina ayinikezeli ukuguquguquka okwaneleyo xa ucoca, kwaye esona sizathu siphambili soku. akukho ndlela yokunxibelelana nehlabathi langaphandle. Kuvela ukuba amaqela afuna ukuguquguquka okunjalo anyanzelekile ukuba asebenze ngokuzimeleyo ukucima umfanekiso "ukusuka ngaphandle", usebenzisa i-Docker Registry API (okanye i-API yendabuko yokuphunyezwa okuhambelanayo).

Nangona kunjalo, besijonge isisombululo sendalo yonke esiya kuthi sizenze ngokuzenzekelayo ukucocwa kwemifanekiso kumaqela ahlukeneyo sisebenzisa iirejista ezahlukeneyo...

Indlela yethu yokucoca imifanekiso jikelele

Ivela phi le mfuno? Inyani yeyokuba asiloqela elahlukileyo labaphuhlisi, kodwa liqela elikhonza uninzi lwabo ngaxeshanye, linceda ukusombulula imiba yeCI/CD ngokupheleleyo. Kwaye esona sixhobo siphambili sobuchwephesha sesi sisixhobo soMthombo oVulekileyo i-werf. Ubuqhetseba bayo kukuba ayenzi msebenzi omnye, kodwa ihamba kunye neenkqubo eziqhubekayo zokuhanjiswa kuzo zonke izigaba: ukusuka kwindibano ukuya ekuhanjisweni.

Ukupapasha imifanekiso kubhaliso* (kwangoko emva kokuba yakhiwe) ngumsebenzi ocacileyo woncedo olunjalo. Kwaye ekubeni imifanekiso ibekwe apho ukugcinwa, ngoko-ukuba ukugcinwa kwakho akunasiphelo - kufuneka ube noxanduva lokucoca kwabo okulandelayo. Indlela esiyifumene ngayo impumelelo kule nto, eyanelisayo yonke imilinganiselo echaziweyo, iya kuxoxwa ngakumbi.

* Nangona iirejistri ngokwazo zinokwahluka (Docker Registry, GitLab Container Registry, Harbour, njl.), abasebenzisi bazo bajongana neengxaki ezifanayo. Isisombululo sendalo yonke kwimeko yethu asixhomekeke ekuphunyezweni kwerejista, kuba isebenza ngaphandle kweerejistri ngokwazo kwaye inikezela ngokuziphatha okufanayo kumntu wonke.

Nangona sisebenzisa i-werf njengomzekelo wophumezo, sinethemba lokuba iindlela ezisetyenziswayo ziya kuba luncedo kwamanye amaqela ajongene nobunzima obufanayo.

Saye saxakeka ke ngaphandle ukuphunyezwa kwendlela yokucoca imifanekiso - endaweni yezo zakhono esele zakhiwe kwiirejistri zemigqomo. Isinyathelo sokuqala yayikukusebenzisa i-Docker Registry API ukwenza imigaqo-nkqubo efanayo yamandulo yenani leethegi kunye nexesha lokudalwa kwazo (ezikhankanywe ngasentla). Kongezwe kubo vumela uluhlu olusekwe kwimifanekiso esetyenziswa kwiziseko ezingundoqo ezibekiweyo, okt. Kubernetes. Okokugqibela, kwakwanele ukusebenzisa i-Kubernetes API ukuphindaphinda kuzo zonke izixhobo ezisetyenzisiweyo kwaye ufumane uluhlu lwamaxabiso. image.

Esi sisombululo sincinci sisombulule ingxaki ebaluleke kakhulu (inqaku le-1), kodwa yayiyisiqalo sohambo lwethu lokuphucula indlela yokucoca. Inyathelo elilandelayo-kwaye linomdla kakhulu-yayisisigqibo nxulumanisa imifanekiso epapashiweyo ngembali yeGit.

Iinkqubo zokuthega

Ukuqala, sikhethe indlela apho umfanekiso wokugqibela kufuneka ugcine ulwazi oluyimfuneko lokucoca, kwaye wakha inkqubo kwizicwangciso zokumaka. Xa upapasha umfanekiso, umsebenzisi ukhethe ukhetho oluthile lokuthega (git-branch, git-commit okanye git-tag) kwaye kusetyenziswe ixabiso elihambelanayo. Kwiinkqubo ze-CI, la maxabiso amiselwa ngokuzenzekelayo ngokusekwe kwizinto eziguquguqukayo zokusingqongileyo. Inyaniso umfanekiso wokugqibela wanxulunyaniswa neGit ethile, ukugcina idatha efunekayo yokucoca kwiilebhile.

Le ndlela ibangele uluhlu lwemigaqo-nkqubo eyavumela i-Git ukuba isetyenziswe njengomthombo omnye wenyaniso:

• Xa ucima isebe/ithegi kwi-Git, imifanekiso ehambelana nayo kwirejista yacinywa ngokuzenzekelayo.
• Inani lemifanekiso eyayanyaniswa neethegi ze-Git kunye nokuzibophelela kunokulawulwa linani leethegi ezisetyenziswe kwi-schema ekhethiweyo kunye nexesha apho ukuzinikela okunxulumeneyo kwenziwa.

Lilonke, ukuphunyezwa kwesiphumo kwanelisa iimfuno zethu, kodwa umngeni omtsha wawusilindile kungekudala. Inyani yeyokuba ngelixa usebenzisa izikimu zokumaka ezisekwe kwi-Git primitives, siye sadibana nenani leentsilelo. (Ekubeni inkcazo yabo ingaphaya kobubanzi beli nqaku, wonke umntu unokuziqhelanisa neenkcukacha apha.) Ngoko ke, emva kokuba sigqibe ekubeni sitshintshele kwindlela echanekileyo yokumaka (ithegi esekelwe kumxholo), kwafuneka siphinde sihlolisise ukuphunyezwa kokucoca umfanekiso.

I-algorithm entsha

Ngoba? Ngokuthegiswa okusekwe kumxholo, ithegi nganye inokwanelisa ukuzibophelela okuninzi kwiGit. Xa ucoca imifanekiso, awusakwazi ukucinga kuphela ukusuka kwisibophelelo apho ithegi entsha yongezwa kubhaliso.

Kwi-algorithm entsha yokucoca, kwagqitywa ekubeni kususwe izikimu zokumaka kunye nokwakha inkqubo yemeta-image, nganye kuzo igcina iqela le:

• isibophelelo olwenziwa kuso upapasho (akunamsebenzi nokuba umfanekiso wongeziwe, utshintshiwe okanye uhlala unjalo kubhaliso lwesikhongozeli);
• kunye nesazisi sethu sangaphakathi esihambelana nomfanekiso odibeneyo.

Ngamanye amazwi, kwakubonelelwe ukudibanisa iithegi ezipapashiweyo kunye nokuzibophelela kwi-Git.

Ukucwangciswa kokugqibela kunye ne-algorithm jikelele

Xa uqwalasela ukucoca, abasebenzisi ngoku banokufikelela kwimigaqo-nkqubo ekhetha imifanekiso yangoku. Umgaqo-nkqubo ngamnye onjalo uchaziwe:

• iimbekiselo ezininzi, i.e. Iithegi zeGit okanye amasebe eGit asetyenziswa ngexesha lokuskena;
• kunye nomda wemifanekiso ekhangelweyo yereferensi nganye ukusuka kwiseti.

Ukubonisa, nantsi indlela uqwalaselo lomgaqo-nkqubo olungagqibekanga luqale ukubonakala ngathi:

cleanup:
  keepPolicies:
  - references:
      tag: /.*/
      limit:
        last: 10
  - references:
      branch: /.*/
      limit:
        last: 10
        in: 168h
        operator: And
    imagesPerReference:
      last: 2
      in: 168h
      operator: And
  - references:  
      branch: /^(main|staging|production)$/
    imagesPerReference:
      last: 10

Olu lungelelwaniso luqulethe imigaqo-nkqubo emithathu ehambelana nale migaqo ilandelayo:

1. Gcina umfanekiso kwiithegi ezili-10 zokugqibela zeGit (ngomhla wokudala ithegi).
2. Gcina ungagqithisi kwimifanekiso emi-2 epapashwe kwiveki ephelileyo ungagqithisi kwimisonto ye-10 enomsebenzi kwiveki ephelileyo.
3. Gcina imifanekiso eli-10 yamasebe main, staging и production.

I-algorithm yokugqibela ibilisa kula manyathelo alandelayo:

• Ukufumana kwakhona okubonakalayo kwirejistri yesikhongozeli.
• Ngaphandle kwemifanekiso esetyenziswa kwi-Kubernetes, kuba Sele sizikhethe kwangaphambili ngokuvota iK8s API.
• Iskena imbali yeGit kwaye ingabandakanyi imifanekiso esekwe kwimigaqo-nkqubo ekhankanyiweyo.
• Kususwa imifanekiso eseleyo.

Ukubuyela kumzekeliso wethu, nantsi into eyenzekayo nge-werf:

Nangona kunjalo, nokuba awusebenzisi i-werf, indlela efanayo yokucocwa kwemifanekiso ephuculweyo - ekuphunyezweni okanye kwenye (ngokwendlela ekhethwayo yokumaka umfanekiso) - ingasetyenziswa kwezinye iinkqubo / izinto eziluncedo. Ukwenza oku, kwanele ukukhumbula iingxaki ezivelayo kwaye ufumane loo mathuba kwi-stack yakho evumela ukuba udibanise isisombululo sabo ngokufanelekileyo ngokusemandleni. Siyathemba ukuba indlela esiyihambileyo iya kukunceda ujonge imeko yakho ngeenkcukacha kunye neengcinga ezintsha.

isiphelo

• Kungekudala okanye kamva, amaqela amaninzi adibana nengxaki yokuphuphuma kwerejista.
• Xa ufuna izisombululo, okokuqala kuyimfuneko ukumisela imigaqo yokufaneleka komfanekiso.
• Izixhobo ezibonelelwa ngeenkonzo ezidumileyo zobhaliso lweekhonteyina zikuvumela ukuba uququzelele ukucocwa okulula kakhulu okungathatheli ngqalelo "ihlabathi langaphandle": imifanekiso esetyenziswa kwi-Kubernetes kunye nezinto ezikhethekileyo zokuhamba komsebenzi weqela.
• I-algorithm eguquguqukayo kunye nesebenzayo kufuneka ibe nokuqonda kweenkqubo zeCI / CD kwaye ingasebenzi kuphela ngedatha yesithombe seDocker.

PS

Funda nakwibhlog yethu:

• «Ukuthegiswa okusekwe kumxholo kumqokeleli werf: kutheni kwaye isebenza njani?";
• «Iindlela ezi-3 zokudityaniswa kwe-werf: ukuthunyelwa kwi-Kubernetes kunye neHelm "kwi-steroids"";
• «Inkxaso ye-monorepo kunye ne-multirepo kwi-werf kwaye i-Docker Registry inento yokwenza nayo";
• «ukukhutshwa kwe-werf 1.1: ukuphuculwa komakhi namhlanje kunye nezicwangciso zexesha elizayo».

umthombo: www.habr.com