GitOps 和 GitHub Actions
GitOps 和 GitHub Actions
GitOps 理念
GitOps 是现代 Kubernetes 应用交付的最佳实践:
┌──────────────┐
│ Git 仓库 │ ← 唯一的真实来源
└──────┬───────┘
│ Push
┌──────▼───────┐
│ CI Pipeline │ ← 构建、测试、推送镜像
└──────┬───────┘
│ Trigger
┌──────▼───────┐
│ CD Tool │ ← ArgoCD/Flux 自动同步
└──────┬───────┘
│ Deploy
┌──────▼───────┐
│ Kubernetes │ ← 集群状态与 Git 一致
└──────────────┘
核心原则:
- 声明式配置
- 版本控制
- 自动化同步
- 不可变基础设施
GitHub Actions 完整工作流
多环境部署流水线
name: Build and Deploy
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
# Job 1: 代码质量检查
lint-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run linter
run: npm run lint
- name: Run tests
run: npm test -- --coverage
- name: Upload coverage
uses: codecov/codecov-action@v3
# Job 2: 安全扫描
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# Job 3: 构建和推送镜像
build-and-push:
needs: [lint-and-test, security-scan]
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
outputs:
image-tag: ${{ steps.meta.outputs.tags }}
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix={{branch}}-
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
BUILD_DATE=${{ github.event.head_commit.timestamp }}
VCS_REF=${{ github.sha }}
# Job 4: 部署到开发环境
deploy-dev:
if: github.ref == 'refs/heads/develop'
needs: build-and-push
runs-on: ubuntu-latest
environment: development
steps:
- uses: actions/checkout@v4
- name: Setup kubectl
uses: azure/setup-kubectl@v3
- name: Configure kubeconfig
run: |
mkdir -p $HOME/.kube
echo "${{ secrets.KUBECONFIG_DEV }}" > $HOME/.kube/config
- name: Update deployment
run: |
kubectl set image deployment/myapp \
myapp=${{ needs.build-and-push.outputs.image-tag }} \
-n dev
kubectl rollout status deployment/myapp -n dev
- name: Verify deployment
run: |
kubectl get pods -n dev -l app=myapp
kubectl get svc -n dev -l app=myapp
# Job 5: 部署到生产环境
deploy-prod:
if: github.ref == 'refs/heads/main'
needs: build-and-push
runs-on: ubuntu-latest
environment:
name: production
url: https://app.example.com
steps:
- uses: actions/checkout@v4
- name: Setup kubectl
uses: azure/setup-kubectl@v3
- name: Configure kubeconfig
run: |
mkdir -p $HOME/.kube
echo "${{ secrets.KUBECONFIG_PROD }}" > $HOME/.kube/config
- name: Create backup
run: |
kubectl get deployment myapp -n prod -o yaml > backup-$(date +%Y%m%d-%H%M%S).yaml
- name: Update deployment (Canary 10%)
run: |
# 更新 canary deployment
kubectl set image deployment/myapp-canary \
myapp=${{ needs.build-and-push.outputs.image-tag }} \
-n prod
kubectl rollout status deployment/myapp-canary -n prod
- name: Wait for validation
run: sleep 300 # 等待5分钟观察
- name: Full rollout
run: |
kubectl set image deployment/myapp \
myapp=${{ needs.build-and-push.outputs.image-tag }} \
-n prod
kubectl rollout status deployment/myapp -n prod
- name: Smoke test
run: |
curl -f https://app.example.com/health || exit 1
# Job 6: 通知
notify:
if: always()
needs: [deploy-dev, deploy-prod]
runs-on: ubuntu-latest
steps:
- name: Slack Notification
uses: 8398a7/action-slack@v3
with:
status: ${{ job.status }}
text: 'Deployment ${{ job.status }}'
webhook_url: ${{ secrets.SLACK_WEBHOOK }}
Dockerfile 最佳实践
# 多阶段构建
FROM node:18-alpine AS builder
# 设置工作目录
WORKDIR /app
# 复制依赖文件
COPY package*.json ./
# 安装依赖
RUN npm ci --only=production && \
npm cache clean --force
# 复制源代码
COPY . .
# 构建应用
RUN npm run build
# 生产镜像
FROM node:18-alpine
# 安全:创建非root用户
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
# 设置工作目录
WORKDIR /app
# 从builder阶段复制文件
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
COPY --from=builder --chown=nodejs:nodejs /app/package.json ./
# 切换到非root用户
USER nodejs
# 暴露端口
EXPOSE 3000
# 健康检查
HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
CMD node healthcheck.js
# 启动应用
CMD ["node", "dist/main.js"]
镜像优化技巧
# 1. 使用 .dockerignore
.git
node_modules
*.md
.env
coverage
# 2. 分层缓存优化
# 先复制依赖文件,后复制源码
COPY package*.json ./
RUN npm ci
COPY . .
# 3. 使用精简基础镜像
FROM node:18-alpine # 而不是 node:18
# 4. 清理缓存
RUN npm ci && npm cache clean --force
# 5. 合并 RUN 命令减少层数
RUN apt-get update && \
apt-get install -y xxx && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
环境管理
GitHub Environments
在 GitHub 仓库设置中配置环境:
# .github/workflows/deploy.yml
environment:
name: production
url: https://app.example.com
Environment 配置:
- Deployment protection rules: 需要审批
- Required reviewers: 指定审批人
- Wait timer: 延迟部署
- Secrets: 环境专属密钥
Secrets 管理
# Repository secrets
KUBECONFIG_DEV
KUBECONFIG_PROD
REGISTRY_USERNAME
REGISTRY_PASSWORD
# Environment secrets (优先级更高)
DATABASE_URL
API_KEY
小结
本节介绍了 GitOps 和 GitHub Actions:
✅ GitOps 理念:声明式、版本控制、自动化
✅ 完整流水线:测试、构建、扫描、部署
✅ 多环境部署:开发、生产环境隔离
✅ Docker 优化:多阶段构建、安全加固
✅ 环境管理:Secrets、审批流程
下一节介绍 GitLab CI/CD 集成。