# Chapter 12: A Complete DevOps Pipeline Case Study: Spring Boot + Docker + K8s + GitLab CI

This chapter ties together everything from the CI/CD series to build a complete DevOps pipeline, from code commit to production deployment. Using a Spring Boot application as the example, it covers every stage: code linting, unit tests, image build and scan, Helm deployment, multi-environment management, health checks and rollback. It is a production-grade template that can be copied directly into a real project.

## 1. Project Overview

### 1.1 Technology Stack

- Application: Spring Boot on Java 17, built with Maven
- Packaging: Docker multi-stage build
- Runtime: Kubernetes, deployed with Helm (or with ArgoCD in the GitOps variant)
- CI/CD: GitLab CI with the GitLab container registry
- Security scanning: Trivy

### 1.2 Pipeline Stages

```text
lint → test → build → scan → package → deploy-staging → deploy-production
```

## 2. Project Structure

```text
spring-boot-app/
├── .gitlab-ci.yml          # CI/CD pipeline definition
├── Dockerfile              # multi-stage build
├── pom.xml                 # Maven configuration
├── src/                    # application source
│   └── main/
│       └── java/
├── chart/                  # Helm Chart
│   ├── Chart.yaml
│   ├── values.yaml
│   ├── values/
│   │   ├── staging.yaml
│   │   └── production.yaml
│   └── templates/
│       ├── deployment.yaml
│       ├── service.yaml
│       ├── ingress.yaml
│       └── _helpers.tpl
└── k8s/                    # GitOps deployment manifests (optional)
    └── overlays/
        ├── staging/
        └── production/
```

## 3. Dockerfile (Multi-stage Build)

```dockerfile
# Stage 1: build with the full JDK
FROM maven:3.8.4-openjdk-17 AS builder
WORKDIR /app
# Copy the POM first so the dependency layer is cached across source changes
COPY pom.xml .
RUN mvn dependency:go-offline
COPY src ./src
RUN mvn clean package -DskipTests

# Stage 2: run with a slim JRE only (no compiler, no Maven in the final image)
FROM openjdk:17-jre-slim
WORKDIR /app
COPY --from=builder /app/target/*.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```

## 4. Helm Chart Templates

`chart/values.yaml`:

```yaml
# default configuration
replicaCount: 2

image:
  # Helm does not expand shell variables: this is a placeholder that the
  # pipeline overrides with --set image.repository=$CI_REGISTRY_IMAGE
  repository: ${CI_REGISTRY_IMAGE}
  tag: latest
  pullPolicy: IfNotPresent

service:
  type: ClusterIP
  port: 8080

ingress:
  enabled: false
  host: ""

resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 250m
    memory: 256Mi

livenessProbe:
  httpGet:
    path: /actuator/health
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10

readinessProbe:
  httpGet:
    path: /actuator/health
    port: 8080
  initialDelaySeconds: 10
  periodSeconds: 5
```

`chart/templates/deployment.yaml`:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "myapp.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ include "myapp.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "myapp.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "myapp.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - containerPort: {{ .Values.service.port }}
          livenessProbe:
            {{- toYaml .Values.livenessProbe | nindent 12 }}
          readinessProbe:
            {{- toYaml .Values.readinessProbe | nindent 12 }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
```

## 5. Complete GitLab CI Pipeline

`.gitlab-ci.yml`:

```yaml
stages:
  - lint
  - test
  - build
  - scan
  - package
  - deploy-staging
  - deploy-production

variables:
  MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"
  IMAGE_TAG: $CI_COMMIT_SHORT_SHA
  CHART_PATH: ./chart

cache:
  paths:
    - .m2/repository/

# Stage 1: code linting
lint:
  stage: lint
  image: maven:3.8.4-openjdk-17
  script:
    - mvn checkstyle:check
  allow_failure: true
  only:
    - merge_requests
    - main

# Stage 2: unit tests
test:unit:
  stage: test
  image: maven:3.8.4-openjdk-17
  script:
    - mvn test
  artifacts:
    reports:
      junit: target/surefire-reports/*.xml
    paths:
      - target/surefire-reports/
  coverage: '/Coverage: \d+\.\d+%/'

# Stage 3: build the image
build-image:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_BUILDKIT: 1
  script:
    # --password-stdin keeps the registry password out of the process list and job log
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # --cache-from only helps if the :latest tag is actually pushed by some job
    - docker build --cache-from $CI_REGISTRY_IMAGE:latest -t $CI_REGISTRY_IMAGE:$IMAGE_TAG .
    - docker push $CI_REGISTRY_IMAGE:$IMAGE_TAG
  only:
    - main
    - develop

# Stage 4: image security scan (fails the pipeline on HIGH/CRITICAL findings)
scan-image:
  stage: scan
  image: aquasec/trivy:latest
  variables:
    # Trivy needs registry credentials to pull the freshly built private image
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy image --severity HIGH,CRITICAL --exit-code 1 $CI_REGISTRY_IMAGE:$IMAGE_TAG
  only:
    - main

# Stage 5: package the Helm Chart
package-chart:
  stage: package
  image: alpine/helm:3.14
  script:
    - cd $CHART_PATH
    - helm dependency build
    - helm lint .
    - helm package .
  artifacts:
    paths:
      - $CHART_PATH/*.tgz
  only:
    - main

# Stage 6: deploy to staging
deploy-staging:
  stage: deploy-staging
  image: alpine/helm:3.14
  before_script:
    - mkdir -p $HOME/.kube
    - echo "$KUBECONFIG_STAGING" | base64 -d > $HOME/.kube/config
    # the kubeconfig carries cluster credentials: owner-only permissions
    - chmod 600 $HOME/.kube/config
  script:
    - cd $CHART_PATH
    - >
      helm upgrade --install myapp ./
      -f values/staging.yaml
      --set image.repository=$CI_REGISTRY_IMAGE
      --set image.tag=$IMAGE_TAG
      --namespace staging
      --atomic
      --timeout 5m
    # note: alpine/helm ships helm only, so this step needs an image that also
    # contains kubectl; --atomic already implies --wait, so it can also be dropped
    - kubectl rollout status deployment/myapp -n staging
  environment:
    name: staging
    url: https://staging.myapp.example.com
  only:
    - develop
    - main

# Stage 7: deploy to production (manual trigger)
deploy-production:
  stage: deploy-production
  image: alpine/helm:3.14
  before_script:
    - mkdir -p $HOME/.kube
    - echo "$KUBECONFIG_PRODUCTION" | base64 -d > $HOME/.kube/config
    - chmod 600 $HOME/.kube/config
  script:
    - cd $CHART_PATH
    - >
      helm upgrade --install myapp ./
      -f values/production.yaml
      --set image.repository=$CI_REGISTRY_IMAGE
      --set image.tag=$IMAGE_TAG
      --namespace production
      --atomic
      --timeout 5m
    - kubectl rollout status deployment/myapp -n production
  environment:
    name: production
    url: https://myapp.example.com
  only:
    - main
  when: manual
```

## 6. Per-environment Values Files

`chart/values/staging.yaml`:

```yaml
replicaCount: 1
resources:
  limits:
    cpu: 200m
    memory: 256Mi
  requests:
    cpu: 100m
    memory: 128Mi
ingress:
  enabled: true
  host: staging.myapp.example.com
```

`chart/values/production.yaml`:

```yaml
replicaCount: 3
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 250m
    memory: 256Mi
ingress:
  enabled: true
  host: myapp.example.com
```

## 7. GitOps Variant (ArgoCD Instead of Direct Deployment)

If you adopt the GitOps model, replace `deploy-staging` and `deploy-production` with jobs that update the Git repository:

```yaml
update-gitops-staging:
  stage: deploy-staging
  image: alpine/git:latest
  script:
    - git clone https://gitlab.com/team/gitops-repo.git
    - cd gitops-repo
    # also matches the `newTag:` key of a kustomize images block; note that every
    # line containing `tag:` in this file is rewritten
    - sed -i "s|tag:.*|tag: $IMAGE_TAG|g" overlays/staging/kustomization.yaml
    - git config user.email "ci@gitlab.com"
    - git config user.name "GitLab CI"
    - git add .
    - git commit -m "deploy staging: $IMAGE_TAG"
    - git push https://$GITLAB_USER:$GITLAB_TOKEN@gitlab.com/team/gitops-repo.git main
  environment:
    name: staging
  only:
    - main
```

ArgoCD detects the change in the Git repository and rolls the new image out to the cluster.

## 8. Pipeline Execution Flow

```text
developer pushes to the develop branch
    ↓
lint (code style check)
    ↓
test (unit tests + coverage report)
    ↓
build (build the Docker image and push it to the registry)
    ↓
scan (Trivy vulnerability scan, main branch only)
    ↓
package (package the Helm Chart)
    ↓
deploy-staging (automatic deployment to staging)
    ↓
manual approval
    ↓
deploy-production (deployment to production)
```

## 9. Failure Handling and Rollback

### 9.1 Automatic Rollback

Helm's `--atomic` flag rolls back to the previous release automatically when an upgrade fails.

### 9.2 Manual Rollback

```bash
# view the release history
helm history myapp -n production
# roll back to a specific revision
helm rollback myapp 2 -n production
```

### 9.3 Rollback as a CI Job

```yaml
rollback-production:
  stage: deploy-production
  image: alpine/helm:3.14
  before_script:
    # same cluster credentials as deploy-production, otherwise helm has no cluster to talk to
    - mkdir -p $HOME/.kube
    - echo "$KUBECONFIG_PRODUCTION" | base64 -d > $HOME/.kube/config
    - chmod 600 $HOME/.kube/config
  script:
    - helm rollback myapp $ROLLBACK_REVISION -n production
  only:
    - main
  when: manual
```

## 10. Monitoring and Alerting Integration (Optional)

A notification can be sent at the end of the pipeline:

```yaml
notify-deployment:
  stage: deploy-production
  image: curlimages/curl:latest
  # jobs in the same stage run in parallel; `needs` makes this job wait for a
  # successful production deployment instead of announcing one unconditionally
  needs: ["deploy-production"]
  script:
    - >
      curl -X POST -H "Content-type: application/json"
      --data "{\"text\":\"✅ Deployment succeeded: myapp version $IMAGE_TAG is live\"}"
      $SLACK_WEBHOOK
  only:
    - main
```

## 11. Summary

This chapter built a complete DevOps pipeline covering the whole flow from code commit to production deployment. Key points:

- Multi-stage build: the Dockerfile separates the build and runtime environments and shrinks the image.
- Image security scanning: Trivy blocks high and critical vulnerabilities before deployment.
- Configuration managed by Helm: per-environment values files separate environments while keeping deployments consistent.
- Multi-environment isolation: staging deploys automatically, production is triggered manually.
- Atomic deployment: `--atomic` guarantees an automatic rollback on failure.

Applied to a real project, this pipeline gives you a fully automated, traceable and rollback-capable delivery path from commit to production.
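The `update-gitops-staging` job in section 7 rewrites the image tag with `sed -i "s|tag:.*|tag: $IMAGE_TAG|g"`. That pattern touches every line containing `tag:` and still succeeds when the file contains no match at all, so a typo in the overlay path or image name silently ships the previous tag. The script below is an added example, not code from the chapter or the project: it performs the same bump with an anchored match on one named image and fails closed. `bump_image_tag` and `current_tag` are hypothetical helper names, and the kustomization file, image names and tags are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original chapter): a fail-closed replacement for
# the sed one-liner in the update-gitops-staging job. Assumes the GitOps repo
# uses a standard kustomize `images:` block with `name:` / `newTag:` keys.

# bump_image_tag FILE IMAGE NEW_TAG
# Rewrites `newTag:` only for the images[] entry whose `name:` equals IMAGE.
# Returns 2 for a malformed tag, 3 unless exactly one matching entry was
# changed (so a wrong image name fails the job instead of deploying the old
# tag), 0 on success.
bump_image_tag() {
  file=$1 image=$2 new_tag=$3

  # Only characters a Docker tag may contain; this also keeps awk's replacement
  # text free of `&` and backslashes.
  case $new_tag in
    '' | *[!A-Za-z0-9_.-]*) echo "bump_image_tag: invalid tag '$new_tag'" >&2; return 2 ;;
  esac

  tmp=$(mktemp) || return 1
  awk -v img="$image" -v tag="$new_tag" '
    # remember which images[] entry we are inside
    /^[[:space:]]*-[[:space:]]*name:/ {
      cur = $0
      sub(/^[[:space:]]*-[[:space:]]*name:[[:space:]]*/, "", cur)
      gsub(/"/, "", cur)
    }
    # rewrite newTag only under the requested image, keeping indentation
    /^[[:space:]]*newTag:/ && cur == img {
      sub(/newTag:.*/, "newTag: " tag)
      changed++
    }
    { print }
    END { if (changed != 1) exit 3 }
  ' "$file" > "$tmp"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    rm -f "$tmp"
    echo "bump_image_tag: expected exactly one newTag for image '$image' in $file" >&2
    return "$rc"
  fi
  mv "$tmp" "$file"
}

# current_tag FILE IMAGE: print the newTag currently set for IMAGE (used for checks)
current_tag() {
  awk -v img="$2" '
    /^[[:space:]]*-[[:space:]]*name:/ { cur = $0; sub(/^[[:space:]]*-[[:space:]]*name:[[:space:]]*/, "", cur); gsub(/"/, "", cur) }
    /^[[:space:]]*newTag:/ && cur == img { t = $0; sub(/^[[:space:]]*newTag:[[:space:]]*/, "", t); print t }
  ' "$1"
}

# Constructed sample overlays/staging/kustomization.yaml. It lists two images so
# that "only the requested image changes" is actually exercised.
make_sample_kustomization() {
  cat > "$1" <<'EOF'
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
images:
  - name: registry.example.com/team/myapp
    newTag: a1b2c3d4
  - name: registry.example.com/team/log-sidecar
    newTag: v1.4.0
EOF
}

# Demo run on the constructed file (tag value is made up)
SAMPLE=$(mktemp)
make_sample_kustomization "$SAMPLE"
bump_image_tag "$SAMPLE" registry.example.com/team/myapp e5f6a7b8
echo "myapp newTag is now: $(current_tag "$SAMPLE" registry.example.com/team/myapp)"
```

In the CI job the call would replace the `sed -i` line, for example `bump_image_tag overlays/staging/kustomization.yaml "$CI_REGISTRY_IMAGE" "$IMAGE_TAG"`; a non-zero return fails the job before `git commit` runs, which is the behaviour you want from a deployment step.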
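The deploy and rollback jobs in sections 5 and 9 all materialise cluster credentials with `echo $KUBECONFIG_... | base64 -d > $HOME/.kube/config`. As written, an unset variable for an environment produces an empty file and a confusing helm error later, and the file is created with the runner's default umask. The function below is an added example, not code from the chapter: it does the same job but refuses an empty or non-kubeconfig payload and creates the file owner-readable only. `install_kubeconfig` is a hypothetical helper name, and the kubeconfig used in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original chapter): safer replacement for the
# before_script lines that decode a base64 kubeconfig from a CI variable.

# install_kubeconfig B64_VALUE DEST
# Decodes B64_VALUE into DEST with mode 0600. Returns 2 if the variable is
# empty, 3 if it is not valid base64, 4 if the decoded text does not look
# like a kubeconfig, 0 on success. Never echoes the payload itself.
install_kubeconfig() {
  b64=$1 dest=$2

  if [ -z "$b64" ]; then
    echo "install_kubeconfig: kubeconfig variable is empty (not set for this environment?)" >&2
    return 2
  fi

  dir=$(dirname "$dest")
  mkdir -p "$dir" && chmod 700 "$dir" || return 1

  # Create the temp file in a private umask so it is never world-readable,
  # even for the instant before chmod runs.
  tmp=$( umask 077; mktemp "$dir/.kubeconfig.XXXXXX" ) || return 1

  if ! printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "install_kubeconfig: payload is not valid base64" >&2
    return 3
  fi

  # Minimal sanity check: a kubeconfig carries these top-level keys.
  if ! grep -q '^apiVersion:' "$tmp" || ! grep -q '^clusters:' "$tmp"; then
    rm -f "$tmp"
    echo "install_kubeconfig: decoded payload is not a kubeconfig" >&2
    return 4
  fi

  chmod 600 "$tmp" && mv "$tmp" "$dest"
}

# Constructed demo payload: a minimal kubeconfig, base64-encoded the way it would
# be stored in a protected CI variable such as KUBECONFIG_STAGING.
DEMO_B64=$(printf 'apiVersion: v1\nkind: Config\nclusters:\n- name: staging\n  cluster:\n    server: https://kubernetes.staging.example.invalid\n' | base64 | tr -d '\n')
DEMO_DIR=$(mktemp -d)
install_kubeconfig "$DEMO_B64" "$DEMO_DIR/.kube/config" && ls -l "$DEMO_DIR/.kube/config"
```

In the pipeline this replaces the three `mkdir`/`echo`/`chmod` lines with `install_kubeconfig "$KUBECONFIG_STAGING" "$HOME/.kube/config"`; because the function returns non-zero on a missing or malformed variable, the job fails in `before_script` with a clear message rather than during `helm upgrade`.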