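Drone project examples
Example 1: Node.js project
Sample .drone.yml file
Notes:
- Two secrets need to be configured in the UI: dockerconfigjson is the configuration for the private Docker registry, and wcn7_wait_key is the SSH key for the target SSH host.
- For offline deployment, first upload all required images to the private image registry; in this example registry.wait is the internal registry address.
- drone-volume-cache caches and restores the contents of node_modules, to avoid pulling dependencies repeatedly.
- http://10.2.1.5:4873/ is the private Node package registry.
- The gitea-release plugin publishes a release to the repository after a tag build.
- The result: ordinary commits follow the normal flow and are deployed to the test environment; tagged commits follow the new flow and publish a release to the Gitea repository.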
kind: pipeline
name: ctools
type: docker

# Credentials for the private image registry
image_pull_secrets:
  - dockerconfigjson

# A customized clone is needed, so the default clone step is disabled here
clone:
  disable: true

steps:
  - name: 克隆仓库  # clone repository
    # image: drone/git
    image: registry.wait/cwx/drone/git
    pull: if-not-exists
    settings:
      # Truncate earlier commit history when cloning, i.e. the clone depth
      depth: 1
      skip_verify: true
      # Read the git tag into the environment variable ${DRONE_TAG}
      tags: true
    # The hostname could not be resolved, so temporarily add a hosts entry
    # extra_hosts:
    #   - "git.services.wait:10.2.1.5"
    commands:
      - git config --global http.sslVerify false
      - git clone https://git.services.wait/chenwx/ctools.git .
      - ls -a
      - git log --oneline -n 5

  # Use a cache to avoid repeatedly downloading dependencies from the network
  # - name: restore-cache
  - name: 加载编译缓存  # load build cache
    image: registry.wait/cwx/drone/drillster/drone-volume-cache
    # image: drillster/drone-volume-cache
    # Steps are processed in parallel by default, so dependencies must be declared
    depends_on: [克隆仓库]
    volumes:
      - name: cache
        path: /cache
    settings:
      # Restore the cache from earlier builds, i.e. copy this directory's contents into the container
      restore: true
      mount:
        - ./node_modules

  # - name: build
  - name: 开发环境-编译  # dev environment: build
    # image: node:19.9.0
    image: registry.wait/cwx/node:19.9.0
    pull: if-not-exists
    depends_on: [加载编译缓存]
    commands:
      - ls -a
      - node -v
      - npm get registry
      - npm config set registry http://10.2.1.5:4873/
      - npm install
      - npm run build
      - cd dist
      - tar zcvf ctools-0.1.tar.gz ./*
    # Exclude all tags, i.e. match no tag
    when:
      ref:
        exclude:
          - refs/tags/**

  # Build actions when a tag is present
  # - name: build-tag
  - name: 生产环境-编译  # production: build
    # image: node:19.9.0
    image: registry.wait/cwx/node:19.9.0
    pull: if-not-exists
    depends_on: [加载编译缓存]
    commands:
      - ls -a
      - node -v
      - npm install
      - npm run build
      - cd dist
      - tar zcvf ctools-${DRONE_TAG##v}.tar.gz ./*
      - ls
    # Match all tags
    when:
      ref:
        - refs/tags/**

  # Unload the cache files
  # - name: rebuild-cache
  - name: 开发环境-卸载缓存  # dev environment: unload cache
    image: registry.wait/cwx/drone/drillster/drone-volume-cache
    # image: drillster/drone-volume-cache
    pull: if-not-exists
    depends_on: [开发环境-编译]
    volumes:
      - name: cache
        path: /cache
    settings:
      # Rebuild the cache, i.e. write the files back to the host
      rebuild: true
      mount:
        - ./node_modules
    when:
      ref:
        exclude:
          - refs/tags/**

  # For the tagged case
  # - name: rebuild-cache-tag
  - name: 生产环境-卸载缓存  # production: unload cache
    # image: drillster/drone-volume-cache
    image: registry.wait/cwx/drone/drillster/drone-volume-cache
    pull: if-not-exists
    depends_on: [生产环境-编译]
    volumes:
      - name: cache
        path: /cache
    settings:
      rebuild: true
      mount:
        - ./node_modules
    when:
      ref:
        - refs/tags/**

  # Publish a release to Gitea
  # The gitea-release plugin only applies when a tag is present
  # - name: gitea_release
  - name: 生产环境-gitea-release
    # image: plugins/gitea-release
    image: registry.wait/cwx/drone/plugins/gitea-release
    pull: if-not-exists
    depends_on: [生产环境-编译]
    settings:
      # The token is a literal in the repository here; Example 2 reads it from a Drone secret via from_secret
      api_key: 2a5ab57061a66a6f37233a3fac07029cb5ad6b76
      base_url: https://git.services.wait/
      files:
        # Strip the v prefix when uploading the file
        - dist/ctools-${DRONE_TAG##v}.tar.gz
      # Overwrite if it already exists
      file_exists: overwrite
      title: 新版本发布-${DRONE_TAG}
      # Ignore the HTTPS certificate
      insecure: true
    volumes:
      - name: cwxCA
        path: /etc/ssl/certs/ca-certificates.crt
    # extra_hosts:
    #   - "git.services.wait:10.2.1.5"
    when:
      ref:
        - refs/tags/**

  # Use scp to transfer to another host
  # - name: deployment
  - name: 开发环境-推送  # dev environment: push
    # image: appleboy/drone-scp
    image: registry.wait/cwx/drone/appleboy/drone-scp
    pull: if-not-exists
    depends_on: [开发环境-编译]
    settings:
      host: 10.2.1.5
      username: wait
      # password:
      #   # The password is stored separately as a secret in Drone
      #   from_secret: wcn7_wait_pw
      key:
        from_secret: wcn7_wait_key
      port: 22
      # Destination: /home/wait/chenwx/ctools/ctools-0.1.tar.gz
      target: /home/wait/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}
      source: dist/ctools-0.1.tar.gz
    when:
      ref:
        exclude:
          - refs/tags/**

  # Push to the production environment
  # - name: deployment-production
  - name: 生产环境-推送  # production: push
    # image: appleboy/drone-scp
    image: registry.wait/cwx/drone/appleboy/drone-scp
    pull: if-not-exists
    depends_on: [生产环境-编译]
    settings:
      host: 10.3.0.2
      username: wait
      key:
        from_secret: wcn7_wait_key
      port: 39022
      # Destination: /home/wait/data/pkg/ctools-0.1.tar.gz
      target: /home/wait/data/pkg
      source: dist/ctools-${DRONE_TAG##v}.tar.gz
    when:
      ref:
        - refs/tags/**

  # Run commands on the remote host
  # - name: ssh
  - name: 开发环境-部署  # dev environment: deploy
    # image: appleboy/drone-ssh
    image: registry.wait/cwx/drone/appleboy/drone-ssh
    pull: if-not-exists
    depends_on: [开发环境-推送]
    settings:
      host:
        - 10.2.1.5
      username: wait
      # password:
      #   from_secret: wcn7_wait_pw
      key:
        from_secret: wcn7_wait_key
      port: 22
      command_timeout: 1m
      script:
        - cd /home/wait/chenwx/ctools
        - rm -rf tmp2 && mkdir tmp2
        - tar xvf dist/ctools-0.1.tar.gz -C tmp2/
        - rm -rf /home/wait/data/tools/*
        - mv tmp2/* /home/wait/data/tools/
    when:
      ref:
        exclude:
          - refs/tags/**

  # Production deployment commands
  # - name: ssh-production
  - name: 生产环境-部署  # production: deploy
    # image: appleboy/drone-ssh
    image: registry.wait/cwx/drone/appleboy/drone-ssh
    pull: if-not-exists
    depends_on: [生产环境-推送]
    settings:
      host:
        - 10.3.0.2
      username: wait
      key:
        from_secret: wcn7_wait_key
      port: 39022
      command_timeout: 1m
      script:
        - cd /home/wait/data/pkg
        - rm -rf tmp2 && mkdir tmp2
        - tar xvf dist/ctools-${DRONE_TAG##v}.tar.gz -C tmp2/
        - rm -rf /home/wait/data/tools/*
        - mv tmp2/* /home/wait/data/tools/
    when:
      ref:
        - refs/tags/**

volumes:
  - name: cache
    host:
      path: /data/cache
  - name: cwxCA
    host:
      path: /home/wait/data/ca/cwxCA.pem
      # path: /home/wait/code/ssl/ca/cwxCA.pem

Releasing to the development environment
git push

Releasing to production
git tag v0.0.9
git push origin v0.0.9

Example 2: Go project example
Debug screenshots

Successful run

Complete listing
kind: pipeline
type: kubernetes
name: cwxgoweb-dev
service_account_name: drone

clone:
  disable: true

# main branch + push
trigger:
  branch:
    - main
  event:
    - push

volumes:
  - name: gopath-cache
    claim:
      name: gobuild-cache
      read_only: false

steps:
  - name: 启动无人机  # start the drone
    image: registry.services.wait/cwx/os/alpine:3.18.3
    commands:
      - echo "测试启动 drone 成功"

  - name: 克隆仓库  # clone repository
    image: registry.services.wait/cwx/drone/git
    pull: if-not-exists
    depends_on: [启动无人机]
    settings:
      # Truncate earlier commit history when cloning, i.e. the clone depth
      depth: 1
      skip_verify: true
      # Read the git tag into the environment variable ${DRONE_TAG}
      tags: true
    environment:
      GITEA_TOKEN:
        from_secret: git_token
    commands:
      - git config --global http.sslVerify false
      # Pull the code using a token
      - git clone https://chenwx:$GITEA_TOKEN@git.services.wait/chenwx/cwxgoweb.git .
      # Print the 5 most recent commits
      - git log --oneline -n 5
      - pwd
      - ls -a

  - name: 编译  # build
    image: registry.services.wait/cwx/golang:1.21.0
    pull: if-not-exists
    depends_on: [克隆仓库]
    # Mount the build cache
    volumes:
      - name: gopath-cache
        path: /go
    commands:
      - go env -w GOPROXY=http://nexus.services.wait/repository/proxy-go/
      - go env -w GOSUMDB=off
      - export CGO_ENABLED=0
      - go build -o cwxgoweb src/main.go
      # - go build -o cwxgoweb -ldflags '-s -w' src/main.go
      - ls -a

  # Build the image
  - name: 生成镜像  # build image
    image: registry.services.wait/cwx/kaniko-project/executor:v1.15.0-debug
    pull: if-not-exists
    depends_on: [ 编译 ]
    environment:
      CA_CERTIFICATE:
        from_secret: ca_wait
      DOCKER_AUTH_FILE:
        from_secret: docker_user_wait_conf
    commands:
      # An internal CA certificate
      - echo "$CA_CERTIFICATE" >> /kaniko/ssl/certs/additional-ca-cert-bundle.crt
      # Docker registry authentication file .docker/config.json
      - echo $DOCKER_AUTH_FILE > /kaniko/.docker/config.json
      - /kaniko/executor
        --context "."
        --dockerfile "deploy/docker/drone/dockerfile"
        --destination "registry.services.wait/cwx/cwxgoweb:latest"

  # Deploy to the k8s cluster
  - name: deploy
    image: registry.services.wait/cwx/zc2638/drone-k8s-plugin:0.0.4
    pull: if-not-exists
    depends_on: [ 克隆仓库 ]
    settings:
      k8s_server: https://kubernetes.default.svc.cluster.local
      k8s_token:
        from_secret: k8s_token
      k8s_ca_crt:
        from_secret: k8s_ca_crt
      k8s_skip_tls: false
      namespace: cwx
      templates:
        - deploy/kubernetes/devel/deployment.yml
        - deploy/kubernetes/devel/IngressRoute.yml
        - deploy/kubernetes/devel/services.yml
      # app_name: ${DRONE_REPO_NAME}
      debug: true

---
# Pipeline 2
# Production packaging; triggered only by tag events
kind: pipeline
type: kubernetes
name: cwxgoweb-pro
service_account_name: drone

# In the trigger, tag cannot be combined with branch, because tags and branches are unrelated
trigger:
  event:
    - tag

volumes:
  # Named gopath-cache (the original declared gobuild-cache) so that it matches
  # the volume name mounted by the build step below
  - name: gopath-cache
    claim:
      name: gobuild-cache
      read_only: false

# A customized clone is needed, so the default clone step is disabled here
clone:
  disable: true

steps:
  - name: 克隆仓库  # clone repository
    image: registry.services.wait/cwx/drone/git
    pull: if-not-exists
    settings:
      depth: 1
      skip_verify: true
      tags: true
    environment:
      GITEA_TOKEN:
        from_secret: git_token
    # Note: to handle the case where the tag is pushed before the main branch,
    # this tag has to be checked out explicitly here
    commands:
      - git config --global http.sslVerify false
      - git clone -b ${DRONE_TAG} --depth=1 https://chenwx:$GITEA_TOKEN@git.services.wait/chenwx/cwxgoweb.git .
      - pwd
      - ls -a

  - name: 编译  # build
    image: registry.services.wait/cwx/golang:1.21.0
    pull: if-not-exists
    depends_on: [克隆仓库]
    volumes:
      - name: gopath-cache
        path: /go
    commands:
      # - go env -w GOPROXY=http://10.2.1.4:8081/repository/group-go/
      - go env -w GOPROXY=http://nexus.services.wait/repository/proxy-go/
      - go env -w GOSUMDB=off
      - export CGO_ENABLED=0
      - go build -o cwxgoweb src/main.go
      # - go build -o cwxgoweb -ldflags '-s -w' src/main.go
      - ls -a

  # When a tag is present, build an archive to upload to the release later
  - name: 打包  # package
    image: registry.services.wait/cwx/os/alpine:3.18.3
    depends_on: [ 编译 ]
    commands:
      - ls -a
      - tar zcvf cwxgoweb-${DRONE_TAG}.tar.gz ./cwxgoweb

  # Once production packaging is done, publish a release to Gitea
  # The gitea-release plugin only applies when a tag is present
  - name: push-release
    image: registry.services.wait/cwx/drone/plugins/gitea-release
    pull: if-not-exists
    depends_on: [ 打包 ]
    environment:
      GITEA_TOKEN:
        from_secret: git_token
    settings:
      api_key: $GITEA_TOKEN
      base_url: https://git.services.wait/
      files:
        - cwxgoweb-${DRONE_TAG}.tar.gz
      # Overwrite if it already exists
      file_exists: overwrite
      title: 新版本发布 -${DRONE_TAG}
      # Ignore the HTTPS certificate
      insecure: true
    # volumes:
    #   - name: cwxCA
    #     path: /etc/ssl/certs/ca-certificates.crt

  # Build the image
  - name: 生成镜像  # build image
    image: registry.services.wait/cwx/kaniko-project/executor:v1.15.0-debug
    pull: if-not-exists
    depends_on: [ 编译 ]
    environment:
      CA_CERTIFICATE:
        from_secret: ca_wait
      DOCKER_AUTH_FILE:
        from_secret: docker_user_wait_conf
    commands:
      # An internal CA certificate
      - echo "$CA_CERTIFICATE" >> /kaniko/ssl/certs/additional-ca-cert-bundle.crt
      # Docker registry authentication file .docker/config.json
      - echo $DOCKER_AUTH_FILE > /kaniko/.docker/config.json
      - /kaniko/executor
        --context "."
        --dockerfile "deploy/docker/drone/dockerfile"
        --destination "registry.services.wait/cwx/cwxgoweb:${DRONE_TAG}"

  # Deploy to the k8s cluster
  - name: deploy
    image: registry.services.wait/cwx/zc2638/drone-k8s-plugin:0.0.4
    pull: if-not-exists
    depends_on: [ 生成镜像 ]
    settings:
      k8s_server: https://kubernetes.default.svc.cluster.local
      k8s_token:
        from_secret: k8s_token
      k8s_ca_crt:
        from_secret: k8s_ca_crt
      k8s_skip_tls: false
      namespace: cwx
      templates:
        - deploy/kubernetes/prod/deployment.yml
        - deploy/kubernetes/prod/IngressRoute.yml
        - deploy/kubernetes/prod/services.yml
      images_tags: ${DRONE_TAG}
      debug: true

Example 3: Go example 2
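Notes:
- After the code is pulled, it is compiled.
- The development environment only updates the binary on the remote host and builds a Docker image.
- The production environment is simulated as a separate case and pushes a package to the Gitea repository.
- Consider not using this docker plugin to build images; building them locally yourself seems better.
- Note in particular that some variables in the file are referenced in an odd way.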
kind: pipeline
name: nginx-log-go
type: docker

# Credentials for the private image registry
image_pull_secrets:
  - dockerconfigjson

# A customized clone is needed, so the default clone step is disabled here
clone:
  disable: true

steps:
  - name: 克隆仓库  # clone repository
    image: registry.wait/cwx/drone/git
    pull: if-not-exists
    settings:
      # Truncate earlier commit history when cloning, i.e. the clone depth
      depth: 1
      skip_verify: true
      # Read the git tag into the environment variable ${DRONE_TAG}
      tags: true
    # The working directory is /drone/src
    commands:
      - git config --global http.sslVerify false
      - git clone https://git.services.wait/chenwx/nginx-log-go.git .
      - git log --oneline -n 5
      - pwd
      - ls -a

  # - name: build
  - name: 编译  # build
    image: registry.wait/cwx/golang:1.20.3
    pull: if-not-exists
    depends_on: [克隆仓库]
    volumes:
      - name: gopath-1.20.3
        path: /go
    commands:
      - go env -w GOPROXY=https://goproxy.cn,direct
      - export CGO_ENABLED=0
      - go build -o bin/nginxLog -ldflags '-s -w' src/main.go
      - ls bin

  # When a tag is present, build an archive
  - name: 生产环境-打包  # production: package
    image: registry.wait/cwx/os/alpine:3.17.3
    depends_on: [编译]
    commands:
      - ls -a
      - cd bin
      - tar zcvf nginxLog-${DRONE_TAG##v}.tar.gz ./nginxLog
    # Match all tags
    when:
      ref:
        - refs/tags/**

  # Publish a release to Gitea
  # The gitea-release plugin only applies when a tag is present
  - name: 生产环境-push-release
    image: registry.wait/cwx/drone/plugins/gitea-release
    pull: if-not-exists
    depends_on: [生产环境-打包]
    settings:
      # The token is a literal in the repository here; Example 2 reads it from a Drone secret via from_secret
      api_key: 2a5ab57061a66a6f37233a3fac07029cb5ad6b76
      base_url: https://git.services.wait/
      files:
        # Strip the v prefix when uploading the file
        - bin/nginxLog-${DRONE_TAG##v}.tar.gz
      # Overwrite if it already exists
      file_exists: overwrite
      title: 新版本发布-${DRONE_TAG}
      # Ignore the HTTPS certificate
      insecure: true
    volumes:
      - name: cwxCA
        path: /etc/ssl/certs/ca-certificates.crt
    when:
      ref:
        - refs/tags/**

  # Use scp to transfer to another host
  - name: 开发环境-推送  # dev environment: push
    image: registry.wait/cwx/drone/appleboy/drone-scp
    pull: if-not-exists
    depends_on: [编译]
    settings:
      host: 10.2.1.5
      username: wait
      key:
        from_secret: wcn7_wait_key
      port: 22
      target: /home/wait/data/pkg/${DRONE_REPO_NAME}
      source: bin/nginxLog
    when:
      ref:
        exclude:
          - refs/tags/**

  # Run commands on the remote host
  - name: 开发环境-部署  # dev environment: deploy
    image: registry.wait/cwx/drone/appleboy/drone-ssh
    pull: if-not-exists
    depends_on: [开发环境-推送]
    settings:
      host:
        - 10.2.1.5
      username: wait
      key:
        from_secret: wcn7_wait_key
      port: 22
      command_timeout: 1m
      script:
        - cd /home/wait/data/pkg/${DRONE_REPO_NAME}
        - rm -f /home/wait/bin/nginxLog
        - mv bin/nginxLog /home/wait/bin/
    when:
      ref:
        exclude:
          - refs/tags/**

  # Build the image
  # Known issue: although the plugin has a container cleanup action at the end, it did not actually succeed
  - name: 生成镜像  # build image
    image: registry.wait/cwx/plugins/docker:20.14.2
    pull: if-not-exists
    depends_on: [编译]
    settings:
      registry: registry.wait
      repo: registry.wait/cwx/nginx-log-go  # private registry
      tags:
        - dev
      no_cache: true
      # Automatically split the git tag into image tags
      # auto_tag: true
      dockerfile: dockerfile
      # Allow insecure communication; in testing this had no effect, the certificate still has to be mounted
      # insecure: true
      username:
        from_secret: docker_registry_username
      password:
        from_secret: docker_registry_password
    volumes:
      - name: cwxCA
        path: /etc/ssl/certs/ca-certificates.crt
      - name: docker
        path: /var/run/docker.sock

  # Build the image
  # docker-in-docker is used here to avoid building the image a second time
  - name: 生产环境-生成镜像  # production: build image
    image: registry.wait/cwx/docker:23.0.4
    pull: if-not-exists
    depends_on: [生成镜像]
    volumes:
      - name: docker
        path: /var/run/docker.sock
      - name: docker_configjson
        path: /root/.docker/config.json
    environment:
      IMG_NAME: registry.wait/cwx/nginx-log-go
      # USERNAME:
      #   from_secret: docker_registry_username
      # PASSWORD:
      #   from_secret: docker_registry_password
    commands:
      - echo $TAG_NAME
      - echo ${TAG_NAME}
      - "docker tag $IMG_NAME:dev $IMG_NAME:${DRONE_TAG##v}"
      - "docker push $IMG_NAME:${DRONE_TAG##v}"
      # - docker login -u $USERNAME -p $PASSWORD registry.wait
      # - docker tag $IMG_NAME:dev $IMG_NAME:${DRONE_TAG##v}
      # - docker push $IMG_NAME:${DRONE_TAG##v}
    when:
      ref:
        - refs/tags/**

  # Production deployment commands
  - name: 生产环境-部署  # production: deploy
    image: registry.wait/cwx/drone/appleboy/drone-ssh
    pull: if-not-exists
    depends_on: [生产环境-生成镜像]
    settings:
      host:
        - 10.2.1.5
      port: 22
      username: wait
      key:
        from_secret: wcn7_wait_key
      command_timeout: 1m
      script:
        - cd /home/wait/env_docker/nodes/wcn7/service
        - sed -i "/registry.wait\\/cwx\\/nginx-log-go/s/nginx-log-go:.*$/nginx-log-go:${DRONE_TAG##v}/" docker-compose.yml
        - docker compose up nginx-log-go -d
    when:
      ref:
        - refs/tags/**

volumes:
  - name: gopath-1.20.3
    host:
      path: /data/cache/gopath-1.20.3
  - name: cwxCA
    host:
      path: /home/wait/data/ca/cwxCA.pem
  - name: docker
    host:
      path: /var/run/docker.sock
  - name: docker_configjson
    host:
      path: /home/wait/.docker/config.json

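Example 4: How this site is currently published
There still seems to be a lot of room for improvement, but I later discovered the gitea-runner stack and no longer wanted to use Drone. Looking back, I still really like Drone's pure-container model. Using the runner means having to deal with a lot of JS; it isn't complicated, but it is fairly tedious.
The .drone.yml file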
kind: pipeline
type: kubernetes
name: myblog
service_account_name: drone

# A customized git setup is needed, so the default clone is disabled here
clone:
  disable: true

# Trigger
trigger:
  event:
    - push

steps:
  - name: 克隆仓库  # clone repository
    image: registry.services.wait/cwx/drone/git
    pull: if-not-exists
    settings:
      depth: 1
      skip_verify: true
      tags: true
    environment:
      GITEA_TOKEN:
        from_secret: git_token
    commands:
      - git config --global http.sslVerify false
      - git clone https://chenwx:$GITEA_TOKEN@git.services.wait/chenwx/myblog.git .
      - git clone https://chenwx:$GITEA_TOKEN@git.services.wait/chenwx/hugo-theme-stack.git themes/hugo-theme-stack

  - name: 编译  # build
    image: registry.services.wait/cwx/hugo:ubuntu-v0.118
    pull: if-not-exists
    depends_on: [克隆仓库]
    commands:
      - hugo
      - tar zcvf myblog.tar.gz -C public/ .

  - name: 推送  # push
    image: registry.services.wait/cwx/drone/appleboy/drone-scp
    pull: if-not-exists
    depends_on: [ 编译 ]
    settings:
      host: 10.2.1.5
      username: wait
      key:
        from_secret: wait_ssh_key
      port: 22
      source: myblog.tar.gz
      target: /tmp/

  - name: deplay
    image: registry.services.wait/cwx/drone/appleboy/drone-ssh
    pull: if-not-exists
    depends_on: [ 推送 ]
    settings:
      host:
        - 10.2.1.5
      username: wait
      key:
        from_secret: wait_ssh_key
      port: 22
      command_timeout: 1m
      script:
        - rm -rf /data/nfs_private/blog-web-data/blog/*
        - tar xf /tmp/myblog.tar.gz -C /data/nfs_private/blog-web-data/blog/
        - rm -f /tmp/myblog.tar.gz
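
Several settings recur across the pipelines on this page: TLS verification switched off, a literal api_key, a token embedded in the clone URL, GOSUMDB=off, and the host Docker socket mounted into a step. The checker below flags them line by line before a .drone.yml is committed; it is an added example, not part of the original post, and its rule names, the SAMPLE pipeline, the hostname in it and the all-zero token are constructed for illustration.

```python
import re

# Rule ids and SAMPLE are constructed; the settings are those used on this page.
RULES = [
    ("tls-verification-disabled", re.compile(
        r"\b(skip_verify|insecure|k8s_skip_tls)\s*:\s*true\b|http\.sslVerify\s+false")),
    ("go-checksum-db-disabled", re.compile(r"\bGOSUMDB=off\b")),
    ("docker-socket-mounted", re.compile(r"path:\s*/var/run/docker\.sock")),
    # user:password@host in a URL ends up in .git/config of the shared workspace
    ("credential-in-clone-url", re.compile(r"https?://[^/\s:@]+:[^/\s@]+@")),
]
# Secret-bearing keys given an inline value instead of a nested from_secret.
LITERAL_SECRET = re.compile(r"^\s*(api_key|password|token|k8s_token|key)\s*:\s*(\S+)\s*$")

SAMPLE = """\
steps:
  - name: clone
    settings:
      skip_verify: true
    commands:
      - git config --global http.sslVerify false
      - git clone https://user:$GITEA_TOKEN@git.example.internal/team/app.git .
  - name: release
    settings:
      api_key: 0000000000000000000000000000000000000000
      insecure: true
  - name: deploy
    settings:
      key:
        from_secret: deploy_ssh_key
      # insecure: true
"""


def lint_pipeline(text):
    """Return (line_number, rule_id) findings for the text of a .drone.yml."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        # Drop YAML comments; a '#' inside ${DRONE_TAG##v} is not preceded by a space
        line = re.sub(r"(^|\s)#.*", "", raw)
        match = LITERAL_SECRET.match(line)
        # "$VAR" values are references to an injected variable, not literals
        if match and not match.group(2).startswith("$"):
            findings.append((number, "literal-secret"))
        findings.extend((number, rid) for rid, rx in RULES if rx.search(line))
    return findings


if __name__ == "__main__":
    for number, rule_id in lint_pipeline(SAMPLE):
        print(f"line {number}: {rule_id}")
```

The check is line-based, so it also works on a file whose indentation has been lost; a key with a nested from_secret has no inline value and is not reported.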