How to deploy a Spring Boot application to GKE (Google Kubernetes Engine) with CircleCI and Helm, and how to give the application a domain name using the free certificate issued by GKE

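In the previous article I described how to deploy a simple Spring Boot project to GKE by hand; this article shows how to automate the deployment with CircleCI.

To deploy with CircleCI you need to write a config.yml file. To keep things simple, the workflow has only one step: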

version: 2.1

#orbs:
#  ssh-agent: circleci/[email protected]

workflows:
  version: 2
  deploy-process:
    jobs:
      - build_docker:
          name: build_docker_infra
          tag_prefix: staging
          filters:
            branches:
              only:
                - master
#      - deploy:
#          name: deploy_infra
#          requires:
#            - build_docker_infra
#          filters:
#            branches:
#              only:
#                - master
#          cluster_name: staging

executors:
  gcloud-helm:
    docker:
      - image: docker.io/celebrateyang/gcloud-helm:282.0.0
jobs:
  build_docker:
    executor: gcloud-helm
    parameters:
      tag_prefix:
        type: string
    environment:
      GCP_PROJECT_ID: your-project-id
      IMAGE: gcr.io/path/springboot-app
    steps:
      - attach_workspace:
          at: .
      - checkout
      - setup_remote_docker:
          version: 18.09.3
          docker_layer_caching: true
      - run:
          name: Set environment variables
          command: |
            echo 'export IMAGE_TAG=<< parameters.tag_prefix >>-${CIRCLE_SHA1}' >> $BASH_ENV
            echo 'export BUILDER_TAG=<< parameters.tag_prefix >>-builder' >> $BASH_ENV
      - run:
          name: Setup Google Cloud SDK
          command: |
            # Write the key straight to a file; never echo it, or it ends up in the build log
            echo "$GCLOUD_SERVICE_KEY" > ${HOME}/gcloud-service-key.json
            gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
            gcloud --quiet config set project your-project-id
            gcloud --quiet auth configure-docker
            gcloud --quiet config set compute/zone europe-west4-x
            gcloud --quiet container clusters get-credentials staging
      - run:
          name: Pull builder and main docker images to use layer caching
          command: |
            source $BASH_ENV
            docker pull ${IMAGE}:latest || true
            docker pull ${IMAGE}:builder || true
      - run:
          name: Build Docker Image
          command: |
            source $BASH_ENV
            docker build -t ${IMAGE}:${IMAGE_TAG} --cache-from ${IMAGE}:builder --cache-from ${IMAGE}:latest .
            docker image ls
            kubectl get pod -n infra
      - run:
          name: Push
          command: |
            source $BASH_ENV
            docker push ${IMAGE}:${IMAGE_TAG}
      - run:
          name: Deploy
          command: |
            source $BASH_ENV
            helm upgrade --install boot-chart-release-001 ./spacex-chart -n infra --set image.repository=${IMAGE},image.tag=${IMAGE_TAG}

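Once the configuration above is in place, CircleCI runs the deployment automatically. If you need any of the details explained, send me a private message.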
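
A CI step that handles GCLOUD_SERVICE_KEY must never print it to stdout, because everything a step prints is stored in the build log. The following check is an added example, not part of the original post: a heuristic scan of the shell commands in a config.yml for lines that print secret-like variables. The name patterns and the sample config are assumptions constructed for illustration.

```python
import re

# Variable names that look like credentials. GCLOUD_SERVICE_KEY is the one this
# page uses; the other patterns are assumptions about common naming.
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL", re.I)
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)")
PRINTERS = {"echo", "printf"}
DUMPERS = {"env", "printenv"}


def find_secret_leaks(config_text):
    """Return (line_no, variable) pairs for commands that print a
    secret-like variable to stdout, i.e. into the CI build log."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        for cmd in re.split(r"&&|\|\||;", line):
            words = cmd.split()
            if not words:
                continue
            # Output sent to a file or another process does not reach the log.
            if ">" in cmd or "|" in cmd:
                continue
            if words[0] in DUMPERS and len(words) == 1:
                findings.append((line_no, "<entire environment>"))
            elif words[0] in PRINTERS:
                # Single-quoted text is not expanded by the shell.
                expanded = re.sub(r"'[^']*'", "", cmd)
                for name in VAR_REF.findall(expanded):
                    if SECRET_NAME.search(name):
                        findings.append((line_no, name))
    return findings


# Constructed sample: a config.yml fragment with safe and unsafe commands.
SAMPLE = """\
      - run:
          name: Setup Google Cloud SDK
          command: |
            echo $GCLOUD_SERVICE_KEY
            echo $GCLOUD_SERVICE_KEY > ${HOME}/gcloud-service-key.json
            echo 'token is $API_TOKEN' && printenv
            echo "deploying ${CIRCLE_SHA1} with ${DB_PASSWORD}"
"""

if __name__ == "__main__":
    for line_no, name in find_secret_leaks(SAMPLE):
        print(f"line {line_no}: prints {name} to the build log")
```

The scan is line-based and does not follow shell functions, `set -x` tracing or multi-line commands, so treat a clean result as a first pass rather than proof.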

How to give the application a domain name and use the free certificate issued by GKE

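  1. Write the Ingress file (prerequisite: an ingress controller is already installed in the cluster)
    In the previous article, helm create spacex-chart -n infra was already used to create the chart's directory structure, so to generate the Ingress file we only need to modify values.yaml.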
    The Ingress generated by helm is as follows.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spacex-chart
  labels:
    helm.sh/chart: spacex-chart-0.1.0
    app.kubernetes.io/name: spacex-chart
    app.kubernetes.io/instance: spacex-chart
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    networking.gke.io/managed-certificates: spacex-tls
spec:
  rules:
    - host: "你的域名"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: spacex-chart
                port:
                  number: 80
  2. After the Ingress above has been applied successfully in GKE, GKE generates an external IP. Point your domain at this IP.
    [Screenshot: the generated IP]

3. Point your domain at this IP.
4. Let GKE issue and manage the certificate. Apply the following YAML, saved for example as spacex-manged-cert.yaml.
Run: kubectl apply -f spacex-manged-cert.yaml -n infra

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: spacex-tls
  namespace: infra
spec:
  domains:
    - 你的域名

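Check with kubectl get managedcertificate -n infra: the certificate is still being provisioned, which takes some time. During this stage GKE automatically verifies the DNS record and issues the certificate. From then on the certificate is managed automatically by GKE, and the user never sees the certificate itself.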
Once it is ready, the status changes to Active. Your domain is now served over HTTPS.