在使用 kubernetes 过程中由于某些需求往往要修改一下 k8s 官方的源码,然后重新编译才行。本文就以修改 kubeadm 生成证书为默认 100 年为例,来讲解如何使用 GitHub Actions 来编译和发布生成的二进制文件。
构建
clone repo
将 kubernetes 官方源码 fork 到自己的 repo 中
|
1 2 3 4 5 6 |
$ git clone https://github.com/k8sli/kubernetes.git $ cd kubernetes $ git remote add upstream https://github.com/kubernetes/kubernetes.git $ git fetch --all $ git checkout upstream/release-1.21 $ git checkout -B kubeadm-1.21 |
workflow
.github/workflows/kubeadm.yaml
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
--- name: Build kubeadm binary on: push: tag: - 'v*' jobs: build: runs-on: ubuntu-20.04 # 这里我们选择以 tag 的方式惩触发 job 的运行 if: startsWith(github.ref, 'refs/tags/') steps: - name: Checkout uses: actions/checkout@v2 - name: Build kubeadm binary shell: bash run: | # 运行 build/run.sh 构建脚本来编译相应平台上的二进制文件 build/run.sh make kubeadm KUBE_BUILD_PLATFORMS=linux/amd64 build/run.sh make kubeadm KUBE_BUILD_PLATFORMS=linux/arm64 # 构建好的二进制文件存放在 _output/dockerized/bin/ 中 # 我们根据二进制目标文件的系统名称+CPU体系架构名称进行命名 - name: Prepare for upload shell: bash run: | mv _output/dockerized/bin/linux/amd64/kubeadm kubeadm-linux-amd64 mv _output/dockerized/bin/linux/arm64/kubeadm kubeadm-linux-arm64 sha256sum kubeadm-linux-{amd64,arm64} > sha256sum.txt # 使用 softprops/action-gh-release 来将构建产物上传到 GitHub release 当中 - name: Release and upload packages uses: softprops/action-gh-release@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: files: | sha256sum.txt kubeadm-linux-amd64 kubeadm-linux-arm64 |
build/run.sh
: Run a command in a build docker container. Common invocations:
build/run.sh make: Build just linux binaries in the container. Pass options and packages as necessary.build/run.sh make cross: Build all binaries for all platforms. To build only a specific platform, addKUBE_BUILD_PLATFORMS=<os>/<arch>build/run.sh make kubectl KUBE_BUILD_PLATFORMS=darwin/amd64: Build the specific binary for the specific platform (kubectlanddarwin/amd64respectively in this example)build/run.sh make test: Run all unit testsbuild/run.sh make test-integration: Run integration testbuild/run.sh make test-cmd: Run CLI tests
修改源码
cmd/kubeadm/app/constants/constants.go
找到 CertificateValidity 变量将它在 365 天后面加两个 0,就将证书续命为 100 年了。
|
1 2 3 4 5 6 |
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm - CertificateValidity = time.Hour * 24 * 365 + CertificateValidity = time.Hour * 24 * 36500 // CACertAndKeyBaseName defines certificate authority base name CACertAndKeyBaseName = "ca" |
- staging/src/k8s.io/client-go/util/cert
找到NotAfter,默认生成ca证书是10年,改为100年
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) { now := time.Now() tmpl := x509.Certificate{ SerialNumber: new(big.Int).SetInt64(0), Subject: pkix.Name{ CommonName: cfg.CommonName, Organization: cfg.Organization, }, DNSNames: []string{cfg.CommonName}, NotBefore: now.UTC(), // NotAfter: now.Add(duration365d * 10).UTC(), // extend ca cert to 100 years NotAfter: now.Add(duration365d * 100).UTC(), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true, } |
cherry-pick
在分支上完成修改之后,我们将这个修改 cherry-pick 到其他的 tag 上面去,下面以 v1.21.4 为例子:在 v1.21.4 tag 的基础之上将上述的修改 cherry-pick 过来,重新打上新的 tag。
- 获取上述修改的 commit id
|
1 |
$ COMMIT_ID=$(git rev-parse HEAD) |
- checkout 到 v1.21.4 这个 tag 上
|
1 2 3 4 5 6 7 8 9 10 11 |
$ git checkout v1.21.4 Note: checking out 'v1.21.4'. You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example: HEAD is now at 3cce4a82b44 Release commit for Kubernetes v1.21.4 |
- 将修改 cherry-pick 到当前 tag 上
|
1 2 3 4 5 |
$ git cherry-pick $COMMIT_ID [detached HEAD baadbe03458] Update kubeadm CertificateValidity time to ten years Date: Tue Aug 24 16:32:49 2021 +0800 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/kubeadm.yaml |
- 重新打上新的 tag,如
v1.21.4-patch-1.0
|
1 2 |
$ git tag v1.21.4-patch-1.0 -f Updated tag 'v1.21.4-patch-1.0' (was 70bcbd6de6c) |
- 将 tag push 到 repo 中触发 workflow
|
1 2 3 4 5 6 7 8 9 10 |
$ git push origin --tags -f Enumerating objects: 17, done. Counting objects: 100% (17/17), done. Delta compression using up to 4 threads Compressing objects: 100% (9/9), done. Writing objects: 100% (10/10), 1.13 KiB | 192.00 KiB/s, done. Total 10 (delta 7), reused 0 (delta 0) remote: Resolving deltas: 100% (7/7), completed with 7 local objects. To github.com:k8sli/kubernetes.git + c2a633e07ec...baadbe03458 v1.21.4-patch-1.0 -> v1.21.4-patch-1.0 (forced update) |
总结
上面只展示了以一个 tag 为单位进行构建的流程,想要构建其他版本的 kubeadm ,可以按照同样的流程和方法来完成。其实写一个 shell 脚本来处理也是十分简单,如下:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
#!/bin/bash set -o errexit set -o nounset # 定义 commit ID : ${COMMIT:="48e4b4c7c62a84ab4ec363588721011b73ee77e6"} # 定义需要重新编译的版本号 : ${TAGS:="v1.22.1 v1.22.0 v1.21.4 v1.21.3 v1.20.10 v1.19.14 v1.18.10"} for tag in ${TAGS}; do git reset --hard ${tag} git cherry-pick ${COMMIT} git tag ${tag}-patch-1.0 git push origin ${tag}-patch-1.0 done |
使用 GitHub Actions 的好处就是能够为我们解决代码管理和产物管理,构建好的二进制文件存放在 GitHub release 当中,下载和使用起来十分方便,不用在自己搞一台单独的机器或者存储服务器,节省很多人力维护成本。
0 Comments