
[Untitled] Okay

RSAS CI/CD On-Board Deliverance Implementation Guide

1. Document Overview

This document details the steps for implementing the "On-Board Deliverance" (launch delivery) of the RSAS system's CI/CD process on the Deliverance platform, covering:

    •    CI Phase: Playbook creation (integrating GitHub Webhook, Runbook, and PS CloudBuild trigger logic).

    •    CD Phase: Orchestration of G3 components (PWI Creator, PWI Status Validator, PWI Packager, etc.).

    •    "Ready for Live" Special Process: A separate playbook for preparations before production launch.

2. CI Phase: Playbook Creation and Component Integration

Objective

Implement an automated pipeline of "GitHub code change → Webhook trigger → Runbook execution → PS CloudBuild trigger" via Deliverance.

Step 1: Initialize CI Playbook

    1.    Log in to the Deliverance platform, navigate to the Playbook module → click "Create Playbook", and name it RSAS-CI-Pipeline.

    2.    Select the CI-specific execution environment (e.g., a CI cluster) and save the basic configuration.

Step 2: Configure GitHub Webhook Component

In the Playbook’s GUI Editor, drag the "GitHub Webhook" component to the process canvas and configure:

    •    Repository: Specify the RSAS code repository (e.g., org/rsas-repo).

    •    Trigger Events: Select Push and Pull Request Merge (the pipeline is triggered when code is pushed or a PR is merged).

    •    Webhook URL: Set the endpoint where Deliverance receives triggers (e.g., https://deliverance.hsbc.com/rsas-ci-webhook).

    •    Secret: Link the GitHub repository’s Webhook secret (configured via Deliverance Secret Management; avoid hardcoding).

Step 3: Integrate Runbook Component

Drag the "Runbook" component downstream of the GitHub Webhook component (to establish the trigger dependency) and configure:

    •    Runbook Path: Specify the path to the RSAS CI Runbook (e.g., /opt/runbooks/rsas-ci-runbook.sh).

    •    Prep Script (optional): Add dependency check scripts (e.g., checking the Java version of the build environment).

    •    Post Script (optional): Add scripts for archiving Runbook execution logs (e.g., cp /var/log/runbook.log /backup/).

Step 4: Configure "Trigger PS CloudBuild" Logic (Custom Script)

Drag the "Custom Script" component downstream of the Runbook component and write the trigger logic in Prep Script:

#!/bin/bash
set -e

# 1. Extract build parameters from Runbook output
#    "|| true" keeps set -e from aborting on a missing key, so step 3 can report it.
#    \S+ captures the whole value; \w+ would cut "main-hotfix" down to "main"
#    and let it pass the branch filter below.
BUILD_PARAMS=$(cat /path/to/runbook/output)
BRANCH=$(echo "$BUILD_PARAMS" | grep -oP 'branch=\K\S+' || true)
VERSION=$(echo "$BUILD_PARAMS" | grep -oP 'version=\K\S+' || true)
ENV=$(echo "$BUILD_PARAMS" | grep -oP 'env=\K\S+' || true)

# 2. Branch filtering: Only master/main triggers formal build
if [ "$BRANCH" != "master" ] && [ "$BRANCH" != "main" ]; then
    echo "Skip build: Only master/main triggers formal build"
    exit 0
fi

# 3. Parameter validation: Version and environment are required
if [ -z "$VERSION" ] || [ -z "$ENV" ]; then
    echo "Error: Version and env are required"
    exit 1
fi

# 4. Trigger PS CloudBuild (with retry)
RETRY=0
MAX_RETRY=3
while [ "$RETRY" -lt "$MAX_RETRY" ]; do
    # The command runs inside "if": under set -e a bare failing command
    # would end the script before any retry happens.
    if ps-cloudbuild submit \
        --project rsas-project \
        --env "$ENV" \
        --version "$VERSION" \
        --config cloudbuild.yaml; then
        echo "PS CloudBuild succeeded"
        exit 0
    fi
    RETRY=$((RETRY+1))
    echo "Retry #$RETRY: PS CloudBuild failed, retrying..."
    sleep 10
done
echo "PS CloudBuild failed after $MAX_RETRY retries"
exit 1

    •    Exception Handling: Add a Slack alert script in Exception Script (e.g., curl -X POST https://slack-webhook -d "Build failed").
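
An added example, not part of the original guide or of the Deliverance platform: strict validation of the parameters extracted above before they reach ps-cloudbuild. It assumes the Runbook emits whitespace- or newline-separated key=value pairs; the function names, the version pattern and the environment allowlist (dev, staging, prod) are assumptions.

```shell
#!/bin/sh
# Added example. Function names, version pattern and env allowlist are assumptions.

# get_param KEY TEXT: print the value of the first KEY=value token in TEXT.
get_param() {
    printf '%s\n' "$2" | tr -s ' \t' '\n\n' | sed -n "s/^$1=//p" | head -n 1
}

# validate_build_params TEXT
# Prints "VERSION ENV" and returns 0 when a formal build may start,
# returns 2 for a non-release branch (skip), 1 for invalid input.
validate_build_params() {
    branch=$(get_param branch "$1")
    version=$(get_param version "$1")
    env=$(get_param env "$1")

    # Exact match only: "main-hotfix" or "mainline" must not pass as "main".
    case "$branch" in
        master|main) ;;
        *) return 2 ;;
    esac

    # Version: optional "v", then 2 to 4 dot-separated numbers (assumed scheme).
    # Anything else, including shell metacharacters, is rejected.
    if ! printf '%s\n' "$version" | grep -Eq '^v?[0-9]+(\.[0-9]+){1,3}$'; then
        echo "Error: invalid version '$version'" >&2
        return 1
    fi

    # Environment: fixed allowlist (assumed names), never free text.
    case "$env" in
        dev|staging|prod) ;;
        *) echo "Error: invalid env '$env'" >&2; return 1 ;;
    esac

    printf '%s %s\n' "$version" "$env"
}
```

Return code 2 maps to the "Skip build" branch of the script above, and return code 1 to its "exit 1" path.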

Step 5: Test CI Playbook

    1.    Click "Save & Run" in Deliverance to trigger test execution.

    2.    Verify the process:

    ◦    Push test code to GitHub and confirm the Webhook triggers the Deliverance process.

    ◦    Check Runbook logs to confirm dependency checks and parameter extraction work as expected.

    ◦    Verify in the PS CloudBuild console that the build task starts and generates deliverables.

3. CD Phase: G3 Component Orchestration and Process Configuration

Objective

Implement an automated CD process of "CI deliverable → Deployment instance creation → Status validation → Packaging" via Deliverance’s G3 components.

Step 1: Create CD Main Playbook

    1.    Navigate to the Playbook module → click "Create Playbook" and name it RSAS-CD-Main-Pipeline.

    2.    Select the staging environment execution cluster.

Step 2: Add PWI Creator Component

Drag the "PWI Creator (G3)" component to the start of the process and configure:

    •    Deliverable Source: Specify the CI deliverable address (e.g., image repository registry.example.com/rsas:v1.0.0).

    •    Project: Enter RSAS.

    •    Environment: Select the target environment (e.g., staging).

    •    Prep Condition: Set preconditions (e.g., the CI deliverable exists and its version matches, evaluated via the variable ${ci_deliverable_exists}).

Step 3: Add PWI Status Validator (First Validation)

Drag the "PWI Status Validator (G3)" component downstream of PWI Creator and configure:

    •    PWI ID: Link to the instance ID generated by PWI Creator (referenced via variables, e.g., ${pwi_creator.output.pwi_id}).

    •    Check Items: Select service_running, health_check, log_error (to validate that the service is running, the health check passes, and the logs contain no errors).

    •    Timeout: Set a timeout (e.g., 10min); an exception is triggered when it expires.

Step 4: Add PWI Packager Component

Drag the "PWI Packager (G3)" component downstream of PWI Status Validator and configure:

    •    PWI ID: Link to the target PWI instance (same as PWI ID in Step 3).

    •    Package Type: Select standard (a standard format including deployment configuration and dependency lists).

    •    Post Script: Add scripts for archiving packaging metadata (e.g., curl -X POST https://deploy-center/api/package -d "id=${pwi_id}").

Step 5: Secondary PWI Status Validator (Validate Packaging Integrity)

Drag a second "PWI Status Validator (G3)" component downstream of PWI Packager and configure:

    •    PWI ID: Link to the same PWI instance.

    •    Check Items: Select service_running, package_integrity (to validate that the service is still running and the packaged files are complete).

Step 6: Test CD Main Playbook

    1.    Upload the CI deliverable to the specified source address.

    2.    Execute RSAS-CD-Main-Pipeline in Deliverance and verify:

    ◦    The PWI instance is created successfully.

    ◦    Status validation passes (service runs, health check is normal).

    ◦    The packaging operation generates deliverables that meet requirements.

4. "Ready for Live" Special Playbook

Objective

Create a separate playbook to complete final verification before production launch and mark the "Ready for Live" status.

Step 1: Create Special Playbook

    1.    Navigate to the Playbook module → click "Create Playbook" and name it RSAS-CD-Ready-for-Live.

    2.    Select the production execution environment.

Step 2: Pull Packaged Deliverables

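Drag the "Custom Script" component onto the canvas and write the pull script in Prep Script:

#!/bin/bash
set -e
# --fail makes curl exit non-zero on an HTTP error instead of saving the error body as the package
curl --fail -o /opt/rsas/prod/rsas-pwi-package.tar.gz \
    "{{ package_url_from_cd_main }}" \
    -H "Authorization: Bearer ${G3_TOKEN}"
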
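An added example, not from the original guide: the same pull, written so that a package is placed in the production path only after its SHA-256 digest has been verified. It assumes the CD main playbook publishes a digest alongside the package URL (a hypothetical EXPECTED_SHA256 value) and that curl is 7.55.0 or later; the function names are illustrative.

```shell
#!/bin/sh
# Added example. EXPECTED_SHA256 is a hypothetical value that the CD main
# playbook would have to publish alongside the package URL.

# verify_sha256 FILE EXPECTED_HEX: return 0 only if FILE's SHA-256 matches.
verify_sha256() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Length check so an empty or truncated expected value never matches.
    [ "${#expected}" -eq 64 ] && [ "$actual" = "$expected" ]
}

# fetch_package URL DEST EXPECTED_HEX
# Downloads to a temporary file and moves it to DEST only after verification.
fetch_package() {
    tmp=$(mktemp "$2.XXXXXX") || return 1
    # --fail: an HTTP 4xx/5xx is an error, not a saved error page.
    # --proto '=https': refuse any other scheme; redirects are not followed.
    # -H @-: read the header from stdin so the token is not in the process arguments.
    if ! printf 'Authorization: Bearer %s\n' "$G3_TOKEN" |
            curl --fail --silent --show-error --proto '=https' \
                 --max-time 300 -H @- -o "$tmp" "$1"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$3"; then
        echo "Error: SHA-256 mismatch for $1" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$2"
}
```
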
Step 3: Production Environment Pre-check

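Drag the "Custom Script" component onto the canvas and write the pre-check logic in Prep Script:

#!/bin/bash
set -e
# 1. Port occupancy check (example: port 8080)
#    The trailing whitespace match keeps ":8080" from matching inside a longer field
if netstat -tuln | grep -qE ':8080[[:space:]]'; then
    echo "Error: Port 8080 is occupied"
    exit 1
fi
# 2. Memory usage verification (threshold 80%)
MEM_USED=$(free | grep Mem | awk '{print $3/$2 * 100.0}')
if (( $(echo "$MEM_USED > 80" | bc -l) )); then
    echo "Error: Memory usage exceeds 80%"
    exit 1
fi
# 3. Production database permission verification
#    The password is quoted so special characters survive word splitting. A password
#    passed with -p is visible in the process argument list; a client option file
#    readable only by the pipeline user avoids that.
mysql -u rsas_user -p"${DB_PASS}" -e "SELECT 1" rsas_prod_db

Step 4: Add "RW-Ready for Live" Component (G3)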

Drag the "RW-Ready for Live (G3)" component downstream of the pre-check and configure:

    •    PWI ID: Link to the PWI instance from the main CD process.

    •    Checklist URL: Link to the Confluence launch checklist (can be supplemented manually or generated automatically).

Step 5: Mark "Ready for Live" Status

Drag the "Custom API Call" component to call the RSAS Deployment Center API:

    •    API URL: https://rsas-deploy-center/api/v1/status.

    •    Method: PUT.

    •    Body:

{
    "project": "RSAS",
    "status": "ready_for_live",
    "pwi_id": "${pwi_id}",
    "checklist_url": "${checklist_url}"
}

    •    Headers: Add an authorization header (e.g., Authorization: Bearer ${DEPLOY_TOKEN}).

Step 6: Test Special Playbook

    1.    Prepare a simulated production environment (or pre-production environment).

    2.    Execute RSAS-CD-Ready-for-Live and verify:

    ◦    The deliverable is pulled successfully.

    ◦    Production pre-checks pass (ports, resources, and database permissions are normal).

    ◦    The "Ready for Live" status is marked successfully in the deployment center.

5. End-to-End Verification and Delivery

1. Full Process Verification

    1.    Push code to GitHub → trigger the CI Playbook → generate deliverables.

    2.    Deliverables trigger the CD Main Playbook → complete PWI creation, validation, and packaging.

    3.    After packaging, trigger the "Ready for Live" Special Playbook → complete production pre-checks and status marking.

    4.    Confirm the "Ready for Live" status and associated checklist in the RSAS Deployment Center.

2. Document Delivery

Publish this document to Confluence and associate it with the RSAS project space to ensure team access.

Note: All secrets and tokens (such as GitHub Secret, G3_TOKEN, DB_PASS) must be configured via Deliverance Secret Management; hardcoding is prohibited.