跳转至

部署运维文档

🚀 部署方式

方式一:本地开发环境部署

环境要求

  • JDK 17+
  • Maven 3.6+
  • MySQL 8.0+
  • Redis 7.0+
  • Nacos 2.0+ (可选)

步骤

  1. 克隆代码 

    git clone <repository-url>
cd auth

  2. 配置数据库 

    # 创建数据库
mysql -u root -p
CREATE DATABASE auth_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

# 导入初始化脚本
mysql -u root -p auth_db < scripts/schema.sql
mysql -u root -p auth_db < scripts/data.sql

  3. 配置Redis 

    # 启动Redis
redis-server

  4. 修改配置文件 

    # src/main/resources/application.yml
spring:
  datasource:
    url: jdbc:mysql://localhost:3306/auth_db
    username: root
    password: your_password
  redis:
    host: localhost
    port: 6379

  5. 启动应用 

    # Maven方式
mvn clean package
java -jar target/auth-core.jar

# 或者直接运行
mvn spring-boot:run

  6. 验证部署 

    curl http://localhost:8080/api/v1/auth/captcha

方式二:Docker部署

Docker Compose部署(推荐)

  1. 创建docker-compose.yml 

    version: '3.8'

services:
  mysql:
    image: mysql:8.0
    container_name: auth-mysql
    environment:
      MYSQL_ROOT_PASSWORD: root123
      MYSQL_DATABASE: auth_db
    ports:
      - "3306:3306"
    volumes:
      - ./data/mysql:/var/lib/mysql
      - ./scripts/schema.sql:/docker-entrypoint-initdb.d/1-schema.sql
      - ./scripts/data.sql:/docker-entrypoint-initdb.d/2-data.sql
    networks:
      - auth-network

  redis:
    image: redis:7-alpine
    container_name: auth-redis
    ports:
      - "6379:6379"
    volumes:
      - ./data/redis:/data
    networks:
      - auth-network

  auth-service:
    build: .
    container_name: auth-service
    ports:
      - "8080:8080"
    environment:
      SPRING_DATASOURCE_URL: jdbc:mysql://mysql:3306/auth_db?useUnicode=true&characterEncoding=utf8&useSSL=false
      SPRING_DATASOURCE_USERNAME: root
      SPRING_DATASOURCE_PASSWORD: root123
      SPRING_REDIS_HOST: redis
      SPRING_REDIS_PORT: 6379
    depends_on:
      - mysql
      - redis
    networks:
      - auth-network

networks:
  auth-network:
    driver: bridge

  2. 创建Dockerfile 

    FROM openjdk:17-slim
LABEL maintainer="zhangziming"

WORKDIR /app

# 复制jar包
COPY target/auth-core.jar app.jar

# 健康检查
HEALTHCHECK --interval=30s --timeout=3s \
  CMD curl -f http://localhost:8080/actuator/health || exit 1

# 暴露端口
EXPOSE 8080

# 启动应用
ENTRYPOINT ["java", "-Xms512m", "-Xmx1024m", "-jar", "app.jar"]

  3. 启动服务 

    # 构建并启动
docker-compose up -d

# 查看日志
docker-compose logs -f auth-service

# 停止服务
docker-compose down

单独Docker部署

# 构建镜像
docker build -t auth-service:1.0.0 .

# 运行容器
docker run -d \
  --name auth-service \
  -p 8080:8080 \
  -e SPRING_DATASOURCE_URL=jdbc:mysql://host.docker.internal:3306/auth_db \
  -e SPRING_DATASOURCE_USERNAME=root \
  -e SPRING_DATASOURCE_PASSWORD=root123 \
  -e SPRING_REDIS_HOST=host.docker.internal \
  -e SPRING_REDIS_PORT=6379 \
  auth-service:1.0.0

方式三:Kubernetes部署

创建Kubernetes配置

  1. ConfigMap配置 

    # k8s/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: auth-config
  namespace: auth
data:
  application.yml: |
    spring:
      datasource:
        url: jdbc:mysql://mysql-service:3306/auth_db
        username: root
        password: ${MYSQL_PASSWORD}
      redis:
        host: redis-service
        port: 6379

  2. Secret配置 

    # k8s/secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: auth-secret
  namespace: auth
type: Opaque
data:
  mysql-password: cm9vdDEyMw==  # base64编码
  jwt-secret: eW91ci1qd3Qtc2VjcmV0  # base64编码

  3. Deployment配置 

    # k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth-service
  namespace: auth
spec:
  replicas: 3
  selector:
    matchLabels:
      app: auth-service
  template:
    metadata:
      labels:
        app: auth-service
    spec:
      containers:
      - name: auth-service
        image: auth-service:1.0.0
        ports:
        - containerPort: 8080
        env:
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: auth-secret
              key: mysql-password
        - name: JWT_SECRET
          valueFrom:
            secretKeyRef:
              name: auth-secret
              key: jwt-secret
        volumeMounts:
        - name: config
          mountPath: /app/config
        resources:
          limits:
            cpu: "2"
            memory: "2Gi"
          requests:
            cpu: "500m"
            memory: "512Mi"
        livenessProbe:
          httpGet:
            path: /actuator/health
            port: 8080
          initialDelaySeconds: 60
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /actuator/health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 5
      volumes:
      - name: config
        configMap:
          name: auth-config

  4. Service配置 

    # k8s/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: auth-service
  namespace: auth
spec:
  type: LoadBalancer
  selector:
    app: auth-service
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080

  5. 部署到K8s 

    # 创建命名空间
kubectl create namespace auth

# 应用配置
kubectl apply -f k8s/configmap.yaml
kubectl apply -f k8s/secret.yaml
kubectl apply -f k8s/deployment.yaml
kubectl apply -f k8s/service.yaml

# 查看部署状态
kubectl get pods -n auth
kubectl get svc -n auth

# 查看日志
kubectl logs -f deployment/auth-service -n auth

🔧 配置管理

环境配置

开发环境(application-dev.yml)

spring:
  datasource:
    url: jdbc:mysql://localhost:3306/auth_db
    username: root
    password: root
  redis:
    host: localhost
    port: 6379

logging:
  level:
    cn.zhangziming: DEBUG

测试环境(application-test.yml)

spring:
  datasource:
    url: jdbc:mysql://test-mysql:3306/auth_db
    username: ${DB_USERNAME}
    password: ${DB_PASSWORD}
  redis:
    host: test-redis
    port: 6379

logging:
  level:
    cn.zhangziming: INFO

生产环境(application-prod.yml)

spring:
  datasource:
    url: jdbc:mysql://prod-mysql:3306/auth_db
    username: ${DB_USERNAME}
    password: ${DB_PASSWORD}
    hikari:
      maximum-pool-size: 20
      minimum-idle: 5
  redis:
    host: prod-redis
    port: 6379
    password: ${REDIS_PASSWORD}
    lettuce:
      pool:
        max-active: 20
        max-idle: 10

logging:
  level:
    cn.zhangziming: WARN
  file:
    name: /var/log/auth/application.log

Nacos配置中心

配置Nacos

# bootstrap.yml
spring:
  application:
    name: auth-service
  cloud:
    nacos:
      discovery:
        server-addr: nacos-server:8848
        namespace: ${NACOS_NAMESPACE}
      config:
        server-addr: nacos-server:8848
        namespace: ${NACOS_NAMESPACE}
        file-extension: yml
        refresh-enabled: true

Nacos配置示例

# Data ID: auth-service.yml
# Group: DEFAULT_GROUP

auth:
  jwt:
    secret: ${JWT_SECRET}
    access-token-expire: 7200
    refresh-token-expire: 604800

  security:
    login-fail-max-count: 5
    login-fail-lock-time: 900

  captcha:
    enabled: true
    expire-time: 300

📊 监控告警

Spring Boot Actuator

配置Actuator

management:
  endpoints:
    web:
      exposure:
        include: health,info,metrics,prometheus
  endpoint:
    health:
      show-details: always
  metrics:
    export:
      prometheus:
        enabled: true

健康检查端点

# 健康检查
curl http://localhost:8080/actuator/health

# 指标数据
curl http://localhost:8080/actuator/metrics

# Prometheus格式
curl http://localhost:8080/actuator/prometheus

Prometheus监控

Prometheus配置

# prometheus.yml
global:
  scrape_interval: 15s

scrape_configs:
  - job_name: 'auth-service'
    metrics_path: '/actuator/prometheus'
    static_configs:
      - targets: ['auth-service:8080']

Grafana Dashboard

导入Dashboard

  1. 登录Grafana
  2. 导入Dashboard ID: 4701 (Spring Boot 2.1 Statistics)
  3. 配置Prometheus数据源
  4. 配置告警规则

日志监控(ELK)

Logstash配置

input {
  file {
    path => "/var/log/auth/application.log"
    type => "auth-service"
    codec => json
  }
}

filter {
  if [type] == "auth-service" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{JAVACLASS:class} - %{GREEDYDATA:message}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "auth-service-%{+YYYY.MM.dd}"
  }
}

🔄 CI/CD流水线

GitLab CI/CD

.gitlab-ci.yml

stages:
  - build
  - test
  - deploy

variables:
  MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"

cache:
  paths:
    - .m2/repository

build:
  stage: build
  image: maven:3.8-openjdk-17
  script:
    - mvn clean package -DskipTests
  artifacts:
    paths:
      - target/*.jar
    expire_in: 1 day

test:
  stage: test
  image: maven:3.8-openjdk-17
  script:
    - mvn test
  coverage: '/Total.*?([0-9]{1,3})%/'

deploy-dev:
  stage: deploy
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker build -t auth-service:dev .
    - docker push auth-service:dev
    - kubectl set image deployment/auth-service auth-service=auth-service:dev -n dev
  only:
    - develop

deploy-prod:
  stage: deploy
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker build -t auth-service:$CI_COMMIT_TAG .
    - docker push auth-service:$CI_COMMIT_TAG
    - kubectl set image deployment/auth-service auth-service=auth-service:$CI_COMMIT_TAG -n prod
  only:
    - tags

Jenkins Pipeline

Jenkinsfile

pipeline {
    agent any

    tools {
        maven 'Maven 3.8'
        jdk 'JDK 17'
    }

    stages {
        stage('Checkout') {
            steps {
                git branch: 'main', url: 'https://github.com/your/repo.git'
            }
        }

        stage('Build') {
            steps {
                sh 'mvn clean package -DskipTests'
            }
        }

        stage('Test') {
            steps {
                sh 'mvn test'
            }
            post {
                always {
                    junit 'target/surefire-reports/*.xml'
                }
            }
        }

        stage('Docker Build') {
            steps {
                sh 'docker build -t auth-service:${BUILD_NUMBER} .'
            }
        }

        stage('Deploy to K8s') {
            steps {
                sh '''
                    kubectl set image deployment/auth-service \
                    auth-service=auth-service:${BUILD_NUMBER} \
                    -n production
                '''
            }
        }
    }

    post {
        success {
            echo 'Deployment successful!'
        }
        failure {
            echo 'Deployment failed!'
        }
    }
}

🔐 安全加固

1. HTTPS配置

server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:keystore.p12
    key-store-password: ${SSL_PASSWORD}
    key-store-type: PKCS12

2. 防火墙规则

# 只允许必要端口
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --reload

3. 数据库安全

-- 创建专用用户
CREATE USER 'auth_user'@'%' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON auth_db.* TO 'auth_user'@'%';
FLUSH PRIVILEGES;

📈 性能优化

1. JVM参数优化

java -jar \
  -Xms2g \
  -Xmx2g \
  -XX:+UseG1GC \
  -XX:MaxGCPauseMillis=200 \
  -XX:+HeapDumpOnOutOfMemoryError \
  -XX:HeapDumpPath=/var/log/auth/heapdump.hprof \
  auth-core.jar

2. 连接池优化

spring:
  datasource:
    hikari:
      maximum-pool-size: 20
      minimum-idle: 5
      connection-timeout: 30000
      idle-timeout: 600000
      max-lifetime: 1800000

3. Redis优化

spring:
  redis:
    lettuce:
      pool:
        max-active: 20
        max-idle: 10
        min-idle: 5
        max-wait: 3000

🔍 故障排查

常见问题

  1. 服务无法启动 

    # 查看日志
tail -f /var/log/auth/application.log

# 检查端口占用
netstat -tlnp | grep 8080

# 检查数据库连接
mysql -h localhost -u root -p

  2. Token验证失败 

    # 检查Redis连接
redis-cli ping

# 查看Token
redis-cli
GET auth:user:1

  3. 性能问题 

    # 查看JVM状态
jstat -gcutil <pid> 1000

# 查看线程dump
jstack <pid> > thread.dump

# 查看堆dump
jmap -dump:live,format=b,file=heap.dump <pid>

📋 运维清单

日常运维

  • 定期检查日志
  • 监控系统资源使用
  • 检查告警信息
  • 备份数据库
  • 清理过期日志

定期维护

  • 更新依赖包(每月)
  • 数据库优化(每季度)
  • 安全审计(每季度)
  • 性能测试(每季度)
  • 灾难恢复演练(每半年)

相关文档: - 架构设计文档 - 快速开始指南