2.4.1 Description of the case environment
- Sample project: http://code.icloud2native.com/root/spring-boot-helloWorld.git
- Trigger mechanism:
  - The user pushes code to the project repository
  - The pipeline run is triggered by the GitLab Push Hook event
2.4.2 Project Implementation
1. Deploy GitLab on k8s; this was completed in the previous section.
2. The webhook endpoint of a running EventListener does not accept anonymous push events, so a Secret holding the GitLab webhook token must be created first: 01-gitlab-token.yaml:
   apiVersion: v1
   kind: Secret
   metadata:
     name: gitlab-webhook-token
   type: Opaque
   stringData:
     # Generated by command "openssl rand -base64 12"
     webhookToken: "8/MDKoGoabPzFeZr"
3. When the EventListener runs as a pod it needs to read resources such as triggers, bindings and templates, so grant it RBAC: 02-gitlab-eventlistener-rbac.yaml
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: tekton-triggers-gitlab-sa
   secrets:
     - name: gitlab-webhook-token
   ---
   kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: tekton-triggers-gitlab-minimal
   rules:
     # Permissions for every EventListener deployment to function
     - apiGroups: ["triggers.tekton.dev"]
       resources: ["eventlisteners", "triggerbindings", "triggertemplates", "interceptors"]
       # resources: ["*"]
       verbs: ["get", "list"]
     - apiGroups: [""]
       # secrets are only needed for Github/Gitlab interceptors, service accounts only for per trigger authorization
       resources: ["configmaps", "secrets", "serviceaccounts"]
       verbs: ["get", "list", "watch"]
     # Permissions to create resources in associated TriggerTemplates
     - apiGroups: ["tekton.dev"]
       resources: ["pipelineruns", "pipelineresources", "taskruns"]
       verbs: ["create"]
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: tekton-triggers-gitlab-binding
   subjects:
     - kind: ServiceAccount
       name: tekton-triggers-gitlab-sa
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: tekton-triggers-gitlab-minimal
   ---
   kind: ClusterRole
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: tekton-triggers-gitlab-minimal
   rules:
     - apiGroups: ["triggers.tekton.dev"]
       resources: ["clusterinterceptors"]
       verbs: ["get", "list"]
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: tekton-triggers-gitlab-binding
   subjects:
     - kind: ServiceAccount
       name: tekton-triggers-gitlab-sa
       namespace: default
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: tekton-triggers-gitlab-minimal
4. The last task, deploy-task, applies manifests to the k8s cluster, so its pod needs the corresponding permissions; define the RBAC in 03-task-deploy-to-cluster-rbac.yaml:
   ---
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: helloworld-admin
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: helloworld-admin
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: cluster-admin
   subjects:
     - kind: ServiceAccount
       name: helloworld-admin
       namespace: default
5. Define a PVC that backs the Maven cache:
   apiVersion: v1
   kind: PersistentVolumeClaim
   metadata:
     name: maven-cache
   spec:
     accessModes:
       - ReadWriteMany
     resources:
       requests:
         storage: 1Gi
     storageClassName: nfs-csi
     volumeMode: Filesystem
6. Define all tasks of the project in one file: 05-task-source-2-image.yaml:
   ---
   apiVersion: tekton.dev/v1beta1
   kind: Task
   metadata:
     name: git-clone
   spec:
     description: Clone the code repository to the workspace.
     params:
       - name: git-repo-url
         type: string
         description: git repository url to clone
       - name: git-revision
         type: string
         description: git revision to checkout (branch, tag, sha, ref)
     workspaces:
       - name: source
         description: The git repo will be cloned onto the volume backing this workspace
     steps:
       - name: git-clone
         image: alpine/git:v2.36.1
         script: |
           git clone -v $(params.git-repo-url) $(workspaces.source.path)/source
           cd $(workspaces.source.path)/source && git reset --hard $(params.git-revision)
   ---
   apiVersion: tekton.dev/v1beta1
   kind: Task
   metadata:
     name: build-to-package
   spec:
     description: build application and package the files to image
     workspaces:
       - name: source
         description: The git repo that was cloned onto the volume backing this workspace
     steps:
       - name: build
         image: maven:3.8-openjdk-11-slim
         workingDir: $(workspaces.source.path)/source
         volumeMounts:
           - name: m2
             mountPath: /root/.m2
         script: mvn clean install
     volumes:
       - name: m2
         persistentVolumeClaim:
           claimName: maven-cache
   ---
   apiVersion: tekton.dev/v1beta1
   kind: Task
   metadata:
     name: generate-build-id
   spec:
     params:
       - name: version
         description: The version of the application
         type: string
     results:
       - name: datetime
         description: The current date and time
       - name: buildId
         description: The build ID
     steps:
       - name: generate-datetime
         image: ikubernetes/admin-box:v1.2
         script: |
           #!/usr/bin/env bash
           datetime=`date +%Y%m%d-%H%M%S`
           echo -n ${datetime} | tee $(results.datetime.path)
       - name: generate-buildid
         image: ikubernetes/admin-box:v1.2
         script: |
           #!/usr/bin/env bash
           buildDatetime=`cat $(results.datetime.path)`
           buildId=$(params.version)-${buildDatetime}
           echo -n ${buildId} | tee $(results.buildId.path)
   ---
   apiVersion: tekton.dev/v1beta1
   kind: Task
   metadata:
     name: image-build-and-push
   spec:
     description: package the application files to image
     params:
       - name: dockerfile
         description: The path to the dockerfile to build (relative to the context)
         default: Dockerfile
       - name: image-url
         description: Url of image repository
       - name: image-tag
         description: Tag to apply to the built image
     workspaces:
       - name: source
       - name: dockerconfig
         mountPath: /kaniko/.docker
     steps:
       - name: image-build-and-push
         image: gcr.io/kaniko-project/executor:debug
         securityContext:
           runAsUser: 0
         env:
           - name: DOCKER_CONFIG
             value: /kaniko/.docker
         command:
           - /kaniko/executor
         args:
           - --dockerfile=$(params.dockerfile)
           - --context=$(workspaces.source.path)/source
           - --destination=$(params.image-url):$(params.image-tag)
   ---
   apiVersion: tekton.dev/v1beta1
   kind: Task
   metadata:
     name: deploy-using-kubectl
   spec:
     workspaces:
       - name: source
         description: The git repo
     params:
       - name: deploy-config-file
         description: The path to the yaml file to deploy within the git source
       - name: image-url
         description: Image name including repository
       - name: image-tag
         description: Image tag
     steps:
       - name: update-yaml
         image: alpine:3.16
         command: ["sed"]
         args:
           - "-i"
           - "-e"
           - "s@__IMAGE__@$(params.image-url):$(params.image-tag)@g"
           - "$(workspaces.source.path)/source/deploy/$(params.deploy-config-file)"
       - name: run-kubectl
         image: lachlanevenson/k8s-kubectl
         command: ["kubectl"]
         args:
           - "apply"
           - "-f"
           - "$(workspaces.source.path)/source/deploy/$(params.deploy-config-file)"
7. Compose the tasks above into a Pipeline: 06-pipeine-s2i.yaml:
   apiVersion: tekton.dev/v1beta1
   kind: Pipeline
   metadata:
     name: source-to-image
   spec:
     params:
       - name: git-repo-url
         type: string
         description: git repository url to clone
       - name: git-revision
         type: string
         description: git revision to checkout (branch, tag, sha, ref)
         default: main
       - name: image-build-context
         description: The path to the build context, used by Kaniko - within the workspace
         default: .
       - name: image-url
         description: Url of image repository
       - name: version
         description: The version of the application
         type: string
         default: "v0.9"
       - name: deploy-config-file
         description: The path to the yaml file to deploy within the git source
         default: all-in-one.yaml
     workspaces:
       - name: codebase
       - name: docker-config
     tasks:
       - name: git-clone
         taskRef:
           name: git-clone
         params:
           - name: git-repo-url
             value: "$(params.git-repo-url)"
           - name: git-revision
             value: "$(params.git-revision)"
         workspaces:
           - name: source
             workspace: codebase
       - name: build-to-package
         taskRef:
           name: build-to-package
         workspaces:
           - name: source
             workspace: codebase
         runAfter:
           - git-clone
       - name: generate-build-id
         taskRef:
           name: generate-build-id
         params:
           - name: version
             value: "$(params.version)"
         runAfter:
           - git-clone
       - name: image-build-and-push
         taskRef:
           name: image-build-and-push
         params:
           - name: image-url
             value: "$(params.image-url)"
           - name: image-tag
             value: "$(tasks.generate-build-id.results.buildId)"
         workspaces:
           - name: source
             workspace: codebase
           - name: dockerconfig
             workspace: docker-config
         runAfter:
           - generate-build-id
           - build-to-package
       - name: deploy-to-cluster
         taskRef:
           name: deploy-using-kubectl
         workspaces:
           - name: source
             workspace: codebase
         params:
           - name: deploy-config-file
             value: $(params.deploy-config-file)
           - name: image-url
             value: $(params.image-url)
           - name: image-tag
             value: "$(tasks.generate-build-id.results.buildId)"
         runAfter:
           - image-build-and-push
8. Finally define the TriggerBinding, TriggerTemplate and EventListener (with its trigger): 07-eventlisten.yaml
   apiVersion: triggers.tekton.dev/v1beta1
   kind: TriggerBinding
   metadata:
     name: s2i-binding
   spec:
     params:
       - name: git-revision
         value: $(body.checkout_sha)
       - name: git-repo-url
         value: $(body.repository.git_http_url)
       - name: image-url
         value: icloud2native/spring-boot-helloworld
       - name: version
         value: v0.10
   ---
   apiVersion: triggers.tekton.dev/v1beta1
   kind: TriggerTemplate
   metadata:
     name: s2i-tt
   spec:
     params: # Define parameters
       - name: git-revision
       - name: git-repo-url
       - name: image-url
       - name: version
     resourcetemplates:
       - apiVersion: tekton.dev/v1beta1
         kind: PipelineRun
         metadata:
           generateName: s2i-trigger-run- # PipelineRun name prefix
         spec:
           serviceAccountName: default
           pipelineRef:
             name: source-to-image
           taskRunSpecs:
             - pipelineTaskName: deploy-to-cluster
               taskServiceAccountName: helloworld-admin
           params:
             - name: git-repo-url
               value: $(tt.params.git-repo-url)
             - name: git-revision
               value: $(tt.params.git-revision)
             - name: image-url
               value: $(tt.params.image-url)
             - name: version
               value: $(tt.params.version)
           workspaces:
             - name: codebase
               volumeClaimTemplate:
                 spec:
                   accessModes:
                     - ReadWriteOnce
                   resources:
                     requests:
                       storage: 1Gi
                   storageClassName: nfs-csi
             - name: docker-config
               secret:
                 secretName: docker-config
   ---
   apiVersion: triggers.tekton.dev/v1beta1
   kind: EventListener
   metadata:
     name: s2i-listener
   spec:
     serviceAccountName: tekton-triggers-gitlab-sa
     triggers:
       - name: gitlab-push-events-trigger
         interceptors:
           - ref:
               name: "gitlab"
             params:
               - name: "secretRef"
                 value:
                   secretName: gitlab-webhook-token
                   secretKey: webhookToken
               - name: "eventTypes"
                 value:
                   - "Push Hook"
                   - "Tag Push Hook"
                   - "Merge Request Hook"
         bindings:
           - ref: s2i-binding
         template:
           ref: s2i-tt
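To make visible what the gitlab interceptor and the s2i-binding above do with an incoming request, here is an added Python example (not code from the original post, and not Tekton's own implementation) that re-implements the same checks on a constructed GitLab push payload: the request is accepted only if X-Gitlab-Token matches the webhook secret and X-Gitlab-Event is one of the configured eventTypes, then the two body fields the binding reads are extracted and the PipelineRun the template would create is rendered. The token value is the one from 01-gitlab-token.yaml; the commit SHA, the payload shape and the exact interceptor behaviour are assumptions.

```python
import hmac
import json

# Value of the gitlab-webhook-token Secret from 01-gitlab-token.yaml.
WEBHOOK_TOKEN = "8/MDKoGoabPzFeZr"
# eventTypes configured on the gitlab interceptor of s2i-listener.
ALLOWED_EVENTS = {"Push Hook", "Tag Push Hook", "Merge Request Hook"}

# Constructed GitLab push payload, reduced to the fields s2i-binding reads.
# The SHA is made up for this example.
SAMPLE_PUSH_BODY = json.dumps({
    "object_kind": "push",
    "ref": "refs/heads/main",
    "checkout_sha": "0123456789abcdef0123456789abcdef01234567",
    "repository": {
        "git_http_url": "http://code.icloud2native.com/root/spring-boot-helloWorld.git"
    },
}).encode()


class WebhookRejected(Exception):
    """Raised when a request would not pass the interceptor."""


def intercept(headers: dict, body: bytes, token: str,
              allowed_events=ALLOWED_EVENTS) -> dict:
    """Assumed model of the Tekton 'gitlab' interceptor with secretRef + eventTypes:
    X-Gitlab-Token must equal the secret and X-Gitlab-Event must be allowed.
    Returns the parsed JSON body on success."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = h.get("x-gitlab-token", "")
    # Constant-time comparison, so response timing does not reveal how much of the token matched.
    if not hmac.compare_digest(presented.encode(), token.encode()):
        raise WebhookRejected("invalid or missing X-Gitlab-Token")
    event = h.get("x-gitlab-event", "")
    if event not in allowed_events:
        raise WebhookRejected(f"event type {event!r} not in eventTypes")
    try:
        return json.loads(body)
    except json.JSONDecodeError as exc:
        raise WebhookRejected("body is not valid JSON") from exc


def is_accepted(headers: dict, body: bytes, token: str = WEBHOOK_TOKEN) -> bool:
    """Boolean view of intercept(), convenient for checks."""
    try:
        intercept(headers, body, token)
        return True
    except WebhookRejected:
        return False


def bind_params(payload: dict) -> dict:
    """Apply s2i-binding: two values come from the event body, two are fixed."""
    return {
        "git-revision": payload["checkout_sha"],
        "git-repo-url": payload["repository"]["git_http_url"],
        "image-url": "icloud2native/spring-boot-helloworld",
        "version": "v0.10",
    }


def render_pipelinerun(params: dict) -> dict:
    """Produce the PipelineRun that s2i-tt would emit (fields relevant to this walkthrough)."""
    return {
        "apiVersion": "tekton.dev/v1beta1",
        "kind": "PipelineRun",
        "metadata": {"generateName": "s2i-trigger-run-"},
        "spec": {
            "serviceAccountName": "default",
            "pipelineRef": {"name": "source-to-image"},
            "taskRunSpecs": [{"pipelineTaskName": "deploy-to-cluster",
                              "taskServiceAccountName": "helloworld-admin"}],
            "params": [{"name": k, "value": v} for k, v in params.items()],
        },
    }


def handle_webhook(headers: dict, body: bytes, token: str = WEBHOOK_TOKEN) -> dict:
    """End to end: interceptor -> binding -> template."""
    return render_pipelinerun(bind_params(intercept(headers, body, token)))


if __name__ == "__main__":
    good = {"X-Gitlab-Event": "Push Hook", "X-Gitlab-Token": WEBHOOK_TOKEN}
    print(json.dumps(handle_webhook(good, SAMPLE_PUSH_BODY), indent=2))
    print("anonymous request accepted:", is_accepted({"X-Gitlab-Event": "Push Hook"}, SAMPLE_PUSH_BODY))
```

Running it prints the rendered PipelineRun for a correctly authenticated push and shows that a request without the token header is refused, which is the property the gitlab-webhook-token Secret exists to enforce; an event type outside the configured list (for example an issue event) is refused the same way even when the token is correct.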
9. Apply all the manifests:
   kubectl apply -f .
10. In GitLab, add the EventListener's URL and the webhook token as a project webhook, and disable SSL verification.
2.4.3 Project Test
Modify a file on the main branch locally, push it, and check on the Tekton dashboard whether the pipeline is triggered:
1. Push to the main branch on GitLab
2. Check whether the Tekton pipeline run is triggered
3. Check whether the image reached Docker Hub and the application was deployed to Kubernetes
To be continued...