How to apply tekton Cloud Native CI/CD in gitlab

2025-02-23 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article describes how to run Tekton cloud native CI/CD against a GitLab repository. The editor found it practical and shares it here; I hope you get something out of it.

Environment: a network with proxy access to overseas registries (gcr.io, docker.io), kubernetes 1.18, tekton latest

Description

Tekton is a powerful and flexible Kubernetes native open source framework that can be used to create continuous integration and delivery (CI/CD) systems. The framework allows you to build, test, and deploy across multiple cloud service providers or local systems without worrying about the underlying implementation details.

Tekton provides built-in best practices that let you quickly create cloud native CI/CD pipelines. The goal is to let developers create and deploy immutable images, keep infrastructure under version control, and perform rollbacks more easily. With Tekton you can also take advantage of advanced deployment patterns such as rolling deployment, blue/green deployment, canary deployment, or GitOps workflows.

Tekton configuration is very winding, really winding, and slow. I really recommend drone. https://my.oschina.net/u/160697/blog/4487417

After code is pushed to GitLab, a webhook fires, and the Docker image is built and pushed to the private Harbor registry.

Install tekton

# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# this example uses triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# and uses the dashboard, so the tkn CLI does not need to be installed
kubectl apply -f https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml

Expose the Tekton dashboard on the public network. For securing the dashboard (basic auth in front of it), refer to https://my.oschina.net/u/160697/blog/4437939

apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-auth-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  # htpasswd format: user:hash
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  basicAuth:
    secret: tekton-dashboard-auth-secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`tekton.your_domain.com`)
      services:
        - name: tekton-dashboard
          port: 9097
      middlewares:
        - name: tekton-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
      - main: "tekton.your_domain.com"

The TaskRun is created automatically by Tekton Triggers; in this case only a GitLab repository is used. The official example is for reference only and does not match a real setup.

mkdir gitlab-trigger
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml

Generate an SSH key pair. Add the public key to the GitLab project's Deploy Keys; the private key goes into a Kubernetes Secret. Refer to the official

ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0

Create secret.yaml and paste the two base64 outputs above into ssh-privatekey and known_hosts.

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-secret
type: Opaque
stringData:
  secretToken: "qxFtJX5jh88b83P"
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ssh-secret
  annotations:
    tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 output of ~/.ssh/id_rsa>
  known_hosts: <base64 output of ~/.ssh/known_hosts>
---
# Private registry
# https://kubernetes.io/zh/docs/tasks/configure-pod-container/pull-image-private-registry/
# kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email=
apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-secret
  annotations:
    tekton.dev/docker-0: registry.you_harbor_addr.com:31000
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64 of the docker config.json for the registry>

Create serviceaccount.yaml. The ServiceAccount references the three Secrets created above, so that TaskRuns running under it can use them.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-secret
  - name: gitlab-ssh-secret
  - name: harbor-registry-secret
imagePullSecrets:
  - name: harbor-registry-secret

Create gitlab-push-listener.yaml. Kaniko is used to build the image. Base images can be cached, but when the Dockerfile uses commands such as COPY, kaniko reports "Unpacking rootfs as cmd COPY ... requires it" and pulls the base image again every time, so a good proxy environment is needed or the build will be very slow: gcr.io, docker.com and docker.io all have to be reached through a proxy. I also referred to this post.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: workspace-cache-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  # rook-cephfs is the storageClassName defined in storageclass.yaml
  storageClassName: rook-cephfs
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: gitlab-build-and-push
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: $(resources.inputs.git-source.path)/Dockerfile
    - name: pathToContext
      type: string
      description: |
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: $(resources.inputs.git-source.path)
  resources:
    inputs:
      - name: git-source
        type: git
    outputs:
      - name: builtImage
        type: image
  # Cache
  workspaces:
    - name: workspace-cache
      mountPath: /cache
  steps:
    - name: cache-images
      image: gcr.io/kaniko-project/warmer:latest
      # append the images that need to be cached at the end
      args: ["--cache-dir=/cache", "--image=golang:alpine"]
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:latest
      workingDir: "$(params.pathToContext)"
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credentials
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --cache=true
        - --cache-dir=/cache
        - --dockerfile=$(params.pathToDockerFile)
        - --destination=$(resources.outputs.builtImage.url)
        - --context=$(params.pathToContext)
        - --log-timestamp=true
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: gitlab-build-deploy-template
spec:
  params:
    - name: gitrevision
    - name: gitrepositoryurl
    - name: gitrepositoryname
  resourcetemplates:
    - apiVersion: tekton.dev/v1alpha1
      kind: TaskRun
      metadata:
        generateName: $(tt.params.gitrepositoryname)-run-
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskRef:
          name: gitlab-build-and-push
        params:
          - name: pathToDockerFile
            value: Dockerfile
        resources:
          inputs:
            - name: git-source
              resourceSpec:
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision)
                  - name: url
                    value: $(tt.params.gitrepositoryurl)
          outputs:
            - name: builtImage
              resourceSpec:
                type: image
                params:
                  - name: url
                    value: registry.your_registry.com:31000/your_project/$(tt.params.gitrepositoryname)
        workspaces:
          - name: workspace-cache # must match the workspace name in the Task
            persistentVolumeClaim:
              claimName: workspace-cache-pvc # this PVC must already exist
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_ssh_url)
    - name: gitrepositoryname
      value: $(body.repository.name)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - gitlab:
            secretRef:
              secretName: gitlab-webhook-secret
              secretKey: secretToken
            eventTypes:
              - Push Hook # only push events
      bindings:
        - ref: gitlab-push-binding
      template:
        name: gitlab-build-deploy-template

Create an Ingress so that GitLab on the public network can deliver push events to the Tekton EventListener.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-trigger
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`tekton-trigger.your_domain.com`)
      services:
        - name: el-gitlab-listener
          port: 8080
  tls:
    certResolver: aliyun
    domains:
      - main: "tekton-trigger.your_domain.com"

Create a webhook in the GitLab project. The URL is the one exposed above, and the Secret Token is the secretToken from secret.yaml.
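To make the listener's behaviour concrete, here is an added Python model (not Tekton's code) of what the EventListener above does with one webhook delivery: the gitlab interceptor checks the X-Gitlab-Token header against the secretToken and drops anything that is not a "Push Hook", then the TriggerBinding picks checkout_sha, git_ssh_url and name out of the body and the TriggerTemplate renders the TaskRun name and destination image. The sample payload and the secret value are constructed for the example.

```python
import hmac
import json

# Constructed stand-in for the secretToken stored in gitlab-webhook-secret.
WEBHOOK_SECRET = "qxFtJX5jh88b83P"
# Image prefix from the TriggerTemplate on this page.
REGISTRY = "registry.your_registry.com:31000/your_project"


def intercept_gitlab_push(headers, raw_body, secret=WEBHOOK_SECRET):
    """Model of the gitlab interceptor + gitlab-push-binding + template.

    Returns the TaskRun fields the template would render, or raises
    ValueError with the reason the delivery was rejected.
    """
    token = headers.get("X-Gitlab-Token", "")
    # Wrong or missing token: reject before touching the body.
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(token, secret):
        raise ValueError("X-Gitlab-Token does not match gitlab-webhook-secret")
    # eventTypes: [Push Hook] - tag pushes, merge requests etc. are dropped.
    if headers.get("X-Gitlab-Event") != "Push Hook":
        raise ValueError("event type not listed in eventTypes")
    body = json.loads(raw_body)
    try:
        # TriggerBinding: $(body.checkout_sha), $(body.repository.*)
        gitrevision = body["checkout_sha"]
        gitrepositoryurl = body["repository"]["git_ssh_url"]
        gitrepositoryname = body["repository"]["name"]
    except KeyError as exc:
        raise ValueError(f"payload missing field {exc}")
    # TriggerTemplate substitutions for the TaskRun.
    return {
        "generateName": f"{gitrepositoryname}-run-",
        "revision": gitrevision,
        "url": gitrepositoryurl,
        "image": f"{REGISTRY}/{gitrepositoryname}",
    }


# Constructed sample shaped like a GitLab push webhook body (values are fake).
SAMPLE_BODY = json.dumps({
    "object_kind": "push",
    "checkout_sha": "0123456789abcdef0123456789abcdef01234567",
    "repository": {
        "name": "demo-app",
        "git_ssh_url": "ssh://git@your_gitlab_addr:8000/group/demo-app.git",
    },
})

if __name__ == "__main__":
    ok = {"X-Gitlab-Token": WEBHOOK_SECRET, "X-Gitlab-Event": "Push Hook"}
    print(intercept_gitlab_push(ok, SAMPLE_BODY))
```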

Apply the files generated in steps 5-9 to k8s. In this example they live in a separate tekton-gitlab namespace.

kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml

After a push reaches GitLab, the TaskRun is created and run automatically. The result looks like this:

The above is how to run Tekton cloud native CI/CD against GitLab. The editor believes it covers points you may see or use in daily work. I hope you can learn more from this article; for more details, please follow the industry information channel.
