Practical application of Tekton cloud native CI/CD with GitLab

  1. Environment: test environment, kubernetes 1.8+, latest Tekton
  2. Description
  • Tekton is a powerful and flexible Kubernetes-native open source framework for building continuous integration and delivery (CI/CD) systems. It lets you build, test and deploy across multiple cloud providers or on-premises systems without worrying about the underlying implementation details.
  • Tekton's built-in best practices let you create cloud native CI/CD pipelines quickly. The goal is to make it easier for developers to build and deploy immutable images, keep infrastructure under version control, and roll back. With Tekton you can also use advanced deployment patterns such as rolling, blue/green and canary deployments, or GitOps workflows.
  • This example uses a private GitLab repository. After a push, the webhook fires and Tekton creates a TaskRun from it.
  3. Install Tekton
# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# This example uses triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# Optional: the dashboard can be used instead of installing the CLI
kubectl apply -f https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml
  4. Expose the Tekton dashboard to the internet. See https://my.oschina.net/u/160697/blog/4437939 for using the dashboard safely; the IngressRoute below puts it behind basic auth on the TLS entry point.
apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-auth-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  basicAuth:
    secret: tekton-dashboard-auth-secret

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tekton.your_domain.com`)
    services:
    - name: tekton-dashboard
      port: 9097
    middlewares:
    - name: tekton-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
    - main: "tekton.your_domain.com"

  5. Create TaskRuns automatically through Tekton Triggers. This example only uses a GitLab repository. The official examples are only a reference and are not directly usable.
mkdir gitlab-trigger
cd gitlab-trigger
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml
  6. Generate an SSH key pair. Add the public key to the GitLab project's Deploy Keys and put the private key in a Kubernetes Secret. See the official documentation.
ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0

Create secret.yaml and paste the two base64 outputs above into ssh-privatekey and known_hosts:

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-secret
type: Opaque
stringData:
  secretToken: "qxFtJX5jh88b83P"

---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ssh-secret
  annotations:
    tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 encoded>
  known_hosts: <base64 encoded>
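The following script is an added example, not the page's or Tekton's own code: it produces the gitlab-ssh-secret manifest above from the key files instead of copying base64 output by hand, and adds two checks that are easy to miss. The private-key file must be a PEM/OpenSSH key, and known_hosts must contain a plain entry for the GitLab host in the form ssh writes for a non-default port ("[host]:8000 ..."); without it, the git clone inside the TaskRun fails host-key verification. The key material, host name and known_hosts line in the script are constructed placeholders, and the webhook Secret from the page is not generated here.

```python
"""Generate the gitlab-ssh-secret manifest from step 6 (added example).

Not the page's or Tekton's code: it does what the two base64 commands plus
the manual copy into ssh-privatekey / known_hosts do, with two extra checks.
The key material and known_hosts line below are constructed placeholders.
"""
from __future__ import annotations

import base64
import sys


def known_hosts_covers(known_hosts: str, host: str, port: int) -> bool:
    """True if an unhashed known_hosts line names host on port.

    ssh writes port-22 entries as "host" and other ports as "[host]:port".
    Marker lines (@cert-authority, @revoked) and lines hashed by
    HashKnownHosts ("|1|...") cannot be matched by name and are skipped;
    "ssh-keyscan -p PORT host" produces a plain line if needed.
    """
    want = host if port == 22 else f"[{host}]:{port}"
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        # the first field may list several names separated by commas
        if want in line.split()[0].split(","):
            return True
    return False


def build_ssh_secret(private_key: bytes, known_hosts: bytes, host: str, port: int,
                     name: str = "gitlab-ssh-secret") -> str:
    """Return the kubernetes.io/ssh-auth Secret manifest as YAML text."""
    if not private_key.startswith(b"-----BEGIN"):
        raise ValueError("private key file does not look like a PEM/OpenSSH key")
    if not known_hosts_covers(known_hosts.decode(), host, port):
        raise ValueError(f"known_hosts has no plain entry for {host} on port {port}")

    def b64(data: bytes) -> str:  # one line, like `base64 -w 0`
        return base64.b64encode(data).decode()

    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        "  annotations:",
        f"    tekton.dev/git-0: {host}:{port}",  # same annotation as the page's secret
        "type: kubernetes.io/ssh-auth",
        "data:",
        f"  ssh-privatekey: {b64(private_key)}",
        f"  known_hosts: {b64(known_hosts)}",
        "",
    ])


# Constructed sample inputs; not a usable key.
SAMPLE_PRIVATE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                      b"AAAAplaceholderplaceholderplaceholder\n"
                      b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_KNOWN_HOSTS = b"[gitlab.example.internal]:8000 ssh-ed25519 AAAAC3placeholderkey\n"

if __name__ == "__main__":
    # usage: script.py ~/.ssh/id_rsa ~/.ssh/known_hosts HOST PORT > secret.yaml
    if len(sys.argv) == 5:
        with open(sys.argv[1], "rb") as f_key, open(sys.argv[2], "rb") as f_kh:
            key, kh = f_key.read(), f_kh.read()
        print(build_ssh_secret(key, kh, sys.argv[3], int(sys.argv[4])), end="")
    else:
        print(build_ssh_secret(SAMPLE_PRIVATE_KEY, SAMPLE_KNOWN_HOSTS,
                               "gitlab.example.internal", 8000), end="")
```

Run without arguments it prints a manifest built from the placeholder inputs; with the four arguments it reads your real files. The port check matters because the annotation on the page names port 8000, and a known_hosts copied from a workstation that only ever connected on port 22 will not contain the "[host]:8000" form.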
  7. Create serviceaccount.yaml. The ServiceAccount references the two Secrets created above, so they can be used through the ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-secret
  - name: gitlab-ssh-secret
  8. Create gitlab-push-listener.yaml. I use a separate persistent volume here so that the full code does not have to be pulled every time; each project is placed in its own directory. The official example is not this detailed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-workspace-pvc
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  # rook-cephfs is the StorageClass defined in the Rook cephfs yaml
  storageClassName: rook-cephfs

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: gitlab-echo-template
spec:
  params:
    - name: gitrevision
    - name: gitrepositoryurl
    - name: gitrepositoryname
  resourcetemplates:
    - apiVersion: tekton.dev/v1alpha1
      kind: TaskRun
      metadata:
        generateName: gitlab-run-
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskSpec:
          workspaces:
            - name: gitlab_workspace
              mountPath: /workspace/$(tt.params.gitrepositoryname)
          inputs:
            resources:
              - name: source
                type: git
          steps:
            - image: ubuntu
              script: |
                #! /bin/bash
                pwd
                df -h
                ls -al $(inputs.resources.source.path)
        inputs:
          resources:
            - name: source
              resourceSpec:
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision)
                  - name: url
                    value: $(tt.params.gitrepositoryurl)
        workspaces:
          - name: gitlab_workspace # must match workspace name in the Task
            persistentVolumeClaim:
              claimName: gitlab-workspace-pvc # this PVC must already exist

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_ssh_url)
    - name: gitrepositoryname
      value: $(body.repository.name)

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - gitlab:
            secretRef:
              secretName: gitlab-webhook-secret
              secretKey: secretToken
            eventTypes:
              - Push Hook  # Only push events
      bindings:
        - ref: gitlab-push-binding
      template:
        name: gitlab-echo-template
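To see what the three objects above do to a single push without a cluster, here is an added example (not Tekton's code) that re-implements the chain in plain Python: the gitlab interceptor's shared-secret check on X-Gitlab-Token and its eventTypes filter on X-Gitlab-Event, the TriggerBinding's $(body...) lookups, and the TriggerTemplate's substitution of $(tt.params.*) into the TaskRun. The request it processes is constructed; the token, host and repository values are placeholders. Two details are this example's own choices rather than the page's: the token comparison is constant-time, and the repository name is required to be a single plain path component before it is used in mountPath.

```python
"""Offline walk-through of gitlab-listener for one push (added example).

Not Tekton's code: interceptor -> binding -> template, as the EventListener
chains them, with a constructed "Push Hook" request as input.
"""
from __future__ import annotations

import hmac
import json
import re
from typing import Any

WEBHOOK_SECRET_TOKEN = "example-shared-token"  # placeholder for secretToken
ALLOWED_EVENT_TYPES = {"Push Hook"}            # eventTypes in the listener
BINDING = {                                    # params of gitlab-push-binding
    "gitrevision": "$(body.checkout_sha)",
    "gitrepositoryurl": "$(body.repository.git_ssh_url)",
    "gitrepositoryname": "$(body.repository.name)",
}


def gitlab_interceptor(headers: dict, body: bytes) -> dict:
    """Reject the request the way the gitlab interceptor does.

    GitLab sends the configured Secret Token verbatim in X-Gitlab-Token
    (a shared secret, not an HMAC); the constant-time compare is this
    example's choice. Then the event type is filtered against eventTypes.
    """
    token = headers.get("X-Gitlab-Token", "")
    if not hmac.compare_digest(token.encode(), WEBHOOK_SECRET_TOKEN.encode()):
        raise PermissionError("invalid X-Gitlab-Token")
    event = headers.get("X-Gitlab-Event", "")
    if event not in ALLOWED_EVENT_TYPES:
        raise ValueError(f"event type {event!r} not in eventTypes")
    return json.loads(body)


def resolve(payload: dict, expr: str) -> str:
    """Evaluate one $(body.a.b) binding expression against the parsed body."""
    m = re.fullmatch(r"\$\(body((?:\.[A-Za-z0-9_]+)+)\)", expr)
    if not m:
        raise ValueError(f"unsupported expression {expr!r}")
    node: Any = payload
    for key in m.group(1).lstrip(".").split("."):
        node = node[key]  # KeyError: the push body lacks this field
    return str(node)


def render_taskrun(params: dict) -> dict:
    """Build the TaskRun that gitlab-echo-template would create.

    The repository name ends up in a mountPath, so (an addition to the
    page's template) it must be a single plain path component.
    """
    name = params["gitrepositoryname"]
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", name):
        raise ValueError(f"repository name {name!r} is not a safe path segment")
    return {
        "apiVersion": "tekton.dev/v1alpha1",
        "kind": "TaskRun",
        "metadata": {"generateName": "gitlab-run-"},
        "spec": {
            "serviceAccountName": "tekton-triggers-gitlab-sa",
            "workspaces": [{"name": "gitlab_workspace",
                            "persistentVolumeClaim": {"claimName": "gitlab-workspace-pvc"}}],
            "taskSpec": {"workspaces": [{"name": "gitlab_workspace",
                                         "mountPath": f"/workspace/{name}"}]},
            "inputs": {"resources": [{"name": "source", "resourceSpec": {
                "type": "git",
                "params": [{"name": "revision", "value": params["gitrevision"]},
                           {"name": "url", "value": params["gitrepositoryurl"]}]}}]},
        },
    }


def handle_webhook(headers: dict, body: bytes) -> dict:
    """interceptor -> binding -> template, as the EventListener chains them."""
    payload = gitlab_interceptor(headers, body)
    params = {name: resolve(payload, expr) for name, expr in BINDING.items()}
    return render_taskrun(params)


# Constructed request: only the "Push Hook" fields the binding reads
# (a real payload carries many more). Host and SHA are placeholders.
SAMPLE_HEADERS = {"X-Gitlab-Event": "Push Hook", "X-Gitlab-Token": WEBHOOK_SECRET_TOKEN}
SAMPLE_BODY = json.dumps({
    "object_kind": "push",
    "checkout_sha": "0123456789abcdef0123456789abcdef01234567",
    "repository": {"name": "demo-app",
                   "git_ssh_url": "ssh://git@gitlab.example.internal:8000/group/demo-app.git"},
}).encode()

if __name__ == "__main__":
    print(json.dumps(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY), indent=2))
```

Running it prints the TaskRun the listener would submit for the sample push. The cases worth trying by hand are the rejections: a wrong token and a "Tag Push Hook" event are dropped by the interceptor before any binding runs, and a body missing checkout_sha fails at the binding, which is the same order in which the real EventListener reports errors in its logs.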
  9. Create an Ingress so that the external GitLab instance can deliver push events to Tekton.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-trigger
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tekton-trigger.your_domain.com`)
    services:
    - name: el-gitlab-listener
      port: 8080
  tls:
    certResolver: aliyun
    domains:
    - main: "tekton-trigger.your_domain.com"

  10. Create a webhook in the GitLab project. The URL is the one exposed through the IngressRoute above, and the Secret Token is the secretToken value from secret.yaml.

  11. Apply the files generated in steps 5-9 to Kubernetes. This example places them in a separate tekton-gitlab namespace.

kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml
  12. After pushing to GitLab, a TaskRun is created and run automatically. The result is as follows:

Tags: git yaml webhook

Posted by just me and php on Tue, 24 May 2022 21:23:21 +0300