This article shows how to run Tekton's cloud-native CI/CD against GitLab. The editor found it quite practical and shares it here for everyone to learn from; hopefully you will take something away from it. Without further ado, let's get started.
Environment: unrestricted outbound network access (gcr.io and Docker Hub reachable, e.g. through a proxy), Kubernetes 1.18+, latest Tekton
Overview
Tekton is a powerful and flexible Kubernetes-native open-source framework for building continuous integration and delivery (CI/CD) systems. It lets you build, test and deploy across multiple cloud providers or on-premises systems without worrying about the underlying implementation details.
Tekton's built-in best practices let you create cloud-native CI/CD pipelines quickly. Its goal is to let developers create and deploy immutable images, manage versioning of infrastructure, or perform rollbacks more easily. With Tekton you can also use advanced deployment patterns such as rolling deployments, blue/green deployments, canary deployments or GitOps workflows.
Tekton is convoluted to configure, really convoluted, and slow. I honestly recommend Drone: https://my.oschina.net/u/160697/blog/4487417
The scenario: after code is pushed to GitLab, a webhook triggers a build that packages a Docker image and pushes it to a private Harbor registry.
Installing Tekton
# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# this example uses triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# with the dashboard installed, tkn (the CLI) is not needed
kubectl apply -f https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml
Expose the Tekton dashboard to the outside world. See https://my.oschina.net/u/160697/blog/4437939 on using the dashboard securely (the dashboard itself has no authentication, so it sits behind Traefik basic auth here).
apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-auth-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  basicAuth:
    secret: tekton-dashboard-auth-secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`tekton.your_domain.com`)
      services:
        - name: tekton-dashboard
          port: 9097
      middlewares:
        - name: tekton-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
      - main: "tekton.your_domain.com"
Use Tekton Triggers to create TaskRuns automatically; this example only uses a GitLab repository. It is based on the official example, which is for reference only and does not fit a real setup as-is.
mkdir gitlab-trigger
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml
Generate an SSH key pair. Add the public key to the GitLab project's Deploy Keys and put the private key into a Kubernetes Secret. See the official Tekton documentation.
ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0
Create secret.yaml and paste the two base64 strings printed above into ssh-privatekey and known_hosts.
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-secret
type: Opaque
stringData:
  secretToken: "qxFtJX5jh88b83P"
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ssh-secret
  annotations:
    tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 encoded>
  known_hosts: <base64 encoded>
# private registry credentials
# https://kubernetes.io/zh/docs/tasks/configure-pod-container/pull-image-private-registry/
# kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
---
apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-secret
  annotations:
    tekton.dev/docker-0: registry.you_harbor_addr.com:31000
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64 encoded>
Create serviceaccount.yaml.
The ServiceAccount references the three Secrets created above; anything that runs under this ServiceAccount can use them.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-secret
  - name: gitlab-ssh-secret
  - name: harbor-registry-secret
imagePullSecrets:
  - name: harbor-registry-secret
Create gitlab-push-listener.yaml. Kaniko is used to build the image. It can cache layers, but when the Dockerfile uses commands such as COPY, Kaniko logs "Unpacking rootfs as cmd COPY . . requires it." and pulls the base image every time, which needs good proxy access or is very slow. gcr.io, docker.com and docker.io all need to be reachable through the proxy. Another article was also consulted.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: workspace-cache-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  # rook-cephfs is the StorageClass defined in storageclass.yaml
  storageClassName: rook-cephfs
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: gitlab-build-and-push
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: $(resources.inputs.git-source.path)/Dockerfile
    - name: pathToContext
      type: string
      description: |
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: $(resources.inputs.git-source.path)
  resources:
    inputs:
      - name: git-source
        type: git
    outputs:
      - name: builtImage
        type: image
  # layer cache
  workspaces:
    - name: workspace-cache
      mountPath: /cache
  steps:
    - name: cache-images
      image: gcr.io/kaniko-project/warmer:latest
      # append further --image entries for every base image to cache
      args: ["--cache-dir=/cache",
             "--image=golang:alpine"]
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:latest
      workingDir: "$(params.pathToContext)"
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --cache=true
        - --cache-dir=/cache
        - --dockerfile=$(params.pathToDockerFile)
        - --destination=$(resources.outputs.builtImage.url)
        - --context=$(params.pathToContext)
        - --log-timestamp=true
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: gitlab-build-deploy-template
spec:
  params:
    - name: gitrevision
    - name: gitrepositoryurl
    - name: gitrepositoryname
  resourcetemplates:
    - apiVersion: tekton.dev/v1alpha1
      kind: TaskRun
      metadata:
        generateName: $(tt.params.gitrepositoryname)-run-
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskRef:
          name: gitlab-build-and-push
        params:
          - name: pathToDockerFile
            value: Dockerfile
        resources:
          inputs:
            - name: git-source
              resourceSpec:
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision)
                  - name: url
                    value: $(tt.params.gitrepositoryurl)
          outputs:
            - name: builtImage
              resourceSpec:
                type: image
                params:
                  - name: url
                    value: registry.your_registry.com:31000/your_project/$(tt.params.gitrepositoryname)
        workspaces:
          - name: workspace-cache # must match workspace name in the Task
            persistentVolumeClaim:
              claimName: workspace-cache-pvc # this PVC must already exist
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_ssh_url)
    - name: gitrepositoryname
      value: $(body.repository.name)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - gitlab:
            secretRef:
              secretName: gitlab-webhook-secret
              secretKey: secretToken
            eventTypes:
              - Push Hook # Only push events
      bindings:
        - ref: gitlab-push-binding
      template:
        name: gitlab-build-deploy-template
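The EventListener above is reachable from the internet, so the gitlab interceptor is what stands between an arbitrary HTTP POST and a TaskRun that clones a repository and pushes to Harbor: it compares the X-Gitlab-Token header with secretToken, drops everything that is not a Push Hook, and only then does the TriggerBinding read checkout_sha, repository.git_ssh_url and repository.name out of the body. The following is an added model of that flow, not code from the original article or from Tekton Triggers. The token, registry prefix and payload are constructed for the example, and the two validation rules at the end (repository name must be a DNS label, checkout_sha must be a 40-hex commit id) are an added hardening step that the page's configuration does not perform; they matter because repository.name flows straight into the TaskRun's generateName and the image destination, and a branch-deletion push carries checkout_sha: null.

```python
import hmac
import json
import re

# Constructed values for this example (not the page's cluster): the token held in
# gitlab-webhook-secret and the image prefix used by the TriggerTemplate.
WEBHOOK_TOKEN = "example-webhook-token"
REGISTRY_PREFIX = "registry.your_registry.com:31000/your_project"

# The TriggerBinding from the page, as param name -> JSONPath-style expression.
BINDING = {
    "gitrevision": "body.checkout_sha",
    "gitrepositoryurl": "body.repository.git_ssh_url",
    "gitrepositoryname": "body.repository.name",
}

# Added validation (not in the page's config): values that end up in object names
# and image references must be a DNS label; a revision must be a full commit SHA.
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def lookup(root, path):
    """Resolve a dotted expression such as body.repository.name against root."""
    node = root
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(path)
        node = node[key]
    return node


def intercept(headers, raw_body, secret_token, allowed_events=("Push Hook",)):
    """Model of the gitlab interceptor followed by the binding.

    Returns (params, None) when the delivery is accepted, or (None, reason)
    when it is rejected; the body is not parsed until the token and event pass.
    """
    # 1. Shared-secret check: GitLab sends the configured token in X-Gitlab-Token.
    token = headers.get("X-Gitlab-Token", "")
    if not hmac.compare_digest(token.encode(), secret_token.encode()):
        return None, "token mismatch"
    # 2. Event filter: only the configured eventTypes pass.
    event = headers.get("X-Gitlab-Event", "")
    if event not in allowed_events:
        return None, f"event {event!r} not allowed"
    # 3. Binding: extract the fields the TriggerTemplate needs.
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON body: {exc}"
    try:
        params = {name: lookup({"body": body}, path) for name, path in BINDING.items()}
    except KeyError as exc:
        return None, f"missing field {exc.args[0]}"
    # 4. Added check on webhook-supplied values before they reach the TaskRun.
    name, rev = params["gitrepositoryname"], params["gitrevision"]
    if not isinstance(name, str) or not DNS_LABEL.match(name):
        return None, "repository.name is not a valid DNS label"
    if not isinstance(rev, str) or not COMMIT_SHA.match(rev):
        return None, "checkout_sha is not a 40-hex commit id"
    return params, None


def render_taskrun(params):
    """Values the TriggerTemplate substitutes into the generated TaskRun."""
    name = params["gitrepositoryname"]
    return {
        "generateName": f"{name}-run-",
        "revision": params["gitrevision"],
        "url": params["gitrepositoryurl"],
        "image": f"{REGISTRY_PREFIX}/{name}",
    }


# Constructed, trimmed GitLab Push Hook delivery.
SAMPLE_HEADERS = {"X-Gitlab-Token": WEBHOOK_TOKEN, "X-Gitlab-Event": "Push Hook"}
SAMPLE_BODY = json.dumps({
    "object_kind": "push",
    "checkout_sha": "0123456789abcdef0123456789abcdef01234567",
    "repository": {
        "name": "demo-app",
        "git_ssh_url": "ssh://git@your_gitlab_addr:8000/group/demo-app.git",
    },
})

if __name__ == "__main__":
    params, reason = intercept(SAMPLE_HEADERS, SAMPLE_BODY, WEBHOOK_TOKEN)
    print(params or reason)
    if params:
        print(render_taskrun(params))
```

The two header checks are what the page's `secretRef` and `eventTypes` settings buy you; everything in step 4 is the extra validation you would add with a CEL interceptor or in the Task itself if the repository names in your GitLab are not already constrained.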
Create an Ingress so that GitLab, which is outside the cluster, can deliver push events to Tekton.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-trigger
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`tekton-trigger.your_domain.com`)
      services:
        - name: el-gitlab-listener
          port: 8080
  tls:
    certResolver: aliyun
    domains:
      - main: "tekton-trigger.your_domain.com"
Create a webhook in the GitLab project. Its URL is the address exposed above, and its Secret Token is the secretToken value from secret.yaml.
Apply the files produced in steps 5 to 9 to Kubernetes. This example puts them in a dedicated tekton-gitlab namespace.
kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml
After a push to GitLab, a TaskRun is created and runs automatically. The result looks like this:
That is how to run Tekton's cloud-native CI/CD against GitLab. Some of these points are likely to come up in day-to-day work; hopefully this article has helped you learn more.
Original article: https://my.oschina.net/u/160697/blog/4469399