温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

如何进行tekton云原生的CI/CD在gitlab应用

发布时间:2021-10-12 11:29:42 来源:亿速云 阅读:520 作者:柒染 栏目:云计算

本篇文章给大家分享的是有关如何进行tekton云原生的CI/CD在gitlab应用,小编觉得挺实用的,因此分享给大家学习,希望大家阅读完这篇文章后可以有所收获,话不多说,跟着小编一起来看看吧。

  1. 环境:科学环境,kubernetes 1.18+, tekton latest

  2. 说明

  • Tekton 是一个强大且灵活的 Kubernetes 原生开源框架,可用于创建持续集成和交付 (CI/CD) 系统。该框架可让您跨多个云服务商或本地系统进行构建、测试和部署,而无需操心基础实现详情。

  • Tekton 提供的内置最佳做法可让您快速创建云原生 CI/CD 流水线。其目标是让开发者创建和部署不可变映管理基础架构的版本控制,或者更轻松地执行回滚。借助 Tekton,您还可以利用高级部署模式,例如滚动部署、蓝/绿部署、Canary 部署或 GitOps 工作流。

  • Tekton配置起来很绕,真绕,又慢。真心推荐drone。https://my.oschina.net/u/160697/blog/4487417

  • 针对push代码到gitlab后触发webhook,通过打包docker镜像并推送到harbor私有仓库。

  1. 安装tekton

# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# 本例使用到了triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# 使用dashboard就可以不用安装ctl了
kubectl apply -f https://storage.gogleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml
  1. 暴露tekton dashboard外网使用,参考https://my.oschina.net/u/160697/blog/4437939 dashboard安全使用

apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-auth-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  basicAuth:
    secret: tekton-dashboard-auth-secret

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tekton.your_domain.com`)
    services:
    - name: tekton-dashboard
      port: 9097
    middlewares:
    - name: tekton-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
    - main: "tekton.your_domain.com"

如何进行tekton云原生的CI/CD在gitlab应用

  1. 通过tekton trigger自动创建TaskRun,本例只使用gitlab仓库。参考官方例子,只是参考,不合实际情况

mkdir gitlab-trigger
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml
  1. 生成ssh公私钥。把公钥复制到gitlab的Deploy Keys。私钥放到k8s中的Secret中。参考官方

ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0

创建secret.yaml,并把上面输出的结果复制到ssh-privatekey和known_hosts中

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-secret
type: Opaque
stringData:
  secretToken: "qxFtJX5jh88b83P"

---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ssh-secret
  annotations:
    tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 encoded>
  known_hosts: <base64 encoded>

# 私有仓库
# https://kubernetes.io/zh/docs/tasks/configure-pod-container/pull-image-private-registry/
# kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
---
apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-secret
  annotations:
    tekton.dev/docker-0: registry.you_harbor_addr.com:31000
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64 encoded>
  1. 创建serviceaccount.yaml ServiceAcount就包含了上面创建的三个secret,通过ServiceAcount就可以使用了

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-secret
  - name: gitlab-ssh-secret
  - name: harbor-registry-secret
imagePullSecrets:
  - name: harbor-registry-secret
  1. 创建gitlab-push-listener.yaml。使用kaniko来构建镜像,,可以缓存镜像,但在dockerfile中使用copy等命令时会发生Unpacking rootfs as cmd COPY . . requires it. ,每次都要拉镜像,需要更好的科学环境,不然很慢。需要要gcr.io, docker.com, docker.io都使用代理访问。也参考了这个篇幅

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: workspace-cache-pvc
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  #rook-cephfs就是storageclass.yaml里面定义的
  storageClassName: rook-cephfs

---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: gitlab-build-and-push
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: $(resources.inputs.git-source.path)/Dockerfile
    - name: pathToContext
      type: string
      description: |
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: $(resources.inputs.git-source.path)
  resources:
    inputs:
      - name: git-source
        type: git
    outputs:
      - name: builtImage
        type: image
  # 缓存
  workspaces:
    - name: workspace-cache
      mountPath: /cache
  steps:
    - name: cache-images
      image: gcr.io/kaniko-project/warmer:latest
      # 在最后添加需要缓存的image
      args: ["--cache-dir=/cache",
             "--image=golang:alpine"]
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:latest
      workingDir: "$(params.pathToContext)"
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --cache=true
        - --cache-dir=/cache
        - --dockerfile=$(params.pathToDockerFile)
        - --destination=$(resources.outputs.builtImage.url)
        - --context=$(params.pathToContext)
        - --log-timestamp=true

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: gitlab-build-deploy-template
spec:
  params:
    - name: gitrevision
    - name: gitrepositoryurl
    - name: gitrepositoryname
  resourcetemplates:
    - apiVersion: tekton.dev/v1alpha1
      kind: TaskRun
      metadata:
        generateName: $(tt.params.gitrepositoryname)-run-
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskRef:
          name: gitlab-build-and-push
        params:
          - name: pathToDockerFile
            value: Dockerfile
        resources:
          inputs:
            - name: git-source
              resourceSpec:
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision)
                  - name: url
                    value: $(tt.params.gitrepositoryurl)
          outputs:
            - name: builtImage
              resourceSpec:
                type: image
                params:
                  - name: url
                    value: registry.your_registry.com:31000/your_project/$(tt.params.gitrepositoryname)
        workspaces:
          - name: workspace-cache # must match workspace name in the Task
            persistentVolumeClaim:
              claimName: workspace-cache-pvc # this PVC must already exist
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_ssh_url)
    - name: gitrepositoryname
      value: $(body.repository.name)

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - gitlab:
            secretRef:
              secretName: gitlab-webhook-secret
              secretKey: secretToken
            eventTypes:
              - Push Hook  # Only push events
      bindings:
        - ref: gitlab-push-binding
      template:
        name: gitlab-build-deploy-template
  1. 创建一个Ingress让外网的gitlab能push event到tekton中。

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-trigger
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tekton-trigger.your_domain.com`)
    services:
    - name: el-gitlab-listener
      port: 8080
  tls:
    certResolver: aliyun
    domains:
    - main: "tekton-trigger.your_domain.com"
  1. 在gitlab的项目中创建一个webhook。url就是暴露的,Secret Token就是secret.yaml中的那个 如何进行tekton云原生的CI/CD在gitlab应用

  2. 把5-9步骤生成的文件应用到k8s中。本例单独放到一个tekton-gitlab的命名空间中

kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml
  1. push到gitlab后会自动创建taskrun,并运行。效果如下: 如何进行tekton云原生的CI/CD在gitlab应用

以上就是如何进行tekton云原生的CI/CD在gitlab应用,小编相信有部分知识点可能是我们日常工作会见到或用到的。希望你能通过这篇文章学到更多知识。更多详情敬请关注亿速云行业资讯频道。

向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI