本篇文章给大家分享的是有关如何进行tekton云原生的CI/CD在gitlab应用,小编觉得挺实用的,因此分享给大家学习,希望大家阅读完这篇文章后可以有所收获,话不多说,跟着小编一起来看看吧。
环境:科学环境,kubernetes 1.18+, tekton latest
说明
Tekton 是一个强大且灵活的 Kubernetes 原生开源框架,可用于创建持续集成和交付 (CI/CD) 系统。该框架可让您跨多个云服务商或本地系统进行构建、测试和部署,而无需操心基础实现详情。
Tekton 提供的内置最佳做法可让您快速创建云原生 CI/CD 流水线。其目标是让开发者创建和部署不可变映管理基础架构的版本控制,或者更轻松地执行回滚。借助 Tekton,您还可以利用高级部署模式,例如滚动部署、蓝/绿部署、Canary 部署或 GitOps 工作流。
Tekton配置起来很绕,真绕,又慢。真心推荐drone。https://my.oschina.net/u/160697/blog/4487417
针对push代码到gitlab后触发webhook,通过打包docker镜像并推送到harbor私有仓库。
安装tekton
# pipeline kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml # 本例使用到了triggers kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml # 使用dashboard就可以不用安装ctl了 kubectl apply -f https://storage.gogleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml
暴露tekton dashboard外网使用,参考https://my.oschina.net/u/160697/blog/4437939 dashboard安全使用
apiVersion: v1 kind: Secret metadata: name: tekton-dashboard-auth-secret namespace: tekton-pipelines type: Opaque stringData: users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1 --- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: tekton-dashboard-auth namespace: tekton-pipelines spec: basicAuth: secret: tekton-dashboard-auth-secret --- apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: tekton-dashboard namespace: tekton-pipelines spec: entryPoints: - websecure routes: - kind: Rule match: Host(`tekton.your_domain.com`) services: - name: tekton-dashboard port: 9097 middlewares: - name: tekton-dashboard-auth tls: certResolver: aliyun domains: - main: "tekton.your_domain.com"
通过tekton trigger自动创建TaskRun,本例只使用gitlab仓库。参考官方例子,只是参考,不合实际情况
mkdir gitlab-trigger wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml
生成ssh公私钥。把公钥复制到gitlab的Deploy Keys。私钥放到k8s中的Secret中。参考官方
ssh-keygen -t rsa cat ~/.ssh/id_rsa | base64 -w 0 cat ~/.ssh/known_hosts | base64 -w 0
创建secret.yaml,并把上面输出的结果复制到ssh-privatekey和known_hosts中
apiVersion: v1 kind: Secret metadata: name: gitlab-webhook-secret type: Opaque stringData: secretToken: "qxFtJX5jh88b83P" --- apiVersion: v1 kind: Secret metadata: name: gitlab-ssh-secret annotations: tekton.dev/git-0: your_gitlab_addr:8000 type: kubernetes.io/ssh-auth data: ssh-privatekey: <base64 encoded> known_hosts: <base64 encoded> # 私有仓库 # https://kubernetes.io/zh/docs/tasks/configure-pod-container/pull-image-private-registry/ # kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email> --- apiVersion: v1 kind: Secret metadata: name: harbor-registry-secret annotations: tekton.dev/docker-0: registry.you_harbor_addr.com:31000 type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: <base64 encoded>
创建serviceaccount.yaml ServiceAcount就包含了上面创建的三个secret,通过ServiceAcount就可以使用了
apiVersion: v1 kind: ServiceAccount metadata: name: tekton-triggers-gitlab-sa secrets: - name: gitlab-webhook-secret - name: gitlab-ssh-secret - name: harbor-registry-secret imagePullSecrets: - name: harbor-registry-secret
创建gitlab-push-listener.yaml。使用kaniko来构建镜像,,可以缓存镜像,但在dockerfile中使用copy等命令时会发生Unpacking rootfs as cmd COPY . . requires it. ,每次都要拉镜像,需要更好的科学环境,不然很慢。需要要gcr.io, docker.com, docker.io都使用代理访问。也参考了这个篇幅
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: workspace-cache-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 2Gi #rook-cephfs就是storageclass.yaml里面定义的 storageClassName: rook-cephfs --- apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: gitlab-build-and-push spec: params: - name: pathToDockerFile type: string description: The path to the dockerfile to build default: $(resources.inputs.git-source.path)/Dockerfile - name: pathToContext type: string description: | The build context used by Kaniko (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts) default: $(resources.inputs.git-source.path) resources: inputs: - name: git-source type: git outputs: - name: builtImage type: image # 缓存 workspaces: - name: workspace-cache mountPath: /cache steps: - name: cache-images image: gcr.io/kaniko-project/warmer:latest # 在最后添加需要缓存的image args: ["--cache-dir=/cache", "--image=golang:alpine"] - name: build-and-push image: gcr.io/kaniko-project/executor:latest workingDir: "$(params.pathToContext)" # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG" value: "/tekton/home/.docker/" command: - /kaniko/executor args: - --cache=true - --cache-dir=/cache - --dockerfile=$(params.pathToDockerFile) - --destination=$(resources.outputs.builtImage.url) - --context=$(params.pathToContext) - --log-timestamp=true --- apiVersion: triggers.tekton.dev/v1alpha1 kind: TriggerTemplate metadata: name: gitlab-build-deploy-template spec: params: - name: gitrevision - name: gitrepositoryurl - name: gitrepositoryname resourcetemplates: - apiVersion: tekton.dev/v1alpha1 kind: TaskRun metadata: generateName: $(tt.params.gitrepositoryname)-run- spec: serviceAccountName: tekton-triggers-gitlab-sa taskRef: name: gitlab-build-and-push params: - name: pathToDockerFile value: Dockerfile resources: inputs: - name: git-source resourceSpec: type: git params: - name: revision value: $(tt.params.gitrevision) - name: url value: $(tt.params.gitrepositoryurl) outputs: - name: builtImage resourceSpec: type: image params: - name: url value: registry.your_registry.com:31000/your_project/$(tt.params.gitrepositoryname) workspaces: - name: workspace-cache # must match workspace name in the Task persistentVolumeClaim: claimName: workspace-cache-pvc # this PVC must already exist --- apiVersion: triggers.tekton.dev/v1alpha1 kind: TriggerBinding metadata: name: gitlab-push-binding spec: params: - name: gitrevision value: $(body.checkout_sha) - name: gitrepositoryurl value: $(body.repository.git_ssh_url) - name: gitrepositoryname value: $(body.repository.name) --- apiVersion: triggers.tekton.dev/v1alpha1 kind: EventListener metadata: name: gitlab-listener spec: serviceAccountName: tekton-triggers-gitlab-sa triggers: - name: gitlab-push-events-trigger interceptors: - gitlab: secretRef: secretName: gitlab-webhook-secret secretKey: secretToken eventTypes: - Push Hook # Only push events bindings: - ref: gitlab-push-binding template: name: gitlab-build-deploy-template
创建一个Ingress让外网的gitlab能push event到tekton中。
apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: tekton-trigger spec: entryPoints: - websecure routes: - kind: Rule match: Host(`tekton-trigger.your_domain.com`) services: - name: el-gitlab-listener port: 8080 tls: certResolver: aliyun domains: - main: "tekton-trigger.your_domain.com"
在gitlab的项目中创建一个webhook。url就是暴露的,Secret Token就是secret.yaml中的那个 
把5-9步骤生成的文件应用到k8s中。本例单独放到一个tekton-gitlab的命名空间中
kubectl create ns tekton-gitlab kubectl apply -n tekton-gitlab -f secret.yaml kubectl apply -n tekton-gitlab -f role.yaml kubectl apply -n tekton-gitlab -f binding.yaml kubectl apply -n tekton-gitlab -f serviceaccount.yaml kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml
push到gitlab后会自动创建taskrun,并运行。效果如下: 
以上就是如何进行tekton云原生的CI/CD在gitlab应用,小编相信有部分知识点可能是我们日常工作会见到或用到的。希望你能通过这篇文章学到更多知识。更多详情敬请关注亿速云行业资讯频道。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
