This article walks through using Tekton, a Kubernetes-native CI/CD framework, with GitLab.
Environment: Kubernetes 1.18+, latest Tekton, and proxy access to the external image registries that are otherwise unreachable from the cluster.
Overview
Tekton is a powerful and flexible Kubernetes-native open-source framework for creating continuous integration and delivery (CI/CD) systems. It lets you build, test and deploy across multiple cloud providers or on-premises systems without worrying about the underlying implementation details.
Tekton's built-in best practices let you create cloud-native CI/CD pipelines quickly. Its goal is to let developers create and deploy immutable images, keep infrastructure under version control, or perform rollbacks more easily. With Tekton you can also use advanced deployment patterns such as rolling, blue/green and canary deployments or GitOps workflows.
Tekton is convoluted to configure, really convoluted, and slow. I honestly recommend Drone: https://my.oschina.net/u/160697/blog/4487417
The flow covered here: a code push to GitLab fires a webhook, Tekton builds a Docker image and pushes it to a private Harbor registry.
Install Tekton
```shell
# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# this example uses triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# with the dashboard installed there is no need for the tkn CLI
kubectl apply -f https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml
```
Expose the Tekton dashboard to the internet behind basic auth; see https://my.oschina.net/u/160697/blog/4437939 for securing the dashboard.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-auth-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  basicAuth:
    secret: tekton-dashboard-auth-secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`tekton.your_domain.com`)
      services:
        - name: tekton-dashboard
          port: 9097
      middlewares:
        - name: tekton-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
      - main: "tekton.your_domain.com"
```
Use Tekton Triggers to create TaskRuns automatically; this example only handles a GitLab repository. It is adapted from the official example, which is a reference only and does not fit a real setup as-is.
```shell
mkdir gitlab-trigger
cd gitlab-trigger   # download the official example files into this directory
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml
```
Generate an SSH key pair. Copy the public key into the GitLab project's Deploy Keys and put the private key into a Kubernetes Secret (see the official docs).
```shell
ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0
```
Create secret.yaml and paste the two outputs above into ssh-privatekey and known_hosts.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-secret
type: Opaque
stringData:
  secretToken: "qxFtJX5jh88b83P"
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ssh-secret
  annotations:
    tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 encoded>
  known_hosts: <base64 encoded>
# private registry
# https://kubernetes.io/zh/docs/tasks/configure-pod-container/pull-image-private-registry/
# kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
---
apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-secret
  annotations:
    tekton.dev/docker-0: registry.you_harbor_addr.com:31000
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64 encoded>
```
Create serviceaccount.yaml. The ServiceAccount references the three Secrets created above, so any TaskRun that runs under it can use them.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-secret
  - name: gitlab-ssh-secret
  - name: harbor-registry-secret
imagePullSecrets:
  - name: harbor-registry-secret
```
Create gitlab-push-listener.yaml. The image is built with kaniko, which can cache base images, but whenever the Dockerfile uses commands such as COPY it reports "Unpacking rootfs as cmd COPY . . requires it." and pulls the base image every time, so you need good proxy access or it is very slow: gcr.io, docker.com and docker.io all have to be reached through the proxy. Another post was also used as a reference.
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: workspace-cache-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  # rook-cephfs is the StorageClass defined in storageclass.yaml
  storageClassName: rook-cephfs
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: gitlab-build-and-push
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: $(resources.inputs.git-source.path)/Dockerfile
    - name: pathToContext
      type: string
      description: |
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: $(resources.inputs.git-source.path)
  resources:
    inputs:
      - name: git-source
        type: git
    outputs:
      - name: builtImage
        type: image
  # cache
  workspaces:
    - name: workspace-cache
      mountPath: /cache
  steps:
    - name: cache-images
      image: gcr.io/kaniko-project/warmer:latest
      # append the images to cache at the end of the list
      args: ["--cache-dir=/cache", "--image=golang:alpine"]
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:latest
      workingDir: "$(params.pathToContext)"
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --cache=true
        - --cache-dir=/cache
        - --dockerfile=$(params.pathToDockerFile)
        - --destination=$(resources.outputs.builtImage.url)
        - --context=$(params.pathToContext)
        - --log-timestamp=true
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: gitlab-build-deploy-template
spec:
  params:
    - name: gitrevision
    - name: gitrepositoryurl
    - name: gitrepositoryname
  resourcetemplates:
    - apiVersion: tekton.dev/v1alpha1
      kind: TaskRun
      metadata:
        generateName: $(tt.params.gitrepositoryname)-run-
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskRef:
          name: gitlab-build-and-push
        params:
          - name: pathToDockerFile
            value: Dockerfile
        resources:
          inputs:
            - name: git-source
              resourceSpec:
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision)
                  - name: url
                    value: $(tt.params.gitrepositoryurl)
          outputs:
            - name: builtImage
              resourceSpec:
                type: image
                params:
                  - name: url
                    value: registry.your_registry.com:31000/your_project/$(tt.params.gitrepositoryname)
        workspaces:
          - name: workspace-cache # must match workspace name in the Task
            persistentVolumeClaim:
              claimName: workspace-cache-pvc # this PVC must already exist
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_ssh_url)
    - name: gitrepositoryname
      value: $(body.repository.name)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - gitlab:
            secretRef:
              secretName: gitlab-webhook-secret
              secretKey: secretToken
            eventTypes:
              - Push Hook # Only push events
      bindings:
        - ref: gitlab-push-binding
      template:
        name: gitlab-build-deploy-template
```
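To make explicit what the EventListener above does with an incoming webhook (the gitlab interceptor checks the token and event type, the TriggerBinding extracts three fields, the TriggerTemplate renders the TaskRun), here is a small Python model. It is an added example, not Tekton's code; the headers and push body are constructed, and SECRET_TOKEN and REGISTRY_PREFIX reuse the values from secret.yaml and gitlab-push-listener.yaml.

```python
# Added model of the EventListener above; not Tekton's code. Sample request is constructed.
import hmac
import json
import re

SECRET_TOKEN = "qxFtJX5jh88b83P"   # secretToken in gitlab-webhook-secret
ALLOWED_EVENTS = {"Push Hook"}      # eventTypes in the EventListener
REGISTRY_PREFIX = "registry.your_registry.com:31000/your_project/"

def token_ok(headers: dict) -> bool:
    # GitLab sends the secret in X-Gitlab-Token; compare in constant time
    return hmac.compare_digest(headers.get("X-Gitlab-Token", ""), SECRET_TOKEN)

def event_ok(headers: dict) -> bool:
    return headers.get("X-Gitlab-Event", "") in ALLOWED_EVENTS

def safe_name(name: str) -> bool:
    # repository.name feeds generateName and the image path, so it must be a
    # DNS-1123 label; GitLab project names may contain spaces or uppercase
    return re.fullmatch(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?", name) is not None

def intercept(headers: dict, body: bytes) -> dict:
    """gitlab interceptor: reject the request before any TaskRun is created."""
    if not token_ok(headers):
        raise PermissionError("X-Gitlab-Token does not match gitlab-webhook-secret")
    if not event_ok(headers):
        raise ValueError("event type not in eventTypes")
    return json.loads(body)

def bind(payload: dict) -> dict:
    """gitlab-push-binding: the three $(body...) params."""
    return {"gitrevision": payload["checkout_sha"],
            "gitrepositoryurl": payload["repository"]["git_ssh_url"],
            "gitrepositoryname": payload["repository"]["name"]}

def render_taskrun(params: dict) -> dict:
    """gitlab-build-deploy-template: the fields the TaskRun would carry."""
    name = params["gitrepositoryname"]
    if not safe_name(name):
        raise ValueError(f"repository name {name!r} is not a valid generateName")
    return {"generateName": f"{name}-run-", "revision": params["gitrevision"],
            "url": params["gitrepositoryurl"], "image": REGISTRY_PREFIX + name}

def handle(headers: dict, body: bytes) -> dict:
    return render_taskrun(bind(intercept(headers, body)))
# Constructed GitLab push event (field names are GitLab's; values are made up)
SAMPLE_HEADERS = {"X-Gitlab-Token": SECRET_TOKEN, "X-Gitlab-Event": "Push Hook"}
SAMPLE_BODY = json.dumps({"checkout_sha": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
                          "repository": {"name": "myapp",
                                         "git_ssh_url": "ssh://git@your_gitlab_addr:8000/your_project/myapp.git"}}).encode()
```

The name check is the caveat the template does not enforce on its own: a project name with uppercase or spaces would produce an invalid generateName and image reference, so failing early is the safer behaviour.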
Create an Ingress so that the external GitLab can deliver push events to Tekton (saved as ingress-tekton-trigger.yaml, the file name used in the apply step below).
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-trigger
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`tekton-trigger.your_domain.com`)
      services:
        - name: el-gitlab-listener
          port: 8080
  tls:
    certResolver: aliyun
    domains:
      - main: "tekton-trigger.your_domain.com"
```
Create a webhook in the GitLab project. The URL is the host exposed above, and the Secret Token is the secretToken from secret.yaml.
Apply the files generated in steps 5 to 9 to Kubernetes. This example puts them in a dedicated tekton-gitlab namespace.
```shell
kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml
```
After a push to GitLab, a TaskRun is created and runs automatically.