
如何進(jìn)行tekton云原生的CI/CD在gitlab應(yīng)用

Published: 2021-10-12 11:29:42 Source: Yisu Cloud (億速云) Reads: 514 Author: 柒染 Category: Cloud computing

This article shares how to use Tekton's cloud-native CI/CD with GitLab. The editor found it quite practical, so it is shared here for everyone to learn from; hopefully you gain something from reading it. Without further ado, let's follow along.

  1. Environment: unrestricted (proxied) internet access, Kubernetes 1.18+, latest Tekton

  2. Notes

  • Tekton is a powerful and flexible Kubernetes-native open-source framework for building continuous integration and delivery (CI/CD) systems. It lets you build, test and deploy across multiple cloud providers or on-premises systems without worrying about the underlying implementation details.

  • The built-in best practices Tekton provides let you quickly create cloud-native CI/CD pipelines. Its goal is to let developers create and deploy immutable images, manage version control of infrastructure, or perform rollbacks more easily. With Tekton you can also use advanced deployment patterns such as rolling deployments, blue/green deployments, canary deployments or GitOps workflows.

  • Tekton is convoluted to configure, really convoluted, and slow. I sincerely recommend Drone: https://my.oschina.net/u/160697/blog/4487417

  • Goal: after code is pushed to GitLab, a webhook fires, a Docker image is built and pushed to a private Harbor registry.

  3. Install Tekton

# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# this example uses Triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# with the dashboard installed there is no need to install the tkn CLI
kubectl apply -f https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml

  4. Expose the Tekton dashboard for external use. See https://my.oschina.net/u/160697/blog/4437939 on using the dashboard securely: the dashboard has no authentication of its own, so it is placed behind a Traefik basicAuth middleware and TLS below.

apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-auth-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  basicAuth:
    secret: tekton-dashboard-auth-secret

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tekton.your_domain.com`)
    services:
    - name: tekton-dashboard
      port: 9097
    middlewares:
    - name: tekton-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
    - main: "tekton.your_domain.com"


  5. Create TaskRuns automatically with Tekton Triggers; this example only uses a GitLab repository. Based on the official example, but only as a reference, since it does not fit the actual situation.

mkdir gitlab-trigger
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml

  6. Generate an SSH key pair. Copy the public key into the GitLab project's Deploy Keys; put the private key into a Kubernetes Secret. See the official docs.

ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0

Create secret.yaml and paste the two outputs above into ssh-privatekey and known_hosts (known_hosts pins the GitLab host key so the git clone verifies the server it talks to)

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-secret
type: Opaque
stringData:
  secretToken: "qxFtJX5jh88b83P"

---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ssh-secret
  annotations:
    tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 encoded>
  known_hosts: <base64 encoded>

# private registry
# https://kubernetes.io/zh/docs/tasks/configure-pod-container/pull-image-private-registry/
# kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
---
apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-secret
  annotations:
    tekton.dev/docker-0: registry.you_harbor_addr.com:31000
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64 encoded>
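
The two `<base64 encoded>` placeholders above are easy to get wrong by hand, so here is an added example (not code from the original post) that builds the ssh-auth and dockerconfigjson Secrets programmatically, including the `tekton.dev/git-0` and `tekton.dev/docker-0` annotations that Tekton's credential initializer looks for. The key material, host name, registry address and credentials are constructed stand-ins; the JSON it emits is a `v1/List` that `kubectl apply -f` accepts as-is.

```python
"""Generate the secret.yaml credential objects from step 6.

Added example, not part of the original post. All key, host and registry
values below are constructed samples; replace them with your own.
"""
import base64
import json


def b64(raw: bytes) -> str:
    """Standard base64 without line wrapping (same output as `base64 -w 0`)."""
    return base64.b64encode(raw).decode("ascii")


def ssh_auth_secret(name: str, git_host: str, private_key: bytes, known_hosts: bytes) -> dict:
    """kubernetes.io/ssh-auth Secret. The tekton.dev/git-0 annotation names the
    host this key is for; Tekton only wires the key into ~/.ssh for that host."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "annotations": {"tekton.dev/git-0": git_host}},
        "type": "kubernetes.io/ssh-auth",
        "data": {"ssh-privatekey": b64(private_key), "known_hosts": b64(known_hosts)},
    }


def docker_config_json(registry: str, username: str, password: str) -> dict:
    """The config.json document `kubectl create secret docker-registry` stores:
    the auth field is base64(username:password) for the given registry."""
    auth = b64(f"{username}:{password}".encode())
    return {"auths": {registry: {"username": username, "password": password, "auth": auth}}}


def registry_secret(name: str, registry: str, username: str, password: str) -> dict:
    """kubernetes.io/dockerconfigjson Secret with the tekton.dev/docker-0 annotation,
    which is what lets kaniko push to the registry via DOCKER_CONFIG."""
    cfg = json.dumps(docker_config_json(registry, username, password)).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "annotations": {"tekton.dev/docker-0": registry}},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(cfg)},
    }


def decode_registry_secret(secret: dict) -> dict:
    """Round-trip check: recover the auths map from a generated Secret."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


def manifest(*objects: dict) -> str:
    """A v1 List in JSON; JSON is valid YAML, so kubectl apply -f accepts it."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(objects)}, indent=2)


if __name__ == "__main__":
    # Constructed sample inputs; a real run reads ~/.ssh/id_rsa and ~/.ssh/known_hosts.
    ssh = ssh_auth_secret("gitlab-ssh-secret", "gitlab.example.test:8000",
                          b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
                          b"[gitlab.example.test]:8000 ssh-ed25519 AAAAconstructed\n")
    reg = registry_secret("harbor-registry-secret", "registry.example.test:31000", "robot", "pw")
    print(manifest(ssh, reg))
```

Because the password sits in clear inside the decoded `.dockerconfigjson`, treat the generated file like the password itself: keep it out of the repository and out of the `tekton-gitlab` namespace's RBAC reach for anyone who should not be able to push images.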

  7. Create serviceaccount.yaml. The ServiceAccount bundles the three Secrets created above, so TaskRuns that use the ServiceAccount can use them

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-secret
  - name: gitlab-ssh-secret
  - name: harbor-registry-secret
imagePullSecrets:
  - name: harbor-registry-secret

  8. Create gitlab-push-listener.yaml. Kaniko is used to build the image; it can cache base images, but when the Dockerfile uses commands such as COPY the message "Unpacking rootfs as cmd COPY . . requires it." appears and the image is pulled every time, so a good (proxied) network is required or builds are very slow. gcr.io, docker.com and docker.io all need to be reached through the proxy. Another article was also used as a reference.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: workspace-cache-pvc
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  # rook-cephfs is the StorageClass defined in storageclass.yaml
  storageClassName: rook-cephfs

---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: gitlab-build-and-push
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: $(resources.inputs.git-source.path)/Dockerfile
    - name: pathToContext
      type: string
      description: |
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: $(resources.inputs.git-source.path)
  resources:
    inputs:
      - name: git-source
        type: git
    outputs:
      - name: builtImage
        type: image
  # cache
  workspaces:
    - name: workspace-cache
      mountPath: /cache
  steps:
    - name: cache-images
      image: gcr.io/kaniko-project/warmer:latest
      # append any further images to cache at the end
      args: ["--cache-dir=/cache",
             "--image=golang:alpine"]
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:latest
      workingDir: "$(params.pathToContext)"
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --cache=true
        - --cache-dir=/cache
        - --dockerfile=$(params.pathToDockerFile)
        - --destination=$(resources.outputs.builtImage.url)
        - --context=$(params.pathToContext)
        - --log-timestamp=true

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: gitlab-build-deploy-template
spec:
  params:
    - name: gitrevision
    - name: gitrepositoryurl
    - name: gitrepositoryname
  resourcetemplates:
    - apiVersion: tekton.dev/v1alpha1
      kind: TaskRun
      metadata:
        generateName: $(tt.params.gitrepositoryname)-run-
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskRef:
          name: gitlab-build-and-push
        params:
          - name: pathToDockerFile
            value: Dockerfile
        resources:
          inputs:
            - name: git-source
              resourceSpec:
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision)
                  - name: url
                    value: $(tt.params.gitrepositoryurl)
          outputs:
            - name: builtImage
              resourceSpec:
                type: image
                params:
                  - name: url
                    value: registry.your_registry.com:31000/your_project/$(tt.params.gitrepositoryname)
        workspaces:
          - name: workspace-cache # must match workspace name in the Task
            persistentVolumeClaim:
              claimName: workspace-cache-pvc # this PVC must already exist
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_ssh_url)
    - name: gitrepositoryname
      value: $(body.repository.name)

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - gitlab:
            secretRef:
              secretName: gitlab-webhook-secret
              secretKey: secretToken
            eventTypes:
              - Push Hook  # Only push events
      bindings:
        - ref: gitlab-push-binding
      template:
        name: gitlab-build-deploy-template
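
The interceptor, binding and template above are where the security of this setup lives: a request that does not carry the shared token in `X-Gitlab-Token` or is not a `Push Hook` never reaches the binding, so an unauthenticated caller cannot start a build or choose which revision and image name get built. The following added example (not part of the original post or of Tekton) mirrors that flow in Python so the path from a push payload to the TaskRun values can be traced offline; the token, payload and registry prefix are constructed samples.

```python
"""GitLab push webhook handling, mirrored in Python.

Added example, not part of the original post: it reproduces the checks the
EventListener's gitlab interceptor makes (secret token, allowed event types),
the three expressions of gitlab-push-binding, and the substitutions the
TriggerTemplate performs. Token, payload and registry prefix are constructed.
"""
import hmac
import json

# Constructed secret; in the cluster this is secretToken in gitlab-webhook-secret.
WEBHOOK_SECRET = "constructed-webhook-token"
# Constructed stand-in for registry.your_registry.com:31000/your_project.
REGISTRY_PREFIX = "registry.example.test:31000/demo"


def accept_event(headers: dict, secret_token: str, event_types=("Push Hook",)):
    """Interceptor checks, applied before any binding runs: X-Gitlab-Token must
    equal the shared secret (constant-time compare) and X-Gitlab-Event must be
    one of the configured eventTypes. Returns (accepted, reason)."""
    presented = headers.get("X-Gitlab-Token", "")
    if not hmac.compare_digest(presented.encode(), secret_token.encode()):
        return False, "X-Gitlab-Token does not match secretToken"
    event = headers.get("X-Gitlab-Event", "")
    if event not in event_types:
        return False, f"event type {event!r} not in eventTypes"
    return True, "ok"


def bind_params(payload: dict) -> dict:
    """The three TriggerBinding expressions evaluated against the parsed body."""
    return {
        "gitrevision": payload["checkout_sha"],                    # $(body.checkout_sha)
        "gitrepositoryurl": payload["repository"]["git_ssh_url"],  # $(body.repository.git_ssh_url)
        "gitrepositoryname": payload["repository"]["name"],        # $(body.repository.name)
    }


def render_taskrun(params: dict, registry_prefix: str) -> dict:
    """The values the TriggerTemplate substitutes into the generated TaskRun."""
    name = params["gitrepositoryname"]
    return {
        "generateName": f"{name}-run-",
        "revision": params["gitrevision"],
        "url": params["gitrepositoryurl"],
        "image": f"{registry_prefix}/{name}",
    }


def handle_webhook(headers: dict, raw_body: bytes, secret_token: str = WEBHOOK_SECRET):
    """Full path: interceptor, then binding, then template. Returns
    (taskrun_values, "ok") on success or (None, reason) when rejected."""
    ok, reason = accept_event(headers, secret_token)
    if not ok:
        return None, reason
    params = bind_params(json.loads(raw_body))
    return render_taskrun(params, REGISTRY_PREFIX), "ok"


# Constructed push payload carrying only the fields the binding reads.
SAMPLE_BODY = json.dumps({
    "object_kind": "push",
    "checkout_sha": "0123456789abcdef0123456789abcdef01234567",
    "repository": {
        "name": "myapp",
        "git_ssh_url": "ssh://git@gitlab.example.test:8000/demo/myapp.git",
    },
}).encode()

SAMPLE_HEADERS = {"X-Gitlab-Event": "Push Hook", "X-Gitlab-Token": WEBHOOK_SECRET}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY))
    print(handle_webhook({**SAMPLE_HEADERS, "X-Gitlab-Token": "wrong"}, SAMPLE_BODY))
    print(handle_webhook({**SAMPLE_HEADERS, "X-Gitlab-Event": "Merge Request Hook"}, SAMPLE_BODY))
```

Note what the accepted path still trusts from the body: the repository name becomes both the TaskRun name prefix and the image path under `your_project`, so the GitLab instance that holds the token decides which image tag gets overwritten. Keeping the token long and random, rotating it with the GitLab webhook, and exposing the listener only over TLS (as the IngressRoute below does) are the controls that matter here.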

  9. Create an Ingress so the external GitLab can deliver push events to Tekton.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-trigger
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tekton-trigger.your_domain.com`)
    services:
    - name: el-gitlab-listener
      port: 8080
  tls:
    certResolver: aliyun
    domains:
    - main: "tekton-trigger.your_domain.com"

  10. Create a webhook in the GitLab project. The URL is the one exposed above; the Secret Token is the one from secret.yaml

  11. Apply the files generated in steps 5-9 to Kubernetes. This example puts them in a separate tekton-gitlab namespace

kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml

  12. After a push to GitLab a TaskRun is created automatically and runs.

That is how to use Tekton's cloud-native CI/CD with GitLab. The editor believes some of these points are things we may meet or use in daily work; hopefully you learned more from this article. For more details, follow the Yisu Cloud industry news channel.
