OpenShift 4 Tekton (6) - 将Tekton和ArgoCD集成
文章目录
- 实现场景
- 实现CI/CD配置
- 准备Git Repo
- 安装Tekton和ArgoCD客户端
- 安装Tekton Operator、ArgoCD Operator和ArgoCD服务端环境
- 创建ArgoCD的应用
- 创建Tekton Pipeline
- 允许Tekton Pipeline更新Infra Repo中的内容
- 创建Webhook并配置Code Repo的Webhook
- 运行Tekton Pipeline
- 方法1-手动触发
- 方法2-Webhook触发
- 参考
实现场景
本文实现下图基于包括GitHub、Tekton、ArgoCD、WebHook的CI/CD场景:
- NodeJs应用代码放在Github的Code Repository中,代码变化后会通过Webhook触发Tekton的Pipeline运行。
- Tekton的Pipeline先从Code Repository中获得应用代码,然后Build成Image,随后将应用Image推送到OpenShift内部的Image Registry上。最后再更新GitHub的Infra Repository中的部署配置。
- ArgoCD发现Infra Repository中的部署配置变化后自动同步到OpenShift。
- OpenShift根据新的部署配置从其内部的Image Registry获取最新的应用Image,然后部署到OpenShift中。
实现CI/CD配置
准备Git Repo
- Fork以下3个git repo到自己的github账户中。
https://github.com/liuxiaoyu-git/tutorial-tekton-argocd-pipeline(Tekton Pipeline)
https://github.com/liuxiaoyu-git/tutorial-tekton-argocd-code(NodeJs应用代码)
https://github.com/liuxiaoyu-git/tutorial-tekton-argocd-infra(OpenShift部署) - 在tutorial-tekton-argocd-pipeline的git repo中修改以下文件的内容,将其中的“liuxiaoyu-git”替换为自己的git账户名。
pipeline/pipeline-build-git.yaml
pipeline/git.yaml - 执行命令设置环境变量。
$ export GIT_USERNAME=YOUR-GIT
$ export GIT_PIPELINE='tutorial-tekton-argocd-pipeline'
$ export GIT_CODE='tutorial-tekton-argocd-code'
$ export GIT_INFRA='tutorial-tekton-argocd-infra'
安装Tekton和ArgoCD客户端
- 运行以下命令,安装Tekton客户端。
$ curl -LO https://github.com/tektoncd/cli/releases/download/v0.8.0/tkn_0.8.0_Linux_x86_64.tar.gz
$ tar -xvf tkn_0.8.0_Linux_x86_64.tar.gz
$ sudo mv tkn /usr/bin/
- 运行以下命令,安装ArgoCD客户端。
$ sudo curl -L https://github.com/argoproj/argo-cd/releases/download/v1.4.2/argocd-linux-amd64 -o /usr/local/bin/argocd
$ sudo chmod +x /usr/local/bin/argocd
安装Tekton Operator、ArgoCD Operator和ArgoCD服务端环境
- 执行命令下载tutorial-tekton-argocd-pipeline repo。
$ git clone https://github.com/$GIT_USERNAME/tutorial-tekton-argocd-pipeline
$ cd tutorial-tekton-argocd-pipeline
- 执行命令安装Tekton Operator、ArgoCD Operator。
$ oc apply -f operators/tekton-operator.yaml
$ oc apply -f operators/argocd-operator.yaml
- 执行命令,查看Tekton Operator、ArgoCD Operator的安装状态。
$ oc get ClusterServiceVersion -n argocd
NAME DISPLAY VERSION REPLACES PHASE
argocd-operator-helm.v0.0.3 Argo CD Operator (Helm) 0.0.3 argocd-operator-helm.v0.0.2 Succeeded
openshift-pipelines-operator.v0.10.7 OpenShift Pipelines Operator 0.10.7 openshift-pipelines-operator.v0.8.2 Succeeded
4. 成功后执行命令创建ArgoCD服务端环境。
$ oc apply -f operators/argocd-cr.yaml
- 执行命令,查看ArgoCD部署执行情况。
$ oc get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
argocd-application-controller 1/1 1 1 4m2s
argocd-dex-server 1/1 1 1 4m2s
argocd-operator-helm 1/1 1 1 10m
argocd-redis 1/1 1 1 4m2s
argocd-repo-server 1/1 1 1 4m2s
argocd-server 1/1 1 1 4m2s
6. 执行命令,获得ArgoCD的admin用户登录密码。
$ export ARGOCD_NAMESPACE="argocd"
$ export ARGOCD_PASSWORD=$(oc get pods -n $ARGOCD_NAMESPACE -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2)
- 获得ArgoCD服务端的访问URL。
$ export ARGOCD_SERVER=$(oc get route argocd-server -n $ARGOCD_NAMESPACE -o jsonpath='{.spec.host}')
$ export ARGOCD_URL="https://$ARGOCD_SERVER"
- 确认可以用ArgoCD的客户端和浏览器分别登录ArgoCD。
$ argocd login --username admin --password $ARGOCD_PASSWORD $ARGOCD_SERVER
创建ArgoCD的应用
- 创建OpenShift项目用来运行Tekton Pipeline。
$ oc new-project tekton-argocd
- 执行命令,创建一个Argo应用,并将其对应到tutorial-tekton-argocd-infra。
$ export NAMESPACE=$(oc project -q)
$ export ARGOCD_APP=$(oc project -q)
$ export GIT_REPOSITORY_URL="https://github.com/$GIT_USERNAME/tutorial-tekton-argocd-infra"
$ export GIT_MANIFEST_DIR="yamls/ocp"
$ argocd app create $ARGOCD_APP \
--project default \
--repo $GIT_REPOSITORY_URL \
--path $GIT_MANIFEST_DIR \
--dest-server https://kubernetes.default.svc \
--dest-namespace $NAMESPACE \
--sync-policy automated \
--self-heal \
--auto-prune
- 当创建Argo应用后,可以在ArgoCD控制台中看到该应用的状态如下。由于当前在OpenShift中还没有对应的ImageStream,所以会提示找不到“image-registry.openshift-image-registry.svc:5000/tekton-argocd/app:6bf1e2b”镜像(Tag可能会有差别)。
创建Tekton Pipeline
- 在tekton-argocd项目中创建Pipeline资源。
$ oc apply -f pipeline/ -n $NAMESPACE
pipelineresource.tekton.dev/source created
pipelineresource.tekton.dev/image created
pipeline.tekton.dev/build-git created
task.tekton.dev/build-git created
task.tekton.dev/build created
- 确认有以下Tekton对象。
$ tkn task ls -n $NAMESPACE
NAME AGE
build 1 minute ago
build-git 1 minute ago
$ tkn pipeline ls -n $NAMESPACE
NAME AGE LAST RUN STARTED DURATION STATUS
build-git 1 minute ago --- --- --- ---
$ tkn resources ls -n $NAMESPACE
NAME TYPE DETAILS
source git url: https://github.com/csantanapr/tutorial-tekton-argocd-code
image image url: image-registry.openshift-image-registry.svc:5000/$NAMESPACE/app
- 运行Tekton的名为build的Task。
$ tkn task start build \
-i image=image \
-i source=source \
--showlog \
-s pipeline \
-n $NAMESPACE
- 在Task成功执行后,确认tekton-argocd项目中已经有了名为app的ImageStream。说明:实际tag可能和下面示例tag会不一样。
$ oc get imagestream -n $NAMESPACE
NAME IMAGE REPOSITORY TAGS UPDATED
app default-route-openshift-image-registry.apps.cluster-beijing-c8e6.beijing-c8e6.example.opentlc.com/tekton-argocd/app 6bf1e2b 30 seconds ago
允许Tekton Pipeline更新Infra Repo中的内容
- 在自己GitHub账号中进入Setting,然后在页面点击“Developer setting”链接,最后进入“Personal access tokens”。
- 点击“Generate new token”按钮,进入“New personal access token”页面。先在Note中填入“Tekton Pipeline”,然后在Scopes区域选中repo和admin:repo_hook,最后点击下面Generate token按钮。
- 复制生成的Token字符创,并用它设置以下GIT_TOKEN变量,然后生成secret对象。
$ export GIT_TOKEN=''
$ oc create secret generic git-infra-secret \
--from-literal=username="$GIT_USERNAME" \
--from-literal=token="$GIT_TOKEN" \
-n $NAMESPACE
创建Webhook并配置Code Repo的Webhook
- 执行命令,为Pipeline创建Webhook。
$ oc apply -f triggers/ -n $NAMESPACE
$ oc create route edge --service=el-cicd -n $NAMESPACE
$ export GIT_WEBHOOK_URL=$(oc get route el-cicd -o jsonpath='{.spec.host}' -n $NAMESPACE)
- 执行命令,将Webhook配置到名为tutorial-tekton-argocd-code的Git Repo上。
$ curl -v -X POST -u $GIT_USERNAME:$GIT_TOKEN -d "{\"name\": \"web\",\"active\": true,\"events\": [\"push\"],\"config\": {\"url\": \"https://$GIT_WEBHOOK_URL\",\"content_type\": \"json\",\"insecure_ssl\": \"0\"}}" -L https://api.github.com/repos/$GIT_USERNAME/$GIT_CODE/hooks
- 如执行成功,应有以下执行响应结果。
** About to connect() to api.github.com port 443 (#0)
** Trying 13.250.94.254...
** Connected to api.github.com (13.250.94.254) port 443 (#0)
** Initializing NSS with certpath: sql:/etc/pki/nssdb
** CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
** SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
** Server certificate:
** subject: CN=*.github.com,O="GitHub, Inc.",L=San Francisco,ST=California,C=US
** start date: Jul 08 00:00:00 2019 GMT
** expire date: Jul 16 12:00:00 2020 GMT
** common name: *.github.com
** issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
** Server auth using Basic with user 'liuxiaoyu-git'
> POST /repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks HTTP/1.1
> Authorization: Basic bGl1eGlhb3l1LWdpdDoyYzkxZWQ3Nzg0MzU3NjMyMTM3YTVhNDRiMjBmNjcyMzEzY2Q2ZWEx
> User-Agent: curl/7.29.0
> Host: api.github.com
> Accept: */*
> Content-Length: 202
> Content-Type: application/x-www-form-urlencoded
>
4. upload completely sent off: 202 out of 202 bytes
< HTTP/1.1 201 Created
< Date: Sun, 26 Apr 2020 14:54:17 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 771
< Server: GitHub.com
< Status: 201 Created
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4999
< X-RateLimit-Reset: 1587916457
< Cache-Control: private, max-age=60, s-maxage=60
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< ETag: "0f8659953257c11b433917a9088c7e97"
< X-OAuth-Scopes: admin:repo_hook, repo
< X-Accepted-OAuth-Scopes: admin:repo_hook, public_repo, repo, write:repo_hook
< Location: https://api.github.com/repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks/205246180
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Content-Security-Policy: default-src 'none'
< Vary: Accept-Encoding, Accept, X-Requested-With
< X-GitHub-Request-Id: EA0C:0D30:E2DBFC:1226B13:5EA5A099
<
{
"type": "Repository",
"id": 205246180,
"name": "web",
"active": true,
"events": [
"push"
],
"config": {
"content_type": "json",
"insecure_ssl": "0",
"url": "https://el-cicd-tekton-argocd.apps.cluster-beijing-c8e6.beijing-c8e6.example.opentlc.com"
},
"updated_at": "2020-04-26T14:54:17Z",
"created_at": "2020-04-26T14:54:17Z",
"url": "https://api.github.com/repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks/205246180",
"test_url": "https://api.github.com/repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks/205246180/test",
"ping_url": "https://api.github.com/repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks/205246180/pings",
"last_response": {
"code": null,
"status": "unused",
"message": null
}
}
** Connection #0 to host api.github.com left intact
- 进入Github的tutorial-tekton-argocd-code的Repository,然后进入Settings中的Webhooks。确认SSL verification是Disable的。
运行Tekton Pipeline
方法1-手动触发
- 执行以下命令,手动运行Pipeline,然后
$ tkn pipeline start build-git \
--showlog \
-r source=source \
-r image=image \
-s pipeline \
-n $NAMESPACE
- 在完成后查看部署到OpenShift的测试应用页面。
$ curl http://$(oc get route ui -n tekton-argocd |awk 'NR==2 {print $2}')
<!DOCTYPE html><html><head><title>Cloud Native demo March 12th 2020</title><link rel="stylesheet" href="/stylesheets/style.css"></head><body><h1>Cloud Native demo March 12th 2020</h1><p>Welcome to Cloud Native demo March 12th 2020</p></body></html>
- 确认ImageStream已经有更新。
$ oc get is
NAME IMAGE REPOSITORY TAGS UPDATED
app default-route-openshift-image-registry.apps.cluster-beijing-c8e6.beijing-c8e6.example.opentlc.com/tekton-argocd/app deca336,6bf1e2b 3 minutes ago
方法2-Webhook触发
- 在Github上修改tutorial-tekton-argocd-code中的“tutorial-tekton-argocd-code/src/routes/index.js”文件中“Cloud Native demo”后面的日期。
var express = require('express');
var router = express.Router();
/* GET home page. */
router.get('/', function (req, res, next) {
res.render('index', { title: 'Cloud Native demo April 26th 2020' });
});
module.exports = router;
- 修改文件并提交后,确认pipelinerun在运行。
$ tkn pipelinerun list
NAME STARTED DURATION STATUS
cicd-run-8dtxk 3 hours ago 5 minutes Succeeded
build-git-run-zq7hv 3 hours ago 3 minutes Succeeded
- 在完成运行后可以在ArgoCD控制台中看到tekton-argocd项目是Synced状态。
- 最后执行命令,查看返回的页面内容已经发生了变化。
$ curl http://$(oc get route ui -n tekton-argocd |awk 'NR==2 {print $2}')
<!DOCTYPE html><html><head><title>Cloud Native demo March 12th 2020</title><link rel="stylesheet" href="/stylesheets/style.css"></head><body><h1>Cloud Native demo March 12th 2020</h1><p>Welcome to Cloud Native demo April 27th 2020</p></body></html>
参考
https://cloudnative101.dev/project-cicd/solution/