如何进行tekton云原生的CI/CD在gitlab应用

本篇文章给大家分享的是有关如何进行tekton云原生的CI/CD在gitlab应用，小编觉得挺实用的，因此分享给大家学习，希望大家阅读完这篇文章后可以有所收获，话不多说，跟着小编一起来看看吧。

创新互联公司是一家专注于成都网站设计、成都网站建设与策划设计,额济纳网站建设哪家好?创新互联公司做网站,专注于网站建设10余年,网设计领域的专业建站公司;建站业务涵盖:额济纳等地区。额济纳做网站价格咨询:18980820575

1. 环境：科学环境，kubernetes 1.18+, tekton latest

2. 说明

• Tekton 是一个强大且灵活的 Kubernetes 原生开源框架，可用于创建持续集成和交付 (CI/CD) 系统。该框架可让您跨多个云服务商或本地系统进行构建、测试和部署，而无需操心基础实现详情。

• Tekton 提供的内置最佳做法可让您快速创建云原生 CI/CD 流水线。其目标是让开发者创建和部署不可变映管理基础架构的版本控制，或者更轻松地执行回滚。借助 Tekton，您还可以利用高级部署模式，例如滚动部署、蓝/绿部署、Canary 部署或 GitOps 工作流。

• Tekton配置起来很绕，真绕，又慢。真心推荐drone。https://my.oschina.net/u/160697/blog/4487417

• 针对push代码到gitlab后触发webhook，通过打包docker镜像并推送到harbor私有仓库。

3. 安装tekton

# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# 本例使用到了triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# 使用dashboard就可以不用安装ctl了
kubectl apply -f https://storage.gogleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml

4. 暴露tekton dashboard外网使用，参考https://my.oschina.net/u/160697/blog/4437939 dashboard安全使用

apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-auth-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  basicAuth:
    secret: tekton-dashboard-auth-secret

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tekton.your_domain.com`)
    services:
    - name: tekton-dashboard
      port: 9097
    middlewares:
    - name: tekton-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
    - main: "tekton.your_domain.com"

5. 通过tekton trigger自动创建TaskRun，本例只使用gitlab仓库。参考官方例子，只是参考，不合实际情况

mkdir gitlab-trigger
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml

6. 生成ssh公私钥。把公钥复制到gitlab的Deploy Keys。私钥放到k8s中的Secret中。参考官方

ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0

创建secret.yaml，并把上面输出的结果复制到ssh-privatekey和known_hosts中

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-secret
type: Opaque
stringData:
  secretToken: "qxFtJX5jh88b83P"

---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ssh-secret
  annotations:
    tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: 
  known_hosts: 

# 私有仓库
# https://kubernetes.io/zh/docs/tasks/configure-pod-container/pull-image-private-registry/
# kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email=
---
apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-secret
  annotations:
    tekton.dev/docker-0: registry.you_harbor_addr.com:31000
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: 

7. 创建serviceaccount.yaml ServiceAcount就包含了上面创建的三个secret，通过ServiceAcount就可以使用了

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-secret
  - name: gitlab-ssh-secret
  - name: harbor-registry-secret
imagePullSecrets:
  - name: harbor-registry-secret

8. 创建gitlab-push-listener.yaml。使用kaniko来构建镜像,，可以缓存镜像，但在dockerfile中使用copy等命令时会发生Unpacking rootfs as cmd COPY . . requires it. ，每次都要拉镜像，需要更好的科学环境，不然很慢。需要要gcr.io, docker.com, docker.io都使用代理访问。也参考了这个篇幅

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: workspace-cache-pvc
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  #rook-cephfs就是storageclass.yaml里面定义的
  storageClassName: rook-cephfs

---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: gitlab-build-and-push
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: $(resources.inputs.git-source.path)/Dockerfile
    - name: pathToContext
      type: string
      description: |
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: $(resources.inputs.git-source.path)
  resources:
    inputs:
      - name: git-source
        type: git
    outputs:
      - name: builtImage
        type: image
  # 缓存
  workspaces:
    - name: workspace-cache
      mountPath: /cache
  steps:
    - name: cache-images
      image: gcr.io/kaniko-project/warmer:latest
      # 在最后添加需要缓存的image
      args: ["--cache-dir=/cache",
             "--image=golang:alpine"]
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:latest
      workingDir: "$(params.pathToContext)"
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --cache=true
        - --cache-dir=/cache
        - --dockerfile=$(params.pathToDockerFile)
        - --destination=$(resources.outputs.builtImage.url)
        - --context=$(params.pathToContext)
        - --log-timestamp=true

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: gitlab-build-deploy-template
spec:
  params:
    - name: gitrevision
    - name: gitrepositoryurl
    - name: gitrepositoryname
  resourcetemplates:
    - apiVersion: tekton.dev/v1alpha1
      kind: TaskRun
      metadata:
        generateName: $(tt.params.gitrepositoryname)-run-
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskRef:
          name: gitlab-build-and-push
        params:
          - name: pathToDockerFile
            value: Dockerfile
        resources:
          inputs:
            - name: git-source
              resourceSpec:
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision)
                  - name: url
                    value: $(tt.params.gitrepositoryurl)
          outputs:
            - name: builtImage
              resourceSpec:
                type: image
                params:
                  - name: url
                    value: registry.your_registry.com:31000/your_project/$(tt.params.gitrepositoryname)
        workspaces:
          - name: workspace-cache # must match workspace name in the Task
            persistentVolumeClaim:
              claimName: workspace-cache-pvc # this PVC must already exist
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_ssh_url)
    - name: gitrepositoryname
      value: $(body.repository.name)

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - gitlab:
            secretRef:
              secretName: gitlab-webhook-secret
              secretKey: secretToken
            eventTypes:
              - Push Hook  # Only push events
      bindings:
        - ref: gitlab-push-binding
      template:
        name: gitlab-build-deploy-template

9. 创建一个Ingress让外网的gitlab能push event到tekton中。

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-trigger
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tekton-trigger.your_domain.com`)
    services:
    - name: el-gitlab-listener
      port: 8080
  tls:
    certResolver: aliyun
    domains:
    - main: "tekton-trigger.your_domain.com"

10. 在gitlab的项目中创建一个webhook。url就是暴露的，Secret Token就是secret.yaml中的那个

11. 把5-9步骤生成的文件应用到k8s中。本例单独放到一个tekton-gitlab的命名空间中

kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml

12. push到gitlab后会自动创建taskrun，并运行。效果如下：

以上就是如何进行tekton云原生的CI/CD在gitlab应用，小编相信有部分知识点可能是我们日常工作会见到或用到的。希望你能通过这篇文章学到更多知识。更多详情敬请关注创新互联行业资讯频道。