From ac2475266299b5cd42c490ed64a2877c0a2a122e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Fri, 23 Sep 2022 15:43:21 +0200
Subject: [PATCH] improve k8s manifests
---
 .../{pipelinerun => tekton}/pipelinerun.yaml | 2 +-
 hacking/tekton/taskrun-buildah.yaml | 18 ++++++
 hacking/tekton/taskrun-deploy.yaml | 16 +++++
 k8s/buildconfig.yaml | 0
 k8s/knative-image-transformer.yaml | 5 ++
 k8s/knative-service.yaml | 12 ++++
 k8s/kustomization.yaml | 17 ++++++
 k8s/pipeline.yaml | 35 ++++++++++-
 k8s/role.yaml | 2 +-
 k8s/rolebinding.yaml | 14 ++++-
 k8s/task-buildah.yaml | 22 ++++--
 k8s/task-deploy.yaml | 61 +++++++++++++++++++
 12 files changed, 191 insertions(+), 13 deletions(-)
 rename hacking/{pipelinerun => tekton}/pipelinerun.yaml (83%)
 create mode 100644 hacking/tekton/taskrun-buildah.yaml
 create mode 100644 hacking/tekton/taskrun-deploy.yaml
 delete mode 100644 k8s/buildconfig.yaml
 create mode 100644 k8s/knative-image-transformer.yaml
 create mode 100644 k8s/knative-service.yaml
 create mode 100644 k8s/kustomization.yaml
 create mode 100644 k8s/task-deploy.yaml
diff --git a/hacking/pipelinerun/pipelinerun.yaml b/hacking/tekton/pipelinerun.yaml
similarity index 83%
rename from hacking/pipelinerun/pipelinerun.yaml
rename to hacking/tekton/pipelinerun.yaml
index 923d6b5..bd31520 100644
--- a/hacking/pipelinerun/pipelinerun.yaml
+++ b/hacking/tekton/pipelinerun.yaml
@@ -10,7 +10,7 @@ spec:
 - name: gitRepositoryURL
 value: https://github.com/nmasse-itix/demo-appdev.git
 - name: outputContainerImage
- value: image-registry.openshift-image-registry.svc.cluster.local:5000/demo-appdev/function
+ value: image-registry.openshift-image-registry.svc:5000/demo-appdev/function
 workspaces:
 - name: scratch
 volumeClaimTemplate:
diff --git a/hacking/tekton/taskrun-buildah.yaml b/hacking/tekton/taskrun-buildah.yaml
new file mode 100644
index 0000000..974cf03
--- /dev/null
+++ b/hacking/tekton/taskrun-buildah.yaml
@@ -0,0 +1,18 @@
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+ generateName: buildah-
+spec:
+ serviceAccountName: tekton-robot
+ taskRef:
+ name: buildah
+ params:
+ - name: outputContainerImage
+ value: image-registry.openshift-image-registry.svc:5000/demo-appdev/function
+ workspaces:
+ - emptyDir: {}
+ name: src
+ - emptyDir: {}
+ name: containers
+ debug:
+ breakpoint: ["onFailure"]
diff --git a/hacking/tekton/taskrun-deploy.yaml b/hacking/tekton/taskrun-deploy.yaml
new file mode 100644
index 0000000..28975fd
--- /dev/null
+++ b/hacking/tekton/taskrun-deploy.yaml
@@ -0,0 +1,16 @@
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+ generateName: deploy-
+spec:
+ serviceAccountName: tekton-robot
+ taskRef:
+ name: deploy
+ params:
+ - name: imageDigest
+ value: sha256:7977a31c6829d4629698ae5f3dcd5691e90f83bed1b336bff16d2afafa12cba4
+ workspaces:
+ - emptyDir: {}
+ name: src
+ debug:
+ breakpoint: ["onFailure"]
diff --git a/k8s/buildconfig.yaml b/k8s/buildconfig.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/k8s/knative-image-transformer.yaml b/k8s/knative-image-transformer.yaml
new file mode 100644
index 0000000..e75dfca
--- /dev/null
+++ b/k8s/knative-image-transformer.yaml
@@ -0,0 +1,5 @@
+images:
+- path: spec/template/spec/containers/image
+ kind: Service
+ version: serving.knative.dev/v1
+
diff --git a/k8s/knative-service.yaml b/k8s/knative-service.yaml
new file mode 100644
index 0000000..d805eac
--- /dev/null
+++ b/k8s/knative-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+ name: function
+spec:
+ template:
+ spec:
+ containers:
+ - image: image-registry.openshift-image-registry.svc:5000/demo-appdev/function
+ env:
+ - name: TODO
+ value: "TODO"
diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml
new file mode 100644
index 0000000..c046e52
--- /dev/null
+++ b/k8s/kustomization.yaml
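Review bot: `debug.breakpoint` on this TaskRun (and on hacking/tekton/taskrun-deploy.yaml in the same patch) is an alpha field of the tekton.dev/v1beta1 TaskRun; on a cluster whose `feature-flags` ConfigMap does not set `enable-api-fields: alpha` the object is rejected at admission, which someone picking up a hacking/ helper would want to know up front. A comment above the field, `# requires enable-api-fields: alpha in Tekton's feature-flags ConfigMap`, would save that round trip. The `imageDigest` in taskrun-deploy.yaml is one fixed `sha256:` value from an earlier build, so that TaskRun only exercises the deploy task against an image that may no longer be in the registry; a comment saying it is a sample digest to be replaced would make that explicit.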
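Review bot: The `env` entry `- name: TODO` / `value: "TODO"` is a placeholder that will be applied to the cluster as a real environment variable on the Service's container. Either drop the `env:` block until the real setting is known, or keep the reminder as a YAML comment (`# env: TODO — set the function's runtime configuration here`) so nothing unintended reaches the running revision. Because k8s/kustomization.yaml in this patch lists this file under `resources`, the placeholder goes out with every `kustomize build`, not just in a local test.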
@@ -0,0 +1,17 @@
+resources:
+- imagestream.yaml
+- pipeline.yaml
+- rolebinding.yaml
+- role.yaml
+- serviceaccount.yaml
+- task-buildah.yaml
+- task-deploy.yaml
+- task-git-clone.yaml
+- task-maven-package.yaml
+- knative-service.yaml
+images:
+- name: image-registry.openshift-image-registry.svc:5000/demo-appdev/function
+configurations:
+- knative-image-transformer.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
diff --git a/k8s/pipeline.yaml b/k8s/pipeline.yaml
index 6999340..f200e59 100644
--- a/k8s/pipeline.yaml
+++ b/k8s/pipeline.yaml
@@ -12,10 +12,12 @@ spec:
 type: string
 tasks:
 # Clone the git repository
- - name: git-clone
+ - name: git-clone-src
 params:
 - name: url
 value: "$(params.gitRepositoryURL)"
+ - name: revision
+ value: "main"
 - name: verbose
 value: "false"
 workspaces:
@@ -24,10 +26,25 @@ spec:
 subPath: src
 taskRef:
 name: git-clone
+ # Clone the git repository (GitOps)
+ - name: git-clone-gitops
+ params:
+ - name: url
+ value: "$(params.gitRepositoryURL)"
+ - name: revision
+ value: "gitops"
+ - name: verbose
+ value: "false"
+ workspaces:
+ - name: output
+ workspace: scratch
+ subPath: gitops
+ taskRef:
+ name: git-clone
 # Build the Quarkus app
 - name: maven-package
 runAfter:
- - git-clone
+ - git-clone-src
 workspaces:
 - name: src
 workspace: scratch
@@ -50,3 +67,17 @@ spec:
 subPath: containers
 taskRef:
 name: buildah
+ # Deploy the new version
+ - name: deploy
+ runAfter:
+ - buildah
+ - git-clone-gitops
+ params:
+ - name: imageDigest
+ value: "$(tasks.buildah.results.imageDigest)"
+ workspaces:
+ - name: src
+ workspace: scratch
+ subPath: gitops
+ taskRef:
+ name: deploy
diff --git a/k8s/role.yaml b/k8s/role.yaml
index 5d5169a..8ecb846 100644
--- a/k8s/role.yaml
+++ b/k8s/role.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: tekton-robot
+ name: tekton-robot-scc
 rules:
 - apiGroups:
 - security.openshift.io
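Review bot: The `images` entry names the image `image-registry.openshift-image-registry.svc:5000/demo-appdev/function`, but the deploy task added in k8s/task-deploy.yaml in this same patch runs `kustomize edit set image function@$IMAGE_DIGEST` with the bare name `function`; kustomize matches image names from their start, so that edit appears to append a second, non-matching `images` entry and leave the Knative Service unpinned. Passing the full name to `kustomize edit set image`, or using the `name=newName@digest` form so the existing entry is the one rewritten, would fix it; checking the rendered `kustomize build` output after one pipeline run would settle it. Separately, `apiVersion` and `kind` are the last keys in this file while the other manifests in the patch put them first; moving them to the top keeps the files consistent.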
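Review bot: The branch names `"main"` and `"gitops"` passed as `revision` to git-clone-src and git-clone-gitops are hard-coded, while the repository URL is already a pipeline param; exposing them as params (for example `gitRevision` and `gitopsRevision` with those defaults, referenced as `"$(params.gitRevision)"`) would let the same Pipeline run against a feature branch without editing the manifest. The new `deploy` task commits and pushes into the `gitops` checkout, so a short comment on `git-clone-gitops` saying it is the branch the pipeline writes back to would make the roles of the two clones clear to a reader. The enclosing `spec.tasks` list continues outside these hunks.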
diff --git a/k8s/rolebinding.yaml b/k8s/rolebinding.yaml
index 3354899..abe993c 100644
--- a/k8s/rolebinding.yaml
+++ b/k8s/rolebinding.yaml
@@ -1,11 +1,23 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: tekton-robot
+ name: tekton-robot-scc
 subjects:
 - kind: ServiceAccount
 name: tekton-robot
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
+ name: tekton-robot-scc
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-robot-pusher
+subjects:
+- kind: ServiceAccount
 name: tekton-robot
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:image-builder
diff --git a/k8s/task-buildah.yaml b/k8s/task-buildah.yaml
index 7dfeb05..f4afa5c 100644
--- a/k8s/task-buildah.yaml
+++ b/k8s/task-buildah.yaml
@@ -26,6 +26,8 @@ spec:
 value: "$(results.imageDigest.path)"
 - name: TARGET_IMAGE
 value: "$(params.outputContainerImage)"
+ - name: "CONTAINERFILE"
+ value: "src/main/docker/Dockerfile.native"
 securityContext:
 capabilities:
 add:
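Review bot: The new `tekton-robot-pusher` RoleBinding carries no comment saying why the `tekton-robot` ServiceAccount now needs `system:image-builder`; k8s/task-buildah.yaml in this patch switches from the mounted push secret to `buildah login` with the SA's own token, and this binding is what lets that login push, a dependency invisible from this file. A comment above the second document, `# tekton-robot now pushes with its own SA token (see task-buildah.yaml); image-builder is granted for this namespace only`, would record it. Granting the ClusterRole through a RoleBinding rather than a ClusterRoleBinding keeps the permission namespace-scoped, which is the right choice and worth stating in the same comment.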
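Review bot: `- name: "CONTAINERFILE"` is the only env name in this list written with quotes; the sibling `- name: TARGET_IMAGE` is a plain scalar, so `- name: CONTAINERFILE` keeps the list consistent. The Containerfile path `src/main/docker/Dockerfile.native` is now fixed inside the Task; if the Task is meant to be reused by other projects, a `containerfile` param with that value as `default` (referenced as `"$(params.containerfile)"`) would avoid editing the Task per project. The `env` list this hunk belongs to begins before the hunk.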
@@ -47,27 +49,31 @@ spec: extra_args="$extra_args --file $CONTAINERFILE" fi - buildah bud --storage-driver vfs --manifest tekton -t $TARGET_IMAGE $extra_args -f src/main/docker/Dockerfile.native . + buildah bud --storage-driver vfs -t localhost/build:latest $extra_args . echo } function push () { echo "=========================================================" - echo " buildah push $1" + echo " buildah push $TARGET_IMAGE" echo "=========================================================" echo - # buildah requires a slight modification to the push secret provided by the service - # account to use it for pushing the image - cp /var/run/secrets/openshift.io/push/.dockercfg /tmp - echo "{ \"auths\": $(cat /var/run/secrets/openshift.io/push/.dockercfg) }" > /tmp/.dockercfg + buildah push --storage-driver vfs --digestfile "$RESULT_IMAGE_DIGEST" localhost/build:latest "docker://$1" + echo + } - buildah manifest push --storage-driver vfs --all tekton "docker://$1" --digestfile "$RESULT_IMAGE_DIGEST" --tls-verify=false --authfile /tmp/.dockercfg + function login () { + echo "=========================================================" + echo " buildah login $1" + echo "=========================================================" + echo + buildah login -u sa -p $(cat /var/run/secrets/kubernetes.io/serviceaccount/token) "$1" echo } + login image-registry.openshift-image-registry.svc:5000 build - push "$TARGET_IMAGE:latest" exit 0 diff --git a/k8s/task-deploy.yaml b/k8s/task-deploy.yaml new file mode 100644 index 0000000..7eb4068 --- /dev/null +++ b/k8s/task-deploy.yaml 
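Review bot: The call `push "$TARGET_IMAGE:latest"` is removed and nothing else calls the rewritten `push` function, so after `login` and `build` the script exits 0 without pushing `localhost/build:latest` anywhere and without writing `$RESULT_IMAGE_DIGEST`; the `deploy` pipeline task added in this patch reads `$(tasks.buildah.results.imageDigest)`, so the pipeline presumably fails there or deploys an empty digest. Restoring a call such as `push "$TARGET_IMAGE:latest"` after `build` (the function now pushes the local image to `docker://$1`) is the missing line. Separately, `buildah login -u sa -p $(cat /var/run/secrets/kubernetes.io/serviceaccount/token) "$1"` places the service-account token on the command line, where it is visible in the step container's process list and in any `set -x` trace; `buildah login -u sa --password-stdin "$1" < /var/run/secrets/kubernetes.io/serviceaccount/token` keeps it out of argv. The banner `echo " buildah push $TARGET_IMAGE"` also no longer matches the `$1` the function actually pushes. The script begins before this hunk.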
@@ -0,0 +1,61 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: deploy
+spec:
+ params:
+ - name: kustomizeImage
+ type: string
+ default: k8s.gcr.io/kustomize/kustomize:v4.5.5
+ - name: gitImage
+ type: string
+ default: docker.io/alpine/git:v2.26.2
+ - name: imageDigest
+ description: The digest of the last built image
+ workspaces:
+ - name: src
+ mountPath: /src
+ steps:
+ - name: kustomize
+ image: $(params.kustomizeImage)
+ workingDir: /src/k8s
+ env:
+ - name: IMAGE_DIGEST
+ value: "$(params.imageDigest)"
+ script: |
+ #!/bin/bash
+
+ set -Eeuo pipefail
+
+ echo "========================================================="
+ echo " kustomize edit set image"
+ echo "========================================================="
+ echo
+
+ echo "Setting image tag to digest $IMAGE_DIGEST..."
+ echo
+
+ kustomize edit set image function@$IMAGE_DIGEST
+
+ exit 0
+ - name: git-push
+ image: $(params.gitImage)
+ workingDir: /src
+ env:
+ - name: IMAGE_DIGEST
+ value: "$(params.imageDigest)"
+ script: |
+ #!/bin/bash
+
+ set -Eeuo pipefail
+
+ echo "========================================================="
+ echo " git push"
+ echo "========================================================="
+ echo
+
+ git add k8s/kustomization.yaml
+ git commit -m 'deploy image $IMAGE_DIGEST'
+ git push
+
+ exit 0
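Review bot: The commit message in the git-push step is single-quoted, so `$IMAGE_DIGEST` is never expanded and every commit reads literally `deploy image $IMAGE_DIGEST`; use `git commit -m "deploy image $IMAGE_DIGEST"`. Both steps start with `#!/bin/bash`, but `docker.io/alpine/git` is presumably an Alpine image without bash, in which case the git-push step fails before its first command; `#!/bin/sh` (dropping `-E`, which `sh` does not accept) or an image that ships bash would be safer, and a quick check of the image settles it. The step also configures no `user.name`/`user.email` and has no visible push credentials, so how `git commit` and `git push` are expected to succeed in the `gitops` checkout is unclear from the hunk and deserves a comment on the step. The `imageDigest` param has no `type:` while its siblings declare `type: string`; adding it keeps the three params uniform.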