improve k8s manifests

hacking/pipelinerun/pipelinerun.yaml → hacking/tekton/pipelinerun.yaml

@@ -10,7 +10,7 @@ spec:
   - name: gitRepositoryURL
     value: https://github.com/nmasse-itix/demo-appdev.git
   - name: outputContainerImage
-    value: image-registry.openshift-image-registry.svc.cluster.local:5000/demo-appdev/function
+    value: image-registry.openshift-image-registry.svc:5000/demo-appdev/function
   workspaces:
   - name: scratch
     volumeClaimTemplate:

hacking/tekton/taskrun-buildah.yaml

@@ -0,0 +1,18 @@
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  generateName: buildah-
+spec:
+  serviceAccountName: tekton-robot
+  taskRef:
+    name: buildah
+  params:
+  - name: outputContainerImage
+    value: image-registry.openshift-image-registry.svc:5000/demo-appdev/function
+  workspaces:
+  - emptyDir: {}
+    name: src
+  - emptyDir: {}
+    name: containers
+  debug:
+    breakpoint: ["onFailure"]

hacking/tekton/taskrun-deploy.yaml

@@ -0,0 +1,16 @@
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  generateName: deploy-
+spec:
+  serviceAccountName: tekton-robot
+  taskRef:
+    name: deploy
+  params:
+  - name: imageDigest
+    value: sha256:7977a31c6829d4629698ae5f3dcd5691e90f83bed1b336bff16d2afafa12cba4
+  workspaces:
+  - emptyDir: {}
+    name: src
+  debug:
+    breakpoint: ["onFailure"]

k8s/knative-image-transformer.yaml

@@ -0,0 +1,5 @@
+images:
+- path: spec/template/spec/containers/image
+  kind: Service
+  version: serving.knative.dev/v1
+

k8s/knative-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: function
+spec:
+  template:
+    spec:
+      containers:
+        - image: image-registry.openshift-image-registry.svc:5000/demo-appdev/function
+          env:
+            - name: TODO
+              value: "TODO"

k8s/kustomization.yaml

@@ -0,0 +1,17 @@
+resources:
+- imagestream.yaml
+- pipeline.yaml
+- rolebinding.yaml
+- role.yaml
+- serviceaccount.yaml
+- task-buildah.yaml
+- task-deploy.yaml
+- task-git-clone.yaml
+- task-maven-package.yaml
+- knative-service.yaml
+images:
+- name: image-registry.openshift-image-registry.svc:5000/demo-appdev/function
+configurations:
+- knative-image-transformer.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization

k8s/pipeline.yaml

@@ -12,10 +12,12 @@ spec:
     type: string
   tasks:
   # Clone the git repository
-  - name: git-clone
+  - name: git-clone-src
     params:
     - name: url
       value: "$(params.gitRepositoryURL)"
+    - name: revision
+      value: "main"
     - name: verbose
       value: "false"
     workspaces:
@@ -24,10 +26,25 @@ spec:
       subPath: src
     taskRef:
       name: git-clone
+  # Clone the git repository (GitOps)
+  - name: git-clone-gitops
+    params:
+    - name: url
+      value: "$(params.gitRepositoryURL)"
+    - name: revision
+      value: "gitops"
+    - name: verbose
+      value: "false"
+    workspaces:
+    - name: output
+      workspace: scratch
+      subPath: gitops
+    taskRef:
+      name: git-clone
   # Build the Quarkus app
   - name: maven-package
     runAfter:
-    - git-clone
+    - git-clone-src
     workspaces:
     - name: src
       workspace: scratch
@@ -50,3 +67,17 @@ spec:
       subPath: containers
     taskRef:
       name: buildah
+  # Deploy the new version
+  - name: deploy
+    runAfter:
+    - buildah
+    - git-clone-gitops
+    params:
+    - name: imageDigest
+      value: "$(tasks.buildah.results.imageDigest)"
+    workspaces:
+    - name: src
+      workspace: scratch
+      subPath: gitops
+    taskRef:
+      name: deploy

k8s/role.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: tekton-robot
+  name: tekton-robot-scc
 rules:
 - apiGroups:
   - security.openshift.io

k8s/rolebinding.yaml

@@ -1,11 +1,23 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: tekton-robot
+  name: tekton-robot-scc
 subjects:
 - kind: ServiceAccount
   name: tekton-robot
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
+  name: tekton-robot-scc
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-robot-pusher
+subjects:
+- kind: ServiceAccount
   name: tekton-robot
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:image-builder

k8s/task-buildah.yaml

@@ -26,6 +26,8 @@ spec:
       value: "$(results.imageDigest.path)"
     - name: TARGET_IMAGE
       value: "$(params.outputContainerImage)"
+    - name: "CONTAINERFILE"
+      value: "src/main/docker/Dockerfile.native"
     securityContext:
       capabilities:
         add:
@@ -47,27 +49,31 @@ spec:
           extra_args="$extra_args --file $CONTAINERFILE"
         fi
 
-        buildah bud --storage-driver vfs --manifest tekton -t $TARGET_IMAGE $extra_args -f src/main/docker/Dockerfile.native .
+        buildah bud --storage-driver vfs -t localhost/build:latest $extra_args .
         echo
       }
 
       function push () {
         echo "========================================================="
-        echo " buildah push $1"
+        echo " buildah push $TARGET_IMAGE"
         echo "========================================================="
         echo
 
-        # buildah requires a slight modification to the push secret provided by the service
+        buildah push --storage-driver vfs --digestfile "$RESULT_IMAGE_DIGEST" localhost/build:latest "docker://$1"
-        # account to use it for pushing the image
+        echo
-        cp /var/run/secrets/openshift.io/push/.dockercfg /tmp
+      }
-        echo "{ \"auths\": $(cat /var/run/secrets/openshift.io/push/.dockercfg) }" > /tmp/.dockercfg
 
-        buildah manifest push --storage-driver vfs --all tekton "docker://$1" --digestfile "$RESULT_IMAGE_DIGEST" --tls-verify=false --authfile /tmp/.dockercfg
+      function login () {
+        echo "========================================================="
+        echo " buildah login $1"
+        echo "========================================================="
+        echo
+        buildah login -u sa -p $(cat /var/run/secrets/kubernetes.io/serviceaccount/token) "$1"
         echo
       }
 
+      login image-registry.openshift-image-registry.svc:5000
       build
-
       push "$TARGET_IMAGE:latest"
 
       exit 0      

k8s/task-deploy.yaml

@@ -0,0 +1,61 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: deploy
+spec:
+  params:
+  - name: kustomizeImage
+    type: string
+    default: k8s.gcr.io/kustomize/kustomize:v4.5.5
+  - name: gitImage
+    type: string
+    default: docker.io/alpine/git:v2.26.2
+  - name: imageDigest
+    description: The digest of the last built image
+  workspaces:
+  - name: src
+    mountPath: /src
+  steps:
+  - name: kustomize
+    image: $(params.kustomizeImage)
+    workingDir: /src/k8s
+    env:
+    - name: IMAGE_DIGEST
+      value: "$(params.imageDigest)"
+    script: |
+      #!/bin/bash
+
+      set -Eeuo pipefail
+
+      echo "========================================================="
+      echo " kustomize edit set image"
+      echo "========================================================="
+      echo
+
+      echo "Setting image tag to digest $IMAGE_DIGEST..."
+      echo
+
+      kustomize edit set image function@$IMAGE_DIGEST
+
+      exit 0
+  - name: git-push
+    image: $(params.gitImage)
+    workingDir: /src
+    env:
+    - name: IMAGE_DIGEST
+      value: "$(params.imageDigest)"
+    script: |
+      #!/bin/bash
+
+      set -Eeuo pipefail
+
+      echo "========================================================="
+      echo " git push"
+      echo "========================================================="
+      echo
+
+      git add k8s/kustomization.yaml
+      git commit -m 'deploy image $IMAGE_DIGEST'
+      git push
+
+      exit 0