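Deploying Kubernetes applications with Tekton
Deploy a Tekton Pipeline instance on a Kubernetes service. Once it is deployed, use Tekton to pull the source code, package the application, push the image and deploy the application.
This article implements a complete CI/CD flow for a golang-helloworld project, with the following steps:
- Pull the code from the gitee repository and build the source into a binary
- Build an image from the Dockerfile and push it to the Alibaba Cloud ACR image registry
- Use the sed command to replace the image address in the yaml file with the image built in the previous step
- Deploy the yaml file to the kubernetes cluster with the kubectl apply -f command
Example git repository: https://gitee.com/willzhangee/tekton-golang-demo
Create the ServiceAccount
Pushing an image to an external image registry requires authentication. Create the secret used to log in to the Alibaba Cloud ACR registry: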
kubectl create secret docker-registry aliyun-acr \
--docker-server=https://registry.cn-shenzhen.aliyuncs.com \
--docker-username=<your-username> \
--docker-password=<your-password> \
--dry-run=client -o json | jq -r '.data.".dockerconfigjson"' | base64 -d > /tmp/config.json
kubectl create secret generic docker-config --from-file=/tmp/config.json
Create the kubernetes secret
kubectl create secret generic kubernetes-config --from-file=/root/.kube/config
Create the serviceAccount
$ cat serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: docker-config
  - name: kubernetes-config
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-kubectl-role
rules:
  - apiGroups:
      - "*"
    resources:
      - pods
      - deployments
      - deployments/scale
      - deployments/status
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-kubectl-binding
subjects:
  - kind: ServiceAccount
    name: build-bot
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-kubectl-role
Apply the yaml file:
kubectl apply -f serviceaccount.yaml
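Create the git-clone task
The Dockerfile is stored in the git repository, so the code has to be cloned locally before the image build runs. This requires installing the git-clone task; the official task is used here.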
kubectl apply -f \
https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml
Create the kaniko-build task
Create the kaniko-build task, used to build the docker image. It is adapted from the official kaniko task.
$ cat kaniko-build-task.yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kaniko-build
spec:
  params:
    - name: IMAGE_URL
      description: Name (reference) of the image to build.
    - name: IMAGE_TAG
      description: Tag to apply to the built image
      default: latest
    - name: DOCKERFILE
      description: Path to the Dockerfile to build.
      default: ./Dockerfile
    - name: CONTEXT
      description: The build context used by Kaniko.
      default: ./
    - name: EXTRA_ARGS
      type: array
      default: []
    - name: BUILDER_IMAGE
      description: The image on which builds will run (default is v1.5.1)
      default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
  workspaces:
    - name: source
      description: Holds the context and Dockerfile
    - name: dockerconfig
      description: Includes a docker `config.json`
      optional: true
      mountPath: /kaniko/.docker
  results:
    - name: IMAGE_DIGEST
      description: Digest of the image just built.
    - name: IMAGE_URL
      description: URL of the image just built.
  steps:
    - name: build-and-push
      workingDir: $(workspaces.source.path)
      image: $(params.BUILDER_IMAGE)
      args:
        - $(params.EXTRA_ARGS)
        - --dockerfile=$(params.DOCKERFILE)
        - --context=$(workspaces.source.path)/$(params.CONTEXT)
        - --destination=$(params.IMAGE_URL):$(params.IMAGE_TAG)
        - --digest-file=$(results.IMAGE_DIGEST.path)
      securityContext:
        runAsUser: 0
Apply the yaml file:
kubectl apply -f kaniko-build-task.yaml
Create the kubernetes-deploy task
Create the kubernetes-deploy task, used to deploy the yaml file to the kubernetes cluster.
$ cat kubernetes-deploy-task.yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kubernetes-deploy
spec:
  workspaces:
    - name: manifest-dir
    - name: kubeconfig-dir
      mountPath: /root/.kube
  params:
    - name: pathToYamlFile
      description: The path to the yaml file to deploy within the git source
      default: deployment.yaml
    - name: IMAGE_URL
    - name: IMAGE_TAG
    - name: KUBECTL_IMAGE
      default: docker.io/bitnami/kubectl:latest
  steps:
    - name: run-kubectl
      image: $(params.KUBECTL_IMAGE)
      workingDir: $(workspaces.manifest-dir.path)
      script: |
        sed -i s#IMAGE#$(params.IMAGE_URL)#g $(params.pathToYamlFile)
        sed -i s#TAG#$(params.IMAGE_TAG)#g $(params.pathToYamlFile)
        kubectl apply -f $(params.pathToYamlFile)
Apply the yaml file:
kubectl apply -f kubernetes-deploy-task.yaml
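The deploy task splices IMAGE_URL and IMAGE_TAG directly into a sed expression that uses # as its delimiter, so a value containing #, & or a backslash changes what sed does. The following is an added example, not code from the original article or its repository: it applies the same two substitutions only after both values pass a character check. The function names and the manifest fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: check IMAGE_URL and IMAGE_TAG before the sed substitution.
LC_ALL=C; export LC_ALL

# Lowercase registry/repository characters only. '#', '&', '\', spaces and
# newlines would alter the sed expression or the rendered YAML.
valid_image_url() {
  case "$1" in
    ''|*[!a-z0-9._/:-]*) return 1 ;;
  esac
}

# Image tag: word characters, '.' and '-', not starting with '.' or '-',
# at most 128 characters. A git commit SHA satisfies this.
valid_image_tag() {
  case "$1" in
    ''|[.-]*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  [ "${#1}" -le 128 ]
}

# render_manifest FILE IMAGE_URL IMAGE_TAG
# Same two substitutions as the task, written to stdout so FILE is unchanged.
render_manifest() {
  [ -f "$1" ] || { echo "manifest not found: $1" >&2; return 1; }
  valid_image_url "$2" || { echo "rejected IMAGE_URL" >&2; return 1; }
  valid_image_tag "$3" || { echo "rejected IMAGE_TAG" >&2; return 1; }
  sed -e "s#IMAGE#$2#g" -e "s#TAG#$3#g" "$1"
}

# Constructed manifest fragment with the placeholders the task replaces.
write_sample_manifest() {
  cat > "$1" <<'EOF'
      containers:
        - name: go-web-app
          image: IMAGE:TAG
EOF
}

workdir=$(mktemp -d)
write_sample_manifest "$workdir/deployment.yaml"
render_manifest "$workdir/deployment.yaml" \
  registry.cn-shenzhen.aliyuncs.com/cnmirror/devops-hello-world \
  927ec5cc665690ad798ffbbd02a8db520692951e
# A value carrying the sed delimiter is refused rather than spliced in.
render_manifest "$workdir/deployment.yaml" 'example.test/app#x' latest ||
  echo "refused" >&2
rm -rf "$workdir"
```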
Create the pipeline and pipelinerun
$ cat pipeline-run.yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: devops-hello-world-pipeline
spec:
  workspaces:
    - name: shared-data
    - name: docker-config
    - name: kubernetes-config
  params:
    # git-clone
    - name: git_url
      type: string
    - name: revision
      type: string
    - name: gitInitImage
      type: string
    # kaniko-build
    - name: dockerfile
      type: string
      description: reference of the image to build
    - name: builder_image
      type: string
      description: reference of the image to build
    - name: image_url
      description: Url of image repository
    - name: image_tag
      description: Tag to apply to the built image
      default: latest
    # kubernetes-deploy
    - name: kubectl_image
      type: string
  tasks:
    - name: clone
      taskRef:
        name: git-clone
      workspaces:
        - name: output
          workspace: shared-data
      params:
        - name: url
          value: $(params.git_url)
        - name: revision
          value: $(params.revision)
        - name: gitInitImage
          value: $(params.gitInitImage)
    - name: build-push-image
      params:
        - name: DOCKERFILE
          value: $(params.dockerfile)
        - name: IMAGE_URL
          value: $(params.image_url)
        - name: IMAGE_TAG
          value: $(tasks.clone.results.commit)
        - name: BUILDER_IMAGE
          value: $(params.builder_image)
      taskRef:
        # must match the Task created above (metadata.name: kaniko-build)
        name: kaniko-build
      runAfter:
        - clone
      workspaces:
        - name: source
          workspace: shared-data
        - name: dockerconfig
          workspace: docker-config
    - name: deploy-to-k8s
      taskRef:
        name: kubernetes-deploy
      params:
        - name: KUBECTL_IMAGE
          value: $(params.kubectl_image)
        - name: IMAGE_URL
          value: $(params.image_url)
        - name: IMAGE_TAG
          value: $(tasks.clone.results.commit)
        - name: pathToYamlFile
          value: deployment.yaml
      workspaces:
        - name: manifest-dir
          workspace: shared-data
        - name: kubeconfig-dir
          workspace: kubernetes-config
      runAfter:
        - build-push-image
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: devops-hello-world-pipeline-run-
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: devops-hello-world-pipeline
  params:
    # git-clone
    - name: git_url
      value: https://gitee.com/willzhangee/tekton-golang-demo.git
    - name: revision
      value: master
    - name: gitInitImage
      #value: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:latest
      value: dyrnq/tektoncd-pipeline-cmd-git-init:latest
    # kaniko
    - name: dockerfile
      value: ./Dockerfile
    - name: builder_image
      # value: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
      value: docker.io/bitnami/kaniko:latest
    - name: image_url
      value: registry.cn-shenzhen.aliyuncs.com/cnmirror/devops-hello-world
    - name: image_tag
      value: latest
    # kubernetes-deploy
    - name: kubectl_image
      value: 'docker.io/bitnami/kubectl:latest'
  workspaces:
    - name: shared-data
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          storageClassName: openebs-hostpath
          resources:
            requests:
              storage: 1Gi
    - name: docker-config
      secret:
        secretName: docker-config
    - name: kubernetes-config
      secret:
        secretName: kubernetes-config
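Parameter notes:
- gitInitImage: the image that runs the git clone task. The official image cannot be accessed, so it is recommended to look for a substitute image on Docker Hub
- builder_image: the image that runs the kaniko build task. The official image cannot be accessed, so it is recommended to look for a substitute image on Docker Hub
- image_url: the application image that is finally built
- serviceAccountName: specifies the serviceAccountName used for authentication
- shared-data workspace: used to share data between the different tasks. The PipelineRun defines a workspace of type volumeClaimTemplate, which can dynamically request the persistent volume it needs. Use the kubectl get storageclass command to confirm that the k8s cluster has a default storageclass available; in this example the output is openebs-hostpath (default)
- docker-config workspace: the secret volume used for image registry authentication; it mounts the config.json in the secret under /kaniko/.docker
- kubernetes-config: used to access kubernetes, mounted under the /root/.kube directory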
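The PipelineRun above replaces the digest-pinned kaniko reference with substitute images tagged latest, which can change between runs without any change to the YAML. The following is an added example, not part of the original article: a check to run before creating the PipelineRun that lists step-image parameters lacking an @sha256 digest. The function names and the parameter-name heuristic (names ending in "image") are assumptions that fit this page's manifests.

```shell
#!/bin/sh
# Added example: report step-image parameters that are not pinned by digest.
# Heuristic: a "- name:" ending in "image" followed by "value:" or "default:".
unpinned_images() {
  awk -v q="'" '
    /^[ \t]*#/ { next }                        # commented-out alternatives
    /^[ \t]*-[ \t]*name:/ {                    # remember the parameter name
      name = $0; sub(/^[ \t]*-[ \t]*name:[ \t]*/, "", name); next
    }
    /^[ \t]*(value|default):/ {
      ref = $0; sub(/^[ \t]*(value|default):[ \t]*/, "", ref)
      gsub("[\"" q "]", "", ref)               # strip YAML quotes
      # image_url and image_tag describe the image being built, and
      # $(params...) references are resolved from another parameter.
      if (tolower(name) !~ /image$/ || ref ~ /^\$\(/) next
      # "@sha256:" plus 64 hex digits is 72 characters.
      if (!(match(ref, /@sha256:[0-9a-f]+$/) && RLENGTH == 72))
        print name, ref
    }
  ' "$1"
}

# Constructed input: the image parameters of the PipelineRun above, with
# builder_image switched back to the digest-pinned reference for contrast.
write_sample_params() {
  cat > "$1" <<'EOF'
params:
  - name: gitInitImage
    value: dyrnq/tektoncd-pipeline-cmd-git-init:latest
  - name: builder_image
    value: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
  - name: image_url
    value: registry.cn-shenzhen.aliyuncs.com/cnmirror/devops-hello-world
  - name: kubectl_image
    value: 'docker.io/bitnami/kubectl:latest'
EOF
}

sample=$(mktemp)
write_sample_params "$sample"
unpinned_images "$sample"
rm -f "$sample"
```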
Apply the yaml file:
kubectl create -f pipeline-run.yaml
Check the pipelinerun execution result
Connect to kubernetes and confirm the deployed application:
root@kube001:~# kubectl get pods -l run=go-web-app
NAME READY STATUS RESTARTS AGE
go-web-app-79454cfdd7-dcz7p 1/1 Running 0 64s
Check the image information:
root@kube001:~# kubectl get pods go-web-app-79454cfdd7-dcz7p -o jsonpath='{.spec.containers[0].image}'
registry.cn-shenzhen.aliyuncs.com/cnmirror/devops-hello-world:927ec5cc665690ad798ffbbd02a8db520692951e
Reference: https://juejin.cn/post/7073347226772340749