Source to Image
![]()
#案例环境说明
◼ 示例项目
◆ 代码仓库:github.com/ikubernetes/spring-boot-helloworld.git
◆ 项目管理及构建工具:Maven
◼ Pipeline中的各Task
◆ git-clone:克隆项目的源代码
◆ build-to-package:代码测试、构建和打包
◆ generate-build-id:生成Build ID
◆ image-build-and-push:镜像构建(和推送)
◆ deploy-to-cluster:将新版本的镜像更新到Kubernetes集群上
◼ Workspace
◆ 基于PVC建立,跨Task共享
使用Kaniko镜像,基于Dockerfile构建容器镜像
https://github.com/GoogleContainerTools/kaniko
![]()
示例1:Pipeline完成Image构建,但不进行推送
![]()
#【1】Task:通过git clone代码
#01-task-git-clone.yaml
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat 01-task-git-clone.yaml
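# Task: clone a git repository into <workspace>/source.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: git-clone
spec:
  description: Clone the code repository to the workspace.
  params:
    - name: url
      type: string
      description: git url to clone
      default: ""
    - name: branch
      type: string
      description: git branch to checkout
      default: "main"
  workspaces:
    - name: source
      description: The git repo will be cloned onto the volume backing this workspace
  steps:
    - name: git-clone
      image: alpine/git:v2.36.1
      # Params are handed to the shell as environment variables. Tekton expands
      # $(params.*) in a script before the shell parses it, so placing them
      # directly in the script text lets a crafted url/branch value run as
      # shell code inside this step.
      env:
        - name: PARAM_URL
          value: $(params.url)
        - name: PARAM_BRANCH
          value: $(params.branch)
        - name: CLONE_DIR
          value: $(workspaces.source.path)/source
      script: |
        #!/bin/sh
        set -eu
        # The url default is "", so fail clearly when no repository was given.
        if [ -z "${PARAM_URL}" ]; then
          echo "param 'url' must not be empty" >&2
          exit 1
        fi
        # "--" ends option parsing: a url starting with "-" is not read as a git option.
        git clone -b "${PARAM_BRANCH}" -v -- "${PARAM_URL}" "${CLONE_DIR}"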
#【2】Task:通过maven:mvn clean test package、通过PVC:保存maven状态,下次创建就不用再下载maven依赖,构建会更快
#02-task-source-build.yaml
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat 02-task-source-build.yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: build-to-package
spec:
description: build application and package the files to image
workspaces:
- name: source
description: The git repo that cloned onto the volume backing this workspace
steps:
- name: build
image: maven:3.8-openjdk-11-slim
workingDir: $(workspaces.source.path)/source
volumeMounts:
- name: m2
mountPath: /root/.m2
script: mvn clean install
volumes:
- name: m2
persistentVolumeClaim:
claimName: maven-cache-02
#03-task-build-image.yaml
#【3】Task:使用kaniko,通过Dockerfile 构建镜像但是先不推送、官方镜像下载不了:gcr.io/kaniko-project/executor:debug,因此改用第三方仓库中的副本;第三方副本的内容无法保证与官方镜像一致,建议核对镜像摘要(digest)并按摘要固定版本,而不是使用latest
[root@xianchaonode1 ~]# crictl pull aisuko/kaniko-project-executor:latest
[root@xianchaomaster1 01-s2i-no-push]# cat 03-task-build-image.yaml
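# Task: build the image from the Dockerfile with kaniko, without pushing it.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: image-build
spec:
  description: package the application files to image
  params:
    - name: dockerfile
      description: The path to the dockerfile to build (relative to the context)
      default: Dockerfile
    - name: image-url
      description: Url of image repository
    - name: image-tag
      description: Tag to apply to the built image
      default: latest
  workspaces:
    - name: source
  steps:
    - name: build-and-push-image
      # image: gcr.io/kaniko-project/executor:debug
      # NOTE(review): this is a third-party copy of the kaniko executor pulled
      # by the mutable "latest" tag, so the code that runs here as root can
      # change without notice. Pin it by digest once verified, e.g.
      #   image: aisuko/kaniko-project-executor@sha256:<verified-digest>
      image: aisuko/kaniko-project-executor:latest
      securityContext:
        # The executor runs as uid 0 inside the step container.
        runAsUser: 0
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(params.dockerfile)
        - --context=$(workspaces.source.path)/source
        # Build only; nothing is pushed, so no registry credentials are mounted.
        - --no-push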
#04-pipeline-source-to-image.yaml
#Pipeline:整合前面三个Tasks
[root@xianchaomaster1 01-s2i-no-push]# cat 04-pipeline-source-to-image.yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: source-to-image
spec:
params:
- name: git-url
- name: pathToContext
description: The path to the build context, used by Kaniko - within the workspace
default: .
- name: image-url
description: Url of image repository
- name: image-tag
description: Tag to apply to the built image
workspaces:
- name: codebase
tasks:
- name: git-clone
taskRef:
name: git-clone
params:
- name: url
value: "$(params.git-url)"
workspaces:
- name: source
workspace: codebase
- name: build-to-package
taskRef:
name: build-to-package
workspaces:
- name: source
workspace: codebase
runAfter:
- git-clone
- name: image-build
taskRef:
name: image-build
params:
- name: image-url
value: "$(params.image-url)"
- name: image-tag
value: "$(params.image-tag)"
workspaces:
- name: source
workspace: codebase
runAfter:
- build-to-package
[root@xianchaomaster1 01-s2i-no-push]# kubectl apply -f 01-task-git-clone.yaml -f 02-task-source-build.yaml -f 03-task-build-image.yaml -f 04-pipeline-source-to-image.yaml
task.tekton.dev/git-clone created
task.tekton.dev/build-to-package created
task.tekton.dev/image-build created
pipeline.tekton.dev/source-to-image created
[root@xianchaomaster1 01-s2i-no-push]# tkn task list
NAME DESCRIPTION AGE
build-to-package build application a... 14 seconds ago
git-clone Clone the code repo... 14 seconds ago
image-build package the applica... 14 seconds ago
[root@xianchaomaster1 01-s2i-no-push]# tkn pipeline list
NAME AGE LAST RUN STARTED DURATION STATUS
source-to-image 34 seconds ago --- --- --- ---
#05-pipelinerun-source-to-image.yaml
#Pipelinerun:定义一个PVC:maven-cache 并且 Pipelinerun
#创建WS:codebase 传递给之前的Tasks变量 并且赋值
[root@xianchaomaster1 01-s2i-no-push]# cat 05-pipelinerun-source-to-image.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: maven-cache
spec:
storageClassName: nfs-csi
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: s2i-no-push-run-00001
spec:
pipelineRef:
name: source-to-image
params:
- name: git-url
#value: https://gitee.com/mageedu/spring-boot-helloWorld.git
value: http://code.gitlab.svc.cluster.local/root/spring-boot-helloWorld.git
- name: image-url
value: ikubernetes/spring-boot-helloworld
- name: image-tag
value: latest
workspaces:
- name: codebase
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: nfs-csi
![]()
示例2:Pipeline完成Image,且自动将其推送至Docker Hub,完成应用交付
![]()
https://github.com/anjia0532/gcr.io_mirror/issues/1906
#原镜像
gcr.io/kaniko-project/executor:v1.9.1-debug
#转换后镜像(第三方同步的副本,并非官方发布;使用前建议核对其摘要(digest)与官方镜像一致,并在Task中按摘要固定)
anjia0532/kaniko-project.executor:v1.9.1-debug
#需要文件
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# tree -a
.
├── 01-task-git-clone.yaml
├── 02-task-source-build.yaml
├── 03-task-build-image.yaml
├── 04-pipeline-source-to-image.yaml
├── 05-pipelinerun-source-to-image.yaml
├── .docker
│ └── config.json
├── mache-cache-02-pvc.yaml
└── README.md
1 directory, 8 files
#【1】创建PVC:maven-cache-02 用于缓存maven 下载的插件,再次利用pvc时构建项目更快
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat mache-cache-02-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: maven-cache-02
spec:
storageClassName: nfs-csi
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
---
#【2】有两种办法创建Secret
#【2.1】使用本地镜像仓库-Secret:创建 使用Kaniko登陆Harbor凭据变成 K8S Secret
#Harbor部署参考《Harbor 部署HTTPS 以及 containerd 连接Harbor配置》
docker login harbor.magedu.net
将/root/.docker/config.json内容复制到以下文件(注意:其中的auth字段只是"用户名:密码"的Base64编码,并未加密;不要把该文件提交到代码仓库,并建议使用仅有推送权限的Harbor机器人账号,而不是admin账号)
cd /root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub
mkdir .docker/
[root@xianchaomaster1 .docker]# pwd
/root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub/.docker
[root@xianchaomaster1 .docker]# cat .docker/config.json
{
"auths": {
"harbor.magedu.net": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
}
}
示例:kubectl create secret generic docker-config --from-file=<path to .docker/config.json>
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cd /root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl create secret generic docker-config --from-file=.docker/config.json
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl get secret
NAME TYPE DATA AGE
docker-config Opaque 1 7h47m
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl describe secret
Name: docker-config
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
config.json: 149 bytes
#【添加需要配置 coredns解析 harbor域名解析到实际IP】
#如果不进行解析 10.96.0.10 coredns无法解析到harbor 就无法推送到仓库了
# hosts {
# 192.168.40.104 harbor.sheca.com
# fallthrough
# }
[root@ca-k8s-master01 02-s2i-push-to-dockerhub]# kubectl edit cm coredns -n kube-system
apiVersion: v1
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
hosts {
192.168.40.104 harbor.sheca.com
fallthrough
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30
loop
reload
loadbalance
}
#验证是否正常可以解析到 harbor域名地址
[root@ca-k8s-master01 02-s2i-push-to-dockerhub]# kubectl run client-$RANDOM --image=ikubernetes/admin-box:v1.2 --restart=Never -it --command -- /bin/sh
root@client-27554 # nslookup harbor.sheca.com
Server: 10.96.0.10
Address: 10.96.0.10#53
Name: harbor.sheca.com
Address: 192.168.40.104
#或者
#【2.2】采用 DockerHub官方进行测试 -实验未成功
[root@ca-k8s-master01 02-s2i-push-to-dockerhub]# docker login
Username:
Password:
mkdir .docker/
cd /root/knative-1.7/Tekton/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub/.docker
cp /root/.docker/config.json .docker/
kubectl create secret generic docker-config --from-file=.docker/config.json
kubectl get secret
kubectl describe secret
#【3】Task:通过git clone代码
#01-task-git-clone.yaml
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat 01-task-git-clone.yaml
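# Task: clone a git repository into <workspace>/source.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: git-clone
spec:
  description: Clone the code repository to the workspace.
  params:
    - name: url
      type: string
      description: git url to clone
      default: ""
    - name: branch
      type: string
      description: git branch to checkout
      default: "main"
  workspaces:
    - name: source
      description: The git repo will be cloned onto the volume backing this workspace
  steps:
    - name: git-clone
      image: alpine/git:v2.36.1
      # Params are handed to the shell as environment variables. Tekton expands
      # $(params.*) in a script before the shell parses it, so placing them
      # directly in the script text lets a crafted url/branch value run as
      # shell code inside this step.
      env:
        - name: PARAM_URL
          value: $(params.url)
        - name: PARAM_BRANCH
          value: $(params.branch)
        - name: CLONE_DIR
          value: $(workspaces.source.path)/source
      script: |
        #!/bin/sh
        set -eu
        # The url default is "", so fail clearly when no repository was given.
        if [ -z "${PARAM_URL}" ]; then
          echo "param 'url' must not be empty" >&2
          exit 1
        fi
        # "--" ends option parsing: a url starting with "-" is not read as a git option.
        git clone -b "${PARAM_BRANCH}" -v -- "${PARAM_URL}" "${CLONE_DIR}"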
#【4】Task:通过maven:mvn clean test package、通过PVC:保存maven状态,下次创建就不要在下载maven依赖就很快了
# 02-task-source-build.yaml
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat 02-task-source-build.yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: build-to-package
spec:
description: build application and package the files to image
workspaces:
- name: source
description: The git repo that cloned onto the volume backing this workspace
steps:
- name: build
image: maven:3.8-openjdk-11-slim
workingDir: $(workspaces.source.path)/source
volumeMounts:
- name: m2
mountPath: /root/.m2
script: mvn clean install
volumes:
- name: m2
persistentVolumeClaim:
claimName: maven-cache-02
#【5】Task:使用kaniko、通过Dockerfile 构建镜像并且推送到自建仓库中Harbor、script用于调试容器、kaniko通过参数跳过TLS证书校验并允许HTTP访问(仅适用于实验环境)
#官方镜像下载不了:gcr.io/kaniko-project/executor:debug
#03-task-build-image.yaml
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat 03-task-build-image.yaml
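# Task: build the image with kaniko and push it to the registry named by
# image-url, authenticating with the Docker config mounted at /kaniko/.docker.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: image-build-and-push
spec:
  description: package the application files to image
  params:
    - name: dockerfile
      description: The path to the dockerfile to build (relative to the context)
      default: Dockerfile
    - name: image-url
      description: Url of image repository
    - name: image-tag
      description: Tag to apply to the built image
      default: latest
  workspaces:
    - name: source
    - name: dockerconfig
      optional: true
      # Secret resource which contains identity to image registry
      mountPath: /kaniko/.docker
  steps:
    - name: image-build-and-push
      # NOTE(review): third-party copy of the kaniko executor. It runs as root
      # and can read the registry credentials mounted below, so verify it
      # against the upstream image and pin it by digest, e.g.
      #   image: anjia0532/kaniko-project.executor@sha256:<verified-digest>
      image: anjia0532/kaniko-project.executor:v1.9.1-debug
      #image: gcr.io/kaniko-project/executor:debug
      #image: registry.cn-hangzhou.aliyuncs.com/birkhoff/kaniko-project-executor:debug
      #image: mgit/base:kaniko-executor-debug-stable
      #image: registry.cn-hangzhou.aliyuncs.com/birkhoff/kaniko-project-executor:v1.6.0-debug
      #image: registry.cn-hangzhou.aliyuncs.com/birkhoff/kaniko-project-executor:btest
      securityContext:
        # The executor runs as uid 0 inside the step container.
        runAsUser: 0
      env:
        # Directory in which the executor looks for config.json.
        - name: DOCKER_CONFIG
          value: /kaniko/.docker
      #script: |
      #  #!/busybox/sh
      #  set -eu
      #  sleep 5000
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(params.dockerfile)
        - --context=$(workspaces.source.path)/source
        - --destination=$(params.image-url):$(params.image-tag)
        # NOTE(review): the four flags below disable certificate verification
        # and allow plain-HTTP registry access for both pull and push. The
        # registry credentials and the pushed layers are then exposed to anyone
        # able to intercept traffic to the registry. They are kept because the
        # walkthrough depends on them; outside a lab, remove them and trust the
        # registry CA instead, e.g.
        #   - --registry-certificate=harbor.magedu.net=<path-to-mounted-ca.crt>
        - --skip-tls-verify
        - --insecure
        - --insecure-pull
        #- --insecure-registry
        - --skip-tls-verify-pull
        - --registry-mirror=harbor.magedu.net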
#【6】Pipeline:整合前面三个Tasks
#04-pipeline-source-to-image.yaml
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat 04-pipeline-source-to-image.yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: source-to-image
spec:
params:
- name: git-url
- name: pathToContext
description: The path to the build context, used by Kaniko - within the workspace
default: .
- name: image-url
description: Url of image repository
- name: image-tag
description: Tag to apply to the built image
workspaces:
- name: codebase
- name: docker-config
tasks:
- name: git-clone
taskRef:
name: git-clone
params:
- name: url
value: "$(params.git-url)"
workspaces:
- name: source
workspace: codebase
- name: build-to-package
taskRef:
name: build-to-package
workspaces:
- name: source
workspace: codebase
runAfter:
- git-clone
- name: image-build-and-push
taskRef:
name: image-build-and-push
params:
- name: image-url
value: "$(params.image-url)"
- name: image-tag
value: "$(params.image-tag)"
workspaces:
- name: source
workspace: codebase
- name: dockerconfig
workspace: docker-config
runAfter:
- build-to-package
#【7】
#05-pipelinerun-source-to-image.yaml
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat 05-pipelinerun-source-to-image.yaml
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: s2i-image-push-run-00001
spec:
pipelineRef:
name: source-to-image
params:
- name: git-url
value: http://code.gitlab.svc.cluster.local/root/spring-boot-helloWorld.git
#value: https://gitee.com/mageedu/spring-boot-helloWorld.git
- name: image-url
value: harbor.magedu.net/birkhoffxia/spring-boot-helloworld
#value: registry.cn-hangzhou.aliyuncs.com/birkhoff/spring-boot-helloworld
#value: birkhoffxks/spring-boot-helloworld
- name: image-tag
value: v0.9.1
workspaces:
- name: codebase
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: nfs-csi
- name: docker-config
secret:
secretName: docker-config
#【8】创建pvc-创建secret-01-02-03-04-05 启动
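# Create the registry-credential Secret, then apply the PVC, Tasks, Pipeline
# and PipelineRun in dependency order.
#
# The source file is .docker/config.json (not ".docker/config"): the Secret key
# takes the file name, and the kaniko step looks for config.json in the
# directory named by DOCKER_CONFIG (/kaniko/.docker).
kubectl create secret generic docker-config --from-file=.docker/config.json
kubectl apply -f mache-cache-02-pvc.yaml
kubectl apply -f 01-task-git-clone.yaml
kubectl apply -f 02-task-source-build.yaml
kubectl apply -f 03-task-build-image.yaml
kubectl apply -f 04-pipeline-source-to-image.yaml
kubectl apply -f 05-pipelinerun-source-to-image.yaml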
![]()
![]()
示例3-添加Task,生成Build ID,并将之作为Image的标签
![]()
https://github.com/anjia0532/gcr.io_mirror/issues/1906
#原镜像
gcr.io/kaniko-project/executor:v1.9.1-debug
#转换后镜像
anjia0532/kaniko-project.executor:v1.9.1-debug
#需要文件
[root@xianchaomaster1 03-s2i-auto-gen-build-id]# tree -a
.
├── 01-task-git-clone.yaml
├── 02-task-source-build.yaml
├── 03-generate-build-id.yaml
├── 04-task-build-image.yaml
├── 04-task-build-image.yaml.magedu
├── 05-pipeline-source-to-image.yaml
├── 06-pipelinerun-source-to-image.yaml
├── .docker
│ └── config.json
├── mache-cache-02-pvc.yaml
└── README.md
#如果之前一个实验创建无需创建
#【1】创建PVC:maven-cache-02 用于缓存maven 下载的插件,再次利用pvc时构建项目更快
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat mache-cache-02-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: maven-cache-02
spec:
storageClassName: nfs-csi
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
---
#如果之前一个实验创建无需创建
#【2】Secret:创建 使用Kaniko登陆Harbor凭据变成 K8S Secret
#Harbor部署参考《Harbor 部署HTTPS 以及 containerd 连接Harbor配置》
docker login harbor.magedu.net
将/root/.docker/config.json内容复制到以下文件
cd /root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub
mkdir .docker/
[root@xianchaomaster1 .docker]# pwd
/root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub/.docker
[root@xianchaomaster1 .docker]# cat .docker/config.json
{
"auths": {
"harbor.magedu.net": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
}
}
示例:kubectl create secret generic docker-config --from-file=<path to .docker/config.json>
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cd /root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl create secret generic docker-config --from-file=.docker/config.json
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl get secret
NAME TYPE DATA AGE
docker-config Opaque 1 7h47m
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl describe secret
Name: docker-config
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
config.json: 149 bytes
#如果之前一个实验创建无需创建
#【3】Task:通过git clone代码
#01-task-git-clone.yaml
[root@xianchaomaster1 03-s2i-auto-gen-build-id]# cat 01-task-git-clone.yaml
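# Task: clone a git repository into <workspace>/source.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: git-clone
spec:
  description: Clone the code repository to the workspace.
  params:
    - name: url
      type: string
      description: git url to clone
      default: ""
    - name: branch
      type: string
      description: git branch to checkout
      default: "main"
  workspaces:
    - name: source
      description: The git repo will be cloned onto the volume backing this workspace
  steps:
    - name: git-clone
      image: alpine/git:v2.36.1
      # Params are handed to the shell as environment variables. Tekton expands
      # $(params.*) in a script before the shell parses it, so placing them
      # directly in the script text lets a crafted url/branch value run as
      # shell code inside this step.
      env:
        - name: PARAM_URL
          value: $(params.url)
        - name: PARAM_BRANCH
          value: $(params.branch)
        - name: CLONE_DIR
          value: $(workspaces.source.path)/source
      script: |
        #!/bin/sh
        set -eu
        # The url default is "", so fail clearly when no repository was given.
        if [ -z "${PARAM_URL}" ]; then
          echo "param 'url' must not be empty" >&2
          exit 1
        fi
        # "--" ends option parsing: a url starting with "-" is not read as a git option.
        git clone -b "${PARAM_BRANCH}" -v -- "${PARAM_URL}" "${CLONE_DIR}"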
#如果之前一个实验创建无需创建
#【4】Task:通过maven:mvn clean test package、通过PVC:保存maven状态,下次创建就不要在下载maven依赖就很快了
# 02-task-source-build.yaml
[root@xianchaomaster1 03-s2i-auto-gen-build-id]# cat 02-task-source-build.yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: build-to-package
spec:
description: build application and package the files to image
workspaces:
- name: source
description: The git repo that cloned onto the volume backing this workspace
steps:
- name: build
image: maven:3.8-openjdk-11-slim
workingDir: $(workspaces.source.path)/source
volumeMounts:
- name: m2
mountPath: /root/.m2
script: mvn clean install
volumes:
- name: m2
persistentVolumeClaim:
claimName: maven-cache-02
#【5】创建生成 项目id 使用result参数
#03-generate-build-id.yaml
[root@xianchaomaster1 03-s2i-auto-gen-build-id]# cat 03-generate-build-id.yaml
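# Task: emit two results - the current timestamp ("datetime") and a build ID of
# the form <version>-<datetime> ("buildId").
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: generate-build-id
spec:
  params:
    - name: version
      description: The version of the application
      type: string
  results:
    - name: datetime
      description: The current date and time
    - name: buildId
      description: The build ID
  steps:
    - name: generate-datetime
      image: ikubernetes/admin-box:v1.2
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        # Timestamp as YYYYmmdd-HHMMSS, written without a trailing newline.
        datetime="$(date +%Y%m%d-%H%M%S)"
        printf '%s' "${datetime}" | tee "$(results.datetime.path)"
    - name: generate-buildid
      image: ikubernetes/admin-box:v1.2
      # The version param is passed through the environment rather than being
      # substituted into the script text, so its value cannot be parsed as
      # shell code.
      env:
        - name: PARAM_VERSION
          value: $(params.version)
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        # On this page the build ID is used as the image tag, so accept only
        # characters that are valid in a tag.
        case "${PARAM_VERSION}" in
          '' | *[!A-Za-z0-9_.-]*)
            echo "version must be non-empty and contain only [A-Za-z0-9_.-]" >&2
            exit 1
            ;;
        esac
        build_datetime="$(cat "$(results.datetime.path)")"
        build_id="${PARAM_VERSION}-${build_datetime}"
        printf '%s' "${build_id}" | tee "$(results.buildId.path)"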
#【6】Task:使用kaniko、通过Dockerfile 构建镜像并且推送到自建仓库中Harbor、script用于调试容器、kaniko通过参数跳过TLS证书校验并允许HTTP访问(仅适用于实验环境)
#官方镜像下载不了:gcr.io/kaniko-project/executor:debug
#03-task-build-image.yaml
[root@xianchaomaster1 03-s2i-auto-gen-build-id]# cat 04-task-build-image.yaml
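# Task: build the image with kaniko and push it to the registry named by
# image-url, authenticating with the Docker config mounted at /kaniko/.docker.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: image-build-and-push
spec:
  description: package the application files to image
  params:
    - name: dockerfile
      description: The path to the dockerfile to build (relative to the context)
      default: Dockerfile
    - name: image-url
      description: Url of image repository
    - name: image-tag
      description: Tag to apply to the built image
      default: latest
  workspaces:
    - name: source
    - name: dockerconfig
      optional: true
      mountPath: /kaniko/.docker
  steps:
    - name: image-build-and-push
      # NOTE(review): third-party copy of the kaniko executor. It runs as root
      # and can read the registry credentials mounted below, so verify it
      # against the upstream image and pin it by digest, e.g.
      #   image: anjia0532/kaniko-project.executor@sha256:<verified-digest>
      image: anjia0532/kaniko-project.executor:v1.9.1-debug
      securityContext:
        # The executor runs as uid 0 inside the step container.
        runAsUser: 0
      env:
        # Directory in which the executor looks for config.json.
        - name: DOCKER_CONFIG
          value: /kaniko/.docker
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(params.dockerfile)
        - --context=$(workspaces.source.path)/source
        - --destination=$(params.image-url):$(params.image-tag)
        # NOTE(review): the four flags below disable certificate verification
        # and allow plain-HTTP registry access for both pull and push. The
        # registry credentials and the pushed layers are then exposed to anyone
        # able to intercept traffic to the registry. They are kept because the
        # walkthrough depends on them; outside a lab, remove them and trust the
        # registry CA instead, e.g.
        #   - --registry-certificate=harbor.magedu.net=<path-to-mounted-ca.crt>
        - --skip-tls-verify
        - --insecure
        - --insecure-pull
        - --skip-tls-verify-pull
        - --registry-mirror=harbor.magedu.net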
#【7】Pipeline:整合前面四个Tasks
#05-pipeline-source-to-image.yaml
[root@xianchaomaster1 03-s2i-auto-gen-build-id]# cat 05-pipeline-source-to-image.yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: source-to-image
spec:
params:
- name: git-url
- name: pathToContext
description: The path to the build context, used by Kaniko - within the workspace
default: .
- name: image-url
description: Url of image repository
- name: version
description: The version of the application
type: string
default: "v0.9"
#results:
# - name: datetime
# description: The current date and time
# - name: buildId
# description: The build ID
workspaces:
- name: codebase
- name: docker-config
tasks:
- name: git-clone
taskRef:
name: git-clone
params:
- name: url
value: "$(params.git-url)"
workspaces:
- name: source
workspace: codebase
- name: build-to-package
taskRef:
name: build-to-package
workspaces:
- name: source
workspace: codebase
runAfter:
- git-clone
- name: generate-build-id
taskRef:
name: generate-build-id
params:
- name: version
value: "$(params.version)"
runAfter:
- git-clone
- name: image-build-and-push
taskRef:
name: image-build-and-push
params:
- name: image-url
value: "$(params.image-url)"
- name: image-tag
value: "$(tasks.generate-build-id.results.buildId)"
workspaces:
- name: source
workspace: codebase
- name: dockerconfig
workspace: docker-config
runAfter:
- generate-build-id
- build-to-package
#【8】
#05-pipelinerun-source-to-image.yaml
[root@xianchaomaster1 03-s2i-auto-gen-build-id]# cat 06-pipelinerun-source-to-image.yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: s2i-buildid-run-00002
spec:
pipelineRef:
name: source-to-image
params:
- name: git-url
value: http://code.gitlab.svc.cluster.local/root/spring-boot-helloWorld.git
- name: image-url
value: harbor.magedu.net/birkhoffxia/spring-boot-helloworld
- name: version
value: v0.9.2
workspaces:
- name: codebase
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: nfs-csi
- name: docker-config
secret:
secretName: docker-config
#【9】创建pvc-创建secret-01-02-03-04-05-06 启动
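# Create the registry-credential Secret, then apply the PVC, Tasks, Pipeline
# and PipelineRun in dependency order.
#
# The source file is .docker/config.json (not ".docker/config"): the Secret key
# takes the file name, and the kaniko step looks for config.json in the
# directory named by DOCKER_CONFIG (/kaniko/.docker).
kubectl create secret generic docker-config --from-file=.docker/config.json
kubectl apply -f mache-cache-02-pvc.yaml
kubectl apply -f 01-task-git-clone.yaml
kubectl apply -f 02-task-source-build.yaml
kubectl apply -f 03-generate-build-id.yaml
kubectl apply -f 04-task-build-image.yaml
kubectl apply -f 05-pipeline-source-to-image.yaml
kubectl apply -f 06-pipelinerun-source-to-image.yaml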
![]()
![]()
示例4--添加Task,完成应用自动部署
![]()
CD: 持续部署
# 构建成Docker Image的应用相关资源配置文件
# 资源配置格式:
原生的kubernetes资源配置
kubernetes kustomize
kubectl apply 到 API Server
Helm Charts
helm install 到 API Server
存储于何处?
# 配置更新:config update
# 认证: ServiceAccount
kubeconfig配置
存放于何处,于何处能够调用?
# 授权:
确保相关的认证到APIServer的用户,有相应的资源操作权限
目标环境:
是否需要人工介入:
# 示例:
原生的kubernetes资源配置
代码仓库:deploy/kubernetes/
如何更新配置?
sed命令
kubectl
确保其正确加载到kubeconfig
确保完成了合理的授权
触发机制:
手动触发
定时触发
pollSCMs
代码仓库上事件触发
事件本身:
事件属性
[root@xianchaomaster1 04-s2i-auto-deploy]# tree -a
.
├── 01-task-git-clone.yaml
├── 02-task-source-build.yaml
├── 03-generate-build-id.yaml
├── 04-task-build-image.yaml
├── 04-task-build-image.yaml.magedu
├── 05-task-deploy.yaml
├── 06-pipeline-source-to-image.yaml
├── 07-rbac.yaml
├── 08-pipelinerun-source-to-image.yaml
├── .docker
│ └── config.json
├── mache-cache-02-pvc.yaml
└── README.md
1 directory, 12 files
#如果之前一个实验创建无需创建
#【1】创建PVC:maven-cache-02 用于缓存maven 下载的插件,再次利用pvc时构建项目更快
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cat mache-cache-02-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: maven-cache-02
spec:
storageClassName: nfs-csi
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
---
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl apply -f mache-cache-02-pvc.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
maven-cache-02 Bound pvc-1fb661df-6438-4a52-a8d8-2e741222bc60 5Gi RWX nfs-csi 12h
#如果之前一个实验创建无需创建
#【2】Secret:创建 使用Kaniko登陆Harbor凭据变成 K8S Secret
#Harbor部署参考《Harbor 部署HTTPS 以及 containerd 连接Harbor配置》
docker login harbor.magedu.net
将/root/.docker/config.json内容复制到以下文件
cd /root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub
mkdir .docker/
[root@xianchaomaster1 .docker]# pwd
/root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub/.docker
[root@xianchaomaster1 .docker]# cat .docker/config.json
{
"auths": {
"harbor.magedu.net": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
}
}
示例:kubectl create secret generic docker-config --from-file=<path to .docker/config.json>
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# cd /root/KnativeSrc/tekton-and-argocd-in-practise-main/04-tekton-pipeline-in-practise/02-s2i-push-to-dockerhub
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl create secret generic docker-config --from-file=.docker/config.json
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl get secret
NAME TYPE DATA AGE
docker-config Opaque 1 7h47m
[root@xianchaomaster1 02-s2i-push-to-dockerhub]# kubectl describe secret
Name: docker-config
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
config.json: 149 bytes
#如果之前一个实验创建无需创建
#【3】Task:通过git clone代码
[root@xianchaomaster1 04-s2i-auto-deploy]# cat 01-task-git-clone.yaml
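# Task: clone a git repository into <workspace>/source.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: git-clone
spec:
  description: Clone the code repository to the workspace.
  params:
    - name: url
      type: string
      description: git url to clone
      default: ""
    - name: branch
      type: string
      description: git branch to checkout
      default: "main"
  workspaces:
    - name: source
      description: The git repo will be cloned onto the volume backing this workspace
  steps:
    - name: git-clone
      image: alpine/git:v2.36.1
      # Params are handed to the shell as environment variables. Tekton expands
      # $(params.*) in a script before the shell parses it, so placing them
      # directly in the script text lets a crafted url/branch value run as
      # shell code inside this step.
      env:
        - name: PARAM_URL
          value: $(params.url)
        - name: PARAM_BRANCH
          value: $(params.branch)
        - name: CLONE_DIR
          value: $(workspaces.source.path)/source
      script: |
        #!/bin/sh
        set -eu
        # The url default is "", so fail clearly when no repository was given.
        if [ -z "${PARAM_URL}" ]; then
          echo "param 'url' must not be empty" >&2
          exit 1
        fi
        # "--" ends option parsing: a url starting with "-" is not read as a git option.
        git clone -b "${PARAM_BRANCH}" -v -- "${PARAM_URL}" "${CLONE_DIR}"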
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl apply -f 01-task-git-clone.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# tkn task list | grep git-clone
git-clone Clone the code repo... 12 hours ago
#如果之前一个实验创建无需创建
#【4】Task:通过maven:mvn clean test package、通过PVC:保存maven状态,下次创建就不要在下载maven依赖就很快了
[root@xianchaomaster1 04-s2i-auto-deploy]# cat 02-task-source-build.yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: build-to-package
spec:
description: build application and package the files to image
workspaces:
- name: source
description: The git repo that cloned onto the volume backing this workspace
steps:
- name: build
image: maven:3.8-openjdk-11-slim
workingDir: $(workspaces.source.path)/source
volumeMounts:
- name: m2
mountPath: /root/.m2
script: mvn clean install
volumes:
- name: m2
persistentVolumeClaim:
claimName: maven-cache-02
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl apply -f 02-task-source-build.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# tkn task list | grep build-to-package
build-to-package build application a... 12 hours ago
#【5】创建生成 项目id 使用result参数
#03-generate-build-id.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# cat 03-generate-build-id.yaml
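# Task: emit two results - the current timestamp ("datetime") and a build ID of
# the form <version>-<datetime> ("buildId").
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: generate-build-id
spec:
  params:
    - name: version
      description: The version of the application
      type: string
  results:
    - name: datetime
      description: The current date and time
    - name: buildId
      description: The build ID
  steps:
    - name: generate-datetime
      image: ikubernetes/admin-box:v1.2
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        # Timestamp as YYYYmmdd-HHMMSS, written without a trailing newline.
        datetime="$(date +%Y%m%d-%H%M%S)"
        printf '%s' "${datetime}" | tee "$(results.datetime.path)"
    - name: generate-buildid
      image: ikubernetes/admin-box:v1.2
      # The version param is passed through the environment rather than being
      # substituted into the script text, so its value cannot be parsed as
      # shell code.
      env:
        - name: PARAM_VERSION
          value: $(params.version)
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        # The build ID is used as the image tag and is substituted into the
        # deployment manifest, so accept only characters valid in a tag.
        case "${PARAM_VERSION}" in
          '' | *[!A-Za-z0-9_.-]*)
            echo "version must be non-empty and contain only [A-Za-z0-9_.-]" >&2
            exit 1
            ;;
        esac
        build_datetime="$(cat "$(results.datetime.path)")"
        build_id="${PARAM_VERSION}-${build_datetime}"
        printf '%s' "${build_id}" | tee "$(results.buildId.path)"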
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl apply -f 03-generate-build-id.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# tkn task list | grep generate-build-id
generate-build-id 4 hours ago
#【6】Task:使用kaniko、通过Dockerfile 构建镜像并且推送到自建仓库中Harbor、script用于调试容器、kaniko通过参数跳过TLS证书校验并允许HTTP访问(仅适用于实验环境)
#官方镜像下载不了:gcr.io/kaniko-project/executor:debug
[root@xianchaomaster1 04-s2i-auto-deploy]# cat 04-task-build-image.yaml
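# Task: build the image with kaniko and push it to the registry named by
# image-url, authenticating with the Docker config mounted at /kaniko/.docker.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: image-build-and-push
spec:
  description: package the application files to image
  params:
    - name: dockerfile
      description: The path to the dockerfile to build (relative to the context)
      default: Dockerfile
    - name: image-url
      description: Url of image repository
    - name: image-tag
      description: Tag to apply to the built image
      default: latest
  workspaces:
    - name: source
    - name: dockerconfig
      optional: true
      mountPath: /kaniko/.docker
  steps:
    - name: image-build-and-push
      # NOTE(review): third-party copy of the kaniko executor. It runs as root
      # and can read the registry credentials mounted below, so verify it
      # against the upstream image and pin it by digest, e.g.
      #   image: anjia0532/kaniko-project.executor@sha256:<verified-digest>
      image: anjia0532/kaniko-project.executor:v1.9.1-debug
      securityContext:
        # The executor runs as uid 0 inside the step container.
        runAsUser: 0
      env:
        # Directory in which the executor looks for config.json.
        - name: DOCKER_CONFIG
          value: /kaniko/.docker
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(params.dockerfile)
        - --context=$(workspaces.source.path)/source
        - --destination=$(params.image-url):$(params.image-tag)
        # NOTE(review): the four flags below disable certificate verification
        # and allow plain-HTTP registry access for both pull and push. The
        # registry credentials and the pushed layers are then exposed to anyone
        # able to intercept traffic to the registry. They are kept because the
        # walkthrough depends on them; outside a lab, remove them and trust the
        # registry CA instead, e.g.
        #   - --registry-certificate=harbor.magedu.net=<path-to-mounted-ca.crt>
        - --skip-tls-verify
        - --insecure
        - --insecure-pull
        - --skip-tls-verify-pull
        - --registry-mirror=harbor.magedu.net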
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl apply -f 04-task-build-image.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# tkn task list | grep image-build-and-push
image-build-and-push package the applica... 12 hours ago
#【7】更新yaml文件替换里面的版本参数
#05-task-deploy.yaml
crictl pull lachlanevenson/k8s-kubectl
crictl pull alpine:3.16
[root@xianchaomaster1 04-s2i-auto-deploy]# cat 05-task-deploy.yaml
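# Task: replace the __IMAGE__ placeholder in a manifest from the cloned repo
# with <image-url>:<image-tag>, then apply that manifest with kubectl.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: deploy-using-kubectl
spec:
  workspaces:
    - name: source
      description: The git repo
  params:
    - name: deploy-config-file
      description: The path to the yaml file to deploy within the git source
    - name: image-url
      description: Image name including repository
    - name: image-tag
      description: Image tag
  steps:
    - name: update-yaml
      image: alpine:3.16
      env:
        - name: IMAGE_REF
          value: $(params.image-url):$(params.image-tag)
        - name: MANIFEST
          value: $(workspaces.source.path)/source/deploy/$(params.deploy-config-file)
      script: |
        #!/bin/sh
        set -eu
        # The reference is spliced into a sed expression that uses "@" as its
        # delimiter. Allow only characters expected in repository:tag so the
        # value cannot end the replacement early or add further sed commands.
        case "${IMAGE_REF}" in
          '' | *[!A-Za-z0-9_./:-]*)
            echo "unexpected characters in image reference" >&2
            exit 1
            ;;
        esac
        sed -i -e "s@__IMAGE__@${IMAGE_REF}@g" "${MANIFEST}"
    - name: run-kubectl
      # NOTE(review): no tag or digest is given, so whatever this third-party
      # image currently resolves to runs with the deploy ServiceAccount's
      # token. Pin it, e.g. lachlanevenson/k8s-kubectl@sha256:<verified-digest>.
      image: lachlanevenson/k8s-kubectl
      command: ["kubectl"]
      # The manifest comes from the cloned repository, so anyone who can change
      # deploy/ there decides what is applied with this step's permissions.
      args:
        - "apply"
        - "-f"
        - "$(workspaces.source.path)/source/deploy/$(params.deploy-config-file)"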
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl apply -f 05-task-deploy.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# tkn task list | grep deploy-using-kubectl
deploy-using-kubectl 2 hours ago
#【8】定义Pipeline 把之前5个Task进行整合
#06-pipeline-source-to-image.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# cat 06-pipeline-source-to-image.yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: source-to-image
spec:
params:
- name: git-url
- name: pathToContext
description: The path to the build context, used by Kaniko - within the workspace
default: .
- name: image-url
description: Url of image repository
- name: deploy-config-file
description: The path to the yaml file to deploy within the git source
default: all-in-one.yaml
- name: version
description: The version of the application
type: string
default: "v0.9"
workspaces:
- name: codebase
- name: docker-config
tasks:
- name: git-clone
taskRef:
name: git-clone
params:
- name: url
value: "$(params.git-url)"
workspaces:
- name: source
workspace: codebase
- name: build-to-package
taskRef:
name: build-to-package
workspaces:
- name: source
workspace: codebase
runAfter:
- git-clone
- name: generate-build-id
taskRef:
name: generate-build-id
params:
- name: version
value: "$(params.version)"
runAfter:
- git-clone
- name: image-build-and-push
taskRef:
name: image-build-and-push
params:
- name: image-url
value: "$(params.image-url)"
- name: image-tag
value: "$(tasks.generate-build-id.results.buildId)"
workspaces:
- name: source
workspace: codebase
- name: dockerconfig
workspace: docker-config
runAfter:
- generate-build-id
- build-to-package
- name: deploy-to-cluster
taskRef:
name: deploy-using-kubectl
workspaces:
- name: source
workspace: codebase
params:
- name: deploy-config-file
value: $(params.deploy-config-file)
- name: image-url
value: $(params.image-url)
- name: image-tag
value: "$(tasks.generate-build-id.results.buildId)"
runAfter:
- image-build-and-push
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl apply -f 06-pipeline-source-to-image.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# tkn pipeline list | grep source-to-image
source-to-image 12 hours ago s2i-buildid-run-00003 1 hour ago 2m58s Succeeded
#【9】构建rbac授权文件
#07-rbac.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# cat 07-rbac.yaml
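---
# ServiceAccount used by the deploy-to-cluster task of the PipelineRun.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helloworld-admin
---
# Least privilege: a RoleBinding to the built-in "edit" ClusterRole, limited to
# the "default" namespace, replaces the earlier ClusterRoleBinding to
# cluster-admin. The deploy task applies manifests taken from the git
# repository, so with cluster-admin anyone able to change deploy/ in that
# repository would control the whole cluster.
# NOTE(review): assumes the deployed manifest only creates namespaced workload
# objects in "default" (the page shows a Deployment pod and a Service there) -
# confirm against deploy/all-in-one.yaml. If the cluster-admin
# ClusterRoleBinding named helloworld-admin was already applied, delete it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helloworld-admin
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: ServiceAccount
    name: helloworld-admin
    namespace: default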
kubectl apply -f 07-rbac.yaml
#【10】PipelineRun
#08-pipelinerun-source-to-image.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# cat 08-pipelinerun-source-to-image.yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: s2i-buildid-run-00003
spec:
pipelineRef:
name: source-to-image
taskRunSpecs:
- pipelineTaskName: deploy-to-cluster
taskServiceAccountName: helloworld-admin
params:
- name: git-url
value: http://code.gitlab.svc.cluster.local/root/spring-boot-helloWorld.git
- name: image-url
value: harbor.magedu.net/birkhoffxia/spring-boot-helloworld
- name: version
value: v0.9.3
workspaces:
- name: codebase
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: nfs-csi
- name: docker-config
secret:
secretName: docker-config
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl apply -f 08-pipelinerun-source-to-image.yaml
[root@xianchaomaster1 04-s2i-auto-deploy]# tkn pipelinerun list
NAME STARTED DURATION STATUS
s2i-buildid-run-00003 1 hour ago 2m58s Succeeded
#node上操作
#查看是否正常 如果不正常 需要在node节点 配置harbor.magedu.net凭据
#《参考:Harbor 部署HTTPS 以及 containerd 连接Harbor配置》中的 五、访问私有化镜像仓库 - 运行时为:containerd
#参考下图配置
# containerd CRI registry settings for harbor.magedu.net: mirror endpoint,
# TLS material and the credentials the node uses when pulling images.
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.magedu.net"]
endpoint = ["https://harbor.magedu.net"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.magedu.net".tls]
# NOTE(review): with insecure_skip_verify = true the registry's certificate is
# not verified, so the ca_file below does not protect the connection. If the
# CA file is correct, setting this to false should keep pulls working while
# restoring verification - confirm on a test node.
insecure_skip_verify = true
ca_file = "/etc/containerd/certs.d/harbor.magedu.net/ca.crt"
cert_file = "/etc/containerd/certs.d/harbor.magedu.net/magedu.net.cert"
key_file = "/etc/containerd/certs.d/harbor.magedu.net/magedu.net.key"
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.magedu.net".auth]
# NOTE(review): these are the registry admin credentials, stored in plaintext
# in every node's containerd config. Prefer a dedicated pull-only account (or
# an imagePullSecret on the workload) and restrict read access to this file.
username = "admin"
password = "Harbor12345"
#重启服务
[root@xianchaonode1 harbor.magedu.net]# systemctl daemon-reload
[root@xianchaonode1 harbor.magedu.net]# systemctl restart containerd
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl get pods
NAME READY STATUS RESTARTS AGE
s2i-buildid-run-00003-build-to-package-pod 0/1 Completed 0 3m6s
s2i-buildid-run-00003-deploy-to-cluster-pod 0/2 Completed 0 22s
s2i-buildid-run-00003-generate-build-id-pod 0/2 Completed 0 3m6s
s2i-buildid-run-00003-git-clone-pod 0/1 Completed 0 3m13s
s2i-buildid-run-00003-image-build-and-push-pod 0/1 Completed 0 2m48s
spring-boot-helloworld-68c4c44f46-47rj6 1/1 Running 0 16s
[root@xianchaomaster1 04-s2i-auto-deploy]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demoapp ExternalName <none> knative-local-gateway.istio-system.svc.cluster.local 80/TCP 13h
demoapp-00001 ClusterIP 10.107.153.199 <none> 80/TCP,443/TCP 13h
demoapp-00001-private ClusterIP 10.104.114.35 <none> 80/TCP,443/TCP,9090/TCP,9091/TCP,8022/TCP,8012/TCP 13h
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 21h
spring-boot-helloworld NodePort 10.100.26.239 <none> 80:31306/TCP 64m
[root@xianchaomaster1 04-s2i-auto-deploy]# curl 10.100.26.239
Hello Spring Boot 2.0!
![]()
![]()
![]()