first commit

master
dongming 2 years ago
commit 5a370bd0a0

@ -0,0 +1,343 @@
#!/bin/bash
set -o errexit
KIND_K8S_NAME="pipeline"
echo "Create K8s $KIND_K8S_NAME and Registry..."
echo '==============================================================================='
# create registry container unless it already exists
reg_name='kind-registry'
reg_port='5001'
if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
docker run \
-d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \
registry:2
fi
# create a cluster with the local registry enabled in containerd
cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: $KIND_K8S_NAME
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${reg_port}"]
endpoint = ["http://${reg_name}:5000"]
nodes:
- role: control-plane
image: kindest/node:v1.24.4
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 30022
hostPort: 22
protocol: TCP
- containerPort: 30080
hostPort: 80
protocol: TCP
EOF
# connect the registry to the cluster network if not already connected
if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
docker network connect "kind" "${reg_name}"
fi
# Document the local registry
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: local-registry-hosting
namespace: kube-public
data:
localRegistryHosting.v1: |
host: "localhost:${reg_port}"
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
EOF
echo "Create k8s done"
echo "Load image to K8s ${KIND_K8S_NAME} ..."
echo '==============================================================================='
dockerID=`docker ps|grep ${KIND_K8S_NAME}-control-plane|awk '{print $1}'`
images=(
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.40.2@sha256:dc7bc7d6607466b502d8dc22ba0598461d7477f608ab68aaff1ff4dedaa04f81
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.40.2@sha256:6b8aadbdcede63969ecb719e910b55b7681d87110fc0bf92ca4ee943042f620b
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.40.2@sha256:0129ea222522c861c0023d5fe4a078fa86fec11aa48faab71128b079434eb2d0
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2@sha256:28ff94e63e4058afc3f15b4c11c08cf3b54fa91faa646a4bbac90380cd7158df
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.40.2@sha256:9dfeaaa371733189ddb97d8f1a07895356cf34e1c3c4dc5d1eb67c2caaf7f1d2
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.40.2@sha256:9d12412d03a203d37f82040e0bb81c0a1d62a48b34dadabb587e007049306848
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.40.2@sha256:00f18439a37474910d29326afdada8c18af2fbb656c6ca16b7d1345bec94c7b1
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.40.2@sha256:e72aa3aff06960f007b9b59abb70fd14644f40a085e4a81bbdb058a95e272544
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.40.2@sha256:677ec1dd01ea891e9bb72d5dee252f6e9c13b7914b9c57f6e9ade2508828cacf
gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller:v0.21.0@sha256:c260835027b2d5bfccef8221eed5fb4571a2a4cb843c5bdea006163ee1f617bf
gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook:v0.21.0@sha256:bdaef43faede7bc05ded54387f2dee0a3a032710fe876cc17034e75b9faf758d
gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/interceptors:v0.21.0@sha256:6ec2a6df146507411dfc7b853efd97e43fa5dcbe7e8d9aeb810b704dde3069a1
gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f
gcr.io/tekton-releases/github.com/tektoncd/results/cmd/api:v0.3.0@sha256:ed956232dc782cb9bb16f7bf15459fd56db52ce0952b5e2be70ae5314d0ad8de
gcr.io/tekton-releases/github.com/tektoncd/results/cmd/watcher:v0.3.0@sha256:00b6df37bcee791a96691675a0f83db8ff04bfcf07993e07c61847766f015b44
distroless.dev/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791
)
for imageName in ${images[@]} ; do
#docker pull $imageName
perfix=`echo $imageName|awk -F':|@' '{print $1}'`
id=`docker images --no-trunc $perfix|sed 1d|awk '{print $3}'`
kind load --name ${KIND_K8S_NAME} docker-image $imageName
docker exec -it $dockerID ctr -n=k8s.io image tag $id $imageName
done
docker tag kindest/node:v1.24.4 localhost:5001/kindest/node:v1.24.4
docker push localhost:5001/kindest/node:v1.24.4
#docker pull docker.io/library/docker:18.05-dind
kind load --name ${KIND_K8S_NAME} docker-image docker.io/library/docker:18.05-dind
#docker pull docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
kind load --name ${KIND_K8S_NAME} docker-image docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
#docker pull docker.io/gitlab/gitlab-ce:latest
kind load --name ${KIND_K8S_NAME} docker-image docker.io/gitlab/gitlab-ce:latest
#docker pull docker.io/library/postgres:alpine
kind load --name ${KIND_K8S_NAME} docker-image docker.io/library/postgres:alpine
#docker pull docker.io/library/redis:latest
kind load --name ${KIND_K8S_NAME} docker-image docker.io/library/redis:latest
#docker pull docker.io/library/golang:1.18
kind load --name ${KIND_K8S_NAME} docker-image docker.io/library/golang:1.18
#docker pull docker.io/dyrnq/tektoncd-triggers-cmd-eventlistenersink:v0.21.0
kind load --name ${KIND_K8S_NAME} docker-image docker.io/dyrnq/tektoncd-triggers-cmd-eventlistenersink:v0.21.0
echo "Load images done"
echo "Install dependent softwares"
echo '==============================================================================='
echo "Install Tekton..."
echo '-------------------------------------------------------------------------------'
curl --connect-timeout 5 \
--max-time 10 \
--retry 5 \
--retry-delay 0 \
--retry-max-time 40 \
--silent \
https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.40.2/release.yaml | kubectl apply -f -
curl --connect-timeout 5 \
--max-time 10 \
--retry 5 \
--retry-delay 0 \
--retry-max-time 40 \
--silent \
https://storage.googleapis.com/tekton-releases/triggers/previous/v0.21.0/release.yaml|sed 's/gcr\.io\/tekton-releases\/github.com\/tektoncd\/triggers\/cmd\/eventlistenersink:v0.21.0@sha256:10605e3af3cf534e10734ea684c94520299c26b29b9dfb67669f7b01a70147dd/docker.io\/dyrnq\/tektoncd-triggers-cmd-eventlistenersink:v0.21.0/' | kubectl apply -f -
curl --connect-timeout 5 \
--max-time 10 \
--retry 5 \
--retry-delay 0 \
--retry-max-time 40 \
--silent \
https://storage.googleapis.com/tekton-releases/triggers/previous/v0.21.0/interceptors.yaml | kubectl apply -f -
kubectl patch configmap -ntekton-pipelines feature-flags -p '{"data":{"enable-api-fields":"alpha"}}'
echo "Install Tekton Done"
echo "Install Gitlab"
echo '==============================================================================='
echo "Install Postgres..."
echo '-------------------------------------------------------------------------------'
cat <<EOF | kubectl apply -f -
kind: Service
apiVersion: v1
metadata:
name: gitlab-db
spec:
selector:
pod: gitlab-db
ports:
- protocol: TCP
port: 5432
targetPort: 5432
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitlab-db-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-db
spec:
replicas: 1
selector:
matchLabels:
pod: gitlab-db
template:
metadata:
labels:
pod: gitlab-db
spec:
containers:
- name: gitlab-db
image: postgres:alpine
imagePullPolicy: IfNotPresent
env:
- name: POSTGRES_USER
value: gitlab
- name: POSTGRES_DB
value: gitlabhq_production
- name: POSTGRES_PASSWORD
value: gitlab
ports:
- containerPort: 5432
volumeMounts:
- name: gitlab-db-volume
mountPath: /var/lib/postgresql/data
subPath: gitlab
volumes:
- name: gitlab-db-volume
persistentVolumeClaim:
claimName: gitlab-db-pvc
EOF
echo "Install Redis..."
echo '-------------------------------------------------------------------------------'
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: gitlab-memcache
spec:
selector:
pod: gitlab-memcache
ports:
- protocol: TCP
port: 6379
targetPort: 6379
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-memcache
spec:
replicas: 1
selector:
matchLabels:
pod: gitlab-memcache
template:
metadata:
labels:
pod: gitlab-memcache
spec:
containers:
- name: gitlab-redis-master
image: redis
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: "0.2"
ports:
- containerPort: 6379
EOF
echo "Install Gitlab instanse..."
echo '-------------------------------------------------------------------------------'
cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Service
metadata:
name: gitlab
spec:
type: NodePort
selector:
pod: gitlab
ports:
- name: ssh
protocol: TCP
port: 22
targetPort: 22
nodePort: 30022
- name: http
protocol: TCP
port: 80
targetPort: 80
nodePort: 30080
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-pvc
labels:
pod: gitlab
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab
spec:
replicas: 1
selector:
matchLabels:
pod: gitlab
template:
metadata:
labels:
pod: gitlab
spec:
containers:
- name: gitlab
image: gitlab/gitlab-ce
imagePullPolicy: IfNotPresent
env:
- name: GITLAB_OMNIBUS_CONFIG
value: |
postgresql['enable'] = false
prometheus['monitor_kubernetes'] = false
gitlab_rails['db_username'] = "gitlab"
gitlab_rails['db_password'] = "gitlab"
gitlab_rails['db_host'] = "gitlab-db"
gitlab_rails['db_port'] = "5432"
gitlab_rails['db_database'] = "gitlabhq_production"
gitlab_rails['db_adapter'] = 'postgresql'
gitlab_rails['db_encoding'] = 'utf8'
redis['enable'] = false
gitlab_rails['redis_host'] = 'gitlab-memcache'
gitlab_rails['redis_port'] = '6379'
gitlab_rails['gitlab_shell_ssh_port'] = 22
gitlab_rails['initial_root_password'] = '12345678'
ports:
- containerPort: 80
- containerPort: 22
volumeMounts:
- name: gitlab
mountPath: /var/opt/gitlab
subPath: gitlab_data
- name: gitlab
mountPath: /etc/gitlab
subPath: gitlab_configuration
volumes:
- name: gitlab
persistentVolumeClaim:
claimName: gitlab-pvc
EOF
echo "Install Gitlab Done"
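Review bot: The `extraPortMappings` in the kind config publish host ports 22 and 80 without a `listenAddress`, which kind defaults to `0.0.0.0`, while the GitLab deployment further down is seeded with `gitlab_rails['initial_root_password'] = '12345678'` and a `gitlab`/`gitlab` database login. On a machine with a reachable network interface, that exposes a root login with a guessable password beyond the host. Add `listenAddress: "127.0.0.1"` to each mapping and read the passwords from the environment or a generated value instead of literals. The `#!/bin/sh` cluster script later in this commit maps 22, 80 and 443 the same way. Separately, the `sed` in the triggers install replaces a digest-pinned image with a tag-only image from a personal Docker Hub namespace, so the cluster runs whatever that tag resolved to when it was pulled; writing it as `name:tag@sha256:<digest>` would keep the guarantee the upstream manifest had.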

@ -0,0 +1,8 @@
#!/bin/bash
KIND_K8S_NAME="pipeline"
registryID=`docker ps | grep 'kind-registry'|awk '{print $1}'`
kind delete cluster --name ${KIND_K8S_NAME}
docker kill $registryID
docker rm $registryID
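Review bot: `registryID` comes from `docker ps | grep 'kind-registry'`, which matches by substring and returns nothing when the registry is not running, so `docker kill $registryID` and `docker rm $registryID` can run with no argument or with several container ids. The setup script gives the container the fixed name `kind-registry`, so the lookup can be replaced by `docker rm -f kind-registry`. This script also has no `set -o errexit`, unlike the other two scripts in this commit, and `${KIND_K8S_NAME}` is expanded unquoted.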

@ -0,0 +1,60 @@
#!/bin/sh
set -o errexit
# create registry container unless it already exists
reg_name='kind-registry'
reg_port='5001'
if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
docker run \
-d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \
registry:2
fi
# create a cluster with the local registry enabled in containerd
cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: pipeline
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${reg_port}"]
endpoint = ["http://${reg_name}:5000"]
nodes:
- role: control-plane
image: kindest/node:v1.24.4
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 22
hostPort: 22
protocol: TCP
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
EOF
# connect the registry to the cluster network if not already connected
if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
docker network connect "kind" "${reg_name}"
fi
# Document the local registry
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: local-registry-hosting
namespace: kube-public
data:
localRegistryHosting.v1: |
host: "localhost:${reg_port}"
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
EOF

@ -0,0 +1,10 @@
FROM golang:1.18-alpine
WORKDIR /kind
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
RUN apk add --no-cache \
bash curl docker make
# Install kubectl and make sure it's available in the PATH.
ADD kubectl /bin/kubectl
ADD kind /bin/kind
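Review bot: `ADD kubectl /bin/kubectl` and `ADD kind /bin/kind` copy two binaries that appear to be the ones committed with this change (listed as "Binary file not shown."), with nothing recording which release they are or what their checksums should be. Anyone rebuilding the image has to trust the blobs as committed. A comment naming the version and expected SHA-256 of each, or a build step that downloads and verifies them, would make that auditable. For plain local files `COPY` is the conventional instruction, since `ADD` also unpacks archives and fetches URLs.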

@ -0,0 +1,11 @@
FROM golang:1.18-alpine
WORKDIR /kind
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
RUN apk add --no-cache \
bash curl docker make
# Install kubectl and make sure it's available in the PATH.
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && chmod +x ./kubectl && mv ./kubectl /bin
RUN curl -Lo ./kind "https://kind.sigs.k8s.io/dl/v0.16.0/kind-$(uname)-amd64" && chmod +x ./kind && mv ./kind /bin
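Review bot: Both `curl` downloads install executables without `-f` and without any integrity check, and the kubectl version is whatever `stable.txt` returns at build time. An HTTP error body would be saved and marked executable, and two builds of the same Dockerfile can contain different kubectl releases. Pin the version in an `ARG`, use `curl -fsSLO`, and compare each file against its published SHA-256 before the `chmod`, for example `echo "<expected-sha256>  kubectl" | sha256sum -c -`. The kind URL hard-codes `amd64` while taking the OS from `uname`, so the image is only correct on x86-64 builders.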

Binary file not shown.

Binary file not shown.

@ -0,0 +1,230 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: msbdeployment-pipeline
spec:
description: |
Run all tasks
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: branch-name
type: string
description: The git branch to clone.
- name: version
type: string
description: version
- name: image
type: string
description: build image
- name: app-name
type: string
description: Argocd Application name
- name: deploy-repo-url
type: string
description: Argocd repo url
- name: deploy-branch-name
type: string
description: Argocd branch name
workspaces:
- name: shared-data
description: |
save code
tasks:
- name: fetch-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.branch-name)
- name: pre-do
retries: 5
runAfter:
- fetch-repo
workspaces:
- name: source
workspace: shared-data
taskRef:
name: pre-do
params:
- name: version
value: $(params.version)
- name: kaniko
retries: 5
taskRef:
name: kaniko
runAfter:
- pre-do
workspaces:
- name: source
workspace: shared-data
params:
- name: IMAGE
value: $(params.image):$(params.version)
- name: EXTRA_ARGS
value:
- --skip-tls-verify
- --insecure
- --skip-tls-verify-pull
- --insecure-pull
- name: verify-digest
runAfter:
- kaniko
params:
- name: digest
value: $(tasks.kaniko.results.IMAGE_DIGEST)
taskSpec:
params:
- name: digest
steps:
- name: bash
image: ubuntu
script: |
echo $(params.digest)
case .$(params.digest) in
".sha"*) exit 0 ;;
*) echo "Digest value is not correct" && exit 1 ;;
esac
- name: verify-url
runAfter:
- kaniko
params:
- name: url
value: $(tasks.kaniko.results.IMAGE_URL)
taskSpec:
params:
- name: url
steps:
- name: bash
image: ubuntu
script: |
echo $(params.url)
case .$(params.url) in
*"/deployment/msbdeployment:"*) exit 0 ;;
*) echo "URL value is not correct" && exit 1 ;;
esac
- name: kind
retries: 5
taskRef:
name: kind
params:
- name: command
value:
- sh
- -c
- "docker network create --driver=bridge --subnet=172.19.0.0/16 --gateway=172.19.0.1 kind && \
cd $(workspaces.source.path)/test/e2e && \
export CGO_ENABLED=0 && \
export GOPROXY=https://goproxy.cn && \
export IMG=$(tasks.kaniko.results.IMAGE_URL) && \
go test -tags=e2e -config config.yaml -startup-timeout 7200 -test.timeout=120m"
- name: image
value: docker.io/library/docker-kind:v0.0.1
workspaces:
- name: source
workspace: shared-data
runAfter:
- verify-digest
- verify-url
- name: fetch-deploy-repo
runAfter:
- kind
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.deploy-repo-url)
- name: revision
value: $(params.deploy-branch-name)
- name: commit-deploy-image
runAfter:
- fetch-deploy-repo
params:
- name: image-name
#value: $(params.image)
value: localhost:5001/deployment/msbdeployment
- name: image-tag
value: $(params.version)
- name: git-branch
value: $(params.deploy-branch-name)
workspaces:
- name: source
workspace: shared-data
taskSpec:
params:
- name: image-name
- name: image-tag
- name: git-branch
workspaces:
- name: source
steps:
- image: alpine/git:v2.36.2
script: |
#!/usr/bin/env sh
cd $(workspaces.source.path)
git config --global --add safe.directory $(workspaces.source.path)
git checkout -b $(params.git-branch)
sed -i "s#newName: .*#newName: $(params.image-name)#" manager/kustomization.yaml
sed -i "s#newTag: .*#newTag: $(params.image-tag)#" manager/kustomization.yaml
git config --global user.email "tekton-rebot@mashibing.com"
git config --global user.name "tekton rebot"
git add manager/kustomization.yaml
git commit -m "update image to $(params.image-name):$(params.image-tag)"
git push origin $(params.git-branch)
- name: sync-application
runAfter:
- commit-deploy-image
taskRef:
name: argocd-task-sync-and-wait
params:
- name: application-name
value: $(params.app-name)
- name: flags
value: --insecure
- name: argocd-version
value: latest
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: msbdeployment-pipeline
spec:
serviceAccountName: build-bot
pipelineRef:
name: msbdeployment-pipeline
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: git@host.docker.internal:root/mashibing-deployment.git
- name: branch-name
value: master
- name: version
value: "v0.0.2"
- name: image
value: kind-registry:5000/deployment/msbdeployment
- name: app-name
value: msb-app
- name: deploy-repo-url
value: git@host.docker.internal:root/mashibing-deployment-deploy.git
- name: deploy-branch-name
value: master
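Review bot: The inline `script` blocks substitute `$(params.…)` and `$(tasks.kaniko.results.…)` straight into shell source, most visibly in `commit-deploy-image` (`git checkout -b $(params.git-branch)`, the two `sed -i` lines and the `git commit -m`). Tekton performs that substitution as text before the shell starts, so a branch name, tag or image name containing shell metacharacters is interpreted as script rather than data. Passing the values through `env` and expanding them quoted avoids that. The same applies to `verify-digest`, `verify-url` and the `kind` task's `sh -c` string here, and to the copies of these steps in the `deploy` and `fetch-code-kaniko` pipelines later in this commit. The rewritten step is below, with indentation reconstructed because the page has lost it.

```yaml
# … unchanged: task params, workspaces …
steps:
  - image: alpine/git:v2.36.2
    env:
      - name: IMAGE_NAME
        value: $(params.image-name)
      - name: IMAGE_TAG
        value: $(params.image-tag)
      - name: GIT_BRANCH
        value: $(params.git-branch)
    script: |
      #!/usr/bin/env sh
      # … unchanged: cd into the workspace, safe.directory …
      git checkout -b "$GIT_BRANCH"
      sed -i "s#newName: .*#newName: ${IMAGE_NAME}#" manager/kustomization.yaml
      sed -i "s#newTag: .*#newTag: ${IMAGE_TAG}#" manager/kustomization.yaml
      # … unchanged: git user.email / user.name, git add …
      git commit -m "update image to ${IMAGE_NAME}:${IMAGE_TAG}"
      git push origin "$GIT_BRANCH"
```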

@ -0,0 +1,33 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: msb-app
# You'll usually want to add your resources to the argocd namespace.
namespace: argocd
# Add this finalizer ONLY if you want these to cascade delete.
finalizers:
- resources-finalizer.argocd.argoproj.io
# Add labels to your application object.
labels:
name: msb-app
spec:
# The project the application belongs to.
project: default
# Source of the application manifests
source:
repoURL: http://host.docker.internal/root/mashibing-deployment-deploy.git
targetRevision: HEAD # For Helm, this refers to the chart version.
path: default
# kustomize specific config
kustomize:
images:
- controller=localhost:5001/deployment/msbdeployment:v0.0.1
# Destination cluster and namespace to deploy the application
destination:
server: https://kubernetes.default.svc
# The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
namespace: argocd
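Review bot: `project: default` places this Application in Argo CD's built-in default project, so the `sourceRepos` and `destinations` limits declared for `msb-project` elsewhere in this commit do not apply to it. If that AppProject is meant to govern the app, the line should read `project: msb-project`. The source is also fetched over plain `http://` at `targetRevision: HEAD`, so what gets deployed is neither transport-protected nor pinned to a reviewed revision. `destination.namespace: argocd` puts the workload in the same namespace as the Argo CD control plane, where a separate application namespace would keep the two apart.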

@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-env-configmap
data:
ARGOCD_SERVER: argocd-server.argocd.svc.cluster.local
---
apiVersion: v1
kind: Secret
metadata:
name: argocd-env-secret
stringData:
ARGOCD_USERNAME: admin
ARGOCD_PASSWORD: "12345678"
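Review bot: `argocd-env-secret` commits the Argo CD `admin` password in `stringData`, and the value matches the GitLab root password set in the setup script, so anyone who can read this repository holds both. The sync task only needs to sync one application, so a dedicated Argo CD account limited to that application and supplied as `ARGOCD_AUTH_TOKEN` would avoid handing the pipeline full admin rights. Creating the Secret out of band (for example `kubectl create secret generic argocd-env-secret --from-literal=…` at install time) keeps the value out of version control. Neither object sets a `namespace`, so they land in whichever namespace is current when applied.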

@ -0,0 +1,62 @@
apiVersion: v1
kind: Secret
metadata:
name: private-repo-http
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
type: git
url: http://host.docker.internal/root/mashibing-deployment.git
password: "12345678"
username: root
---
apiVersion: v1
kind: Secret
metadata:
name: private-repo-ssh
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
type: git
url: git@host.docker.internal:root/mashibing-deployment.git
sshPrivateKey: |
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA1G7IaI7zsgjgitLWmDMsSkNUy56EkGUsl6uYQKMqrbPcq/2eKfvD
dx90CM49ESAe4oYYwRy4MqyCUvfQP4B4nwQBLYhybyJ6dD7nHgSfu4dDzGTlujiTwJ7Vax
mENgnZM8hF15eY0XvcYcCsbv+7Ws86ftPS4QouZoRI0Ku2s8lvin7ZYYnvoACECEN5cIma
7fAtirsuvgCtYmhEP7BK1ZzBwNdAsnkjaHTHZIYWFhHI7CExzlQNQHo5vf06wyIml7c2Oz
Uv3H98wO2NRK4kNMfMrKMLWtPnDpxD6nqTO1tMUqhUzA/Aeyp0t4nxZNCnZ08MfnXTrONe
pyfBG+HcGqpnbZwsE3EVFZ1u3QfXrUnndfjcyZVrSvIFHkMc/On9hkH8lbtdHenAd/HtL/
R1qboOLOXCva6DrgciRqqlfj1orw7C+9rV6L83uHTdURLJnZNfyMd1QbWcKzUTdpYLzo4n
+t5aHuypLlGGCYIMWFrCu/elxgBrrZmmKvkcQEUfAAAFkPmBO4f5gTuHAAAAB3NzaC1yc2
EAAAGBANRuyGiO87II4IrS1pgzLEpDVMuehJBlLJermECjKq2z3Kv9nin7w3cfdAjOPREg
HuKGGMEcuDKsglL30D+AeJ8EAS2Icm8ienQ+5x4En7uHQ8xk5bo4k8Ce1WsZhDYJ2TPIRd
eXmNF73GHArG7/u1rPOn7T0uEKLmaESNCrtrPJb4p+2WGJ76AAhAhDeXCJmu3wLYq7Lr4A
rWJoRD+wStWcwcDXQLJ5I2h0x2SGFhYRyOwhMc5UDUB6Ob39OsMiJpe3Njs1L9x/fMDtjU
SuJDTHzKyjC1rT5w6cQ+p6kztbTFKoVMwPwHsqdLeJ8WTQp2dPDH5106zjXqcnwRvh3Bqq
Z22cLBNxFRWdbt0H161J53X43MmVa0ryBR5DHPzp/YZB/JW7XR3pwHfx7S/0dam6Dizlwr
2ug64HIkaqpX49aK8Owvva1ei/N7h03VESyZ2TX8jHdUG1nCs1E3aWC86OJ/reWh7sqS5R
hgmCDFhawrv3pcYAa62Zpir5HEBFHwAAAAMBAAEAAAGAUG17Ed8hk8O5o8WseqZRO/KfDZ
KAFR1BE1FjzQEZvPcucq2Mbs/DkvvFFjpjM3MqTlA/2glSEdlvZBMv9ILi6C1/dqpEzR/M
JevU2/AbO8g8GowO0ADwq8pW+fwIqt7yraDDFJtwP8u5xgbJIiNPX1O7DV6MZihRJf4qhV
qlyw7WXKSnD79GCpl3Y5uMRFfM4Q4AaBhzW3ttKadZQ5Wu145Iawb0Fz428irYfQ4pGYT1
QbVVooz/EWzVJMHVuCBatDVstUtcAoAuC+R+83r/C4vo1OOoQ+hhuFffZ2LQxq18N36i2l
41JJb7DtvxhmDUSoNupH3THbLBynfOzRgtXVWxApn+QENrv0pWb07S23cy8iCE/ZJi0WW6
1JpSGA9e2GaxOe/ulCcPZr7V6Jy1urUjQyqC/t7m8rAh2WGDmseemaArOYLt53rxwigKaS
iuy2gvGTxTOkOg4vhzf859y414Gv3J7OfvMmkYT6N4lNdAcebKAYOQaimCLjBgBmyBAAAA
wQDAFwgzyM/qYA79o/gsAuuc4/8RXn4lNzAmuHH3uVuLSk5+sYt4yT/DRNoGJNs3o/U7a/
mM/zaQlS3rUX4qmwA44b8X/LN5yf01kJcZ/p1qKOR63URpp2gfgaz1IyPYmHCg+0QkxvuS
Mrjv/KKbI1DMCN/dHI+ZLN5mv5zPelxhHUii678ky51kj+yA2wtjhoyoSoP8avvtgcPfW9
+ExSgvcBPhDacPQ5/BmMDK1JnEBDuuyl73Eu6mquJoxYi1vncAAADBANoJLzg7JmF5VYDD
De4wPj8CB82sRvXbSVxCr/jY3dIMTVi0v+8sTy7H8mo4Vruj6nlfHt4qB2SexphQqyR5ie
FoaK/2ZRmHyOV5qpRRo/99lTqTgugv77/vipjamptgQ7Sj6a0YkQ+txEfMnRREAAoy7A4B
dyiUTT3SiyEub32aj7PXXlCk3S3PIjRuscAuujC/iHvv/W4Jw9CxXzFuEY6hUPDAOONB1k
0KlvXYiRBENlQXSqgo+0BDdViwbe1snwAAAMEA+WvXndG6ovc/12R/iLzr9t3cgpkC9APU
ZajtI96xaIWSJMkd4f1hXtS8gQeKwijolCiB02dQNdzwxlloMmxTIvoRrjUjho+s8on2lb
0WRstCatHyCk0KtuDx29x1itF1WuPMIqTNvIjimQpE/I9/QAgUiOJyXzCiWh12sBR5mVNs
9gIsLeTzOL/g99/4KajK5BdreAlCl+jJ0LuRZQ1sucqUWoG0Jos8bFjiQ+8sapYBpU8OpW
vpg8MmJrXgvdeBAAAAFGRvbmdtaW5nQGRvbmdtaW5nLXBjAQIDBAUG
-----END OPENSSH PRIVATE KEY-----
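Review bot: The `private-repo-ssh` Secret contains a complete OpenSSH private key in `sshPrivateKey`, and `private-repo-http` carries the `root` password in clear text; once pushed, both are readable by anyone who can read the repository or its history. The key should be treated as disclosed: revoke it on the Git server, generate a replacement, and create these Secrets outside version control, or store them encrypted with a tool such as Sealed Secrets or SOPS. Removing the file in a later commit does not remove the key from history. For Argo CD's pull access, a read-only deploy key scoped to the one repository would be a better fit than a user account's key or the `root` login.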

@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: msb-project
namespace: argocd
# Finalizer that ensures that project is not deleted until it is not referenced by any application
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
# Project description
description: Mashibing project
# Allow manifests to deploy from any Git repos
sourceRepos:
- "http://host.docker.internal*"
- "https://host.docker.internal*"
- "git@host.docker.internal*"
# Only permit applications to deploy to the guestbook namespace in the same cluster
destinations:
- namespace: argocd
server: https://kubernetes.default.svc
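Review bot: The `sourceRepos` patterns end in `*` immediately after the hostname, so `http://host.docker.internal*` also matches any longer hostname that starts with that string (a constructed example: `http://host.docker.internal.example.org/x.git`). Anchoring the patterns at the separator closes that: `http://host.docker.internal/*`, `https://host.docker.internal/*` and `git@host.docker.internal:*`. The two comments look left over from the upstream example and contradict the spec: repos are restricted to one host rather than "any Git repos", and the destination is the `argocd` namespace, not `guestbook`.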

@ -0,0 +1,79 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: cat-branch-readme
spec:
description: |
cat-branch-readme takes a git repository and a branch name and
prints the README.md file from that branch. This is an example
Pipeline demonstrating the following:
- Using the git-clone catalog Task to clone a branch
- Passing a cloned repo to subsequent Tasks using a Workspace.
- Ordering Tasks in a Pipeline using "runAfter" so that
git-clone completes before we try to read from the Workspace.
- Using a volumeClaimTemplate Volume as a Workspace.
- Avoiding hard-coded paths by using a Workspace's path
variable instead.
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: branch-name
type: string
description: The git branch to clone.
workspaces:
- name: shared-data
description: |
This workspace will receive the cloned git repo and be passed
to the next Task for the repo's README.md file to be read.
tasks:
- name: fetch-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.branch-name)
- name: cat-readme
runAfter: ["fetch-repo"] # Wait until the clone is done before reading the readme.
workspaces:
- name: source
workspace: shared-data
taskSpec:
workspaces:
- name: source
steps:
- image: zshusers/zsh:4.3.15
script: |
#!/usr/bin/env zsh
cat $(workspaces.source.path)/README.md
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: git-clone-checking-out-a-branch
spec:
serviceAccountName: build-bot
pipelineRef:
name: cat-branch-readme
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: git@host.docker.internal:root/mashibing-deployment.git
- name: branch-name
value: master

@ -0,0 +1,127 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: deploy
spec:
description: |
cat-branch-readme takes a git repository and a branch name and
prints the README.md file from that branch. This is an example
Pipeline demonstrating the following:
- Using the git-clone catalog Task to clone a branch
- Passing a cloned repo to subsequent Tasks using a Workspace.
- Ordering Tasks in a Pipeline using "runAfter" so that
git-clone completes before we try to read from the Workspace.
- Using a volumeClaimTemplate Volume as a Workspace.
- Avoiding hard-coded paths by using a Workspace's path
variable instead.
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: branch-name
type: string
description: The git branch to clone.
- name: app-name
type: string
description: The app name.
- name: image-name
type: string
description: The image
- name: image-tag
type: string
description: The image tag
workspaces:
- name: shared-data
description: |
This workspace will receive the cloned git repo and be passed
to the next Task for the repo's README.md file to be read.
tasks:
- name: fetch-deploy-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.branch-name)
- name: commit-deploy-image
runAfter:
- fetch-deploy-repo
params:
- name: image-name
value: $(params.image-name)
- name: image-tag
value: $(params.image-tag)
- name: git-branch
value: $(params.branch-name)
workspaces:
- name: source
workspace: shared-data
taskSpec:
params:
- name: image-name
- name: image-tag
- name: git-branch
workspaces:
- name: source
steps:
- image: alpine/git:v2.36.2
script: |
#!/usr/bin/env sh
cd $(workspaces.source.path)
git config --global --add safe.directory $(workspaces.source.path)
git checkout -b $(params.git-branch)
sed -i "s#newName: .*#newName: $(params.image-name)#" manager/kustomization.yaml
sed -i "s#newTag: .*#newTag: $(params.image-tag)#" manager/kustomization.yaml
git config --global user.email "tekton-rebot@mashibing.com"
git config --global user.name "tekton rebot"
git add manager/kustomization.yaml
git commit -m "update image to $(params.image-name):$(params.image-tag)"
git push origin master
- name: sync-application
runAfter:
- commit-deploy-image
taskRef:
name: argocd-task-sync-and-wait
params:
- name: application-name
value: $(params.app-name)
- name: flags
value: --insecure
- name: argocd-version
value: latest
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: deploy
spec:
serviceAccountName: build-bot
pipelineRef:
name: deploy
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: git@host.docker.internal:root/mashibing-deployment-deploy.git
- name: branch-name
value: master
- name: app-name
value: msb-app
- name: image-name
value: kind-registry:5000/deployment/msbdeployment
- name: image-tag
value: v0.0.2
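Review bot: In `commit-deploy-image` the script creates a branch from the `git-branch` param with `git checkout -b` but then runs `git push origin master`, so a run with `branch-name` other than `master` would push the wrong ref or fail; the `msbdeployment-pipeline` copy of this step pushes the param instead. The push target should be that same branch param. The Pipeline `description` and the `shared-data` workspace description are copied from `cat-branch-readme` and describe printing a README rather than updating `manager/kustomization.yaml` and syncing Argo CD. `argocd-version: latest` together with `flags: --insecure` presumably means an unpinned CLI image talking to the server without certificate verification; pinning the version and trusting the server's CA would be preferable outside a throwaway cluster.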

@ -0,0 +1,119 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: fetch-code-kaniko
spec:
description: |
fetch code and check vet .etc...
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: branch-name
type: string
description: The git branch to clone.
- name: version
type: string
description: version
- name: image
type: string
description: build image
workspaces:
- name: shared-data
description: |
save code
tasks:
- name: fetch-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.branch-name)
- name: kaniko
taskRef:
name: kaniko
runAfter:
- fetch-repo
workspaces:
- name: source
workspace: shared-data
params:
- name: IMAGE
value: $(params.image)
- name: EXTRA_ARGS
value:
- --skip-tls-verify
- --insecure
- --skip-tls-verify-pull
- --insecure-pull
- name: verify-digest
runAfter:
- kaniko
params:
- name: digest
value: $(tasks.kaniko.results.IMAGE_DIGEST)
taskSpec:
params:
- name: digest
steps:
- name: bash
image: ubuntu
script: |
echo $(params.digest)
case .$(params.digest) in
".sha"*) exit 0 ;;
*) echo "Digest value is not correct" && exit 1 ;;
esac
- name: verify-url
runAfter:
- kaniko
params:
- name: url
value: $(tasks.kaniko.results.IMAGE_URL)
taskSpec:
params:
- name: url
steps:
- name: bash
image: ubuntu
script: |
echo $(params.url)
case .$(params.url) in
*"/kaniko-nocode") exit 0 ;;
*) echo "URL value is not correct" && exit 1 ;;
esac
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: fetch-code-kaniko
spec:
serviceAccountName: build-bot
pipelineRef:
name: fetch-code-kaniko
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: git@host.docker.internal:root/mashibing-deployment.git
- name: branch-name
value: master
- name: version
value: "v0.0.1"
- name: image
value: kind-registry:5000/msbdeployment-controller
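Review bot: The kaniko `EXTRA_ARGS` pass `--insecure`, `--skip-tls-verify`, `--insecure-pull` and `--skip-tls-verify-pull`, which turn off TLS and certificate checks for every registry the build touches, including the ones base images are pulled from. Only `kind-registry:5000` is plain HTTP here, so the exemption can be scoped with `--insecure-registry=kind-registry:5000` and the four global flags dropped. The `kaniko` task in `msbdeployment-pipeline` carries the same list. `verify-digest` only checks that the result starts with `sha`, which confirms that a digest was emitted but not that it matches an expected value.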

@ -0,0 +1,72 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: fetch-code-pre-do
spec:
description: |
fetch code and check vet .etc...
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: branch-name
type: string
description: The git branch to clone.
- name: version
type: string
description: version
workspaces:
- name: shared-data
description: |
save code
tasks:
- name: fetch-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.branch-name)
- name: pre-do
runAfter: ["fetch-repo"] # Wait until the clone is done before reading the readme.
workspaces:
- name: source
workspace: shared-data
taskRef:
name: pre-do
params:
- name: version
value: $(params.version)
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: fetch-code-pre-do
spec:
serviceAccountName: build-bot
pipelineRef:
name: fetch-code-pre-do
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: git@host.docker.internal:root/mashibing-deployment.git
- name: branch-name
value: master
- name: version
value: "v0.0.1"

@ -0,0 +1,238 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: git-clone
labels:
app.kubernetes.io/version: "0.9"
annotations:
tekton.dev/pipelines.minVersion: "0.38.0"
tekton.dev/categories: Git
tekton.dev/tags: git
tekton.dev/displayName: "git clone"
tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
spec:
description: >-
These Tasks are Git tasks to work with repositories used by other tasks
in your Pipeline.
The git-clone Task will clone a repo from the provided url into the
output Workspace. By default the repo will be cloned into the root of
your Workspace. You can clone into a subdirectory by setting this Task's
subdirectory param. This Task also supports sparse checkouts. To perform
a sparse checkout, pass a list of comma separated directory patterns to
this Task's sparseCheckoutDirectories param.
workspaces:
- name: output
description: The git repo will be cloned onto the volume backing this Workspace.
- name: ssh-directory
optional: true
description: |
A .ssh directory with private key, known_hosts, config, etc. Copied to
the user's home before git commands are executed. Used to authenticate
with the git remote when performing the clone. Binding a Secret to this
Workspace is strongly recommended over other volume types.
- name: basic-auth
optional: true
description: |
A Workspace containing a .gitconfig and .git-credentials file. These
will be copied to the user's home before any git commands are run. Any
other files in this Workspace are ignored. It is strongly recommended
to use ssh-directory over basic-auth whenever possible and to bind a
Secret to this Workspace over other volume types.
- name: ssl-ca-directory
optional: true
description: |
A workspace containing CA certificates, this will be used by Git to
verify the peer with when fetching or pushing over HTTPS.
params:
- name: url
description: Repository URL to clone from.
type: string
- name: revision
description: Revision to checkout. (branch, tag, sha, ref, etc...)
type: string
default: ""
- name: refspec
description: Refspec to fetch before checking out revision.
default: ""
- name: submodules
description: Initialize and fetch git submodules.
type: string
default: "true"
- name: depth
description: Perform a shallow clone, fetching only the most recent N commits.
type: string
default: "1"
- name: sslVerify
description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.
type: string
default: "true"
- name: crtFileName
description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt.
type: string
default: "ca-bundle.crt"
- name: subdirectory
description: Subdirectory inside the `output` Workspace to clone the repo into.
type: string
default: ""
- name: sparseCheckoutDirectories
description: Define the directory patterns to match or exclude when performing a sparse checkout.
type: string
default: ""
- name: deleteExisting
description: Clean out the contents of the destination directory if it already exists before cloning.
type: string
default: "true"
- name: httpProxy
description: HTTP proxy server for non-SSL requests.
type: string
default: ""
- name: httpsProxy
description: HTTPS proxy server for SSL requests.
type: string
default: ""
- name: noProxy
description: Opt out of proxying HTTP/HTTPS requests.
type: string
default: ""
- name: verbose
description: Log the commands that are executed during `git-clone`'s operation.
type: string
default: "true"
- name: gitInitImage
description: The image providing the git-init binary that this Task runs.
type: string
default: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2"
- name: userHome
description: |
Absolute path to the user's home directory.
type: string
default: "/home/git"
results:
- name: commit
description: The precise commit SHA that was fetched by this Task.
- name: url
description: The precise URL that was fetched by this Task.
steps:
- name: clone
image: "$(params.gitInitImage)"
env:
- name: HOME
value: "$(params.userHome)"
- name: PARAM_URL
value: $(params.url)
- name: PARAM_REVISION
value: $(params.revision)
- name: PARAM_REFSPEC
value: $(params.refspec)
- name: PARAM_SUBMODULES
value: $(params.submodules)
- name: PARAM_DEPTH
value: $(params.depth)
- name: PARAM_SSL_VERIFY
value: $(params.sslVerify)
- name: PARAM_CRT_FILENAME
value: $(params.crtFileName)
- name: PARAM_SUBDIRECTORY
value: $(params.subdirectory)
- name: PARAM_DELETE_EXISTING
value: $(params.deleteExisting)
- name: PARAM_HTTP_PROXY
value: $(params.httpProxy)
- name: PARAM_HTTPS_PROXY
value: $(params.httpsProxy)
- name: PARAM_NO_PROXY
value: $(params.noProxy)
- name: PARAM_VERBOSE
value: $(params.verbose)
- name: PARAM_SPARSE_CHECKOUT_DIRECTORIES
value: $(params.sparseCheckoutDirectories)
- name: PARAM_USER_HOME
value: $(params.userHome)
- name: WORKSPACE_OUTPUT_PATH
value: $(workspaces.output.path)
- name: WORKSPACE_SSH_DIRECTORY_BOUND
value: $(workspaces.ssh-directory.bound)
- name: WORKSPACE_SSH_DIRECTORY_PATH
value: $(workspaces.ssh-directory.path)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
value: $(workspaces.basic-auth.bound)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
value: $(workspaces.basic-auth.path)
- name: WORKSPACE_SSL_CA_DIRECTORY_BOUND
value: $(workspaces.ssl-ca-directory.bound)
- name: WORKSPACE_SSL_CA_DIRECTORY_PATH
value: $(workspaces.ssl-ca-directory.path)
securityContext:
runAsNonRoot: true
runAsUser: 65532
script: |
#!/usr/bin/env sh
set -eu
if [ "${PARAM_VERBOSE}" = "true" ] ; then
set -x
fi
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
chmod 400 "${PARAM_USER_HOME}/.git-credentials"
chmod 400 "${PARAM_USER_HOME}/.gitconfig"
fi
if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
chmod 700 "${PARAM_USER_HOME}"/.ssh
chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
fi
if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then
export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}"
if [ "${PARAM_CRT_FILENAME}" != "" ] ; then
export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}"
fi
fi
CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
cleandir() {
# Delete any existing contents of the repo directory if it exists.
#
# We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
# or the root of a mounted volume.
if [ -d "${CHECKOUT_DIR}" ] ; then
# Delete non-hidden files and directories
rm -rf "${CHECKOUT_DIR:?}"/*
# Delete files and directories starting with . but excluding ..
rm -rf "${CHECKOUT_DIR}"/.[!.]*
# Delete files and directories starting with .. plus any other character
rm -rf "${CHECKOUT_DIR}"/..?*
fi
}
if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
cleandir
fi
test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}"
test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}"
git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}"
/ko-app/git-init \
-url="${PARAM_URL}" \
-revision="${PARAM_REVISION}" \
-refspec="${PARAM_REFSPEC}" \
-path="${CHECKOUT_DIR}" \
-sslVerify="${PARAM_SSL_VERIFY}" \
-submodules="${PARAM_SUBMODULES}" \
-depth="${PARAM_DEPTH}" \
-sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}"
cd "${CHECKOUT_DIR}"
RESULT_SHA="$(git rev-parse HEAD)"
EXIT_CODE="$?"
if [ "${EXIT_CODE}" != 0 ] ; then
exit "${EXIT_CODE}"
fi
printf "%s" "${RESULT_SHA}" > "$(results.commit.path)"
printf "%s" "${PARAM_URL}" > "$(results.url.path)"
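Review bot: The `verbose` param defaults to `"true"`, so the `clone` step always runs under `set -x` and every expanded command is written to the TaskRun log. That includes the `export HTTP_PROXY=…` / `export HTTPS_PROXY=…` lines and the `-url=` argument to git-init, any of which can carry embedded credentials. I would ship `default: "false"` for `verbose` and let a run opt in while debugging. A smaller point: the `EXIT_CODE="$?"` check after `RESULT_SHA="$(git rev-parse HEAD)"` cannot fire, because under `set -eu` a failing substitution already ends the script.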

@ -0,0 +1,65 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: kaniko
labels:
app.kubernetes.io/version: "0.6"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
tekton.dev/tags: image-build
tekton.dev/displayName: "Build and upload container image using Kaniko"
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le"
spec:
description: >-
This Task builds a simple Dockerfile with kaniko and pushes to a registry.
This Task stores the image name and digest as results, allowing Tekton Chains to pick up
that an image was built & sign it.
params:
- name: IMAGE
description: Name (reference) of the image to build.
- name: DOCKERFILE
description: Path to the Dockerfile to build.
default: ./Dockerfile
- name: CONTEXT
description: The build context used by Kaniko.
default: ./
- name: EXTRA_ARGS
type: array
default: []
- name: BUILDER_IMAGE
description: The image on which builds will run (default is v1.5.1)
default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
workspaces:
- name: source
description: Holds the context and Dockerfile
- name: dockerconfig
description: Includes a docker `config.json`
optional: true
mountPath: /kaniko/.docker
results:
- name: IMAGE_DIGEST
description: Digest of the image just built.
- name: IMAGE_URL
description: URL of the image just built.
steps:
- name: build-and-push
workingDir: $(workspaces.source.path)
image: $(params.BUILDER_IMAGE)
args:
- $(params.EXTRA_ARGS)
- --dockerfile=$(params.DOCKERFILE)
- --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source.
- --destination=$(params.IMAGE)
- --digest-file=$(results.IMAGE_DIGEST.path)
# kaniko assumes it is running as root, which means this example fails on platforms
# that default to run containers as random uid (like OpenShift). Adding this securityContext
# makes it explicit that it needs to run as root.
securityContext:
runAsUser: 0
- name: write-url
image: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
script: |
set -e
image="$(params.IMAGE)"
echo -n "${image}" | tee "$(results.IMAGE_URL.path)"
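Review bot: In the `write-url` step, `image="$(params.IMAGE)"` is substituted by Tekton into the script text before the shell runs, so a value containing a double quote, a backtick or a `$(…)` sequence is parsed as shell rather than treated as data. The git-clone Task in this same commit already passes its params through `env`, and the same pattern fits here: add `env: [{name: PARAM_IMAGE, value: "$(params.IMAGE)"}]` to the step and write the result with `printf '%s' "${PARAM_IMAGE}" | tee "$(results.IMAGE_URL.path)"`. Using `printf` also avoids `echo -n` mis-handling a value that starts with a dash.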

@ -0,0 +1,81 @@
# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: kind
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/categories: Kubernetes
tekton.dev/displayName: "kind"
tekton.dev/tags: "kind"
tekton.dev/platforms: "linux/amd64"
spec:
description: >-
Sets up and executes commands in KinD (Kubernetes in Docker) environment.
See https://kind.sigs.k8s.io for more details.
params:
- name: command
type: array
description: command to run inside kind environment.
- name: image
type: string
description: Task runtime image. Should typically contain the kind CLI (https://kind.sigs.k8s.io)
workspaces:
- name: source
steps:
- image: $(params.image)
workingDir: $(workspaces.source.path)
name: kind
volumeMounts:
- mountPath: /var/run/
name: dind-socket
- mountPath: /lib/modules
name: modules
readOnly: true
- mountPath: /sys/fs/cgroup
name: cgroup
command: ["$(params.command[*])"]
securityContext:
runAsUser: 0
sidecars:
- image: docker:18.05-dind
name: dind
args:
- "--insecure-registry"
- "kind-registry:5000"
securityContext:
privileged: true
volumeMounts:
- mountPath: /var/lib/docker
name: dind-storage
- mountPath: /var/run/
name: dind-socket
volumes:
- name: dind-storage
emptyDir: {}
- name: dind-socket
emptyDir: {}
- name: modules
hostPath:
path: /lib/modules
type: Directory
- name: cgroup
hostPath:
path: /sys/fs/cgroup
type: Directory
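Review bot: The `dind` sidecar runs with `privileged: true` from `docker:18.05-dind`, a tag-only reference to a 2018 Docker release, so the most privileged container in this Task is also the least patched and is not pinned to a digest. I would move to a currently supported dind image pinned by digest, e.g. `image: docker:<supported-version>-dind@sha256:<digest>` (placeholders). The `kind` step runs as uid 0 with an image taken from the `image` param and shares `/var/run/` with that daemon, so whoever sets the param effectively controls the privileged daemon; the param description should say which images are acceptable. The same sidecar pattern appears in the two `Pod` manifests named `test` later in this commit (`docker:18.05-dind`, and `docker:dind` with hostPath `/var/host/run` and `/var/host/lib/docker`).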

@ -0,0 +1,78 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: pre-do
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/pipelines.minVersion: "0.38.0"
tekton.dev/categories: Shell
tekton.dev/tags: shell
tekton.dev/displayName: "pre do something"
tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
spec:
description: >-
Pre do something
workspaces:
- name: source
description: Store source code
params:
- name: version
description: Code version
type: string
results:
- name: version
description: The precise commit SHA that was fetched by this Task.
stepTemplate:
workingDir: $(workspaces.source.path)
securityContext:
runAsUser: 0
steps:
- name: download
image: golang:1.18
script: |
#!/usr/bin/env sh
GOPROXY=https://goproxy.cn
go mod download
go mod vendor
- name: static-check
image: golang:1.18
command:
- "go"
args:
- "vet"
- "./..."
- name: generate
image: golang:1.18
command:
- "make"
args:
- "generate"
- name: manifests
image: golang:1.18
command:
- "make"
args:
- "manifests"
- name: test
image: golang:1.18
command:
- "go"
args:
- "test"
- "./..."
- name: build
image: golang:1.18
command:
- "go"
args:
- "build"
- "-o"
- "bin/manager"
- "main.go"
- name: recover-own
image: golang:1.18
script: |
#!/usr/bin/env sh
set -eu
chown 65532:65532 -R $(workspaces.source.path)
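Review bot: In the `download` step, `GOPROXY=https://goproxy.cn` is a plain shell assignment, so unless the image already has GOPROXY in its environment the `go mod download` child process never sees it and falls back to the toolchain's default proxy. The script also lacks `set -e`, so the step's status is whatever `go mod vendor` returns and a failed download can go unnoticed. I would open the script with `set -eu` and use `export GOPROXY=https://goproxy.cn`. In `recover-own` the path should be quoted: `chown -R 65532:65532 "$(workspaces.source.path)"`.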

@ -0,0 +1,90 @@
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: kaniko-test-pipeline
spec:
workspaces:
- name: shared-workspace
params:
- name: image
description: reference of the image to build
tasks:
- name: fetch-repository
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-workspace
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: subdirectory
value: ""
- name: deleteExisting
value: "true"
- name: kaniko
taskRef:
name: kaniko
runAfter:
- fetch-repository
workspaces:
- name: source
workspace: shared-workspace
params:
- name: IMAGE
value: $(params.image)
- name: EXTRA_ARGS
value:
- --skip-tls-verify
- name: verify-digest
runAfter:
- kaniko
params:
- name: digest
value: $(tasks.kaniko.results.IMAGE_DIGEST)
taskSpec:
params:
- name: digest
steps:
- name: bash
image: ubuntu
script: |
echo $(params.digest)
case .$(params.digest) in
".sha"*) exit 0 ;;
*) echo "Digest value is not correct" && exit 1 ;;
esac
- name: verify-url
runAfter:
- kaniko
params:
- name: url
value: $(tasks.kaniko.results.IMAGE_URL)
taskSpec:
params:
- name: url
steps:
- name: bash
image: ubuntu
script: |
echo $(params.url)
case .$(params.url) in
*"/kaniko-nocode") exit 0 ;;
*) echo "URL value is not correct" && exit 1 ;;
esac
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: kaniko-test-pipeline-run
spec:
pipelineRef:
name: kaniko-test-pipeline
params:
- name: image
value: localhost:5000/kaniko-nocode
workspaces:
- name: shared-workspace
persistentvolumeclaim:
claimName: kaniko-source-pvc
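Review bot: `EXTRA_ARGS` passes `--skip-tls-verify` to kaniko unconditionally, which turns off certificate verification for the push to whatever `params.image` names, not only the `localhost:5000` registry used by the PipelineRun at the end of this file. If the local registry is self-signed or plain HTTP, scope the exception to that host with `- --skip-tls-verify-registry=localhost:5000` or `- --insecure-registry=localhost:5000`. Check that the pinned executor version accepts the per-registry form. Reusing the pipeline with a remote registry then keeps TLS verification on.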

@ -0,0 +1,8 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: msb-binding
spec:
params:
- name: version
value: $(body.checkout_sha)

@ -0,0 +1,12 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: msb-listener
spec:
serviceAccountName: tekton-robot
triggers:
- name: msb-trigger
bindings:
- ref: msb-binding
template:
ref: msb-template
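Review bot: The `msb-trigger` entry has a binding and a template but no `interceptors`, so the listener neither authenticates nor filters incoming requests. Any client that can reach the EventListener service can start a PipelineRun under `build-bot` and choose the `version` value through `body.checkout_sha`. The `checkout_sha` field suggests GitLab webhooks, so I would add the GitLab interceptor with a shared webhook token held in a Secret and restrict it to push events, as sketched below; the Secret name and key are placeholders.

```yaml
  triggers:
    - name: msb-trigger
      interceptors:
        - ref:
            name: "gitlab"
          params:
            - name: "secretRef"
              value:
                secretName: <webhook-secret-name>   # placeholder
                secretKey: <token-key>              # placeholder
            - name: "eventTypes"
              value: ["Push Hook"]
      # … unchanged: bindings and template refs …
```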

@ -0,0 +1,38 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: msb-template
spec:
params:
- name: version
default: "v0.0.1"
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msbpipeline-
spec:
serviceAccountName: build-bot
pipelineRef:
name: msbdeployment-pipeline
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: git@host.docker.internal:root/mashibing-deployment.git
- name: branch-name
value: master
- name: version
value: $(params.version)
- name: image
value: kind-registry:5000/deployment/msbdeployment
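Review bot: `version` comes from the webhook (`$(params.version)`, bound to `body.checkout_sha`) while `branch-name` is fixed to `master`, so the run clones whatever master points to at that moment and carries a SHA supplied by the request alongside it. If `msbdeployment-pipeline` (not visible in this section) uses `version` as the image tag, the tag can name a commit other than the one actually built. Binding a separate revision param from the same payload field and passing that as the clone revision would keep the tag and the source in step. The `commit` result of the git-clone Task is the value to trust for provenance.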

@ -0,0 +1,29 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-robot
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: triggers-msb-eventlistener-binding
subjects:
- kind: ServiceAccount
name: tekton-robot
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-eventlistener-roles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: triggers-msb-eventlistener-clusterbinding
subjects:
- kind: ServiceAccount
name: tekton-robot
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-eventlistener-clusterroles

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

@ -0,0 +1,55 @@
apiVersion: "v1"
kind: "Pod"
metadata:
name: "test"
spec:
containers:
- args:
- "-c"
- "sleep 999999999999999"
command:
- "sh"
image: "docker.io/library/docker-kind:v0.0.1"
imagePullPolicy: "Never"
name: "docker-kind"
resources: {}
securityContext:
privileged: false
tty: true
volumeMounts:
- mountPath: /var/run/
name: dind-socket
- mountPath: /lib/modules
name: modules
readOnly: true
- mountPath: /sys/fs/cgroup
name: cgroup
- image: "docker.io/library/docker:18.05-dind"
imagePullPolicy: "Never"
name: "dockerd"
args:
- "--insecure-registry"
- "kind-registry:5000"
securityContext:
privileged: true
volumeMounts:
- mountPath: /var/lib/docker
name: dind-storage
- mountPath: /var/run/
name: dind-socket
readOnly: false
restartPolicy: "Always"
securityContext: {}
volumes:
- name: dind-storage
emptyDir: {}
- name: dind-socket
emptyDir: {}
- name: modules
hostPath:
path: /lib/modules
type: Directory
- name: cgroup
hostPath:
path: /sys/fs/cgroup
type: Directory

@ -0,0 +1,74 @@
---
apiVersion: v1
kind: Service
metadata:
name: gitlab
spec:
selector:
pod: gitlab
ports:
- protocol: TCP
port: 80
targetPort: 80
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-pvc
labels:
pod: gitlab
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab
spec:
replicas: 1
selector:
matchLabels:
pod: gitlab
template:
metadata:
labels:
pod: gitlab
spec:
containers:
- name: gitlab
image: gitlab/gitlab-ce
imagePullPolicy: IfNotPresent
env:
- name: GITLAB_OMNIBUS_CONFIG
value: |
postgresql['enable'] = false
prometheus['monitor_kubernetes'] = false
gitlab_rails['db_username'] = "gitlab"
gitlab_rails['db_password'] = "gitlab"
gitlab_rails['db_host'] = "gitlab-db"
gitlab_rails['db_port'] = "5432"
gitlab_rails['db_database'] = "gitlabhq_production"
gitlab_rails['db_adapter'] = 'postgresql'
gitlab_rails['db_encoding'] = 'utf8'
redis['enable'] = false
gitlab_rails['redis_host'] = 'gitlab-memcache'
gitlab_rails['redis_port'] = '6379'
gitlab_rails['gitlab_shell_ssh_port'] = 22
gitlab_rails['initial_root_password'] = '12345678'
ports:
- containerPort: 80
volumeMounts:
- name: gitlab
mountPath: /var/opt/gitlab
subPath: gitlab_data
- name: gitlab
mountPath: /etc/gitlab
subPath: gitlab_configuration
volumes:
- name: gitlab
persistentVolumeClaim:
claimName: gitlab-pvc
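Review bot: `GITLAB_OMNIBUS_CONFIG` embeds `gitlab_rails['initial_root_password'] = '12345678'` and `gitlab_rails['db_password'] = "gitlab"` in the Deployment spec, so the admin and database passwords are committed to the repository and readable by anyone allowed to get the Deployment. The gitlab-db manifest in this commit has the same problem with `POSTGRES_PASSWORD` set to `gitlab`. I would move the values into a Secret and reference them with `secretKeyRef`. The omnibus image takes the initial root password from `GITLAB_ROOT_PASSWORD`, and the config string is Ruby, so `ENV[...]` should work for the database password (worth confirming on the image version in use). Secret name and keys below are placeholders.

```yaml
        env:
          - name: GITLAB_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                name: <gitlab-secret>        # placeholder
                key: <root-password-key>     # placeholder
          - name: GITLAB_DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: <gitlab-secret>        # placeholder
                key: <db-password-key>       # placeholder
          - name: GITLAB_OMNIBUS_CONFIG
            value: |
              # … unchanged: postgresql / prometheus / other db_* settings …
              gitlab_rails['db_password'] = ENV['GITLAB_DB_PASSWORD']
              # … unchanged: redis and ssh port settings; initial_root_password line dropped …
```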

@ -0,0 +1,60 @@
kind: Service
apiVersion: v1
metadata:
name: gitlab-db
spec:
selector:
pod: gitlab-db
ports:
- protocol: TCP
port: 5432
targetPort: 5432
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitlab-db-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-db
spec:
replicas: 1
selector:
matchLabels:
pod: gitlab-db
template:
metadata:
labels:
pod: gitlab-db
spec:
containers:
- name: gitlab-db
image: postgres:alpine
imagePullPolicy: IfNotPresent
env:
- name: POSTGRES_USER
value: gitlab
- name: POSTGRES_DB
value: gitlabhq_production
- name: POSTGRES_PASSWORD
value: gitlab
ports:
- containerPort: 5432
volumeMounts:
- name: gitlab-db-volume
mountPath: /var/lib/postgresql/data
subPath: gitlab
volumes:
- name: gitlab-db-volume
persistentVolumeClaim:
claimName: gitlab-db-pvc

@ -0,0 +1,35 @@
apiVersion: v1
kind: Service
metadata:
name: gitlab-memcache
spec:
selector:
pod: gitlab-memcache
ports:
- protocol: TCP
port: 6379
targetPort: 6379
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-memcache
spec:
replicas: 1
selector:
matchLabels:
pod: gitlab-memcache
template:
metadata:
labels:
pod: gitlab-memcache
spec:
containers:
- name: gitlab-redis-master
image: redis
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: "0.2"
ports:
- containerPort: 6379
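Review bot: The `gitlab-redis-master` container starts Redis with no password, and the `gitlab-memcache` Service publishes port 6379 inside the cluster. Absent a NetworkPolicy, any pod can read or modify the data GitLab keeps there. I would start it with `args: ["--requirepass", "$(REDIS_PASSWORD)"]`, with `REDIS_PASSWORD` supplied from a Secret via `secretKeyRef`, and set `gitlab_rails['redis_password']` on the GitLab side. The image reference `redis` is also untagged, so the version running depends on what each node has cached.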

@ -0,0 +1,17 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitlab
spec:
ingressClassName: nginx
rules:
- host: "gitlab-mashibing.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: gitlab
port:
number: 80
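Review bot: The rule for `gitlab-mashibing.com` has no `tls` section, so the GitLab UI, including sign-in and any access tokens sent to it, is served over plain HTTP through the nginx ingress. I would add `tls: [{hosts: ["gitlab-mashibing.com"], secretName: <tls-secret-name>}]` under `spec` (the secret name is a placeholder) and configure GitLab's external URL as https to match.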

@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: private-repository-k8s
name: private-repository-k8s
spec:
ports:
- port: 5000
nodePort: 31320
protocol: TCP
targetPort: 5000
selector:
app: private-repository-k8s
type: NodePort

@ -0,0 +1,42 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: private-repository-k8s
labels:
app: private-repository-k8s
spec:
replicas: 1
selector:
matchLabels:
app: private-repository-k8s
template:
metadata:
labels:
app: private-repository-k8s
spec:
volumes:
- name: certs-vol
hostPath:
path: /var/host/certs
type: Directory
- name: registry-vol
hostPath:
path: /var/host/lib/registry
type: Directory
containers:
- image: registry:2
name: private-repository-k8s
imagePullPolicy: IfNotPresent
env:
- name: REGISTRY_HTTP_TLS_CERTIFICATE
value: "/certs/registry.crt"
- name: REGISTRY_HTTP_TLS_KEY
value: "/certs/registry.key"
ports:
- containerPort: 5000
volumeMounts:
- name: certs-vol
mountPath: /certs
- name: registry-vol
mountPath: /var/lib/registry
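Review bot: The registry container is given a TLS certificate and key but no `REGISTRY_AUTH` settings, and the companion Service in this commit publishes it on NodePort 31320. Anyone who can reach a node can therefore push or overwrite images that the cluster later pulls. Enabling htpasswd authentication takes three env vars plus a mounted credentials file, sketched below with a placeholder path. The private key at `/certs/registry.key` also comes from a hostPath; mounting it from a `kubernetes.io/tls` Secret would avoid depending on node filesystem contents.

```yaml
        env:
          # … unchanged: REGISTRY_HTTP_TLS_CERTIFICATE / REGISTRY_HTTP_TLS_KEY …
          - name: REGISTRY_AUTH
            value: "htpasswd"
          - name: REGISTRY_AUTH_HTPASSWD_REALM
            value: "Registry Realm"
          - name: REGISTRY_AUTH_HTPASSWD_PATH
            value: "/auth/htpasswd"     # placeholder path, mounted from a Secret
```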

@ -0,0 +1,13 @@
apiVersion: "v1"
kind: "Pod"
metadata:
name: "test-internal"
spec:
containers:
- image: "localhost:5001/alpine:latest"
imagePullPolicy: "Always"
name: "alpine"
command:
- "sleep"
args:
- "9999999"

@ -0,0 +1,31 @@
apiVersion: "v1"
kind: "Pod"
metadata:
name: "test"
spec:
containers:
- image: "docker.io/library/docker:dind"
imagePullPolicy: "Never"
name: "dockerd"
args:
- "--insecure-registry"
- "kind-registry:5000"
securityContext:
privileged: true
volumeMounts:
- mountPath: "/var/lib/docker"
name: "volume-docker"
readOnly: false
- mountPath: "/var/run"
name: "volume-docker-sock"
readOnly: false
hostNetwork: false
restartPolicy: "Never"
securityContext: {}
volumes:
- hostPath:
path: "/var/host/lib/docker"
name: "volume-docker"
- hostPath:
path: "/var/host/run"
name: "volume-docker-sock"