OpenShift 4.x HOL Tutorial Series
Note: this article has been verified on OpenShift 4.8.
In this section we add a new Task to the "tasks-stage-pipeline" that pushes the YAML needed to deploy the application to a repository on Gitea. We then let OpenShift GitOps deploy those YAML resources automatically into two target projects. The deployment uses the application image that was pushed to Quay in 《OpenShift 4 - DevSecOps Workshop (13) - Pushing the image to Quay and scanning it for vulnerabilities》.
Pushing the application deployment YAML to Gitea with a Task
Preparing the environment
Make the Quay repository public
- For convenience during testing, open the settings of the "tekton-tasks" repository in the Quay console and click "Make Public" so it can be pulled without credentials. Note: before the pipeline is run for real, the "tekton-tasks" repository is set back to private.
Create the Git repository used by GitOps
- In Gitea, create a public repository named "gitops-tekton-tasks".
Add the create-yaml-file task
- In the "USER_ID-cicd" project, create the create-yaml-file task from the following YAML. The task generates the YAML that deploys the specified image from Quay, "tekton-tasks.yaml", and stores it in the shared workspace. Note: the YAML that oc generates by default contains a few unused, server-populated fields that interfere with ArgoCD's sync status, so they are deleted.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: create-yaml-file
spec:
  params:
    - name: USERNAME
      type: string
    - name: IMAGE_NAME
      type: string
    - name: IMAGE_TAG
      type: string
    - name: QUAY_URL
      type: string
  steps:
    - image: 'quay.io/openshift/origin-cli:latest'
      name: create-yaml-file
      resources: {}
      # A literal block (|) keeps each command on its own line; a folded block (>) would join them into one.
      script: |
        #!/bin/sh
        set -e -o pipefail
        echo "Creating YAML file"
        oc new-app --image="$(params.QUAY_URL)/$(params.USERNAME)/$(params.IMAGE_NAME):$(params.IMAGE_TAG)" --dry-run -oyaml > $(workspaces.gitops-repo.path)/tekton-tasks.yaml
        # Pin the container image to the digest of the scanned image (this value is specific to the author's cluster and user)
        sed -i '/- image: /c\ - image: quay.apps.cluster-394c.394c.sandbox1709.opentlc.com\/user1\/tekton-tasks@sha256:fc3f0f3c81e847ae9b4dcaf2c5ac664c4c91de47cdca851788cd1c16859732d0' $(workspaces.gitops-repo.path)/tekton-tasks.yaml
        # Remove server-populated fields that would otherwise keep the ArgoCD application permanently out of sync
        sed -i '/status:/d' $(workspaces.gitops-repo.path)/tekton-tasks.yaml
        sed -i '/generation: null/d' $(workspaces.gitops-repo.path)/tekton-tasks.yaml
        sed -i '/referencePolicy:/d' $(workspaces.gitops-repo.path)/tekton-tasks.yaml
        sed -i '/ type: ""/d' $(workspaces.gitops-repo.path)/tekton-tasks.yaml
        sed -i '/dockerImageRepository:/d' $(workspaces.gitops-repo.path)/tekton-tasks.yaml
        sed -i '/loadBalancer:/d' $(workspaces.gitops-repo.path)/tekton-tasks.yaml
  workspaces:
    - description: Location for storing gitops files
      name: gitops-repo
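As an added example (not part of the original workshop code), the sed chain above can be replaced by a small filter that removes the `status` and `referencePolicy` blocks together with all of their children (`dockerImageRepository`, `loadBalancer`, `type: ""`) and the `generation: null` lines, so no orphaned child keys are left behind when a block has more children than the sed patterns cover. It assumes the step runs in an image that has Python 3; the sample manifest is constructed here to mirror the shape of `oc new-app --dry-run -o yaml` output, and its image reference is a placeholder.

```python
# Constructed sample (placeholder image ref) shaped like `oc new-app --dry-run -o yaml` output.
SAMPLE = """\
apiVersion: v1
items:
- apiVersion: image.openshift.io/v1
  kind: ImageStream
  spec:
    tags:
    - from:
        kind: DockerImage
        name: quay.example.invalid/user1/tekton-tasks:quay1
      generation: null
      referencePolicy:
        type: ""
  status:
    dockerImageRepository: ""
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  spec:
    replicas: 1
  status:
    availableReplicas: 0
- apiVersion: v1
  kind: Service
  spec:
    ports:
    - port: 8080
  status:
    loadBalancer: {}
kind: List
"""

BLOCK_KEYS = ("status", "referencePolicy")  # key line plus its children go
SCALAR_LINES = ("generation: null",)        # dropped on their own


def strip_runtime_fields(text):
    """Drop server-populated fields so Argo CD sees no permanent diff."""
    out, skip_indent = [], None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if skip_indent is not None:
            if not line.strip() or indent > skip_indent:
                continue                    # still inside the dropped block
            skip_indent = None
        stripped = line.strip()
        if stripped.endswith(":") and stripped[:-1] in BLOCK_KEYS:
            skip_indent = indent            # drop this key and its children
        elif stripped not in SCALAR_LINES:
            out.append(line)
    return "\n".join(out) + "\n"
```

Because the filter works on indentation rather than on key names alone, the DeploymentConfig's `availableReplicas` counter disappears with its parent `status` even though no pattern names it.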
Create the update-gitops-repo task
- In the "USER_ID-cicd" project, create the update-gitops-repo task from the following YAML. The task pushes the "tekton-tasks.yaml" file held in the shared workspace to the repository on Gitea (for convenient testing, every run also adds a random file to the repo; remove that in a production environment).
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: update-gitops-repo
spec:
  params:
    - name: GIT_URL
      type: string
    - name: USERNAME
      type: string
    # NOTE: a password passed as a plain parameter is readable in the PipelineRun object and
    # ends up in the remote URL below; outside a lab, supply it from a Secret instead.
    - name: PASSWORD
      type: string
    - name: REPO_NAME
      type: string
  steps:
    - image: 'gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:latest'
      name: update-gitops-repo
      resources: {}
      script: |
        #!/bin/sh
        set -e -o pipefail
        git config --global user.email "[email protected]"
        git config --global user.name "$(params.USERNAME)"
        git clone https://$(params.GIT_URL)/$(params.USERNAME)/$(params.REPO_NAME)
        cd $(params.REPO_NAME)
        if [ ! -d app ]; then mkdir app; fi
        # Copy the generated manifest from the shared workspace into the repo (\cp bypasses any interactive alias)
        \cp $(workspaces.gitops-repo.path)/tekton-tasks.yaml /workspace/$(params.REPO_NAME)/app
        # Testing aid: replace any earlier marker file with a fresh random one so every run produces a commit.
        # --ignore-unmatch keeps the first run from failing when no *.testing file exists yet. Remove in production.
        git rm -f --ignore-unmatch '*.testing'
        echo testing > $RANDOM.testing
        git add *
        git commit -m "update tekton-tasks.yaml"
        git remote set-url origin https://$(params.USERNAME):$(params.PASSWORD)@$(params.GIT_URL)/$(params.USERNAME)/$(params.REPO_NAME)
        git push -u origin master
  workspaces:
    - description: Location for storing gitops files
      name: gitops-repo
Calling the tasks from a Pipeline
- In the "USER_ID-cicd" project, create the update-gitops-pipeline pipeline from the following YAML.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: update-gitops-pipeline
spec:
  params:
    - name: GIT_URL
      type: string
    - name: GIT_USERNAME
      type: string
    - name: GIT_PASSWORD
      type: string
    - name: GIT_REPO_NAME
      type: string
    - name: QUAY_URL
      type: string
    - name: QUAY_USERNAME
      type: string
    - name: IMAGE_TAG
      type: string
  tasks:
    - name: create-yaml-file
      params:
        - name: IMAGE_NAME
          value: tekton-tasks
        - name: IMAGE_TAG
          value: $(params.IMAGE_TAG)
        - name: QUAY_URL
          value: $(params.QUAY_URL)
        - name: USERNAME
          value: $(params.QUAY_USERNAME)
      taskRef:
        kind: Task
        name: create-yaml-file
      workspaces:
        - name: gitops-repo
          workspace: local-maven-repo
    - name: update-gitops-repo
      params:
        - name: GIT_URL
          value: $(params.GIT_URL)
        - name: REPO_NAME
          value: $(params.GIT_REPO_NAME)
        - name: USERNAME
          value: $(params.GIT_USERNAME)
        - name: PASSWORD
          value: $(params.GIT_PASSWORD)
      runAfter:
        - create-yaml-file
      taskRef:
        kind: Task
        name: update-gitops-repo
      workspaces:
        - name: gitops-repo
          workspace: local-maven-repo
  workspaces:
    - name: local-maven-repo
- Run the following commands to test the update-gitops-pipeline pipeline; afterwards the testing file is visible in gitops-tekton-tasks on Gitea. Note: the test sets the "IMAGE_TAG" parameter to "quay1", so make sure an image with that tag exists in Quay.
$ GIT_URL=$(oc get route gitea-server -n devsecops -ojsonpath={.spec.host})
$ QUAY_URL=$(oc get route quayecosystem-quay -n devsecops -ojsonpath={.spec.host})
$ tkn pipeline start update-gitops-pipeline -n ${USER_ID}-cicd --showlog -L \
-p GIT_URL=${GIT_URL} \
-p GIT_USERNAME=${USER_ID} \
-p GIT_PASSWORD=openshift \
-p GIT_REPO_NAME=gitops-tekton-tasks \
-p QUAY_URL=${QUAY_URL} \
-p QUAY_USERNAME=${USER_ID} \
-p IMAGE_TAG=quay1 \
--workspace name=local-maven-repo,claimName=maven-repo-pvc
PipelineRun started: update-gitops-pipeline-3zhu98-cfc7n
Waiting for logs to be available...
[create-yaml-file : create-yaml-file] Creating YAML file
[update-gitops-repo : update-gitops-repo] Cloning into 'gitops-tekton-tasks'...
[update-gitops-repo : update-gitops-repo] fatal: pathspec '*.testing' did not match any files
[update-gitops-repo : update-gitops-repo] [master 6a3c339] update tekton-tasks.yaml
[update-gitops-repo : update-gitops-repo] 1 file changed, 91 insertions(+)
[update-gitops-repo : update-gitops-repo] create mode 100644 app/tekton-tasks.yaml
[update-gitops-repo : update-gitops-repo] remote: . Processing 1 references
[update-gitops-repo : update-gitops-repo] remote: Processed 1 references in total
[update-gitops-repo : update-gitops-repo] To https://gitea-server-devsecops.apps.cluster-394c.394c.sandbox1709.opentlc.com/user1/gitops-tekton-tasks
[update-gitops-repo : update-gitops-repo] 4c9f10d..6a3c339 master -> master
[update-gitops-repo : update-gitops-repo] Branch 'master' set up to track remote branch 'master' from 'origin'.
Deploying the application with OpenShift GitOps
Install the OpenShift GitOps environment
Install the OpenShift GitOps environment and the client tooling as described in 《GitOps (1) Installing ArgoCD with the OpenShift GitOps Operator》.
Note: this step is performed once, by an OpenShift cluster-admin user.
Configure the ArgoCD client environment
- First, as the OpenShift cluster administrator, run the following command so that the user can operate the ArgoCD instance in the openshift-gitops project.
$ oc adm policy add-role-to-user edit ${USER} -n openshift-gitops
- As a regular OpenShift user, log in with the ArgoCD client. Note: ArgoCD users and OpenShift users are two separate sets of users, but they can be unified through RHSSO.
$ ARGOCD_VER=$(curl --silent "https://api.github.com/repos/argoproj/argo-cd/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
$ ARGOCD_URL=$(oc get route openshift-gitops-server -n openshift-gitops -o jsonpath='{.spec.host}')
$ ARGOCD_PASSWD=$(oc get secret openshift-gitops-cluster -n openshift-gitops -ojsonpath='{.data.admin\.password}' | base64 -d)
$ sudo curl -L https://github.com/argoproj/argo-cd/releases/download/${ARGOCD_VER}/argocd-linux-amd64 -o /usr/local/bin/argocd
$ sudo chmod +x /usr/local/bin/argocd
$ # --insecure skips TLS verification of the ArgoCD route; acceptable only in a lab whose route certificate the client does not trust
$ argocd login --username admin --password ${ARGOCD_PASSWD} --insecure ${ARGOCD_URL}
Deploy the application to the target projects
- As a regular OpenShift user, create two projects for testing GitOps.
$ oc new-project ${USER_ID}-prod-1
$ oc new-project ${USER_ID}-prod-2
- As the OpenShift cluster administrator, label both projects with "argocd.argoproj.io/managed-by=openshift-gitops".
$ oc label namespace ${USER_ID}-prod-1 argocd.argoproj.io/managed-by=openshift-gitops
$ oc label namespace ${USER_ID}-prod-2 argocd.argoproj.io/managed-by=openshift-gitops
- As a regular OpenShift user, run the following commands to sync two applications from the Git configuration into the OpenShift test projects.
$ argocd app create --name ${USER_ID}-tekton-task-1 --project default \
--repo https://${GIT_URL}/${USER_ID}/gitops-tekton-tasks.git \
--path app \
--revision HEAD \
--dest-server https://kubernetes.default.svc \
--dest-namespace ${USER_ID}-prod-1 \
--sync-policy automated
$ argocd app create --name ${USER_ID}-tekton-task-2 --project default \
--repo https://${GIT_URL}/${USER_ID}/gitops-tekton-tasks.git \
--path app \
--revision HEAD \
--dest-server https://kubernetes.default.svc \
--dest-namespace ${USER_ID}-prod-2 \
--sync-policy automated
- Check the sync status of the applications in the ArgoCD console.
- The application status can also be checked from the command line:
$ argocd app list
NAME CLUSTER NAMESPACE PROJECT STATUS HEALTH SYNCPOLICY CONDITIONS REPO PATH TARGET
user1-tekton-task-1 https://kubernetes.default.svc user1-prod-1 default Synced Healthy Auto <none> https://gitea-server-devsecops.apps.cluster-394c.394c.sandbox1709.opentlc.com/user1/gitops-tekton-tasks.git app HEAD
user1-tekton-task-2 https://kubernetes.default.svc user1-prod-2 default Synced Healthy Auto <none> https://gitea-server-devsecops.apps.cluster-394c.394c.sandbox1709.opentlc.com/user1/gitops-tekton-tasks.git app HEAD
Reference: accessing Gitee with an SSH key
Generate an SSH key for accessing Gitee
- Run the following command to generate a key pair, pressing Enter at every prompt. On success, the key pair gitee-key and gitee-key.pub is created in the ~/.ssh/ directory.
$ ssh-keygen -t rsa -C "[email protected]" -f ~/.ssh/gitee-key
- Display the generated public key string.
$ cat ~/.ssh/gitee-key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYbE/qUrT5q/ip0NcEJSAWzxbxgTiC5hYtKqpxGV49oT6XM5q48vw2XwBXj/SitLj3kSKr+52aA9apy637RaJz9hclazEKu+PH/UDRCCOeBS4R54sDQJYrQplE3c98q/3k2F3TxU1QAmpawkKbaZZMGyq0MiFvfFyF4DjXAzPb9X3libXkdDo7n4paqdkfqX2ukPtFWAsNp+OUTHnpLL0SExvL06DOPAT4shgmJMxZVP2DPnkRJhkGig3lAy9c0txh2PmGynMfBqXYoZizVhzuUJbYigkqjJCz+OdUuml9me8r04V5PDOQ1wC/8Tra0fYQtfVODUPzxKtrE6PmnLsSbDPHFsJ3kBbqsEO0Nc2pUal8ilw3hehkn6pGejxQaEjY1vWgm4bqze/ghM6JjwwjihshlYCbtFGGIjwI1zKLNAj6UBpmv1PeTPBpqJWlKGyKgZeXcW76O0oki+u08l34jYuHrMZi2551hhqVNZF1Yoqnk93ZoXWd48bNmcpZ7G0= [email protected]
Add the public key to Gitee
- After logging in to Gitee, open the user's "Settings" menu, then use the left-hand menu to go to "Security settings" and "SSH public keys".
- Paste the public key string from the previous step into the "Public key" field and click "OK".
Working with the Gitee repo over SSH
git clone https://gitee.com/dawnskyliu/gitops-helm-argocd
cd gitops-helm-argocd
oc new-app --name=mywar jboss-webserver31-tomcat8-openshift:1.4~https://github.com/liuxiaoyu-git/tomcat-war --dry-run=true -oyaml > mywar.yaml
git add *
git commit -m "add mywar.yaml"
# The clone already created "origin" over HTTPS; point it at the SSH address so the key is used for the push
git remote set-url origin git@gitee.com:dawnskyliu/gitops-helm-argocd.git
# Use the generated key for this shell session (or add a Host entry for gitee.com to ~/.ssh/config)
export GIT_SSH_COMMAND="ssh -i ~/.ssh/gitee-key"
# Confirm that Gitee accepts the key before pushing
ssh -T git@gitee.com -i ~/.ssh/gitee-key
git push -u origin master