OpenShift 4 - DevSecOps Workshop (8) - 为Pipeline增加生成Image任务

《OpenShift 4.x HOL教程汇总》
说明：本文已经在OpenShift 4.8环境中验证

本步将像Pipeline中添加任务来生成应用镜像，随后将其推送到Quay。

手工验证生成 Image 的操作

1. 从Nexus下载已经生成的应用包到“oc-build”目录。

$ mkdir oc-build
$ wget -O oc-build/jboss-tasks-rs-7.0.0-SNAPSHOT.war "http://${NEXUS_URL}/service/rest/v1/search/assets/download?sort=version&repository=maven-snapshots&maven.groupId=org.jboss.quickstarts.eap&maven.artifactId=jboss-tasks-rs&maven.baseVersion=7.0.0-SNAPSHOT&maven.extension=war"

2. 基于在openshift项目中的“jboss-eap72-openshift:1.1”镜像流创建一个名为“tekton-tasks”新的BuildConfig对象。

$ oc new-build --name=tekton-tasks --image-stream jboss-eap72-openshift:1.1 --binary=true -n ${DEV}
--> Found image 0ca7413 (23 months old) in image stream "openshift/jboss-eap72-openshift" under tag "1.1" for "jboss-eap72-openshift:1.1"
  
    JBoss EAP 7.2
    -------------
    Platform for building and running JavaEE applications on JBoss EAP 7.2
 
    Tags: builder, javaee, eap, eap7
 
    * A source build using binary input will be created
      * The resulting image will be pushed to image stream tag "tekton-tasks:latest"
      * A binary build was created, use 'oc start-build --from-dir' to trigger a new build
 
--> Creating resources with label build=tekton-tasks ...
    imagestream.image.openshift.io "tekton-tasks" created
    buildconfig.build.openshift.io "tekton-tasks" created
--> Success

3. 查看由上一步创建的BuildConfig对象和ImageStream对象。注意BuildConfig的LATEST和istag对象的“IMAGE REFERENCE”的内容。

$ oc get buildconfig tekton-tasks -n ${DEV}
NAME           TYPE     FROM     LATEST
tekton-tasks   Source   Binary   0
 
$ oc get is tekton-tasks -n ${DEV}
NAME           IMAGE REPOSITORY                                                                                              TAGS     UPDATED
tekton-tasks   default-route-openshift-image-registry.apps.cluster-39c8.39c8.sandbox139.opentlc.com/user1-dev/tekton-tasks   latest
 
$ oc get istag tekton-tasks:latest -n ${DEV}
Error from server (NotFound): imagestreamtags.image.openshift.io "tekton-tasks:latest" not found

4. 启动名为“tekton-tasks”的BuildConfig。

$ oc start-build tekton-tasks --from-dir=./oc-build/ --wait=true -n ${DEV}
Uploading directory "oc-build" as binary input for the build ...
Uploading finished
build.build.openshift.io/tekton-tasks-1 started

5. 再次查看BuildConfig对象和ImageStream对象，确认其中BuildConfig的LATEST和istag对象的“IMAGE REFERENCE”都发生了更新变化。，另外也生成了名为"tekton-tasks:latest"的istag对象。

$ oc get bc tekton-tasks -n ${DEV}
NAME           TYPE     FROM     LATEST
tekton-tasks   Source   Binary   1
 
$ oc get is tekton-tasks -n ${DEV}
NAME           IMAGE REPOSITORY                                                                                              TAGS     UPDATED
tekton-tasks   default-route-openshift-image-registry.apps.cluster-39c8.39c8.sandbox139.opentlc.com/user1-dev/tekton-tasks   latest   19 seconds ago
 
$ oc get istag tekton-tasks:latest -n ${DEV}
NAME                  IMAGE REFERENCE                                                                                                                                   UPDATED
tekton-tasks:latest   image-registry.openshift-image-registry.svc:5000/user1-dev/tekton-tasks@sha256:f28e444783d263701061da94e0150a67ccce9a69b55d999b04982334e861e877   29 seconds ago

为 Pipeline 增加生成 Image 的任务

下面我们将在 Task 中实现上一步手工生成 Image 的操作。

1. 执行命令创建名为“create-image”的任务，其中使用了create-build-config和build-app-image来创建BuildConfig并生成ImageStream和Image对象。

$ oc apply -f - << EOF
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: create-image
  namespace: ${
    
    CICD}
spec:
  params:
    - default: tasks
      description: The name of the app
      name: app_name
      type: string
    - description: The name dev project
      name: dev_project
      type: string
    - description: binary artifact path in the local artifact repo
      # something like org/jboss/quickstarts/eap/jboss-tasks-rs/7.0.0-SNAPSHOT/jboss-tasks-rs-7.0.0-SNAPSHOT.war
      type: string
      name: artifact_path
  resources:
    inputs:
      - name: source
        type: git
  steps:
    - name: create-build-config
      image: 'quay.io/openshift/origin-cli:latest'
      script: >
        #!/bin/sh
        
        set -e -o pipefail
        
        echo "Creating new build config"  
        
        # This allows the new build to be created whether it exists or not
        
        oc new-build -o yaml --name=\$(params.app_name) --image-stream=jboss-eap72-openshift:1.1 --binary=true -n
        \$(params.dev_project) | oc apply -n \$(params.dev_project) -f - 
    - name: build-app-image
      image: 'quay.io/openshift/origin-cli:latest'    
      script: >
        #!/bin/sh
        
        set -e -o pipefail
        
        echo "Start the openshift build"  
        
        rm -rf \$(resources.inputs.source.path)/oc-build && mkdir -p \$(resources.inputs.source.path)/oc-build/deployments 
        
        cp \$(workspaces.maven-repo.path)/\$(params.artifact_path) \$(resources.inputs.source.path)/oc-build/deployments/ROOT.war 
        
        oc start-build \$(params.app_name) --from-dir=\$(resources.inputs.source.path)/oc-build -n \$(params.dev_project) --wait=true 
        
  workspaces:
    - name: maven-repo
EOF

2. 执行命令测试运行"create-image"任务。

$ tkn task start create-image -n ${CICD} --showlog \
	--inputresource source=tasks-source-code \
	--param app_name=tekton-tasks \
	--param dev_project=${DEV} \
	--param artifact_path='org/jboss/quickstarts/eap/jboss-tasks-rs/7.0.0-SNAPSHOT/jboss-tasks-rs-7.0.0-SNAPSHOT.war' \
	--workspace name=maven-repo,claimName=maven-repo-pvc
TaskRun started: create-image-run-pdj4q
Waiting for logs to be available...
[git-source-source-gx868] {
    
    "level":"info","ts":1629181943.040389,"caller":"git/git.go:169","msg":"Successfully cloned https://gitea-server-devsecops.apps.cluster-39c8.39c8.sandbox139.opentlc.com/user1/openshift-tasks.git @ bde310585bda8209cf384a85c6a72c6f34813910 (grafted, HEAD, origin/dso4) in path /workspace/source"}
[git-source-source-gx868] {
    
    "level":"info","ts":1629181943.1477466,"caller":"git/git.go:207","msg":"Successfully initialized and updated submodules in path /workspace/source"}
 
[create-build-config] Creating new build config
[create-build-config] imagestream.image.openshift.io/tekton-tasks created
[create-build-config] buildconfig.build.openshift.io/tekton-tasks created
 
[build-app-image] Start the openshift build
[build-app-image] Uploading directory "/workspace/source/oc-build" as binary input for the build ...
[build-app-image] 
[build-app-image] Uploading finished
[build-app-image] build.build.openshift.io/tekton-tasks-1 started

3. 再次查看BuildConfig 、ImageStream和istag对象，其中BuildConfig的LATEST和istag对象的“IMAGE REFERENCE”都发生了更新变化。

$ oc get buildconfig tekton-tasks -n ${DEV}
NAME           TYPE     FROM     LATEST
tekton-tasks   Source   Binary   2

$ oc get imagestream tekton-tasks -n ${DEV}
NAME           IMAGE REPOSITORY                                                                                              TAGS     UPDATED
tekton-tasks   default-route-openshift-image-registry.apps.cluster-39c8.39c8.sandbox139.opentlc.com/user1-dev/tekton-tasks   latest   13 minutes ago

$ oc get istag tekton-tasks:latest -n ${DEV}
NAME                  IMAGE REFERENCE                                                                                                                                   UPDATED
tekton-tasks:latest   image-registry.openshift-image-registry.svc:5000/user1-dev/tekton-tasks@sha256:eac120a2ca3cd6c6f423829f74eeb3bdd29965067fd53fa0378620aeb7a7cd5b   About a minute ago

4. 执行命令向“tasks-dev-pipeline”管道追加“create-image”任务。

$ TASKS="$(oc get pipelines tasks-dev-pipeline -n ${
      
      CICD} -o yaml | yq r - 'spec.tasks' | yq p - 'spec.tasks')"
$ oc patch pipelines tasks-dev-pipeline -n ${CICD} --type=merge -p "$(cat << EOF
$TASKS
    - name: create-image
      taskRef:
        kind: Task
        name: create-image
      params:
          - name: app_name
            value: tekton-tasks
          - name: dev_project
            value: ${DEV}
          - name: artifact_path
            value: org/jboss/quickstarts/eap/jboss-tasks-rs/7.0.0-SNAPSHOT/jboss-tasks-rs-7.0.0-SNAPSHOT.war
      resources:
        inputs:
          - name: source
            resource: pipeline-source
      workspaces:
        - name: maven-repo
          workspace: local-maven-repo
      runAfter:
          - archive
EOF
)"

或者可以根据下图在OpenShift控制台上增加“create-image”任务。

5. 用命令运行测试“tasks-dev-pipeline”管道。

$ tkn pipeline start tasks-dev-pipeline -n ${CICD} --showlog \
	--resource pipeline-source=tasks-source-code \
	--workspace name=local-maven-repo,claimName=maven-repo-pvc
。。。
[create-build-config] Creating new build config
[create-build-config] imagestreamtag.image.openshift.io/tekton-tasks:latest created
[create-build-config] buildconfig.build.openshift.io/tekton-tasks configured
 
[build-app-image] Start the openshift build
[build-app-image] Uploading directory "/workspace/source/oc-build" as binary input for the build ...
[build-app-image]
[build-app-image] Uploading finished
[build-app-image] build.build.openshift.io/tekton-tasks-1 started

也可在OpenShift控制台上运行“tasks-dev-pipeline”管道，然后查看管道运行的日志。

6. 完成运行后可再次查看BuildConfig和istag对象，确定BuildConfig的LATEST和istag对象的“IMAGE REFERENCE”都发生了更新变化。。

$ oc get buildconfig tekton-tasks -n ${DEV}
NAME           TYPE     FROM     LATEST
tekton-tasks   Source   Binary   3
 
$ oc get istag tekton-tasks:latest -n ${DEV}
NAME                  IMAGE REFERENCE                                                                                                                                   UPDATED
tekton-tasks:latest   image-registry.openshift-image-registry.svc:5000/user1-dev/tekton-tasks@sha256:29328b9e9b9fa756e46786dceed7c0b7d7ec8e034a5d96e9c1299357e3431947   8 minutes ago

测试运行生成的 Image

1. 执行命令，基于上一步生成的“tekton-tasks:latest”镜像运行应用。

$ oc new-app --image-stream=tekton-tasks:latest -n ${DEV}
$ oc expose svc tekton-tasks -n ${DEV}

2. 或者用OpenShift控制台根据下图进入“容器镜像”
   
   然后部署“user1-dev”中的“tekton-tasks:latest”镜像流。
   在部署好后点击“路由”下方的链接即可访问应用。