OpenShift 4 Tekton - 将Tekton和ArgoCD集成

《OpenShift 4.x HOL教程汇总》

实现场景

本文实现下图基于包括GitHub、Tekton、ArgoCD、WebHook的CI/CD场景：

1. NodeJs应用代码放在Github的Code Repository中，代码变化后会通过Webhook触发Tekton的Pipeline运行。
2. Tekton的Pipeline先从Code Repository中获得应用代码，然后Build成Image，随后将应用Image推送到OpenShift内部的Image Registry上。最后再更新GitHub的Infra Repository中的部署配置。
3. ArgoCD发现Infra Repository中的部署配置变化后自动同步到OpenShift。
4. OpenShift根据新的部署配置从其内部的Image Registry获取最新的应用Image，然后部署到OpenShift中。
   

实现CI/CD配置

准备Git Repo

1. Fork以下3个git repo到自己的github账户中。
   https://github.com/liuxiaoyu-git/tutorial-tekton-argocd-pipeline（Tekton Pipeline）
   https://github.com/liuxiaoyu-git/tutorial-tekton-argocd-code（NodeJs应用代码）
   https://github.com/liuxiaoyu-git/tutorial-tekton-argocd-infra（OpenShift部署）
2. 在tutorial-tekton-argocd-pipeline的git repo中修改以下文件的内容，将其中的“liuxiaoyu-git”替换为自己的git账户名。
   pipeline/pipeline-build-git.yaml
   pipeline/git.yaml
3. 执行命令设置环境变量。

$ export GIT_USERNAME=YOUR-GIT
$ export GIT_PIPELINE='tutorial-tekton-argocd-pipeline'
$ export GIT_CODE='tutorial-tekton-argocd-code'
$ export GIT_INFRA='tutorial-tekton-argocd-infra'

安装Tekton和ArgoCD客户端

1. 运行以下命令，安装Tekton客户端。

$ curl -LO https://github.com/tektoncd/cli/releases/download/v0.8.0/tkn_0.8.0_Linux_x86_64.tar.gz
$ tar -xvf tkn_0.8.0_Linux_x86_64.tar.gz
$ sudo mv tkn /usr/bin/

2. 运行以下命令，安装ArgoCD客户端。

$ sudo curl -L https://github.com/argoproj/argo-cd/releases/download/v1.4.2/argocd-linux-amd64 -o /usr/local/bin/argocd
$ sudo chmod +x /usr/local/bin/argocd

安装Tekton Operator、ArgoCD Operator和ArgoCD服务端环境

1. 执行命令下载tutorial-tekton-argocd-pipeline repo。

$ git clone https://github.com/$GIT_USERNAME/tutorial-tekton-argocd-pipeline
$ cd tutorial-tekton-argocd-pipeline

2. 执行命令安装Tekton Operator、ArgoCD Operator。

$ oc apply -f operators/tekton-operator.yaml
$ oc apply -f operators/argocd-operator.yaml

3. 执行命令，查看Tekton Operator、ArgoCD Operator的安装状态。

$ oc get ClusterServiceVersion -n argocd
NAME                                   DISPLAY                        VERSION   REPLACES                              PHASE
argocd-operator-helm.v0.0.3            Argo CD Operator (Helm)        0.0.3     argocd-operator-helm.v0.0.2           Succeeded
openshift-pipelines-operator.v0.10.7   OpenShift Pipelines Operator   0.10.7    openshift-pipelines-operator.v0.8.2   Succeeded

4. 成功后执行命令创建ArgoCD服务端环境。

$ oc apply -f operators/argocd-cr.yaml

5. 执行命令，查看ArgoCD部署执行情况。

$ oc get deploy
NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
argocd-application-controller   1/1     1            1           4m2s
argocd-dex-server               1/1     1            1           4m2s
argocd-operator-helm            1/1     1            1           10m
argocd-redis                    1/1     1            1           4m2s
argocd-repo-server              1/1     1            1           4m2s
argocd-server                   1/1     1            1           4m2s

6. 执行命令，获得ArgoCD的admin用户登录密码。

$ export ARGOCD_NAMESPACE="argocd"
$ export ARGOCD_PASSWORD=$(oc get pods -n $ARGOCD_NAMESPACE -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2)

7. 获得ArgoCD服务端的访问URL。

$ export ARGOCD_SERVER=$(oc get route argocd-server -n $ARGOCD_NAMESPACE -o jsonpath='{.spec.host}')
$ export ARGOCD_URL="https://$ARGOCD_SERVER"

8. 确认可以用ArgoCD的客户端和浏览器分别登录ArgoCD。

$ argocd login --username admin --password $ARGOCD_PASSWORD $ARGOCD_SERVER

创建ArgoCD的应用

1. 创建OpenShift项目用来运行Tekton Pipeline。

$ oc new-project tekton-argocd

2. 执行命令，创建一个Argo应用，并将其对应到tutorial-tekton-argocd-infra。

$ export NAMESPACE=$(oc project -q)
$ export ARGOCD_APP=$(oc project -q)
$ export GIT_REPOSITORY_URL="https://github.com/$GIT_USERNAME/tutorial-tekton-argocd-infra"
$ export GIT_MANIFEST_DIR="yamls/ocp"
$ argocd app create $ARGOCD_APP \
  --project default \
  --repo $GIT_REPOSITORY_URL \
  --path $GIT_MANIFEST_DIR \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace $NAMESPACE \
  --sync-policy automated \
  --self-heal \
  --auto-prune

3. 当创建Argo应用后，可以在ArgoCD控制台中看到该应用的状态如下。由于当前在OpenShift中还没有对应的ImageStream，所以会提示找不到“image-registry.openshift-image-registry.svc:5000/tekton-argocd/app:6bf1e2b”镜像（Tag可能会有差别）。
   

创建Tekton Pipeline

1. 在tekton-argocd项目中创建Pipeline资源。

$ oc apply -f pipeline/ -n $NAMESPACE
pipelineresource.tekton.dev/source created
pipelineresource.tekton.dev/image created
pipeline.tekton.dev/build-git created
task.tekton.dev/build-git created
task.tekton.dev/build created

2. 确认有以下Tekton对象。

$ tkn task ls -n $NAMESPACE
NAME        AGE
build       1 minute ago
build-git   1 minute ago
 
$ tkn pipeline ls -n $NAMESPACE
NAME        AGE            LAST RUN   STARTED   DURATION   STATUS
build-git   1 minute ago   ---        ---       ---        ---
 
$ tkn resources ls -n $NAMESPACE
NAME     TYPE    DETAILS
source   git     url: https://github.com/csantanapr/tutorial-tekton-argocd-code
image    image   url: image-registry.openshift-image-registry.svc:5000/$NAMESPACE/app

3. 运行Tekton的名为build的Task。

$ tkn task start build \
  -i image=image \
  -i source=source \
  --showlog \
  -s pipeline \
  -n $NAMESPACE

4. 在Task成功执行后，确认tekton-argocd项目中已经有了名为app的ImageStream。说明：实际tag可能和下面示例tag会不一样。

$ oc get imagestream -n $NAMESPACE
NAME   IMAGE REPOSITORY                                                                                                      TAGS      UPDATED
app    default-route-openshift-image-registry.apps.cluster-beijing-c8e6.beijing-c8e6.example.opentlc.com/tekton-argocd/app   6bf1e2b   30 seconds ago

允许Tekton Pipeline更新Infra Repo中的内容

1. 在自己GitHub账号中进入Setting，然后在页面点击“Developer setting”链接，最后进入“Personal access tokens”。
   
2. 点击“Generate new token”按钮，进入“New personal access token”页面。先在Note中填入“Tekton Pipeline”，然后在Scopes区域选中repo和admin:repo_hook，最后点击下面Generate token按钮。
   
3. 复制生成的Token字符创，并用它设置以下GIT_TOKEN变量，然后生成secret对象。

$ export GIT_TOKEN='<GIT_TOKEN>'
$ oc create secret generic git-infra-secret \
  --from-literal=username="$GIT_USERNAME" \
  --from-literal=token="$GIT_TOKEN" \
  -n $NAMESPACE

创建Webhook并配置Code Repo的Webhook

1. 执行命令，为Pipeline创建Webhook。

$ oc apply -f triggers/ -n $NAMESPACE
$ oc create route edge --service=el-cicd -n $NAMESPACE
$ export GIT_WEBHOOK_URL=$(oc get route el-cicd -o jsonpath='{.spec.host}' -n $NAMESPACE)

2. 执行命令，将Webhook配置到名为tutorial-tekton-argocd-code的Git Repo上。

$ curl -v -X POST -u $GIT_USERNAME:$GIT_TOKEN -d "{\"name\": \"web\",\"active\": true,\"events\": [\"push\"],\"config\": {\"url\": \"https://$GIT_WEBHOOK_URL\",\"content_type\": \"json\",\"insecure_ssl\": \"0\"}}" -L https://api.github.com/repos/$GIT_USERNAME/$GIT_CODE/hooks

3. 如执行成功，应有以下执行响应结果。

** About to connect() to api.github.com port 443 (#0)
**   Trying 13.250.94.254...
** Connected to api.github.com (13.250.94.254) port 443 (#0)
** Initializing NSS with certpath: sql:/etc/pki/nssdb
**   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
** SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
** Server certificate:
**       subject: CN=*.github.com,O="GitHub, Inc.",L=San Francisco,ST=California,C=US
**       start date: Jul 08 00:00:00 2019 GMT
**       expire date: Jul 16 12:00:00 2020 GMT
**       common name: *.github.com
**       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
** Server auth using Basic with user 'liuxiaoyu-git'
> POST /repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks HTTP/1.1
> Authorization: Basic bGl1eGlhb3l1LWdpdDoyYzkxZWQ3Nzg0MzU3NjMyMTM3YTVhNDRiMjBmNjcyMzEzY2Q2ZWEx
> User-Agent: curl/7.29.0
> Host: api.github.com
> Accept: */*
> Content-Length: 202
> Content-Type: application/x-www-form-urlencoded
>
 4. upload completely sent off: 202 out of 202 bytes
< HTTP/1.1 201 Created
< Date: Sun, 26 Apr 2020 14:54:17 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 771
< Server: GitHub.com
< Status: 201 Created
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4999
< X-RateLimit-Reset: 1587916457
< Cache-Control: private, max-age=60, s-maxage=60
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< ETag: "0f8659953257c11b433917a9088c7e97"
< X-OAuth-Scopes: admin:repo_hook, repo
< X-Accepted-OAuth-Scopes: admin:repo_hook, public_repo, repo, write:repo_hook
< Location: https://api.github.com/repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks/205246180
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Content-Security-Policy: default-src 'none'
< Vary: Accept-Encoding, Accept, X-Requested-With
< X-GitHub-Request-Id: EA0C:0D30:E2DBFC:1226B13:5EA5A099
<
{
  "type": "Repository",
  "id": 205246180,
  "name": "web",
  "active": true,
  "events": [
    "push"
  ],
  "config": {
    "content_type": "json",
    "insecure_ssl": "0",
    "url": "https://el-cicd-tekton-argocd.apps.cluster-beijing-c8e6.beijing-c8e6.example.opentlc.com"
  },
  "updated_at": "2020-04-26T14:54:17Z",
  "created_at": "2020-04-26T14:54:17Z",
  "url": "https://api.github.com/repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks/205246180",
  "test_url": "https://api.github.com/repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks/205246180/test",
  "ping_url": "https://api.github.com/repos/liuxiaoyu-git/tutorial-tekton-argocd-code/hooks/205246180/pings",
  "last_response": {
    "code": null,
    "status": "unused",
    "message": null
  }
}
** Connection #0 to host api.github.com left intact

5. 进入Github的tutorial-tekton-argocd-code的Repository，然后进入Settings中的Webhooks。确认SSL verification是Disable的。
   

运行Tekton Pipeline

方法1-手动触发

1. 执行以下命令，手动运行Pipeline，然后

$ tkn pipeline start build-git \
            --showlog \
            -r source=source \
            -r image=image \
            -s pipeline \
            -n $NAMESPACE

2. 在完成后查看部署到OpenShift的测试应用页面。

$ curl http://$(oc get route ui -n tekton-argocd |awk 'NR==2 {print $2}')
<!DOCTYPE html><html><head><title>Cloud Native demo March 12th 2020</title><link rel="stylesheet" href="/stylesheets/style.css"></head><body><h1>Cloud Native demo March 12th 2020</h1><p>Welcome to Cloud Native demo March 12th 2020</p></body></html>

3. 确认ImageStream已经有更新。

$ oc get is
NAME   IMAGE REPOSITORY                                                                                                      TAGS              UPDATED
app    default-route-openshift-image-registry.apps.cluster-beijing-c8e6.beijing-c8e6.example.opentlc.com/tekton-argocd/app   deca336,6bf1e2b   3 minutes ago

方法2-Webhook触发

1. 在Github上修改tutorial-tekton-argocd-code中的“tutorial-tekton-argocd-code/src/routes/index.js”文件中“Cloud Native demo”后面的日期。

var express = require('express');
var router = express.Router();
 
/* GET home page. */
router.get('/', function (req, res, next) {
  res.render('index', { title: 'Cloud Native demo April 26th 2020' });
});
 
module.exports = router;

2. 修改文件并提交后，确认pipelinerun在运行。

$ tkn pipelinerun list
NAME                  STARTED       DURATION    STATUS
cicd-run-8dtxk        3 hours ago   5 minutes   Succeeded
build-git-run-zq7hv   3 hours ago   3 minutes   Succeeded

3. 在完成运行后可以在ArgoCD控制台中看到tekton-argocd项目是Synced状态。
   
4. 最后执行命令，查看返回的页面内容已经发生了变化。

$ curl http://$(oc get route ui -n tekton-argocd |awk 'NR==2 {print $2}')
<!DOCTYPE html><html><head><title>Cloud Native demo March 12th 2020</title><link rel="stylesheet" href="/stylesheets/style.css"></head><body><h1>Cloud Native demo March 12th 2020</h1><p>Welcome to Cloud Native demo April 27th 2020</p></body></html>

参考

https://cloudnative101.dev/project-cicd/solution/