beppe/cicdTest
1
0
Fork 0
mirror of https://github.com/bvanroll/cicdTest.git synced 2025-08-29 12:02:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

HLEP

Browse Source
This commit is contained in:
Beppe Vanrolleghem
2020-03-12 07:25:45 +01:00
parent b08a76e8a5
commit f8898596f2
5 changed files with 720 additions and 337 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
manifests/full-pipeline.yaml
View File

@@ -2,7 +2,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: tekton-pipeline-istio-project-1
name: stage-tekton-pipeline
labels:
istio-injection: enabled #zorgt voor auto sidecar injection
---
@@ -10,7 +10,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: service-acc
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
secrets:
- name: regcred
---
@@ -24,6 +24,7 @@ rules:
- "apps"
- "deploy"
- "networking.istio.io"
# deze zullen we ook moeten aanpassen elke pipeline die we maken, maar, deze pipelines zijn nu specifiek per branch, dus dit zou geen probleem leveren.
resources:
- pods
- serviceaccounts
@@ -54,13 +55,13 @@ roleRef:
subjects:
- kind: ServiceAccount
name: service-acc
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
name: git-master
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
type: git
params:
@@ -73,7 +74,7 @@ apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
name: git-experimental
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
type: git
params:
@@ -86,7 +87,7 @@ apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
name: build-and-push
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
inputs:
resources:
@@ -117,7 +118,7 @@ apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
name: destroy-application
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
inputs:
resources:
@@ -137,7 +138,7 @@ apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
name: deploy-application
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
inputs:
resources:
@@ -156,7 +157,7 @@ apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
name: application-pipeline
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
resources:
- name: git-master

62
manifests/github-event-listener.yaml
View File

@@ -1,9 +1,11 @@
# 1 trigger binding wordt geconfigureerd, en dan worden meerdere trigger templates aangemaakt
# voor de verschillende service mesh types. Op deze manier moet ik niet elke keer een aparte pipeline aanmaken per service mesh type. Het nadeel hieraan is dat dan elke keer elke pipeline gerunned wordt, maar uiteindelijk maakt dit niet veel uit zolang de deploy.yaml files leeg zijn wanneer de commits door gaan
---
apiVersion: tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
name: github-trigger-binding
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
params:
- name: gitrevision
@@ -21,7 +23,7 @@ apiVersion: tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
name: github-trigger-template
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
params:
- name: gitrevision
@@ -34,13 +36,13 @@ spec:
kind: PipelineRun
metadata:
name: application-pipeline-run
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
serviceAccountName: service-acc
pipelineRef:
name: application-pipeline
name: application-pipeline #gebruik dit om de pipeline aan te passen naar andere versies, zolang ze zich in dezelfde namespace bevinden kunnen we deze pipeline hergebruiken om deployments op de cluster uit te voeren. service-mesh agnostisch.
resources:
- name: git-master
- name: git-master
resourceRef:
name: git-master
- name: git-experimental
@@ -51,7 +53,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-trigger-role
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
rules:
# Permissions for every EventListener deployment to function
- apiGroups: ["tekton.dev"]
@@ -69,7 +71,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tekton-trigger-role-binding
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -77,13 +79,13 @@ roleRef:
subjects:
- kind: ServiceAccount
name: service-acc
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
---
apiVersion: tekton.dev/v1alpha1
kind: EventListener
metadata:
name: github-event-listener
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
serviceAccountName: service-acc
triggers:
@@ -92,45 +94,3 @@ spec:
template:
name: github-trigger-template
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: expose-event-listener
namespace: tekton-pipeline-istio-project-1
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 80
name: http2
protocol: HTTP
hosts:
- "*"
- port:
number: 8080
name: http3
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: link-gateway-listener
namespace: tekton-pipeline-istio-project-1
spec:
hosts:
- "*"
gateways:
- expose-event-listener
http:
- route:
- destination:
host: el-github-event-listener

154
manifests/github-webhook-setup.yaml
View File

@@ -8,7 +8,7 @@
# kind: Secret
# metadata:
# name: webhook-secret
# namespace: tekton-pipeline-istio-project-1
# namespace: stage-tekton-pipeline
# stringData:
# token: GITHUBTOKEN
# secret: random-string-data
@@ -17,7 +17,7 @@ apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
name: create-webhook
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
volumes:
- name: github-secret
@@ -69,7 +69,7 @@ apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
name: create-repo-webhook
namespace: tekton-pipeline-istio-project-1
namespace: stage-tekton-pipeline
spec:
taskRef:
name: create-webhook
@@ -91,3 +91,151 @@ spec:
value: 35.233.93.220
timeout: 1000s
serviceAccountName: service-acc
---
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
name: create-ingress
namespace: stage-tekton-pipeline
spec:
volumes:
- name: work
emptyDir: {}
inputs:
params:
- name: CreateCertificate
description: "Enables/disables the creation of a self-signed certificate for $(inputs.params.ExternalDomain)"
default: "true"
- name: CertificateKeyPassphrase
description: "Phrase that protects private key. This must be provided when the self-signed certificate is created"
- name: CertificateSecretName
description: "Secret name for Ingress certificate. The Secret should not exist if the self-signed certificate creation is enabled"
- name: ExternalDomain
description: "The external domain for the EventListener e.g. `$(inputs.params.EventListenerName).PROXYIP.nip.io`"
- name: Service
description: "The name of the Service used in the Ingress. This will also be the name of the Ingress."
- name: ServicePort
description: "The service port that the ingress is being created on"
- name: ServiceUID
description: "The uid of the service. If set, this creates an owner reference on the service"
default: ""
steps:
- name: generate-certificate
image: frapsoft/openssl
volumeMounts:
- name: work
mountPath: /var/tmp/work
command:
- sh
args:
- -ce
- |
set -e
cat <<EOF | sh
#!/bin/sh
if [ $(inputs.params.CreateCertificate) = "false" ];then
exit 0
fi
mkdir /var/tmp/work/ingress
openssl genrsa -des3 -out /var/tmp/work/ingress/key.pem -passout pass:$(inputs.params.CertificateKeyPassphrase) 2048
openssl req -x509 -new -nodes -key /var/tmp/work/ingress/key.pem -sha256 -days 1825 -out /var/tmp/work/ingress/certificate.pem -passin pass:$(inputs.params.CertificateKeyPassphrase) -subj /CN=$(inputs.params.ExternalDomain)
openssl rsa -in /var/tmp/work/ingress/key.pem -out /var/tmp/work/ingress/key.pem -passin pass:$(inputs.params.CertificateKeyPassphrase)
EOF
- name: create-certificate-secret
image: lachlanevenson/k8s-kubectl:latest
volumeMounts:
- name: work
mountPath: /var/tmp/work
command:
- sh
args:
- -ce
- |
set -e
cat <<EOF | sh
#!/bin/sh
if [ $(inputs.params.CreateCertificate) = "false" ];then
exit 0
fi
kubectl create secret tls $(inputs.params.CertificateSecretName) --cert=/var/tmp/work/ingress/certificate.pem --key=/var/tmp/work/ingress/key.pem || true
EOF
- name: create-ingress
image: lachlanevenson/k8s-kubectl:latest
command:
- sh
args:
- -ce
- |
set -e
if [ -n "$(inputs.params.ServiceUID)" ];then
cat <<EOF | kubectl create -f - || true
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: $(inputs.params.Service)
ownerReferences:
- name: $(inputs.params.Service)
apiVersion: v1
kind: Service
uid: $(inputs.params.ServiceUID)
spec:
tls:
- secretName: $(inputs.params.CertificateSecretName)
hosts:
- $(inputs.params.ExternalDomain)
rules:
- host: $(inputs.params.ExternalDomain)
http:
paths:
- backend:
serviceName: $(inputs.params.Service)
servicePort: $(inputs.params.ServicePort)
EOF
else
cat <<EOF | kubectl create -f - || true
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: $(inputs.params.Service)
spec:
tls:
- secretName: $(inputs.params.CertificateSecretName)
hosts:
- $(inputs.params.ExternalDomain)
rules:
- host: $(inputs.params.ExternalDomain)
http:
paths:
- backend:
serviceName: $(inputs.params.Service)
servicePort: $(inputs.params.ServicePort)
EOF
fi
---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
name: create-ingress-run
namespace: stage-tekton-pipeline
spec:
taskRef:
name: create-ingress
inputs:
params:
- name: CreateCertificate
value: "true"
- name: CertificateKeyPassphrase
value: asecretphrase
- name: CertificateSecretName
value: ingresssecret
- name: ExternalDomain
value: 35.233.93.220
- name: Service
value: getting-started
- name: ServicePort
value: "443"
timeout: 1000s
serviceAccountName: service-acc