Migrate the folder template CD service to workspaces
Folder template relies on the cluster PipelineResource to target
deployments of resources and git PipelineResource to clone the
git repository.

Migrate that to workspaces:
- the git-clone task from the catalog is used to clone the repo
- a secret stored in the cluster bound through a workspace is
  used to target the deployment

Secrets have been preprovisioned on the cluster, their name is
tektoncd-<pipeline-resource-name>, their type is kubeconfig.
See tektoncd#887 for more
details.

The interface of the trigger template is untouched, so existing
cronjobs will continue to work as they are.

Signed-off-by: Andrea Frittoli <andrea.frittoli@uk.ibm.com>
afrittoli committed Jul 21, 2022
1 parent 14320ab commit 57b6807
Showing 2 changed files with 173 additions and 86 deletions.
17 changes: 17 additions & 0 deletions docs/dogfooding.md
@@ -41,6 +41,23 @@ Secrets which have been applied to the `dogfooding` cluster but are not committe
- dogfooding-tektonci-default-token
- robocat-tekton-deployer-token
- robocat-tektoncd-cadmin-token
- K8s configuration secrets. These secrets are used in Tekton CD services to deploy
resources to a cluster using the embedded k8s client configuration:

```
$ kubectl get secret -l app=tekton.cd
NAME TYPE DATA AGE
tektoncd-dogfooding kubeconfig 1 18s
tektoncd-dogfooding-tekton-cd kubeconfig 1 18s
tektoncd-dogfooding-tekton-ci-default kubeconfig 1 15s
tektoncd-dogfooding-tektoncd-cleaner kubeconfig 1 15s
tektoncd-dogfooding-tektonci-default kubeconfig 1 11s
tektoncd-prow-cluster-config-bot kubeconfig 1 13s
tektoncd-prow-github-admin-default kubeconfig 1 11s
tektoncd-robocat-cadmin kubeconfig 1 9s
tektoncd-robocat-tekton-deployer kubeconfig 1 8s
```

- Netlify API Token, in the `dns-manager` namespace, named `netlify-credentials`
- Lots of other secrets, hopefully we can add more documentation on them
here as we go.
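
Review bot: The new "K8s configuration secrets" entry lists the secrets but does not say what each one must contain. The Task added in this commit sets `KUBECONFIG` to `$(workspaces.targetCluster.path)/kubeconfig`, so the single data item in each secret has to be stored under the key `kubeconfig`. Please state that key name here, together with the `tektoncd-<pipeline-resource-name>` naming rule from the commit message, so that a secret created later with a different key or name does not silently break the deploy step. A short line on who may read secrets labelled `app=tekton.cd` would also help, since each one holds client credentials for a target cluster.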
242 changes: 156 additions & 86 deletions tekton/resources/cd/folder-template.yaml
@@ -11,6 +11,138 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: deploy-from-folder
spec:
params:
- name: folderPath
description: folder within the workspace to deploy from
- name: namespace
description: target namespace
- name: deployMethod
description: One of "apply", "create" or "replace"
- name: isOverlay
description: Whether the folder is a kustomize overlay "true" or "false"
workspaces:
- name: resources
description: resources to deploy
- name: targetCluster
description: kubeconfig of the target Cluster/ServiceAccount
stepTemplate:
env:
- name: KUBECONFIG
value: $(workspaces.targetCluster.path)/kubeconfig
- name: RESOURCES_PATH
value: $(workspaces.resources.path)
- name: FOLDER_PATH
value: $(params.folderPath)
- name: NAMESPACE
value: $(params.namespace)
- name: DEPLOY_METHOD
value: $(params.deployMethod)
- name: IS_OVERLAY
value: $(params.isOverlay)
steps:
- name: deploy-from-folder
image: gcr.io/tekton-releases/dogfooding/kubectl
script: |
#!/bin/sh
set -ex
# Determine whether to enforce namespace across resources
NAMESPACE_PARAM="-n ${NAMESPACE}"
[[ "${NAMESPACE}" == "" ]] && NAMESPACE_PARAM=""
# Handle overlays
TARGET=${RESOURCES_PATH}/${FOLDER_PATH}
if [[ "${IS_OVERLAY}" == "true" ]]; then
TARGET=target.yaml
kustomize build \
${RESOURCES_PATH}/${FOLDER_PATH} > $TARGET
fi
# Check if there is any diff
DIFF=diff.txt
kubectl diff $NAMESPACE_PARAM -f $TARGET | tee $DIFF
# If there is no diff, we don't need to update
if [ ! -s ${DIFF?} ]; then
echo "No change detected, nothing to be done."
exit 0
fi
# When deploying with replace, we need to do a create first,
# to ensure new resources are created
CREATE_OUTPUT=create.txt
if [[ "${DEPLOY_METHOD}" == "replace" ]]; then
kubectl create $NAMESPACE_PARAM -f $TARGET 2> $CREATE_OUTPUT || true
# If there was some unexpected message in the error log, fail
if egrep -v '(already exists|^Warning)' $CREATE_OUTPUT; then
echo "Something went wrong when creating resources"
exit 1
fi
fi
# Run the actual deployment. If it fails, it will fail the step.
kubectl "${DEPLOY_METHOD}" $NAMESPACE_PARAM -f $TARGET
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: deploy-from-folder
spec:
params:
- name: gitRepository
description: URL of the repository that holds the folder
- name: gitRevision
description: Git revision
- name: folderPath
description: folder within the workspace to deploy from
- name: namespace
description: target namespace
- name: deployMethod
description: One of "apply", "create" or "replace"
- name: isOverlay
description: Whether the folder is a kustomize overlay "true" or "false"
workspaces:
- name: resources
description: resources to deploy
- name: targetCluster
description: kubeconfig of the target Cluster/ServiceAccount
tasks:
- name: git-clone
taskRef:
name: git-clone
bundle: gcr.io/tekton-releases/catalog/upstream/git-clone:0.7
params:
- name: url
value: $(params.gitRepository)
- name: revision
value: $(params.gitRevision)
workspaces:
- name: output
workspace: resources
- name: deploy
runAfter: ["git-clone"]
taskRef:
name: deploy-from-folder
params:
- name: folderPath
value: $(params.folderPath)
- name: namespace
value: $(params.namespace)
- name: deployMethod
value: $(params.deployMethod)
- name: isOverlay
value: $(params.isOverlay)
workspaces:
- name: resources
workspace: resources
- name: targetCluster
workspace: targetCluster
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
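
Review bot: In the `deploy-from-folder` step, `kubectl diff $NAMESPACE_PARAM -f $TARGET | tee $DIFF` hides the exit status of `kubectl diff` behind `tee`. A diff that fails outright, for example because the kubeconfig from the `targetCluster` workspace cannot be read, leaves `diff.txt` empty, and the step then prints "No change detected, nothing to be done." and exits 0. `kubectl diff` returns 1 when differences are found and a value greater than 1 on error, so write its output to the file directly, keep the exit code, and fail the step on anything other than 0 or 1. Two smaller points in the same script: `deployMethod` is documented as one of "apply", "create" or "replace" but reaches `kubectl "${DEPLOY_METHOD}"` unchecked, so a `case` that rejects any other value would keep the step to those three verbs. The shebang is `#!/bin/sh` while the tests use `[[ ... ]]`, which is not POSIX sh, so either switch to `[ ... ]` or declare the shell the image actually provides. In the Pipeline, the `git-clone` bundle is referenced by the tag `:0.7`; pinning it by digest would keep the task that runs before the deployment immutable.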
@@ -37,96 +169,34 @@ spec:
default: "false"
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: TaskRun
kind: PipelineRun
metadata:
generateName: deploy-resources-$(tt.params.folderDescription)-
spec:
taskSpec:
params:
pipelineRef:
name: deploy-from-folder
params:
- name: gitRepository
value: https://$(tt.params.gitRepository)
- name: gitRevision
value: $(tt.params.gitRevision)
- name: folderPath
value: $(tt.params.folderPath)
- name: namespace
value: $(tt.params.namespace)
- name: deployMethod
value: $(tt.params.deployMethod)
- name: isOverlay
resources:
inputs:
- name: source
type: git
- name: targetCluster
type: cluster
stepTemplate:
env:
- name: KUBECONFIG
value: /workspace/$(resources.inputs.targetCluster.name)/kubeconfig
- name: FOLDER_PATH
value: $(params.folderPath)
- name: NAMESPACE
value: $(params.namespace)
- name: DEPLOY_METHOD
value: $(params.deployMethod)
- name: IS_OVERLAY
value: $(params.isOverlay)
steps:
- name: deploy-from-folder
image: gcr.io/tekton-releases/dogfooding/kubectl
script: |
#!/bin/sh
set -ex
# Determine whether to enforce namespace across resources
NAMESPACE_PARAM="-n ${NAMESPACE}"
[[ "${NAMESPACE}" == "" ]] && NAMESPACE_PARAM=""
# Handle overlays
TARGET=$(resources.inputs.source.path)/${FOLDER_PATH}
if [[ "${IS_OVERLAY}" == "true" ]]; then
TARGET=target.yaml
kustomize build \
$(resources.inputs.source.path)/${FOLDER_PATH} > $TARGET
fi
# Check if there is any diff
DIFF=diff.txt
kubectl diff $NAMESPACE_PARAM -f $TARGET | tee $DIFF
# If there is no diff, we don't need to update
if [ ! -s ${DIFF?} ]; then
echo "No change detected, nothing to be done."
exit 0
fi
# When deploying with replace, we need to do a create first,
# to ensure new resources are created
CREATE_OUTPUT=create.txt
if [[ "${DEPLOY_METHOD}" == "replace" ]]; then
kubectl create $NAMESPACE_PARAM -f $TARGET 2> $CREATE_OUTPUT || true
# If there was some unexpected message in the error log, fail
if egrep -v '(already exists|^Warning)' $CREATE_OUTPUT; then
echo "Something went wrong when creating resources"
exit 1
fi
fi
# Run the actual deployment. If it fails, it will fail the step.
kubectl "${DEPLOY_METHOD}" $NAMESPACE_PARAM -f $TARGET
params:
- name: folderPath
value: $(tt.params.folderPath)
- name: namespace
value: $(tt.params.namespace)
- name: deployMethod
value: $(tt.params.deployMethod)
- name: isOverlay
value: $(tt.params.isOverlay)
resources:
inputs:
- name: source
resourceSpec:
type: git
params:
- name: revision
value: $(tt.params.gitRevision)
- name: url
value: https://$(tt.params.gitRepository)
- name: targetCluster
resourceRef:
name: $(tt.params.clusterResource)
value: $(tt.params.isOverlay)
workspaces:
- name: resources
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: targetCluster
secret:
secretName: tektoncd-$(tt.params.clusterResource)
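
Review bot: The `targetCluster` workspace binds `secretName: tektoncd-$(tt.params.clusterResource)`, so the value of a trigger parameter alone decides which kubeconfig secret is mounted into the PipelineRun. Nothing in this template limits `clusterResource` to the clusters a given caller is meant to deploy to, and the commit message says the trigger interface is unchanged. Any secret in the namespace whose name starts with `tektoncd-` is therefore selectable. Please restrict the accepted values before the template is rendered, for instance with an allow-list check in the trigger's interceptor, or at least list the permitted values next to the parameter definition. A missing or mistyped name will also only surface when the pod fails to mount the volume, so a note on that failure mode in the docs would save debugging time.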
