Migrate install Tekton release CD service to workspaces
Install Tekton release relies on the cluster PipelineResource
to target deployments of resources.

Migrate that to workspaces: a secret stored in the cluster bound
through a workspace is used to target the deployment.

Secrets have been preprovisioned on the cluster, their name is
tektoncd-, their type is kubeconfig.

See tektoncd#887 for more details.

The change is implemented so that the template interface does not
change and thus all existing cronjobs are still valid as well as
the deployment script.

Signed-off-by: Andrea Frittoli <andrea.frittoli@uk.ibm.com>
afrittoli committed Jul 23, 2022
1 parent d366d52 commit b9f2a2b
Showing 7 changed files with 247 additions and 322 deletions.
2 changes: 1 addition & 1 deletion tekton/resources/cd/helm-template.yaml
Expand Up @@ -36,7 +36,7 @@ spec:
default: ""
- name: preDeployResources
description: >-
Some charts require resources to be deployed firt, usually CRDs.
Some charts require resources to be deployed first, usually CRDs.
When provided this should be the URL to a YAML file with resources.
default: ""
resourcetemplates:
203 changes: 203 additions & 0 deletions tekton/resources/cd/install-tekton-release.yaml
@@ -0,0 +1,203 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: install-tekton-release
spec:
params:
- name: projectName
description: Name of the Tekton project to install e.g. pipeline, trigger, dashboard, experimental
default: pipeline
- name: namespace
description: The namespace specified in the release. This does not enforce a namespace, it's used to verify that all pods are running in the specified namespace
default: tekton-pipelines
- name: environment
description: Name of the target environment. Used to apply relevant overlays
default: dogfooding
- name: releaseFile
description: Name of the release file
default: release.yaml
- name: postReleaseFile
description: Name of the release file
default: ""
workspaces:
- name: resources
description: resources to deploy
- name: targetCluster
description: kubeconfig of the target Cluster/ServiceAccount
stepTemplate:
env:
- name: KUBECONFIG
value: $(workspaces.targetCluster.path)/kubeconfig
- name: PROJECT_NAME
value: $(params.projectName)
- name: NAMESPACE
value: $(params.namespace)
- name: ENVIRONMENT
value: $(params.environment)
- name: RELEASE_ROOT
value: $(workspaces.resources.path)/release
- name: RELEASE_FILE
value: $(params.releaseFile)
- name: POST_RELEASE_FILE
value: $(params.postReleaseFile)
- name: LIBRARY_PATH
value: $(workspaces.resources.path)/plumbing/tekton/cd
steps:
- name: deploy-tekton-project
image: gcr.io/tekton-releases/dogfooding/ko-gcloud:latest
script: |
#!/usr/bin/env bash
set -exo pipefail
# Export KUBECONFIG so that it's available to pre-scripts too
export KUBECONFIG
# Set up RELEASE_ROOT
# Handle Overlays
OVERLAY_FOLDER=${PROJECT_NAME}/overlays/${ENVIRONMENT}
APPLY_MODE="-k $OVERLAY_FOLDER"
cd ${LIBRARY_PATH}
if [ ! -d ${PROJECT_NAME} ]; then
# There are is not base or project for ${PROJECT_NAME}
# Apply the release as is
APPLY_MODE="--filename $RELEASE_ROOT/${RELEASE_FILE}"
else
# If the base exists, an overlay for the specified environment must exist
if [ ! -d "$OVERLAY_FOLDER" ]; then
echo "Environment ${ENVIRONMENT} not found for project ${PARAM.PROJECT_NAME}"
exit 1
fi
cp $RELEASE_ROOT/${RELEASE_FILE} ${PROJECT_NAME}/base/release.yaml
find .
# Execute pre-deploy scripts if any
scripts=$(find ${OVERLAY_FOLDER}/pre -name '*.sh' 2> /dev/null || true)
for script in $scripts; do $script; done
fi
kubectl apply --kubeconfig $KUBECONFIG $APPLY_MODE
- name: wait-until-pods-and-crds
image: gcr.io/tekton-releases/dogfooding/ko-gcloud:latest
script: |
#!/usr/bin/env bash
set -exo pipefail
APPLICATION="tekton-${PROJECT_NAME}"
if [ "${PROJECT_NAME}" == "pipeline" ]; then
APPLICATION="${APPLICATION}s"
fi
# Wait for pods to be ready and CRDs to be established
kubectl wait --for condition=ready --timeout=120s pods -l app.kubernetes.io/part-of=$APPLICATION -n ${NAMESPACE}
kubectl wait --for condition=established --timeout=60s crd -l app.kubernetes.io/part-of=$APPLICATION
- name: deploy-extra-manifest
image: gcr.io/tekton-releases/dogfooding/ko-gcloud:latest
script: |
#!/usr/bin/env bash
set -exo pipefail
if [ "${POST_RELEASE_FILE}" != "" ]; then
kubectl apply --kubeconfig $KUBECONFIG -f ${RELEASE_ROOT}/${POST_RELEASE_FILE}
fi
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: install-tekton-release
spec:
params:
- name: gitRepository
description: URL of the repository that holds the folder
default: github.com/tektoncd/plumbing
- name: gitRevision
description: Git revision
default: main
- name: projectName
description: Name of the Tekton project to install e.g. pipeline, trigger, dashboard, experimental
default: pipeline
- name: namespace
description: The namespace specified in the release. This does not enforce a namespace, it's used to verify that all pods are running in the specified namespace
default: tekton-pipelines
- name: version
description: The vX.Y.Z version that we want to install (including `v`)
- name: environment
description: Name of the target environment. Used to apply relevant overlays
default: dogfooding
- name: releaseFile
description: Name of the release file
default: release.yaml
- name: postReleaseFile
description: Name of the release file
default: ""
- name: releaseBucket
description: Bucket were the release files are stored e.g. gs://tekton-releases/pipeline
workspaces:
- name: resources
description: resources to deploy
- name: targetCluster
description: kubeconfig of the target Cluster/ServiceAccount
- name: credentials
description: bucket credentials. If not needed, pass an emptyDir{}
tasks:
- name: git-clone
taskRef:
name: git-clone
bundle: gcr.io/tekton-releases/catalog/upstream/git-clone:0.7
params:
- name: url
value: https://$(params.gitRepository)
- name: revision
value: $(params.gitRevision)
- name: subdirectory
value: plumbing
workspaces:
- name: output
workspace: resources
- name: fetch-release
runAfter: ['git-clone']
taskRef:
name: gcs-download
bundle: gcr.io/tekton-releases/catalog/upstream/gcs-download:0.1
params:
- name: path
value: release
- name: location
value: $(params.releaseBucket)/previous/$(params.version)
- name: typeDir
value: "true"
workspaces:
- name: output
workspace: resources
- name: credentials
workspace: credentials
- name: install-tekton-release
runAfter: ['fetch-release']
taskRef:
name: install-tekton-release
params:
- name: projectName
value: $(params.projectName)
- name: namespace
value: $(params.namespace)
- name: environment
value: $(params.environment)
- name: postReleaseFile
value: $(params.postReleaseFile)
workspaces:
- name: resources
workspace: resources
- name: targetCluster
workspace: targetCluster
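Review bot: in the Pipeline's `install-tekton-release` task, `releaseFile` is declared as a pipeline parameter but never passed on to the Task (only `projectName`, `namespace`, `environment` and `postReleaseFile` are), so the Task always falls back to its default `release.yaml`; add `- name: releaseFile` with `value: $(params.releaseFile)` to that params list. In the `deploy-tekton-project` script, `${PARAM.PROJECT_NAME}` in the "Environment ... not found" message is not a valid bash expansion and fails with a bad-substitution error instead of printing the message; use `${PROJECT_NAME}`. These steps run with the target cluster's kubeconfig mounted and execute every `*.sh` found under the overlay's `pre` folder of the cloned repository, so consider pinning `ko-gcloud:latest` and the `git-clone:0.7` and `gcs-download:0.1` bundles by digest, and quoting `$KUBECONFIG`, `$RELEASE_ROOT` and `${PROJECT_NAME}` where the script uses them. The `postReleaseFile` description ("Name of the release file") also reads as copied from `releaseFile`, in both the Task and the Pipeline.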
3 changes: 2 additions & 1 deletion tekton/resources/cd/kustomization.yaml
Expand Up @@ -29,4 +29,5 @@ resources:
- serviceaccount.yaml
- notification-triggers.yaml
- ci-triggers.yaml
- peribolos-template.yaml
- peribolos-template.yaml
- install-tekton-release.yaml
73 changes: 35 additions & 38 deletions tekton/resources/cd/tekton-template.yaml
Expand Up @@ -11,7 +11,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: triggers.tekton.dev/v1alpha1
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: deploy-tekton-release
Expand Down Expand Up @@ -45,45 +45,42 @@ spec:
description: Git revision of the repository that holds plumbing scripts
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: TaskRun
kind: PipelineRun
metadata:
generateName: deploy-$(tt.params.tektonProject)-release-$(tt.params.targetCluster)-
spec:
taskRef:
pipelineRef:
name: install-tekton-release
params:
- name: projectName
value: $(tt.params.tektonProject)
- name: namespace
value: $(tt.params.namespace)
- name: version
value: $(tt.params.tektonVersion)
- name: environment
value: $(tt.params.targetCluster)
- name: release-file
value: $(tt.params.releaseFile)
- name: post-release-file
value: $(tt.params.postReleaseFile)
resources:
inputs:
- name: release-bucket
resourceSpec:
type: storage
params:
- name: type
value: gcs
- name: location
value: $(tt.params.releaseBucket)/$(tt.params.tektonProject)$(tt.params.releaseExtraPath)
- name: dir
value: "y"
- name: k8s-cluster
resourceRef:
name: $(tt.params.clusterResource)
- name: plumbing-library
resourceSpec:
type: git
params:
- name: revision
value: $(tt.params.plumbingRevision)
- name: url
value: https://$(tt.params.plumbingRepository)
- name: gitRepository
value: $(tt.params.plumbingRepository)
- name: gitRevision
value: $(tt.params.plumbingRevision)
- name: projectName
value: $(tt.params.tektonProject)
- name: namespace
value: $(tt.params.namespace)
- name: version
value: $(tt.params.tektonVersion)
- name: environment
value: $(tt.params.targetCluster)
- name: releaseFile
value: $(tt.params.releaseFile)
- name: postReleaseFile
value: $(tt.params.postReleaseFile)
- name: releaseBucket
value: $(tt.params.releaseBucket)/$(tt.params.tektonProject)$(tt.params.releaseExtraPath)
workspaces:
- name: resources
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: targetCluster
secret:
secretName: tektoncd-$(tt.params.clusterResource)
- name: credentials
emptyDir: {}
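Review bot: in the `targetCluster` workspace binding, `secretName: tektoncd-$(tt.params.clusterResource)` lets whoever sets the `clusterResource` trigger parameter choose which preprovisioned kubeconfig secret is mounted into the run; restrict that parameter to a known list of values (for example in the trigger binding or an interceptor) and state the `tektoncd-` naming contract in the parameter's description. The parameter is still named `clusterResource` although it no longer refers to a PipelineResource, which deserves a line of documentation given that the template interface is intentionally kept unchanged.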
56 changes: 6 additions & 50 deletions tekton/resources/release/README.md
Expand Up @@ -5,20 +5,7 @@ release management. These components are written so that they can be used by
all the projects in the `tektoncd` GitHub org.
The core release pipelines are still owned by the specific project.

## Tasks

### Verify Tekton Release

The task `verify-tekton-release-github` compares the YAML of the release
stored in the GitHub release assets, with the YAML of the release stored in the bucket.

Inputs are:

- Param `projectName`: the name of the project (pipeline, trigger,
dashboard, experimental)
- Param `version`: the version to be installed, e.g. "v0.7.0"
- A storage resource, that should point to the release bucket. The release file
is expected to be at `<bucket>/<projectName>/previous/<version>/release.yaml`
## Tasks and Pipelines

### Install Tekton Release

Expand All @@ -30,48 +17,17 @@ Inputs are:
- Param `projectName`: the name of the project (pipeline, trigger,
dashboard, experimental)
- Param `version`: the version to be installed, e.g. "v0.7.0"
- A storage resource, that should point to the release bucket. The release file
is expected to be at `<bucket>/<projectName>/previous/<version>/release.yaml`
- A cluster resource, that points to the credentials for the target cluster

An example using `tkn`:

```
export TEKTON_BUCKET_RESOURCE=tekton-bucket
export TEKTON_CLUSTER_RESOURCE=k8s-cluster
export TEKTON_PROJECT=pipeline
export TEKTON_VERSION=v0.9.0
tkn task start \
-i release-bucket=$TEKTON_BUCKET_RESOURCE \
-i k8s-cluser=$TEKTON_CLUSTER_RESOURCE \
-p projectName=$TEKTON_PROJECT \
-p version=$TEKTON_VERSION \
install-tekton-release
```
- Param `releaseBucket`. The release file
is expected to be at `<releaseBucket>/<projectName>/previous/<version>/release.yaml`
- Workspace `targetCluster` to be bound to a secret that holds the kubeconfig of the target cluster

The release task can use a `kustomize` overlay if available. The name of the
overlay folder is specified via the `environment` parameter.
The overlay folder must contain a `kustomize.yaml` configuration file. It may
also contain a `pre` folder. Any `*.sh` script found in the folder will be
executed before the release is installed.

```shell
export TEKTON_BUCKET_RESOURCE=tekton-bucket
export TEKTON_CLUSTER_RESOURCE=k8s-cluster
export TEKTON_PROJECT=pipeline
export TEKTON_VERSION=v0.9.0

tkn task start \
-i release-bucket=$TEKTON_BUCKET_RESOURCE \
-i k8s-cluser=$TEKTON_CLUSTER_RESOURCE \
-p projectName=$TEKTON_PROJECT \
-p version=$TEKTON_VERSION \
-p environment=robocat \
install-tekton-release
```

## Save Release Logs
### Save Release Logs

The pipeline `save-release-logs` fetches the logs from a release pipelines
and stores them in the release bucket along with the release YAML.
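Review bot: the new `releaseBucket` bullet documents the release file at `<releaseBucket>/<projectName>/previous/<version>/release.yaml`, but the pipeline added in this commit downloads from `$(params.releaseBucket)/previous/$(params.version)` and describes the parameter as already including the project (`gs://tekton-releases/pipeline`); drop `<projectName>` from the documented path, or say that it is the trigger template that appends it. Both `tkn task start` examples are removed without a replacement, and the `resources` and `credentials` workspaces are not listed among the inputs; a `tkn pipeline start` example showing all three workspace bindings would keep this section usable.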
Expand All @@ -81,7 +37,7 @@ The `tekton-events` event listener receives the CloudEvent, and triggers
the `save-release-logs` with the correct credentials to store the logs
in the release bucket, either the main one or the nightly one.

## Create Draft Release
### Create Draft Release

The pipeline `release-draft` calculates the list of PRs merged between the
previous release and a specified revision. It also builds a list of authors and