Skip to content

Commit

Permalink
CI/CD with Tekton
Browse files Browse the repository at this point in the history
  • Loading branch information
jasonmadigan committed Mar 11, 2024
1 parent b710c93 commit ff0e978
Showing 1 changed file with 184 additions and 0 deletions.
184 changes: 184 additions & 0 deletions doc/kuadrantctl-ci-cd.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,184 @@
# kuadrantctl - CI/CD with Tekton and Argo CD

This guide demonstrates setting up a CI/CD pipeline using Tekton to deploy Kubernetes Gateway API and Kuadrant resources generated by `kuadrantctl`, from an OpenAPI specification. In this example, these resources are applied directly to the cluster where Tekton is running.

Prerequisites:

- (Tekton Pipelines[https://tekton.dev/]) installed on your Kubernetes or OpenShift cluster.
- (`kubectl`[https://kubernetes.io/docs/reference/kubectl/]) configured to communicate with your cluster (i.e you have a kubectl config available with access to your cluster)
- (Tekton CLI `tkn`[https://tekton.dev/docs/cli/]) (optional) for easier interaction with Tekton resources.

Setup:

First, create a dedicated namespace:

```bash
kubectl create namespace petstore
```

Step 1: Create a Persistent Volume Claim

To store Tekton build artifacts, create a PVC in the petstore namespace:

```bash
kubectl apply -n petstore -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tekton-kuadrantctl-pvc
namespace: petstore
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
EOF
```

Step 2: Define the Tekton Task

Define the task that outlines steps to clone a repository, generate Kuadrant and Kubernetes resources using `kuadrantctl`, and apply them directly to the cluster:

```bash
kubectl apply -f - <<'EOF'
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: run-kuadrantctl
namespace: petstore
spec:
params:
- name: gitRepoUrl
description: URL of the git repository to clone
- name: gitRevision
description: Git revision to checkout (branch, tag, sha)
workspaces:
- name: source
description: Workspace to checkout the git repo
- name: kubeconfig
description: Workspace containing kubeconfig for Kubernetes cluster access
steps:
- name: clean-workspace
image: alpine:latest
script: |
sh -c 'rm -rf $(workspaces.source.path)/* $(workspaces.source.path)/.[!.]* $(workspaces.source.path)/..?*'
- name: clone
image: alpine/git:latest
script: |
git clone $(params.gitRepoUrl) $(workspaces.source.path)
cd $(workspaces.source.path)
git checkout $(params.gitRevision)
- name: download-kuadrantctl
image: curlimages/curl:latest
script: |
ARCH=$(uname -m)
case $ARCH in
x86_64) BIN_ARCH="amd64";;
arm64) BIN_ARCH="arm64";;
aarch64) BIN_ARCH="arm64";;
*) echo "Unsupported architecture: $ARCH" && exit 1 ;;
esac
cd $(workspaces.source.path)
curl -LO "https://github.com/Kuadrant/kuadrantctl/releases/download/v0.2.0/kuadrantctl-v0.2.0-linux-$BIN_ARCH.tar.gz"
tar -xzf kuadrantctl-v0.2.0-linux-$BIN_ARCH.tar.gz
- name: run-kuadrantctl
image: alpine:latest
script: |
# Install yq silently
apk add --no-cache curl > /dev/null
curl -s -L https://github.com/mikefarah/yq/releases/download/v4.6.1/yq_linux_arm64 -o /usr/bin/yq > /dev/null && chmod +x /usr/bin/yq
cd $(workspaces.source.path)
mkdir -p generated-resources
./kuadrantctl generate kuadrant authpolicy --oas openapi.yaml | yq eval -P | tee generated-resources/authpolicy.yaml
./kuadrantctl generate kuadrant ratelimitpolicy --oas openapi.yaml | yq eval -P | tee generated-resources/ratelimitpolicy.yaml
./kuadrantctl generate gatewayapi httproute --oas openapi.yaml | yq eval -P | tee generated-resources/httproute.yaml
- name: apply-resources
image: lachlanevenson/k8s-kubectl
script: |
apk add --no-cache gettext > /dev/null
cd $(workspaces.source.path)
export KUADRANT_ZONE_ROOT_DOMAIN=example.com # domain name used in the HTTPRoute for the petstore sample app
for file in ./generated-resources/*.yaml; do
envsubst < "$file" | kubectl apply -n petstore -f -
done
EOF
```

We're using Tekton here with a kubectl to apply resources to a cluster. We would generally recommend looking at a tool such as (ArgoCD)[https://argo-cd.readthedocs.io/en/stable/] to implement continuous delivery via a GitOps approach. In this scenario, you would:

- Use `kuadrantctl` to generate Kubernetes/Kuadrant resources as part a Tekton pipeline
- Commit these new resources in to a git respository
- Use ArgoCD to sync these changes via a Git respository to a Kubernetes or OpenShift cluster

Step 3: Create a Kubeconfig Secret

Provide Tekton access to your Kubernetes cluster by creating a secret with your kubeconfig in the `petstore` namespace:

```bash
kubectl create secret generic kubeconfig-secret --from-file=kubeconfig=/path/to/.kube/config -n petstore
```

Create an associated `ClusterRole` and `ClusterRoleBinding`:

```bash
kubectl apply -n petstore -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kuadrant-ci-example-full-access
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kuadrant-ci-example-full-access-binding
subjects:
- kind: ServiceAccount
name: default
namespace: petstore
roleRef:
kind: ClusterRole
name: kuadrant-ci-example-full-access
apiGroup: rbac.authorization.k8s.io
EOF
```

Step 4: Trigger the `TaskRun`

Execute the task within the `petstore` namespace, referencing the kubeconfig secret for cluster access:

In this example, we'll run this task with our Kuadrant Petstore app: https://github.com/kuadrant/api-petstore

```bash
kubectl apply -n petstore -f - <<EOF
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: run-kuadrantctl-taskrun
namespace: petstore
spec:
taskRef:
name: run-kuadrantctl
params:
- name: gitRepoUrl
value: "https://github.com/kuadrant/api-petstore.git"
- name: gitRevision
value: "main"
workspaces:
- name: source
persistentVolumeClaim:
claimName: tekton-kuadrantctl-pvc
- name: kubeconfig
secret:
secretName: kubeconfig-secret
EOF
```

## Cleanup

To cleanup, remove the `petstore` namespace.

0 comments on commit ff0e978

Please sign in to comment.