This tutorial shows the concept of separation of concerns in DevOps. The project is set up in 3 repos (not all teams will have write access to all of them):

- This git repo only contains the pipeline setup
- The git repo that contains only the application source code
- The git repo that contains only the infrastructure manifests (yaml)
- We will be using Tekton to build the container image, and update the Infra Git repo.
- We will be using ArgoCD to deploy the application from the infra git repo
- Get a copy of the devops git repository and change directory
  ```bash
  git clone https://github.com/ibm-cloud-architecture/tutorial-tekton-argocd-pipeline
  cd tutorial-tekton-argocd-pipeline
  ```
- Create a new code git repository using this repo as template
- Create a new infra git repository using this repo as template
- You need an OpenShift 4 cluster; you can use CodeReadyContainers (CRC), OpenShift PlayGround, or OpenShift from a cloud provider like IBM Cloud
- Install OpenShift Operators
  - Install OpenShift Pipeline Operator
    ```bash
    oc apply -f operators/tekton-operator.yaml
    ```
  - Install ArgoCD (HELM) Operator on the `argocd` namespace
    ```bash
    oc apply -f operators/argocd-operator.yaml
    ```
    When installing the tutorial, make sure you wait until the argocd-operator is finished before installing the argocd-cr, or it will fail. You can do this:
    ```bash
    oc get ClusterServiceVersion -n argocd
    ```
    ```
    NAME                     DISPLAY   VERSION   REPLACES   PHASE
    argocd-operator.v0.0.8   Argo CD   0.0.8                Succeeded
    ```
    and wait for the "succeeded" to come up before proceeding.
    ```bash
    oc apply -f operators/argocd-cr.yaml
    ```
    and wait for the argocd server Pod to be running
    ```bash
    oc get pods -n argocd -l app.kubernetes.io/name=example-argocd-server
    ```
    ```
    NAME                                     READY   STATUS    RESTARTS   AGE
    example-argocd-server-57c4fd5c45-zf4q6   1/1     Running   0          115s
    ```
- Install Tekton CLI `tkn`
- Install ArgoCD CLI `argocd`
- Create a new namespace/project
  ```bash
  oc new-project tekton-argocd
  ```
- Set the environment variable `NAMESPACE`
  ```bash
  export NAMESPACE=$(oc project -q)
  echo "NAMESPACE set to $NAMESPACE"
  ```
- Set an environment variable `ARGOCD_URL` using the route
  ```bash
  export ARGOCD_NAMESPACE="argocd"
  export ARGOCD_SERVER=$(oc get route example-argocd-server -n $ARGOCD_NAMESPACE -o jsonpath='{.spec.host}')
  export ARGOCD_URL="https://$ARGOCD_SERVER"
  echo ARGOCD_URL=$ARGOCD_URL
  echo ARGOCD_SERVER=$ARGOCD_SERVER
  ```
- Log in to the UI.
  ```bash
  open $ARGOCD_URL
  ```
- Use `admin` as the username and get the password with the following command
  ```bash
  oc get secret example-argocd-cluster -n $ARGOCD_NAMESPACE -o jsonpath='{.data.admin\.password}' | base64 -d
  ```
  For example the output is similar to this:
  ```
  tyafMb7BNvO0kP9eizx3CojrK8pYJFQq
  ```
  ```bash
  export ARGOCD_PASSWORD=$(oc get secret example-argocd-cluster -n $ARGOCD_NAMESPACE -o jsonpath='{.data.admin\.password}' | base64 -d)
  ```
- Log in to ArgoCD
  ```bash
  argocd login --username admin --password $ARGOCD_PASSWORD $ARGOCD_SERVER
  ```
  Note: if you have problems with DNS using CRC, you might need to edit `/etc/hosts` and add an entry for the `$ARGOCD_SERVER` with the IP address from `crc ip`
- Create the App in ArgoCD using your own Infra git repository
  ```bash
  export GIT_REPOSITORY_URL="https://github.com/ibm-cloud-architecture/tutorial-tekton-argocd-infra"
  export ARGOCD_APP=$(oc project -q)
  export GIT_MANIFEST_DIR="yamls/ocp"
  argocd app create $ARGOCD_APP \
    --project default \
    --repo $GIT_REPOSITORY_URL \
    --path $GIT_MANIFEST_DIR \
    --dest-server https://kubernetes.default.svc \
    --dest-namespace $NAMESPACE \
    --sync-policy automated \
    --self-heal \
    --auto-prune
  ```
  ```
  application 'tekton-argocd' created
  ```
- Deploy the pipeline assets, edit the `pipelines/git.yaml` and `pipelines/pipeline-build-git.yaml` and use your own Code and Infra git repositories respectively.
  ```bash
  oc apply -f pipeline/ -n $NAMESPACE
  ```
  ```bash
  tkn resources ls -n $NAMESPACE
  ```
  ```
  NAME     TYPE    DETAILS
  source   git     url: https://github.com/ibm-cloud-architecture/tutorial-tekton-argocd-code
  image    image   url: image-registry.openshift-image-registry.svc:5000/$NAMESPACE/app
  ```
  ```bash
  tkn task ls -n $NAMESPACE
  ```
  ```
  NAME        AGE
  build       36 seconds ago
  build-git   36 seconds ago
  ```
  ```bash
  tkn pipeline ls -n $NAMESPACE
  ```
  ```
  NAME        AGE              LAST RUN   STARTED   DURATION   STATUS
  build-git   17 seconds ago   ---        ---       ---        ---
  ```
- Run the build task to test image build only
  ```bash
  tkn task start build \
    -i image=image \
    -i source=source \
    --showlog \
    -s pipeline \
    -n $NAMESPACE
  ```
  ```bash
  tkn taskrun ls -n $NAMESPACE
  ```
  ```
  NAME              STARTED         DURATION    STATUS
  build-run-c4d4r   4 minutes ago   2 minutes   Succeeded
  ```
  ```bash
  oc get imagestream -n $NAMESPACE
  ```
  ```
  NAME   IMAGE REPOSITORY                                                     TAGS      UPDATED
  app    image-registry.openshift-image-registry.svc:5000/tekton-argocd/app   b711ac7   About a minute ago
  ```
- For your CI pipeline to connect to and use your GitHub repo, it will need a GitHub personal access token with `public_repo` and `write:repo_hook` scopes.
- Navigate to Developer Settings and generate a new token; name it something like "CI pipeline"
- Select `public_repo` scope to enable git clone
- Select `write:repo_hook` scope so the pipeline can create a web hook
- The GitHub UI will never again let you see this token, so be sure to save the token in your password manager or somewhere safe that you can access later on
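
Before storing the token, it is worth confirming that it carries only the two scopes listed above. The following is an added example, not part of the original tutorial: it parses the `X-OAuth-Scopes` response header that the GitHub API returns for classic tokens and reports excess or missing scopes. The function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial repo. Function names and the sample
# headers are constructed. Real input would be response headers such as:
#   curl -sI -H "Authorization: token $GIT_TOKEN" https://api.github.com/user

# Scopes the tutorial asks for, one per line.
REQUIRED_SCOPES='public_repo
write:repo_hook'

# stdin = HTTP response headers; prints the granted scopes, one per line.
token_scopes() {
  tr -d '\r' |
    awk 'tolower($0) ~ /^x-oauth-scopes:/ { sub(/^[^:]*: */, ""); print }' |
    tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -v '^$' | sort
}

# stdin = HTTP response headers; prints findings, returns 1 if there are any.
check_scopes() {
  have=$(token_scopes)
  findings=$(
    printf '%s\n' "$have" | grep -v '^$' | grep -vxF -e "$REQUIRED_SCOPES" | sed 's/^/excess: /'
    printf '%s\n' "$REQUIRED_SCOPES" | grep -vxF -e "$have" | sed 's/^/missing: /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Demo: a constructed response for an over-privileged token.
printf 'HTTP/2 200\r\nx-oauth-scopes: repo, public_repo, write:repo_hook\r\n\r\n' | check_scopes ||
  echo "token scopes differ from what the pipeline needs"
```

A token with the full `repo` scope would also work for the pipeline, which is why an excess scope never shows up as a failure during the tutorial itself.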
- Create the secret for the Infra repository, replace `<GIT_USERNAME>` and `<GIT_TOKEN>`, keep the quotes
  ```bash
  export GIT_USERNAME='<GIT_USERNAME>'
  export GIT_TOKEN='<GIT_TOKEN>'
  oc create secret generic git-infra-secret \
    --from-literal=username="$GIT_USERNAME" \
    --from-literal=token="$GIT_TOKEN" \
    -n $NAMESPACE
  ```
- Run Pipeline to Build Image and Update Infra Git repo
  ```bash
  tkn pipeline start build-git \
    --showlog \
    -r source=source \
    -r image=image \
    -s pipeline \
    -n $NAMESPACE
  ```
  ```bash
  tkn pipeline ls -n $NAMESPACE
  ```
  ```
  NAME        AGE             LAST RUN              STARTED         DURATION   STATUS
  build-git   2 minutes ago   build-git-run-rdhmj   2 minutes ago   1 minute   Succeeded
  ```
- This is only possible if your OpenShift cluster is accessible from the GitHub server (i.e. github.com)
- Create a WebHook for the Code Git repo
  ```bash
  oc apply -f triggers/ -n $NAMESPACE
  oc create route edge --service=el-cicd -n $NAMESPACE
  export GIT_WEBHOOK_URL=$(oc get route el-cicd -o jsonpath='{.spec.host}' -n $NAMESPACE)
  echo "https://$GIT_WEBHOOK_URL"
  ```
- Set the `GIT_REPO_NAME` to the name of the Code Git repo like `tutorial-tekton-argocd-code`
  ```bash
  export GIT_REPO_NAME='<GIT_REPO_NAME>'
  ```
- Set the `GIT_REPO_OWNER` to the owner of the Code Git repo like `ibm-cloud-architecture`
  ```bash
  export GIT_REPO_OWNER='<GIT_REPO_OWNER>'
  ```
- Run curl to create the web hook
  ```bash
  curl -v -X POST -u "$GIT_USERNAME:$GIT_TOKEN" \
    -d "{\"name\": \"web\",\"active\": true,\"events\": [\"push\"],\"config\": {\"url\": \"https://$GIT_WEBHOOK_URL\",\"content_type\": \"json\",\"insecure_ssl\": \"0\"}}" \
    -L "https://api.github.com/repos/$GIT_REPO_OWNER/$GIT_REPO_NAME/hooks"
  ```

Make a change on the Code repository, and verify that GitHub sent the WebHook to the event listener, and that the Pipeline runs in the OpenShift Console
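
The hook created by the `curl` step above has no `secret` in its `config`, so GitHub sends its deliveries unsigned and the public `el-cicd` route has nothing to authenticate them with. The following is an added example, not part of the original tutorial: it builds the same request body with a shared secret and shows how a receiver checks GitHub's `X-Hub-Signature-256` header. The function names and the sample push body are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial repo. Function names and sample
# values are constructed for illustration.

# Random shared secret for the hook (hex, so it is safe inside JSON).
new_secret() { openssl rand -hex 32; }

# Same request body as the tutorial's curl call, plus config.secret.
# $1 = event listener host, $2 = shared secret
hook_payload() {
  printf '{"name":"web","active":true,"events":["push"],"config":{"url":"https://%s","content_type":"json","insecure_ssl":"0","secret":"%s"}}' "$1" "$2"
}

# Value GitHub puts in X-Hub-Signature-256: HMAC-SHA256 over the raw body.
# $1 = secret, $2 = raw body. The key is on openssl's argv here, which is
# acceptable for a local demo but not on a shared host.
hub_signature() {
  printf 'sha256=%s' "$(printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.*= *//')"
}

# Receiver-side check. $1 = secret, $2 = raw body, $3 = header value.
# Returns 0 = accept, 1 = bad signature, 2 = unsigned delivery.
# A production receiver should use a constant-time comparison.
verify_delivery() {
  [ -n "$3" ] || return 2
  [ "$(hub_signature "$1" "$2")" = "$3" ]
}

# Demo with a constructed push body.
demo_secret=$(new_secret)
demo_body='{"ref":"refs/heads/master","repository":{"name":"tutorial-tekton-argocd-code"}}'
demo_sig=$(hub_signature "$demo_secret" "$demo_body")
verify_delivery "$demo_secret" "$demo_body" "$demo_sig" && echo "signed delivery accepted"
verify_delivery "$demo_secret" "$demo_body tampered" "$demo_sig" || echo "tampered body rejected"
verify_delivery "$demo_secret" "$demo_body" "" || echo "unsigned delivery rejected"
```

Tekton Triggers ships a GitHub interceptor that performs this validation when it is given a reference to the secret; whether the manifests in `triggers/` configure it is not shown on this page.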
