DevOps with GitOps and Tekton
Development flow
GitOps
Our Continuous Integration (CI) approach is one of “zero-infrastructure overhead”. As such, Cloud Pak for Applications and the garage team have adopted GitOps, where a specific git repository contains declarative descriptions of the infrastructure currently desired for each environment (dev, staging, production), combined with Appsody deploy commands and Tekton to automate the DevOps pipeline.
Each application repository includes deployment manifests (app-deploy.yaml) to configure the application at deployment time.
The gitops-dev repository contains all deployment manifests of the currently desired infrastructure of a deployment environment.
We are using pull-based deployments: the build pipeline is triggered by a pull request or a commit on the application repository, and an operator, running in the solution namespace, continuously compares the desired state in the environment repository with the actual state in the deployed infrastructure.
Tekton Pipeline
Tekton is an open source project that provides a framework to create cloud-native CI/CD pipelines quickly. As a Kubernetes-native framework, Tekton makes it easier to deploy across multiple cloud providers or hybrid environments.
Pre-requisites
Define a secret for the Docker registry credential:
- First, if not done before, create an access token for your Docker Hub account, using the Settings > Security option.
- Then execute:
oc create secret generic dockerhub-secret --from-literal=token=<you-created-token-on-dockerhub>
Install Tekton pipeline
See the instructions here, which can be summarized by the following steps:
# create dedicated pipeline project
oc new-project tekton-pipelines
# Grant the anyuid SCC to the tekton-pipelines-controller service account
oc adm policy add-scc-to-user anyuid -z tekton-pipelines-controller
# install tekton
oc apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.notags.yaml
# Verify pods are started
oc get pods --namespace tekton-pipelines --watch
For a given solution that includes multiple components deployed as pods in the same namespace, it is recommended to create a service account, as in the following manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vaccine-solution-sa
secrets:
  - name: dockerhub-secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
One such file is in the gitops-dev project.
oc apply -f tekton/appsody-tekton.yaml
Application deployment
Each application is built with Appsody and deployed via the Appsody operator. In the tekton directory of the gitops-dev project, we define a simple pipeline that uses the appsody deploy command to deploy the generated AppsodyApplication CRD YAML to the target environment.
Tekton Pipelines run on the same cluster (and often in the same namespace!) as your running application code, thus allowing for more programmatic control over the deployment, management, operations, and existence of your application components. The key artifact that enables Tekton to deploy any Appsody-based microservice is the generated app-deploy.yaml file.
We need to define a pipeline, which may look the same for each project. Still, for clear separation of concerns, each Java project includes a src/main/tekton folder with the needed pipeline, resource and task manifests. Here is an example of a pipeline:
apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
  name: appsody-build-pipeline
spec:
  resources:
    - name: git-source
      type: git
    - name: docker-image
The pipeline resources define the target Docker image name and the URL of the source repository; those resources are per project. See an example here.
The pipeline executes a Tekton task named appsody-build-push-deploy-task; an example can be found here.
When appsody build is executed, the deployment manifest for the application (the app-deploy.yaml file) is created or updated, and the deployment uses this file for the oc apply command.
The image URL must match the definition of the Docker image resource that you created for the pipeline.
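The following is an added example, not code from the original page or from the project: a pre-deploy check that the image referenced in app-deploy.yaml matches the url of the pipeline's image resource, ignoring tag, digest and Docker Hub host aliases. Both manifests are constructed samples, and the organisation and image names in them are assumptions.

```python
import re

# Constructed sample: a Tekton v1alpha1 image PipelineResource (names are assumptions).
PIPELINE_RESOURCE = """\
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: docker-image
spec:
  type: image
  params:
    - name: url
      value: index.docker.io/example-org/reefer-monitoring
"""
# Constructed sample: the app-deploy.yaml produced by appsody build.
APP_DEPLOY = """\
apiVersion: appsody.dev/v1beta1
kind: AppsodyApplication
spec:
  applicationImage: docker.io/example-org/reefer-monitoring:0.0.1
"""

def normalize(ref):
    """Reduce an image reference to registry/repository, dropping tag and digest."""
    ref = ref.strip().strip("\"'").split("@", 1)[0]   # drop @sha256:... digest
    head, _, last = ref.rpartition("/")
    last = last.split(":", 1)[0]                      # drop :tag, keep a registry port
    ref = f"{head}/{last}" if head else last
    first = ref.split("/", 1)[0]
    if "." not in first and ":" not in first and first != "localhost":
        ref = "docker.io/" + ref                      # no registry host was given
    # Docker Hub is reachable under several host names; compare them as one.
    return re.sub(r"^(index|registry-1)\.docker\.io/", "docker.io/", ref)

def resource_url(text):
    m = re.search(r"-\s*name:\s*url\s*\n\s*value:\s*(\S+)", text)
    return m.group(1) if m else None

def application_image(text):
    m = re.search(r"^\s*applicationImage:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def images_match(resource_text, deploy_text):
    url, image = resource_url(resource_text), application_image(deploy_text)
    if not url or not image:
        return False                                  # fail closed on a missing field
    return normalize(url) == normalize(image)

if __name__ == "__main__":
    ok = images_match(PIPELINE_RESOURCE, APP_DEPLOY)
    print("image match" if ok else "MISMATCH: app-deploy.yaml image differs from pipeline resource")
    raise SystemExit(0 if ok else 1)
```

Run as a step before oc apply, a non-zero exit stops the deployment when the manifest points at an image the pipeline did not build and push.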
To run the pipeline manually, use the pipeline-run manifest. For example, for the reefer monitoring service the manifest is under the scripts folder:
oc apply -f scripts/reefer-monitoring-pipeline-run.yaml
# verify the pipeline run
tkn pipelinerun list
NAME                                  STARTED          DURATION   STATUS
reefer-monitoring-pipeline-run-task   31 seconds ago   ---        Running
Once the appsody deploy command is successful, the Appsody Operator and Kubernetes take care of the rest and reconcile the necessary underlying Kubernetes artifacts that are required to fulfill the requirements of serving up the application code in real-time!