
OpenShift 4 - DevSecOps Workshop (8) - Adding an Image Build Task to the Pipeline

"OpenShift 4.x HOL Tutorial Collection"

Note: this article has been verified in an OpenShift 4.8 environment.

Contents

  • Verifying the Image Build
  • Adding an Image Build Task to the Pipeline
  • Running the Built Image

This step builds the application image, which is subsequently pushed to Quay.


Verifying the Image Build

  1. Set the variables.
$ USER=$(oc whoami)
$ DEV=${USER}-dev
$ CICD=${USER}-cicd
           
  2. Download the previously built application package from Nexus into the "oc-build" directory.
$ NEXUS_URL=$(oc get route nexus -ojsonpath={.spec.host} -n devsecops)
$ mkdir oc-build
$ wget -O oc-build/jboss-tasks-rs-7.0.0-SNAPSHOT.war "http://${NEXUS_URL}/service/rest/v1/search/assets/download?sort=version&repository=maven-snapshots&maven.groupId=org.jboss.quickstarts.eap&maven.artifactId=jboss-tasks-rs&maven.baseVersion=7.0.0-SNAPSHOT&maven.extension=war"
           
  3. Create a new Build object named "tekton-tasks" based on the "jboss-eap72-openshift:1.1" image stream in the openshift project.
$ oc new-build --name=tekton-tasks --image-stream jboss-eap72-openshift:1.1 --binary=true -n ${DEV}
--> Found image 0ca7413 (23 months old) in image stream "openshift/jboss-eap72-openshift" under tag "1.1" for "jboss-eap72-openshift:1.1"
  
    JBoss EAP 7.2
    -------------
    Platform for building and running JavaEE applications on JBoss EAP 7.2
 
    Tags: builder, javaee, eap, eap7
 
    * A source build using binary input will be created
      * The resulting image will be pushed to image stream tag "tekton-tasks:latest"
      * A binary build was created, use 'oc start-build --from-dir' to trigger a new build
 
--> Creating resources with label build=tekton-tasks ...
    imagestream.image.openshift.io "tekton-tasks" created
    buildconfig.build.openshift.io "tekton-tasks" created
--> Success
           
  4. View the imagestream and buildconfig objects created in the previous step.
$ oc get is tekton-tasks -n ${DEV}
NAME           IMAGE REPOSITORY                                                                                              TAGS     UPDATED
tekton-tasks   default-route-openshift-image-registry.apps.cluster-39c8.39c8.sandbox139.opentlc.com/user1-dev/tekton-tasks   latest
$ oc get istag tekton-tasks:latest -n ${DEV}
Error from server (NotFound): imagestreamtags.image.openshift.io "tekton-tasks:latest" not found
$ oc get bc tekton-tasks -n ${DEV}
NAME           TYPE     FROM     LATEST
tekton-tasks   Source   Binary   0
           
  5. Start the "tekton-tasks" build.
$ oc start-build tekton-tasks --from-dir=./oc-build/ --wait=true -n ${DEV}
Uploading directory "oc-build" as binary input for the build ...
Uploading finished
build.build.openshift.io/tekton-tasks-1 started
           
  6. View the imagestream and buildconfig objects again and confirm that both "UPDATED" and "LATEST" have changed; an istag object has also been created.
$ oc get is tekton-tasks -n ${DEV}
NAME           IMAGE REPOSITORY                                                                                              TAGS     UPDATED
tekton-tasks   default-route-openshift-image-registry.apps.cluster-39c8.39c8.sandbox139.opentlc.com/user1-dev/tekton-tasks   latest   19 seconds ago
$ oc get istag tekton-tasks:latest -n ${DEV}
NAME                  IMAGE REFERENCE                                                                                                                                   UPDATED
tekton-tasks:latest   image-registry.openshift-image-registry.svc:5000/user1-dev/tekton-tasks@sha256:f28e444783d263701061da94e0150a67ccce9a69b55d999b04982334e861e877   29 seconds ago
$ oc get bc tekton-tasks -n ${DEV}
NAME           TYPE     FROM     LATEST
tekton-tasks   Source   Binary   1
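
The by-eye comparison in the last step can be scripted. The following is an added example, not part of the original article: it pulls the IMAGE REFERENCE column out of captured `oc get istag` output, rejects anything that is not a `name@sha256:<digest>` reference, and reports whether a build produced a new digest. The function names are hypothetical, and the sample rows are constructed from the digests this page shows for builds 1 and 2.

```shell
# Added example, not from the original article: compare image digests across builds.
# On a cluster the reference can be read directly with:
#   oc get istag tekton-tasks:latest -n ${DEV} -o jsonpath='{.image.dockerImageReference}'

# Constructed sample input: `oc get istag` rows using the digests shown on this page.
REPO=image-registry.openshift-image-registry.svc:5000/user1-dev/tekton-tasks
BUILD1="NAME                  IMAGE REFERENCE   UPDATED
tekton-tasks:latest   $REPO@sha256:f28e444783d263701061da94e0150a67ccce9a69b55d999b04982334e861e877   29 seconds ago"
BUILD2="NAME                  IMAGE REFERENCE   UPDATED
tekton-tasks:latest   $REPO@sha256:eac120a2ca3cd6c6f423829f74eeb3bdd29965067fd53fa0378620aeb7a7cd5b   About a minute ago"

# Print the IMAGE REFERENCE column of the first data row of the table.
istag_ref() {
  printf '%s\n' "$1" | awk 'NR == 2 { print $2 }'
}

# Print the digest of a reference; fail for tag-only or malformed references.
ref_digest() {
  digest=$(printf '%s\n' "$1" | sed -n 's/^[^@ ][^@ ]*@\(sha256:[0-9a-f]\{64\}\)$/\1/p')
  [ -n "$digest" ] || return 1
  printf '%s\n' "$digest"
}

# Exit 0 if the digest changed, 1 if it is unchanged, 2 if either input is unusable.
new_image_built() {
  old=$(ref_digest "$(istag_ref "$1")") || return 2
  new=$(ref_digest "$(istag_ref "$2")") || return 2
  [ "$old" != "$new" ]
}

if new_image_built "$BUILD1" "$BUILD2"; then
  echo "new image: $(ref_digest "$(istag_ref "$BUILD2")")"
fi
```

Recording the digest at this point gives later stages a fixed reference to the image that was actually built, independent of where the `latest` tag points afterwards.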
           

Adding an Image Build Task to the Pipeline

  1. Create the "create-image" task, which uses the create-build-config and build-app-image steps to create the buildconfig and generate the imagestream and image objects.
$ oc apply -f - << EOF
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: create-image
  namespace: ${CICD}
spec:
  params:
    - default: tasks
      description: The name of the app
      name: app_name
      type: string
    - description: The name dev project
      name: dev_project
      type: string
    - description: binary artifact path in the local artifact repo
      # something like org/jboss/quickstarts/eap/jboss-tasks-rs/7.0.0-SNAPSHOT/jboss-tasks-rs-7.0.0-SNAPSHOT.war
      type: string
      name: artifact_path
  resources:
    inputs:
      - name: source
        type: git
  steps:
    - name: create-build-config
      image: 'quay.io/openshift/origin-cli:latest'
      script: >
        #!/bin/sh
        
        set -e -o pipefail
        
        echo "Creating new build config"  
        
        # This allows the new build to be created whether it exists or not
        
        oc new-build -o yaml --name=\$(params.app_name) --image-stream=jboss-eap72-openshift:1.1 --binary=true -n
        \$(params.dev_project) | oc apply -n \$(params.dev_project) -f - 
    - name: build-app-image
      image: 'quay.io/openshift/origin-cli:latest'    
      script: >
        #!/bin/sh
        
        set -e -o pipefail
        
        echo "Start the openshift build"  
        
        rm -rf \$(resources.inputs.source.path)/oc-build && mkdir -p \$(resources.inputs.source.path)/oc-build/deployments 
        
        cp \$(workspaces.maven-repo.path)/\$(params.artifact_path) \$(resources.inputs.source.path)/oc-build/deployments/ROOT.war 
        
        oc start-build \$(params.app_name) --from-dir=\$(resources.inputs.source.path)/oc-build -n \$(params.dev_project) --wait=true 
        
  workspaces:
    - name: maven-repo
EOF
           
  2. (Optional) If needed, run the following command to allow the "${DEV}" project to access resources in the "${CICD}" project.
  3. Run the "create-image" task.
$ tkn task start create-image -n ${CICD} --showlog \
	--inputresource source=tasks-source-code \
	--param app_name=tekton-tasks \
	--param dev_project=${DEV} \
	--param artifact_path='org/jboss/quickstarts/eap/jboss-tasks-rs/7.0.0-SNAPSHOT/jboss-tasks-rs-7.0.0-SNAPSHOT.war' \
	--workspace name=maven-repo,claimName=maven-repo-pvc
TaskRun started: create-image-run-pdj4q
Waiting for logs to be available...
[git-source-source-gx868] {"level":"info","ts":1629181943.040389,"caller":"git/git.go:169","msg":"Successfully cloned https://gitea-server-devsecops.apps.cluster-39c8.39c8.sandbox139.opentlc.com/user1/openshift-tasks.git @ bde310585bda8209cf384a85c6a72c6f34813910 (grafted, HEAD, origin/dso4) in path /workspace/source"}
[git-source-source-gx868] {"level":"info","ts":1629181943.1477466,"caller":"git/git.go:207","msg":"Successfully initialized and updated submodules in path /workspace/source"}
 
[create-build-config] Creating new build config
[create-build-config] imagestream.image.openshift.io/tekton-tasks created
[create-build-config] buildconfig.build.openshift.io/tekton-tasks created
 
[build-app-image] Start the openshift build
[build-app-image] Uploading directory "/workspace/source/oc-build" as binary input for the build ...
[build-app-image] 
[build-app-image] Uploading finished
[build-app-image] build.build.openshift.io/tekton-tasks-1 started
           
  4. View the buildconfig, imagestream and istag objects again. From the istag named "tekton-tasks:latest", confirm that both "LATEST" and "IMAGE REFERENCE" have been updated.
$ oc get buildconfig tekton-tasks -n ${DEV}
NAME           TYPE     FROM     LATEST
tekton-tasks   Source   Binary   2
$ oc get imagestream tekton-tasks -n ${DEV}
NAME           IMAGE REPOSITORY                                                                                              TAGS     UPDATED
tekton-tasks   default-route-openshift-image-registry.apps.cluster-39c8.39c8.sandbox139.opentlc.com/user1-dev/tekton-tasks   latest   13 minutes ago
$ oc get istag tekton-tasks:latest -n ${DEV}
NAME                  IMAGE REFERENCE                                                                                                                                   UPDATED
tekton-tasks:latest   image-registry.openshift-image-registry.svc:5000/user1-dev/tekton-tasks@sha256:eac120a2ca3cd6c6f423829f74eeb3bdd29965067fd53fa0378620aeb7a7cd5b   About a minute ago
           
  5. Run the following command to append the "create-image" task to the "tasks-dev-pipeline" pipeline.
$ TASKS="$(oc get pipelines tasks-dev-pipeline -n ${CICD} -o yaml | yq r - 'spec.tasks' | yq p - 'spec.tasks')"
$ oc patch pipelines tasks-dev-pipeline -n ${CICD} --type=merge -p "$(cat << EOF
$TASKS
    - name: create-image
      taskRef:
        kind: Task
        name: create-image
      params:
          - name: app_name
            value: tekton-tasks
          - name: dev_project
            value: ${DEV}
          - name: artifact_path
            value: org/jboss/quickstarts/eap/jboss-tasks-rs/7.0.0-SNAPSHOT/jboss-tasks-rs-7.0.0-SNAPSHOT.war
      resources:
        inputs:
          - name: source
            resource: pipeline-source
      workspaces:
        - name: maven-repo
          workspace: local-maven-repo
      runAfter:
          - archive
EOF
)"
           

Alternatively, add the "create-image" task in the OpenShift console as shown in the figure below.

[Figure: OpenShift console screenshot]

  6. Run the "tasks-dev-pipeline" pipeline from the command line.

$ tkn pipeline start tasks-dev-pipeline -n ${CICD} --showlog \
	--resource pipeline-source=tasks-source-code \
	--workspace name=local-maven-repo,claimName=maven-repo-pvc
...
[create-build-config] Creating new build config
[create-build-config] imagestreamtag.image.openshift.io/tekton-tasks:latest created
[create-build-config] buildconfig.build.openshift.io/tekton-tasks configured
 
[build-app-image] Start the openshift build
[build-app-image] Uploading directory "/workspace/source/oc-build" as binary input for the build ...
[build-app-image]
[build-app-image] Uploading finished
[build-app-image] build.build.openshift.io/tekton-tasks-1 started
           

The "tasks-dev-pipeline" pipeline can also be run from the OpenShift console, where you can then view the logs of the pipeline run.

[Figure: OpenShift console screenshot]

  7. After the run completes, view the buildconfig and istag again and confirm that "LATEST" and "IMAGE REFERENCE" have both changed.

$ oc get buildconfig tekton-tasks -n ${DEV}
NAME           TYPE     FROM     LATEST
tekton-tasks   Source   Binary   3
$ oc get istag tekton-tasks:latest -n ${DEV}
NAME                  IMAGE REFERENCE                                                                                                                                   UPDATED
tekton-tasks:latest   image-registry.openshift-image-registry.svc:5000/user2-dev/tekton-tasks@sha256:29328b9e9b9fa756e46786dceed7c0b7d7ec8e034a5d96e9c1299357e3431947   8 minutes ago
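
Tekton substitutes `$(params.*)` into the script text before the step's shell runs, so in the "create-image" task from step 1 a parameter value becomes part of the script itself. The following added example (not the original article's code) renders the same two steps with the parameters passed through environment variables and quoted, and refuses a CLI image that is not pinned by digest; `render_create_image_task` and the `CLI_IMAGE` argument are hypothetical names, and the digest to pin is left for the reader to supply.

```shell
# Added example, not the article's code: "create-image" with params passed as env vars.
# Apply with: render_create_image_task "$CICD" "$CLI_IMAGE" | oc apply -f -
render_create_image_task() {
  ns=$1 cli_image=$2   # hypothetical arguments: CI/CD namespace, origin-cli image
  printf '%s\n' "$ns" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$' ||
    { echo "invalid namespace: $ns" >&2; return 1; }
  # Refuse floating tags such as :latest; require name@sha256:<64 hex digits>.
  printf '%s\n' "$cli_image" | grep -Eq '^[^[:space:]@]+@sha256:[0-9a-f]{64}$' ||
    { echo "image must be pinned by digest: $cli_image" >&2; return 1; }
  cat << EOF
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: create-image
  namespace: ${ns}
spec:
  params:
    - {name: app_name, type: string, default: tasks}
    - {name: dev_project, type: string}
    - {name: artifact_path, type: string}
  resources:
    inputs:
      - {name: source, type: git}
  workspaces:
    - name: maven-repo
  stepTemplate:
    env:
      - {name: APP_NAME, value: "\$(params.app_name)"}
      - {name: DEV_PROJECT, value: "\$(params.dev_project)"}
      - {name: ARTIFACT_PATH, value: "\$(params.artifact_path)"}
  steps:
    - name: create-build-config
      image: '${cli_image}'
      script: |
        #!/bin/sh
        set -e -o pipefail
        oc new-build -o yaml --name="\$APP_NAME" --image-stream=jboss-eap72-openshift:1.1 \\
          --binary=true -n "\$DEV_PROJECT" | oc apply -n "\$DEV_PROJECT" -f -
    - name: build-app-image
      image: '${cli_image}'
      script: |
        #!/bin/sh
        set -e -o pipefail
        build_dir="\$(resources.inputs.source.path)/oc-build"
        rm -rf "\$build_dir" && mkdir -p "\$build_dir/deployments"
        cp -- "\$(workspaces.maven-repo.path)/\$ARTIFACT_PATH" "\$build_dir/deployments/ROOT.war"
        oc start-build "\$APP_NAME" --from-dir="\$build_dir" -n "\$DEV_PROJECT" --wait=true
EOF
}
```

The parameter, resource and workspace names are unchanged, so the `tkn task start` command and the pipeline patch shown above work with this variant as they are.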
           

Running the Built Image

  1. Run the following commands to run the application from the "tekton-tasks:latest" image.
$ oc new-app --image-stream=tekton-tasks:latest -n ${DEV}
$ oc expose svc tekton-tasks -n ${DEV}
           
  2. Alternatively, in the OpenShift console, go to "Container Images" as shown in the figure below,
    [Figure: OpenShift console screenshot]
    then deploy the "tekton-tasks:latest" image stream in "user1-dev".
    [Figure: OpenShift console screenshot]
    Once it is deployed, click the link under "Routes" to access the application.
    [Figure: OpenShift console screenshots]
