- apps/ci/tekton.yaml: installs Tekton v0.65.1 via kustomize remote ref - apps/ci/pipeline.yaml: deploys pipeline resources via ArgoCD - manifests/ci/tekton/kustomization.yaml: points to upstream release - manifests/ci/pipeline/serviceaccount.yaml: pipeline-runner SA - manifests/ci/pipeline/pipeline.yaml: 4-task Pipeline (clone, validate, bump, push) - manifests/ci/pipeline/pipelinerun.yaml: bumps podinfo 6.6.2 → 6.7.0 - scripts/set-git-credentials.sh: creates git-credentials Secret (not in git) - docs/04-tekton-pipeline.md: Exercise 04 participant guide
apiVersion: tekton.dev/v1
|
|
kind: Pipeline
|
|
metadata:
|
|
name: gitops-image-bump
|
|
namespace: tekton-pipelines
|
|
spec:
|
|
description: |
|
|
Validates manifests, bumps the podinfo image tag in deployment.yaml,
|
|
and pushes the commit back to the ops-demo repo.
|
|
ArgoCD then detects the change and rolls out the new image.
|
|
|
|
params:
|
|
- name: repo-url
|
|
type: string
|
|
description: URL of the ops-demo git repository
|
|
default: https://github.com/innspire/ops-demo.git
|
|
- name: new-tag
|
|
type: string
|
|
description: New podinfo image tag to set (e.g. 6.7.0)
|
|
default: "6.7.0"
|
|
- name: git-user-name
|
|
type: string
|
|
description: Git author name for the bump commit
|
|
default: "Workshop Pipeline"
|
|
- name: git-user-email
|
|
type: string
|
|
description: Git author email for the bump commit
|
|
default: "pipeline@workshop.local"
|
|
|
|
workspaces:
|
|
- name: source
|
|
description: Workspace for cloning the repo
|
|
- name: git-credentials
|
|
description: Secret with GitHub username + PAT (basic-auth)
|
|
|
|
tasks:
|
|
# ── Task 1: Clone the repo ─────────────────────────────────────────────
|
|
- name: clone
|
|
taskSpec:
|
|
workspaces:
|
|
- name: source
|
|
- name: git-credentials
|
|
params:
|
|
- name: repo-url
|
|
- name: git-user-name
|
|
- name: git-user-email
|
|
steps:
|
|
- name: clone
|
|
image: alpine/git:latest
|
|
workingDir: /workspace/source
|
|
env:
|
|
- name: GIT_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: git-credentials
|
|
key: username
|
|
- name: GIT_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: git-credentials
|
|
key: password
|
|
script: |
|
|
#!/bin/sh
|
|
set -eu
|
|
# Inject credentials into the clone URL
|
|
REPO=$(echo "$(params.repo-url)" | sed "s|https://|https://${GIT_USERNAME}:${GIT_PASSWORD}@|")
|
|
git clone "${REPO}" .
|
|
git config user.name "$(params.git-user-name)"
|
|
git config user.email "$(params.git-user-email)"
|
|
echo "Cloned $(git log --oneline -1)"
|
|
workspaces:
|
|
- name: source
|
|
workspace: source
|
|
- name: git-credentials
|
|
workspace: git-credentials
|
|
params:
|
|
- name: repo-url
|
|
value: $(params.repo-url)
|
|
- name: git-user-name
|
|
value: $(params.git-user-name)
|
|
- name: git-user-email
|
|
value: $(params.git-user-email)
|
|
|
|
# ── Task 2: Validate manifests (dry-run) ──────────────────────────────
|
|
- name: validate
|
|
runAfter: [clone]
|
|
taskSpec:
|
|
workspaces:
|
|
- name: source
|
|
steps:
|
|
- name: dry-run
|
|
image: bitnami/kubectl:latest
|
|
workingDir: /workspace/source
|
|
script: |
|
|
#!/bin/sh
|
|
set -eu
|
|
echo "Running kubectl dry-run on manifests/apps/podinfo/"
|
|
kubectl apply --dry-run=client -f manifests/apps/podinfo/
|
|
echo "Validation passed."
|
|
workspaces:
|
|
- name: source
|
|
workspace: source
|
|
|
|
# ── Task 3: Bump image tag ─────────────────────────────────────────────
|
|
- name: bump-image-tag
|
|
runAfter: [validate]
|
|
taskSpec:
|
|
workspaces:
|
|
- name: source
|
|
params:
|
|
- name: new-tag
|
|
steps:
|
|
- name: bump
|
|
image: mikefarah/yq:4.44.3
|
|
workingDir: /workspace/source
|
|
script: |
|
|
#!/bin/sh
|
|
set -eu
|
|
FILE="manifests/apps/podinfo/deployment.yaml"
|
|
CURRENT=$(yq '.spec.template.spec.containers[0].image' "${FILE}")
|
|
echo "Current image: ${CURRENT}"
|
|
yq -i '.spec.template.spec.containers[0].image = "ghcr.io/stefanprodan/podinfo:$(params.new-tag)"' "${FILE}"
|
|
UPDATED=$(yq '.spec.template.spec.containers[0].image' "${FILE}")
|
|
echo "Updated image: ${UPDATED}"
|
|
workspaces:
|
|
- name: source
|
|
workspace: source
|
|
params:
|
|
- name: new-tag
|
|
value: $(params.new-tag)
|
|
|
|
# ── Task 4: Commit and push ────────────────────────────────────────────
|
|
- name: git-commit-push
|
|
runAfter: [bump-image-tag]
|
|
taskSpec:
|
|
workspaces:
|
|
- name: source
|
|
- name: git-credentials
|
|
params:
|
|
- name: new-tag
|
|
steps:
|
|
- name: push
|
|
image: alpine/git:latest
|
|
workingDir: /workspace/source
|
|
env:
|
|
- name: GIT_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: git-credentials
|
|
key: username
|
|
- name: GIT_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: git-credentials
|
|
key: password
|
|
script: |
|
|
#!/bin/sh
|
|
set -eu
|
|
git add manifests/apps/podinfo/deployment.yaml
|
|
git commit -m "chore(pipeline): bump podinfo to $(params.new-tag)"
|
|
|
|
# Inject credentials for push
|
|
REMOTE_URL=$(git remote get-url origin | sed "s|https://|https://${GIT_USERNAME}:${GIT_PASSWORD}@|")
|
|
git push "${REMOTE_URL}" HEAD:main
|
|
echo "Pushed commit: $(git log --oneline -1)"
|
|
workspaces:
|
|
- name: source
|
|
workspace: source
|
|
- name: git-credentials
|
|
workspace: git-credentials
|
|
params:
|
|
- name: new-tag
|
|
value: $(params.new-tag)
|
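Review bot: The clone script bakes the PAT into the clone URL (`REPO=$(echo "$(params.repo-url)" | sed "s|https://|https://${GIT_USERNAME}:${GIT_PASSWORD}@|")`), so `git clone` records it as `remote.origin.url` in `.git/config` on the shared `source` workspace for the rest of the run, and the push script then reads that same URL back with `git remote get-url origin` and prepends the credentials a second time, which git may reject or misparse. Supply the secret through a credential helper instead and push with `git push origin HEAD:main`, keeping both URLs credential-free (sketched below for the clone step; the push step needs the same helper and loses the `REMOTE_URL` rewrite). Separately, Tekton substitutes `$(params.new-tag)` and `$(params.repo-url)` into the script text before the shell runs, so a parameter value containing quotes alters the yq expression in the `bump` step and the shell commands in `clone` and `push`; pass them through `env:` (`- name: NEW_TAG` / `value: $(params.new-tag)`), reference `"${NEW_TAG}"` (yq: `strenv(NEW_TAG)`) in the scripts, and reject a tag that does not match the expected version pattern. The `git-credentials` workspace is bound to both git tasks but never read — the steps take the secret via `secretKeyRef` — so either drop it or make it the basic-auth source, and `alpine/git:latest` / `bitnami/kubectl:latest` should be pinned like the yq image.
```yaml
      - name: clone
        image: alpine/git:latest
        workingDir: /workspace/source
        env:
          - name: REPO_URL
            value: $(params.repo-url)
          # … unchanged: GIT_USERNAME / GIT_PASSWORD secretKeyRef entries …
        script: |
          #!/bin/sh
          set -eu
          # Hand credentials to git through a helper so the PAT never appears in
          # the remote URL, .git/config on the workspace, or git error output.
          HELPER='!f() { echo "username=${GIT_USERNAME}"; echo "password=${GIT_PASSWORD}"; }; f'
          git -c "credential.helper=${HELPER}" clone "${REPO_URL}" .
          # … unchanged: user.name / user.email config and the "Cloned" log line …
```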