Add gateway deployment for Pipelines as Code
Signed-off-by: Frederic Giloux <[email protected]>
fgiloux committed Jun 29, 2022
1 parent b96308d commit ce41e3a
Showing 13 changed files with 270 additions and 20 deletions.
47 changes: 47 additions & 0 deletions .github/workflows/gateway-deployment-image.yaml
@@ -0,0 +1,47 @@
name: Build and Publish the Gateway Deployment Image

on:
push:
branches:
- main
paths:
- "images/gateway/**"
workflow_dispatch:

jobs:
build-push:

runs-on: ubuntu-latest
permissions:
contents: read
packages: write
outputs:
sha_short: ${{ steps.vars.outputs.sha_short }}

steps:
- uses: actions/checkout@v3

- name: Get the short sha
id: vars
run: echo "::set-output name=sha_short::$(echo ${{ github.sha }} | cut -b -7)"

# Build and push a gateway-deployment image, tagged with latest and the commit SHA.
- name: Build gateway-deployment Image
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: gateway-deployment
context: ./images/gateway
tags: latest ${{ steps.vars.outputs.sha_short }} ${{ github.ref_name }}
containerfiles: |
./images/gateway-deployment/Dockerfile
- name: Push to ghcr.io
id: push-to-ghcr
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image.outputs.image }}
tags: ${{ steps.build-image.outputs.tags }} ${{ github.ref_name }}
registry: ghcr.io/${{ github.repository_owner }}
username: ${{ github.actor }}
password: ${{ github.token }}
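Review bot: `containerfiles` points at `./images/gateway-deployment/Dockerfile`, but the build `context` and the `paths` filter both use `images/gateway`, and this commit adds the Dockerfile at `images/gateway/Dockerfile`, so as written the build step will not find the file. Change the path to `./images/gateway/Dockerfile`. Two smaller points: `${{ github.ref_name }}` is already part of the build step's `tags`, so appending it again in the push step duplicates the tag, and the actions are referenced by mutable tag (`@v3`, `@v2`) in a job that holds `packages: write`; pinning them to a commit SHA would keep the publish path reproducible.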
17 changes: 12 additions & 5 deletions docs/gateway.md
Expand Up @@ -41,23 +41,23 @@ HAProxy configuration can be amended through the ConfigMap. See the section belo
Connection settings, support for https can be configured by amending the HAProxy configuration contained in the ConfigMap.
This will get streamlined with the automation of the installation of Tekton triggers.

The first use case for the gateway is to forward requests to the listeners of Tekton triggers. This may also be used to proxy other services.
The first use case for the gateway is to forward requests to the EventListener for Pipelines as Code. This may also be used to proxy other services.
Therefore, additional frontends can be configured so that queries with other paths are forwarded to other backend servers.

Path-based routing is configured in this snippet:

```bash
acl PATH_trigger path_beg -i /trigger
use_backend be_trigger if PATH_trigger
acl PATH_pac path_beg -i /pac/
use_backend be_el_pac if PATH_pac
```
The backend in charge of processing the query can be specified in the referenced section:
```bash
server s1 httpecho.trigger.svc.cluster.local:80
server el-pac el-pipelines-as-code-interceptor.openshift-pipelines.svc.cluster.local:8080
```
here the backend is the service `httpecho` in the `trigger` namespace listening to port 80.
here the backend is the service `el-pipelines-as-code-interceptor` in the `openshift-pipelines` namespace listening to port 8080.
## Demo
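Review bot: The ACL `path_beg -i /pac/` only matches paths that include the trailing slash, so a webhook URL registered as `/pac` will not reach `be_el_pac`; the text should state the exact URL to register, or the ACL should also accept the bare path. Both snippets are HAProxy configuration, so the `bash` fence tag is misleading.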
Expand All @@ -70,3 +70,10 @@ here the backend is the service `httpecho` in the `trigger` namespace listening
**_NOTE:_** This is only needed for phase 1. This component will get removed when we move to phase 2 and have the event listeners provisioned through kcp.
---
## Limitations
- There is currently no controller watching EventListeners to configure the gateway dynamically. This means that the gateway would work for Pipelines as Code, which offers a stable entrypoint but not for pure Tekton Triggers.
- PipelineRuns are not visible in any kcp workspace.
- Ingress is currently broken with kcp 0.5 and may not get fixed before 0.7
Expand Up @@ -19,18 +19,18 @@ data:
timeout http-keep-alive 300s
timeout check 10s
frontend trigger_gateway-http
bind :80
frontend fe_el_pac_http
bind :8080
mode http
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
acl PATH_trigger path_beg -i /trigger
use_backend be_trigger if PATH_trigger
acl PATH_pac path_beg -i /pac/
use_backend be_el_pac if PATH_pac
backend be_trigger
backend be_el_pac
mode http
option redispatch
option forwardfor
timeout check 5000ms
server s1 httpecho.trigger.svc.cluster.local:80
server el-pac el-pipelines-as-code-interceptor.openshift-pipelines.svc.cluster.local:8080
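Review bot: The `server el-pac ...:8080` line in `be_el_pac` has no `check` keyword, so the `timeout check` settings never apply and HAProxy treats the EventListener as up even when it is not; add `check` to the server line if health checking is intended. With a single server, `option redispatch` has nothing to redispatch to, so it can be dropped until a second server exists.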
Expand Up @@ -17,10 +17,14 @@ spec:
containers:
- name: gateway
image: docker.io/haproxytech/haproxy-debian@sha256:7086aaf61dfe7f07fa36eafd4bb567a60564f7dd6fcf7cdafdfbbab19c01f0ba
resources:
requests:
cpu: 100m
memory: 256Mi
ports:
- name: http-port
protocol: TCP
containerPort: 80
containerPort: 8080
volumeMounts:
- name: config
mountPath: /usr/local/etc/haproxy/haproxy.cfg
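Review bot: The new `resources` block sets `requests` only; without `limits` the gateway container can use CPU and memory on the node without bound, so add `limits` next to the requests. Now that the container listens on 8080 instead of 80 it no longer needs a privileged port, which makes this a good place to add a container `securityContext` (for example `allowPrivilegeEscalation: false`, and `runAsNonRoot: true` if the image supports it); none is present in the lines shown.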
Expand All @@ -29,4 +33,4 @@ spec:
volumes:
- name: config
configMap:
name: haproxy-config
name: haproxy-config
Expand Up @@ -4,13 +4,13 @@ metadata:
name: trigger
spec:
rules:
- host: trigger-gateway.kcp-apps.127.0.0.1.nip.io
http:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: httpecho
name: gateway
port:
number: 80
number: 80
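Review bot: Dropping `host` from the rule while keeping `path: /` with `pathType: Prefix` makes this Ingress match every host and every path and send all of it to the `gateway` service, although the HAProxy frontend in this commit only routes `/pac/`. Narrow the rule to `path: /pac/`, or keep a host, so the gateway is not the catch-all for Ingress traffic. The resource is still named `trigger`, which no longer describes what it fronts.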

Expand Up @@ -9,4 +9,4 @@ spec:
targetPort: http-port
protocol: TCP
selector:
app: gateway
app: gateway
5 changes: 5 additions & 0 deletions gitops/kcp/gateway/kustomization.yaml
@@ -0,0 +1,5 @@
resources:
- haproxy-cfg-cm.yaml
- haproxy-deployment.yaml
- haproxy-ingress.yaml
- haproxy-service.yaml
6 changes: 5 additions & 1 deletion gitops/pac/README.md
Expand Up @@ -36,4 +36,8 @@ KUBECONFIG="/pathto/kubeconfig" GITOPS_REPO="https://gitops.org.com/org/pipeline

## Pipelines

Pipelines for the registration of new clusters via ArgoCD and kcp are available.
Pipelines are available for:

- the registration of new workload clusters to kcp
- the installation of the Tekton components on the workload cluster leveraging Argo CD
- the deployment of the gateway through kcp
File renamed without changes.
61 changes: 61 additions & 0 deletions gitops/sre/.tekton/gateway-deployment.yaml
@@ -0,0 +1,61 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: gateway-deployment
annotations:
pipelinesascode.tekton.dev/on-target-branch: "[main]"
pipelinesascode.tekton.dev/on-event: "[push]"
pipelinesascode.tekton.dev/task: "git-clone"
spec:
params:
- name: repo_url
value: "{{repo_url}}"
- name: revision
value: "{{revision}}"
pipelineSpec:
params:
- name: repo_url
- name: revision
workspaces:
- name: source
tasks:
- name: fetch-repository
taskRef:
name: git-clone
workspaces:
- name: output
workspace: source
params:
- name: depth
value: "500"
- name: url
value: $(params.repo_url)
- name: revision
value: $(params.revision)
- name: kcp-register
runAfter:
- fetch-repository
workspaces:
- name: source
workspace: source
taskSpec:
workspaces:
- name: source
steps:
- name: gateway-deployment
image: ghcr.io/openshift-pipelines/gateway-deployment:main
workingDir: $(workspaces.source.path)
env:
- name: DATA_DIR
value: $(workspaces.source.path)/gitops/sre
- name: KCP_ORG
value: "pipelines-service"
workspaces:
- name: source
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Mi
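Review bot: The `gateway-deployment` step sets only `DATA_DIR` and `KCP_ORG` in `env`, but `prechecks` in `images/gateway/install.sh` exits with 1 when `KCP_WORKSPACE` is empty, so this run will fail before it deploys anything; add `KCP_WORKSPACE` to the step. `KCP_ORG` is `pipelines-service` here while the script's usage text gives `root:pipelines-service`, so one of the two should change. The task is named `kcp-register` although it deploys the gateway, and the image is referenced by the mutable `:main` tag; the workflow in this commit also pushes a short-SHA tag, and referencing that or a digest would make the step that handles the kcp kubeconfig reproducible.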
13 changes: 13 additions & 0 deletions images/gateway/Dockerfile
@@ -0,0 +1,13 @@
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.6
WORKDIR /
RUN mkdir /workspace && chmod 777 /workspace && chown 65532:65532 /workspace
ENV HOME /tmp/home
RUN mkdir $HOME && chmod 777 $HOME && chown 65532:65532 $HOME
COPY ./install.sh /usr/local/bin/install.sh
RUN KUBE_VERSION=v1.24.0 && \
curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/amd64/kubectl" && \
chmod 755 /usr/local/bin/kubectl
USER 65532:65532
VOLUME /workspace
WORKDIR /workspace
ENTRYPOINT ["/usr/local/bin/install.sh"]
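Review bot: The `curl -L -o /usr/local/bin/kubectl` line installs the binary without verifying it; download the `kubectl.sha256` file published next to it and run `sha256sum --check` before the `chmod`, and add `-f` to curl so an HTTP error fails the build instead of being saved as the binary. `install.sh` calls `kubectl kcp workspace ...`, which needs the kcp kubectl plugin, and nothing in this Dockerfile installs it. If the image is only ever run as 65532, `chmod 777` on `/workspace` and `$HOME` is wider than needed once both are owned by that user.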
109 changes: 109 additions & 0 deletions images/gateway/install.sh
@@ -0,0 +1,109 @@
#!/usr/bin/env bash

# Copyright 2022 The pipelines-service Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o nounset
set -o pipefail

usage() {

printf "Usage: KCP_ORG=root:pipelines-service KCP_WORKSPACE=infra DATA_DIR=/workspace ./install.sh\n\n"

# Parameters
printf "The following parameters need to be passed to the script:\n"
printf "KCP_ORG: the organistation for which the workload clusters need to be registered, i.e.: root:pipelines-service\n"
printf "KCP_WORKSPACE: the name of the workspace where the gateway gets deployed (created if it does not exist), i.e: infra. If the workspace differs from the one where the WorkloadCluster has been created an APIBinding will need to be added\n"
printf "DATA_DIR: the location of the cluster files\n"
}

prechecks () {
KCP_ORG="${KCP_ORG:-}"
if [[ -z "${KCP_ORG}" ]]; then
printf "KCP_ORG not set\n\n"
usage
exit 1
fi

KCP_WORKSPACE="${KCP_WORKSPACE:-}"
if [[ -z "${KCP_WORKSPACE}" ]]; then
printf "KCP_WORKSPACE not set\n\n"
usage
exit 1
fi

DATA_DIR="${DATA_DIR:-}"
if [[ -z "${DATA_DIR}" ]]; then
printf "DATA_DIR not set\n\n"
usage
exit 1
fi
}

# populate kcp_kcfg with the location of the kubeconfig for connecting to kcp
kcp_kubeconfig() {
if files=($(ls $DATA_DIR/credentials/kubeconfig/kcp/*.kubeconfig 2>/dev/null)); then
if [ ${#files[@]} -ne 1 ]; then
printf "A single kubeconfig file is expected at %s\n" "$DATA_DIR/credentials/kubeconfig/kcp"
usage
exit 1
fi
kcp_kcfg="${files[0]}"
else
printf "A single kubeconfig file is expected at %s\n" "$DATA_DIR/credentials/kubeconfig/kcp"
usage
exit 1
fi
}

switch_org() {
KUBECONFIG=${kcp_kcfg} kubectl kcp workspace use ${KCP_ORG}
if ! (KUBECONFIG=${kcp_kcfg} kubectl api-resources >> /dev/null 2>&1); then
printf "%s is not a valid organization, wrong kubectl context in use or connectivity issue\n" ${KCP_ORG}
usage
exit 1
fi
}

switch_ws() {
if (KUBECONFIG=${kcp_kcfg} kubectl get workspaces -o name | grep "${KCP_WORKSPACE}"); then
printf "use existing workspace\n"
KUBECONFIG=${kcp_kcfg} kubectl kcp workspace use "${KCP_WORKSPACE}"

else
printf "creating workspace %s\n" "${KCP_WORKSPACE}"
KUBECONFIG=${kcp_kcfg} kubectl kcp workspace create "${KCP_WORKSPACE}" --enter
fi
}

install_gateway () {
CONFIG_DIR="${DATA_DIR}/environment/kcp/gateway"
KUBECONFIG=${kcp_kcfg} kubectl apply -k "${CONFIG_DIR}"
}

main() {
prechecks
kcp_kubeconfig
printf "Switching to organization %s\n" "${KCP_ORG}"
switch_org
printf "Switching to workspace %s\n" "${KCP_WORKSPACE}"
switch_ws
printf "Installing gateway\n"
install_gateway
}

if [ "${BASH_SOURCE[0]}" == "$0" ]; then
main "$@"
fi
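Review bot: In `switch_ws`, `grep "${KCP_WORKSPACE}"` is an unanchored pattern match on the output of `kubectl get workspaces -o name`, so `infra` also matches a workspace named `infra-test` and the script then tries to `use` a workspace that may not exist; check the exact name instead, for example `kubectl get workspaces "${KCP_WORKSPACE}" >/dev/null 2>&1`. In `kcp_kubeconfig`, `$(ls $DATA_DIR/...)` is unquoted and word-split, so a path containing spaces breaks the single-file check; globbing into the array with `"$DATA_DIR"` quoted avoids `ls`. `${KCP_ORG}` and `${kcp_kcfg}` are unquoted in `switch_org`, and "organistation" in the usage text is a typo.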
2 changes: 1 addition & 1 deletion images/kcp-registrar/register.sh
Expand Up @@ -39,7 +39,7 @@ prechecks () {
exit 1
fi

KCP_ORG=${KCP_WORKSPACE:-}
KCP_WORKSPACE=${KCP_WORKSPACE:-}
if [[ -z "${KCP_WORKSPACE}" ]]; then
printf "KCP_WORKSPACE not set\n\n"
usage