Tutorial

Build a CI/CD Tekton Pipeline for deploying a Node.js application

Deploy a Node.js application using Red Hat OpenShift on IBM Cloud

Save Like

By Vlad Sancira
Published June 18, 2020

Red Hat OpenShift on IBM Cloud is an extension of the IBM Cloud Kubernetes Service, where IBM manages an OpenShift Container Platform for you.

Tekton Pipelines is an open source framework used for creating cloud-native continuous integration and continuous delivery (CI/CD) pipelines that run on Kubernetes. Tekton Pipelines was built specifically for container environments, supports the software lifecycle, and uses a serverless approach.

In this tutorial, you will become familiar with CI/CD pipelines and webhooks on Red Hat OpenShift 4.3 and Kubernetes 1.17 or higher using Tekton Pipelines.

Prerequisites

Before you begin this tutorial, please complete the following steps:

  1. Register for an IBM Cloud account.
  2. Create a free Kubernetes cluster on IBM Cloud.
  3. Create an OpenShift 4.3 cluster on IBM Cloud.
  4. Install and configure the IBM Cloud CLI.
  5. Configure the standard IBM Cloud Container Registry.

Optional: Download Visual Studio Code IDE for editing the Node.js project. You can also download the tkn command-line for easy command-line interaction with Tekton.

Now that you’ve set up your environment, please note that IBM Cloud offers a free Kubernetes 1.17 cluster for one month for testing purposes. You will also receive a free IBM Cloud Image Registry with 512MB of storage and 5GB of pull traffic each month.

Estimated time

It should take about 1 hour to complete this tutorial.

Steps

  1. Create a cloud-native CI/CD pipeline on OpenShift 4.3

  2. Create a cloud-native CI/CD pipeline on Kubernetes 1.17 or higher

  3. Create a webhook connection from Git to a Tekton CI/CD pipeline

Before you get started, it’s important to understand how the application image is built. Using Tekton Pipelines involves building the application image inside the OpenShift/Kubernetes cluster. When using OpenShift, you use the standard S2I Build task and for Kubernetes you use the Kaniko Build task.

It’s also important to know what each Git folder contains:

If you’d like to use Visual Studio Code to edit and run the Node.js application locally, you can. From the repo root folder run:

npm install .
node ./nodejs/bin/www/
curl http://localhost:8080/nodejs

Great! Now let’s begin.

Create a cloud-native CI/CD pipeline on OpenShift 4.3

OpenShift Pipelines is a cloud-native, CI/CD) solution based on Kubernetes resources. It uses Tekton building blocks to automate deployments across multiple platforms by abstracting away the underlying implementation details. Tekton introduces a number of standard Custom Resource Definitions (CRDs) for defining CI/CD pipelines that are portable across Kubernetes distributions.

  1. Install the OpenShift Pipelines Operator from either the web console or CLI by following the OpenShift documentation.

    After successful installation, you will have the necessary Tekton-related building blocks created in the ‘openshift-pipelines’ project.

     oc get pods -n openshift-pipelines

  2. Create env-ci, env-dev and env-stage projects. In env-ci, you will store the CI/CD pipeline and all pipeline resources. In env-dev and env-stage, you will deploy the application through image promotion.

     oc new-project env-ci
 oc new-project env-dev
 oc new-project env-stage

  3. Create ImageStream nodejs-tekton for storing the NodeJ.js image in env-dev and env-stage projects:

     oc create is nodejs-tekton -n env-dev
 oc create is nodejs-tekton -n env-stage

  4. Allow the pipeline ServiceAccount to make deploys on other env-dev and env-stage projects:

     oc adm policy add-scc-to-user privileged system:serviceaccount:env-ci:pipeline -n env-ci
 oc adm policy add-scc-to-user privileged system:serviceaccount:env-ci:pipeline -n env-dev
 oc adm policy add-scc-to-user privileged system:serviceaccount:env-ci:pipeline -n env-stage
 oc adm policy add-role-to-user edit system:serviceaccount:env-ci:pipeline -n env-ci
 oc adm policy add-role-to-user edit system:serviceaccount:env-ci:pipeline -n env-dev
 oc adm policy add-role-to-user edit system:serviceaccount:env-ci:pipeline -n env-stage

    The image below illustrates what the OpenShift Pipeline design looks like.

    Pipeline Design

Create the CI/CD pipeline

  1. Clone the Git project:

     git clone https://github.com/vladsancira/nodejs-tekton.git
 cd nodejs-tekton

  2. Create Tekton resources, tasks, and a pipeline:

     oc create -f ci-cd-pipeline/tekton-openshift/resources.yaml        -n env-ci
 oc create -f ci-cd-pipeline/tekton-openshift/task-build-s2i.yaml   -n env-ci
 oc create -f ci-cd-pipeline/tekton-openshift/task-deploy.yaml      -n env-ci
 oc create -f ci-cd-pipeline/tekton-openshift/task-test.yaml        -n env-ci
 oc create -f ci-cd-pipeline/tekton-openshift/task-promote.yaml     -n env-ci
 oc create -f ci-cd-pipeline/tekton-openshift/pipeline.yaml         -n env-ci

  3. Create an application secret, which will be mounted as an environment variable inside the Node.js pod:

     oc create -f ci-cd-pipeline/tekton-openshift/secrets.yaml   -n env-dev
 oc create -f ci-cd-pipeline/tekton-openshift/secrets.yaml   -n env-stage

  4. Execute the pipeline:

     tkn t ls -n env-ci
 tkn p ls -n env-ci
 tkn p start nodejs-pipeline -n env-ci

    Pipeline Run

  5. List PipelineRun from the CI environment :

     tkn pr ls -n env-ci
 NAME                                         STARTED        DURATION    STATUS
 nodejs-pipeline-run-4fe564430272f1ea78cad   15 hours ago   2 minutes   Succeeded

Create a cloud-native CI/CD pipeline on Kubernetes 1.17 or higher

  1. Clone the Git project:

     git clone https://github.com/vladsancira/nodejs-tekton.git
 cd nodejs-tekton

  2. Install Tekton Pipelines in the default tekton-pipelines namespace:

     kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
 kubectl get pods --namespace tekton-pipelines

  3. Create new env-stage, env-dev, and env-ci namespaces. In env-ci, you will store the CI/CD pipeline and all pipeline resources. In env-dev and env-stage namespaces, you will deploy the application via image promotion.

     kubectl create namespace env-stage
 kubectl create namespace env-dev
 kubectl create namespace env-ci

  4. Create an API key for the IBM Cloud Registry and export the PullImage secret from the default namespace. The API key is used for pushing images into the IBM Cloud Registry. When creating a Kubernetes cluster, an IBM Cloud Registry pull secret will be created in the default namespace (for all regions) that is used for pulling images from the IBM Cloud Registry.

     ibmcloud iam api-key-create MyKey -d "this is my API key" --file key_file.json
 cat key_file.json | grep apikey

 kubectl create secret generic ibm-cr-secret  -n env-ci --type="kubernetes.io/basic-auth" --from-literal=username=iamapikey --
 from-literal=password=<API_KEY>
 kubectl annotate secret ibm-cr-secret  -n env-ci tekton.dev/docker-0=us.icr.io

 kubectl get secret default-us-icr-io --export -o yaml > default-us-icr-io.yaml
 kubectl create -f  default-us-icr-io.yaml -n env-dev
 kubectl create -f  default-us-icr-io.yaml -n env-stage

  5. Create a new ServiceAccount to enable the pipeline to run and deploy to env-dev namespace. You will specify this ServiceAccount in the pipeline definition. Also, you will bind a custom Role to this ServiceAccount that will enable it to create, delete, or edit resources in env-dev and env-stage namespaces.

     kubectl apply -f ci-cd-pipeline/tekton-kubernetes/service-account.yaml         -n env-ci
 kubectl apply -f ci-cd-pipeline/tekton-kubernetes/service-account-binding.yaml -n env-dev
 kubectl apply -f ci-cd-pipeline/tekton-kubernetes/service-account-binding.yaml -n env-stage

    Below is an image of the Kubernetes Pipeline design.

    Pipeline Design

Create the CI/CD pipeline

  1. Create Tekton resources, task, and the pipeline:

     kubectl create -f ci-cd-pipeline/tekton-kubernetes/resources.yaml          -n env-ci
 kubectl create -f ci-cd-pipeline/tekton-kubernetes/task-build-kaniko.yaml  -n env-ci
 kubectl create -f ci-cd-pipeline/tekton-kubernetes/task-deploy.yaml        -n env-ci
 kubectl create -f ci-cd-pipeline/tekton-kubernetes/task-test.yaml          -n env-ci
 kubectl create -f ci-cd-pipeline/tekton-kubernetes/task-promote.yaml       -n env-ci
 kubectl create -f ci-cd-pipeline/tekton-kubernetes/pipeline.yaml           -n env-ci

  2. Create an application secret which will be mounted as an environment variable inside the Node.js pod:

     kubectl apply -f ci-cd-pipeline/tekton-kubernetes/secrets.yaml -n env-dev
 kubectl apply -f ci-cd-pipeline/tekton-kubernetes/secrets.yaml -n env-stage

  3. Execute the pipeline using PipelineRun via kubectl:

     kubectl create -f ci-cd-pipeline/tekton-kubernetes/pipeline-run.yaml -n env-ci
 kubectl get pipelinerun -n env-ci
 NAME                                 SUCCEEDED    REASON      STARTTIME   COMPLETIONTIME
 nodejs-pipeline-run-4fe564430272f1e   True        Succeeded   15h         15h

    Or via the tkn command:

     tkn p start nodejs-pipeline -n env-ci
 tkn pr ls -n env-ci

 NAME                                      STARTED        DURATION    STATUS
 nodejs-pipeline-run-4fe564430272f1ea78   15 hours ago   2 minutes   Succeeded

  4. Check the pods and logs:

     kubectl get pods                            -n env-dev
 kubectl get pods                            -n env-stage

 kubectl logs nodejs-app-76fcdc6759-pjxs7 -f -n env-dev

  5. View the Node.js application UI by retrieving the Kubernetes cluster EXTERNAL-IP using the following command:

     kubectl get nodes -o wide

  6. Then open the following URL in a web browser to view the Node.js application UI:

    • From the DEV environment: http://<EXTERNAL-IP>:32426/nodejs
    • From the STAGE environment: http://<EXTERNAL-IP>:32526/nodejs

Create a webhook connection from Git to a Tekton CI/CD pipeline

To create a webhook from Git to your Tekton Pipeline, you need to install Tekton Triggers in your Kubernetes cluster.

Tekton Triggers is a Kubernetes CRD controller that allows you to extract information from events payloads to create Kubernetes resources. Remember, you can use the Tekton Dashboard as a web console for viewing all your Tekton resources.

On OpenShift 4.3, Tekton Triggers is already installed as part of the OpenShift Pipelines Operator, in the openshift-pipelines project (namespace). However, the Tekton Dashboard is not. Instead, you can use the OpenShift Web Console.

The mechanism for triggering builds through webhooks is the same and involves creating an EventListener and exposing that EventListener Service to outside. The EventListener handles external events and receives a Git payload. This payload is parsed through the TriggerBinding resource for certain information, like gitrevision or gitrepositoryurl. These variables are then sent to the TriggerTemplate resource that calls the Tekton Pipeline via a PipelineRun definition (with optional arguments).

Tekton Architecture

For OpenShift:

  1. Create TriggerTemplate, TriggerBinding, and EventListener pipelines:

     oc create -f ci-cd-pipeline/tekton-triggers/webhook-event-listener-openshift.yaml -n env-ci

  2. Create a Route for the EventListener service:

     oc expose svc/el-nodejs-pipeline-listener -n env-ci
 oc get route -n env-ci

  3. Add the Route to Git webhook and then preform a push. The new PipelineRun will be triggered automatically and visible in the pipelines console ci-env project.

    Webhook

For Kubernetes:

  1. Install the Tekton Dashboard and Tekton Triggers:

     kubectl apply -f https://github.com/tektoncd/dashboard/releases/download/v0.6.1.2/tekton-dashboard-release.yaml
 kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
 kubectl apply -f ci-cd-pipeline/tekton-triggers/tekton-dashboard.yaml -n tekton-pipelines

  2. Create a new ServiceAccount, Role, and RoleBinding. In Kubernetes, this new ServiceAccount will be used for running the EventListener and starting the PipelineRun via the TriggerTemplate. The actual pipeline will still run as the ServiceAccount defined in it.

     kubectl apply -f ci-cd-pipeline/tekton-triggers/webhook-service-account.yaml  -n env-ci

  3. Create TriggerTemplate, TriggerBinding and EventListener pipelines. By default, the EventListener service type is ClusterIP. However, you need to set it to NodePort so it can be triggered from outside the cluster.

     kubectl apply -f ci-cd-pipeline/tekton-triggers/webhook-event-listener-kubernetes.yaml -n env-ci

  4. Retrieve el-nodejs-pipeline-listener PORT and cluster EXTERNAL-IP:

     kubectl get svc el-nodejs-pipeline-listener -n env-ci
 kubectl get nodes -o wide

  5. Add ‘http://>:‘ to GitHib as the webhook. Then perform a push.

    Webhook

  6. Open the Tekton dashboard, http://<CLUSTER_IP>>:32428/#/pipelineruns, to make sure your changes were successful. Your output should look like the following:

Webhook

Summary

Congratulations! You have successfully created a cloud-native CI/CD Tekton Pipeline for building and deploying a Node.js application in an OpenShift/Kubernetes cluster. If you’d like to continue using Tekton and Red Hat OpenShift, try another tutorial where you can learn how to Build a Tekton Pipeline to deploy a mobile app back end to OpenShift 4.

Legend
Tutorial

Build a Tekton Pipeline to deploy a mobile app back end to OpenShift 4

August 4, 2020
Video | Other

What is Tekton?

April 7, 2020
Blog Post

Why now's a great time to use the Tekton Dashboard

March 17, 2020