Build a Tekton Pipeline to deploy a mobile app back end to OpenShift 4
Create an automated Tekton Pipeline to deploy several microservices used to handle data access tasks
Now that OpenShift 4.3 is available on IBM Cloud, there’s a lot of chatter regarding exciting new capabilities. One of the flashier components that I’m most excited about is the ability to view Tekton Pipeline resources from the OpenShift web console. While the Tekton Dashboard is still a great way to view what’s going on with your Tekton resources, this new functionality, part of OpenShift 4, makes it available in the user interface (UI), which you can see in the following screen capture.
To demonstrate some of the capabilities of Tekton, this tutorial deploys an instance of Example Loyalty, an example customer rewards application. This tutorial describes how to convert the manual deployment of the Focus on data privacy with a back end for a mobile loyalty app code pattern into a Tekton Pipeline.
The examples in this tutorial use Red Hat® OpenShift® on IBM Cloud™.
To complete this tutorial, you need the following environment:
A Red Hat OpenShift on IBM Cloud cluster already provisioned to enable you to set up a pipeline. If you need to create one, you can use the IBM Cloud web console or the
ibmcloudCLI. When using the latter, this tutorial may come in handy. NOTE: This tutorial is not compatable with Cloud Pak for Applications. You will need an empty cluster.
A few CLIs, including
oc, which can be found here.
There are a few steps from the main code pattern that need to be implemented before starting the tutorial. Complete the Prerequisites and Deployment sections to set up an App ID instance, a PostgreSQL database, and the integral kubernetes secrets in an
After the prerequisites are met, this tutorial takes approximately 30 minutes to complete, including the time required for the pipeline to run.
Understand the Example Loyality app
Example Loyalty is an example app set up to show how you can reward users of your application. It grew out of a project implemented at several conferences (Ah, remember those days?) to register attendees and distribute swag.
The back end of Example Loyalty is what this tutorial deploys through a pipeline. It consists of several microservices, including two Java services to keep track of events and users respectively, a nightly service to delete user data, a Node.js front end, and a PostgresSQL instance to keep track of it all.
Steps for setting up a pipeline
To get started, you first need to install Tekton Pipelines itself. Then you can apply all the resources you need to run the pipeline specific to this exercise.
1. Target your cluster
Log in to your IBM Cloud account and navigate to the overview page for your OpenShift cluster. Click on the OpenShift web console button in the upper right corner. On web console, click the menu in the upper right corner (the label contains your email address), and select Copy Login Command. Paste the command into your local console window. It should resemble the following example:
$ oc login https://c100-e.us-east.containers.cloud.ibm.com:XXXXX --token=XXXXXXXXXXXXXXXXXXXXXXXXXX
2. Install Tekton
Next up, Tekton installation:
$ kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.notags.yaml
3. Create a new project
Let us separate the tools from the application by creating a new project:
$ oc new-project loyalty-infra
4. Create a service account
To make sure the pipeline has the appropriate permissions to store images in the local OpenShift registry, you need to create a service account. For this tutorial, call it “pipeline”.
$ oc create serviceaccount pipeline $ oc adm policy add-scc-to-user privileged -z pipeline $ oc adm policy add-role-to-user edit -z pipeline $ oc policy add-role-to-user edit system:serviceaccount:loyalty-infra:pipeline -n example-loyalty
That last command grants your service account access to the
example-loyalty project. You should have created it as part of the prerequisites.
5. Install tasks
Tekton Pipelines are essentially a chain of of individual tasks. This tutorial uses serveral tasks, but you can install them all at once by cloning the main code pattern repo and then targeting the
$ git clone https://github.com/IBM/loyalty.git $ cd loyalty/pipeline $ oc apply -f tasks
6. Create the pipeline
The pipeline file (
example-health-pipeline.yaml) links together all the tasks of your pipeline, in this case consisting of: code scanning, building code into an image, and then deploying and exposing those images.
$ kubectl apply -f example-loyalty-pipeline.yaml
Steps for threat testing
Did I say code scanning? Let’s take this exercise in creating a pipeline a step further and introduce threat testing by including an application called SonarQube. SonarQube is open source software for inspecting a code base. It supports a plethora of languages. SonarQube can report on bugs and security vulnerabilities, as well as other helpful areas like code coverage and unit tests. This tutorial uses SonarQube to test code for vulnerabilities.
1. Deploy an instance of SonarQube
Another file in the repo describes all the settings needed for a deployment of SonarQube. A Deployment lists all the volumes and mount paths SonarQube requires. Additionally, a Service and Route allow the app to be publicly accessible. One file contains all this information:
$ oc apply -f sonarqube.yaml
2. Create a PVC
You also need a Persistant Volume Claim. It allows the tasks in the pipeline to have a common place to write information to share with one another:
oc apply -f loyalty-pvc.yaml
3. Run the pipeline
Finally, with your vulnerability scanner in place, you can run your loyalty pipeline using a PipelineRun file:
$ oc create -f loyalty-pipelinerun.yaml
Anytime you need to rescan and/or redeploy your code base, simply run that command.
Now to enjoy the fruits of our labor! SonarQube has its own web interface. To get to it, navigate to the
loyalty-infra project in the OpenShift web console. From the menu on the left, select Networking and then Routes:
Select the URL for SonarQube and check out the stats for your installation:
All green! Since there are no vulnerabilites here, you can click through to check out the stats for the lines of code:
Back on the Routes page, you can also find the URL for the user interface of your freshly installed Example Loyalty app. For the
As you can see, Tekton Pipelines are powerful, allowing you to automate some significant workloads. Housed within the same cluster as your imaged code base, this cloud-native approach to continuous deployment can become seamless and hands-free.
After practicing with this example, you can explore ideas for using pipelines in your own installations!