Tekton with ArgoCD

Blueprint for a Tekton + ArgoCD application setup.

Installation

Requires a Kubernetes cluster with Istio installed. You can, for example, create one on the IBM Cloud.

Install Tekton:

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

Create secrets for GitHub SSH access and Docker registry access:

This is one way to create an SSH key that will be added to GitHub. There are in fact many ways for Tekton to get access to GitHub.

ssh-keygen -t rsa -b 4096 -C "tekton@tekton.dev"
# save as tekton / tekton.pub
# add tekton.pub contents to GitHub

# create secret YAML from contents
cat tekton | base64 -w 0
cat > tekton-git-ssh-secret.yaml << EOM
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-key
  namespace: tekton-pipelines
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 data>
---
EOM

kubectl apply -f tekton-git-ssh-secret.yaml

# create your Docker registry secret, for example:
cat ~/.docker/config.json | base64 -w 0
cat > regsecret.yaml << EOM
kind: Secret
apiVersion: v1
metadata:
  name: regsecret
data:
  .dockercfg: <base 64 data>
type: kubernetes.io/dockercfg
EOM

kubectl apply -n tekton-pipelines -f regsecret.yaml

Set up the Tekton service account:

kubectl apply -f tekton/

Install the Tekton dashboard:

kubectl apply -f https://github.com/tektoncd/dashboard/releases/latest/download/tekton-dashboard-release.yaml

Install ArgoCD:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kubectl apply -f argocd/
kubectl apply -n systemtest -f regsecret.yaml
kubectl apply -n production -f regsecret.yaml

Log in to ArgoCD, find out the admin password and create a token:

# pod name is the admin password
kubectl get pods -n argocd | grep argocd-server

# forward ports to access in browser
kubectl -n argocd port-forward svc/argocd-server 8081:80
kubectl -n tekton-pipelines port-forward svc/tekton-dashboard 9097:9097

Create the secret that gives Tekton access to ArgoCD:

kubectl create secret -n tekton-pipelines generic argocd-env-secret '--from-literal=ARGOCD_AUTH_TOKEN=<token>'

Now adapt all occurrences of the application repository, the GitOps config repository and the application Docker image to your own.

Then you can execute the pipeline manually:

./pipelinerun/trigger-pipeline.sh

Tekton Triggers

You can set up Tekton Triggers that start the build on a push to the repository's main branch.

Install Tekton Triggers:

kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
kubectl apply -f pipelinetriggers/

Create a triggers secret for GitHub:

cat > github-trigger-secret.yaml << EOM
apiVersion: v1
kind: Secret
metadata:
  name: github-trigger-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  secretToken: "123"  # example value; use a long random string and set the same value as the GitHub webhook secret
---
EOM

kubectl apply -f github-trigger-secret.yaml

Test the triggers setup manually:

# HMAC is generated from payload and the GitHub triggers secret
curl -i \
  -H 'X-GitHub-Event: push' \
  -H 'X-Hub-Signature: sha1=<HMAC>' \
  -H 'Content-Type: application/json' \
  -d '{"ref":"refs/heads/main","head_commit":{"id":"123abc..."}}' \
  http://tekton-triggers.example.com
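
One way to produce the `<HMAC>` value for the manual test above, as an added example that is not part of the original repository: it signs the exact payload bytes with openssl and sends those same bytes unchanged. The function names, the sample commit id and the reuse of "123" as the secret are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original repository).
# Assumes the openssl CLI is installed; curl is only needed for send_test_push.

# hub_signature SECRET PAYLOAD -> prints "sha1=<hex HMAC-SHA1 of PAYLOAD>"
hub_signature() {
  # printf '%s' signs the payload without the trailing newline echo would add.
  # sed strips the "(stdin)= " / "HMAC-SHA1(stdin)= " prefix of any openssl version.
  # Note: -hmac puts the secret on the process command line; fine for a test secret.
  printf 'sha1=%s\n' "$(printf '%s' "$2" \
    | openssl dgst -sha1 -hmac "$1" | sed 's/^.*= *//')"
}

# signature_matches SECRET PAYLOAD HEADER -> exit 0 if HEADER is valid.
# Local sanity check only; a real receiver should compare in constant time.
signature_matches() {
  [ "$(hub_signature "$1" "$2")" = "$3" ]
}

# send_test_push URL SECRET PAYLOAD -> POST a signed push event.
send_test_push() {
  # --data-binary sends the bytes unmodified (curl -d strips newlines
  # when reading from a file), so the body matches what was signed.
  curl -i \
    -H 'X-GitHub-Event: push' \
    -H "X-Hub-Signature: $(hub_signature "$2" "$3")" \
    -H 'Content-Type: application/json' \
    --data-binary "$3" \
    "$1"
}

# Constructed sample input: secretToken from github-trigger-secret.yaml
# and a push payload with a made-up commit id.
SECRET='123'
PAYLOAD='{"ref":"refs/heads/main","head_commit":{"id":"0000000000000000000000000000000000000000"}}'
SIG=$(hub_signature "$SECRET" "$PAYLOAD")

echo "X-Hub-Signature: $SIG"
signature_matches "$SECRET" "$PAYLOAD" "$SIG" && echo "signature verifies"
# A single extra byte in the body invalidates the signature.
signature_matches "$SECRET" "$PAYLOAD " "$SIG" || echo "modified payload: rejected"

# Uncomment to send the request to your EventListener:
# send_test_push http://tekton-triggers.example.com "$SECRET" "$PAYLOAD"
```

If the trigger rejects the request, first check that the body sent is byte-for-byte the string that was signed and that the secret matches the one in `github-trigger-secret`.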

After you’ve set up a GitHub webhook for push events, you can test the pipeline by pushing to your application repository.