The robocat cluster lives in the tekton-nightly GCP project and is used to deploy nightly versions of Tekton components for testing.
These are step-by-step instructions on how to set up the robocat cluster using the available automation. The automation is based on Tekton, so it requires a "driver" cluster with Tekton deployed, which will run the tasks required to set up the robocat cluster. This "driver" cluster is the dogfooding cluster.
The initial step is done on the robocat cluster directly, so point your configuration to it:
kubectl config use-context gke_tekton-nightly_europe-north1-a_robocat
To set up the cluster admin service account, authenticate to the cluster with an admin user, and apply the content of the root folder:
kubectl apply -f robocat/root
Create a secret robocat-tektoncd-cadmin-token in the dogfooding cluster that holds the token for the cadmin service account. This secret is used by the robocat-cadmin pipeline resource, which is used by the automation to drive deployments in the robocat cluster.
# Fetch the secret data from robocat
CADMIN_SECRET=$(kubectl get -n tektoncd sa/cadmin -o jsonpath='{.secrets[0].name}')
CA_CRT=$(kubectl get -n tektoncd secret/$CADMIN_SECRET -o jsonpath='{.data.ca\.crt}')
TOKEN=$(kubectl get -n tektoncd secret/$CADMIN_SECRET -o jsonpath='{.data.token}')
# Create the secret on dogfooding
cat <<EOF | kubectl --cluster gke_tekton-releases_us-central1-a_dogfooding create -f -
apiVersion: v1
kind: Secret
metadata:
  name: robocat-tektoncd-cadmin-token
type: Opaque
data:
  ca.crt: $CA_CRT
  token: $TOKEN
EOF
Obtain the URL of the cluster:
kubectl cluster-info
Ensure that the robocat-tekton-deployer and the robocat-cadmin resources point to the correct URL of the cluster. If not, fix them in git and re-apply them to the dogfooding cluster.
Almost everything else is set up automatically via cronjobs scheduled in the dogfooding cluster. Since the setup of the DNS entry and the creation of the ClusterIssuer at the right time are still not automated, it's best for now to run through the setup "manually" by triggering the various cronjobs one by one, at least for the initial setup.
Future changes to the resources will be deployed nightly from git.
From this point on, most of the work will be done on the dogfooding cluster, so switch your configuration to point to it:
kubectl config use-context gke_tekton-releases_us-central1-a_dogfooding
Cronjobs can be used to deploy a folder of resources, a config map, a Helm chart or a Tekton service from a release.
The generic command to run a cronjob is:
kubectl create job --from=cronjob/$JOB_NAME $JOB_NAME-$(date +%s)
JOB_NAME | Details | Definition | Type |
---|---|---|---|
JOB_NAME=folder-cd-trigger-robotcat-cadmin | Namespaces and RBAC | Cronjob | Folder |
JOB_NAME=helm-cd-trigger-cert-manager-helm | Cert Manager | Cronjob | Helm Chart |
JOB_NAME=folder-cd-trigger-robotcat-cluster-issuer | ClusterIssuer | Cronjob | Folder |
JOB_NAME=helm-cd-trigger-minio-helm | Minio S3 Buckets | Cronjob | Helm Chart |
The following jobs are executed with the tekton-deployer service account, instead of cadmin. The tekton-deployer service account is created during the first cronjob, folder-cd-trigger-robotcat-cadmin.
Before running the next jobs, make sure the secret token for tekton-deployer in the dogfooding cluster is up to date:
# Fetch the secret data from robocat
TD_SECRET=$(kubectl --cluster gke_tekton-nightly_europe-north1-a_robocat \
  get -n tekton-pipelines sa/tekton-deployer -o jsonpath='{.secrets[0].name}')
CA_CRT=$(kubectl --cluster gke_tekton-nightly_europe-north1-a_robocat \
  get -n tekton-pipelines secret/$TD_SECRET -o jsonpath='{.data.ca\.crt}')
TOKEN=$(kubectl --cluster gke_tekton-nightly_europe-north1-a_robocat \
  get -n tekton-pipelines secret/$TD_SECRET -o jsonpath='{.data.token}')
# Create the secret on dogfooding
cat <<EOF | kubectl --cluster gke_tekton-releases_us-central1-a_dogfooding create -f -
apiVersion: v1
kind: Secret
metadata:
  name: robocat-tekton-deployer-token
type: Opaque
data:
  ca.crt: $CA_CRT
  token: $TOKEN
EOF
JOB_NAME | Details | Definition | Type |
---|---|---|---|
JOB_NAME=tekton-release-cd-trigger-robotcat-pipeline | Tekton Pipeline | Cronjob | Tekton Release |
JOB_NAME=tekton-release-cd-trigger-robotcat-triggers | Tekton Triggers | Cronjob | Tekton Release |
JOB_NAME=tekton-release-cd-trigger-robotcat-dashboard | Tekton Triggers | Cronjob | Tekton Release |
JOB_NAME=folder-cd-trigger-robotcat-tekton-resources | Tekton Resources | Cronjob | Folder |
Monitor the progress by looking at the logs of recent TaskRuns:
tkn tr logs -f
A prerequisite for this step is that the tekton-deployer service account has been created in the dogfooding cluster as well. Once that is in place, create the secret in the robocat cluster that holds the service account credentials needed to use tekton-deployer on dogfooding:
# Fetch the secret data from dogfooding
TD_SECRET=$(kubectl --cluster gke_tekton-releases_us-central1-a_dogfooding \
  get -n tekton-pipelines sa/tekton-deployer -o jsonpath='{.secrets[0].name}')
CA_CRT=$(kubectl --cluster gke_tekton-releases_us-central1-a_dogfooding \
  get -n tekton-pipelines secret/$TD_SECRET -o jsonpath='{.data.ca\.crt}')
TOKEN=$(kubectl --cluster gke_tekton-releases_us-central1-a_dogfooding \
  get -n tekton-pipelines secret/$TD_SECRET -o jsonpath='{.data.token}')
# Create the secret on robocat
cat <<EOF | kubectl --cluster gke_tekton-nightly_europe-north1-a_robocat create -f -
apiVersion: v1
kind: Secret
metadata:
  name: dogfooding-tekton-deployer-token
type: Opaque
data:
  ca.crt: $CA_CRT
  token: $TOKEN
EOF
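The three credential-copy steps above build the Secret manifest without checking that the jsonpath queries returned anything. The following is an added example, not part of the Tekton automation: render_token_secret is a hypothetical helper and the sample values are constructed. It validates both fields before emitting the same manifest, whose output can be piped to kubectl create -f - as in the steps above.

```shell
#!/usr/bin/env bash
# Added example: validate copied service account credentials before creating the Secret.
# render_token_secret and is_b64 are hypothetical helpers, not part of the automation.

# Succeeds only when $1 is non-empty and decodes as base64.
is_b64() {
  [ -n "$1" ] && printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# render_token_secret NAME CA_CRT_B64 TOKEN_B64
# Prints the manifest on stdout; on bad input prints nothing and returns non-zero.
render_token_secret() {
  local name="$1" ca_b64="$2" token_b64="$3"
  if ! is_b64 "$ca_b64" || ! is_b64 "$token_b64"; then
    echo "error: ca.crt or token is empty or not base64" >&2
    return 1
  fi
  # ca.crt must decode to a PEM certificate, otherwise the wrong field was read.
  if ! printf '%s' "$ca_b64" | base64 -d | grep -q 'BEGIN CERTIFICATE'; then
    echo "error: ca.crt does not decode to a PEM certificate" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  ca.crt: $ca_b64
  token: $token_b64
EOF
}

# Constructed sample values (not real credentials).
SAMPLE_CA=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' | base64 | tr -d '\n')
SAMPLE_TOKEN=$(printf 'constructed-sample-token' | base64 | tr -d '\n')
```

With the variables from the steps above, the call would be `render_token_secret dogfooding-tekton-deployer-token "$CA_CRT" "$TOKEN"`; because the helper prints nothing on failure, no partial manifest reaches kubectl.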
The secret tektoncd-dogfooding-tekton-deployer holds a Kubernetes configuration file for the tekton-deployer service account on dogfooding.