OpenShift / RHEL / DevSecOps Index
Note: the steps in this article were verified on OpenShift 4.12.
Contents
- Prepare the environment
- Install the Tekton resources for KubeVirt operations
- Create an SSH key pair
- Create a VM from a CI/CD pipeline
- Method 1: create the VM from a manifest task
- Method 2: create the VM from a Template
- Create the Secrets
- Create the VM Template
- Create and run the CI/CD pipeline
- Access the VM
- Demo video
- References
Prepare the environment
In the OpenShift console, install OpenShift Pipelines from OperatorHub using the Red Hat OpenShift Pipelines Operator; the default installation settings are sufficient.
Install OpenShift Virtualization as described in "OpenShift 4 - Running OpenShift Virtualization in single-node OpenShift Local".
Because a number of components must run alongside the VMs, a single-node environment should have at least 24 GB of memory.
Install the Tekton resources for KubeVirt operations
- Run the following commands to install the latest release of the KubeVirt Tekton ClusterTasks together with the ClusterRole, RoleBinding and ServiceAccount objects they need. This creates cluster-scoped objects, so run it as a cluster administrator, and review the downloaded YAML before applying it; for anything beyond a lab, pin VERSION to a release you have reviewed instead of always taking the newest one.
$ VERSION=$(curl -s https://api.github.com/repos/kubevirt/kubevirt-tekton-tasks/releases | jq '.[] | select(.prerelease==false) | .tag_name' | sort -V | tail -n1 | tr -d '"')
$ oc apply -f https://github.com/kubevirt/kubevirt-tekton-tasks/releases/download/${VERSION}/kubevirt-tekton-tasks-okd.yaml
- The tasks used later in this article are create-vm-from-manifest, create-vm-from-template and execute-in-vm; confirm they are present with oc get clustertask.
- Create a project.
$ oc new-project ocp-vm
Create an SSH key pair
- Run ssh-keygen to create a key pair (answer y or press Enter at the prompts). Leave the passphrase empty, as the transcript below does: the private key is later stored in a Secret and used non-interactively by a Tekton task, which cannot answer a passphrase prompt. The article uses an RSA key; ssh-keygen -t ed25519 is the modern default and works the same way in the steps that follow.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/dawnsky/.ssh/id_rsa):
/home/dawnsky/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dawnsky/.ssh/id_rsa.
Your public key has been saved in /home/dawnsky/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:TuDfmBo334JvSp6REs5QZdhuNU5233gT4DEFd5/6hkw dawnsky@crc
Create a VM from a CI/CD pipeline
Method 1: create the VM from a manifest task
In this method the YAML that defines the VirtualMachine is passed directly to a Task in the pipeline.
- Open the Pipelines menu in the OpenShift console and create a new pipeline.
- In the Pipeline builder, set the pipeline name to create-vm-from-manifest-pipeline.
- In the Tasks area click "Add task", search for the create-vm-from-manifest task and add it to the pipeline.
- Select the create-vm-from-manifest task and paste the VirtualMachine YAML below into the manifest field of the Parameters panel on the right, then click Create at the bottom of the window.
Replace the ssh-rsa string under ssh_authorized_keys with the contents of the public key file created earlier. Note that the cloud-init userData below also sets a fixed password (password) for the fedora user, and that everything pasted into this field is stored in the Pipeline object, readable by anyone who can read Pipelines in the project; the password line (and the chpasswd block) can be dropped, since the injected SSH key is enough for the steps in this article.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  labels:
    kubevirt.io/vm: fedora-vm-1
  generateName: fedora-vm-1-
spec:
  dataVolumeTemplates:
    - metadata:
        name: fedora-vm-1
      spec:
        preallocation: false
        sourceRef:
          kind: DataSource
          name: fedora
          namespace: openshift-virtualization-os-images
        storage:
          resources:
            requests:
              storage: 30Gi
          storageClassName: crc-csi-hostpath-provisioner
  running: true
  template:
    metadata:
      labels:
        kubevirt.io/domain: fedora-vm-1
    spec:
      domain:
        cpu:
          cores: 1
        devices:
          disks:
            - bootOrder: 1
              disk:
                bus: virtio
              name: rootdisk
            - bootOrder: 2
              disk:
                bus: virtio
              name: cloudinitdisk
          interfaces:
            - bridge: {}
              name: default
        machine:
          type: ""
        resources:
          requests:
            memory: 1Gi
      networks:
        - name: 'default'
          pod: {}
      volumes:
        - dataVolume:
            name: fedora-vm-1
          name: rootdisk
        - cloudInitConfigDrive:
            userData: |
              #cloud-config
              user: fedora
              password: password
              chpasswd:
                expire: false
              final_message: boot finished, up $UPTIME seconds
              hostname: fedora-vm-1
              ssh_authorized_keys:
                - >-
                  ssh-rsa
                  AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Fp8GqfM9+lmL/wFW6ykbA6ftnjSGYGM2tsm+8UlOYWSkcnr7WXICLnfvp0gkDkzd5zIBm8t8O4tp8dT6vcfGuFhHuhZ4G16bFwHk5HRhHrZhEikHDMtjuaGsUCfuArkJHiuv6M0Gc553Ii/NloMGrlVEe5DBVvNNIaaShASCmw5erTElUSpLXRTQurh13MKoe/ZYbYTxjnYdgQKZ5S5mkH5P+AG4GWbqcp7/nfMKuaEE6bSDrgU2BmNENd57PTnXP6OFsSWMmGCfwxlKKzWC/Zx+46FzgaM509zDbPKFdrFgqiGKedNHPYUMb98+K/6Z124/+sOq5Ga0xp3SJX2t
                  dawnsky@crc
              runcmd:
                - >-
                  yum -y install httpd; systemctl enable --now httpd; echo SNO with VMS rules!
                  $HOSTNAME > /var/www/html/index.html
          name: cloudinitdisk
- Finally, open the YAML view of the generated Pipeline; it looks like the following (the console fills in sockets and threads under cpu):
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: create-vm-from-manifest-pipeline
spec:
  tasks:
    - name: create-vm-from-manifest
      params:
        - name: manifest
          value: |-
            apiVersion: kubevirt.io/v1
            kind: VirtualMachine
            metadata:
              labels:
                kubevirt.io/vm: fedora-vm-1
              generateName: fedora-vm-1-
            spec:
              dataVolumeTemplates:
                - metadata:
                    name: fedora-vm-1
                  spec:
                    preallocation: false
                    sourceRef:
                      kind: DataSource
                      name: fedora
                      namespace: openshift-virtualization-os-images
                    storage:
                      resources:
                        requests:
                          storage: 30Gi
                      storageClassName: crc-csi-hostpath-provisioner
              running: true
              template:
                metadata:
                  labels:
                    kubevirt.io/domain: fedora-vm-1
                spec:
                  domain:
                    cpu:
                      cores: 1
                      sockets: 1
                      threads: 1
                    devices:
                      disks:
                        - bootOrder: 1
                          disk:
                            bus: virtio
                          name: rootdisk
                        - bootOrder: 2
                          disk:
                            bus: virtio
                          name: cloudinitdisk
                      interfaces:
                        - bridge: {}
                          name: default
                    machine:
                      type: ""
                    resources:
                      requests:
                        memory: 1Gi
                  networks:
                    - name: 'default'
                      pod: {}
                  volumes:
                    - dataVolume:
                        name: fedora-vm-1
                      name: rootdisk
                    - cloudInitConfigDrive:
                        userData: |
                          #cloud-config
                          user: fedora
                          password: password
                          chpasswd:
                            expire: false
                          final_message: boot finished, up $UPTIME seconds
                          hostname: fedora-vm-1
                          ssh_authorized_keys:
                            - >-
                              ssh-rsa
                              AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Fp8GqfM9+lmL/wFW6ykbA6ftnjSGYGM2tsm+8UlOYWSkcnr7WXICLnfvp0gkDkzd5zIBm8t8O4tp8dT6vcfGuFhHuhZ4G16bFwHk5HRhHrZhEikHDMtjuaGsUCfuArkJHiuv6M0Gc553Ii/NloMGrlVEe5DBVvNNIaaShASCmw5erTElUSpLXRTQurh13MKoe/ZYbYTxjnYdgQKZ5S5mkH5P+AG4GWbqcp7/nfMKuaEE6bSDrgU2BmNENd57PTnXP6OFsSWMmGCfwxlKKzWC/Zx+46FzgaM509zDbPKFdrFgqiGKedNHPYUMb98+K/6Z124/+sOq5Ga0xp3SJX2t
                              dawnsky@crc
                          runcmd:
                            - >-
                              yum -y install httpd; systemctl enable --now httpd; echo SNO with VMS rules!
                              $HOSTNAME > /var/www/html/index.html
                      name: cloudinitdisk
      taskRef:
        kind: ClusterTask
        name: create-vm-from-manifest
- Run the Pipeline from the OpenShift console, then confirm that the VM was created and that the httpd service was installed and is running inside it.
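The procedure above pastes the public key into the console by hand and leaves a fixed password in cloud-init. The script below is an added example (not code from the article or from kubevirt-tekton-tasks) that does the same job from the command line: it validates the public key file, renders a TaskRun for the create-vm-from-manifest ClusterTask with that key as the only login method, and applies it when asked to. It assumes the ClusterTasks installed above, the ocp-vm project, the fedora DataSource and the crc-csi-hostpath-provisioner StorageClass from the article's manifest; it uses the masquerade interface binding in place of the article's bridge binding. The key used in its test is constructed and not a real key.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article or of kubevirt-tekton-tasks.
# Renders a TaskRun that hands the create-vm-from-manifest ClusterTask a VM
# manifest whose only login path is the SSH public key read from a file.
# Assumed: ClusterTasks installed, project ocp-vm, DataSource "fedora" and
# StorageClass crc-csi-hostpath-provisioner as in the article.

# Return 0 if the file holds exactly one OpenSSH public-key line
# (guards against pasting the private key by mistake).
is_ssh_pubkey() {
  local f="$1"
  [ -r "$f" ] || return 1
  [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ] || return 1
  grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .+)?$' "$f"
}

# Print a TaskRun for create-vm-from-manifest. $1 = public key file, $2 = VM name.
# No cloud-init password is set and ssh_pwauth is off, so only the key works.
render_vm_taskrun() {
  local pubkey_file="$1" vm_name="$2" pubkey
  is_ssh_pubkey "$pubkey_file" || { echo "not an OpenSSH public key: $pubkey_file" >&2; return 1; }
  pubkey="$(head -n 1 "$pubkey_file")"
  cat <<EOF
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  generateName: create-${vm_name}-
spec:
  taskRef:
    kind: ClusterTask
    name: create-vm-from-manifest
  params:
    - name: manifest
      value: |
        apiVersion: kubevirt.io/v1
        kind: VirtualMachine
        metadata:
          name: ${vm_name}
        spec:
          running: true
          dataVolumeTemplates:
            - metadata:
                name: ${vm_name}
              spec:
                sourceRef:
                  kind: DataSource
                  name: fedora
                  namespace: openshift-virtualization-os-images
                storage:
                  resources:
                    requests:
                      storage: 30Gi
                  storageClassName: crc-csi-hostpath-provisioner
          template:
            spec:
              domain:
                cpu:
                  cores: 1
                devices:
                  disks:
                    - bootOrder: 1
                      disk:
                        bus: virtio
                      name: rootdisk
                    - bootOrder: 2
                      disk:
                        bus: virtio
                      name: cloudinitdisk
                  interfaces:
                    - masquerade: {}
                      name: default
                resources:
                  requests:
                    memory: 1Gi
              networks:
                - name: default
                  pod: {}
              volumes:
                - dataVolume:
                    name: ${vm_name}
                  name: rootdisk
                - cloudInitConfigDrive:
                    userData: |
                      #cloud-config
                      user: fedora
                      ssh_pwauth: false
                      hostname: ${vm_name}
                      ssh_authorized_keys:
                        - ${pubkey}
                      runcmd:
                        - yum -y install httpd && systemctl enable --now httpd
                  name: cloudinitdisk
EOF
}

# Usage: ./render-vm-taskrun.sh --apply ~/.ssh/id_ed25519.pub fedora-vm-2
if [ "${1:-}" = "--apply" ]; then
  render_vm_taskrun "$2" "$3" | oc create -n ocp-vm -f -
fi
```

Without --apply, call render_vm_taskrun from a shell and redirect the output to a file to review it first. The result is the same VM as the console pipeline produces, but the TaskRun object now carries only a public key, so reading it reveals no credential.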
Method 2: create the VM from a Template
In this method a VirtualMachine Template is defined first, and a Task then creates the VM from that Template.
Create the Secrets
- Run the following commands to create one Secret from the public key and one from the private key (replace the /home/dawnsky directory with your own). The private-key Secret must be of type kubernetes.io/ssh-auth and carries the login user (fedora) in its user entry. The disable-strict-host-key-checking=true entry makes the execute-in-vm task skip SSH host-key verification; that is acceptable in this lab, but it also means the task would happily run its script against an impostor answering on the VM's address. Outside a lab, keep strict checking on and supply the VM's host key instead (the execute-in-vm task README in the referenced repository documents the host-public-key entry for this).
$ oc create secret generic fedora-vm-public-key --from-file=ssh-publickey=/home/dawnsky/.ssh/id_rsa.pub
$ oc create secret generic fedora-vm-private-key --from-file=ssh-privatekey=/home/dawnsky/.ssh/id_rsa --from-literal=disable-strict-host-key-checking=true --from-literal=user=fedora --type=kubernetes.io/ssh-auth
- Confirm the Secrets and their types.
$ oc get secret
NAME                    TYPE                     DATA   AGE
...
fedora-vm-private-key   kubernetes.io/ssh-auth   3      47m
fedora-vm-public-key    Opaque                   1      21h
...
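Because execute-in-vm reads this Secret non-interactively, a malformed Secret only shows up later as a failed pipeline run. The script below is an added example (not from the article or from kubevirt-tekton-tasks) that checks the Secret offline from an oc get secret -o yaml dump: it verifies the kubernetes.io/ssh-auth type and the ssh-privatekey and user entries set by the oc create secret command above, and prints a warning when disable-strict-host-key-checking is true. It assumes the YAML layout oc prints (base64 values under a top-level data: key, indented by two spaces); the Secret in its test is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article or of kubevirt-tekton-tasks.
# Offline sanity check of the private-key Secret consumed by execute-in-vm:
#   oc get secret fedora-vm-private-key -o yaml > fedora-vm-private-key.yaml
#   ./check-ssh-secret.sh --check fedora-vm-private-key.yaml
# Assumed layout: the YAML as printed by oc (data values base64 encoded,
# two-space indented under a top-level "data:" key).

# Print the decoded value of one data entry. $1 = secret YAML file, $2 = key name.
secret_value() {
  awk -v k="$2:" '
    $1 == k && in_data { print $2; exit }
    /^data:/ { in_data = 1 }
    /^[^ ]/ && !/^data:/ { in_data = 0 }
  ' "$1" | base64 -d
}

# Check the Secret. Prints FAIL/WARN lines; returns 1 if anything FAILed.
check_ssh_secret() {
  local f="$1" rc=0 k
  grep -q '^type: kubernetes.io/ssh-auth$' "$f" \
    || { echo "FAIL: type must be kubernetes.io/ssh-auth"; rc=1; }
  for k in ssh-privatekey user; do
    grep -Eq "^  $k:" "$f" || { echo "FAIL: missing data entry $k"; rc=1; }
  done
  secret_value "$f" ssh-privatekey | grep -q 'PRIVATE KEY' \
    || { echo "FAIL: ssh-privatekey does not decode to a private key"; rc=1; }
  if [ "$(secret_value "$f" disable-strict-host-key-checking)" = "true" ]; then
    echo "WARN: disable-strict-host-key-checking=true: the task will accept any host key for the VM"
  fi
  return "$rc"
}

if [ "${1:-}" = "--check" ]; then
  check_ssh_secret "$2"
fi
```

A non-zero exit stops a wrapper script before the pipeline is started; the WARN line is deliberately not fatal, because the article's lab setup relies on it, but it is the line to make fatal once a host-public-key entry is in place.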
Create the VM Template
- In the OpenShift console, open the Templates page under Virtualization.
- Click Create Template; on the "Create template" page adjust the name, the image to use and so on, then create the template. The template used in this article follows. Two points to note: the PASSWORD parameter generates a six-character [a-z0-9] password, which is too weak for anything but a lab (widen the expression, or remove the password line from userData and rely on the SSH key injected through accessCredentials), and the generated value is written into the VM's cloud-init userData, so anyone who can read the VirtualMachine object can read the password (KubeVirt also allows cloudInitNoCloud to take its userData from a Secret through secretRef).
kind: Template
apiVersion: template.openshift.io/v1
metadata:
  name: vm-template-fedora36
  labels:
    template.kubevirt.io/type: vm
    workload.template.kubevirt.io/server: 'true'
  annotations:
    description: Fedora36 VM template
    iconClass: icon-fedora
    openshift.io/display-name: My Fedora36 VM
objects:
  - apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: '${NAME}'
      annotations:
        description: Fedora36 VM
      labels:
        app: '${NAME}'
        vm.kubevirt.io/template: vm-template-fedora36
    spec:
      running: true
      template:
        metadata:
          annotations:
            vm.kubevirt.io/os: fedora
            vm.kubevirt.io/workload: server
          labels:
            kubevirt.io/domain: '${NAME}'
        spec:
          domain:
            cpu:
              cores: 1
            devices:
              disks:
                - disk:
                    bus: virtio
                  name: containerdisk
                - disk:
                    bus: virtio
                  name: cloudinitdisk
              interfaces:
                - masquerade: {}
                  model: virtio
                  name: default
            resources:
              requests:
                memory: 2Gi
          hostname: '${NAME}'
          networks:
            - name: default
              pod: {}
          volumes:
            - containerDisk:
                image: 'quay.io/containerdisks/fedora:36'
              name: containerdisk
            - cloudInitNoCloud:
                userData: |-
                  #cloud-config
                  password: ${PASSWORD}
                  chpasswd: { expire: False }
              name: cloudinitdisk
          accessCredentials:
            - sshPublicKey:
                source:
                  secret:
                    secretName: '${PUBLIC_KEY_SECRET}'
                propagationMethod:
                  configDrive: {}
parameters:
  - name: NAME
    description: Name for the new VM
    generate: expression
    from: 'fedora-vm-[a-z0-9]{6}'
    required: true
  - name: PASSWORD
    description: Password for user fedora
    generate: expression
    from: '[a-z0-9]{6}'
    required: true
  - name: PUBLIC_KEY_SECRET
    description: Secret including public key
    required: true
Create and run the CI/CD pipeline
- Click the Pipelines menu in the OpenShift console and create a new pipeline.
- In the Pipeline builder, set the pipeline name to create-vm-from-template-pipeline.
- Click "Add task" and add the create-vm-from-template task, then add the execute-in-vm task to run after it. The resulting Pipeline YAML is shown below. The templateName parameter must match the name of the Template created above (vm-template-fedora36), and every pipeline parameter, vmPassword included, is stored in clear text in the PipelineRun object.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: create-vm-from-template-pipeline
spec:
  params:
    - description: VM Name
      name: vmName
      type: string
    - description: Password for user fedora
      name: vmPassword
      type: string
    - name: publicKeySecret
      type: string
    - name: privateKeySecret
      type: string
  tasks:
    - name: create-vm-from-template
      params:
        - name: templateName
          value: vm-template-fedora36
        - name: templateParams
          value:
            - 'NAME:$(params.vmName)'
            - 'PASSWORD:$(params.vmPassword)'
            - 'PUBLIC_KEY_SECRET:$(params.publicKeySecret)'
        - name: dataVolumes
          value: []
        - name: ownDataVolumes
          value: []
        - name: persistentVolumeClaims
          value: []
        - name: ownPersistentVolumeClaims
          value: []
      taskRef:
        kind: ClusterTask
        name: create-vm-from-template
    - name: execute-in-vm
      params:
        - name: vmName
          value: $(params.vmName)
        - name: secretName
          value: $(params.privateKeySecret)
        - name: command
          value: []
        - name: args
          value: []
        - name: script
          value: |-
            #!/usr/bin/env bash
            set -ex
            sudo yum install -y httpd
            sudo systemctl enable --now httpd
            echo helloworld > index.html
            sudo mv index.html /var/www/html/index.html
            curl localhost
      runAfter:
        - create-vm-from-template
      taskRef:
        kind: ClusterTask
        name: execute-in-vm
Once saved, the console shows the two tasks in sequence in the Pipeline view.
- Finally, run the create-vm-from-template-pipeline pipeline from the console and enter the parameters in the start dialog: vmName, vmPassword, and the names of the Secrets created above for publicKeySecret (fedora-vm-public-key) and privateKeySecret (fedora-vm-private-key).
- Wait for the pipeline run to complete successfully.
After the run completes, open the execute-in-vm task log and confirm it contains the helloworld output.
Access the VM
- On the VM's Details page, enable SSH over NodePort.
- Copy the ssh command shown there and run it to confirm that the VM is reachable. Before answering yes at the host-key prompt, compare the fingerprint shown with the VM's own host key (for example by running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub from the VM console); accepting it unseen is the same trust decision that disable-strict-host-key-checking made for the pipeline.
$ ssh fedora@console-openshift-console.apps-crc.testing -p 30514
The authenticity of host '[console-openshift-console.apps-crc.testing]:30514 ([192.168.130.11]:30514)' can't be established.
ECDSA key fingerprint is SHA256:sDacCgp5UsNbNccBpOwUSQy+pIoK8/dVfeo+Nm2wJLU.
ECDSA key fingerprint is MD5:5f:51:44:66:2a:8a:f0:10:09:46:70:b2:37:96:27:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[console-openshift-console.apps-crc.testing]:30514,[192.168.130.11]:30514' (ECDSA) to the list of known hosts.
Last login: Mon Apr 17 11:24:48 2023
- Run the following command to confirm that the page written by the execute-in-vm script is being served (the script wrote /var/www/html/index.html, so request the site root).
[fedora@fedora-vm-1 ~]$ curl localhost
helloworld
Demo video
References
https://gitee.com/dawnskyliu/kubevirt-tekton-tasks
https://github.com/kubevirt/kubevirt-tekton-tasks