K3S-HOME/platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FEAT(ci): add ArgoCD Image Updater and CI/CD pipelines

Browse Source 
- ArgoCD Image Updater for Zot registry polling
- Tekton Tasks: git-clone, buildah-build-push
- Pipelines: nextjs, fastapi, python
- ExternalSecrets for Zot and GitHub credentials
This commit is contained in:
Mayne0213
2026-01-07 14:27:51 +09:00
parent 34de9051c6
commit e1641cd3cf
14 changed files with 503 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
argocd-image-updater/argocd.yaml Normal file
View File

@@ -0,0 +1,35 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd-image-updater
namespace: argocd
spec:
project: default
sources:
- repoURL: https://argoproj.github.io/argo-helm
chart: argocd-image-updater
targetRevision: 0.11.0
helm:
valueFiles:
- $values/argocd-image-updater/helm-values.yaml
- repoURL: https://github.com/K3S-HOME/platform.git
targetRevision: main
ref: values
- repoURL: https://github.com/K3S-HOME/platform.git
targetRevision: main
path: argocd-image-updater/manifests
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

28
argocd-image-updater/helm-values.yaml Normal file
View File

@@ -0,0 +1,28 @@
# ArgoCD Image Updater Helm Values
# Configuration for Zot private registry
config:
logLevel: debug
registries:
- name: zot
prefix: zot0213.kro.kr
api_url: https://zot0213.kro.kr
credentials: pullsecret:argocd/zot-registry-credentials
insecure: false
# Resource limits
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
memory: 256Mi
# Tolerations for master node
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoExecute"
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"

6
argocd-image-updater/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- argocd.yaml
- manifests/secret.yaml

27
argocd-image-updater/manifests/secret.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: zot-registry-credentials
namespace: argocd
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
target:
name: zot-registry-credentials
creationPolicy: Owner
template:
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: |
{"auths":{"zot0213.kro.kr":{"username":"{{ .USERNAME }}","password":"{{ .PASSWORD }}","auth":"{{ printf "%s:%s" .USERNAME .PASSWORD | b64enc }}"}}}
data:
- secretKey: USERNAME
remoteRef:
key: zot
property: USERNAME
- secretKey: PASSWORD
remoteRef:
key: zot
property: PASSWORD

9
kustomization.yaml
View File

@@ -7,5 +7,14 @@ resources:
- cert-manager/argocd.yaml
- traefik/argocd.yaml
# Tekton CI/CD Platform
- tekton/pipeline/argocd.yaml
- tekton/triggers/argocd.yaml
- tekton/dashboard/argocd.yaml
- tekton/ci-cd/argocd.yaml
# ArgoCD Image Updater
- argocd-image-updater/argocd.yaml
# ArgoCD configuration (no Application, just configuration)
- argocd

28
tekton/ci-cd/argocd.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: tekton-ci-cd
namespace: argocd
annotations:
argocd.argoproj.io/compare-options: IgnoreExtraneous
spec:
project: default
source:
repoURL: https://github.com/K3S-HOME/platform.git
targetRevision: main
path: tekton/ci-cd/manifests
destination:
server: https://kubernetes.default.svc
namespace: tekton-pipelines
syncPolicy:
automated:
prune: false
selfHeal: true
syncOptions:
- CreateNamespace=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

14
tekton/ci-cd/manifests/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Secrets
- secrets/zot-registry-secret.yaml
- secrets/github-credentials.yaml
# Tasks
- tasks/git-clone.yaml
- tasks/buildah-build-push.yaml
# Pipelines
- pipelines/nextjs-pipeline.yaml
- pipelines/fastapi-pipeline.yaml
- pipelines/python-pipeline.yaml

59
tekton/ci-cd/manifests/pipelines/fastapi-pipeline.yaml Normal file
View File

@@ -0,0 +1,59 @@
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: fastapi-build-deploy
namespace: tekton-pipelines
spec:
description: Build FastAPI app and push to Zot registry
params:
- name: git-url
description: Git repository URL
type: string
- name: git-revision
description: Git revision (branch/tag/sha)
type: string
default: main
- name: app-name
description: Application name
type: string
- name: context-dir
description: Docker build context directory
type: string
default: ./fastapi
workspaces:
- name: shared-workspace
description: Shared workspace for all tasks
- name: docker-credentials
description: Docker registry credentials
tasks:
- name: clone
taskRef:
name: git-clone
params:
- name: url
value: $(params.git-url)
- name: revision
value: $(params.git-revision)
- name: deleteExisting
value: "true"
workspaces:
- name: output
workspace: shared-workspace
- name: build-push
taskRef:
name: buildah-build-push
runAfter:
- clone
params:
- name: IMAGE
value: zot0213.kro.kr/$(params.app-name):$(params.git-revision)
- name: DOCKERFILE
value: ./Dockerfile
- name: CONTEXT
value: $(params.context-dir)
workspaces:
- name: source
workspace: shared-workspace
- name: dockerconfig
workspace: docker-credentials

65
tekton/ci-cd/manifests/pipelines/nextjs-pipeline.yaml Normal file
View File

@@ -0,0 +1,65 @@
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: nextjs-build-deploy
namespace: tekton-pipelines
spec:
description: Build Next.js app and push to Zot registry
params:
- name: git-url
description: Git repository URL
type: string
- name: git-revision
description: Git revision (branch/tag/sha)
type: string
default: main
- name: app-name
description: Application name
type: string
- name: context-dir
description: Docker build context directory
type: string
default: ./nextjs
- name: build-args
description: Build arguments (key=value format, one per line)
type: string
default: ""
workspaces:
- name: shared-workspace
description: Shared workspace for all tasks
- name: docker-credentials
description: Docker registry credentials
tasks:
- name: clone
taskRef:
name: git-clone
params:
- name: url
value: $(params.git-url)
- name: revision
value: $(params.git-revision)
- name: deleteExisting
value: "true"
workspaces:
- name: output
workspace: shared-workspace
- name: build-push
taskRef:
name: buildah-build-push
runAfter:
- clone
params:
- name: IMAGE
value: zot0213.kro.kr/$(params.app-name):$(params.git-revision)
- name: DOCKERFILE
value: ./Dockerfile
- name: CONTEXT
value: $(params.context-dir)
- name: BUILD_ARGS
value: $(params.build-args)
workspaces:
- name: source
workspace: shared-workspace
- name: dockerconfig
workspace: docker-credentials

59
tekton/ci-cd/manifests/pipelines/python-pipeline.yaml Normal file
View File

@@ -0,0 +1,59 @@
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: python-build-deploy
namespace: tekton-pipelines
spec:
description: Build Python app (LangGraph/Chainlit) and push to Zot registry
params:
- name: git-url
description: Git repository URL
type: string
- name: git-revision
description: Git revision (branch/tag/sha)
type: string
default: main
- name: app-name
description: Application name
type: string
- name: context-dir
description: Docker build context directory
type: string
default: ./langgraph
workspaces:
- name: shared-workspace
description: Shared workspace for all tasks
- name: docker-credentials
description: Docker registry credentials
tasks:
- name: clone
taskRef:
name: git-clone
params:
- name: url
value: $(params.git-url)
- name: revision
value: $(params.git-revision)
- name: deleteExisting
value: "true"
workspaces:
- name: output
workspace: shared-workspace
- name: build-push
taskRef:
name: buildah-build-push
runAfter:
- clone
params:
- name: IMAGE
value: zot0213.kro.kr/$(params.app-name):$(params.git-revision)
- name: DOCKERFILE
value: ./Dockerfile
- name: CONTEXT
value: $(params.context-dir)
workspaces:
- name: source
workspace: shared-workspace
- name: dockerconfig
workspace: docker-credentials

18
tekton/ci-cd/manifests/secrets/github-credentials.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: github-credentials
namespace: tekton-pipelines
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
target:
name: github-credentials
creationPolicy: Owner
data:
- secretKey: token
remoteRef:
key: github
property: PAT

27
tekton/ci-cd/manifests/secrets/zot-registry-secret.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: zot-registry-credentials
namespace: tekton-pipelines
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
target:
name: zot-registry-credentials
creationPolicy: Owner
template:
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: |
{"auths":{"zot0213.kro.kr":{"username":"{{ .USERNAME }}","password":"{{ .PASSWORD }}","auth":"{{ printf "%s:%s" .USERNAME .PASSWORD | b64enc }}"}}}
data:
- secretKey: USERNAME
remoteRef:
key: zot
property: USERNAME
- secretKey: PASSWORD
remoteRef:
key: zot
property: PASSWORD

71
tekton/ci-cd/manifests/tasks/buildah-build-push.yaml Normal file
View File

@@ -0,0 +1,71 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: buildah-build-push
namespace: tekton-pipelines
spec:
description: Build container image with Buildah and push to registry
params:
- name: IMAGE
description: Full image reference (registry/repo:tag)
type: string
- name: DOCKERFILE
description: Path to Dockerfile
type: string
default: ./Dockerfile
- name: CONTEXT
description: Build context directory
type: string
default: .
- name: BUILD_ARGS
description: Build arguments (key=value format, one per line)
type: string
default: ""
workspaces:
- name: source
description: Source code workspace
- name: dockerconfig
description: Docker config for registry auth
optional: true
results:
- name: IMAGE_DIGEST
description: Digest of built image
- name: IMAGE_URL
description: Full URL of pushed image
steps:
- name: build-and-push
image: quay.io/buildah/stable:v1.33
securityContext:
privileged: true
workingDir: $(workspaces.source.path)
env:
- name: BUILD_ARGS
value: $(params.BUILD_ARGS)
script: |
#!/usr/bin/env bash
set -ex
REGISTRY=$(echo "$(params.IMAGE)" | cut -d'/' -f1)
DOCKER_CONFIG="$(workspaces.dockerconfig.path)/.dockerconfigjson"
# Login to registry
if [ -f "$DOCKER_CONFIG" ]; then
USER=$(sed -n 's/.*"username":"\([^"]*\)".*/\1/p' "$DOCKER_CONFIG")
PASS=$(sed -n 's/.*"password":"\([^"]*\)".*/\1/p' "$DOCKER_CONFIG")
buildah login -u "$USER" -p "$PASS" "$REGISTRY"
fi
# Parse build args
BUILD_ARGS_FLAGS=""
while IFS= read -r line; do
[ -n "$line" ] && BUILD_ARGS_FLAGS="$BUILD_ARGS_FLAGS --build-arg $line"
done <<< "$BUILD_ARGS"
# Build and push
buildah bud --platform linux/arm64 --format docker \
-f $(params.DOCKERFILE) -t $(params.IMAGE) $BUILD_ARGS_FLAGS $(params.CONTEXT)
buildah push --digestfile /tmp/image-digest $(params.IMAGE)
# Output results
cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$(params.IMAGE)" | tee $(results.IMAGE_URL.path)

57
tekton/ci-cd/manifests/tasks/git-clone.yaml Normal file
View File

@@ -0,0 +1,57 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: git-clone
namespace: tekton-pipelines
labels:
app.kubernetes.io/version: "1.0"
spec:
description: Clone a git repository using standard git
workspaces:
- name: output
description: The git repo will be cloned onto the volume backing this Workspace.
params:
- name: url
description: Repository URL to clone from.
type: string
- name: revision
description: Revision to checkout (branch, tag, sha, ref).
type: string
default: "main"
- name: depth
description: Perform a shallow clone, fetching only the most recent N commits.
type: string
default: "1"
- name: deleteExisting
description: Clean out the contents of the destination directory if it already exists.
type: string
default: "true"
results:
- name: commit
description: The precise commit SHA that was fetched by this Task.
- name: url
description: The precise URL that was fetched by this Task.
steps:
- name: clone
image: alpine/git:latest
script: |
#!/bin/sh
set -ex
CHECKOUT_DIR="$(workspaces.output.path)"
if [ "$(params.deleteExisting)" = "true" ] && [ -d "${CHECKOUT_DIR}" ]; then
rm -rf "${CHECKOUT_DIR:?}/"* || true
rm -rf "${CHECKOUT_DIR}"/.[!.]* || true
fi
cd "${CHECKOUT_DIR}"
git clone --depth="$(params.depth)" --branch="$(params.revision)" \
"$(params.url)" .
RESULT_SHA="$(git rev-parse HEAD)"
printf "%s" "${RESULT_SHA}" > "$(results.commit.path)"
printf "%s" "$(params.url)" > "$(results.url.path)"
echo "Cloned $(params.url) at ${RESULT_SHA}"