Skip to main content
Plugins / Kubernetes Deployment or StatefulSet Update

Kubernetes Deployment or StatefulSet Update

by EuryeceTelecom
Website
deploykubernetesdeploymentcontainerstatefulset

Update a Kubernetes deployment or statefulset


Kubernetes plugin for Woodpecker-CI

This plugin allows to update a Kubernetes deployment or statefulset.

Settings

Setting Name Default Description
kubernetes_server none Kubernetes server to target (ex: https://mykubernetes.example.com) - mandatory
kubernetes_token none Kubernetes token to use (cf Generating secrets) - mandatory / B64 encoded
kubernetes_cert none Kubernetes certificate to use (cf Generating secrets) / B64 encoded
kubernetes_user default Kubernetes user to use
deployment none Deployment(s) to update - at least 1 deployment or statefulset are mandatory
statefulset none StatefulSet(s) to update - at least 1 deployment or statefulset are mandatory
namespace default Deployment or StatefulSet namespace
repo none Repository containing the image to pull from (ex: myrepo.example.com/project/image) - mandatory
container none Container(s) to update with the image - mandatory
tag none Image tag to pull from - mandatory
wait none Wait for update to be applied (ex: true)
wait_timeout 30s Wait timeout
force none Force pull the new image, to ensure an image with the same tag is updated (ex: true)

Usage

Update a container from one Deployment

This pipeline will update the my-deployment deployment with the image tagged CI_COMMIT_SHA

    deploy:
        image: euryecetelecom/woodpeckerci-kubernetes
        settings:
            kubernetes_server:
                from_secret: kubernetes_server
            kubernetes_token:
                from_secret: kubernetes_token
            kubernetes_cert:
                from_secret: kubernetes_cert
            namespace: default
            deployment: my-deployment
            repo: myorg/myrepo
            container: my-container
            tag: ${CI_COMMIT_BRANCH}
        secrets:
            - kubernetes_cert
            - kubernetes_server
            - kubernetes_token

Update a container from one StatefulSet

This pipeline will update the my-statefulset statefulset with the image tagged CI_COMMIT_SHA

    deploy:
        image: euryecetelecom/woodpeckerci-kubernetes
        settings:
            kubernetes_server:
                from_secret: kubernetes_server
            kubernetes_token:
                from_secret: kubernetes_token
            kubernetes_cert:
                from_secret: kubernetes_cert
            namespace: default
            statefulset: my-statefulset
            repo: myorg/myrepo
            container: my-container
            tag: ${CI_COMMIT_BRANCH}
        secrets:
            - kubernetes_cert
            - kubernetes_server
            - kubernetes_token

Update a container from one Deployment, force rollout and wait for it

This pipeline will update the my-deployment deployment with the image tagged CI_COMMIT_SHA, force rollout and wait 300s (default is 30s) for it to be ready. This helps to ensure the next pipeline step is based on the deployed container - for automatic testing purposes for example.

    deploy:
        image: euryecetelecom/woodpeckerci-kubernetes
        settings:
            kubernetes_server:
                from_secret: kubernetes_server
            kubernetes_token:
                from_secret: kubernetes_token
            kubernetes_cert:
                from_secret: kubernetes_cert
            namespace: default
            wait: true
            wait_timeout: 60s
            force: true
            deployment: my-deployment
            repo: myorg/myrepo
            container: my-container
            tag: ${CI_COMMIT_BRANCH}
        secrets:
            - kubernetes_cert
            - kubernetes_server
            - kubernetes_token

Update a container from several Deployments

Deploying containers across several deployments, eg in a scheduler-worker setup. Make sure your container name in your manifest is the same for each pod.

    deploy:
        image: euryecetelecom/woodpeckerci-kubernetes
        settings:
            kubernetes_server:
                from_secret: kubernetes_server
            kubernetes_token:
                from_secret: kubernetes_token
            kubernetes_cert:
                from_secret: kubernetes_cert
            namespace: default
            deployment: [server-deploy, worker-deploy]
            repo: myorg/myrepo
            container: my-container
            tag: ${CI_COMMIT_BRANCH}
        secrets:
            - kubernetes_cert
            - kubernetes_server
            - kubernetes_token

Update multiple container from a Deployment

Deploying multiple containers within the same deployment.

    deploy:
        image: euryecetelecom/woodpeckerci-kubernetes
        settings:
            kubernetes_server:
                from_secret: kubernetes_server
            kubernetes_token:
                from_secret: kubernetes_token
            kubernetes_cert:
                from_secret: kubernetes_cert
            namespace: default
            deployment: my-deployment
            repo: myorg/myrepo
            container: [container1, container2]
            tag: ${CI_COMMIT_BRANCH}
        secrets:
            - kubernetes_cert
            - kubernetes_server
            - kubernetes_token

TODO: To be tested - multiple containers from multiple deployments

Required secrets

    woodpecker-cli secret add --image=infras/woodpeckerci-kubernetes \
        your-org/your-repo KUBERNETES_SERVER https://mykubernetesapiserver

    woodpecker-cli secret add --image=infras/woodpeckerci-kubernetes \
        your-org/your-repo KUBERNETES_CERT <base64 encoded CA.crt>

    woodpecker-cli secret add --image=infras/woodpeckerci-kubernetes \
        your-org/your-repo KUBERNETES_TOKEN eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJ...

When using TLS Verification, ensure Server Certificate used by kubernetes API server is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )

Generating secrets - RBAC

When using a version of kubernetes with RBAC (role-based access control) enabled, you will not be able to use the default service account, since it does not have access to update deployments. Instead, you will need to create a custom service account with the appropriate permissions (Role and RoleBinding, or ClusterRole and ClusterRoleBinding if you need access across namespaces using the same service account).

As an example (for the default namespace):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: cicd-deploy
  namespace: default
automountServiceAccountToken: true

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cicd-deploy
  namespace: default
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get","list","patch","update", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cicd-deploy
  namespace: default
subjects:
  - kind: ServiceAccount
    name: cicd-deploy
    namespace: default
roleRef:
  kind: Role
  name: cicd-deploy
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: Secret
metadata:
  name: cicd-deploy-secret
  namespace: default
  annotations:
    kubernetes.io/service-account.name: cicd-deploy
type: kubernetes.io/service-account-token

Once the service account is created, you can extract the ca.cert and token parameters as mentioned for the default service account above:

kubectl -n default get secret/cicd-deploy-secret -o yaml | egrep 'ca.crt:|token:'

Improvements / Ideas

Replace the current kubectl bash script with a go implementation.