Kubernetes Deployment or StatefulSet Update
Update a Kubernetes deployment or statefulset
Kubernetes plugin for Woodpecker-CI
This plugin allows to update a Kubernetes deployment or statefulset.
Settings
| Setting Name | Default | Description |
|---|---|---|
kubernetes_server |
none | Kubernetes server to target (ex: https://mykubernetes.example.com) - mandatory |
kubernetes_token |
none | Kubernetes token to use (cf Generating secrets) - mandatory / B64 encoded |
kubernetes_cert |
none | Kubernetes certificate to use (cf Generating secrets) / B64 encoded |
kubernetes_user |
default |
Kubernetes user to use |
deployment |
none | Deployment(s) to update - at least 1 deployment or statefulset are mandatory |
statefulset |
none | StatefulSet(s) to update - at least 1 deployment or statefulset are mandatory |
namespace |
default |
Deployment or StatefulSet namespace |
repo |
none | Repository containing the image to pull from (ex: myrepo.example.com/project/image) - mandatory |
container |
none | Container(s) to update with the image - mandatory |
tag |
none | Image tag to pull from - mandatory |
wait |
none | Wait for update to be applied (ex: true) |
wait_timeout |
30s |
Wait timeout |
force |
none | Force pull the new image, to ensure an image with the same tag is updated (ex: true) |
Usage
Update a container from one Deployment
This pipeline will update the my-deployment deployment with the image tagged CI_COMMIT_SHA
deploy:
image: euryecetelecom/woodpeckerci-kubernetes
settings:
kubernetes_server:
from_secret: kubernetes_server
kubernetes_token:
from_secret: kubernetes_token
kubernetes_cert:
from_secret: kubernetes_cert
namespace: default
deployment: my-deployment
repo: myorg/myrepo
container: my-container
tag: ${CI_COMMIT_BRANCH}
secrets:
- kubernetes_cert
- kubernetes_server
- kubernetes_token
Update a container from one StatefulSet
This pipeline will update the my-statefulset statefulset with the image tagged CI_COMMIT_SHA
deploy:
image: euryecetelecom/woodpeckerci-kubernetes
settings:
kubernetes_server:
from_secret: kubernetes_server
kubernetes_token:
from_secret: kubernetes_token
kubernetes_cert:
from_secret: kubernetes_cert
namespace: default
statefulset: my-statefulset
repo: myorg/myrepo
container: my-container
tag: ${CI_COMMIT_BRANCH}
secrets:
- kubernetes_cert
- kubernetes_server
- kubernetes_token
Update a container from one Deployment, force rollout and wait for it
This pipeline will update the my-deployment deployment with the image tagged CI_COMMIT_SHA, force rollout and wait 300s (default is 30s) for it to be ready. This helps to ensure the next pipeline step is based on the deployed container - for automatic testing purposes for example.
deploy:
image: euryecetelecom/woodpeckerci-kubernetes
settings:
kubernetes_server:
from_secret: kubernetes_server
kubernetes_token:
from_secret: kubernetes_token
kubernetes_cert:
from_secret: kubernetes_cert
namespace: default
wait: true
wait_timeout: 60s
force: true
deployment: my-deployment
repo: myorg/myrepo
container: my-container
tag: ${CI_COMMIT_BRANCH}
secrets:
- kubernetes_cert
- kubernetes_server
- kubernetes_token
Update a container from several Deployments
Deploying containers across several deployments, eg in a scheduler-worker setup. Make sure your container name in your manifest is the same for each pod.
deploy:
image: euryecetelecom/woodpeckerci-kubernetes
settings:
kubernetes_server:
from_secret: kubernetes_server
kubernetes_token:
from_secret: kubernetes_token
kubernetes_cert:
from_secret: kubernetes_cert
namespace: default
deployment: [server-deploy, worker-deploy]
repo: myorg/myrepo
container: my-container
tag: ${CI_COMMIT_BRANCH}
secrets:
- kubernetes_cert
- kubernetes_server
- kubernetes_token
Update multiple container from a Deployment
Deploying multiple containers within the same deployment.
deploy:
image: euryecetelecom/woodpeckerci-kubernetes
settings:
kubernetes_server:
from_secret: kubernetes_server
kubernetes_token:
from_secret: kubernetes_token
kubernetes_cert:
from_secret: kubernetes_cert
namespace: default
deployment: my-deployment
repo: myorg/myrepo
container: [container1, container2]
tag: ${CI_COMMIT_BRANCH}
secrets:
- kubernetes_cert
- kubernetes_server
- kubernetes_token
TODO: To be tested - multiple containers from multiple deployments
Required secrets
woodpecker-cli secret add --image=infras/woodpeckerci-kubernetes \
your-org/your-repo KUBERNETES_SERVER https://mykubernetesapiserver
woodpecker-cli secret add --image=infras/woodpeckerci-kubernetes \
your-org/your-repo KUBERNETES_CERT <base64 encoded CA.crt>
woodpecker-cli secret add --image=infras/woodpeckerci-kubernetes \
your-org/your-repo KUBERNETES_TOKEN eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJ...
When using TLS Verification, ensure Server Certificate used by kubernetes API server is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )
Generating secrets - RBAC
When using a version of kubernetes with RBAC (role-based access control)
enabled, you will not be able to use the default service account, since it does
not have access to update deployments. Instead, you will need to create a
custom service account with the appropriate permissions (Role and RoleBinding, or ClusterRole and ClusterRoleBinding if you need access across namespaces using the same service account).
As an example (for the default namespace):
apiVersion: v1
kind: ServiceAccount
metadata:
name: cicd-deploy
namespace: default
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cicd-deploy
namespace: default
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get","list","patch","update", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cicd-deploy
namespace: default
subjects:
- kind: ServiceAccount
name: cicd-deploy
namespace: default
roleRef:
kind: Role
name: cicd-deploy
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
name: cicd-deploy-secret
namespace: default
annotations:
kubernetes.io/service-account.name: cicd-deploy
type: kubernetes.io/service-account-token
Once the service account is created, you can extract the ca.cert and token
parameters as mentioned for the default service account above:
kubectl -n default get secret/cicd-deploy-secret -o yaml | egrep 'ca.crt:|token:'
Improvements / Ideas
Replace the current kubectl bash script with a go implementation.