3.3. 在 GitLab 中使用 Pipelines as Code
如果您的机构或项目使用 GitLab 作为首选平台,您可以在 GitLab 上使用带有 webhook 的仓库的 Pipelines as Code。
先决条件
- 确保在集群中安装了 Pipelines as Code。
为授权,请生成个人访问令牌作为 GitLab 上项目或机构的管理器。
注意-
如果要使用
tkn pacCLI 配置 webhook,请将admin:repo_hook范围添加到令牌中。 - 使用范围被设置为针对特定项目的令牌无法提供对从已分叉存储库发送的合并请求 (MR) 的 API 访问。在这种情况下,Pipelines as Code 会以一条 MR 评论的方式显示结果。
-
如果要使用
流程
配置 Webhook 并创建一个
Repository自定义资源 (CR)。要配置 webhook 并使用
tkn pacCLI 工具自动创建一个RepositoryCR,请使用以下命令:$ tkn pac create repo
互动输出示例
? Enter the Git repository url (default: https://gitlab.com/owner/repo): ? Please enter the namespace where the pipeline should run (default: repo-pipelines): ! Namespace repo-pipelines is not found ? Would you like me to create the namespace repo-pipelines? Yes ✓ Repository repositories-project has been created in repo-pipelines namespace ✓ Setting up GitLab Webhook for Repository https://gitlab.com/owner/repo ? Please enter the project ID for the repository you want to be configured, project ID refers to an unique ID (e.g. 34405323) shown at the top of your GitLab project : 17103 👀 I have detected a controller url: https://pipelines-as-code-controller-openshift-pipelines.apps.example.com ? Do you want me to use it? Yes ? Please enter the secret to configure the webhook for payload validation (default: lFjHIEcaGFlF): lFjHIEcaGFlF ℹ ️You now need to create a GitLab personal access token with `api` scope ℹ ️Go to this URL to generate one https://gitlab.com/-/profile/personal_access_tokens, see https://is.gd/rOEo9B for documentation ? Please enter the GitLab access token: ************************** ? Please enter your GitLab API URL:: https://gitlab.com ✓ Webhook has been created on your repository 🔑 Webhook Secret repositories-project has been created in the repo-pipelines namespace. 🔑 Repository CR repositories-project has been updated with webhook secret in the repo-pipelines namespace ℹ Directory .tekton has been created. ✓ A basic template has been created in /home/Go/src/gitlab.com/repositories/project/.tekton/pipelinerun.yaml, feel free to customize it.
要配置 webhook 并 手动创建
RepositoryCR,请执行以下步骤:在 OpenShift 集群中,提取 Pipelines as Code 控制器的公共 URL。
$ echo https://$(oc get route -n openshift-pipelines pipelines-as-code-controller -o jsonpath='{.spec.host}')在 GitLab 项目中,执行以下步骤:
- 使用左侧边栏进入 Settings -> Webhooks。
- 将 URL 设置为 Pipelines as Code 控制器公共 URL。
添加 webhook secret 并在另一个位置记录它。在本地机器上安装
openssl后,生成一个随机 secret。$ openssl rand -hex 20
- 点 Let me select individual events 并选择这些事件:Commit comments, Issue comments, Pull request, 和 Pushes.
- 点 Save Changes。
在 OpenShift 集群中,使用个人访问令牌和 webhook secret 创建一个
Secret对象。$ oc -n target-namespace create secret generic gitlab-webhook-config \ --from-literal provider.token="<GITLAB_PERSONAL_ACCESS_TOKEN>" \ --from-literal webhook.secret="<WEBHOOK_SECRET>"
创建
RepositoryCR。示例:
RepositoryCRapiVersion: "pipelinesascode.tekton.dev/v1alpha1" kind: Repository metadata: name: my-repo namespace: target-namespace spec: url: "https://gitlab.com/owner/repo" # The repository URL git_provider: #url: "https://gitlab.example.com/" 1 secret: name: "gitlab-webhook-config" key: "provider.token" # Set this if you have a different key in your secret webhook_secret: name: "gitlab-webhook-config" key: "webhook.secret" # Set this if you have a different key for your secret- 1
- 如果您使用 GitLab 的私有实例而不是 GitLab.com,请取消注释此字段并将其设置为 GitLab API 的 URL。GitLab API 与存储库相同。例如,如果仓库是
https://gitlab.example.com/owner/repo,API URL 为https://gitlab.example.com/。
注意-
Pipelines as Code 假设 OpenShift
Secret对象和RepositoryCR 位于同一命名空间中。
可选: 对于现有的
RepositoryCR,请添加多个 GitLab Webhook secret 或为已删除的 secret 提供替换。使用
tkn pacCLI 工具添加 webhook。示例:使用
tkn pacCLI 添加额外的 Webhook$ tkn pac webhook add -n repo-pipelines
互动输出示例
✓ Setting up GitLab Webhook for Repository https://gitlab.com/owner/repo 👀 I have detected a controller url: https://pipelines-as-code-controller-openshift-pipelines.apps.example.com ? Do you want me to use it? Yes ? Please enter the secret to configure the webhook for payload validation (default: AeHdHTJVfAeH): AeHdHTJVfAeH ✓ Webhook has been created on repository owner/repo 🔑 Secret owner-repo has been updated with webhook secert in the repo-pipelines namespace.
-
更新现有 OpenShift
Secret对象中的webhook.secret密钥。
可选: 对于现有的
RepositoryCR,更新个人访问令牌。使用
tkn pacCLI 工具更新个人访问令牌。示例:使用
tkn pacCLI 更新个人访问令牌$ tkn pac webhook update-token -n repo-pipelines
互动输出示例
? Please enter your personal access token: **************************************** 🔑 Secret owner-repo has been updated with new personal access token in the repo-pipelines namespace.
或者,通过修改
RepositoryCR 来更新个人访问令牌。在
RepositoryCR 中查找 secret 的名称。... spec: git_provider: secret: name: "gitlab-webhook-config" ...使用
oc patch命令更新$target_namespace命名空间中的$NEW_TOKEN的值。$ oc -n $target_namespace patch secret gitlab-webhook-config -p "{\"data\": {\"provider.token\": \"$(echo -n $NEW_TOKEN|base64 -w0)\"}}"
