Tekton - Configure Docker Registry Credentials

Prerequisites

IBM Container Registry

  • Install the Container Registry plug-in.

ibmcloud plugin install container-registry -r 'IBM Cloud'
  • Log in to your IBM Cloud account.

ibmcloud login -a https://cloud.ibm.com
If you have a federated ID, use ibmcloud login --sso to log in to the IBM Cloud CLI.
  • Target the region.

ibmcloud cr region-set <region_name>

For instance, we used

ibmcloud cr region-set us-south
  • Create an IBM Cloud Container Registry namespace.

ibmcloud cr namespace-add <my_namespace>

For instance, we used

ibmcloud cr namespace-add appsody_samples

Once created, you will see something like below.

$ ibmcloud cr namespace-add appsody_samples
Adding namespace 'appsody_samples'...

Successfully added namespace 'appsody_samples'

OK

Creating pipeline in Tekton

Access IBM Container Registry from Tekton

Before doing this step, make sure the Tekton pipeline setup is complete.

Create a secret

To access IBM Cloud Container Registry, provide the necessary credentials as a secret.

  • Get the API key.

ibmcloud iam api-key-create tekton -d "tekton" --file tekton.json

You will see something like below.

$ ibmcloud iam api-key-create tekton -d "tekton" --file tekton.json
Creating API key tekton as <user>@ibm.com...
OK
API key tekton was created
Successfully save API key information to tekton.json
  • Find the API key.

cat tekton.json | grep apikey

This gives you the below.

$ cat tekton.json | grep apikey
	"apikey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  • Create the push secret.

oc create secret generic ibm-cr-push-secret --type="kubernetes.io/basic-auth" --from-literal=username=iamapikey --from-literal=password=<your-apikey> -n kabanero

You will see something like below.

$ oc create secret generic ibm-cr-push-secret --type="kubernetes.io/basic-auth" --from-literal=username=iamapikey --from-literal=password=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -n kabanero
secret/ibm-cr-push-secret created

Annotate the secret.

Use the below command to annotate the secret.

oc annotate secret ibm-cr-push-secret tekton.dev/docker-0=us.icr.io -n kabanero

This returns the following.

$ oc annotate secret ibm-cr-push-secret tekton.dev/docker-0=us.icr.io -n kabanero
secret/ibm-cr-push-secret annotated
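
The create and annotate steps above can also be done with one manifest, which keeps the API key out of the command line and the shell history. The following is an added example, not part of the original tutorial; the function names read_apikey and render_push_secret are hypothetical, while the secret name, type, username and annotation are the ones used above.

```shell
#!/bin/sh
# Added example: build the annotated push secret as a manifest so the API key
# is read from tekton.json and never appears on a command line.

# Extract the "apikey" value from the file written by
# `ibmcloud iam api-key-create ... --file tekton.json`.
read_apikey() {
    sed -n 's/.*"apikey"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print a Secret manifest equivalent to the `oc create secret` and
# `oc annotate` pair above. Args: key file, registry host, namespace.
render_push_secret() {
    keyfile=$1 registry=$2 namespace=$3
    apikey=$(read_apikey "$keyfile")
    if [ -z "$apikey" ]; then
        echo "no apikey found in $keyfile" >&2
        return 1
    fi
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ibm-cr-push-secret
  namespace: $namespace
  annotations:
    tekton.dev/docker-0: $registry
type: kubernetes.io/basic-auth
stringData:
  username: iamapikey
  password: "$apikey"
EOF
}

# Typical use against a cluster (not run here):
#   chmod 600 tekton.json
#   render_push_secret tekton.json us.icr.io kabanero | oc apply -f -
#   rm tekton.json   # once the secret exists
```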

Configuring Service Account with Secret

Direct the service account to use this secret.

Using Tekton dashboard

  • Go to the Tekton home.

[Screenshot: nodejs tekton home secrets]
  • Select Secrets and then click on Add Secret.

[Screenshot: nodejs tekton home secret add]
  • Create the secret and link it to the service account.

[Screenshot: nodejs tekton secret link sa]
  • Verify if the secret is linked successfully.

[Screenshot: nodejs tekton secret list]

Using CLI

  • Alternatively, you can do this using CLI as follows.

oc secrets link kabanero-operator ibm-cr-push-secret -n kabanero

Allow pods to use the external registry images

  • Create the Docker credentials file for the IBM Container Registry.

oc secrets new-dockercfg <pull_secret_name> \
    --docker-server=<registry_server> --docker-username=<user_name> \
    --docker-password=<password> --docker-email=<email>

It will be something like below.

$ oc secrets new-dockercfg external-registry \
> --docker-username=iamapikey \
> --docker-password=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
> --docker-email=user@ibm.com \
> --docker-server=us.icr.io -n kabanero-samples
  • Define the below as app_sa.yaml.

The name should be the same as the Custom Resource Definition if you did not explicitly specify the service account name in app-deploy.yaml. Here, we are using the default one.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: appsody-sample-nodejs-express
  • Now, create the service account as follows.

oc create -f app_sa.yaml -n kabanero-samples

Once created, you will see something like below.

$ oc create -f app_sa.yaml -n kabanero-samples
serviceaccount/appsody-sample-nodejs-express created
  • For pulling the images from the container registry, we must add the secret to the service account in order to let the pods use it.

oc secrets link <serviceaccount_name> <pull_secret_name> --for=pull -n <namespace>

It will be something like below.

$ oc secrets link appsody-sample-nodejs-express external-registry --for=pull -n kabanero-samples

Create a webhook in Tekton

  • Get the IBM Cloud region.

ibmcloud cr region

This gives you something like below.

$ ibmcloud cr region
You are targeting region 'us-south', the registry is 'us.icr.io'.

OK
  • Get the IBM Cloud Container Registry namespace.

ibmcloud cr namespace-list

This gives you something like below.

$ ibmcloud cr namespace-list
Listing namespaces for account 'Cloud Client Engagement Team's Account' in registry 'us.icr.io'...

Namespace
appsody_samples

OK
  • If you did not create one earlier, run the below steps.

ibmcloud cr namespace-add <my_namespace>

For instance, we used

ibmcloud cr namespace-add appsody_samples

Once created, you will see something like below.

$ ibmcloud cr namespace-add appsody_samples
Adding namespace 'appsody_samples'...

Successfully added namespace 'appsody_samples'

OK
  • Access the Tekton dashboard; you should now see the pipeline in the list.

[Screenshot: nodejs custom pipeline tekton home]
  • Configure the GitHub webhook for your repo. Go to Webhooks > Add Webhook and then create the webhook.

[Screenshot: nodejs custom pipeline tekton webhook]
  • Verify if it is created successfully.

[Screenshot: nodejs custom pipeline tekton webhooks]

For more detailed instructions on how to create a webhook, refer to Create Tekton webhook for git repo.

Verify the pipeline

  • Make any changes to your app and push it to GitHub.

[Screenshot: nodejs app changes]
  • This will trigger the Tekton pipeline.

  • Go to the Tekton dashboard and access the pipeline we created.

[Screenshot: nodejs custom pipeline tekton home]
  • Wait till the task is completed and then click on the Pipeline Run.

[Screenshot: nodejs custom pipeline tekton pipeline run]
  • Once the tasks are all completed, you will see something like below.

[Screenshot: nodejs custom pipeline tekton pipeline run tasks]

Verify the app

  • To get the pods, run the below command.

oc get pods -n kabanero-samples

You will see something like below.

$ oc get pods -n kabanero-samples
NAME                                            READY     STATUS    RESTARTS   AGE
appsody-sample-nodejs-express-f59f7b468-mctdc   1/1       Running   0          27m
  • Wait till your pods are running.

  • Once ready, access the route as follows.

oc get route -n kabanero-samples

You will see something like below.

$ oc get route -n kabanero-samples
NAME                            HOST/PORT                                                                                                                             PATH      SERVICES                        PORT      TERMINATION   WILDCARD
appsody-sample-nodejs-express   appsody-sample-nodejs-express-tekton-samples.ocp.example.com            appsody-sample-nodejs-express   3000                    None
  • Access the application at this route.

[Screenshot: nodejs app changes deployed]