Warning

This content has been generated by machine translation. The translations are automated and have not undergone human review or validation.

3.4 Automating Deployments with Helm Charts via DevOps Services

Automating CI/CD deployment through DevOps service

Create a DevOps project

Use the previously created project as it is, or create a new one.

Automating application deployment

Use Code Repository to Manage Application Code

Click Code Repositories in the left menu to create a code repository.
Click Create repository to create the repository.
- Repository name: Ex) oci-devops-mychart
The actual development work can be done on the development PC through the git command. If you click the Clone button above the repository details, the Clone command will appear as shown below. We will use Clone with HTTPS here.
Using the copied address on the development PC, clone it through the git clone command.
```
git clone <YourClonewithHTTPS URL>
```
User authentication is required at this time. For HTTPS-based user authentication, the following user name format and AuthToken are used.

Create a sample Helm chart

Refer to 2.2 Using Helm Chart Repository to create a chart to distribute.

Go to the copied code repository, and create a Helm chart.

winter@cloudshell:~ (ap-chuncheon-1)$ cd oci-devops-mychart/
winter@cloudshell:oci-devops-mychart (ap-chuncheon-1)$ helm create mychart
Creating mychart

Charting
The generated chart is a sample chart that deploys nginx. For actual charting, I will modify it for the app, but for now, I just use it without modification as a deployment test.
Helm Chart basic configuration file is created. The generated chart is configured to deploy nginx by default.

Push the code to the Code Repository.

git add .
git commit -m "init"
git push

Completion of code writing and reflection

Create a Build Pipeline

It is possible to configure the part corresponding to the CI process that builds code during CI/CD to create deployment artifacts through Build Pipeline.

Go to Projects page and go to Build Pipelines in the left menu.
Click Create build pipeline to create the pipeline.
- Name: Ex) mychart-build-pipeline
Click the created pipeline.
You can configure the pipeline flow by adding Stages as shown. Click Add Stage.

Create a Build Stage

First add Managed Build Stage for build.
Managed Build Stage Setup
- Stage name: Ex) build-stage
- Build Spec File Path: Specifies the build script path. By default, it uses the build_spec.yaml file in the source root.
- Primary Code Repository: Specifies the code repository with the main source to build.
  - Specifies the repository where the target source code is located.
Click Add to add the set Stage.

The definition of Build Spec in the source code is necessary like a test.

Define build_spec.yaml in the root path of your source code.

build_spec.yaml

env.variables.ocir_username: Username to use when logging in to OCIR
env.vaultVariables.ocir_authtoken: Vault Secret that stores the AuthToken to be used when logging in to OCIR with helm cli
env.exportedVariables
- CHART_VERSION: Get the chart’s value dynamically for use in future deployments.
steps
- Helm Chart Step: Deploy Helm Chart to OCIR through helm cli. The user’s AuthToken to be used as the login authentication password before deployment uses Vault Secret for security.

version: 0.1
component: build
timeoutInSeconds: 6000
runAs: root
shell: bash
env:
  # these are local variables to the build config
  variables:
    ocir_username: "winter"

  # the value of a vaultVariable is the secret-id (in OCI ID format) stored in the OCI Vault service
  # you can then access the value of that secret in your build_spec.yaml commands
  vaultVariables:
    ocir_authtoken: "ocid1.vaultsecret..."

  # exportedVariables are made available to use as parameters in sucessor Build Pipeline stages
  # For this Build to run, the Build Pipeline needs to have a BUILDRUN_HASH parameter set
  exportedVariables:
    - CHART_NAME
    - CHART_VERSION
    - TENANCY_NAMESPACE
    - REPO_NAME

# Its a native way to fetch artifacts from external or artifact repo or a file path to use before a stage.
# More about buildspec formats - https://docs.oracle.com/en-us/iaas/Content/devops/using/build_specs.htm
inputArtifacts: 

steps:
  - type: Command
    timeoutInSeconds: 1200
    name: "Install Tools"
    command: |
      mkdir -p ~/.local/bin
      wget https://github.com/mikefarah/yq/releases/download/v4.25.1/yq_linux_amd64 -O ~/.local/bin/yq
      chmod +x ~/.local/bin/yq
      export PATH=$HOME/.local/bin:$PATH      

  - type: Command
    name: "Build Source"
    timeoutInSeconds: 4000
    command: |
      echo no action
      echo no action      

  - type: Command
    timeoutInSeconds: 1200
    name: "Helm Chart"
    command: |
      TENANCY_NAMESPACE=`oci os ns get --query data --raw-output`
      cd ${OCI_PRIMARY_SOURCE_DIR}
      cd mychart
      helm package .
      helm registry login -u $TENANCY_NAMESPACE/$ocir_username ${OCI_RESOURCE_PRINCIPAL_REGION}.ocir.io -p $ocir_authtoken
      export HELM_EXPERIMENTAL_OCI=1
      helm push ./*.tgz oci://${OCI_RESOURCE_PRINCIPAL_REGION}.ocir.io/$TENANCY_NAMESPACE/helm      

  - type: Command
    timeoutInSeconds: 1200
    name: "Check exportedValues"
    command: |
      cd ${OCI_PRIMARY_SOURCE_DIR}/mychart
      CHART_NAME=`yq eval '.name' Chart.yaml`
      CHART_VERSION=`yq eval '.version' Chart.yaml`
      REPO_NAME=helm/$CHART_NAME      

outputArtifacts:

The build stage is complete.

Create Vault Secret to store AuthToken

Log in to the OCI console.
Go to Identity & Security > Vault from the top left hamburger menu.
Click Create Vault to create a new Vault.
- Name: Ex) myVault
Go to the created Vault and create a Master Encryption Key. For Secret creation, select AES as the encryption method.
Create a new Secret by going to Resources > Secrets in the left menu. Select the encryption key you created earlier, and enter the AuthToken of the user to access OCIR in Secret Contents.
Copy the OCID of the created Secret.

Go back to the source and add the OCID of the Secret copied to env.vaultVariables.ocir_authtoken in the build_spec.yaml you created earlier.

build_spec.yaml

env:
  # these are local variables to the build config
  variables:
    ocir_username: "winter"

  # the value of a vaultVariable is the secret-id (in OCI ID format) stored in the OCI Vault service
  # you can then access the value of that secret in your build_spec.yaml commands
  vaultVariables:
    ocir_authtoken: "ocid1.vaultsecret..."

Commit & Push the source code to reflect the code.

git add build_spec.yaml
git commit -m "add build_spec"
git push

Create a Deployment Pipeline

It is possible to configure the part corresponding to the CD process of distributing the products built during CI/CD to the actual server through the Deployment Pipeline.

Setting Policy for DevOps Service

Add permission so that deployment pipeline can access OCIR to the policy created earlier.

Create the following Policy with Compartment level.

Name: Ex) DevOps-compartment-policy

Allow dynamic-group DeployDynamicGroup to read repos in compartment <YourCompartmentName>

Create the following Policy with the Root Compartment level.
- Name: Ex) DevOps-root-policy
If you do not create the repository before pushing the repository to OCIR, the image is pushed to the root compartment by default. At this time, an error occurs with permission, and if you want to allow it in the Root Compartment, add the following.
```
Allow dynamic-group BuildDynamicGroup to read repos in tenancy
```

Registering the Kubernetes Environment

If there is no OKE environment registered previously, go to Project page and go to Environments in the left menu to register OKE environment to deploy.

Create a Helm Chart Artifact to deploy to Kubernetes

Go to Project Page and go to Artifacts in the left menu.
Click Add artifact to add the Helm Chart resource to deploy.
- Select Type as Helm Chart.
- For Helm Chart URL, enter the Helm Chart address located in OCIR in the form of oci://<region-key>.ocir.io/<tenancy-namespace>/<repo-name>.
- Version is the chart version to be imported from OCIR, and you can use parameters as a tag as shown in the picture. Below, I used CHART_VERSION, one of the exportedVariables in the build pipeline.
If necessary, click Add artifact to add a value resource to be used when distributing the Helm Chart to be distributed.
- Type: select General artifact
- Artifact source: Select Inline here.
- Value: Enter the Chart Value to be used by overriding the default chart settings. For testing purposes, we will change the Service Type from ClusterIP to LoadBalancer.
```
service:
  type: LoadBalancer
```

Create a Deploy Pipeline

Go to Projects page and go to Deployment Pipelines in the left menu.
Click Create pipeline to create the pipeline.
- Name: Ex) mychart-deployment-pipeline
Click the created pipeline.
Click Add Stage and select Install helm chart to Kubernetes cluster.
Set up Helm Chart distribution using the resources created earlier.
- Environment: Select OKE cluster to deploy
- Release name: The name to use when distributing the chart
- Helm Chart: Helm Chart Artifact for distribution registered earlier
- Value: Value Artifact to be used when distributing previously registered charts

Calling Deployment Pipeline from Build Pipeline

After the Build Pipeline we created earlier is finished, we add a call to the Deployment Pipeline so that it can be deployed.

Go to the Build Pipelines you created earlier.
At the end of the pipeline, right click on the three dots on the Trigger Deployment Stage > select View details.
Choose Edit Stage to edit.
Click Select deployment pipeline to save the changes to the newly created Deployment Pipeline for Helm Chart deployment.
The whole flow of post-build deployment is complete.

test

You can test by setting the Trigger in the same way as before. For a quick test here, we test using Start Manual Run.

Go to the Build Pipelines you created earlier.
Click Start Manual Run in the upper right corner to run it.
When the build pipeline execution is completed, you can check the chart created by OCIR as shown below.
Deployment is successful as shown in the figure in Deployment Pipeline.

You can see Helm Chart deployed in OKE cluster. Or, the value.yaml file is reflected to create the LoadBalancer service type.

winter@cloudshell:~ (ap-chuncheon-1)$ helm list
NAME    NAMESPACE       REVISION        UPDATED                                 STATUS          CHART           APP VERSION
mychart default         1               2022-05-25 04:09:15.518487366 +0000 UTC deployed        mychart-0.1.0   1.16.0     
winter@cloudshell:~ (ap-chuncheon-1)$ kubectl get all
NAME                           READY   STATUS    RESTARTS   AGE
pod/mychart-75c4d695c4-gqgn8   1/1     Running   0          26m

NAME                 TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)        AGE
service/kubernetes   ClusterIP      10.96.0.1       <none>          443/TCP        13d
service/mychart      LoadBalancer   10.96.251.103   129.xxx.xxx.xxx 80:32461/TCP   26m

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/mychart   1/1     1            1           26m

NAME                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/mychart-75c4d695c4   1         1         1       26m

As an individual, this article was written with my personal time. There may be errors in the content of the article, and the opinions in the article are personal opinions.

Last updated on 25 May 2022