startpaac is a script to set up and configure Pipelines as Code (PAC) on a
Kubernetes cluster running in Kind. It can install the components PAC needs for
local development (Nginx, Tekton, Forgejo, a registry) and configures PAC with
the GitHub App secrets it needs.
Components that get installed are:
- Kind cluster
- Nginx ingress gateway
- Forgejo for local dev
- Docker registry to push images to.
- Tekton latest release
- Tekton Triggers (optional)
- Tekton Chains (optional)
- Tekton dashboard latest
- PAC, built with ko from your local checkout

Requirements on the machine running startpaac:

- Docker - only tested with Docker so far; it may work with Podman but that has not been tested yet
- Kind - Kubernetes in Docker
- Helm - Kubernetes package manager
- kubectl - Kubernetes command-line tool
- ko - Build and deploy Go applications on Kubernetes
- pass (optional, for managing secrets) - Password manager
- GNU tools (on macOS/BSD install coreutils and GNU sed from Homebrew and put them first in your PATH)
Run or adapt the following, adjusting PAC_DIR to the folder where you checked out pipelines-as-code:

```shell
mkdir -p $HOME/.config/startpaac
cat <<EOF > $HOME/.config/startpaac/config
TARGET_HOST=local
PAC_DIR=~/go/src/github.com/openshift-pipelines/pipelines-as-code
PAC_SECRET_FOLDER=~/secrets
EOF
```

Create your GitHub application, grab the application id, the private key, the smee (or hook.pipelinesascode.com) URL and the webhook secret, and put each one in its own file in the secret folder, for example:

```shell
mkdir -p ~/secrets
for i in github-application-id github-private-key smee webhook.secret;do
  echo "Editing $i file"
  ${EDITOR:-vi} ~/secrets/$i
done
```

These files hold your credentials in plain text, so keep the folder readable by your user only (or keep them in pass instead, see PAC_PASS_SECRET_FOLDER in the configuration below).

Run the following to deploy the kind cluster, the registry, nginx, PAC, Forgejo etc.:

```shell
./startpaac -a
```

If you need to deploy a change you made to your code to the local registry, run:

```shell
startpaac -p
```

This rebuilds and redeploys all of PAC. If you only want to redeploy the controller:

```shell
startpaac -c controller # same goes for watcher or webhook
```

To spin down the kind cluster:

```shell
startpaac --stop-kind
```

If you have an existing cluster with PAC installed (for example OpenShift), you can configure PAC directly there:

```shell
startpaac --configure-pac-target $KUBECONFIG $TARGET_NAMESPACE $DIRECTORY_OR_PASS_FOLDER
```

- $KUBECONFIG is the kubeconfig used to connect to your cluster.
- $TARGET_NAMESPACE is the namespace where PAC is installed (for example
  openshift-pipelines when installed with the operator).
- $DIRECTORY_OR_PASS_FOLDER is the secret folder with the same structure as documented
  above; it can also be a password store (pass) folder.
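As an added example (not part of startpaac or pipelines-as-code): a small script that checks a plain-text secret folder before you point PAC_SECRET_FOLDER or --configure-pac-target at it, locks its permissions down, and can copy it into pass under the PAC_PASS_SECRET_FOLDER layout. The function names and the value checks it applies (numeric app id, PEM private key, https URL, a webhook secret of at least 20 characters) are this example's own assumptions, not something startpaac enforces.

```shell
#!/usr/bin/env bash
# Added example, not part of startpaac: sanity-check and lock down a PAC secret
# folder laid out as documented above (github-application-id, github-private-key,
# smee, webhook.secret). Function names and value checks are this example's own.
set -eu

PAC_SECRET_FILES="github-application-id github-private-key smee webhook.secret"

# Returns 0 if every secret file is present and looks like what PAC expects,
# 1 otherwise (with the reason on stderr).
check_pac_secret_folder() {
  dir=$1
  rc=0
  for f in $PAC_SECRET_FILES; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  # GitHub App ids are decimal numbers.
  grep -Eq '^[0-9]+$' "$dir/github-application-id" \
    || { echo "github-application-id is not numeric" >&2; return 1; }
  # The key downloaded from the GitHub App settings page is a PEM private key.
  grep -Eq -- '^-----BEGIN (RSA )?PRIVATE KEY-----' "$dir/github-private-key" \
    || { echo "github-private-key is not a PEM private key" >&2; return 1; }
  # smee.io and hook.pipelinesascode.com hand out https URLs.
  grep -Eq '^https://' "$dir/smee" \
    || { echo "smee is not an https URL" >&2; return 1; }
  # webhook.secret is the key GitHub uses to sign deliveries; refuse short ones.
  secret=$(tr -d '\n' < "$dir/webhook.secret")
  [ "${#secret}" -ge 20 ] \
    || { echo "webhook.secret is shorter than 20 characters" >&2; return 1; }
  return 0
}

# The files are plain text: make the folder and its contents owner-only.
lock_down_secret_folder() {
  chmod 700 "$1"
  chmod 600 "$1"/*
}

# Copy a plain folder into pass (https://passwordstore.org/) under PREFIX so it
# can be used as PAC_PASS_SECRET_FOLDER, e.g. github/apps/my-app. `pass insert -m`
# stores the input as-is (multiline), so the PEM key survives intact.
import_secret_folder_to_pass() {
  dir=$1
  prefix=$2
  for f in $PAC_SECRET_FILES; do
    pass insert -m -f "$prefix/$f" < "$dir/$f"
  done
}

# Usage: bash check-pac-secrets.sh ~/secrets [github/apps/my-app]
# With no arguments the script only defines the functions above.
if [ -n "${1:-}" ]; then
  check_pac_secret_folder "$1"
  lock_down_secret_folder "$1"
  [ -z "${2:-}" ] || import_secret_folder_to_pass "$1" "$2"
fi
```

The check is deliberately strict on the private key header and the webhook secret length, because those are the two values PAC cannot tell are wrong until GitHub either refuses the App token or every delivery fails signature verification.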
Create a configuration file at $HOME/.config/startpaac/config with the following content
(startpaac creates one for you if it does not exist):

```shell
# PAC_DIR is the path to the pipelines-as-code directory, it will try to detect
# it otherwise
# PAC_DIR=~/path/to/pipelines-as-code
#
# PAC_PASS_SECRET_FOLDER is the path to a folder in https://passwordstore.org/
# where you have your pac secrets. The folder contains those keys:
# github/apps/my-app
# ├── github-application-id
# ├── github-private-key
# ├── smee
# └── webhook.secret
# github-application-id and github-private-key are the github application id and private key you get when you create your github app
# smee is the smee.io or https://hook.pipelinesascode.com generated webhook URL as set in your github app.
# webhook.secret is the shared secret as set in your github app; GitHub signs every
# delivery with it so the receiver can reject forged webhooks.
# PAC_PASS_SECRET_FOLDER=github/apps/my-app
#
# PAC_SECRET_FOLDER is an alternative to PAC_PASS_SECRET_FOLDER where you have your
# pac secrets in plain text. The folder has the same structure as the
# PAC_PASS_SECRET_FOLDER, the only difference is that the files are in plain text.
#
# PAC_SECRET_FOLDER=~/path/to/secrets
#
# TARGET_HOST is the VM where kind will be running, you need to have kind working there.
# Set it to local and leave the host variables below unset to run everything on your local machine.
# TARGET_HOST=my.vm.lan
#
# KO_EXTRA_FLAGS are the extra flags to pass to ko
#
# KO_EXTRA_FLAGS=() # extra ko flags for example --platform linux/arm64 --insecure-registry

## Hosts (not needed if TARGET_HOST is set to local)
# setup a wildcard dns *.lan.mydomain.com to go to your TARGET_HOST vm
# tips: if you don't want to install a dns server you can simply use
# https://nextdns.io to let you create wildcard dns for your local network.
#
# DOMAIN_NAME=lan.mydomain.com
# PAAC=paac.${DOMAIN_NAME}
# REGISTRY=registry.${DOMAIN_NAME}
# FORGE_HOST=gitea.${DOMAIN_NAME}
# DASHBOARD=dashboard.${DOMAIN_NAME}
#
# Example:
# TARGET_HOST=civuole.lan
# KO_EXTRA_FLAGS=(--insecure-registry --platform linux/arm64)
# DOMAIN_NAME=vm.lan
# PAAC=paac.${DOMAIN_NAME}
# REGISTRY=registry.${DOMAIN_NAME}
# FORGE_HOST=gitea.${DOMAIN_NAME}
# TARGET_BIND_IP=192.168.1.5
# DASHBOARD=dashboard.${DOMAIN_NAME}
# PAC_DIR=$GOPATH/src/github.com/openshift-pipelines/pac/main
```

You can point startpaac at an alternative config file with the STARTPAAC_CONFIG_FILE
environment variable.
You can configure the PostgreSQL connection details in the values.yaml file
located in lib/postgresql/values.yaml. The following parameters are available
under global.postgresql.auth:

- username: The PostgreSQL username.
- password: The PostgreSQL password.
- database: The PostgreSQL database name.

If you want to customize the PostgreSQL configuration, modify the
lib/postgresql/values.yaml file. For example:

```yaml
global:
  postgresql:
    auth:
      username: "myuser"
      password: "mypassword"
      database: "mydatabase"
```

Treat these as development-only credentials: the password is stored unencrypted in the cluster, so do not reuse one from a real database.

If you prefer to manage your secrets using pass, set the
PAC_PASS_SECRET_FOLDER variable in your configuration file to the path of
your secrets folder in pass. The folder should contain the following files:
- github-application-id
- github-private-key
- smee
- webhook.secret

Example structure:

```
github/apps/my-app
├── github-application-id
├── github-private-key
├── smee
└── webhook.secret
```

Alternatively, you can store your secrets in plain text files. Set the
PAC_SECRET_FOLDER variable in your configuration file to the path of your
secrets folder. The folder should have the same structure as the pass folder,
but the files should be in plain text. Restrict that folder to your user
(chmod 700), since anyone who can read it holds your GitHub App's private key
and webhook secret.

Example structure:

```
~/path/to/secrets
├── github-application-id
├── github-private-key
├── smee
└── webhook.secret
```

Run the script with the desired options:
```shell
./startpaac [options]
```

By default, the script installs everything, asking you to confirm first. If
you don't want confirmation, use the -a option.

- -a|--all: Install everything
- -A|--all-but-kind: Install everything but kind
- -k|--kind: (Re)Install Kind
- -g|--install-forge: Install Forgejo
- -c|--deploy-component: Deploy a component (controller, watcher, webhook)
- -p|--install-paac: Deploy and configure PAC
- -h|--help: Show help message
- -s|--sync-kubeconfig: Sync kubeconfig from the remote host
- -G|--start-user-gosmee: Start gosmee locally for user $USER
- -S|--github-second-ctrl: Deploy second controller for GitHub
- --install-nginx: Install Nginx
- --install-dashboard: Install Tekton dashboard
- --install-tekton: Install Tekton
- --install-triggers: Install Tekton Triggers
- --install-chains: Install Tekton Chains
- --install-custom-crds: Install custom CRDs
- --redeploy-kind: Redeploy Kind
- --scale-down: Scale down a component (controller, watcher, webhook)
- --second-secret=SECRET: Pass name for the second controller secret
- --stop-kind: Stop Kind

Examples:

```shell
./startpaac --all
./startpaac --install-paac
./startpaac --install-nginx
./startpaac --install-tekton
./startpaac --install-triggers
./startpaac --install-chains
./startpaac --install-custom-crds
./startpaac --deploy-component controller
./startpaac --sync-kubeconfig
./startpaac --start-user-gosmee
```

--start-user-gosmee will try to start gosmee as a systemd user service if you have one, or print the command line for you to start it yourself.

```shell
./startpaac --github-second-ctrl
```

This needs PAC_PASS_SECOND_FOLDER, which has the same layout as
PAC_PASS_SECRET_FOLDER but holds the secrets of the second controller.

You can configure the PAC installation with the following options:

- --debug-image: Use a debug image for the PAC controller.
- --show-config: Show the PAC configuration.
- --apply-non-root: Apply non-root configuration to the PAC controller.
A ZSH completion script is included; install it in your zsh completion path to get
completion for startpaac.
Chmouel Boudjnah chmouel@chmouel.com