Before You Begin
This 20-minute tutorial shows you how to push an image in Wercker to OCI Registry and deploy the image as a container to an existing OCI Container Engine for Kubernetes (OKE) cluster.
Background
As part of the development process, developers write new code and merge their code back into the master (source code). In this tutorial, the repository of this source code is GitHub.
Wercker is integrated into GitHub so that, for example, when there is a commit (new code, or changes are made to a branch or the master), Wercker can automatically build a container image.
In the case of a commit to master, Wercker runs a pipeline and builds the image, pushes the image to OCIR and then deploys the container to an instance of OKE, replacing the running containers/pods, and thus updating the application.

What Do You Need?
- Complete the tutorial Creating a Cluster with Oracle Cloud Infrastructure Container Engine for Kubernetes and Deploying a Sample App
- GitHub Account
- Wercker Account
- You (and the groups to which you belong) must have been defined solely in Oracle Cloud Infrastructure Identity and Access Management. Container Engine for Kubernetes does not currently support groups and users for tenancies federated with other identity providers (for example, Oracle Identity Cloud Service and Microsoft Active Directory). So if you don't already have a user and groups defined solely in Oracle Cloud Infrastructure Identity and Access Management, define them now before you start this tutorial (see Federated users are not supported by Container Engine for Kubernetes).
Create Wercker application
In this section, you create a Wercker application from a GitHub application.
- Log in to your GitHub account. Open the application wercker-oke-demo in GitHub and click Fork.
- Select the wercker.yml file to open it.
- Any Docker image created by the Wercker application will be tagged with the corresponding Git commit that triggered its run. This is a Wercker best practice that ensures a given revision of your source is included in a known single artifact image. This aids in observability as well as making it easy to point Kubernetes at new changes to the application. The environment variables that need to be passed to Wercker will be:
  - DOCKER_USERNAME
  - DOCKER_PASSWORD
  - DOCKER_REPO
- Open and log in to your Wercker account. Click Create your first application.
- Make sure your user is selected for #1 and GitHub is selected for #2 and click Next.
- Select the wercker-oke-demo application you previously forked and click Next.
- Accept the default to checkout the code and click Next.
- Click Create.
- Your application was created successfully. In the next section, you define the environment variables. Click the Environment tab.
Set Application Environment Variables
- Create each of the following environment variables and click Add after each one.
  - Docker Username must include the <tenancy name>/<username>
  - Docker Password is the auth_token for your cluster. Click the Protected checkbox. NOTE: It must not contain a $ character.
  - Docker Repo must include <region-code>.ocir.io/<tenancy name>/<registry name>
- Test that the application can be built and pushed to OCIR. Click the trigger a build now link at the bottom of the page.
- The build is completed successfully.
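The rules for the three registry variables can be checked before you enter them in Wercker. The script below is an added example, not part of the original tutorial or the wercker-oke-demo repository: the function name check_ocir_env and the sample values are constructed, and the tenancy comparison assumes both values carry the same <tenancy name>, as the placeholders above indicate.

```shell
#!/bin/sh
# Added example: checks the three registry variables against the rules in
# the steps above. Function name and sample values are constructed.

check_ocir_env() {
    # $1 = DOCKER_USERNAME, $2 = DOCKER_PASSWORD, $3 = DOCKER_REPO
    rc=0

    # Username must be <tenancy name>/<username>, both parts non-empty.
    case "$1" in
        ?*/?*) ;;
        *) echo "DOCKER_USERNAME: expected <tenancy name>/<username>" >&2; rc=1 ;;
    esac

    # Auth token must be present and must not contain a $ character.
    case "$2" in
        '')    echo "DOCKER_PASSWORD: empty" >&2; rc=1 ;;
        *'$'*) echo "DOCKER_PASSWORD: must not contain a \$ character" >&2; rc=1 ;;
    esac

    # Repo must be <region-code>.ocir.io/<tenancy name>/<registry name>.
    if printf '%s\n' "$3" | grep -Eq '^[a-z0-9-]+\.ocir\.io/[^/]+/[^/]+$'; then
        # Assumption: both values name the same tenancy, so the segments agree.
        repo_path=${3#*/}
        if [ "${1%%/*}" != "${repo_path%%/*}" ]; then
            echo "tenancy differs between DOCKER_USERNAME and DOCKER_REPO" >&2
            rc=1
        fi
    else
        echo "DOCKER_REPO: expected <region-code>.ocir.io/<tenancy name>/<registry name>" >&2
        rc=1
    fi

    return "$rc"
}

# Constructed sample values; the password is never echoed.
if check_ocir_env 'acme/jdoe' 'constructed-auth-token' 'iad.ocir.io/acme/demo'; then
    echo "registry variables are well-formed"
fi
```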

Check OCI Registry
- To check that the images were pushed successfully to the OCI Registry, log in to your OCI instance.
- Choose the menu icon to display the options.
- Select Containers > Registry.
- The list of repositories in the OCI Registry is displayed. Expand the repository to see the images you pushed.
Configure Cluster to Pull Images from OCI Registry
In order for the images to be pulled during deployment, you need to configure the cluster by creating an image secret and setting some additional parameters in your Wercker application.
- Create an Image Secret for accessing OCIR. Open a Terminal Window and execute the following commands:
  export KUBECONFIG=~/kubeconfig
  kubectl create secret docker-registry <SECRET NAME> --docker-server=<REGION.ocir.io> --docker-username='<TENANCY/OCI_USERNAME>' --docker-password='<AUTH_TOKEN>' --docker-email='<EMAIL>'
- Switch to GitHub and select the kubernetes_deployment.yml.template file.
- The Kubernetes configuration file references the newly created image secret using the environment variable OKE_IMAGESECRET, which you need to create as an environment variable in your Wercker application.
- Switch to Wercker and click the Environment tab.
- Enter the Key OKE_IMAGESECRET and Value <secret name> and click Add.
- To review the script that runs when a deploy to Kubernetes is performed, switch to GitHub and open the wercker.yml file.
- Scroll to the deploy-to-kubernetes area. The first step is that all the .template extensions are removed. Then it will move all the Kubernetes configuration files to a clean directory for consumption by kubectl commands.
- These steps in the configuration file do the following:
  - Set a timeout on the deployment of 60 seconds, giving the deployment time to successfully start the application's container before timing out.
  - Watch the status of the deployment until all pods have come up. If the timeout is hit, this will immediately return a non-zero exit code and cause the pipeline run to fail. This means your pipeline will succeed only if your application has been successfully deployed; otherwise it fails.
- You can get the values for OKE_MASTER and OKE_TOKEN from the kubeconfig file. From your terminal window, enter
  cat kubeconfig
  Make a note of the server URL.
- Scroll down to see the value for token.
- Switch to Wercker to create the following parameters under the Environment tab.
  - Key: OKE_MASTER, Value: <server value from kubeconfig>
  - Key: OKE_TOKEN, Value: <token value from kubeconfig>
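Instead of printing the whole kubeconfig file with cat, the two values can be read by field name so the token does not end up in terminal scrollback. This is an added example, not part of the original tutorial: the function names kubeconfig_field and oke_env_summary and the sample kubeconfig are constructed, and it assumes the server URL uses https.

```shell
#!/bin/sh
# Added example: reads only the two fields the steps above take from
# kubeconfig. Function names and the sample file are constructed.

# Print the first value of a "key: value" line, quotes stripped.
kubeconfig_field() {
    # $1 = path to kubeconfig, $2 = key name (server or token)
    awk -v key="$2:" '
        { sub(/^[ \t-]+/, "") }          # drop indentation and list dashes
        $1 == key { print $2; exit }
    ' "$1" | tr -d "\"'"
}

# Validate both values and describe them without echoing the token.
oke_env_summary() {
    # $1 = path to kubeconfig
    master=$(kubeconfig_field "$1" server)
    token=$(kubeconfig_field "$1" token)
    case "$master" in
        https://?*) ;;
        *) echo "no https server URL found in $1" >&2; return 1 ;;
    esac
    if [ -z "$token" ]; then
        echo "no token found in $1" >&2
        return 1
    fi
    echo "OKE_MASTER=$master"
    echo "OKE_TOKEN=<${#token} characters, not shown>"
}

# Constructed sample kubeconfig (not a real cluster or credential).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://cluster.example.invalid:6443
  name: cluster-example
users:
- name: user-example
  user:
    token: constructed-sample-token
EOF
oke_env_summary "$sample"
rm -f "$sample"
```

Run kubeconfig_field ~/kubeconfig token only at the moment you paste the value into the Wercker Environment tab.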


Add Workflow to Pipeline in Wercker Application
To deploy the OCI container to Kubernetes, you need to create a Deploy-to-Kubernetes workflow in your Wercker application.
- Switch to your Wercker application and click the Workflows tab.
- Click Add New Pipeline.
- Enter deploy-to-kubernetes for both Name and YML Pipeline name and click Create.
- Click the Workflows tab.
- In the Workflow Editor, click the ' + ' to create a new pipeline chain after the build. Select deploy-to-kubernetes for Execute pipeline and click Add.
- The new change in the workflow was created successfully. In the next section, you deploy the OCI image to Kubernetes.
Deploy the OCI Container to OCI Container Engine for Kubernetes
The pipeline automatically starts when you make a change to one of your application files in GitHub.
- Switch to your GitHub application and select the wercker.yml file.
- Edit the file.
- Scroll down to the set deployment timeout area and change the timeout to 300 seconds to make sure there is enough time to complete the deployment. Enter a description for the commit and click Commit changes.
- Your change was committed. Switch to Wercker and click the Runs tab.
- Note that the pipeline was executed automatically.
- After the build completes, the deploy workflow runs.
- Your deployment completed successfully. Click deploy-to-kubernetes to view the details.
- Scroll to the bottom to verify that all the steps completed successfully.
- Switch to Wercker and click the Runs tab.
Verifying Service in OCI Container Engine for Kubernetes
You can verify the service by running the app in OCI Container Engine for Kubernetes.
- From your terminal window, execute the following:
  export KUBECONFIG=~/kubeconfig
  kubectl proxy
- Open a NEW terminal window and execute the following. Copy the EXTERNAL-IP for get-ip to your clipboard.
  export KUBECONFIG=~/kubeconfig
  kubectl get services
- Paste the value for EXTERNAL-IP into your browser to run the application.