- Environment: experimental environment, Kubernetes 1.8+, Tekton latest
- Explanation
- Tekton is a powerful and flexible Kubernetes-native open source framework for building continuous integration and delivery (CI/CD) systems. It lets you build, test and deploy across multiple cloud providers or on-premises systems without worrying about the underlying implementation details.
- Tekton's built-in best practices let you quickly create cloud-native CI/CD pipelines. The goal is for developers to create and deploy immutable images, keep the infrastructure under version control, and roll back more easily. With Tekton you can also use advanced deployment patterns such as rolling deployment, blue/green deployment, canary deployment, or a GitOps workflow.
- This example uses a private GitLab repository. After a push, the webhook fires and Tekton creates a TaskRun through the trigger.
- Install Tekton

```shell
# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# This example uses triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# With the dashboard you can get by without installing the CLI
kubectl apply -f https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml
```
- Expose the Tekton dashboard to the internet behind basic auth; see https://my.oschina.net/u/160697/blog/4437939 (Safe use of dashboard)

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-auth-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  basicAuth:
    secret: tekton-dashboard-auth-secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`tekton.your_domain.com`)
      services:
        - name: tekton-dashboard
          port: 9097
      middlewares:
        - name: tekton-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
      - main: "tekton.your_domain.com"
```
- Create TaskRuns automatically through Tekton Triggers. This example only uses a GitLab repository. The official example is only a starting point and is not practical as-is.

```shell
mkdir gitlab-trigger
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml
```
- Generate an SSH key pair. Add the public key to the GitLab project's Deploy Keys and put the private key in a k8s Secret. See the official reference.

```shell
ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0
```
Create secret.yaml and copy the two base64 outputs above into ssh-privatekey and known_hosts

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-secret
type: Opaque
stringData:
  secretToken: "qxFtJX5jh88b83P"
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ssh-secret
  annotations:
    tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 encoded>
  known_hosts: <base64 encoded>
```
- Create serviceaccount.yaml. The ServiceAccount references the two Secrets created above, so they can be used through the ServiceAccount

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-secret
  - name: gitlab-ssh-secret
```
- Create the GitLab push listener yaml. I use a separate persistent volume here so the whole repository does not have to be pulled on every run; each project is placed in its own directory. The official example does not go into this detail.

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-workspace-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  # rook-cephfs is the StorageClass defined in the cephfs yaml
  storageClassName: rook-cephfs
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: gitlab-echo-template
spec:
  params:
    - name: gitrevision
    - name: gitrepositoryurl
    - name: gitrepositoryname
  resourcetemplates:
    - apiVersion: tekton.dev/v1alpha1
      kind: TaskRun
      metadata:
        generateName: gitlab-run-
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskSpec:
          workspaces:
            - name: gitlab_workspace
              mountPath: /workspace/$(tt.params.gitrepositoryname)
          inputs:
            resources:
              - name: source
                type: git
          steps:
            - image: ubuntu
              script: |
                #!/bin/bash
                pwd
                df -h
                ls -al $(inputs.resources.source.path)
        inputs:
          resources:
            - name: source
              resourceSpec:
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision)
                  - name: url
                    value: $(tt.params.gitrepositoryurl)
        workspaces:
          - name: gitlab_workspace # must match workspace name in the Task
            persistentVolumeClaim:
              claimName: gitlab-workspace-pvc # this PVC must already exist
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_ssh_url)
    - name: gitrepositoryname
      value: $(body.repository.name)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - gitlab:
            secretRef:
              secretName: gitlab-webhook-secret
              secretKey: secretToken
            eventTypes:
              - Push Hook # Only push events
      bindings:
        - ref: gitlab-push-binding
      template:
        name: gitlab-echo-template
```
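To see what the EventListener above actually enforces before a TaskRun is created, here is an added example (not Tekton's code and not from the original post) that mirrors the gitlab interceptor's checks and the TriggerBinding's field extraction on a constructed push payload; the repository name, SHA and SSH URL in the sample are made up.

```python
import hmac
import json

# Constructed sample: the secretToken from secret.yaml and a minimal
# GitLab push payload carrying only the fields the TriggerBinding reads.
SECRET_TOKEN = "qxFtJX5jh88b83P"  # value from the page's secret.yaml
SAMPLE_PUSH = json.dumps({
    "object_kind": "push",
    "checkout_sha": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",  # constructed
    "repository": {
        "name": "demo-project",  # constructed
        "git_ssh_url": "git@your_gitlab_addr:8000/group/demo-project.git",
    },
}).encode()


def intercept(headers, body, expected_token, event_types=("Push Hook",)):
    """Mirror of the gitlab interceptor: the request is only passed on when
    X-Gitlab-Token matches secretToken and X-Gitlab-Event is in eventTypes."""
    token = headers.get("X-Gitlab-Token", "")
    # constant-time comparison so the check leaks nothing about the token
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "bad or missing X-Gitlab-Token"
    if headers.get("X-Gitlab-Event") not in event_types:
        return False, "event type not in eventTypes"
    return True, "accepted"


def bind(body):
    """Apply the page's TriggerBinding: JSON body fields -> template params."""
    payload = json.loads(body)
    return {
        "gitrevision": payload["checkout_sha"],
        "gitrepositoryurl": payload["repository"]["git_ssh_url"],
        "gitrepositoryname": payload["repository"]["name"],
    }


def handle(headers, body, expected_token=SECRET_TOKEN):
    """Return (params, reason): params for the TaskRun, or None when rejected."""
    ok, reason = intercept(headers, body, expected_token)
    if not ok:
        return None, reason
    return bind(body), reason
```

A push with the wrong token, or a non-push event such as a tag push, never reaches the template, which is why the secretToken must match on both sides.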
- Create an IngressRoute so that the external GitLab can push events into Tekton.

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-trigger
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`tekton-trigger.your_domain.com`)
      services:
        - name: el-gitlab-listener
          port: 8080
  tls:
    certResolver: aliyun
    domains:
      - main: "tekton-trigger.your_domain.com"
```
- Create a webhook in the GitLab project. The URL is the exposed trigger address, and the Secret Token is the secretToken from secret.yaml
- Apply the files generated in steps 5-9 to k8s. This example puts them in a separate tekton-gitlab namespace

```shell
kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml
```
- After pushing to GitLab, a TaskRun is created and run automatically. The result looks like this: