- 环境:科学环境,kubernetes 1.8+, tekton latest
- 说明
- Tekton 是一个强大且灵活的 Kubernetes 原生开源框架,可用于创建持续集成和交付 (CI/CD) 系统。该框架可让您跨多个云服务商或本地系统进行构建、测试和部署,而无需操心基础实现详情。
- Tekton 提供的内置最佳做法可让您快速创建云原生 CI/CD 流水线。其目标是让开发者创建和部署不可变映像、管理基础架构的版本控制,或者更轻松地执行回滚。借助 Tekton,您还可以利用高级部署模式,例如滚动部署、蓝/绿部署、Canary 部署或 GitOps 工作流。
- 本例针对私有的gitlab仓库,push后触发webhook,通过webhook生成tekton的taskrun。
- 安装tekton
# pipeline
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# 本例使用到了triggers
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# 使用dashboard就可以不用安装ctl了
kubectl apply -f https://storage.gogleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml
- 暴露tekton dashboard外网使用,参考https://my.oschina.net/u/160697/blog/4437939 dashboard安全使用
apiVersion: v1
kind: Secret
metadata:
name: tekton-dashboard-auth-secret
namespace: tekton-pipelines
type: Opaque
stringData:
users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: tekton-dashboard-auth
namespace: tekton-pipelines
spec:
basicAuth:
secret: tekton-dashboard-auth-secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: tekton-dashboard
namespace: tekton-pipelines
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`tekton.your_domain.com`)
services:
- name: tekton-dashboard
port: 9097
middlewares:
- name: tekton-dashboard-auth
tls:
certResolver: aliyun
domains:
- main: "tekton.your_domain.com"
- 通过tekton trigger自动创建TaskRun,本例只使用gitlab仓库。参考官方例子,只是参考,不合实际情况
mkdir gitlab-trigger
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/binding.yaml
wget https://raw.githubusercontent.com/tektoncd/triggers/master/examples/gitlab/role.yaml
- 生成ssh公私钥。把公钥复制到gitlab的
Deploy Keys。私钥放到k8s中的Secret中。参考官方
ssh-keygen -t rsa
cat ~/.ssh/id_rsa | base64 -w 0
cat ~/.ssh/known_hosts | base64 -w 0
创建secret.yaml,并把上面输出的结果复制到ssh-privatekey和known_hosts中
apiVersion: v1
kind: Secret
metadata:
name: gitlab-webhook-secret
type: Opaque
stringData:
secretToken: "qxFtJX5jh88b83P"
---
apiVersion: v1
kind: Secret
metadata:
name: gitlab-ssh-secret
annotations:
tekton.dev/git-0: your_gitlab_addr:8000
type: kubernetes.io/ssh-auth
data:
ssh-privatekey: <base64 encoded>
known_hosts: <base64 encoded>
- 创建
serviceaccount.yamlServiceAcount就包含了上面创建的二个secret,通过ServiceAcount就可以使用了
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-triggers-gitlab-sa
secrets:
- name: gitlab-webhook-secret
- name: gitlab-ssh-secret
- 创建
gitlab-push-listener.yaml。我这里使用了一个独立的存储,就不用每次拉所有的代码,每个项目都放在不同的目录下。在官方例子就没有这么详细了。
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-workspace-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
#rook-cephfs就是storageclass.yaml里面定义的
storageClassName: rook-cephfs
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
name: gitlab-echo-template
spec:
params:
- name: gitrevision
- name: gitrepositoryurl
- name: gitrepositoryname
resourcetemplates:
- apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
generateName: gitlab-run-
spec:
serviceAccountName: tekton-triggers-gitlab-sa
taskSpec:
workspaces:
- name: gitlab_workspace
mountPath: /workspace/$(tt.params.gitrepositoryname)
inputs:
resources:
- name: source
type: git
steps:
- image: ubuntu
script: |
#! /bin/bash
pwd
df -h
ls -al $(inputs.resources.source.path)
inputs:
resources:
- name: source
resourceSpec:
type: git
params:
- name: revision
value: $(tt.params.gitrevision)
- name: url
value: $(tt.params.gitrepositoryurl)
workspaces:
- name: gitlab_workspace # must match workspace name in the Task
persistentVolumeClaim:
claimName: gitlab-workspace-pvc # this PVC must already exist
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
name: gitlab-push-binding
spec:
params:
- name: gitrevision
value: $(body.checkout_sha)
- name: gitrepositoryurl
value: $(body.repository.git_ssh_url)
- name: gitrepositoryname
value: $(body.repository.name)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
name: gitlab-listener
spec:
serviceAccountName: tekton-triggers-gitlab-sa
triggers:
- name: gitlab-push-events-trigger
interceptors:
- gitlab:
secretRef:
secretName: gitlab-webhook-secret
secretKey: secretToken
eventTypes:
- Push Hook # Only push events
bindings:
- ref: gitlab-push-binding
template:
name: gitlab-echo-template
- 创建一个Ingress让外网的gitlab能push event到tekton中。
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: tekton-trigger
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`tekton-trigger.your_domain.com`)
services:
- name: el-gitlab-listener
port: 8080
tls:
certResolver: aliyun
domains:
- main: "tekton-trigger.your_domain.com"
-
在gitlab的项目中创建一个webhook。url就是暴露的,Secret Token就是
secret.yaml中的那个
-
把5-9步骤生成的文件应用到k8s中。本例单独放到一个
tekton-gitlab的命名空间中
kubectl create ns tekton-gitlab
kubectl apply -n tekton-gitlab -f secret.yaml
kubectl apply -n tekton-gitlab -f role.yaml
kubectl apply -n tekton-gitlab -f binding.yaml
kubectl apply -n tekton-gitlab -f serviceaccount.yaml
kubectl apply -n tekton-gitlab -f gitlab-push-listener.yaml
kubectl apply -n tekton-gitlab -f ingress-tekton-trigger.yaml
- push到gitlab后会自动创建taskrun,并运行。效果如下:
来源:oschina
链接:https://my.oschina.net/u/160697/blog/4469399