Google has open-sourced a Kubernetes-native CI/CD build framework: Tekton
Tekton is a powerful and flexible Kubernetes-native framework for creating CI/CD systems. By abstracting away the underlying implementation details, it lets developers build, test and deploy across multiple cloud environments or on-premises systems.
Features include:
Artifact management: store, manage and secure artifacts, while Tekton pipelines integrate well with other third-party tools.
Deployment pipelines: designed to support complex workflows, including deployment across multiple environments as well as canary and blue/green deployments.
Results: as part of the built-in results store API, logs give deep insight into test and build results.
Reference: https://cloud.google.com/tekton/
Deployment is based on a Kubernetes cluster. Deployment file reference: https://github.com/tektoncd/pipeline/releases/download/v0.2.0/release.yaml
Downloading gcr images from within China requires a proxy, so for convenience I pushed every image the Tekton toolchain depends on to Alibaba Cloud. The modified release.yaml
is as follows:
apiVersion: v1
kind: Namespace
metadata:
  name: tekton-pipelines
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipelines-admin
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  - events
  - serviceaccounts
  - configmaps
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - tasks
  - clustertasks
  - taskruns
  - pipelines
  - pipelineruns
  - pipelineresources
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - taskruns/finalizers
  - pipelineruns/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - tasks/status
  - clustertasks/status
  - taskruns/status
  - pipelines/status
  - pipelineruns/status
  - pipelineresources/status
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tekton-pipelines-controller-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-pipelines-admin
subjects:
- kind: ServiceAccount
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clustertasks.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: ClusterTask
    plural: clustertasks
  scope: Cluster
  subresources:
    status: {}
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: images.caching.internal.knative.dev
spec:
  group: caching.internal.knative.dev
  names:
    categories:
    - all
    - knative-internal
    - caching
    kind: Image
    plural: images
    shortNames:
    - img
    singular: image
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelines.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: Pipeline
    plural: pipelines
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelineruns.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: PipelineRun
    plural: pipelineruns
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelineresources.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: PipelineResource
    plural: pipelineresources
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tasks.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: Task
    plural: tasks
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: taskruns.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: TaskRun
    plural: taskruns
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-pipelines-controller
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  ports:
  - name: metrics
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app: tekton-pipelines-controller
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-pipelines-webhook
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
spec:
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: tekton-pipelines-webhook
---
apiVersion: v1
data: null
kind: ConfigMap
metadata:
  name: config-artifact-bucket
  namespace: tekton-pipelines
---
apiVersion: v1
data:
  loglevel.controller: info
  loglevel.webhook: info
  zap-logger-config: |
    {
      "level": "info",
      "development": false,
      "sampling": {
        "initial": 100,
        "thereafter": 100
      },
      "outputPaths": ["stdout"],
      "errorOutputPaths": ["stderr"],
      "encoding": "json",
      "encoderConfig": {
        "timeKey": "",
        "levelKey": "level",
        "nameKey": "logger",
        "callerKey": "caller",
        "messageKey": "msg",
        "stacktraceKey": "stacktrace",
        "lineEnding": "",
        "levelEncoder": "",
        "timeEncoder": "",
        "durationEncoder": "",
        "callerEncoder": ""
      }
    }
kind: ConfigMap
metadata:
  name: config-logging
  namespace: tekton-pipelines
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: tekton-pipelines-controller
    spec:
      containers:
      - args:
        - -logtostderr
        - -stderrthreshold
        - INFO
        - -kubeconfig-writer-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-kubeconfigwriter:v0.2.0
        - -creds-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-creds-init:v0.2.0
        - -git-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-git-init:v0.2.0
        - -nop-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-nop:v0.2.0
        - -bash-noop-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-bash:v0.2.0
        - -gsutil-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-gsutil:v0.2.0
        - -entrypoint-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-entrypoint:v0.2.0
        image: registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-controller:v0.2.0
        name: tekton-pipelines-controller
        volumeMounts:
        - mountPath: /etc/config-logging
          name: config-logging
      serviceAccountName: tekton-pipelines-controller
      volumes:
      - configMap:
          name: config-logging
        name: config-logging
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: tekton-pipelines-webhook
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-webhook:v0.2.0
        name: webhook
        volumeMounts:
        - mountPath: /etc/config-logging
          name: config-logging
      serviceAccountName: tekton-pipelines-controller
      volumes:
      - configMap:
          name: config-logging
        name: config-logging
---
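Because every image in the release manifest above was re-pointed at a mirror registry, it is worth checking before applying it that no reference still points elsewhere and that each is pinned. The check below is an added example, not Tekton project code; it assumes the manifest has already been parsed into a dict, embeds a constructed, shortened copy of the controller Deployment (with one deliberately wrong entry), and treats the `registry.cn-hangzhou.aliyuncs.com/shenshouer/` prefix as the trusted mirror.

```python
# Added example (not Tekton project code): audit every image reference in a
# Deployment from a release manifest, including the helper images the controller
# receives through -*-image flags, to confirm each comes from the trusted mirror
# and is pinned to an explicit tag or digest.
TRUSTED_PREFIX = "registry.cn-hangzhou.aliyuncs.com/shenshouer/"

# Constructed sample: the parsed form of the controller Deployment above, shortened
# to three flags, with one deliberately unmirrored, floating entry to show a finding.
CONTROLLER = {
    "kind": "Deployment",
    "metadata": {"name": "tekton-pipelines-controller"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "tekton-pipelines-controller",
        "image": TRUSTED_PREFIX + "tektoncd-controller:v0.2.0",
        "args": [
            "-logtostderr", "-stderrthreshold", "INFO",
            "-git-image", TRUSTED_PREFIX + "tektoncd-git-init:v0.2.0",
            "-nop-image", "gcr.io/example-upstream/nop:latest",  # constructed bad entry
        ],
    }]}}},
}

def image_refs(deployment):
    """Yield (source, image): the container image, then each -*-image flag value."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        yield c["name"], c["image"]
        args = c.get("args", [])
        for flag, value in zip(args, args[1:]):
            if flag.startswith("-") and flag.endswith("-image"):
                yield flag, value

def pinned(image):
    """True when the reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/path so a host:port is not mistaken for a tag
    return ":" in last and not last.endswith(":latest")

def audit_images(deployment, trusted=TRUSTED_PREFIX):
    """Return human-readable findings; an empty list means the Deployment is clean."""
    findings = []
    for source, image in image_refs(deployment):
        if not image.startswith(trusted):
            findings.append(f"{source}: {image} is outside {trusted}")
        if not pinned(image):
            findings.append(f"{source}: {image} is not pinned to a tag or digest")
    return findings

if __name__ == "__main__":
    for line in audit_images(CONTROLLER):
        print(line)
```

Run over the Task further down this page, the same `pinned` check would also flag the `tektoncd-executor` step image, which carries no tag.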
Reference: https://github.com/tektoncd/pipeline/blob/master/docs/install.md
kubectl apply --filename ./release.yaml
Check that the pods are running:
$ kubectl get pods --namespace tekton-pipelines --watch
NAME READY STATUS RESTARTS AGE
tekton-pipelines-controller-5d4ff79776-bznx8 1/1 Running 0 41s
tekton-pipelines-webhook-6b5b4f96f4-c2zz4 1/1 Running 0 41s
At this point the Tekton pipeline installation is complete.
Reference: https://github.com/tektoncd/pipeline/blob/master/docs/tutorial.md
The example here walks through the official GitHub example "Task Inputs and Outputs".
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-git
spec:
  type: git
  params:
  - name: revision
    value: master
  - name: url
    value: https://github.com/GoogleContainerTools/skaffold
A PipelineResource of type git.
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-image-leeroy-web
spec:
  type: image
  params:
  - name: url
    value: registry.cn-hangzhou.aliyuncs.com/shenshouer/leeroy-web
A PipelineResource of type image.
When the task finishes it produces an image and pushes it to the registry registry.cn-hangzhou.aliyuncs.com/shenshouer, and that registry requires authentication. For the authentication configuration see: https://github.com/tektoncd/pipeline/blob/master/docs/auth.md
apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://registry.cn-hangzhou.aliyuncs.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: [Alibaba Cloud registry username]
  password: [Alibaba Cloud registry password]
Note: the Secret type is kubernetes.io/basic-auth, and the annotations must contain the key tekton.dev/docker-0 with the value https://registry.cn-hangzhou.aliyuncs.com; several corresponding registries can of course be configured to share the same username and password.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
- name: basic-user-pass
The ServiceAccount is associated with the Secret created above.
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  inputs:
    resources:
    - name: docker-source
      type: git
    params:
    - name: pathToDockerFile
      description: The path to the dockerfile to build
      default: /workspace/docker-source/Dockerfile
    - name: pathToContext
      description:
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: /workspace/docker-source
  outputs:
    resources:
    - name: builtImage
      type: image
  steps:
  - name: build-and-push
    image: registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-executor
    command:
    - /kaniko/executor
    args:
    - --dockerfile=${inputs.params.pathToDockerFile}
    - --destination=${outputs.resources.builtImage.url}
    - --context=${inputs.params.pathToContext}
This Task builds the image directly and pushes it to the specified registry; the build tool it relies on is kaniko. I have pushed the kaniko image to Alibaba Cloud as registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-executor
and have already substituted it in the yaml file.
For details on using the executor (that is, kaniko) see the kaniko trial notes.
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  serviceAccount: build-bot
  taskRef:
    name: build-docker-image-from-git-source
  trigger:
    type: manual
  inputs:
    resources:
    - name: docker-source
      resourceRef:
        name: skaffold-git
    params:
    - name: pathToDockerFile
      value: Dockerfile
    - name: pathToContext
      value: /workspace/docker-source/examples/microservices/leeroy-web #configure: may change according to your source
  outputs:
    resources:
    - name: builtImage
      resourceRef:
        name: skaffold-image-leeroy-web
The TaskRun must reference the ServiceAccount created above: serviceAccount: build-bot
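The credential chain above (basic-auth Secret annotated for the registry, ServiceAccount listing the Secret, TaskRun running as that ServiceAccount) is easy to get subtly wrong, so here is an added check, not Tekton project code, that validates it. It assumes the manifests have already been parsed into dicts and embeds a constructed copy of this page's Secret, ServiceAccount, image PipelineResource and TaskRun with placeholder credentials.

```python
# Added example (not Tekton project code): verify that a TaskRun's ServiceAccount
# carries a kubernetes.io/basic-auth Secret annotated (tekton.dev/docker-N, https)
# for every registry the TaskRun's output image resources push to.
from urllib.parse import urlparse

# Constructed sample: parsed form of the Secret, ServiceAccount, image
# PipelineResource and TaskRun shown on this page, with placeholder credentials.
DOCS = [
    {"kind": "Secret", "type": "kubernetes.io/basic-auth",
     "metadata": {"name": "basic-user-pass", "annotations": {
         "tekton.dev/docker-0": "https://registry.cn-hangzhou.aliyuncs.com"}},
     "stringData": {"username": "[user]", "password": "[pass]"}},
    {"kind": "ServiceAccount", "metadata": {"name": "build-bot"},
     "secrets": [{"name": "basic-user-pass"}]},
    {"kind": "PipelineResource", "metadata": {"name": "skaffold-image-leeroy-web"},
     "spec": {"type": "image", "params": [{"name": "url",
              "value": "registry.cn-hangzhou.aliyuncs.com/shenshouer/leeroy-web"}]}},
    {"kind": "TaskRun", "metadata": {"name": "build-task-run"},
     "spec": {"serviceAccount": "build-bot", "outputs": {"resources": [
         {"name": "builtImage", "resourceRef": {"name": "skaffold-image-leeroy-web"}}]}}},
]

def by_kind(docs, kind):
    return {d["metadata"]["name"]: d for d in docs if d["kind"] == kind}

def check_registry_auth(docs, taskrun_name):
    """Return a list of problems; an empty list means the chain is wired correctly."""
    tr = by_kind(docs, "TaskRun").get(taskrun_name)
    if tr is None:
        return [f"TaskRun {taskrun_name} not found"]
    sa = by_kind(docs, "ServiceAccount").get(tr["spec"].get("serviceAccount", ""))
    if sa is None:
        return ["TaskRun does not reference an existing ServiceAccount"]
    problems, hosts, secrets = [], set(), by_kind(docs, "Secret")
    for ref in sa.get("secrets", []):  # collect registries the SA's secrets cover
        s = secrets.get(ref["name"])
        if s is None:
            problems.append(f"ServiceAccount lists missing secret {ref['name']}")
            continue
        if s.get("type") != "kubernetes.io/basic-auth":
            problems.append(f"secret {ref['name']} is not kubernetes.io/basic-auth")
        for key, val in s["metadata"].get("annotations", {}).items():
            if key.startswith("tekton.dev/docker-"):
                if not val.startswith("https://"):
                    problems.append(f"{key} on {ref['name']} is not https: {val}")
                hosts.add(urlparse(val).hostname)
    for out in tr["spec"].get("outputs", {}).get("resources", []):  # pushed images
        res = by_kind(docs, "PipelineResource")[out["resourceRef"]["name"]]
        url = next(p["value"] for p in res["spec"]["params"] if p["name"] == "url")
        if url.split("/")[0] not in hosts:  # image registry host must be covered
            problems.append(f"no credential covers the registry of {url}")
    return problems
```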
Putting the parts of the example together, the complete yaml, pipeline_resource.yaml, is as follows:
# https://github.com/tektoncd/pipeline/blob/master/docs/auth.md
apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://registry.cn-hangzhou.aliyuncs.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: [Alibaba Cloud registry username]
  password: [Alibaba Cloud registry password]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
- name: basic-user-pass
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-git
spec:
  type: git
  params:
  - name: revision
    value: master
  - name: url
    value: https://github.com/GoogleContainerTools/skaffold #configure: change if you want to build something else, perhaps from your own local GitLab
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-image-leeroy-web
spec:
  type: image
  params:
  - name: url
    value: registry.cn-hangzhou.aliyuncs.com/shenshouer/leeroy-web #configure: replace with where the image should go: perhaps your local registry or Dockerhub with a secret and configured service account
---
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  inputs:
    resources:
    - name: docker-source
      type: git
    params:
    - name: pathToDockerFile
      description: The path to the dockerfile to build
      default: /workspace/docker-source/Dockerfile
    - name: pathToContext
      description:
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: /workspace/docker-source
  outputs:
    resources:
    - name: builtImage
      type: image
  steps:
  - name: build-and-push
    image: registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-executor
    command:
    - /kaniko/executor
    args:
    - --dockerfile=${inputs.params.pathToDockerFile}
    - --destination=${outputs.resources.builtImage.url}
    - --context=${inputs.params.pathToContext}
---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  serviceAccount: build-bot
  taskRef:
    name: build-docker-image-from-git-source
  trigger:
    type: manual
  inputs:
    resources:
    - name: docker-source
      resourceRef:
        name: skaffold-git
    params:
    - name: pathToDockerFile
      value: Dockerfile
    - name: pathToContext
      value: /workspace/docker-source/examples/microservices/leeroy-web #configure: may change according to your source
  outputs:
    resources:
    - name: builtImage
      resourceRef:
        name: skaffold-image-leeroy-web
Create the resources with kubectl create:
$ # create a namespace for running the example
$ kubectl create ns tekton-test
$ kubectl -n tekton-test create -f pipeline_resource.yaml
secret/basic-user-pass created
serviceaccount/build-bot created
pipelineresource.tekton.dev/skaffold-git created
pipelineresource.tekton.dev/skaffold-image-leeroy-web created
task.tekton.dev/build-docker-image-from-git-source created
taskrun.tekton.dev/build-docker-image-from-git-source-task-run created
Check the status.
List the tekton-pipelines resources:
$ kubectl -n tekton-test get tekton-pipelines
NAME AGE
build-docker-image-from-git-source 13s
NAME AGE
build-docker-image-from-git-source-task-run 13s
NAME AGE
skaffold-git 13s
skaffold-image-leeroy-web 13s
Check the Pod status:
$ kubectl -n tekton-test get po -o wide --watch
NAME READY STATUS RESTARTS AGE IP NODE
build-docker-image-from-git-source-task-run-pod-75b73f 0/3 PodInitializing 0 4s 10.220.0.164 prod-l27-4-91
build-docker-image-from-git-source-task-run-pod-75b73f 2/3 Running 0 5s 10.220.0.164 prod-l27-4-91
build-docker-image-from-git-source-task-run-pod-75b73f 1/3 Running 0 22s 10.220.0.164 prod-l27-4-91
build-docker-image-from-git-source-task-run-pod-75b73f 0/3 Completed 0 1m 10.220.0.164 prod-l27-4-91
When the Pod status is Completed, the task has finished; then check whether the image was pushed to the Alibaba Cloud registry successfully.