Tekton trial

    • Introduction
    • Deployment
      • Replacing the dependency images
      • Installation
    • Example
      • Task input definition
      • Task output definition
      • Image registry authentication
        • Creating the secret
        • Creating the serviceaccount
      • Defining the Task
      • Defining the TaskRun
      • Complete YAML
      • Running the example

Introduction

Google has open-sourced Tekton, a Kubernetes-native CI/CD build framework.
Tekton is a powerful and flexible Kubernetes-native framework for creating CI/CD systems. By abstracting away the underlying implementation details, it lets developers build, test and deploy across multiple cloud environments or on-premises systems.

Features include:

Artifact management: store, manage and secure artifacts, while Tekton pipelines integrate well with other third-party tools.
Deployment pipelines: deployment pipelines are designed to support complex workflows, including deployment across multiple environments as well as canary and blue/green deployments.
Results: as part of the built-in results storage API, logs give insight into test and build results.

Reference: https://cloud.google.com/tekton/

Deployment

Replacing the dependency images

Deployment assumes an existing Kubernetes cluster. Deployment file reference: https://github.com/tektoncd/pipeline/releases/download/v0.2.0/release.yaml

Pulling gcr images from within China requires a proxy, so for convenience I pushed all of the dependency images in the Tekton toolchain to Alibaba Cloud. The modified release.yaml is as follows:

apiVersion: v1
kind: Namespace
metadata:
  name: tekton-pipelines

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipelines-admin
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  - events
  - serviceaccounts
  - configmaps
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - tasks
  - clustertasks
  - taskruns
  - pipelines
  - pipelineruns
  - pipelineresources
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - taskruns/finalizers
  - pipelineruns/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - tasks/status
  - clustertasks/status
  - taskruns/status
  - pipelines/status
  - pipelineruns/status
  - pipelineresources/status
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tekton-pipelines-controller-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-pipelines-admin
subjects:
- kind: ServiceAccount
  name: tekton-pipelines-controller
  namespace: tekton-pipelines

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clustertasks.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: ClusterTask
    plural: clustertasks
  scope: Cluster
  subresources:
    status: {}
  version: v1alpha1

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: images.caching.internal.knative.dev
spec:
  group: caching.internal.knative.dev
  names:
    categories:
    - all
    - knative-internal
    - caching
    kind: Image
    plural: images
    shortNames:
    - img
    singular: image
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelines.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: Pipeline
    plural: pipelines
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelineruns.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: PipelineRun
    plural: pipelineruns
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelineresources.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: PipelineResource
    plural: pipelineresources
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tasks.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: Task
    plural: tasks
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: taskruns.tekton.dev
spec:
  group: tekton.dev
  names:
    categories:
    - all
    - knative
    - tekton-pipelines
    kind: TaskRun
    plural: taskruns
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-pipelines-controller
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  ports:
  - name: metrics
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app: tekton-pipelines-controller

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-pipelines-webhook
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
spec:
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: tekton-pipelines-webhook

---
apiVersion: v1
data: null
kind: ConfigMap
metadata:
  name: config-artifact-bucket
  namespace: tekton-pipelines

---
apiVersion: v1
data:
  loglevel.controller: info
  loglevel.webhook: info
  zap-logger-config: |
    {
      "level": "info",
      "development": false,
      "sampling": {
        "initial": 100,
        "thereafter": 100
      },
      "outputPaths": ["stdout"],
      "errorOutputPaths": ["stderr"],
      "encoding": "json",
      "encoderConfig": {
        "timeKey": "",
        "levelKey": "level",
        "nameKey": "logger",
        "callerKey": "caller",
        "messageKey": "msg",
        "stacktraceKey": "stacktrace",
        "lineEnding": "",
        "levelEncoder": "",
        "timeEncoder": "",
        "durationEncoder": "",
        "callerEncoder": ""
      }
    }
kind: ConfigMap
metadata:
  name: config-logging
  namespace: tekton-pipelines

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: tekton-pipelines-controller
    spec:
      containers:
      - args:
        - -logtostderr
        - -stderrthreshold
        - INFO
        - -kubeconfig-writer-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-kubeconfigwriter:v0.2.0
        - -creds-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-creds-init:v0.2.0
        - -git-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-git-init:v0.2.0
        - -nop-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-nop:v0.2.0
        - -bash-noop-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-bash:v0.2.0
        - -gsutil-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-gsutil:v0.2.0
        - -entrypoint-image
        - registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-entrypoint:v0.2.0
        image: registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-controller:v0.2.0
        name: tekton-pipelines-controller
        volumeMounts:
        - mountPath: /etc/config-logging
          name: config-logging
      serviceAccountName: tekton-pipelines-controller
      volumes:
      - configMap:
          name: config-logging
        name: config-logging

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: tekton-pipelines-webhook
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-webhook:v0.2.0
        name: webhook
        volumeMounts:
        - mountPath: /etc/config-logging
          name: config-logging
      serviceAccountName: tekton-pipelines-controller
      volumes:
      - configMap:
          name: config-logging
        name: config-logging

---

Installation

Reference: https://github.com/tektoncd/pipeline/blob/master/docs/install.md

  1. Install Tekton Pipelines and its dependencies with the kubectl apply command:
kubectl apply --filename ./release.yaml
  2. Use the kubectl get command to watch the Tekton Pipelines components start up until every component shows the Running status:
$ kubectl get pods --namespace tekton-pipelines --watch
NAME                                           READY     STATUS    RESTARTS   AGE
tekton-pipelines-controller-5d4ff79776-bznx8   1/1       Running   0          41s
tekton-pipelines-webhook-6b5b4f96f4-c2zz4      1/1       Running   0          41s

At this point Tekton Pipelines is installed.

Example

Reference: https://github.com/tektoncd/pipeline/blob/master/docs/tutorial.md

This example walks through the official GitHub example Task Inputs and Outputs.

Task input definition

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-git
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/GoogleContainerTools/skaffold

This PipelineResource is of type git.

Task output definition

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-image-leeroy-web
spec:
  type: image
  params:
    - name: url
      value: registry.cn-hangzhou.aliyuncs.com/shenshouer/leeroy-web

This PipelineResource is of type image.

Image registry authentication

When the task finishes it produces an image and pushes it to the registry registry.cn-hangzhou.aliyuncs.com/shenshouer, which requires authentication. For the authentication configuration see: https://github.com/tektoncd/pipeline/blob/master/docs/auth.md

Creating the secret

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://registry.cn-hangzhou.aliyuncs.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: [阿里云镜像仓库账号]
  password: [阿里云镜像仓库密码]

Note

  • The secret type is kubernetes.io/basic-auth
  • The annotations must specify the key tekton.dev/docker-0 with the value https://registry.cn-hangzhou.aliyuncs.com; several registries can be configured this way, sharing the same username and password
  • Replace the username and password

Creating the serviceaccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

The ServiceAccount references the secret created above.

Defining the Task

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  inputs:
    resources:
      - name: docker-source
        type: git
    params:
      - name: pathToDockerFile
        description: The path to the dockerfile to build
        default: /workspace/docker-source/Dockerfile
      - name: pathToContext
        description:
          The build context used by Kaniko
          (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
        default: /workspace/docker-source
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-executor
      command:
        - /kaniko/executor
      args:
        - --dockerfile=${inputs.params.pathToDockerFile}
        - --destination=${outputs.resources.builtImage.url}
        - --context=${inputs.params.pathToContext}

This task builds the image and pushes it to the specified registry; the build tool it relies on is kaniko. I have pushed that image to Alibaba Cloud as registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-executor and already replaced it in the YAML file.
For how to use the executor (that is, kaniko) itself, see the kaniko trial post.

Defining the TaskRun

apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  serviceAccount: build-bot
  taskRef:
    name: build-docker-image-from-git-source
  trigger:
    type: manual
  inputs:
    resources:
      - name: docker-source
        resourceRef:
          name: skaffold-git
    params:
      - name: pathToDockerFile
        value: Dockerfile
      - name: pathToContext
        value: /workspace/docker-source/examples/microservices/leeroy-web #configure: may change according to your source
  outputs:
    resources:
      - name: builtImage
        resourceRef:
          name: skaffold-image-leeroy-web

The TaskRun must reference the serviceaccount created above: serviceAccount: build-bot
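As an added illustration (not code from the original post or from Tekton itself), the following Python shows how the Task, TaskRun, PipelineResource, Secret and ServiceAccount above fit together: it expands the ${inputs.params.*} and ${outputs.resources.builtImage.url} variables in the kaniko step args the way the v1alpha1 controller does, then checks that the TaskRun's serviceAccount carries a kubernetes.io/basic-auth secret whose tekton.dev/docker-N annotation names the registry host the push goes to, which is the linkage the Note under "Creating the secret" requires. The manifests are reproduced inline as Python dicts, trimmed to the fields used.

```python
import re

# Constructed inline from the manifests on this page, trimmed to the fields used below.
SECRET = {"metadata": {"name": "basic-user-pass", "annotations": {
    "tekton.dev/docker-0": "https://registry.cn-hangzhou.aliyuncs.com"}}, "type": "kubernetes.io/basic-auth"}
SERVICE_ACCOUNT = {"metadata": {"name": "build-bot"}, "secrets": [{"name": "basic-user-pass"}]}
IMAGE_RESOURCE = {"spec": {"type": "image", "params": [
    {"name": "url", "value": "registry.cn-hangzhou.aliyuncs.com/shenshouer/leeroy-web"}]}}
TASK = {"spec": {
    "inputs": {"params": [{"name": "pathToDockerFile", "default": "/workspace/docker-source/Dockerfile"},
                          {"name": "pathToContext", "default": "/workspace/docker-source"}]},
    "steps": [{"name": "build-and-push", "command": ["/kaniko/executor"], "args": [
        "--dockerfile=${inputs.params.pathToDockerFile}",
        "--destination=${outputs.resources.builtImage.url}",
        "--context=${inputs.params.pathToContext}"]}]}}
TASKRUN = {"spec": {"serviceAccount": "build-bot", "inputs": {"params": [
    {"name": "pathToDockerFile", "value": "Dockerfile"},
    {"name": "pathToContext", "value": "/workspace/docker-source/examples/microservices/leeroy-web"}]},
    "outputs": {"resources": [{"name": "builtImage", "resourceRef": {"name": "skaffold-image-leeroy-web"}}]}}}
VAR = re.compile(r"\$\{([^}]+)\}")

def resolve_step_args(task, taskrun, resources):
    """Expand ${inputs.params.X} / ${outputs.resources.R.url}; TaskRun values override Task defaults."""
    params = {p["name"]: p.get("default") for p in task["spec"]["inputs"]["params"]}
    params.update({p["name"]: p["value"] for p in taskrun["spec"].get("inputs", {}).get("params", [])})
    outputs = {r["name"]: {p["name"]: p["value"] for p in resources[r["resourceRef"]["name"]]["spec"]["params"]}
               for r in taskrun["spec"]["outputs"]["resources"]}
    def sub(m):
        kind, _, name, *attr = m.group(1).split(".")
        val = params.get(name) if kind == "inputs" else outputs.get(name, {}).get(attr[0]) if attr else None
        if val is None:  # unknown name, or a param with neither a default nor a TaskRun value
            raise ValueError("unresolved variable " + m.group(0))
        return val
    step = task["spec"]["steps"][0]
    return step["command"] + [VAR.sub(sub, a) for a in step["args"]]

def push_is_authenticated(taskrun, service_accounts, secrets, resolved_args):
    """True only if the TaskRun's serviceAccount links a kubernetes.io/basic-auth secret whose
    tekton.dev/docker-N annotation names the registry host that --destination pushes to."""
    dest = next(a[len("--destination="):] for a in resolved_args if a.startswith("--destination="))
    registry_host = dest.split("/", 1)[0]  # image URLs carry no scheme; the host is the first segment
    sa = service_accounts.get(taskrun["spec"].get("serviceAccount"), {})
    for ref in sa.get("secrets", []):
        sec = secrets.get(ref["name"], {})
        if sec.get("type") != "kubernetes.io/basic-auth":
            continue
        for key, url in sec["metadata"].get("annotations", {}).items():
            if key.startswith("tekton.dev/docker-") and url.split("://", 1)[-1].rstrip("/") == registry_host:
                return True
    return False
```

Running resolve_step_args on the manifests above yields the exact kaniko command line the step executes; a TaskRun that omits the serviceAccount, or a secret annotated for a different registry host, makes push_is_authenticated return False before anything is pushed.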

Complete YAML

Combining the parts of the example above, the complete YAML, pipeline_resource.yaml, is as follows:

# https://github.com/tektoncd/pipeline/blob/master/docs/auth.md
apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://registry.cn-hangzhou.aliyuncs.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: [阿里云镜像仓库账号]
  password: [阿里云镜像仓库密码]

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-git
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/GoogleContainerTools/skaffold #configure: change if you want to build something else, perhaps from your own local GitLab

---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-image-leeroy-web
spec:
  type: image
  params:
    - name: url
      value: registry.cn-hangzhou.aliyuncs.com/shenshouer/leeroy-web #configure: replace with where the image should go: perhaps your local registry or Dockerhub with a secret and configured service account

---
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  inputs:
    resources:
      - name: docker-source
        type: git
    params:
      - name: pathToDockerFile
        description: The path to the dockerfile to build
        default: /workspace/docker-source/Dockerfile
      - name: pathToContext
        description:
          The build context used by Kaniko
          (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
        default: /workspace/docker-source
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: registry.cn-hangzhou.aliyuncs.com/shenshouer/tektoncd-executor
      command:
        - /kaniko/executor
      args:
        - --dockerfile=${inputs.params.pathToDockerFile}
        - --destination=${outputs.resources.builtImage.url}
        - --context=${inputs.params.pathToContext}

---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  serviceAccount: build-bot
  taskRef:
    name: build-docker-image-from-git-source
  trigger:
    type: manual
  inputs:
    resources:
      - name: docker-source
        resourceRef:
          name: skaffold-git
    params:
      - name: pathToDockerFile
        value: Dockerfile
      - name: pathToContext
        value: /workspace/docker-source/examples/microservices/leeroy-web #configure: may change according to your source
  outputs:
    resources:
      - name: builtImage
        resourceRef:
          name: skaffold-image-leeroy-web

Running the example

Using kubectl create

$ # Create a namespace for running the example

$ kubectl create ns tekton-test  
$ kubectl -n tekton-test create -f pipeline_resource.yaml
secret/basic-user-pass created
serviceaccount/build-bot created
pipelineresource.tekton.dev/skaffold-git created
pipelineresource.tekton.dev/skaffold-image-leeroy-web created
task.tekton.dev/build-docker-image-from-git-source created
taskrun.tekton.dev/build-docker-image-from-git-source-task-run created

Check the status:

View the tekton-pipelines resources

$ kubectl -n tekton-test get tekton-pipelines
NAME                                 AGE
build-docker-image-from-git-source   13s

NAME                                          AGE
build-docker-image-from-git-source-task-run   13s

NAME                        AGE
skaffold-git                13s
skaffold-image-leeroy-web   13s

View the Pod status

$ kubectl -n tekton-test get po -o wide --watch
NAME                                                     READY     STATUS            RESTARTS   AGE       IP             NODE
build-docker-image-from-git-source-task-run-pod-75b73f   0/3       PodInitializing   0          4s        10.220.0.164   prod-l27-4-91
build-docker-image-from-git-source-task-run-pod-75b73f   2/3       Running   0         5s        10.220.0.164   prod-l27-4-91
build-docker-image-from-git-source-task-run-pod-75b73f   1/3       Running   0         22s       10.220.0.164   prod-l27-4-91
build-docker-image-from-git-source-task-run-pod-75b73f   0/3       Completed   0         1m        10.220.0.164   prod-l27-4-91

A Pod status of Completed means the task has finished; now check whether the image was pushed to the Alibaba Cloud registry successfully.
