Tekton gitlab CI/CD 实例

环境介绍

gitlab 地址

gitlab: http://192.168.174.108:8080/root/spring-boot-helloWorld

Task 说明

1. git-clone:克隆项目的源代码
2. build-to-package:代码测试、构建和打包
3. generate-build-id:生成Build ID
4. image-build-and-push:镜像构建(和推送)
5. deploy-to-cluster:将新版本的镜像更新到Kubernetes集群上

创建 secret

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secret
  namespace: tekton-demo
  annotations:
    tekton.dev/git-0: http://192.168.174.108:8080 # Described below
type: kubernetes.io/basic-auth
stringData:
  username: "xxxxx"
  password: "xxxxxx"
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-token
  namespace: tekton-demo
type: Opaque
stringData:
  # Generated by command "openssl rand -base64 12"
  webhookToken: "+FmTUzNvthZWSsVrtvAqtQ=="

---
apiVersion: v1
kind: Secret
metadata:
  name: docker-config
  namespace: tekton-demo
  annotations:
    tekton.dev/docker-0: https://index.docker.io/v1/ # Described below
type: kubernetes.io/basic-auth
stringData:
  username: "xxxxx"
  password: "xxxxx"

创建 secret 

# kubectl apply -f secret.yaml
secret/gitlab-secret configured
secret/gitlab-webhook-token configured
secret/docker-config created

查看 secret 

# kubectl get secret -n tekton-demo
NAME                   TYPE                       DATA   AGE
docker-config          kubernetes.io/basic-auth   2      93s
gitlab-secret          kubernetes.io/basic-auth   2      3m19s
gitlab-webhook-token   Opaque                     1      3m19s

创建 serviceaccount

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-clone
  namespace: tekton-demo
secrets:
  - name: gitlab-secret
  - name: docker-config

创建 serviceaccount 

# kubectl apply -f serviceaccount.yaml
serviceaccount/gitlab-clone created

查看 serviceaccount

# kubectl get serviceaccount -n tekton-demo
NAME           SECRETS   AGE
default        0         18h
gitlab-clone   1         85s

创建 rbac

rbac.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-triggers-gitlab-minimal
  namespace: tekton-demo
rules:
  # Permissions for every EventListener deployment to function
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["eventlisteners", "triggerbindings", "triggertemplates","triggers","interceptors"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    # secrets are only needed for Github/Gitlab interceptors, serviceaccounts only for per trigger authorization
    resources: ["configmaps", "secrets", "serviceaccounts"]
    verbs: ["get", "list", "watch"]
  # Permissions to create resources in associated TriggerTemplates
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns", "pipelineresources", "taskruns"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers-gitlab-binding
  namespace: tekton-demo
subjects:
  - kind: ServiceAccount
    name: gitlab-clone
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-triggers-gitlab-minimal
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-triggers-gitlab-minimal
rules:
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["clusterinterceptors","clustertriggerbindings"]
    verbs: ["get", "list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-triggers-gitlab-binding
subjects:
  - kind: ServiceAccount
    name: gitlab-clone
    namespace: tekton-demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-gitlab-minimal

创建 rbac

# kubectl apply -f rbac.yaml
role.rbac.authorization.k8s.io/tekton-triggers-gitlab-minimal created
rolebinding.rbac.authorization.k8s.io/tekton-triggers-gitlab-binding created
clusterrole.rbac.authorization.k8s.io/tekton-triggers-gitlab-minimal created
clusterrolebinding.rbac.authorization.k8s.io/tekton-triggers-gitlab-binding created

创建存储卷

pvc-cache.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: maven-cache
  namespace: tekton-demo
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs-csi
  volumeMode: Filesystem
  
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: docker-build-cache
  namespace: tekton-demo
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs-csi
  volumeMode: Filesystem

创建 pvc

# kubectl apply -f pvc-cache.yaml
persistentvolumeclaim/maven-cache created
persistentvolumeclaim/docker-build-cache created

查看 pvc

# kubectl get pvc -n tekton-demo
NAME                 STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
docker-build-cache   Bound    pvc-520e91f0-46d5-442f-938e-4c7a0657a583   5Gi        RWX            nfs-csi        18s
maven-cache          Bound    pvc-2d3cfaa1-e200-423b-b29b-52ef570f0e6b   5Gi        RWX            nfs-csi        18s

创建 Task

tasks.yaml

apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: git-clone
  namespace: tekton-demo
spec:
  description: Clone the code repository to the workspace. 
  params:
    - name: git-repo-url
      type: string
      description: git repository url to clone
    - name: git-revision
      type: string
      description: git revision to checkout (branch, tag, sha, ref)
  workspaces:
    - name: source
      description: The git repo will be cloned onto the volume backing this workspace
  steps:
    - name: git-clone
      image: alpine/git:v2.36.1
      script: | 
        git clone -v $(params.git-repo-url) $(workspaces.source.path)/source
        cd $(workspaces.source.path)/source && git reset --hard $(params.git-revision)
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: build-to-package
  namespace: tekton-demo
spec:
  description: build application and package the files to image
  workspaces:
    - name: source
      description: The git repo that cloned onto the volume backing this workspace
  steps:
    - name: build
      image: maven:3.8-openjdk-11-slim
      workingDir: $(workspaces.source.path)/source
      volumeMounts:
        - name: m2
          mountPath: /root/.m2
      script: mvn clean install
  volumes:
    - name: m2
      persistentVolumeClaim:
        claimName: maven-cache
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: generate-build-id
  namespace: tekton-demo
spec:
  params:
    - name: git-version
      description: The version of the application
      type: string
  results:
    - name: datetime
      description: The current date and time
    - name: buildId
      description: The build ID
  steps:
    - name: generate-datetime
      image: ikubernetes/admin-box:v1.2
      script: |
        #!/usr/bin/env bash
        datetime=`date +%Y%m%d-%H%M%S`
        echo -n ${datetime} | tee $(results.datetime.path)
    - name: generate-buildid
      image: ikubernetes/admin-box:v1.2
      script: |
        #!/usr/bin/env bash
        buildDatetime=`cat $(results.datetime.path)`
        buildId=$(params.git-version)-${buildDatetime}
        echo -n ${buildId} | tee $(results.buildId.path)
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: image-build-and-push
  namespace: tekton-demo
spec:
  description: package the application files to image
  params:
    - name: dockerfile
      description: The path to the dockerfile to build (relative to the context)
      default: Dockerfile
    - name: image-url
      description: Url of image repository
    - name: image-tag
      description: Tag to apply to the built image
  workspaces:
    - name: source
    #- name: dockerconfig
    #  mountPath: /kaniko/.docker
  steps:
    - name: image-build-and-push
      image: gcr.dockerproxy.com/kaniko-project/executor:latest
      securityContext:
        runAsUser: 0
      env:
        - name: DOCKER_CONFIG
          value: /root/.docker
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(params.dockerfile)
        - --context=$(workspaces.source.path)/source
        - --destination=$(params.image-url):$(params.image-tag)
        - --cache=true
        - --cache-dir=/root/build-image-cache
      volumeMounts:
        - name: docker-build-cache
          mountPath: /root/build-image-cache
  volumes:
    - name: docker-build-cache
      persistentVolumeClaim:
        claimName: docker-build-cache
---

创建 task 

# kubectl apply -f task.yaml
task.tekton.dev/git-clone created
task.tekton.dev/build-to-package created
task.tekton.dev/generate-build-id created
task.tekton.dev/image-build-and-push created

查看 task 

# kubectl get task -n tekton-demo
NAME                   AGE
build-to-package       53s
generate-build-id      53s
git-clone              53s
image-build-and-push   53s

查看 task dashboard

创建 pipeline

pipeline.yaml

apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: source-to-image
  namespace: tekton-demo
spec:
  params:
    - name: git-repo-url
      type: string
      description: git repository url to clone
    - name: git-revision
      type: string
      description: git revision to checkout (branch, tag, sha, ref)
      default: main
    - name: image-build-context
      description: The path to the build context, used by Kaniko - within the workspace
      default: .
    - name: image-url
      description: Url of image repository
    - name: git-version
      description: The version of the application
      type: string
      default: "v1.0" 
  workspaces:
    - name: codebase
    #- name: docker-config
  tasks:
    - name: git-clone
      taskRef:
        name: git-clone
      params:
        - name: git-repo-url
          value: "$(params.git-repo-url)"
        - name: git-revision
          value: "$(params.git-revision)"
      workspaces:
        - name: source
          workspace: codebase
    - name: build-to-package
      taskRef:
        name: build-to-package
      workspaces:
        - name: source
          workspace: codebase
      runAfter:
        - git-clone
    - name: generate-build-id
      taskRef:
        name: generate-build-id
      params:
        - name: git-version
          value: "$(params.git-version)"
      runAfter:
        - git-clone
    - name: image-build-and-push
      taskRef:
        name: image-build-and-push
      params:
        - name: image-url
          value: "$(params.image-url)"
        - name: image-tag
          value: "$(tasks.generate-build-id.results.buildId)"
      workspaces:
        - name: source
          workspace: codebase
        #- name: dockerconfig
        #  workspace: docker-config
      runAfter:
        - generate-build-id
        - build-to-package

创建 pipeline

# kubectl apply -f pipeline.yaml
pipeline.tekton.dev/source-to-image created

查看 pipeline

# kubectl get pipeline -n tekton-demo
NAME              AGE
source-to-image   3m5s

查看 pipeline dashborad

创建 triggertemplate

triggertemplate.yaml

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: s2i-tt
  namespace: tekton-demo
spec:
  params:  # 定义参数
  - name: git-revision
  - name: git-repo-url
  - name: image-url
  - name: git-version
  resourcetemplates:
  - apiVersion: tekton.dev/v1
    kind: PipelineRun
    metadata:
      generateName: s2i-trigger-run-  # TaskRun 名称前缀
    spec:
      pipelineRef:
        name: source-to-image
      taskRunSpec:
        - pipelineTaskName: git-clone
          serviceAccountName: gitlab-clone
        - pipelineTaskName: image-build-and-push
          serviceAccountName: gitlab-clone
      params:
        - name: git-repo-url
          value: $(tt.params.git-repo-url)
        - name: git-revision
          value: $(tt.params.git-revision)
        - name: image-url
          value: $(tt.params.image-url)
        - name: git-version
          value: $(tt.params.git-version)
      workspaces:
        - name: codebase
          volumeClaimTemplate:
            spec:
              accessModes:
                - ReadWriteOnce
              resources:
                requests:
                  storage: 1Gi
              storageClassName: nfs-csi
        #- name: docker-config
        #  secret:
        #    secretName: docker-config

创建 triggertemplate

# kubectl apply -f triggertemplate.yaml
triggertemplate.triggers.tekton.dev/s2i-tt created

查看 triggertemplate

# kubectl get triggertemplate -n tekton-demo
NAME     AGE
s2i-tt   3s

查看 triggertemplate dashboard

创建 triggerbinding

triggerbinding.yaml

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: s2i-binding
  namespace: tekton-demo
spec:
  params:
  - name: git-revision
    value: $(body.checkout_sha)
  - name: git-repo-url
    value: $(body.repository.git_http_url)
  - name: image-url
    value: 1304995320/spring-boot-helloworld
  - name: git-version
    value: v1.0

创建 triggerbinding

# kubectl apply -f triggerbinding.yaml
triggerbinding.triggers.tekton.dev/s2i-binding created

查看 triggerbinding

# kubectl get triggerbinding -n tekton-demo
NAME          AGE
s2i-binding   84s

查看 triggerbinding dashboard

创建 eventlistener

eventlistener.yaml

apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: s2i-listener 
  namespace: tekton-demo
spec:
  serviceAccountName: gitlab-clone
  triggers:
  - name: gitlab-push-events-trigger
    interceptors:
    - ref:
        name: "gitlab"
      params:
      - name: "secretRef"
        value:
          secretName: gitlab-webhook-token 
          secretKey: webhookToken
      - name: "eventTypes"
        value: 
          - "Push Hook"
          #- "Tag Push Hook"
          - "Merge Request Hook"
    bindings:
    - ref: s2i-binding
    template:
      ref: s2i-tt
  resources:
    kubernetesResource:
      serviceType: NodePort

创建 eventlistener

# kubectl apply -f eventlistener.yaml
eventlistener.triggers.tekton.dev/s2i-listener created

查看 eventlistener

# kubectl get eventlistener -n tekton-demo
NAME           ADDRESS                                                 AVAILABLE   REASON                     READY   REASON
s2i-listener   http://el-s2i-listener.tekton-demo.svc.wgs.local:8080   True        MinimumReplicasAvailable   True    

查看 eventlistener pod

# kubectl get pods -n tekton-demo
NAME                               READY   STATUS    RESTARTS   AGE
el-s2i-listener-59dd5d7dc7-ntfvw   1/1     Running   0          4s

查看 eventlistener svc

# kubectl get svc -n tekton-demo
NAME              TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
el-s2i-listener   NodePort   10.100.127.222   <none>        8080:31340/TCP,9000:31150/TCP   35s

查看 eventlistener dashborad

测试 Tekton CI/CD 

添加 webhook

测试 Push event

查看 Push event

查看 EventListener Push event 日志信息

# kubectl logs -f el-s2i-listener-59dd5d7dc7-g7j4x -n tekton-demo
{"severity":"info","timestamp":"2023-12-08T03:08:16.742Z","logger":"eventlistener","caller":"sink/sink.go:442","message":"ResolvedParams : [{Name:image-url Value:1304995320/spring-boot-helloworld} {Name:git-version Value:v1.0} {Name:git-revision Value:513280bfe42b7049e2a6348148888ef2881dc51b} {Name:git-repo-url Value:http://192.168.174.108:8080/root/spring-boot-helloWorld.git}]","commit":"acb7b71-dirty","eventlistener":"s2i-listener","namespace":"tekton-demo","/triggers-eventid":"f4f5c217-cd17-473c-a448-87ba70f40b0e","eventlistenerUID":"e8e634b0-d572-431a-838f-3664e5f46daa","/triggers-eventid":"f4f5c217-cd17-473c-a448-87ba70f40b0e","/trigger":"gitlab-push-events-trigger"}
{"severity":"info","timestamp":"2023-12-08T03:08:16.744Z","logger":"eventlistener","caller":"resources/create.go:98","message":"Generating resource: kind: &APIResource{Name:pipelineruns,Namespaced:true,Kind:PipelineRun,Verbs:[delete deletecollection get list patch create update watch],ShortNames:[pr prs],SingularName:pipelinerun,Categories:[tekton tekton-pipelines],Group:tekton.dev,Version:v1,StorageVersionHash:lWZRMGzJrT4=,}, name: s2i-trigger-run-","commit":"acb7b71-dirty"}
{"severity":"info","timestamp":"2023-12-08T03:08:16.744Z","logger":"eventlistener","caller":"resources/create.go:106","message":"For event ID \"f4f5c217-cd17-473c-a448-87ba70f40b0e\" creating resource tekton.dev/v1, Resource=pipelineruns","commit":"acb7b71-dirty"}

查看 pipelinerun dashboard

查看 docker hub

测试  Tag Push event

interceptors 未定义eventTypes Tag Push Hook,因此不为触发CI/CD流程。

查看 Tag Push event

查看 EventListener Tag Push event 日志信息

# kubectl logs -f el-s2i-listener-59dd5d7dc7-g7j4x -n tekton-demo
{"severity":"info","timestamp":"2023-12-08T03:12:00.729Z","logger":"eventlistener","caller":"sink/sink.go:420","message":"interceptor stopped trigger processing: rpc error: code = FailedPrecondition desc = event type Tag Push Hook is not allowed","commit":"acb7b71-dirty","eventlistener":"s2i-listener","namespace":"tekton-demo","/triggers-eventid":"11392ce5-515b-4201-8cd7-24e3e8860a5a","eventlistenerUID":"e8e634b0-d572-431a-838f-3664e5f46daa","/triggers-eventid":"11392ce5-515b-4201-8cd7-24e3e8860a5a","/trigger":"gitlab-push-events-trigger"}
posted @ 2023-12-23 13:42  小吉猫  阅读(335)  评论(0编辑  收藏  举报