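What is an EventListener
An EventListener connects TriggerBindings and TriggerTemplates to an event sink. It uses the parameters extracted from each TriggerBinding to create the resources specified in the TriggerTemplate, and its interceptor field can designate external services that pre-process the event's attributes.
Resource details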
triggers
ServiceAccountName
name
bindings
template
eventListener/triggers/sa-rbac.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-example-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-triggers-example-minimal
rules:
# EventListeners need to be able to fetch all namespaced resources
- apiGroups: ["triggers.tekton.dev"]
  resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  # configmaps is needed for updating logging config
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
# Permissions to create resources in associated TriggerTemplates
- apiGroups: ["tekton.dev"]
  resources: ["pipelineruns", "pipelineresources", "taskruns"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["impersonate"]
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["tekton-triggers"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers-example-binding
subjects:
- kind: ServiceAccount
  name: tekton-triggers-example-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-triggers-example-minimal
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-triggers-example-clusterrole
rules:
# EventListeners need to be able to fetch any clustertriggerbindings
- apiGroups: ["triggers.tekton.dev"]
  resources: ["clustertriggerbindings", "clusterinterceptors"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-triggers-example-clusterbinding
subjects:
- kind: ServiceAccount
  name: tekton-triggers-example-sa
  namespace: tekton
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-example-clusterrole
```
eventListener/triggers/task-pipeline.yaml
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: say-hello
spec:
  params:
    - name: contenttype
      description: The Content-Type of the event
      type: string
  resources:
    inputs:
      - name: git-source
        type: git
  steps:
    - name: say-hi
      image: bash
      command: ["bash", "-c"]
      args:
        - echo -e 'Hello Triggers!\nContent-Type is $(params.contenttype)'
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: say-message
spec:
  params:
    - name: message
      description: The message to print
      default: This is the default message
      type: string
  resources:
    inputs:
      - name: git-source
        type: git
  steps:
    - name: say-message
      image: bash
      command: ["bash", "-c"]
      args:
        - echo '$(params.message)'
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: say-bye
spec:
  resources:
    inputs:
      - name: git-source
        type: git
  steps:
    - name: say-bye
      image: bash
      command: ["bash", "-c"]
      args:
        - echo 'Goodbye Triggers!'
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: simple-pipeline
spec:
  params:
    - name: message
      description: The message to print
      default: This is the default message
      type: string
    - name: contenttype
      description: The Content-Type of the event
      type: string
  resources:
    - name: git-source
      type: git
  tasks:
    - name: say-hello
      taskRef:
        name: say-hello
      params:
        - name: contenttype
          value: $(params.contenttype)
      resources:
        inputs:
          - name: git-source
            resource: git-source
    - name: say-message
      runAfter: [say-hello]
      taskRef:
        name: say-message
      params:
        - name: message
          value: $(params.message)
      resources:
        inputs:
          - name: git-source
            resource: git-source
    - name: say-bye
      runAfter: [say-message]
      taskRef:
        name: say-bye
      resources:
        inputs:
          - name: git-source
            resource: git-source
```
eventListener/triggers/trigger-template.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: pipeline-template
spec:
  params:
    - name: gitrevision
      description: The git revision
      default: main
    - name: gitrepositoryurl
      description: The git repository url
    - name: message
      description: The message to print
      default: This is the default message
    - name: contenttype
      description: The Content-Type of the event
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        generateName: simple-pipeline-run-
      spec:
        pipelineRef:
          name: simple-pipeline
        params:
          - name: message
            value: $(tt.params.message)
          - name: contenttype
            value: $(tt.params.contenttype)
        resources:
          - name: git-source
            resourceSpec:
              type: git
              params:
                - name: revision
                  value: $(tt.params.gitrevision)
                - name: url
                  value: $(tt.params.gitrepositoryurl)
```
eventListener/triggers/message-binding.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: message-binding
spec:
  params:
    - name: message
      value: Hello from the Triggers EventListener!
```
eventListener/triggers/pipeline-binding.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: pipeline-binding
spec:
  params:
    - name: gitrevision
      value: $(body.head_commit.id)
    - name: gitrepositoryurl
      value: $(body.repository.url)
    - name: contenttype
      value: $(header.Content-Type)
```
eventListener/triggers/listener.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
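To check what the two bindings would hand to `pipeline-template` for a given request, the sketch below resolves their `$(body...)` and `$(header...)` expressions against a sample event. It is an added example, not code from the original page or from Tekton: `resolve_bindings` is a hypothetical helper that models only dotted paths and `[n]` indexes, `PR_BODY` is the body of the curl command above, and `PUSH_BODY` is a constructed push-style body.

```python
import json
import re

# Binding params copied from pipeline-binding.yaml and message-binding.yaml.
BINDINGS = {
    "gitrevision": "$(body.head_commit.id)",
    "gitrepositoryurl": "$(body.repository.url)",
    "contenttype": "$(header.Content-Type)",
    "message": "Hello from the Triggers EventListener!",
}
# Body and headers of the page's curl request.
PR_BODY = ('{"action": "opened", "pull_request":{"head":{"sha": '
           '"28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},'
           '"repository":{"url": "https://github.com/tektoncd/triggers.git"}}')
HEADERS = {"X-GitHub-Event": "pull_request", "Content-Type": "application/json"}
# Constructed push-style body that carries head_commit.id.
PUSH_BODY = ('{"head_commit": {"id": "0123abc"}, '
             '"repository": {"url": "https://github.com/tektoncd/triggers.git"}}')

_EXPR = re.compile(r"^\$\((body|header|extensions)\.(.+)\)$")
_STEP = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def _walk(node, path):
    """Follow a dotted path with optional [n] indexes."""
    for key, index in _STEP.findall(path):
        node = node[int(index)] if index else node[key]
    return node


def resolve_bindings(bindings, headers, body, extensions=None):
    """Return (resolved params, names of params whose path is absent)."""
    event = {
        "body": json.loads(body),
        # HTTP header names are case-insensitive, so compare in lower case.
        "header": {k.lower(): v for k, v in headers.items()},
        "extensions": extensions or {},
    }
    resolved, missing = {}, []
    for name, value in bindings.items():
        match = _EXPR.match(value)
        if match is None:
            resolved[name] = value  # literal value, as in message-binding
            continue
        source, path = match.groups()
        if source == "header":
            path = path.lower()
        try:
            resolved[name] = _walk(event[source], path)
        except (LookupError, TypeError):
            missing.append(name)
    return resolved, missing


if __name__ == "__main__":
    for label, body in (("pull_request", PR_BODY), ("push", PUSH_BODY)):
        params, missing = resolve_bindings(BINDINGS, HEADERS, body)
        print(label, params, "unresolved:", missing)
```

The pull_request body sent by the curl command has no `head_commit.id`, so `gitrevision` is reported as unresolved for it; what Tekton does with an unresolved path at runtime is not modelled here.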
interceptors
Event Interceptors can take several different forms today:
webhook
eventListener/interceptors/webhook-deployment.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gh-validate
  namespace: tekton
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gh-validate
  template:
    metadata:
      labels:
        app: gh-validate
    spec:
      serviceAccountName: default
      containers:
        - name: validate
          image: registry.cn-shanghai.aliyuncs.com/hxpdocker/webhook-interceptors:latest
          env:
            - name: GITHUB_SECRET_TOKEN
              valueFrom:
                secretKeyRef:
                  name: github-secret
                  # Must match the key defined in github-secret.yaml
                  key: secretToken
---
apiVersion: v1
kind: Service
metadata:
  name: gh-validate
  namespace: tekton
spec:
  type: ClusterIP
  selector:
    app: gh-validate
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
```
eventListener/interceptors/github-secret.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: github-secret
type: Opaque
stringData:
  secretToken: "1234567"
```
eventListener/interceptors/webhook-listener.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: github-secret
type: Opaque
stringData:
  secretToken: "1234567"
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      interceptors:
        - ref:
            name: "github"
          params:
            - name: "secretRef"
              value:
                secretName: github-secret
                secretKey: secretToken
            - name: "eventTypes"
              value: ["pull_request"]
        - webhook:
            header:
              - name: Foo-Trig-Header1
                value: string-value
              - name: Foo-Trig-Header2
                value:
                  - array-val1
                  - array-val2
            objectRef:
              kind: Service
              name: gh-validate
              apiVersion: v1
              namespace: tekton
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
github
eventListener/interceptors/github-secret.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: github-secret
type: Opaque
stringData:
  secretToken: "1234567"
```
eventListener/interceptors/github-01.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      interceptors:
        - github:
            eventTypes: ["pull_request"]
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
eventListener/interceptors/github-02.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      interceptors:
        - ref:
            name: "github"
          params:
            - name: "secretRef"
              value:
                secretName: github-secret
                secretKey: secretToken
            - name: "eventTypes"
              value: ["pull_request"]
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
Generating the X-Hub-Signature
Free Online HMAC Generator / Checker Tool (MD5, SHA-256, SHA-512) - FreeFormatter.com
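The signature can also be computed locally, which keeps the webhook secret off a third-party site. This added example (not from the original page or the Tekton project) produces and checks an `X-Hub-Signature` value as HMAC-SHA1 over the raw request body; the function names are hypothetical, `SECRET` is the `secretToken` from `github-secret.yaml`, and `BODY` and `URL` are taken from the page's curl command.

```python
import hashlib
import hmac
import shlex

SECRET = "1234567"  # secretToken from github-secret.yaml on this page
BODY = (b'{"action": "opened", "pull_request":{"head":{"sha": '
        b'"28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},'
        b'"repository":{"url": "https://github.com/tektoncd/triggers.git"}}')
URL = "http://10.68.194.93:8080"


def sign_github_payload(secret: str, body: bytes) -> str:
    """Return the header value: 'sha1=' + hex HMAC-SHA1 of the raw body."""
    digest = hmac.new(secret.encode(), body, hashlib.sha1).hexdigest()
    return "sha1=" + digest


def verify_github_payload(secret: str, body: bytes, header_value: str) -> bool:
    """Check a received X-Hub-Signature against the exact bytes received."""
    if not header_value or not header_value.startswith("sha1="):
        return False
    expected = sign_github_payload(secret, body)
    # compare_digest runs in constant time, so timing does not leak the digest.
    return hmac.compare_digest(expected.encode(), header_value.encode())


def curl_command(secret: str, body: bytes, url: str) -> str:
    """Build the page's curl call with a signature computed for this body."""
    args = [
        "curl", "-v",
        "-H", "X-GitHub-Event: pull_request",
        "-H", "X-Hub-Signature: " + sign_github_payload(secret, body),
        "-H", "Content-Type: application/json",
        "-d", body.decode(),
        url,
    ]
    return shlex.join(args)


if __name__ == "__main__":
    print(curl_command(SECRET, BODY, URL))
```

The digest covers the body byte for byte, so any change to whitespace or key order in the JSON requires a new signature.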
gitlab
eventListener/interceptors/gitlab-secret.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secret
type: Opaque
stringData:
  secretToken: "1234567"
```
eventListener/interceptors/gitlab-listener.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      interceptors:
        - name: "verify-gitlab-payload"
          ref:
            name: "gitlab"
            kind: ClusterInterceptor
          params:
            - name: secretRef
              value:
                secretName: "gitlab-secret"
                secretKey: "secretToken"
            - name: eventTypes
              value:
                - "Push Hook"
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
gitlab-push-event.json
```json
{
  "object_kind": "push",
  "event_name": "push",
  "before": "1a1736ec3d7b03349b31218a2f2c572c7c7206d6",
  "after": "1a1736ec3d7b03349b31218a2f2c572c7c7206d6",
  "ref": "refs/heads/main",
  "checkout_sha": "1a1736ec3d7b03349b31218a2f2c572c7c7206d6",
  "message": null,
  "user_id": 111448,
  "user_name": "Dibyo Mukherjee",
  "user_username": "dibyom",
  "user_email": "",
  "user_avatar": "https://secure.gravatar.com/avatar/1d56773f447d86b8ffa33efb7a5d0cb5?s=80&d=identicon",
  "project_id": 16507326,
  "project": {
    "id": 16507326,
    "name": "triggers",
    "description": "",
    "web_url": "https://gitlab.com/dibyom/triggers",
    "avatar_url": null,
    "git_ssh_url": "git@gitlab.com:dibyom/triggers.git",
    "git_http_url": "https://gitlab.com/dibyom/triggers.git",
    "namespace": "Dibyo Mukherjee",
    "visibility_level": 20,
    "path_with_namespace": "dibyom/triggers",
    "default_branch": "main",
    "ci_config_path": null,
    "homepage": "https://gitlab.com/dibyom/triggers",
    "url": "git@gitlab.com:dibyom/triggers.git",
    "ssh_url": "git@gitlab.com:dibyom/triggers.git",
    "http_url": "https://gitlab.com/dibyom/triggers.git"
  },
  "commits": [
    {
      "id": "1a1736ec3d7b03349b31218a2f2c572c7c7206d6",
      "message": "Add new file",
      "timestamp": "2020-01-24T17:05:48+00:00",
      "url": "https://gitlab.com/dibyom/triggers/-/commit/1a1736ec3d7b03349b31218a2f2c572c7c7206d6",
      "author": {
        "name": "Dibyo Mukherjee",
        "email": "foo@bar.com"
      },
      "added": ["Readme.md"],
      "modified": [],
      "removed": []
    }
  ],
  "total_commits_count": 1,
  "push_options": {},
  "repository": {
    "name": "triggers",
    "url": "https://github.com/tektoncd/triggers.git",
    "description": "",
    "homepage": "https://gitlab.com/dibyom/triggers",
    "git_http_url": "https://gitlab.com/dibyom/triggers.git",
    "git_ssh_url": "git@gitlab.com:dibyom/triggers.git",
    "visibility_level": 20
  }
}
```
```bash
curl -v \
  -H 'X-GitLab-Token: 1234567' \
  -H 'X-Gitlab-Event: Push Hook' \
  -H 'Content-Type: application/json' \
  --data-binary "@gitlab-push-event.json" \
  http://10.68.194.93:8080
```
bitbucket
eventListener/interceptors/bitbucket-secret.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: bitbucket-secret
type: Opaque
stringData:
  secretToken: "1234567"
```
eventListener/interceptors/bitbucket-binding.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: bitbucket-binding
spec:
  params:
    - name: gitrevision
      value: $(body.changes[0].ref.displayId)
    - name: gitrepositoryurl
      value: $(body.repository.links.clone[0].href)
```
eventListener/interceptors/bitbucket-listener.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      interceptors:
        - ref:
            name: "bitbucket"
          params:
            - name: secretRef
              value:
                secretName: bitbucket-secret
                secretKey: secretToken
            - name: eventTypes
              value:
                - repo:refs_changed
      bindings:
        - ref: bitbucket-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-Event-Key: repo:refs_changed' \
  -H 'X-Hub-Signature: sha1=e3978add92171e0b3a5b37539064d784d0b1b731' \
  -d '{"repository": {"links": {"clone": [{"href": "https://github.com/tektoncd/triggers.git", "name": "http"}, {"href": "ssh://git@localhost:7999/~test/helloworld.git", "name": "ssh"}]}}, "changes": [{"ref": {"displayId": "main"}}]}' \
  http://10.68.194.93:8080
```
cel
eventListener/interceptors/cel-01.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: cel-trig-with-matches
      interceptors:
        - ref:
            name: "cel"
          params:
            - name: "filter"
              value: "header.match('X-GitHub-Event', 'pull_request')"
            - name: "overlays"
              value:
                - key: truncated_sha
                  expression: "body.pull_request.head.sha.truncate(7)"
      bindings:
        - name: sha
          value: $(extensions.truncated_sha)
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
compareSecret
eventListener/interceptors/cel-02.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  token: dGVzdC1zZWNyZXQ=
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: cel-trig-with-matches
      interceptors:
        - ref:
            name: "cel"
          params:
            - name: "filter"
              value: "'test-secret'.compareSecret('token', 'mysecret')"
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
triggerRef
eventListener/interceptors/triggerRef-trigger.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: Trigger
metadata:
  name: trigger
spec:
  interceptors:
    - cel:
        filter: "header.match('X-GitHub-Event', 'pull_request')"
        overlays:
          - key: extensions.truncated_sha
            expression: "body.pull_request.head.sha.truncate(7)"
  bindings:
    - ref: pipeline-binding
  template:
    ref: pipeline-template
```
eventListener/interceptors/triggerRef-listener.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - triggerRef: trigger
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
serviceaccount
eventListener/interceptors/serviceaccount-listener.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      serviceAccountName: tekton-triggers-example-sa
      interceptors:
        - github:
            eventTypes: ["pull_request"]
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
template/ spec
eventListener/interceptors/template-spec-listener.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      interceptors:
        - github:
            eventTypes: ["pull_request"]
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        spec:
          params:
            - name: "message"
            - name: gitrevision
              description: The git revision
              default: main
          resourceTemplates:
            - apiVersion: "tekton.dev/v1beta1"
              kind: TaskRun
              metadata:
                generateName: "pr-run-"
              spec:
                taskSpec:
                  steps:
                    - image: ubuntu
                      script: echo "$(tt.params.message)"
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.194.93:8080
```
ServiceType
eventListener/ServiceType-01.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
  resources:
    kubernetesResource:
      serviceType: NodePort
```
Replicas
eventListener/Replicas-listener-01.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
  resources:
    kubernetesResource:
      replicas: 2
```
eventListener/Replicas-listener-02.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
  replicas: 2
```
PodTemplate
eventListener/PodTemplate-01.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  resources:
    kubernetesResource:
      spec:
        template:
          spec:
            nodeSelector:
              kubernetes.io/hostname: 192.168.198.154
  triggers:
    - name: foo-trig
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
eventListener/PodTemplate-02.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  podTemplate:
    nodeSelector:
      kubernetes.io/hostname: 192.168.198.154
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
Resources
Right now the allowed values as part of podSpec are:
- ServiceAccountName
- NodeSelector
- Tolerations
- Volumes
- Containers
  - Resources
  - VolumeMounts
  - Env

```yaml
spec:
  resources:
    kubernetesResource:
      serviceType: NodePort
      spec:
        template:
          metadata:
            labels:
              key: "value"
            annotations:
              key: "value"
          spec:
            serviceAccountName: tekton-triggers-github-sa
            nodeSelector:
              app: test
            tolerations:
              - key: key
                value: value
                operator: Equal
                effect: NoSchedule
```
NamespaceSelector
This field determines the namespaces where EventListener can search for triggers and create Tekton resources. If this field isn’t provided, EventListener will only serve Triggers from its own namespace.
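```bash
# Binds the cluster-admin ClusterRole to tekton-triggers-example-sa in namespace tekton.
# That is full access to every namespace, well beyond the namespaced Role in sa-rbac.yaml.
kubectl create clusterrolebinding listener-binding \
  --clusterrole=cluster-admin \
  --serviceaccount=tekton:tekton-triggers-example-sa
```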
eventListener/NamespaceSelector-01.yaml
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: listener
spec:
  namespaceSelector:
    matchNames:
      # Quoted: a bare * is parsed by YAML as an alias indicator
      - "*"
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: foo-trig
      bindings:
        - ref: pipeline-binding
        - ref: message-binding
      template:
        ref: pipeline-template
```
```bash
curl -v \
  -H 'X-GitHub-Event: pull_request' \
  -H 'X-Hub-Signature: sha1=9c971b694ecd99a5753653032e5ceb332e29f2d1' \
  -H 'Content-Type: application/json' \
  -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"url": "https://github.com/tektoncd/triggers.git"}}' \
  http://10.68.239.247:8080
```