1.1 Tekton学习笔记之基本概念

前言

• CICD已经成为业界主流，Tekton作为Google亲自drive的项目，重要性不言而喻
• 要做吃螃蟹的人，长江后浪推前浪，把前浪拍死在沙滩上
• 开坑Tekton，第一阶段主要focus在Tekton官方手册上，了解基本用法
• Tekton与k8s息息相关，间或穿插k8s相关
• Tekton的定位一言以蔽之：next generation engine
  • 应用场景实例：push代码到GitHub上，自动trigger以下operation：build source code，然后将image push到remote hub上

Tekton tutorial

introduction

• Create a Task
• Create a Pipeline containing your Tasks
• Use a TaskRun to instantiate and execute a Task outside of a Pipeline
• Use a PipelineRun to instantiate and run a Pipeline containing your Tasks

Creating and running a Task

• A Task defines a series of steps that run in a desired order and complete a set amount of build work. Every Task runs as a Pod on your Kubernetes cluster with each step as its own container. For example, the following Task outputs “Hello World”:
• kind:Task etc

Tasks

QA

overview

• collection of steps as part of CI flow
• A task executes as a Pod on Kubernates cluster
• task available within a specific ns/clusterTask available across the entire cluster

学习展望

• 学习Kubernetes-style resources for declaring CI/CD style pipelines
• The pipelines run on Kubernetes like any other process.
• Each step runs as an independent container.
• Tekon run on k8s

Tekton Pipelines is a Kubernetes extension that installs and runs on your Kubernetes cluster. It defines a set of Kubernetes Custom Resources that act as building blocks from which you can assemble CI/CD pipelines. Once installed, Tekton Pipelines becomes available via the Kubernetes CLI (kubectl) and API calls, just like pods and other resources. 

• You will learn:
  • How to install a private registry with a UI
  • How to install the Tekton controller and optional CLI tool
  • How to declare resources specific to defining a CI/CD pipeline
  • About various Tekton resources like Resources, Tasks, and Pipelines
  • How to kick off a pipeline and inspect its progress

整体

Step-task-pipeline

1. a k8s cluster + helm + prepare k8s dashboard
2. install registry+ registry proxies as Node Daemons+ install registry UI
   1. Build container ->deploy them to registry
3. clone JS app
4. install tekon
5. install tekon dashboard
6. install tkn(manage tekon resource)
7. Apply ppresource
8. Apply two task
9. apply pipeline
10. need account access private resource

概念

• cluster
• node
• component
• K8s workflow
• Container registries
• stable helm chart for docker registry
• stable chart
• docker engine on each node
• Tekton is a Kubernetes Operator
• it can be completely administered using the standard Kubernetes manifests using the defined custom resources that have been associated with the Tekton controllers.
• apply命令
• A task will run inside a Pod on your cluster.
• Each Tekton task runs as a Kubernetes Pod. Each step in the task runs as a separate container in the task’s Pod.
• a task is a Pod

前提

• a k8s cluster
• Helm:包manager用于在K8S上安装应用
• kubectl用于管理cluster

step by step

• The Docker engine will pull from a “localhost” registry without triggering its security precautions.
• run a kube-registry-proxy on each node in the cluster, exposing a port on the node (via the hostPort value), which Docker accepts since it is accessed by localhost.
• Internal to all the container engines in the cluster, the registry is now available as a service for pushing and pulling container images. Pods can pull images from the registry at http://localhost:5000 and the proxies resolve the requests to https://registry-docker-registry.kube-system:5000.

Pipeline Run
    Pipeline
        Tasks
            Steps
                Resources

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: git
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/javajon/node-js-tekton

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-image-from-source
spec:
  inputs:
    resources:
      - name: git-source
        type: git
    params:
      - name: pathToContext
        description: The path to the build context, used by Kaniko - within the workspace
        default: .
      - name: pathToDockerfile
        description: The path to the Dockerfile to build
        default: Dockerfile
      - name: imageUrl
        description: value should be like - us.icr.io/test_namespace/builtImageApp
      - name: imageTag
        description: Tag to apply to the built image
  steps:
    - name: list-src
      image: alpine
      command:
        - "ls"
      args:
        - "$(inputs.resources.git-source.path)"
    - name: build-and-push
      image: gcr.io/kaniko-project/executor
      command:
        - /kaniko/executor
      args:
        - "--dockerfile=$(inputs.params.pathToDockerfile)"
        - "--destination=$(inputs.params.imageUrl):$(inputs.params.imageTag)"
        - "--context=$(inputs.resources.git-source.path)/$(inputs.params.pathToContext)/"
        - "--insecure"
        - "--insecure-pull"
        - "--skip-tls-verify"
        - "--skip-tls-verify-pull"

---

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: deploy-application
spec:
  inputs:
    resources:
      - name: git-source
        type: git
    params:
      - name: pathToContext
        description: The path to the build context, used by Kaniko - within the workspace
        default: .
      - name: pathToYamlFile
        description: The path to the yaml file to deploy within the git source
        default: deploy.yaml
      - name: imageUrl
        description: Url of image repository
        default: url
      - name: imageTag
        description: Tag of the images to be used.
        default: "latest"
  steps:
    - name: update-yaml
      image: alpine
      command: ["sed"]
      args:
        - "-i"
        - "-e"
        - "s;IMAGE;$(inputs.params.imageUrl):$(inputs.params.imageTag);g"
        - "$(inputs.resources.git-source.path)/$(inputs.params.pathToContext)/$(inputs.params.pathToYamlFile)"
    - name: deploy-app
      image: lachlanevenson/k8s-kubectl
      command: ["kubectl"]
      args:
        - "apply"
        - "-f"
        - "$(inputs.resources.git-source.path)/$(inputs.params.pathToContext)/$(inputs.params.pathToYamlFile)"

实例

常用命令

kubectl apply -f task-test.yaml
kubectl apply -f pipelineresource.yaml
kubectl apply -f taskrun.yaml

查看 TaskRun 资源对象的状态来查看构建状态
kubectl get taskrun

查看pods状态
kubectl get pods

来查看任务运行的过程
kubectl describe pod testrun-pod-mw9bt

查看容器的日志信息来了解任务的执行结果信息
kubectl logs testrun-pod-mw9bt --all-containers

创建CICD流水线

• 一款功能强大而灵活的 CI/CD 开源的云原生框架

• Tekton 的前身是 Knative 项目的 build-pipeline 项目，这个项目是为了给 build 模块增加 pipeline 的功能，但是随着不同的功能加入到 Knative build 模块中，build 模块越来越变得像一个通用的 CI/CD 系统，于是，索性将 build-pipeline 剥离出 Knative，就变成了现在的 Tekton，而 Tekton 也从此致力于提供全功能、标准化的云原生 CI/CD 解决方案

• 创建一个构建流水线，在流水线中将运行应用程序的单元测试、构建 Docker 镜像然后推送到 Docker Hub

• 准备：可用的K8S集群，tekton安装

  setup

  kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.14.2/release.yaml
  
  brew install tektoncd-cli
  
  kubectl apply --filename https://storage.googleapis.com/knative-releases/serving/latest/istio.yaml
  
  kubectl label namespace default istio-injection=enabled
  
  kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
  

---

基础概念

• Task
  • 任务执行模板
  • 包含step（负责基于镜像启动container来执行操作，每个step由一个pod执行）
• TaskRun
  • 运行task，创建taskrun则运行task
  • 传入task所需参数
• Pipeline
  • 编排task
• PipelineRun
  • 运行PP，创建即运行
• PipelineResource
  • 用于task间共享资源
  • 可以把GIT仓库信息放在resource中
• Tekton 本身是 Kubernetes 原生的编排系统。所以可以直接使用 Kubernetes 的 ServiceAccount 机制实现鉴权

这五个概念每一个都是以 CRD 的形式提供服务的

实例2

• Tekton 作为 Knative Build 模块的升级版，提供了更丰富的功能，可以适用更多的场景

Docker Hub配置

• 为了能够build Docker 镜像，一般需要使用 Docker 来进行，我们这里是容器，所以可以使用 Docker In Docker 模式，但是这种模式安全性不高
• 除了这种方式之外，我们还可以使用 Google 推出的 Kaniko 工具来进行构建，该工具可以在 Kubernetes 集群中构建 Docker 镜像而无需依赖 Docker 守护进程。
• 使用 Kaniko 构建镜像和 Docker 命令基本上一致，所以我们可以提前设置下 Docker Hub 的登录凭证，方便后续将镜像推送到镜像仓库。登录凭证可以保存到 Kubernetes 的 Secret 资源对象中，创建一个名为 secret.yaml 的文件
  • 注解信息是用来告诉 Tekton 这些认证信息所属的 Docker 镜像仓库

RBAC

• icepanel，可以用来快速创建和可视化我们的 Kubernetes 微服务应用程序

workspaces

工作空间是一种为执行中的管道及其任务提供可用的共享卷的方法。

在pipeline中定义worksapce作为共享卷传递个相关的task。在tekton中定义workspace的用途有以下几点：

• 存储输入和/或输出
• 在task之间共享数据
• secret认证的挂载点
• ConfigMap中保存的配置的挂载点
• 组织共享的常用工具的挂载点
• 高速缓存的构建工件可加快工作速度，简而言之，用于缓存构建时的包,例如作为Maven仓库存储

results

piple中可以使用task的运行结果作为其他Task的输入，即task可在执行过程中生成一些result,这些result可用作pipeline后续task中的参数值,此外Tekton将根据输入参数来推断tasks的执行顺序，以确保生成result的task在那些消耗其结果的task之前运行。

Eventlistener

• k8s custome resource
• process incoming HTTP based events with JSON payloads
• EventListeners expose an addressable “Sink” to which incoming events are directed. (?)
• Users can declare TriggerBindings to extract fields from events, and apply them to TriggerTemplates in order to create Tekton resources.
• In addition, EventListeners allow lightweight event processing using Event Interceptors.

syntax

• define a configuration file for an EventListener resource