Tekton is a powerful and flexible Kubernetes-native open source framework for creating continuous integration and delivery (CI/CD) systems. By abstracting away the underlying implementation details, it lets users build, test and deploy across multiple cloud platforms and on-premises systems.
This article records the practical process of deploying Tekton Pipeline on Alibaba Cloud Kubernetes Service and using it to pull source code, package the application, push the image and deploy the application.
Tekton Pipeline has 5 kinds of objects. The core idea is to describe the build process in YAML; the state of a build task is stored in its status field.
The 5 kinds of objects are PipelineResource, Task, TaskRun, Pipeline and PipelineRun.
A Task is the build process of a single job; a TaskRun must be defined to run a Task.
A Pipeline contains multiple Tasks and, on top of them, defines inputs and outputs; inputs and outputs are delivered as PipelineResources.
A PipelineResource is the set of objects that can be used as inputs and outputs.
Likewise, a PipelineRun must be defined for a Pipeline to run.
1. Deploy Tekton Pipeline in the Alibaba Cloud Kubernetes cluster
kubectl apply --filename https://storage.googleapis.com/tekton-releases/latest/release.yaml
Check that the Tekton Pipelines components are running normally:
$ kubectl -n tekton-pipelines get po
NAME                                           READY   STATUS    RESTARTS   AGE
tekton-pipelines-controller-6bcd7ff5d6-vzmrh   1/1     Running   0          25h
tekton-pipelines-webhook-6856cf9c47-l6nj6      1/1     Running   0          25h
2. Create the Git Resource and the Registry Resource
Edit git-pipeline-resource.yaml:
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: git-pipeline-resource
spec:
  type: git
  params:
    - name: revision
      value: tekton
    - name: url
      value: https://code.aliyun.com/haoshuwei/jenkins-demo.git
The branch of the git repo is tekton.
Edit registry-pipeline-resource.yaml:
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: registry-pipeline-resource
spec:
  type: image
  params:
    - name: url
      value: registry.cn-hangzhou.aliyuncs.com/haoshuwei/tekton-demo
The container image repository is registry.cn-hangzhou.aliyuncs.com/haoshuwei/tekton-demo, with the tag latest.
Create the pipeline resources:
$ kubectl -n tekton-pipelines create -f git-pipeline-resource.yaml
$ kubectl -n tekton-pipelines create -f registry-pipeline-resource.yaml
List the created pipeline resources:
$ kubectl -n tekton-pipelines get PipelineResource
NAME                         AGE
git-pipeline-resource        2h
registry-pipeline-resource   2h
3. Create Git Repo / Docker Registry Authentication
Pulling source from a private git project requires Git Repo Authentication; pulling and pushing docker images requires Docker Registry Authentication. In Tekton Pipeline, Git Repo / Docker Registry Authentication is attached to a ServiceAccount, which the run then uses.
Edit the secret tekton-basic-user-pass-git.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: tekton-basic-user-pass-git
  annotations:
    tekton.dev/git-0: https://code.aliyun.com
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext non-encoded>
  password: <cleartext non-encoded>
Edit the secret tekton-basic-user-pass-registry.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: tekton-basic-user-pass-registry
  annotations:
    tekton.dev/docker-0: https://registry.cn-hangzhou.aliyuncs.com
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext non-encoded>
  password: <cleartext non-encoded>
Edit the serviceaccount tekton-git-and-registry.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-git-and-registry
secrets:
  - name: tekton-basic-user-pass-git
  - name: tekton-basic-user-pass-registry
Create the secrets and the serviceaccount:
$ kubectl -n tekton-pipelines create -f tekton-basic-user-pass-git.yaml
$ kubectl -n tekton-pipelines create -f tekton-basic-user-pass-registry.yaml
$ kubectl -n tekton-pipelines create -f tekton-git-and-registry.yaml
Check the secrets and the sa:
$ kubectl -n tekton-pipelines get secret
NAME                                      TYPE                                  DATA   AGE
default-token-pwncj                       kubernetes.io/service-account-token   3      25h
tekton-basic-user-pass-git                kubernetes.io/basic-auth              2      151m
tekton-basic-user-pass-registry           kubernetes.io/basic-auth              2      151m
tekton-git-and-registry-token-tr95m       kubernetes.io/service-account-token   3      151m
tekton-pipelines-controller-token-lc2fv   kubernetes.io/service-account-token   3      25h
webhook-certs                             Opaque                                3      25h
$ kubectl -n tekton-pipelines get sa
NAME                          SECRETS   AGE
default                       1         25h
tekton-git-and-registry       3         152m
tekton-pipelines-controller   1         25h
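Tekton's credential initializer only hands a Secret to a step when the Secret's tekton.dev/git-N or tekton.dev/docker-N annotation names the host of the resource being fetched or pushed; a host with no matching annotated Secret on the ServiceAccount is accessed anonymously. The checker below is an added example, not code from the original post: it takes the JSON shape that kubectl get ... -o json returns (the sample is constructed to mirror the manifests above, with secret data omitted) and reports every PipelineResource whose host is not covered by a Secret attached to the given ServiceAccount.

```python
import json
from urllib.parse import urlparse

# Constructed sample mirroring the manifests above, shaped like the items of
# `kubectl get pipelineresource,secret,sa -o json` (secret data omitted).
SAMPLE = json.dumps({"items": [
    {"kind": "PipelineResource", "metadata": {"name": "git-pipeline-resource"},
     "spec": {"type": "git", "params": [
         {"name": "url", "value": "https://code.aliyun.com/haoshuwei/jenkins-demo.git"}]}},
    {"kind": "PipelineResource", "metadata": {"name": "registry-pipeline-resource"},
     "spec": {"type": "image", "params": [
         {"name": "url", "value": "registry.cn-hangzhou.aliyuncs.com/haoshuwei/tekton-demo"}]}},
    {"kind": "Secret", "metadata": {"name": "tekton-basic-user-pass-git",
     "annotations": {"tekton.dev/git-0": "https://code.aliyun.com"}}},
    {"kind": "Secret", "metadata": {"name": "tekton-basic-user-pass-registry",
     "annotations": {"tekton.dev/docker-0": "https://registry.cn-hangzhou.aliyuncs.com"}}},
    {"kind": "ServiceAccount", "metadata": {"name": "tekton-git-and-registry"},
     "secrets": [{"name": "tekton-basic-user-pass-git"},
                 {"name": "tekton-basic-user-pass-registry"}]},
]})

# Annotation prefix the credential initializer uses for each resource type.
ANNOTATION_PREFIX = {"git": "tekton.dev/git-", "image": "tekton.dev/docker-"}

def host_of(url):
    """Hostname of a git URL, or of an image reference (no scheme: first segment)."""
    return urlparse(url).hostname if "://" in url else url.split("/")[0]

def uncovered_resources(items_json, sa_name):
    """Names of PipelineResources whose host no Secret attached to sa_name covers."""
    items = json.loads(items_json)["items"]
    sa = next(i for i in items if i["kind"] == "ServiceAccount"
              and i["metadata"]["name"] == sa_name)
    attached = {s["name"] for s in sa.get("secrets", [])}
    covered = {"git": set(), "image": set()}
    for sec in items:
        if sec["kind"] != "Secret" or sec["metadata"]["name"] not in attached:
            continue  # a Secret not listed on the ServiceAccount is never mounted
        for key, value in sec["metadata"].get("annotations", {}).items():
            for rtype, prefix in ANNOTATION_PREFIX.items():
                if key.startswith(prefix):
                    covered[rtype].add(host_of(value))
    missing = []
    for res in (i for i in items if i["kind"] == "PipelineResource"):
        rtype = res["spec"]["type"]
        url = next(p["value"] for p in res["spec"]["params"] if p["name"] == "url")
        if rtype in covered and host_of(url) not in covered[rtype]:
            missing.append(res["metadata"]["name"])
    return missing
```

Run it against real cluster output with `uncovered_resources(open("items.json").read(), "tekton-git-and-registry")` after saving the kubectl JSON; an empty list means every git and image resource has credentials wired to it.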
4. Give the serviceaccount tekton-git-and-registry admin rights on the tekton-pipelines namespace so that it can deploy the application
Create the ClusterRoleBinding tekton-cluster-admin:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-cluster-admin
subjects:
  - kind: ServiceAccount
    name: tekton-git-and-registry
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
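A ClusterRoleBinding to cluster-admin is cluster-wide, not limited to the tekton-pipelines namespace, so every step that runs under this ServiceAccount (mvn, kaniko and kubectl alike) holds full control of the cluster. The script below is an added example, not code from the original post: it audits `kubectl get clusterrolebinding -o json` output (sample constructed from the binding above) for ServiceAccounts bound to cluster-admin, and builds a namespace-scoped Role and RoleBinding that grant only what the deploy-app step needs to apply the Deployment and Service seen in section 7. The role name tekton-app-deployer is a hypothetical choice.

```python
import json

# Constructed sample mirroring the ClusterRoleBinding above, shaped like the
# output of `kubectl get clusterrolebinding -o json`.
SAMPLE_CRB = json.dumps({"items": [{
    "kind": "ClusterRoleBinding", "metadata": {"name": "tekton-cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "tekton-git-and-registry",
                  "namespace": "tekton-pipelines"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                "apiGroup": "rbac.authorization.k8s.io"}}]})

def cluster_admin_service_accounts(bindings_json):
    """(namespace, name, binding) for each ServiceAccount bound cluster-wide to cluster-admin."""
    found = []
    for crb in json.loads(bindings_json)["items"]:
        ref = crb["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] != "cluster-admin":
            continue
        for subject in crb.get("subjects") or []:
            if subject["kind"] == "ServiceAccount":
                found.append((subject["namespace"], subject["name"], crb["metadata"]["name"]))
    return found

def namespaced_deployer_rbac(sa_name, namespace, role_name="tekton-app-deployer"):
    """Role + RoleBinding (hypothetical role name) granting only the verbs that
    `kubectl apply -f deployment.yaml` needs for a Deployment and a Service
    inside `namespace`; no delete, no other resources, nothing cluster-wide."""
    verbs = ["get", "list", "create", "patch", "update"]
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": role_name, "namespace": namespace},
            "rules": [  # the page's log shows deployment.extensions, so allow both groups
                {"apiGroups": ["apps", "extensions"], "resources": ["deployments"], "verbs": verbs},
                {"apiGroups": [""], "resources": ["services"], "verbs": verbs}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": role_name, "namespace": namespace},
               "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name}}
    return {"apiVersion": "v1", "kind": "List", "items": [role, binding]}

if __name__ == "__main__":
    for ns, name, crb in cluster_admin_service_accounts(SAMPLE_CRB):
        print(f"{crb}: ServiceAccount {ns}/{name} is cluster-admin")
    print(json.dumps(namespaced_deployer_rbac("tekton-git-and-registry", "tekton-pipelines")))
```

Pipe the printed List into `kubectl apply -f -`, re-run the TaskRun to confirm the deploy-app step still succeeds, then delete the tekton-cluster-admin ClusterRoleBinding.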
5. Create a Task
Create the task build-app.yaml:
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-app
spec:
  inputs:
    resources:
      - name: java-demo
        type: git
    params:
      - name: pathToDockerFile
        description: The path to the dockerfile to build
        default: /workspace/java-demo/Dockerfile
      - name: pathToContext
        description: The build context used by Kaniko
        default: /workspace/java-demo
      - name: pathToYaml
        description: The path to the manifest to apply
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-mvn-package
      image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-maven:3.3.9-jdk-8-alpine
      workingDir: /workspace/java-demo
      command:
        - mvn
      args:
        - package
        - -B
        - -DskipTests
    - name: build-docker-image
      image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-kaniko:0.6.0
      command:
        - kaniko
      args:
        - --dockerfile=${inputs.params.pathToDockerFile}
        - --destination=${outputs.resources.builtImage.url}
        - --context=${inputs.params.pathToContext}
    - name: deploy-app
      image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-kubectl:1.11.5
      command:
        - kubectl
      args:
        - apply
        - -f
        - ${inputs.params.pathToYaml}
6. Create a TaskRun to run the task
Create the taskrun build-app-task-run.yaml:
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-app-task-run
spec:
  serviceAccount: tekton-git-and-registry
  taskRef:
    name: build-app
  trigger:
    type: manual
  inputs:
    resources:
      - name: java-demo
        resourceRef:
          name: git-pipeline-resource
    params:
      - name: pathToDockerFile
        value: Dockerfile
      - name: pathToContext
        value: /workspace/java-demo
      - name: pathToYaml
        value: /workspace/java-demo/deployment.yaml
  outputs:
    resources:
      - name: builtImage
        resourceRef:
          name: registry-pipeline-resource
7. Check the build status and logs
Check the taskrun status:
$ kubectl -n tekton-pipelines get taskrun
NAME                 SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
build-app-task-run   Unknown     Pending   4s
View the build logs. The TaskRun pod holds one container per step, so kubectl logs needs a container name:
$ kubectl -n tekton-pipelines get po
NAME                                           READY   STATUS    RESTARTS   AGE
build-app-task-run-pod-b8f890                  3/5     Running   0          75s
tekton-pipelines-controller-6bcd7ff5d6-vzmrh   1/1     Running   0          25h
tekton-pipelines-webhook-6856cf9c47-l6nj6      1/1     Running   0          25h
$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890
Error from server (BadRequest): a container name must be specified for pod build-app-task-run-pod-b8f890, choose one of: [build-step-git-source-git-pipeline-resource-77l5v build-step-build-mvn-package build-step-build-docker-image build-step-deploy-app nop] or one of the init containers: [build-step-credential-initializer-8dsnm build-step-place-tools]
Logs of the mvn build:
$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890 -c build-step-build-mvn-package
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building jenkins-demo-web 1.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-resources-plugin/2.6/maven-resources-plugin-2.6.pom
[INFO] Downloaded: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-resources-plugin/2.6/maven-resources-plugin-2.6.pom (8 KB at 7.3 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-plugins/23/maven-plugins-23.pom
[INFO] Downloaded: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-plugins/23/maven-plugins-23.pom (9 KB at 26.7 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/22/maven-parent-22.pom
[INFO] Downloaded: https://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/22/maven-parent-22.pom (30 KB at 61.3 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org/maven2/org/apache/apache/11/apache-11.pom
[INFO] Downloaded: https://repo.maven.apache.org/maven2/org/apache/apache/11/apache-11.pom (15 KB at 45.3 KB/sec)
....
Logs of the docker build:
$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890 -c build-step-build-docker-image
INFO[0000] Downloading base image tomcat
2019/05/06 11:58:46 No matching credentials were found, falling back on anonymous
INFO[0003] Taking snapshot of full filesystem...
INFO[0003] Skipping paths under /builder/home, as it is a whitelisted directory
INFO[0003] Skipping paths under /builder/tools, as it is a whitelisted directory
INFO[0003] Skipping paths under /dev, as it is a whitelisted directory
INFO[0003] Skipping paths under /kaniko, as it is a whitelisted directory
INFO[0003] Skipping paths under /proc, as it is a whitelisted directory
INFO[0003] Skipping paths under /run/secrets/kubernetes.io/serviceaccount, as it is a whitelisted directory
INFO[0003] Skipping paths under /sys, as it is a whitelisted directory
INFO[0003] Skipping paths under /var/run, as it is a whitelisted directory
INFO[0003] Skipping paths under /workspace, as it is a whitelisted directory
INFO[0003] Using files from context: [/workspace/java-demo/target/demo.war]
INFO[0003] ADD target/demo.war /usr/local/tomcat/webapps/demo.war
INFO[0003] Taking snapshot of files...
...
Logs of app-deploy:
$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-637855 -c build-step-deploy-app
deployment.extensions/jenkins-java-demo created
service/jenkins-java-demo created
When the taskrun's SUCCEEDED column shows True, the build and deployment have completed:
$ kubectl -n tekton-pipelines get taskrun
NAME                 SUCCEEDED   REASON   STARTTIME   COMPLETIONTIME
build-app-task-run   True                 4m          2m
8. Summary
Task templates in Tekton Pipeline can be reused rather than redefined each time, and redefining CI/CD through CRDs is a real highlight, although beginners may find it a little roundabout.
Experiments are continuing and this post will keep being updated.
Author: 流生
This article is original content from the Yunqi Community and may not be reproduced without permission.