标签:git name source clone tekton fetch
tekton
1、概念
1.1 组件
1.1.1 pipline
使用k8s crd 来定义一个基础组件块,用来组件cicd
1.1.2 trigger
触发器,根据事件来触发cicd
1.1.3 CLI
交互式命令,与tekton进行交互
1.1.4 dashboard
一个图形化的界面,显示cicd
1.1.5 catalog
cicd的一个仓库
1.1.6 hub
访问catalog的一个web界面
1.1.7 Operator
基于k8s的自定义控制器,控制tekton
1.1.8 chain
生成,存储和签名的工具,使用pipeline的组件
# 工作原理
Tekton Chains的工作原理是部署一个在后台运行并监视TaskRun的控制器。当Tekton Pipelines执行您的任务时,Tekton Chains会监视操作,一旦操作成功完成,Chains控制器就会生成所生产工件的来源
记录了任务的输入:源存储库、分支、其他工件;以及输出:容器镜像、包等。这些信息作为元数据记录并签名。您可以将密钥存储在Kubernetes secrets中,或使用支持的密钥管理系统(GCP、AWS、Azure或Vault)对出处进行签名。然后,您可以将出处上传到指定的位置
1.2 使用
1.2.1 cli
1.2.2 kubectl cli
1.2.3 api
1.3 模型
1.3.1 step
# 步骤
pipeline中的每一步操作称之为步骤
1.3.2 task
# 任务
按顺序执行的一些列步骤的集合,task的执行依赖于pod
1.3.3 pipelines
按顺序执行的task的集合,定义了如何执行
1.3.4 taskrun
可以自定义task的运行方式时间
1.3.5 pipelinerun
同taskrun,定义了执行所需要的参数及所用的sectet等类似于模版与实例的关系
1.4 工作原理
通过对step容器注入一个二进制文件来执行我们预定的命令
使用Kubernetes Annotations跟踪cicd的状态。这些注释通过Kubernetes Downward API以文件的形式投影在每个step容器中。二进制文件密切监视投射的文件,并且只有在特定注释显示为文件时才会启动所提供的命令。
例如,当您要求Tekton在一个任务中连续运行两个步骤时,注入到第二个步骤容器中的二进制文件将空闲等待,直到注释报告第一个步骤容器已成功完成
Tekton Pipelines安排一些容器在步骤容器前后自动运行,以支持特定的内置功能,例如检索输入资源和将输出上传到blob存储解决方案。您还可以通过taskRuns和pipelineRuns跟踪它们的运行状态。在运行步骤容器之前,系统还执行许多其他操作来设置环境
2、安装
镜像配置
本节使用镜像可以使用或到docker hub仓库搜索
docker pull anjia0532/tekton-releases.github.com.tektoncd.$产品.cmd.$产品:v0.39.0
docker pull anjia0532/tekton-releases.github.com.tektoncd.dashboard.cmd.dashboard:v0.39.0
2.1 pipeline
2.1.1 安装
# 下载yaml
curl -Lfs -o tektoncd-pipeline.yaml https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# 下载镜像并将其上传到自己的docker仓库
# 替换镜像为自己的docker仓库
sed -ir 's#gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/#quanheng.com/k8s/#g' *.yamls
# 安装
kubectl apply -f xx.yaml
2.1.2 task测试
# 运行task
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: hello-task-run
spec:
taskRef:
name: hello
apiVersion: tekton.dev/v1beta1
# 定义一个task
---
kind: Task
metadata:
name: hello
spec:
steps:
- name: echo
image: quanheng.com/k8s/alpine:v2
script: |
#!/bin/sh
echo "Hello World"
# 查看pod和taskrun
(base) gu@python:~/k8s/yaml/tekton/task$ kubectl get pod
NAME READY STATUS RESTARTS AGE
hello-task-run-pod 0/1 Completed 0 2m17s
nfs-client-provisioner-5967bfdf67-nmbx2 1/1 Running 24 (23m ago) 3d17h
(base) gu@python:~/k8s/yaml/tekton/task$ kubectl get taskruns.tekton.dev
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
hello-task-run True Succeeded 5m25s 2m24s
(base) gu@python:~/k8s/tekton/pipeline-main/yaml$ kubectl logs hello-task-run-pod
Defaulted container "step-echo" out of: step-echo, prepare (init), place-scripts (init)
Hello World
2.1.3 pipeline测试
2.1.3.1 安装cli
# 下载cli包
https://github.com/tektoncd/cli
# 解压并安装
unzip cli && cd cli && make amd64
# 做软连接
ln -sv /home/gu/k8s/tekton/cli-main/bin/tkn-linux-amd64 /usr/bin/tkn
# 将其作为kubectl plugin
ln -sv /home/gu/k8s/tekton/cli-main/bin/tkn-linux-amd64 /usr/bin/kubectl-tkn
2.1.3.2 测试
# 创建第二个task
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: goodbye
spec:
params: # 指定必须传入一个字符串变量名称为username
- name: username
type: string
steps:
- name: goodbye
image: quanheng.com/k8s/ubuntu:2
script: |
#!/bin/bash
echo "Goodbye $(params.username)!"
# 创建pipeline
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: hello-goodbye
spec:
params: # 指定必须传入一个字符串变量名称为username
- name: username
type: string
tasks:
- name: hello
taskRef:
name: hello
- name: goodbye
runAfter:
- hello
taskRef:
name: goodbye
params:
- name: username
value: $(params.username)
# 创建pipelinerun
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: hello-goodbye-run
spec:
pipelineRef:
name: hello-goodbye
params: #传入变量
- name: username
value: "Tekton"
# 验证
(base) gu@python:~/k8s/yaml/tekton/pipelines$ tkn pipelinerun logs hello-goodbye-run -f -n default
[hello : echo] Hello World
[goodbye : goodbye] Goodbye Tekton!
2.2 trigger
2.2.1 安装
# 下载
curl -LO https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml
curl -LO https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# 替换文件镜像
sed -ir 's#gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/#quanheng.com/k8s/#g' *.yamls
# 安装
kubectl apply -f release.yaml
kubectl apply -f interceptors.yaml
2.2.2 工作模型
# Event Listener
一个等待事件发生的监听器
# Trigger Template(k8s API)
当配置的事件发生时创建一个pipelinerun
# Trigger Binding
将数据传递给template,然后根据给定参数创建pipelinerun
# Cluster Interceptor
可以添加一个可选对象来验证和处理事件数据
# 在一个pod中运行一个可以创建pipelinerun的模版对象,当监听的事件发生时触发创建事件将数据传递给模版来创建pipelinerun
2.2.3 测试
# 创建一个template
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: hello-template
spec:
params: # 传递一个变量
- name: username
default: "Kubernetes"
resourcetemplates: # 资源模版
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun # 创建一个pipelinerun
metadata:
generateName: hello-goodbye-run-
spec:
pipelineRef: # 引用哪个pipeline
name: hello-goodbye
params: # 使用变量
- name: username
value: $(tt.params.username) # tt=TriggerTemplate
# 创建binding(模版使用的数据)
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: hello-binding
spec:
params:
- name: username
value: $(body.username) # 接收到的变化,将其传递给template
# 创建一个事件监听器
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: hello-listener
spec:
serviceAccountName: tekton-robot # 指定sa
triggers: # 指定binding数据和模版template
- name: hello-trigger
bindings:
- ref: hello-binding
template:
ref: hello-template
# 定义使用的sa
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-robot
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: triggers-example-eventlistener-binding
subjects:
- kind: ServiceAccount
name: tekton-robot
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-eventlistener-roles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: triggers-example-eventlistener-clusterbinding
subjects:
- kind: ServiceAccount
name: tekton-robot
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-eventlistener-clusterroles
# 运行触发器
kubectl apply -f ./
# 提交一个有效负载
curl -v -H 'content-Type: application/json' -d '{"username": "guquanheng"}' 10.173.200.93:8080
{"eventListener":"hello-listener","namespace":"default","eventListenerUID":"30e562fd-d1c5-4980-a9e6-7872937cec0f","eventID":"85380be6-def2-4527-b150-cbad2e80aec8"}
# 查看触发的负载
(base) gu@python:~/k8s/yaml/tekton/trigger$ kubectl get pipelineruns
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
hello-goodbye-run True Succeeded 63m 62m
hello-goodbye-run-v25g4 True Succeeded 2m20s 2m5s
# 检查管道运行日志。名称是自动生成的
(base) gu@python:~/k8s/yaml/tekton/trigger$ tkn pipelinerun logs hello-goodbye-run-v25g4
[hello : echo] Hello World
[goodbye : goodbye] Goodbye guquanheng!
2.3 dashboard
2.3.1 安装
# 下载安装文件
curl -LO https://storage.googleapis.com/tekton-releases/dashboard/latest/release-full.yaml
# 更改镜像为自己镜像
sed -ir 's#gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/#quanheng.com/k8s/#g' *.yamls
# 使用istio进行服务暴露
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: tekton-dashboard-vs
namespace: tekton-pipelines
spec:
gateways:
- istio-system/kiali-gateway
hosts:
- '*'
http:
- match:
- port: 18686
route:
- destination:
host: tekton-dashboard
port:
number: 9097
2.3.2 测试
3、使用
3.1 从git仓库拉取代码
# 创建一个pipeline
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: clone-read
spec:
description: |
This pipeline clones a git repo, then echoes the README file to the stout.
params: # 添加一个参数来表示git仓库
- name: repo-url
type: string
description: The git repo URL to clone from.
workspaces: # 添加一个工作区用来存储代码
- name: shared-data
description: |
This workspace contains the cloned repo files, so they can be read by the next task.
- name: git-credentials # 存储ssh秘钥
description: My ssh credentials
tasks: # 使用上述参数来定义一个task
- name: fetch-source # colne 仓库
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
- name: ssh-directory
workspace: git-credentials
params:
- name: url
value: $(params.repo-url)
- name: show-readme # clone后查看README.md
runAfter: ["fetch-source"] # 定义在clone后执行
taskRef: # 引用哪个task
name: show-readme
workspaces: # 使用哪个工作区
- name: source
workspace: shared-data
---
# 创建一个pipelinerun(实例化上面pipeline定义的参数)
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: clone-read-run-
spec:
pipelineRef:
name: clone-read
podTemplate:
securityContext:
fsGroup: 65532
workspaces: # 实例化工作区,使用一个pvc来存储代码,
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: nfs # 指定一个类来实现pvc
- name: git-credentials # 指定git仓库的secret
secret:
secretName: git-credentials
params: # 设置git仓库url
- name: repo-url
value: git@172.31.3.155:guquanheng/argo.git
# 创建一个secret用来访问git私有仓库
# config格式
Host 172.31.3.155
Hostname 172.31.3.155
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa
---
apiVersion: v1
kind: Secret
metadata:
name: git-credentials
type: kubernetes.io/ssh-auth
data:
id_rsa: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFZRUFuQ21mazNYOFhseVJZaFNZdExGM2U3cWkwS1M5dlJEaTY1d1Y3QUovSzFnWFlDOHZyK2RzCjg3ZDVndU5YdFcrQndkbzJCNjRTVjZINW9XdFhlS0FNakRadU12am1lcW9UZndVa2c1U2kvRzN4c28wNlhYalhiTUJqYjkKVkMwdzA5NllwbUJNWjFqNDBhSUFHRGFub3N0eWdkUWRjeHpCVCt5NnFuSFIwLzJ4MmplL1N3NkpkOE5DYzVkZERCa1R5SQpHcTJRb2x0ZlVqNG5yUUlhRzVGVGl1STZqMW1JN0llL2JERGZKbzNrY1U1dUtTanVNVjB0d0lhNzhsM2V5UDhveFcvSG5aCmZNdHhka2ZRakMrdTkzdnJtWGhMdW84bFQ2NC9XOVlrLzhHOGdtS25vS3AyTC9jbmIrZFNnZkZ3OEZ6eEZTSjM5dWdRSTMKdWdwR0I1SVZTeDV1SmQwZEJqZmJ5SkdIaGEwU0ZHL21FbTdGa0E1cFBGVGxOTFZjMG9XQm50OG5WanozbGxKUUVTTlNQMgpPb0tlSUhpa0RPUnN5Y3F0eUdJK3cwVFJLUDh0YWpLdWZKUjZVWlRFRktyVVZYSUg3bnE5L3huTUxyeFI3ZHVpQjVkbWY4CjhqdVpxc2NHaEdlL0NqY1VaeE4vd29HR2kxQXV0N0w5US85NXBab25BQUFGZ0F3T2tCY01EcEFYQUFBQUIzTnphQzF5YzIKRUFBQUdCQUp3cG41TjEvRjVja1dJVW1MU3hkM3U2b3RDa3ZiMFE0dXVjRmV3Q2Z5dFlGMkF2TDYvbmJQTzNlWUxqVjdWdgpnY0hhTmdldUVsZWgrYUZyVjNpZ0RJdzJiakw0NW5xcUUzOEZKSU9Vb3Z4dDhiS05PbDE0MTJ6QVkyL1ZRdE1OUGVtS1pnClRHZFkrTkdpQUJnMnA2TExjb0hVSFhNY3dVL3N1cXB4MGRQOXNkbzN2MHNPaVhmRFFuT1hYUXdaRThpQnF0a0tKYlgxSSsKSjYwQ0dodVJVNHJpT285WmlPeUh2Mnd3M3lhTjVIRk9iaWtvN2pGZExjQ0d1L0pkM3NqL0tNVnZ4NTJYekxjWFpIMEl3dgpydmQ3NjVsNFM3cVBKVSt1UDF2V0pQL0J2SUppcDZDcWRpLzNKMi9uVW9IeGNQQmM4UlVpZC9ib0VDTjdvS1JnZVNGVXNlCmJpWGRIUVkzMjhpUmg0V3RFaFJ2NWhKdXhaQU9hVHhVNVRTMVhOS0ZnWjdmSjFZODk1WlNVQkVqVWo5anFDbmlCNHBBemsKYk1uS3JjaGlQc05FMFNqL0xXb3lybnlVZWxHVXhCU3ExRlZ5Qis1NnZmOFp6QzY4VWUzYm9nZVhabi9QSTdtYXJIQm9Sbgp2d28zRkdjVGY4S0Job3RRTHJleS9VUC9lYVdhSndBQUFBTUJBQUVBQUFHQU94QVhGYnV6SnJGV0gwVncrQzZDNVY0U2hGCjA2a2c2WDlNckZFODFoOGEvUXI0VkpRUHVEbnE0UEhDMEdHRTVEUW1GWXZCRGZTUnV2QVpsS3JRbkRsU2hsQjR4U0I2VFoKMk5uR0ZLb2I5dU5TWGRqQ2NXWHAvR3pMYnhtMnU0SXZuMnZENkJ4empFYXUwZG9nclIzbVdhT25aU2FSNUFFdzJURURJYQpUVmFQZE54TzBvRitCcmpvSWpYbWNGUHZ3bzhnWWhSUGJRRjVnQWc1UGU4ZnhHSDZvdXdkYjRUWldPRmNwcUsvZlFwZlltCi9oUkgrbzJtWjBIT1JmMnc3RTVzc3FJZHFIRE4wVGgvbW5LTEc1MEVBRUsraGVJTmloMWxNaU4xR0ZNZFpDZTBXQ1ZpNEwKWXdlWTAyZ1E1a29FYXV3TXM5RTlTcHVuTTk5QXFPL3lwQmw5a3FyT0M4NHRSejZSbzYyOUF1aUVjbkhXQ1JXMUI5MDA5SgpQamZDT0JYdTBmL1hEcnhaSzRlNVdkZ0tWM2VPRlFXTC9jK2tBYjNVWkRYRFBmMWlsL05ETWpsYUlKYWpVVWhrOTl3dUcyCi9lblhXQ2NFdkNoS0ZqN096NWwya2F0NHVmU2ZtbjAremhOWklzMUhXT0E1KzRzSkN4dkxPNWcvdVRGampZQzY3UkFBQUEKd1FDSmdNUXp4QjBvUTE2NGZObS9MRzVaV3dBb3FTb3hnSDI2d05xUXQxY3phQ2VDSmQwNExlaDViMUxTQzRIQTBxSjV4aAp4RDZ3ZVk3K2pEUSt1N1dXSEFhMmM2MWh1ZGFjSFByTEVnRFRZRHBBNnhxZnF5ZTdhVVFIckpYWkEwUWU3RHpYd2FCeGkwClhMc21Xd1NUTVRySXpqbjZuU0hWaFI1bGJwRkJCNDFEUkdEZDkrc2d4Ni9FR2Q1dkE1T3FKcWs2bGpnQThPRlM1VXFYQW8Kc1FTbTJEbWlQQTBKL21uSTNYdEozdkpjcElKQ3BnODNLWHFDUm9EQTYzTWMxS1ZOQUFBQURCQU5YTmpxTnA5QXFGRWZGWQplTGVaSVNYTEJNZ0JtaTkzYXB3Tm1BVDUySkI0eWN5RnlRSm53dlRYR0NtbURFb0V6R2xISTlVVDUwUzhlVkgxWmlqS25TCnZZVEsyODQ0U3MrdFRCRkdFaGFoVXkrdXhhci9veUJCSHhHS1VsMGc1RVEyK0tnVnROZ3drUFViMWM1dkxtbnNWdVEwbVYKUGtRb2sramgrbi9uZ25IY2J0VjZ2MnpuYlg1NXppMVkrZnhRUjRKNXZCa0VVMlFnRXpLWlBwQWxKdTFzeVdHS1dhMjNyQQpLdVI1ZVpBbmswMjhjdFpNQmwrc0Zza092UGFuMGNid0FBQU1FQXV2dkdDcVhBY2NLOTdTY0QxYmJ6UjlHSWVad0tSdkRICjRaeVMxL1ZtUXA3ZThnVGZ1VVowQWFGREpyTS9rTjJvbXNNYmk0RnE5Mi9JN1lqYmc4R0YxaTlxQUpYYzZPR0RPdjVMMEQKVHJEVXd3aVgwYUpDbGVSMlBES3R6Yy9ValRHdDAwV3lMdVZKZlVMdVBIbXV1WG1sajNIK2M2cjlKL25LUXk0bXlHd1ExWAp0QlI5RW55Z1BaYll1YWtlV0tIcmpHdUZqWnYxVFlmVklUN2IrMGdjRnVwV1o5c25GT3V3aU1aSGpONEVIbW43ak1OMFR5Cmo1YW1ieUF2RHhLNm5KQUFBQUNXZDFRSEI1ZEdodmJnRT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==
known_hosts: CnwxfFlESjAzUVJhNVVZS3dFbUYvZ0FOTjl5YWxTZz18NC9XVzQxRTAwa3BwN2JXbmJrbWo3U2xYRTVFPSBzc2gtZWQyNTUxOSBBQUFBQzNOemFDMWxaREkxTlRFNUFBQUFJTG9sRlcrU3RIdkQ4MGhEQldyS3hKWXdlL2h0MGE5Qnppa1FuYVJhUGZqWQp8MXxtK1NrOXBkK1p0K3QrK2NlRU4raFBMY0N6aUU9fDZWUHVMVVgxZDRsNGNvbktvN1dlL0IzazVFbz0gZWNkc2Etc2hhMi1uaXN0cDI1NiBBQUFBRTJWalpITmhMWE5vWVRJdGJtbHpkSEF5TlRZQUFBQUlibWx6ZEhBeU5UWUFBQUJCQkZxcU82S3MyWmR2K0tXNGNMc0p1bEQ0QmpsajFDdnNScmtmanNqQkkrQkZXWDd4THpCZVNJM0pFT1BPYjFjbHlrUmRKMW1Gekt0a0JRNHBDTGRidVRJPQp8MXw0dW12TDAzeEZmL1c5Z1pNV3RXQTVVZGJ6dDg9fG1CLzUydVNUVnArdWNsQ2RvanFpMXpwRWMzMD0gc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUxvbEZXK1N0SHZEODBoREJXckt4Sll3ZS9odDBhOUJ6aWtRbmFSYVBmalkKfDF8L3ZMUThVOEx3MW11aXg5ODhlZ0U4VGFtYkVBPXxtWE9ZYXJiVXg5UEI2RDl3RGFpVWVRWkRkYWc9IHNzaC1lZDI1NTE5IEFBQUFDM056YUMxbFpESTFOVEU1QUFBQUlQc0I4aTgvcmxkamUweUtpSEZvTTQ1bEk5RUhWUkdBUU4zSDN2YjFSTUcvCnwxfGFOcnV5UXB4T1FKSk9reVZ1eG9DOWkxVVdVbz18c2ZPZFhwc0FWZ3ZWeXJTWHBXdnIrNHpnRVdnPSBlY2RzYS1zaGEyLW5pc3RwMjU2IEFBQUFFMlZqWkhOaExYTm9ZVEl0Ym1semRIQXlOVFlBQUFBSWJtbHpkSEF5TlRZQUFBQkJCTDg1RFNoaW0wUUFZZ0Jockw3UFYzaDFNa3dCaU42SnpVa3laQndWZGs3aWRRb3pLZHRDdlV0Q0U1SWZvY28zNDY2RERRZHBraGplVjgzMXhQWjFFSEk9CnwxfFpUeG1OVkE1WTczd3dxTDFnS2VMRTY0UUFZbz18SlFWeXpSaDYyaXdNSDBDUzZlbkJTSHVXL3BvPSBzc2gtZWQyNTUxOSBBQUFBQzNOemFDMWxaREkxTlRFNUFBQUFJUHNCOGk4L3JsZGplMHlLaUhGb000NWxJOUVIVlJHQVFOM0gzdmIxUk1HLwp8MXxDZlJsTjM3MWtwSVlOdmIxeTJoWkhtZFNSeWs9fHhGTjdMRGh1QVJUZkZvZjZTMzVJRjI5cUpmTT0gc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUxvbEZXK1N0SHZEODBoREJXckt4Sll3ZS9odDBhOUJ6aWtRbmFSYVBmalkKfDF8bzgveUFOSHVQYis5UG1qeGpxcllkWFlYOEFzPXx5R2FpbTZFa1ZnNVNtb1psektRS1FhYnluazQ9IHNzaC1lZDI1NTE5IEFBQUFDM056YUMxbFpESTFOVEU1QUFBQUlMb2xGVytTdEh2RDgwaERCV3JLeEpZd2UvaHQwYTlCemlrUW5hUmFQZmpZCnwxfFkvMmFHa0ZuYU5aaEMwVExMcnRnRGVOZEo3cz18MWxVcUJSdkZuYm85NFRBSUhFeTRrMitQYjJVPSBzc2gtZWQyNTUxOSBBQUFBQzNOemFDMWxaREkxTlRFNUFBQUFJSDZ0V2NzYkdTa0tBS2kvdzJQUWlSdmRJc3BxNThMU0ZmQVdsSGhEYSt2NQp8MXxWeU9oMGEvYnUrN3h0blk0MndEbS81ZUQxYkU9fGh4UDdIMW5tSXFvdWh1REVjajgwUkFmZVVEQT0gZWNkc2Etc2hhMi1uaXN0cDI1NiBBQUFBRTJWalpITmhMWE5vWVRJdGJtbHpkSEF5TlRZQUFBQUlibWx6ZEhBeU5UWUFBQUJCQkhEdVBuRERRcyt1QzNOTVdJTU4yT1cyWHo1KzljK2l4dWhSK1JQZkZCaFYzVWMxYnB0TnJZTk5JSGFXbFBQcTVHWXFaU09jekdxVnlwMGVDNGhMdzlBPQo=
config: SG9zdCAxNzIuMzEuMy4xNTUKICBIb3N0bmFtZSAxNzIuMzEuMy4xNTUKICBQcmVmZXJyZWRBdXRoZW50aWNhdGlvbnMgcHVibGlja2V5CiAgSWRlbnRpdHlGaWxlIH4vLnNzaC9pZF9yc2EK
# 创建一个task
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: show-readme
spec:
description: Read and display README file.
workspaces:
- name: source
steps:
- name: read
image: alpine:latest
script: |
#!/usr/bin/env sh
cat $(workspaces.source.path)/README.md
# 查看结果
(base) gu@python:~/k8s/yaml/tekton/use/gitpull$ tkn pipelinerun logs clone-read-run-xr2hn -f
[fetch-source : clone] + '[' false '=' true ]
[fetch-source : clone] + '[' true '=' true ]
[fetch-source : clone] + cp -R /workspace/ssh-directory /home/git/.ssh
[fetch-source : clone] + chmod 700 /home/git/.ssh
[fetch-source : clone] + chmod -R 400 /home/git/.ssh/config /home/git/.ssh/id_rsa /home/git/.ssh/known_hosts
[fetch-source : clone] + '[' false '=' true ]
[fetch-source : clone] + CHECKOUT_DIR=/workspace/output/
[fetch-source : clone] + '[' true '=' true ]
[fetch-source : clone] + cleandir
[fetch-source : clone] + '[' -d /workspace/output/ ]
[fetch-source : clone] + rm -rf '/workspace/output//*'
[fetch-source : clone] + rm -rf '/workspace/output//.[!.]*'
[fetch-source : clone] + rm -rf '/workspace/output//..?*'
[fetch-source : clone] + test -z
[fetch-source : clone] + test -z
[fetch-source : clone] + test -z
[fetch-source : clone] + git config --global --add safe.directory /workspace/output
[fetch-source : clone] + /ko-app/git-init '-url=git@172.31.3.155:guquanheng/argo.git' '-revision=' '-refspec=' '-path=/workspace/output/' '-sslVerify=true' '-submodules=true' '-depth=1' '-sparseCheckoutDirectories='
[fetch-source : clone] {"level":"warn","ts":1695180336.8236978,"caller":"git/git.go:271","msg":"URL(\"git@172.31.3.155:guquanheng/argo.git\") appears to need SSH authentication but no SSH credentials have been provided"}
[fetch-source : clone] {"level":"info","ts":1695180338.4686594,"caller":"git/git.go:176","msg":"Successfully cloned git@172.31.3.155:guquanheng/argo.git @ b66baa6c468d7ca3eff27e72e3820e4a7ff0926f (grafted, HEAD) in path /workspace/output/"}
[fetch-source : clone] {"level":"info","ts":1695180338.5491166,"caller":"git/git.go:215","msg":"Successfully initialized and updated submodules in path /workspace/output/"}
[fetch-source : clone] + cd /workspace/output/
[fetch-source : clone] + git rev-parse HEAD
[fetch-source : clone] + RESULT_SHA=b66baa6c468d7ca3eff27e72e3820e4a7ff0926f
[fetch-source : clone] + EXIT_CODE=0
[fetch-source : clone] + '[' 0 '!=' 0 ]
[fetch-source : clone] + git log -1 '--pretty=%ct'
[fetch-source : clone] + RESULT_COMMITTER_DATE=1695180275
[fetch-source : clone] + printf '%s' 1695180275
[fetch-source : clone] + printf '%s' b66baa6c468d7ca3eff27e72e3820e4a7ff0926f
[fetch-source : clone] + printf '%s' git@172.31.3.155:guquanheng/argo.git
[show-readme : read] this is test pipeline
3.2 创建并上传镜像到仓库
# kaniko使用教程
https://juejin.cn/post/7217665415710081081#heading-31
# 创建一个task用来实现对镜像的打包及上传
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: kaniko
labels:
app.kubernetes.io/version: "0.6"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
tekton.dev/tags: image-build
tekton.dev/displayName: "Build and upload container image using Kaniko"
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le"
spec:
description: >-
This Task builds a simple Dockerfile with kaniko and pushes to a registry.
This Task stores the image name and digest as results, allowing Tekton Chains to pick up
that an image was built & sign it.
params:
- name: IMAGE
description: Name (reference) of the image to build.
- name: DOCKERFILE
description: Path to the Dockerfile to build.
default: ./Dockerfile
- name: CONTEXT
description: The build context used by Kaniko.
default: ./
- name: EXTRA_ARGS
type: array
default: []
- name: BUILDER_IMAGE
description: The image on which builds will run (default is v1.5.1)
#default: quanheng.com/k8s/executor:v1.5.2
# 注意,此处无法对私有仓库进行解析,需要提前下载好镜像后docker load进去或者使用公网地址进行下载
default: registry.cn-hangzhou.aliyuncs.com/weiyigeek/kaniko-executor:latest
workspaces:
- name: source
description: Holds the context and Dockerfile
- name: docker-credentials
description: Includes a docker `config.json`
optional: true
mountPath: /kaniko/.docker
results:
- name: IMAGE_DIGEST
description: Digest of the image just built.
- name: IMAGE_URL
description: URL of the image just built.
steps:
- name: build-and-push
workingDir: $(workspaces.source.path)
image: $(params.BUILDER_IMAGE)
args:
- $(params.EXTRA_ARGS)
- --insecure # 使用http与仓库进行通信,使用私有仓库必须用此参数
- --skip-tls-verify # push忽略tls认证
- --skip-tls-verify-pull # pull忽略tls
- --dockerfile=$(params.DOCKERFILE)
- --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source.
- --destination=$(params.IMAGE)
- --digest-file=$(results.IMAGE_DIGEST.path)
# kaniko assumes it is running as root, which means this example fails on platforms
# that default to run containers as random uid (like OpenShift). Adding this securityContext
# makes it explicit that it needs to run as root.
securityContext:
runAsUser: 0
volumeMounts: # 依赖hosts解析需要将本地hosts挂载进pod
- name: hosts
mountPath: /etc/hosts
- name: host
mountPath: /workspace/source/hosts
- name: write-url
image: quanheng.com/k8s/bash:5.1.4
script: |
set -e
image="$(params.IMAGE)"
echo -n "${image}" | tee "$(results.IMAGE_URL.path)"
volumeMounts:
- name: hosts
mountPath: /etc/hosts
volumes:
- name: hosts
hostPath:
path: /etc/hosts
- name: host
hostPath:
path: /etc/hosts
# 创建一个pipeline
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: clone-build-push
spec:
description: |
This pipeline clones a git repo, builds a Docker image with Kaniko and
pushes it to a registry
params:
- name: repo-url
type: string
- name: image-reference
type: string
workspaces:
- name: shared-data
- name: docker-credentials
- name: git-credentials
tasks:
- name: fetch-source
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
- name: ssh-directory
workspace: git-credentials
params:
- name: url
value: $(params.repo-url)
- name: build-push
runAfter: ["fetch-source"]
taskRef:
name: kaniko
workspaces:
- name: source
workspace: shared-data
- name: docker-credentials
workspace: docker-credentials
params:
- name: IMAGE
value: $(params.image-reference)
# 创建pipelinerun
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: clone-build-push-run-
spec:
pipelineRef:
name: clone-build-push
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: nfs
- name: docker-credentials
secret:
secretName: docker-credentials
- name: git-credentials # 指定git仓库的secret
secret:
secretName: git-credentials
params:
- name: repo-url
value: git@172.31.3.155:guquanheng/tekton.git
- name: image-reference
value: quanheng.com/k8s/alpine:v7
# 验证结果
(base) gu@python:~/k8s/yaml/tekton/use/pushimage$ kubectl tkn pipelinerun logs clone-build-push-run-k9pvs -f
[fetch-source : clone] + '[' false '=' true ]
[fetch-source : clone] + '[' true '=' true ]
[fetch-source : clone] + cp -R /workspace/ssh-directory /home/git/.ssh
[fetch-source : clone] + chmod 700 /home/git/.ssh
[fetch-source : clone] + chmod -R 400 /home/git/.ssh/config /home/git/.ssh/id_rsa /home/git/.ssh/known_hosts
[fetch-source : clone] + '[' false '=' true ]
[fetch-source : clone] + CHECKOUT_DIR=/workspace/output/
[fetch-source : clone] + '[' true '=' true ]
[fetch-source : clone] + cleandir
[fetch-source : clone] + '[' -d /workspace/output/ ]
[fetch-source : clone] + rm -rf '/workspace/output//*'
[fetch-source : clone] + rm -rf '/workspace/output//.[!.]*'
[fetch-source : clone] + rm -rf '/workspace/output//..?*'
[fetch-source : clone] + test -z
[fetch-source : clone] + test -z
[fetch-source : clone] + test -z
[fetch-source : clone] + git config --global --add safe.directory /workspace/output
[fetch-source : clone] + /ko-app/git-init '-url=git@172.31.3.155:guquanheng/tekton.git' '-revision=' '-refspec=' '-path=/workspace/output/' '-sslVerify=true' '-submodules=true' '-depth=1' '-sparseCheckoutDirectories='
[fetch-source : clone] {"level":"warn","ts":1695362820.9618697,"caller":"git/git.go:271","msg":"URL(\"git@172.31.3.155:guquanheng/tekton.git\") appears to need SSH authentication but no SSH credentials have been provided"}
[fetch-source : clone] {"level":"info","ts":1695362822.768268,"caller":"git/git.go:176","msg":"Successfully cloned git@172.31.3.155:guquanheng/tekton.git @ c9c9a5c2506927e058508ffc659618c6bc4e6cb8 (grafted, HEAD) in path /workspace/output/"}
[fetch-source : clone] {"level":"info","ts":1695362822.8658404,"caller":"git/git.go:215","msg":"Successfully initialized and updated submodules in path /workspace/output/"}
[fetch-source : clone] + cd /workspace/output/
[fetch-source : clone] + git rev-parse HEAD
[fetch-source : clone] + RESULT_SHA=c9c9a5c2506927e058508ffc659618c6bc4e6cb8
[fetch-source : clone] + EXIT_CODE=0
[fetch-source : clone] + '[' 0 '!=' 0 ]
[fetch-source : clone] + git log -1 '--pretty=%ct'
[fetch-source : clone] + RESULT_COMMITTER_DATE=1695361527
[fetch-source : clone] + printf '%s' 1695361527
[fetch-source : clone] + printf '%s' c9c9a5c2506927e058508ffc659618c6bc4e6cb8
[fetch-source : clone] + printf '%s' git@172.31.3.155:guquanheng/tekton.git
[build-push : build-and-push] INFO[0000] Retrieving image manifest quanheng.com/k8s/ubuntu:2
[build-push : build-and-push] INFO[0000] Retrieving image quanheng.com/k8s/ubuntu:2 from registry quanheng.com
[build-push : build-and-push] INFO[0000] Built cross stage deps: map[]
[build-push : build-and-push] INFO[0000] Retrieving image manifest quanheng.com/k8s/ubuntu:2
[build-push : build-and-push] INFO[0000] Returning cached image manifest
[build-push : build-and-push] INFO[0000] Executing 0 build triggers
[build-push : build-and-push] INFO[0000] Building stage 'quanheng.com/k8s/ubuntu:2' [idx: '0', base-idx: '-1']
[build-push : build-and-push] INFO[0000] Unpacking rootfs as cmd RUN echo hello requires it.
[build-push : build-and-push] INFO[0007] RUN echo hello
[build-push : build-and-push] INFO[0007] Initializing snapshotter ...
[build-push : build-and-push] INFO[0007] Taking snapshot of full filesystem...
[build-push : build-and-push] INFO[0009] Cmd: /bin/sh
[build-push : build-and-push] INFO[0009] Args: [-c echo hello]
[build-push : build-and-push] INFO[0009] Running: [/bin/sh -c echo hello]
[build-push : build-and-push] hello
[build-push : build-and-push] INFO[0009] Taking snapshot of full filesystem...
[build-push : build-and-push] INFO[0009] No files were changed, appending empty layer to config. No layer added to image.
[build-push : build-and-push] INFO[0009] CMD ["tail","-f","/etc/resolv.conf"]
[build-push : build-and-push] INFO[0009] Pushing image to quanheng.com/k8s/ubuntu:3
[build-push : build-and-push] INFO[0010] Pushed quanheng.com/k8s/ubuntu@sha256:8862a8d0ba6e6057a1d539554697fc4d075688b0ec124039f55d0e2b8417c25d
[build-push : write-url] quanheng.com/k8s/ubuntu:3
4、API
4.1 crd
https://tekton.dev/docs/pipelines/pipeline-api/
5、设置
5.1 控制器设置
# 指定controller镜像运行的参数,在controller的deployment里进行配置
spec:
serviceAccountName: tekton-pipelines-controller
containers:
- name: tekton-pipelines-controller
image: ko://github.com/tektoncd/pipeline/cmd/controller
args: [
"-kube-api-qps", "50", # qps数量
"-kube-api-burst", "50", #
"-threads-per-controller", "32", # 每个控制器要创建的线程
# other flags defined here...
]
5.2 控制器高可用
# 更改副本数
# 配置数据副本
路径 pipeline-main/config/resolvers
data.buckets 1 # 数据分桶
data.leaseDuration 15 # 租赁
data.renewDeadline 10 # 续订
data.retryPeriod 2 # 重试
# 设置hpa和pdb(控制人为干预情况下pod的最少可使用数量)
5.3 task
https://tekton.dev/docs/pipelines/tasks/
5.4 taskrun
标签:git,
name,
source,
clone,
tekton,
fetch
From: https://www.cnblogs.com/guquanheng/p/17723061.html