cn

Tekton CICD demo 3

上一章中我们使用task2正确输出了 task1 生成的 commitid

这一章我要添加一个 step，用来在task2中构建docker image，为了使用 commit.txt 这次我们不直接mount，而是重新编写一个 kaniko的启动脚本

因为添加了一个新的 output 所以pipeline 和 task 都需要修改

1. 添加docker resource

docker_resource.yaml

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: tektongolang-image
  namespace: lizhe
spec:
  type: image
  params:
    - name: url
      value: libaibai/tektongolang

2. 创建一个新的 kaniko

exec.sh

此脚本接收4个参数分别是

• $1 dockerfile
• $2 docker context path
• $3 docker destination
• $4 commitid.txt path

set -e

if [ $# -lt 4 ]; then
echo "Usage:  <path to Dockerfile> <context directory> <docker_url> <commitid_path>"
exit 1
fi

dockerfile=$1
context=$2
destination=$3
commitid=`cat $4`
echo "building start..."
echo "commitid:"${commitid}
/kaniko/executor    --dockerfile=$dockerfile \
                --destination=$destination:$commitid \
                --context=$context

Dockerfile

FROM gcr.io/kaniko-project/executor:debug
COPY exec.sh /exec.sh
CMD [ "/busybox/sh" ]

3. 修改 build img task

build_img_task.yaml

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-img
  namespace: lizhe
spec:
  resources:
    outputs:
      - name: builtImage
        type: image
  steps:
    - name: echo-commitid
      image: ubuntu
      command: ["/bin/bash", "-c", "cat /workspace/git-source/commitid.txt"]
    - name: build-image-with-commitid-and-push
      image: libaibai/kanikocid:latest
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command: ["/busybox/sh", "-c", "/exec.sh Dockerfile /workspace/git-source $(resources.outputs.builtImage.url) /workspace/git-source/commitid.txt"]
  workspaces:
    - name: build-workspace
      description: |
        The folder where will be shared among the tasks
      optional: false
      mountPath: /workspace

4. 修改pipeline

pipeline_demo.yaml

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: pipeline-demo
  namespace: lizhe
spec:
  resources:
    - name: source-repo
      type: git
    - name: tektongolang-image
      type: image
  workspaces:
    - name: build-workspace
      optional: false
  tasks:
    - name: git-commitid
      taskRef:
        name: get-commitid
      resources:
        inputs:
          - name: git-source
            resource: source-repo
      workspaces:
        - name: build-workspace
          workspace: build-workspace
    - name: build-img
      runAfter: [git-commitid]
      taskRef:
        name: build-img
      resources:
        outputs:
          - name: builtImage
            resource: tektongolang-image
      workspaces:
        - name: build-workspace
          workspace: build-workspace

5. 修改pipeline run

pipeline_demo_run.yaml

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: pipeline-demo-run
  namespace: lizhe
spec:
  serviceAccountName: build-bot-sa
  pipelineRef:
    name: pipeline-demo
  resources:
    - name: source-repo
      resourceRef:
        name: tektongolang-git
    - name: tektongolang-image
      resourceRef:
        name: tektongolang-image
  workspaces:
    - name: build-workspace # this workspace name must be declared in the Pipeline
      volumeClaimTemplate:
        spec:
          storageClassName: "local-path"
          accessModes:
            - ReadWriteOnce # access mode may affect how you can use this volume in parallel tasks
          resources:
            requests:
              storage: 1Gi

Tekton CICD demo 2

这一步的主要目的是把上一章中的 task 转换成 pipeline，然后添加一个新的task （build image）

先把之前的task转换成 pipeline

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: pipeline-demo
  namespace: lizhe
spec:
  resources:
    - name: source-repo
      type: git
  tasks:
    - name: git-commitid
      taskRef:
        name: get-commitid
      resources:
        inputs:
          - name: git-source
            resource: source-repo

然后新建一个用于 build image 的task

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-img
  namespace: lizhe
spec:
  steps:
    - name: echo-commitid
      image: ubuntu
      command: ["/bin/bash", "-c", "cat /workspace/git-source/commitid.txt"]

添加这个 task 到 pipeline

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: pipeline-demo
  namespace: lizhe
spec:
  resources:
    - name: source-repo
      type: git
  tasks:
    - name: git-commitid
      taskRef:
        name: get-commitid
      resources:
        inputs:
          - name: git-source
            resource: source-repo
    - name: build-img
      taskRef:
        name: build-img

新建一个pipeline run

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: pipeline-demo
  namespace: lizhe
spec:
  resources:
    - name: source-repo
      type: git
  tasks:
    - name: git-commitid
      taskRef:
        name: get-commitid
      resources:
        inputs:
          - name: git-source
            resource: source-repo
    - name: build-img
      taskRef:
        name: build-img

直接运行这个 pipeline run 的话会出现异常

可以看到，在 git pull 命令执行之前，build img （目前只是尝试输出 git task 中生成的 commitid ）失败了，并且可以观察到两个task是并行的，实际上我们这里，task2 对 task1 是有依赖的，而且似乎两个task也没有共享 workspace

对之前的 2个 task ，1个 pipeline 和 1个 pipeline run 进行修改，添加一个 pvc ，用于共享文件夹

官方文档中提到 access mode 会影响 task 的并行，所以这里需要把pipeline改成串行的

PersistentVolumeClaim volumes are a good choice for sharing data among Tasks within a Pipeline. Beware that the access mode configured for the PersistentVolumeClaim effects how you can use the volume for parallel Tasks in a Pipeline. See Specifying workspace order in a Pipeline and Affinity Assistants for more information about this. There are two ways of using PersistentVolumeClaims as a VolumeSource.

pipeline

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: pipeline-demo
  namespace: lizhe
spec:
  resources:
    - name: source-repo
      type: git
  workspaces:
    - name: build-workspace
      optional: false
  tasks:
    - name: git-commitid
      taskRef:
        name: get-commitid
      resources:
        inputs:
          - name: git-source
            resource: source-repo
      workspaces:
        - name: build-workspace
          workspace: build-workspace
    - name: build-img
      runAfter: [git-commitid]
      taskRef:
        name: build-img
      workspaces:
        - name: build-workspace
          workspace: build-workspace

pipeline run

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: pipeline-demo-run
  namespace: lizhe
spec:
  serviceAccountName: build-bot-sa
  pipelineRef:
    name: pipeline-demo
  resources:
    - name: source-repo
      resourceRef:
        name: tektongolang-git
  workspaces:
    - name: build-workspace # this workspace name must be declared in the Pipeline
      volumeClaimTemplate:
        spec:
          storageClassName: "local-path"
          accessModes:
            - ReadWriteOnce # access mode may affect how you can use this volume in parallel tasks
          resources:
            requests:
              storage: 1Gi

task1

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: get-commitid
  namespace: lizhe
spec:
  resources:
    inputs:
      - name: git-source
        type: git
  steps:
    - name: get-commitid
      image: libaibai/gitcid
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command: ["/bin/bash", "-c", "/getcommitid.sh /workspace/git-source"]
  workspaces:
    - name: build-workspace
      description: |
        The folder where will be shared among the tasks
      optional: false
      mountPath: /workspace

task2

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-img
  namespace: lizhe
spec:
  steps:
    - name: echo-commitid
      image: ubuntu
      command: ["/bin/bash", "-c", "cat /workspace/git-source/commitid.txt"]
  workspaces:
    - name: build-workspace
      description: |
        The folder where will be shared among the tasks
      optional: false
      mountPath: /workspace

经过上面的修改，我们的代码最终变成了

1. 通过 pvc template 共享一个pv
2. 两个task由并行变成了串行
3. task1 通过 input resource 从git下载了代码
4. task1 本身通过 libaibai/gitcid 镜像输出 commitid 到 workspace/commitid.txt
5. task2 读取 workspace/commitid.txt

Tekton CICD demo 1

本例是第一步，使用 git 下载代码，并且 提取 commitid

既然是从git下载代码，那么首先就要创建 git resource

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: tektongolang-git
  namespace: lizhe
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/zl86790/tektongolang.git

然后我们创建 git 仓库的权限

apiVersion: v1
kind: Secret
metadata:
  name: git-secret
  namespace: lizhe
  annotations:
    tekton.dev/git-0: https://github.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext username>
  password: <cleartext password>

因为下面我们会使用一个私有docker镜像，所以这里再创建一个docker权限

kubectl create secret docker-registry docker-secret -n lizhe \
                    --docker-server=https://index.docker.io/v1/ \
                    --docker-username=<your-name> \
                    --docker-password=<your-pword> \
                    --docker-email=<your-email>

创建一个 service account，并且附加上刚刚创建的 git-secret 和docker-secret

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot-sa
  namespace: lizhe
secrets:
  - name: git-secret
  - name: docker-secret

然后我们创建一个 getcommitid 的 task

这个task使用的 image 是 getcommitid.sh

touch /$1/commitid.txt
git -C /$1 rev-parse HEAD > /$1/commitid.txt
ls /$1
cat /$1/commitid.txt

创建task

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: get-commitid
  namespace: lizhe
spec:
  resources:
    inputs:
      - name: git-source
        type: git
  steps:
    - name: get-commitid
      image: libaibai/gitcid
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command: ["/bin/bash", "-c", "/getcommitid.sh /workspace/git-source"]

尝试启动这个task

Tekton CICD demo

Tekton Pipeline

Creating and running a Pipeline

Pipeline 是一组有序的 task，并且可以共享 inputs 和 outputs，例如 task1 的outputs 可以传递给 task2 作为 inputs

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: lizhe-pipeline
  namespace: lizhe
spec:
  resources:
    - name: source-repo
      type: git
    - name: web-image
      type: image
  tasks:
    - name: git-clone-and-build-image
      taskRef:
        name: build-docker-image-from-git-source
      params:
        - name: pathToDockerFile
          value: Dockerfile
        - name: pathToContext
          value: $(resources.inputs.docker-source.path)/
      resources:
        inputs:
          - name: docker-source
            resource: source-repo
        outputs:
          - name: builtImage
            resource: web-image

在使用 run pipeline 之前，需要先给 service account 添加新的 role

在 Tekton Helloworld 中我们使用了名为 tutorial-service 的 service account，这里将继续使用它

如果你不记得我们做了什么也没有关系

来复习一下，首先创建了2个secrets，分别用于 git 和 docker

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  namespace: lizhe
  annotations:
    tekton.dev/git-0: https://github.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext username>
  password: <cleartext password>

------------------

kubectl create secret docker-registry regcred -n lizhe \
                    --docker-server=https://index.docker.io/v1/ \
                    --docker-username=<your-name> \
                    --docker-password=<your-pword> \
                    --docker-email=<your-email>

然后使用这两个 secrets 创建 service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tutorial-service
  namespace: lizhe
secrets:
  - name: regcred
  - name: basic-user-pass

来给它添加新的 role

kubectl create clusterrole tutorial-role \
               -n lizhe \
               --verb=* \
               --resource=deployments,deployments.apps

kubectl create clusterrolebinding tutorial-binding \
             -n lizhe \
             --clusterrole=tutorial-role \
             --serviceaccount=default:tutorial-service

然后尝试 run pipeline

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: lizhe-pipeline-run-1
  namespace: lizhe
spec:
  serviceAccountName: tutorial-service
  pipelineRef:
    name: lizhe-pipeline
  resources:
    - name: source-repo
      resourceRef:
        name: tektongolang-git
    - name: web-image
      resourceRef:
        name: lizhe-image

上面内容中，需要引用如下资源

启动

等待执行成功

Tekton Helloworld

参考 https://github.com/tektoncd/pipeline/blob/main/docs/tutorial.md

Create a Task
Create a Pipeline containing your Tasks
Use a TaskRun to instantiate and execute a Task outside of a Pipeline
Use a PipelineRun to instantiate and run a Pipeline containing your Tasks

1. Create a Task

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: echo-hello-world
  namespace: lizhe
spec:
  steps:
    - name: echo
      image: ubuntu
      command:
        - echo
      args:
        - "Hello World"

tkn task describe echo-hello-world





2. Create a Pipeline containing your Tasks

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: echo-hello-world-task-run
  namespace: lizhe
spec:
  taskRef:
    name: echo-hello-world

和 argo一样， 它也会创建pod，另外也可以用 tkn

tkn taskrun describe echo-hello-world-task-run -n lizhe



3. PipelineResources

要创建一个 git resource 常规做法如下

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: tektongolang-git
  namespace: lizhe
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/zl86790/tektongolang.git

创建一个 docker resource

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: lizhe-image
  namespace: lizhe
spec:
  type: image
  params:
    - name: url
      value: libaibai/tektongolang







但是我们要使用 私有库 ， 所以还需要secrets

4. 创建 git 用的权限

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  namespace: lizhe
  annotations:
    tekton.dev/git-0: https://github.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext username>
  password: <cleartext password>

关联这个 secret 到 service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
  namespace: lizhe
secrets:
  - name: basic-user-pass

5. 创建 docker 用的权限

kubectl create secret docker-registry regcred -n lizhe \
                    --docker-server=<your-registry-server> \
                    --docker-username=<your-name> \
                    --docker-password=<your-pword> \
                    --docker-email=<your-email>

kubectl create secret docker-registry regcred -n lizhe \
                    --docker-server=https://index.docker.io/v1/ \
                    --docker-username=<your-name> \
                    --docker-password=<your-pword> \
                    --docker-email=<your-email>


关联这个 secret 到 service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tutorial-service
  namespace: lizhe
secrets:
  - name: regcred

稍微修改一下把 git 的 secret 也绑上，这样一会使用一个 sa 就可以了

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tutorial-service
  namespace: lizhe
secrets:
  - name: regcred
  - name: basic-user-pass



6. build-docker-image-from-git-source

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-docker-image-from-git-source
  namespace: lizhe
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: $(resources.inputs.docker-source.path)/Dockerfile
    - name: pathToContext
      type: string
      description: |
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: $(resources.inputs.docker-source.path)
  resources:
    inputs:
      - name: docker-source
        type: git
    outputs:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:latest
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(params.pathToDockerFile)
        - --destination=$(resources.outputs.builtImage.url)
        - --context=$(params.pathToContext)



7. Run your task

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
  namespace: lizhe
spec:
  serviceAccountName: tutorial-service
  taskRef:
    name: build-docker-image-from-git-source
  params:
    - name: pathToDockerFile
      value: Dockerfile
    - name: pathToContext
      value: $(resources.inputs.docker-source.path)/
  resources:
    inputs:
      - name: docker-source
        resourceRef:
          name: tektongolang-git
    outputs:
      - name: builtImage
        resourceRef:
          name: lizhe-image

kubectl get tekton-pipelines -A

build-docker-image-from-git-source-task-run-r-tz2g4

Kubernetes Endpoints

使用Endpoints 可以方便的使用 service （ traefik、nodeport、loadbalancer 等 ） 连接外部资源

下面是一个 traefik 连接 postgre sql 的例子

endpoint.yaml

apiVersion: v1
kind: Endpoints
metadata:
  name: postgre-endpoint
  namespace: postgre
subsets:
  - addresses:
      - ip: 10.10.20.135
    ports:
      - port: 5432

创建 service

apiVersion: v1
kind: Service
metadata:
  name: postgre-endpoint
  namespace: postgre
spec:
  ports:
    - port: 5432
      protocol: TCP
      targetPort: 5432

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: postgre-endpoint
  namespace: postgre
spec:
  entryPoints:
    - postgre
  routes:
  - match: HostSNI(`*`)
    services:
    - name: postgre-endpoint
      port: 5432

Tekton install

参考 https://github.com/tektoncd/pipeline/blob/main/docs/install.md

kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

查看状态

kubectl get pods --namespace tekton-pipelines --watch

安装 dashboard

kubectl apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml

可以通过 proxy 来访问

kubectl proxy
http://localhost:8001/api/v1/namespaces/tekton-pipelines/services/tekton-dashboard:http/proxy/

当然也可以使用 port-forward

kubectl --namespace tekton-pipelines port-forward svc/tekton-dashboard 9097:9097
http://localhost:9097

安装 CLI

curl -LO https://github.com/tektoncd/cli/releases/download/v0.20.0/tkn_0.20.0_Linux_x86_64.tar.gz
sudo tar xvzf tkn_0.20.0_Linux_x86_64.tar.gz -C /usr/local/bin/ tkn

Email Alerting Notification channel

这里使用的是 gmail，但是直接使用的话会得到

刚刚有人试图使用您的密码通过非 Google 应用登录您的帐号。Google 已阻止此次登录尝试，但您应进行检查，了解发生了什么情况。请查看您的帐号活动，确保其他人无法访问您的帐号。

所以需要修改设置

https://myaccount.google.com/lesssecureapps

我们打开

修改 grafana.ini

[smtp]
enabled = true
host = smtp.gmail.com:587
user = xxxxxxxx@gmail.com
password = xxxxxx
;cert_file =
;key_file =
skip_verify = true
from_address = virtualcoin.videos@gmail.com
from_name = Grafana
# EHLO identity in SMTP dialog (defaults to instance_name)
;ehlo_identity = dashboard.example.com

重启服务

发送测试邮件

kube-prometheus 安装(yaml方式）

之前我们在 kube-prometheus 安装 中提到过，仓库又过时了

https://github.com/prometheus-community/community/issues/28#issuecomment-670406329

最新的安装请参考

https://github.com/prometheus-operator/kube-prometheus

https://github.com/prometheus-operator/kube-prometheus#installing

下载代码

git clone https://github.com/prometheus-operator/kube-prometheus.git

安装

# Create the namespace and CRDs, and then wait for them to be available before creating the remaining resources
kubectl create -f manifests/setup
until kubectl get servicemonitors --all-namespaces ; do date; sleep 1; echo ""; done
kubectl create -f manifests/

这个脚本似乎和我的 rke2 有一些冲突，很多资源在 rke2 中已经存在了

不过这一些 already exists 的错误似乎并不影响使用

Prometheus

$ kubectl --namespace monitoring port-forward svc/prometheus-k8s 9090

Grafana

$ kubectl --namespace monitoring port-forward svc/grafana 3000

默认密码是
username: admin
password: admin
第一次登录之后会提示你修改密码

自带的模板

Alert Manager

$ kubectl --namespace monitoring port-forward svc/alertmanager-main 9093