tekton - deptno/deptno.github.io GitHub Wiki
Kubernetes-based CI/CD
- TODO: It is well modularized, but I need to decide whether the pipeline management code should live in the project or on the infra side
```mermaid
erDiagram
  EXTERNAL-EVENT ||--|| Service : receive-from-external-event
  Service ||--|| EventListener : ""
  EventListener ||--|{ TriggerGroups : ""
  TriggerGroups ||--|{ Trigger: "by selector"
  Trigger ||--|| TriggerTemplate : ref-or-embed
  Trigger ||--o{ TriggerBinding : ""
  Trigger ||--o{ Interceptor : ""
  Interceptor ||--o{ TriggerBinding : "modify, filter, validate"
  Trigger ||--o| ServiceAccount : ref
  EventListener ||--o{ TriggerBinding : "implicit ref event as body"
  EventListener ||--o{ Interceptor : "implicit ref event as body"
  TriggerTemplate ||--|{ PipelineRun : embed
  EventListener ||--|| ServiceAccount : ref
  PipelineRun ||--o| ServiceAccount : ref
  PipelineRun }|--|| Pipeline : pipelinerun-ref-or-embed-pipeline
  PipelineRun ||--|{ Resource : ref
  PipelineRun ||--|{ Workspace : ref
  Pipeline ||--|{ Task: ref
  ServiceAccount }|--|| RoleBinding : ref
  ServiceAccount }|--|| ClusterRoleBinding : ref
  RoleBinding ||--o| Role : ref
  RoleBinding ||--o| ClusterRole : ref
  ClusterRoleBinding ||--o| ClusterRole : ref
  ServiceAccount ||--|{ Secret : ref
  EventListener {
    TriggerList triggers
    Resource resources
  }
  Trigger {
    TriggerBindingList bindings
    TriggerTemplate template
    InterceptorList interceptors
    ServiceAccount serviceAccountName
  }
  Resource {
    kubernetesResource o
    customResource o
    kubernetesResource o
  }
```
- Interchangeable
  - TriggerBinding <-> ClusterTriggerBinding
  - TriggerTemplate <-> ClusterTriggerTemplate
- A TriggerTemplate can reference objects other than PipelineRun
  - PipelineRun
  - Pipeline
  - TaskRun
  - Task
  - CustomTask
- TriggerBinding <-> TriggerTemplate
  - They meet in a Trigger in an n..1 relationship; need to check whether the TriggerTemplate matching the TriggerBinding is the one invoked
EventListener > TriggerBinding > TriggerTemplate > PipelineRun > Pipeline > Task
- EventListener
- TriggerBinding
- TriggerTemplate
- PipelineRun
- Pipeline
- Task
- EventListener
- PipelineBinding
- PipelineTemplate
- Pipeline
- RoleBinding
- ServiceAccount
- ClusterRole
- ClusterRoleBinding
- ServiceAccount
- ClusterRole
CRD | Description |
---|---|
Event | Trigger |
PipelineBinding | Binds variables to the pipeline |
PipelineTemplate | |
PipelineRun | Runs the pipeline |
Pipeline | Collection of Tasks |
Task | |
- pipelines
- triggers
- results (execution results?)
- diary:2023-01-19
- tutorial
  - https://tekton.dev/docs/how-to-guides/clone-repository/
  - `tkn hub install task git-clone` fails with an error, so a direct install via `kubectl apply -f` is needed (2023-01-20)

https://tekton.dev/docs/how-to-guides/clone-repository/

```shell
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
```

Installed into the `tekton-pipelines` namespace.
- PVC configuration

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
  name: config-artifact-pvc
  namespace: tekton-pipelines
data:
  storageClassName: "openebs-hostpath"
  size: "10Gi" # Kubernetes quantity suffix is Gi ("10GiB" is not a valid quantity)
```
- private repo configuration
- pipeline configuration
  - Found in `cm/feature-flags`:
    - require-git-ssh-secret-known-hosts
    - disable-creds-init: skips credential initialization and replaces it with loading the secret

```shell
kubectl apply --filename \
  https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml
brew install tektoncd-cli
```
After `ssh-keygen`, register the SSH key on GitHub.

- Create the `Secret`

```shell
ssh-keygen -t ed25519 -C "[[email protected]]"
# save the key in the current directory
kubectl create secret generic [secret_name] --from-file=ssh-privatekey=./id_ed25519.tekton.dev --type=kubernetes.io/ssh-auth
kubectl annotate secret [secret_name] tekton.dev/git-0=github.com
```

- Create the `ServiceAccount`

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-deptno
secrets:
  - name: [secret_name]
```

- Inject it into the `PipelineRun` and use it

Verified with the `git-clone` task from Tekton Hub. DONE: 2023-01-24
The `ssh-github` secret has the following form:

```
Name:         ssh-github-deptno
Namespace:    project-things
Labels:       <none>
Annotations:  tekton.dev/git-0: github.com
Type:         kubernetes.io/ssh-auth

Data
====
ssh-privatekey:  411 bytes
```
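Added example, not from the original wiki: the secret above carries only `ssh-privatekey`. When the `require-git-ssh-secret-known-hosts` flag in `cm/feature-flags` is set to `"true"`, Tekton requires every Git SSH secret to also carry a `known_hosts` key, which pins the server's host key instead of accepting whatever key is offered on the first fetch. The manifest reuses the page's names; both values are placeholders to fill in.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ssh-github
  namespace: project-things
  annotations:
    # Tells Tekton which Git host this credential is for.
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
stringData:
  # Placeholder: contents of the private key generated with ssh-keygen.
  ssh-privatekey: |
    <PRIVATE_KEY_PLACEHOLDER>
  # Placeholder: the github.com host key line(s), checked against the
  # fingerprints GitHub publishes before being stored here.
  known_hosts: |
    <KNOWN_HOSTS_PLACEHOLDER>
```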
The `git-clone` task is installed from the hub.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tt-sa
secrets:
  - name: ssh-github # holds `ssh-privatekey` as data
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tt-rb
  namespace: project-things
subjects:
  - kind: ServiceAccount
    name: tt-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-roles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tt-crb
subjects:
  - kind: ServiceAccount
    name: tt-sa
    namespace: project-things
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-clusterroles
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: tt-ev
spec:
  serviceAccountName: tt-sa
  triggers:
    - triggerRef: tt-tr
  resources:
    kubernetesResource:
      serviceType: ClusterIP
      servicePort: 80
---
apiVersion: triggers.tekton.dev/v1beta1
kind: Trigger
metadata:
  name: tt-tr
spec:
  bindings:
    - ref: tt-tb
  template:
    ref: tt-tt
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: tt-tb
spec:
  params:
    - name: url
      value: $(body.url)
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: tt-tt
spec:
  params:
    - name: url
  resourceTemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        generateName: tt-tt-pr
      spec:
        serviceAccountName: tt-sa
        pipelineRef:
          name: tt-pl
        params:
          - name: repo-url
            value: $(tt.params.url)
        workspaces:
          - name: shared-data
            emptyDir: {}
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: tt-pl
  namespace: project-things
spec:
  description: clone git repository
  params:
    - name: repo-url
      type: string
      description: https://github.com/[username]/[reponame].git
  workspaces:
    - name: shared-data
      description: working directory
  tasks:
    - name: fetch-source
      taskRef:
        name: git-clone
      params:
        - name: url
          value: $(params.repo-url)
      workspaces:
        - name: output
          workspace: shared-data
```
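Added example, not part of the original wiki: as written, `tt-tr` hands whatever `url` is posted to the EventListener straight to `git-clone`, which runs with the SSH key attached to `tt-sa`. The "modify, filter, validate" role that the diagram gives to an Interceptor can be filled by the built-in `cel` ClusterInterceptor; the allowed URL below is an assumption taken from the repository used in the run that follows.

```yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: Trigger
metadata:
  name: tt-tr
  namespace: project-things
spec:
  interceptors:
    - ref:
        name: cel # built-in ClusterInterceptor shipped with Tekton Triggers
        kind: ClusterInterceptor
      params:
        - name: filter
          # The event is dropped unless the body carries exactly the
          # expected repository URL (assumed value; list the repos you allow).
          value: "body.url == 'git@github.com:deptno/private-repo.git'"
  bindings:
    - ref: tt-tb
  template:
    ref: tt-tt
```

Events that fail the filter never reach the TriggerBinding, so no PipelineRun is created for them.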
- Run

```
$ curl -X POST \
    http://localhost:8080 \
    -H 'Content-Type: application/json' \
    -d '{ "url": "git@github.com:deptno/private-repo.git" }'
{"eventListener":"tt-ev","namespace":"project-things","eventListenerUID":"54001b1f-1859-48a3-802b-d220a954f23c","eventID":"19375452-32d1-4650-aa03-beb73f7f7538"}
$ tkn pr logs
? Select pipelinerun: tt-tt-prkbpb2 started 1 second ago
Pipeline still running ...
task fetch-source has failed: "step-clone" exited with code 1 (image: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init@sha256:28ff94e63e4058afc3f15b4c11c08cf3b54fa91faa646a4bbac90380cd7158df"); for logs run: kubectl -n project-things logs tt-tt-prkbpb2-fetch-source-pod -c step-clone
[... logs]
```
After the pod was created through the PipelineRun it stayed in Pending; looking into it, the PVC was not being bound.

```
Events:
  Type     Reason            Age   From               Message
  ----     ------            ----  ----               -------
  Warning  FailedScheduling  2m8s  default-scheduler  0/1 nodes are available: pod has unbound immediate PersistentVolumeClaims. preemption: 0/1 nodes are available: 1 No preemption victims found for incoming pod..
```

-> Looking at the PVC, `storageClassName` is empty; in the current setup `openebs-hostpath` has to be specified for it to be usable.

-> Even though `storageClassName` was set in the PVC configuration in the manifest, it did not work.

-> Injecting `spec.storageClassName: openebs-hostpath` into the PVC makes it run normally.

-> Injecting `storageClassName` in the `PipelineRun` works:

```yaml
workspaces:
  - name: shared-data
    volumeClaimTemplate:
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
        storageClassName: openebs-hostpath
```
```json
{
  "severity": "fatal",
  "timestamp": "2023-01-28T08:55:54.927Z",
  "logger": "eventlistener",
  "caller": "v2/main.go:205",
  "message": "Start returned an error",
  "error": "Timed out waiting on CaBundle to available for clusterInterceptor: Timed out waiting on CaBundle to available for Interceptor: clusterinterceptors. triggers.tekton.dev is forbidden: User \"system:serviceaccount:project-things:default\" cannot list resource \"clusterinterceptors\" in API group \"triggers.tekton.dev\" at the cluster scope"
}
```

Check that the ClusterRole and Role provided by Tekton are correctly set up for the account.