阿里云Kubernetes服务上使用Tekton完成应用发布初体验

Tekton 是一个功能强大且灵活的 Kubernetes 原生开源框架，用于创建持续集成和交付（CI/CD）系统。通过抽象底层实现细节，用户可以跨多云平台和本地系统进行构建、测试和部署。

本文是基于阿里云Kubernetes服务部署Tekton Pipeline，并使用它完成源码拉取、应用打包、镜像推送和应用部署的实践过程。

Tekton Pipeline中有5类对象,核心理念是通过定义yaml定义构建过程.构建任务的状态存放在status字段中。

其中5类对象分别是：PipelineResouce、Task、TaskRun、Pipeline、PipelineRun。

Task是单个任务的构建过程,需要通过定义TaskRun任务去运行Task。

Pipeline包含多个Task,并在此基础上定义input和output,input和output以PipelineResource作为交付。

PipelineResource是可用于input和output的对象集合。

同样地,需要定义PipelineRun才会运行Pipeline。

1. 在阿里云Kubernetes集群中部署Tekton Pipeline

kubectl apply --filename https://storage.googleapis.com/tekton-releases/latest/release.yaml

查看Tekton Pipelines组件是否运行正常：

$ kubectl -n tekton-pipelines get po
NAME                                                     READY   STATUS      RESTARTS   AGE
tekton-pipelines-controller-6bcd7ff5d6-vzmrh             1/1     Running     0          25h
tekton-pipelines-webhook-6856cf9c47-l6nj6                1/1     Running     0          25h

2. 创建Git Resource， Registry Resource

编辑 git-pipeline-resource.yaml :

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:name: git-pipeline-resource
spec:type: gitparams:- name: revisionvalue: tekton- name: urlvalue: https://code.aliyun.com/haoshuwei/jenkins-demo.git

git repo的分支名称为 tekton 。

编辑 registry-pipeline-resource.yaml :

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:name: registry-pipeline-resource
spec:type: imageparams:- name: urlvalue: registry.cn-hangzhou.aliyuncs.com/haoshuwei/tekton-demo

容器镜像仓库地址为 registry.cn-hangzhou.aliyuncs.com/haoshuwei/tekton-demo，标签为 latest

创建pipeline resource：

$ kubectl -n tekton-pipelines create -f git-pipeline-resource.yaml
$ kubectl -n tekton-pipelines create -f registry-pipeline-resource.yaml

查看已创建的pipeline resource资源：

$ kubectl -n tekton-pipelines get PipelineResource
NAME                         AGE
git-pipeline-resource        2h
registry-pipeline-resource   2h

3. 创建Git Repo/Docker Registry Authentication

拉取私有git源码项目需要配置使用Git Repo Authentication；拉取和推送docker镜像需要配置Docker Registry Authentication。在Tekton Pipeline中，Git Repo/Docker Registry Authentication会被定义成ServiceAccount来使用。

编辑 secret tekton-basic-user-pass-git.yaml :

apiVersion: v1
kind: Secret
metadata:name: tekton-basic-user-pass-gitannotations:tekton.dev/git-0: https://code.aliyun.com
type: kubernetes.io/basic-auth
stringData:username: <cleartext non-encoded>password: <cleartext non-encoded>

编辑 secret tekton-basic-user-pass-registry.yaml :

apiVersion: v1
kind: Secret
metadata:name: tekton-basic-user-pass-registryannotations:tekton.dev/docker-0: https://registry.cn-hangzhou.aliyuncs.com
type: kubernetes.io/basic-auth
stringData:username: <cleartext non-encoded>password: <cleartext non-encoded>

编辑 serviceaccount tekton-git-and-registry.yaml :

apiVersion: v1
kind: ServiceAccount
metadata:name: tekton-git-and-registry
secrets:- name: tekton-basic-user-pass-git- name: tekton-basic-user-pass-registry

创建serviceaccount：

$ kubectl -n tekton-pipelines create -f tekton-basic-user-pass-git.yaml
$ kubectl -n tekton-pipelines create -f tekton-basic-user-pass-registry.yaml
$ kubectl -n tekton-pipelines create -f tekton-git-and-registry.yaml

查看secret以及sa：

$ kubectl -n tekton-pipelines get secret
NAME                                      TYPE                                  DATA   AGE
default-token-pwncj                       kubernetes.io/service-account-token   3      25h
tekton-basic-user-pass-git                kubernetes.io/basic-auth              2      151m
tekton-basic-user-pass-registry           kubernetes.io/basic-auth              2      151m
tekton-git-and-registry-token-tr95m       kubernetes.io/service-account-token   3      151m
tekton-pipelines-controller-token-lc2fv   kubernetes.io/service-account-token   3      25h  
webhook-certs                             Opaque                                3      25h

$  kubectl -n tekton-pipelines get sa
NAME                          SECRETS   AGE
default                       1         25h
tekton-git-and-registry       3         152m
tekton-pipelines-controller   1         25h

4. 配置serviceaccount tekton-git-and-registry获取命名空间tekton-pipelines的管理权限用于部署应用

创建ClusterRoleBinding tekton-cluster-admin :

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: tekton-cluster-admin
subjects:- kind: ServiceAccountname: tekton-git-and-registrynamespace: tekton-pipelines
roleRef:kind: ClusterRolename: cluster-adminapiGroup: rbac.authorization.k8s.io

5. 创建一个Task

创建task build-app.yaml :

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:name: build-app
spec:inputs:resources:- name: java-demotype: gitparams:- name: pathToDockerFiledescription: The path to the dockerfile to builddefault: /workspace/java-demo/Dockerfile- name: pathToContextdescription: The build context used by Kanikodefault: /workspace/java-dem- name: pathToYamldescription: The path to teh manifest to applyoutputs:resources:- name: builtImagetype: imagesteps:- name: build-mvn-packageimage: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-maven:3.3.9-jdk-8-alpineworkingDir: /workspace/java-democommand:- mvnargs:- package- -B- -DskipTests- name: build-docker-imageimage: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-kaniko:0.6.0command:- kanikoargs:- --dockerfile=${inputs.params.pathToDockerFile}- --destination=${outputs.resources.builtImage.url}- --context=${inputs.params.pathToContext}- name: deploy-appimage: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-kubectl:1.11.5command:- kubectlargs:- apply- -f- ${inputs.params.pathToYaml}

6. 创建TaskRun运行任务

创建taskrun build-app-task-run.yaml :

apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:name: build-app-task-run
spec:serviceAccount: tekton-git-and-registrytaskRef:name: build-apptrigger:type: manualinputs:resources:- name: java-demoresourceRef:name: git-pipeline-resourceparams:- name: pathToDockerFilevalue: Dockerfile- name: pathToContextvalue: /workspace/java-demo- name: pathToYamlvalue: /workspace/java-demo/deployment.yamloutputs:resources:- name: builtImageresourceRef:name: registry-pipeline-resource

7. 查看构建状态以及日志

查看taskrun状态：

$ kubectl -n tekton-pipelines get taskrun
NAME                 SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
build-app-task-run   Unknown     Pending   4s

查看构建日志：

$ kubectl -n tekton-pipelines get po
NAME                                           READY   STATUS    RESTARTS   AGE
build-app-task-run-pod-b8f890                  3/5     Running   0          75s
tekton-pipelines-controller-6bcd7ff5d6-vzmrh   1/1     Running   0          25h
tekton-pipelines-webhook-6856cf9c47-l6nj6      1/1     Running   0          25h

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890
Error from server (BadRequest): a container name must be specified for pod build-app-task-run-pod-b8f890, choose one of:   [build-step-git-source-git-pipeline-resource-77l5v build-step-build-mvn-package build-step-build-docker-image build-step-deploy-app nop] or one of the init containers: [build-step-credential-initializer-8dsnm build-step-place-tools]

mvn build的日志:

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890 -c build-step-build-mvn-package
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building jenkins-demo-web 1.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-resources-plugin/2.6/maven-resources-plugin-2.6.pom
[INFO] Downloaded: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-resources-plugin/2.6/maven-resources-plugin-2.6.pom (8 KB at 7.3 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-plugins/23/maven-plugins-23.pom
[INFO] Downloaded: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-plugins/23/maven-plugins-23.pom (9 KB at 26.7 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/22/maven-parent-22.pom
[INFO] Downloaded: https://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/22/maven-parent-22.pom (30 KB at 61.3 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org/maven2/org/apache/apache/11/apache-11.pom
[INFO] Downloaded: https://repo.maven.apache.org/maven2/org/apache/apache/11/apache-11.pom (15 KB at 45.3 KB/sec)
....

docker build的日志：

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890 -c build-step-build-docker-image
INFO[0000] Downloading base image tomcat
2019/05/06 11:58:46 No matching credentials were found, falling back on anonymous
INFO[0003] Taking snapshot of full filesystem...
INFO[0003] Skipping paths under /builder/home, as it is a whitelisted directory
INFO[0003] Skipping paths under /builder/tools, as it is a whitelisted directory
INFO[0003] Skipping paths under /dev, as it is a whitelisted directory
INFO[0003] Skipping paths under /kaniko, as it is a whitelisted directory
INFO[0003] Skipping paths under /proc, as it is a whitelisted directory
INFO[0003] Skipping paths under /run/secrets/kubernetes.io/serviceaccount, as it is a whitelisted directory
INFO[0003] Skipping paths under /sys, as it is a whitelisted directory
INFO[0003] Skipping paths under /var/run, as it is a whitelisted directory
INFO[0003] Skipping paths under /workspace, as it is a whitelisted directory
INFO[0003] Using files from context: [/workspace/java-demo/target/demo.war]
INFO[0003] ADD target/demo.war /usr/local/tomcat/webapps/demo.war
INFO[0003] Taking snapshot of files...
...

app-deploy的日志：

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-637855 -c build-step-deploy-app
deployment.extensions/jenkins-java-demo created
service/jenkins-java-demo created

taskrun的完成状态为True则构建部署过程完成：

$ kubectl -n tekton-pipelines get taskrun
NAME                 SUCCEEDED   REASON   STARTTIME   COMPLETIONTIME
build-app-task-run   True                 4m          2m