tekton pipelines

using tekton pipelines

SEAN K.H. LIAO

tekton pipelines

A fancy CI/CD system / task runner with a hard dependency on Kubernetes. Why would you want to run it? Because you want to declaratively manage your entire setup, so that kustomize build | kubectl apply -f - stands up your whole build system.

tasks and pipelines

TaskRuns and PipelineRuns are implemented as pods, which are left in the exited state after completion. Keep them if you want to keep the logs, but they clutter up your namespace; tkn pipelinerun delete --keep N prunes everything but the most recent N runs.

Array params are mostly useless: a lot of the time you need to pass them into a bash script or inline JSON, and it is easier to just use a string.

Secrets bound as workspaces are mounted as files, so a step that needs the value has to invoke a shell and do $(cat path/to/secret). Keep that inside the step's script and do not echo it, or it ends up in the run logs.

Persistent volumes (for workspaces) are finicky: they keep state between executions and are shared between all of them, so there is no clean slate, and I am not even sure ReadWriteOnce is respected. (ReadWriteOnce only restricts mounting to a single node, so two runs scheduled onto the same node can both write to the claim at once.) A shared claim also means one run's leftovers, including anything a compromised build step wrote, are there for the next run; a volumeClaimTemplate on the PipelineRun workspace gives each run its own claim instead.

triggers

The interceptors (including CEL) are very limited, and you will almost immediately want to run your own deployment as a webhook interceptor (for example, you can't do replaceAll, split-join, ...). If you do, keep the github interceptor with its secretRef in front of it: that is what checks the webhook signature header against the shared secret, and a custom interceptor reached without it will accept anything that can hit the listener.
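As an added example (not code from this page or from the Tekton project), here is the shape of the custom webhook interceptor the paragraph above refers to, in Go. It does the same filtering and overlaying as the CEL block in the EventListener further down, but with strings.ReplaceAll, so tags with any number of dot-separated parts work, and it refuses a tag that would not be a valid fragment of the PipelineRun name the template builds from it. The request/response contract (the EventListener POSTs the event, a 2xx body replaces the event body for the bindings, a non-2xx status stops the trigger), the listen address, and all identifiers in it are my assumptions; it is meant to sit behind the github interceptor, which is what verifies the webhook signature.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"regexp"
	"strings"
)

// Repository allow-list, copied from the CEL filter in the EventListener.
var allowedRepos = map[string]bool{
	"calproxy": true, "goproxy": true, "http-server": true,
	"statslogger": true, "vanity": true, "webstyle": true,
}

// The mangled tag is spliced into a resource name (z-<image>-<mangledtag>),
// so anything outside the DNS-1123 label alphabet is rejected rather than
// passed through from the webhook body.
var nameFragRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// pushEvent holds the fields of a GitHub push event the filter looks at.
type pushEvent struct {
	Ref        string `json:"ref"`
	Repository struct {
		Name string `json:"name"`
	} `json:"repository"`
}

// extensions mirrors the overlay keys the TriggerBinding reads as
// $(body.extensions.tag_name) and $(body.extensions.mangledtag).
type extensions struct {
	TagName    string `json:"tag_name"`
	MangledTag string `json:"mangledtag"`
}

var errSkip = errors.New("not a tag push for an allowed repository")
var errBadTag = errors.New("tag is not usable as a resource name fragment")

// filterAndOverlay returns the event body with an "extensions" object added,
// errSkip when the trigger should not fire, or another error for a bad event.
func filterAndOverlay(eventType string, body []byte) ([]byte, error) {
	if eventType != "push" {
		return nil, errSkip
	}
	var ev pushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, fmt.Errorf("decode push event: %w", err)
	}
	if !strings.HasPrefix(ev.Ref, "refs/tags/") || !allowedRepos[ev.Repository.Name] {
		return nil, errSkip
	}
	tag := strings.TrimPrefix(ev.Ref, "refs/tags/")
	// ReplaceAll covers any number of dots; the CEL overlay on the page only
	// works for exactly three dot-separated parts.
	mangled := strings.ToLower(strings.ReplaceAll(tag, ".", "-"))
	if len(mangled) > 40 || !nameFragRE.MatchString(mangled) {
		return nil, fmt.Errorf("%w: %q", errBadTag, tag)
	}
	// Decode generically so every original field (clone_url, ...) survives
	// for the TriggerBinding.
	var generic map[string]interface{}
	if err := json.Unmarshal(body, &generic); err != nil {
		return nil, fmt.Errorf("decode body: %w", err)
	}
	generic["extensions"] = extensions{TagName: tag, MangledTag: mangled}
	return json.Marshal(generic)
}

// interceptorHandler implements the assumed webhook-interceptor contract:
// the EventListener POSTs the event, a 2xx response body replaces the event
// body, and any non-2xx status stops the trigger. Signature checking is
// left to the github interceptor in front of this one.
func interceptorHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil {
		http.Error(w, "unreadable or oversized body", http.StatusBadRequest)
		return
	}
	out, err := filterAndOverlay(r.Header.Get("X-GitHub-Event"), body)
	switch {
	case errors.Is(err, errSkip):
		http.Error(w, err.Error(), http.StatusPreconditionFailed)
		return
	case err != nil:
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}

func main() {
	http.HandleFunc("/", interceptorHandler)
	log.Fatal(http.ListenAndServe(":8080", nil)) // assumed listen address
}
```

Run it as a Deployment plus Service in the build namespace and point a webhook interceptor entry at that Service, placed after the github interceptor in the trigger's interceptor list; the cel block then becomes unnecessary because the filter and both overlays are done here.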

It's supposed to be reusable, but I seriously doubt it.

example

event listener

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simple-el
spec:
  entryPoints:
    - https
  routes:
    - kind: Rule
      match: Host(`build.seankhliao.com`)
      services:
        - kind: Service
          name: el-simple-el
          namespace: build
          port: 8080
  tls: {}
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: simple-el
spec:
  # the listener creates resources as this account; scope it to what the TriggerTemplate creates
  serviceAccountName: tekton-triggers-admin
  triggers:
    - name: simple-container
      interceptors:
        # validates the webhook signature against the shared secret before anything else runs
        - github:
            secretRef:
              secretName: github-webhook-token
              secretKey: shared
            eventTypes: # left empty; the event type is checked in the cel filter below
        - cel:
            filter: "header.match('X-GitHub-Event', 'push') && (split(body.ref, '/')[1] == 'tags') && (body.repository.name in ['calproxy', 'goproxy', 'http-server', 'statslogger', 'vanity', 'webstyle'])"
            overlays:
              - key: extensions.tag_name
                expression: "split(body.ref, '/')[2]"
              # v1.2.3 -> v1-2-3; only works for exactly three dot-separated parts
              - key: extensions.mangledtag
                expression: "split(split(body.ref, '/')[2], '.')[0]+'-'+split(split(body.ref, '/')[2], '.')[1]+'-'+split(split(body.ref, '/')[2], '.')[2]"
      bindings:
        - name: simple-container
      template:
        name: simple-container

trigger binding

maps fields of the JSON event body (including the interceptor overlays under extensions) to named params

apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: simple-container
spec:
  params:
    # https://developer.github.com/v3/activity/events/types/#pushevent
    - name: url
      value: $(body.repository.clone_url)
    - name: revision
      value: $(body.extensions.tag_name)
    - name: image
      value: $(body.repository.name)
    - name: mangledtag
      value: $(body.extensions.mangledtag)

trigger template

apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: simple-container
spec:
  params:
    - name: url
      description: The git repository url
    - name: revision
      description: The git revision
    - name: image
      description: container image name
    - name: mangledtag
      description: used in naming
      default: $(uid)
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        # built from webhook-supplied values, so they must be valid name characters
        name: z-$(params.image)-$(params.mangledtag)
      spec:
        serviceAccountName: build-bot
        pipelineSpec:
          workspaces:
            - name: src
          tasks:
            - name: clone
              taskRef:
                name: git-clone
              params:
                - name: url
                  value: $(params.url)
                - name: revision
                  value: $(params.revision)
              workspaces:
                - name: src
                  workspace: src
            - name: build
              taskRef:
                name: kaniko
              runAfter:
                - clone
              params:
                - name: image
                  value: seankhliao/$(params.image)
                - name: tag
                  value: $(params.revision)
              workspaces:
                - name: src
                  workspace: src
        workspaces:
          - name: src
            # one claim shared by every run of this template; see the persistent volumes note above
            persistentVolumeClaim:
              claimName: simple-container
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: simple-container
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi