阿里雲Kubernetes服務上使用Tekton完成應用釋出初體驗

火鍋小仙女發表於2019-05-14

Tekton 是一個功能強大且靈活的 Kubernetes 原生開源框架,用於建立持續整合和交付(CI/CD)系統。透過抽象底層實現細節,使用者可以跨多雲平臺和本地系統進行構建、測試和部署。

本文是基於阿里雲Kubernetes服務部署Tekton Pipeline,並使用它完成原始碼拉取、應用打包、映象推送和應用部署的實踐過程。


阿里雲Kubernetes服務上使用Tekton完成應用釋出初體驗


Tekton Pipeline中有5類物件,核心理念是透過定義yaml定義構建過程.構建任務的狀態存放在status欄位中。

其中5類物件分別是:PipelineResouce、Task、TaskRun、Pipeline、PipelineRun。

Task是單個任務的構建過程,需要透過定義TaskRun任務去執行Task。

Pipeline包含多個Task,並在此基礎上定義input和output,input和output以PipelineResource作為交付。

PipelineResource是可用於input和output的物件集合。

同樣地,需要定義PipelineRun才會執行Pipeline。

1. 在阿里雲Kubernetes叢集中部署Tekton Pipeline

kubectl apply --filename 

檢視Tekton Pipelines元件是否執行正常:

$ kubectl -n tekton-pipelines get po
NAME                                                     READY   STATUS      RESTARTS   AGE
tekton-pipelines-controller-6bcd7ff5d6-vzmrh             1/1     Running     0          25h
tekton-pipelines-webhook-6856cf9c47-l6nj6                1/1     Running     0          25h

2. 建立Git Resource, Registry Resource

編輯  git-pipeline-resource.yaml  :

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: git-pipeline-resource
spec:
  type: git
  params:
    - name: revision
      value: tekton
    - name: url
      value: 

git repo的分支名稱為  tekton  。

編輯  registry-pipeline-resource.yaml  :

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: registry-pipeline-resource
spec:
  type: image
  params:
    - name: url
      value: registry.cn-hangzhou.aliyuncs.com/haoshuwei/tekton-demo

容器映象倉庫地址為  registry.cn-hangzhou.aliyuncs.com , 標籤為  latest

建立pipeline resource:

$ kubectl -n tekton-pipelines create -f git-pipeline-resource.yaml
$ kubectl -n tekton-pipelines create -f registry-pipeline-resource.yaml

檢視已建立的pipeline resource資源:

$ kubectl -n tekton-pipelines get PipelineResource
NAME                         AGE
git-pipeline-resource        2h
registry-pipeline-resource   2h

3. 建立Git Repo/Docker Registry Authentication

拉取私有git原始碼專案需要配置使用Git Repo Authentication;拉取和推送docker映象需要配置Docker Registry Authentication。在Tekton Pipeline中,Git Repo/Docker Registry Authentication會被定義成ServiceAccount來使用。

編輯 secret  tekton-basic-user-pass-git.yaml  :

apiVersion: v1
kind: Secret
metadata:
  name: tekton-basic-user-pass-git
  annotations:
    tekton.dev/git-0: 
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext non-encoded>
  password: <cleartext non-encoded>

編輯 secret  tekton-basic-user-pass-registry.yaml  :

apiVersion: v1
kind: Secret
metadata:
  name: tekton-basic-user-pass-registry
  annotations:
    tekton.dev/docker-0: 
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext non-encoded>
  password: <cleartext non-encoded>

編輯 serviceaccount  tekton-git-and-registry.yaml  :

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-git-and-registry
secrets:
  - name: tekton-basic-user-pass-git
  - name: tekton-basic-user-pass-registry

建立serviceaccount:

$ kubectl -n tekton-pipelines create -f tekton-basic-user-pass-git.yaml
$ kubectl -n tekton-pipelines create -f tekton-basic-user-pass-registry.yaml
$ kubectl -n tekton-pipelines create -f tekton-git-and-registry.yaml

檢視secret以及sa:

$ kubectl -n tekton-pipelines get secret
NAME                                      TYPE                                  DATA   AGE
default-token-pwncj                       kubernetes.io/service-account-token   3      25h
tekton-basic-user-pass-git                kubernetes.io/basic-auth              2      151m
tekton-basic-user-pass-registry           kubernetes.io/basic-auth              2      151m
tekton-git-and-registry-token-tr95m       kubernetes.io/service-account-token   3      151m
tekton-pipelines-controller-token-lc2fv   kubernetes.io/service-account-token   3      25h  
webhook-certs                             Opaque                                3      25h
$  kubectl -n tekton-pipelines get sa
NAME                          SECRETS   AGE
default                       1         25h
tekton-git-and-registry       3         152m
tekton-pipelines-controller   1         25h

4. 配置serviceaccount tekton-git-and-registry獲取名稱空間tekton-pipelines的管理許可權用於部署應用

建立ClusterRoleBinding  tekton-cluster-admin  :

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-cluster-admin
subjects:
  - kind: ServiceAccount
    name: tekton-git-and-registry
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

5. 建立一個Task

建立task  build-app.yaml  :

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-app
spec:
  inputs:
    resources:
      - name: java-demo
        type: git
    params:
      - name: pathToDockerFile
        description: The path to the dockerfile to build
        default: /workspace/java-demo/Dockerfile
      - name: pathToContext
        description: The build context used by Kaniko
        default: /workspace/java-dem
      - name: pathToYaml
        description: The path to teh manifest to apply
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-mvn-package
      image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-maven:3.3.9-jdk-8-alpine
      workingDir: /workspace/java-demo
      command:
        - mvn
      args:
        - package
        - -B
        - -DskipTests
    - name: build-docker-image
      image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-kaniko:0.6.0
      command:
        - kaniko
      args:
        - --dockerfile=${inputs.params.pathToDockerFile}
        - --destination=${outputs.resources.builtImage.url}
        - --context=${inputs.params.pathToContext}
    - name: deploy-app
      image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-kubectl:1.11.5
      command:
        - kubectl
      args:
        - apply
        - -f
        - ${inputs.params.pathToYaml}

6. 建立TaskRun執行任務

建立taskrun  build-app-task-run.yaml  :

apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-app-task-run
spec:
  serviceAccount: tekton-git-and-registry
  taskRef:
    name: build-app
  trigger:
    type: manual
  inputs:
    resources:
      - name: java-demo
        resourceRef:
          name: git-pipeline-resource
    params:
      - name: pathToDockerFile
        value: Dockerfile
      - name: pathToContext
        value: /workspace/java-demo
      - name: pathToYaml
        value: /workspace/java-demo/deployment.yaml
  outputs:
    resources:
      - name: builtImage
        resourceRef:
          name: registry-pipeline-resource

7. 檢視構建狀態以及日誌

檢視taskrun狀態:

$ kubectl -n tekton-pipelines get taskrun
NAME                 SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
build-app-task-run   Unknown     Pending   4s

檢視構建日誌:

$ kubectl -n tekton-pipelines get po
NAME                                           READY   STATUS    RESTARTS   AGE
build-app-task-run-pod-b8f890                  3/5     Running   0          75s
tekton-pipelines-controller-6bcd7ff5d6-vzmrh   1/1     Running   0          25h
tekton-pipelines-webhook-6856cf9c47-l6nj6      1/1     Running   0          25h
$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890
Error from server (BadRequest): a container name must be specified for pod build-app-task-run-pod-b8f890, choose one of:   [build-step-git-source-git-pipeline-resource-77l5v build-step-build-mvn-package build-step-build-docker-image build-step-deploy-app nop] or one of the init containers: [build-step-credential-initializer-8dsnm build-step-place-tools]

mvn build的日誌:

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890 -c build-step-build-mvn-package
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building jenkins-demo-web 1.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] Downloading: 
[INFO] Downloaded:  (8 KB at 7.3 KB/sec)
[INFO] Downloading: 
[INFO] Downloaded:  (9 KB at 26.7 KB/sec)
[INFO] Downloading: 
[INFO] Downloaded:  (30 KB at 61.3 KB/sec)
[INFO] Downloading: 
[INFO] Downloaded:  (15 KB at 45.3 KB/sec)
....

docker build的日誌:

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890 -c build-step-build-docker-image
INFO[0000] Downloading base image tomcat
2019/05/06 11:58:46 No matching credentials were found, falling back on anonymous
INFO[0003] Taking snapshot of full filesystem...
INFO[0003] Skipping paths under /builder/home, as it is a whitelisted directory
INFO[0003] Skipping paths under /builder/tools, as it is a whitelisted directory
INFO[0003] Skipping paths under /dev, as it is a whitelisted directory
INFO[0003] Skipping paths under /kaniko, as it is a whitelisted directory
INFO[0003] Skipping paths under /proc, as it is a whitelisted directory
INFO[0003] Skipping paths under /run/secrets/kubernetes.io/serviceaccount, as it is a whitelisted directory
INFO[0003] Skipping paths under /sys, as it is a whitelisted directory
INFO[0003] Skipping paths under /var/run, as it is a whitelisted directory
INFO[0003] Skipping paths under /workspace, as it is a whitelisted directory
INFO[0003] Using files from context: [/workspace/java-demo/target/demo.war]
INFO[0003] ADD target/demo.war /usr/local/tomcat/webapps/demo.war
INFO[0003] Taking snapshot of files...
...

app-deploy的日誌:

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-637855 -c build-step-deploy-app
deployment.extensions/jenkins-java-demo created
service/jenkins-java-demo created

taskrun的完成狀態為True則構建部署過程完成:

$ kubectl -n tekton-pipelines get taskrun
NAME                 SUCCEEDED   REASON   STARTTIME   COMPLETIONTIME
build-app-task-run   True                 4m          2m

8. 小結

Tekton Pipeline中任務模板可以拿來複用,而不需要重複定義,另外透過CRD重新定義CI/CD是一大亮點,初學者可能會覺得有些繞。

持續實驗持續更新中。


原文連結

本文為雲棲社群原創內容,未經允許不得轉載。


來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/69922229/viewspace-2644332/,如需轉載,請註明出處,否則將追究法律責任。

相關文章