阿里雲Kubernetes服務上使用Tekton完成應用發佈初體驗

時間 2019-12-13

標籤阿里 kubernetes 服務使用 tekton 完成應用發佈體驗欄目阿里巴巴简体版

原文原文鏈接

Tekton 是一個功能強大且靈活的 Kubernetes 原生開源框架，用於建立持續集成和交付（CI/CD）系統。經過抽象底層實現細節，用戶能夠跨多雲平臺和本地系統進行構建、測試和部署。java

本文是基於阿里雲Kubernetes服務部署Tekton Pipeline，並使用它完成源碼拉取、應用打包、鏡像推送和應用部署的實踐過程。git

Tekton Pipeline中有5類對象,核心理念是經過定義yaml定義構建過程.構建任務的狀態存放在status字段中。web

其中5類對象分別是：PipelineResouce、Task、TaskRun、Pipeline、PipelineRun。docker

Task是單個任務的構建過程,須要經過定義TaskRun任務去運行Task。apache

Pipeline包含多個Task,並在此基礎上定義input和output,input和output以PipelineResource做爲交付。api

PipelineResource是可用於input和output的對象集合。tomcat

一樣地,須要定義PipelineRun纔會運行Pipeline。app

在阿里雲Kubernetes集羣中部署Tekton Pipeline

kubectl apply --filename https://storage.googleapis.co...
查看Tekton Pipelines組件是否運行正常：框架

$ kubectl -n tekton-pipelines get po
NAME                                                     READY   STATUS      RESTARTS   AGE
tekton-pipelines-controller-6bcd7ff5d6-vzmrh             1/1     Running     0          25h
tekton-pipelines-webhook-6856cf9c47-l6nj6                1/1     Running     0          25h

建立Git Resource， Registry Resource

編輯 git-pipeline-resource.yaml :webapp

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: git-pipeline-resource
spec:
  type: git
  params:
    - name: revision
      value: tekton
    - name: url
      value: https://code.aliyun.com/haoshuwei/jenkins-demo.git

git repo的分支名稱爲 tekton 。

編輯 registry-pipeline-resource.yaml :

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: registry-pipeline-resource
spec:
  type: image
  params:
    - name: url
      value: registry.cn-hangzhou.aliyuncs.com/haoshuwei/tekton-demo

容器鏡像倉庫地址爲 registry.cn-hangzhou.aliyuncs.com/haoshuwei/tekton-demo，標籤爲 latest

建立pipeline resource：

$ kubectl -n tekton-pipelines create -f git-pipeline-resource.yaml
$ kubectl -n tekton-pipelines create -f registry-pipeline-resource.yaml
查看已建立的pipeline resource資源：

$ kubectl -n tekton-pipelines get PipelineResource
NAME AGE
git-pipeline-resource 2h
registry-pipeline-resource 2h

建立Git Repo/Docker Registry Authentication

拉取私有git源碼項目須要配置使用Git Repo Authentication；拉取和推送docker鏡像須要配置Docker Registry Authentication。在Tekton Pipeline中，Git Repo/Docker Registry Authentication會被定義成ServiceAccount來使用。

編輯 secret tekton-basic-user-pass-git.yaml :

apiVersion: v1
kind: Secret
metadata:
name: tekton-basic-user-pass-git
annotations:

tekton.dev/git-0: https://code.aliyun.com

type: kubernetes.io/basic-auth
stringData:
username: <cleartext non-encoded>
password: <cleartext non-encoded>
編輯 secret tekton-basic-user-pass-registry.yaml :

apiVersion: v1
kind: Secret
metadata:
name: tekton-basic-user-pass-registry
annotations:

tekton.dev/docker-0: https://registry.cn-hangzhou.aliyuncs.com

type: kubernetes.io/basic-auth
stringData:
username: <cleartext non-encoded>
password: <cleartext non-encoded>
編輯 serviceaccount tekton-git-and-registry.yaml :

apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-git-and-registry
secrets:

name: tekton-basic-user-pass-git
name: tekton-basic-user-pass-registry

建立serviceaccount：

$ kubectl -n tekton-pipelines create -f tekton-basic-user-pass-git.yaml
$ kubectl -n tekton-pipelines create -f tekton-basic-user-pass-registry.yaml
$ kubectl -n tekton-pipelines create -f tekton-git-and-registry.yaml
查看secret以及sa：

$ kubectl -n tekton-pipelines get secret
NAME TYPE DATA AGE
default-token-pwncj kubernetes.io/service-account-token 3 25h
tekton-basic-user-pass-git kubernetes.io/basic-auth 2 151m
tekton-basic-user-pass-registry kubernetes.io/basic-auth 2 151m
tekton-git-and-registry-token-tr95m kubernetes.io/service-account-token 3 151m
tekton-pipelines-controller-token-lc2fv kubernetes.io/service-account-token 3 25h
webhook-certs Opaque 3 25h
$ kubectl -n tekton-pipelines get sa
NAME SECRETS AGE
default 1 25h
tekton-git-and-registry 3 152m
tekton-pipelines-controller 1 25h

配置serviceaccount tekton-git-and-registry獲取命名空間tekton-pipelines的管理權限用於部署應用

建立ClusterRoleBinding tekton-cluster-admin :

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-cluster-admin
subjects:

kind: ServiceAccount
name: tekton-git-and-registry
namespace: tekton-pipelines

roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io

建立一個Task

建立task build-app.yaml :

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
name: build-app
spec:
inputs:

resources:
  - name: java-demo
    type: git
params:
  - name: pathToDockerFile
    description: The path to the dockerfile to build
    default: /workspace/java-demo/Dockerfile
  - name: pathToContext
    description: The build context used by Kaniko
    default: /workspace/java-dem
  - name: pathToYaml
    description: The path to teh manifest to apply

outputs:

resources:
  - name: builtImage
    type: image

steps:

- name: build-mvn-package
  image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-maven:3.3.9-jdk-8-alpine
  workingDir: /workspace/java-demo
  command:
    - mvn
  args:
    - package
    - -B
    - -DskipTests
- name: build-docker-image
  image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-kaniko:0.6.0
  command:
    - kaniko
  args:
    - --dockerfile=${inputs.params.pathToDockerFile}
    - --destination=${outputs.resources.builtImage.url}
    - --context=${inputs.params.pathToContext}
- name: deploy-app
  image: registry.cn-beijing.aliyuncs.com/acs-sample/jenkins-slave-kubectl:1.11.5
  command:
    - kubectl
  args:
    - apply
    - -f
    - ${inputs.params.pathToYaml}

建立TaskRun運行任務

建立taskrun build-app-task-run.yaml :

apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
name: build-app-task-run
spec:
serviceAccount: tekton-git-and-registry
taskRef:

name: build-app

trigger:

type: manual

inputs:

resources:
  - name: java-demo
    resourceRef:
      name: git-pipeline-resource
params:
  - name: pathToDockerFile
    value: Dockerfile
  - name: pathToContext
    value: /workspace/java-demo
  - name: pathToYaml
    value: /workspace/java-demo/deployment.yaml

outputs:

resources:
  - name: builtImage
    resourceRef:
      name: registry-pipeline-resource

查看構建狀態以及日誌

查看taskrun狀態：

$ kubectl -n tekton-pipelines get taskrun
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
build-app-task-run Unknown Pending 4s
查看構建日誌：

$ kubectl -n tekton-pipelines get po
NAME READY STATUS RESTARTS AGE
build-app-task-run-pod-b8f890 3/5 Running 0 75s
tekton-pipelines-controller-6bcd7ff5d6-vzmrh 1/1 Running 0 25h
tekton-pipelines-webhook-6856cf9c47-l6nj6 1/1 Running 0 25h
$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890
Error from server (BadRequest): a container name must be specified for pod build-app-task-run-pod-b8f890, choose one of: [build-step-git-source-git-pipeline-resource-77l5v build-step-build-mvn-package build-step-build-docker-image build-step-deploy-app nop] or one of the init containers: [build-step-credential-initializer-8dsnm build-step-place-tools]
mvn build的日誌:

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890 -c build-step-build-mvn-package
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building jenkins-demo-web 1.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] Downloading: https://repo.maven.apache.org...
[INFO] Downloaded: https://repo.maven.apache.org... (8 KB at 7.3 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org...
[INFO] Downloaded: https://repo.maven.apache.org... (9 KB at 26.7 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org...
[INFO] Downloaded: https://repo.maven.apache.org... (30 KB at 61.3 KB/sec)
[INFO] Downloading: https://repo.maven.apache.org...
[INFO] Downloaded: https://repo.maven.apache.org... (15 KB at 45.3 KB/sec)
....
docker build的日誌：

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-b8f890 -c build-step-build-docker-image
INFO[0000] Downloading base image tomcat
2019/05/06 11:58:46 No matching credentials were found, falling back on anonymous
INFO[0003] Taking snapshot of full filesystem...
INFO[0003] Skipping paths under /builder/home, as it is a whitelisted directory
INFO[0003] Skipping paths under /builder/tools, as it is a whitelisted directory
INFO[0003] Skipping paths under /dev, as it is a whitelisted directory
INFO[0003] Skipping paths under /kaniko, as it is a whitelisted directory
INFO[0003] Skipping paths under /proc, as it is a whitelisted directory
INFO[0003] Skipping paths under /run/secrets/kubernetes.io/serviceaccount, as it is a whitelisted directory
INFO[0003] Skipping paths under /sys, as it is a whitelisted directory
INFO[0003] Skipping paths under /var/run, as it is a whitelisted directory
INFO[0003] Skipping paths under /workspace, as it is a whitelisted directory
INFO[0003] Using files from context: [/workspace/java-demo/target/demo.war]
INFO[0003] ADD target/demo.war /usr/local/tomcat/webapps/demo.war
INFO[0003] Taking snapshot of files...
...
app-deploy的日誌：

$ kubectl -n tekton-pipelines logs -f build-app-task-run-pod-637855 -c build-step-deploy-app
deployment.extensions/jenkins-java-demo created
service/jenkins-java-demo created
taskrun的完成狀態爲True則構建部署過程完成：

$ kubectl -n tekton-pipelines get taskrun
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
build-app-task-run True 4m 2m