tekton-usage.html (16512B)
<!DOCTYPE html>
<html lang="en">
<head>
<!-- Sep 03, 2024 -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Tektoncd usage and examples</title>
<meta name="author" content="Vincent Demeester" />
<meta name="keywords" content="article" />
<meta name="generator" content="Org Mode" />
<link rel='icon' type='image/x-icon' href='/images/favicon.ico'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/css/new.css' type='text/css'/>
<link rel='stylesheet' href='/css/syntax.css' type='text/css'/>
<link href='/index.xml' rel='alternate' type='application/rss+xml' title='Vincent Demeester' />
</head>
<body>
<main id="content" class="content">
<header>
<h1 class="title">Tektoncd usage and examples</h1>
<p class="subtitle" role="doc-subtitle">Playing with the cat’s project 🐱</p>
</header><div class="abstract" id="org91af7d5">
<p>
Let’s dig into some use cases and examples of <code>tektoncd/pipeline</code>. From secrets and
service accounts to real-life examples, let’s document <code>pipeline</code> usage, tips and tricks.
</p>

</div>

<nav id="table-of-contents" role="doc-toc">
<h2>Table of Contents</h2>
<div id="text-table-of-contents" role="doc-toc">
<ul>
<li><a href="#h:7b3bca36-78c1-44b4-96fe-b26332e195ed">What is Tektoncd ?</a></li>
<li><a href="#h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">Secrets</a>
<ul>
<li><a href="#h:8eb369c9-1987-4119-9b24-d3b1204dab15">Git credentials</a></li>
<li><a href="#h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">Registry credentials</a></li>
</ul>
</li>
<li><a href="#h:b0f52c83-e465-4733-9ba8-51d4c915fb25">Service account</a></li>
<li><a href="#h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">Using <code>kaniko</code></a>
<ul>
<li><a href="#h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">Volume for <code>kaniko</code>’s cache</a></li>
<li><a href="#h:7da25768-794e-48c1-b92a-603e1c0572b2">Resources</a></li>
<li><a href="#h:4d50a5ad-2748-4f28-b545-6bf1e6872463"><code>Task</code></a></li>
<li><a href="#h:f00592b2-a81b-43c4-a4fa-36959f515553"><code>Pipeline</code></a></li>
<li><a href="#h:9caacd24-1667-4268-9716-d967cab7c6f1"><code>PipelineRun</code></a></li>
</ul>
</li>
<li><a href="#h:eadc5b7a-797b-4da4-a543-3116612dfb4a"><span class="todo TODO">TODO</span> Deploy to a cluster</a>
<ul>
<li><a href="#h:90600634-74c2-4e04-b25c-b6665baac4d5"><span class="todo TODO">TODO</span> Same one, on another cluster</a></li>
<li><a href="#h:7aaedc77-4319-4223-9790-31353447ad48"><span class="todo TODO">TODO</span> Another one, thanks to cluster resources</a></li>
</ul>
</li>
<li><a href="#h:6fc85dd7-034c-4170-9b69-b84df9c976eb"><span class="todo TODO">TODO</span> Using <code>buildah</code></a></li>
<li><a href="#h:6c165f41-d642-480c-b841-541a89f95875"><span class="todo TODO">TODO</span> Using <code>helm</code></a></li>
</ul>
</div>
</nav>
<section id="outline-container-h:7b3bca36-78c1-44b4-96fe-b26332e195ed" class="outline-2">
<h2 id="h:7b3bca36-78c1-44b4-96fe-b26332e195ed">What
is Tektoncd ?</h2>
<div class="outline-text-2" id="text-h:7b3bca36-78c1-44b4-96fe-b26332e195ed">

<figure id="org75958c2">
<img src="images/tekton/tekton-horizontal-color.png" alt="tekton-horizontal-color.png" width="400/600px">

</figure>

<blockquote>
<p>
The Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD-style pipelines.
</p>
</blockquote>

<ul class="org-ul">
<li>Started as an experiment from <a href="https://github.com/knative">Knative</a> to define more advanced build use cases than
<a href="https://github.com/knative/build/"><code>knative/build</code></a> was able to handle.</li>
<li>Is now its own project and GitHub organization.</li>
</ul>
</div>
</section>
<section id="outline-container-h:dc6c7476-6df0-467b-a2fb-1512d300ef4c" class="outline-2">
<h2 id="h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">Secrets</h2>
<div class="outline-text-2" id="text-h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">
<p>
Most of the time, you’re gonna need to access private resources like git repositories,
image registries, ssh servers and clusters. We’ll dig into each of them but the gist is always the
same:
</p>

<ul class="org-ul">
<li>Create secrets that hold the credentials</li>
<li>Create service accounts that use those secrets</li>
<li>Attach those service accounts to the <code>PipelineRun</code>/<code>TaskRun</code></li>
</ul>

<div class='drawer note'>
<h6>Note</h6>
<p>
These work <b>exactly</b> the same as in <code>knative/build</code>. The docs are <a href="https://github.com/knative/docs/blob/master/docs/build/auth.md">here</a>.
</p>
</div>
</div>
<div id="outline-container-h:8eb369c9-1987-4119-9b24-d3b1204dab15" class="outline-3">
<h3 id="h:8eb369c9-1987-4119-9b24-d3b1204dab15">Git credentials</h3>
<div class="outline-text-3" id="text-h:8eb369c9-1987-4119-9b24-d3b1204dab15">
</div>
<div id="outline-container-h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313" class="outline-4">
<h4 id="h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313">Using ssh</h4>
<div class="outline-text-4" id="text-h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.com
    tekton.dev/git-1: gitlab.com
    tekton.dev/git-2: sr.ht
type: kubernetes.io/ssh-auth
data:
  # cat ~/.ssh/id_rsa | base64 -w 0
  ssh-privatekey: &lt;base64 encoded&gt;
  # This is non-standard, but its use is encouraged to make this more secure.
  # ssh-keyscan github.com | base64 -w 0
  known_hosts: &lt;base64 encoded&gt;
</pre>
</div>
</div>
</div>
<div id="outline-container-h:e54bf2cb-7ac1-449e-b7cb-25a036248b83" class="outline-4">
<h4 id="h:e54bf2cb-7ac1-449e-b7cb-25a036248b83">Using basic authentication</h4>
<div class="outline-text-4" id="text-h:e54bf2cb-7ac1-449e-b7cb-25a036248b83">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/git-0: https://github.com
    tekton.dev/git-1: https://gitlab.com
    # each annotation key must be unique, so the third host gets index 2
    tekton.dev/git-2: https://sr.ht
type: kubernetes.io/basic-auth
stringData:
  username: &lt;username&gt;
  password: &lt;password&gt;
</pre>
</div>
</div>
</div>
</div>
<div id="outline-container-h:f590bf9c-464d-4d31-a176-b7c9b7b9e168" class="outline-3">
<h3 id="h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">Registry credentials</h3>
<div class="outline-text-3"
id="text-h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">
</div>
<div id="outline-container-h:2813551c-f51a-4873-8d1d-7608d67e9711" class="outline-4">
<h4 id="h:2813551c-f51a-4873-8d1d-7608d67e9711">Using basic authentication</h4>
<div class="outline-text-4" id="text-h:2813551c-f51a-4873-8d1d-7608d67e9711">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://index.docker.io
    tekton.dev/docker-1: https://gcr.io
type: kubernetes.io/basic-auth
stringData:
  username: &lt;username&gt;
  password: &lt;password&gt;
</pre>
</div>
</div>
</div>
<div id="outline-container-h:b81a4552-743f-4c5d-80be-c1a896ba7ec7" class="outline-4">
<h4 id="h:b81a4552-743f-4c5d-80be-c1a896ba7ec7">Using kubernetes secret types</h4>
<div class="outline-text-4" id="text-h:b81a4552-743f-4c5d-80be-c1a896ba7ec7">
<p>
There are two specific secret types related to docker authentication, or more
accurately to docker configuration files (which hold the auth).
</p>

<ul class="org-ul">
<li><code>kubernetes.io/dockerconfigjson</code> (<code>$HOME/.docker/config.json</code>)</li>
<li><code>kubernetes.io/dockercfg</code> (<code>$HOME/.dockercfg</code>)</li>
</ul>

<div class="org-src-container">
<pre class="src src-bash">kubectl create secret generic regcred \
    --from-file=.dockerconfigjson=&lt;path/to/.docker/config.json&gt; \
    --type=kubernetes.io/dockerconfigjson
# kubectl create secret generic regcred --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson
</pre>
</div>

<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
data:
  .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
kind: Secret
metadata:
  ...
  name: regcred
  ...
type: kubernetes.io/dockerconfigjson
</pre>
</div>

<p>
Kubernetes documentation : <a href="https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/">Pull an Image from a Private Registry - Kubernetes</a>
</p>
</div>
</div>
</div>
</section>
<section id="outline-container-h:b0f52c83-e465-4733-9ba8-51d4c915fb25" class="outline-2">
<h2 id="h:b0f52c83-e465-4733-9ba8-51d4c915fb25">Service account</h2>
<div class="outline-text-2" id="text-h:b0f52c83-e465-4733-9ba8-51d4c915fb25">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: regcred
  - name: ssh-key
</pre>
</div>
</div>
</section>
<section id="outline-container-h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a" class="outline-2">
<h2 id="h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">Using <code>kaniko</code></h2>
<div class="outline-text-2" id="text-h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">
</div>
<div id="outline-container-h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833" class="outline-3">
<h3 id="h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">Volume for <code>kaniko</code>’s cache</h3>
<div class="outline-text-3" id="text-h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">
<div class="org-src-container">
<pre class="src src-yaml">kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: kaniko-cache-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
</pre>
</div>
</div>
</div>
<div id="outline-container-h:7da25768-794e-48c1-b92a-603e1c0572b2" class="outline-3">
<h3 id="h:7da25768-794e-48c1-b92a-603e1c0572b2">Resources</h3>
<div class="outline-text-3" id="text-h:7da25768-794e-48c1-b92a-603e1c0572b2">
<ul class="org-ul">
<li><p>
the <code>git</code> repository
</p>
<div class="org-src-container">
<pre
class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: private-go-hello
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: git@github.com:vdemeester/go-hello.git
</pre>
</div></li>

<li><p>
the <code>image</code> (s)
</p>
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: hello-image-res
spec:
  type: image
  params:
    - name: url
      description: The target URL
      value: docker.io/vdemeester/go-hello
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: bye-image-res
spec:
  type: image
  params:
    - name: url
      description: The target URL
      value: quay.io/rhdevelopers/vdemeest-go-bye
</pre>
</div></li>
</ul>
</div>
</div>
<div id="outline-container-h:4d50a5ad-2748-4f28-b545-6bf1e6872463" class="outline-3">
<h3 id="h:4d50a5ad-2748-4f28-b545-6bf1e6872463"><code>Task</code></h3>
<div class="outline-text-3" id="text-h:4d50a5ad-2748-4f28-b545-6bf1e6872463">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: kaniko-build-push
spec:
  inputs:
    resources:
      - name: src
        type: git
    params:
      - name: pathToDockerFile
        description: The path to the dockerfile to build (relative to the context)
        default: Dockerfile
      - name: pathToContext
        description:
          The path to the build context, used by Kaniko - within the workspace
          (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts).
          The git clone directory is set by the GIT init container which setup
          the git input resource - see https://github.com/knative/build-pipeline/blob/master/pkg/reconciler/v1alpha1/taskrun/resources/pod.go#L107
        default: .
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:debug
      command: ["/kaniko/executor"]
      args:
        - --dockerfile=${inputs.params.pathToDockerFile}
        - --destination=${outputs.resources.builtImage.url}
        - --context=/workspace/src/${inputs.params.pathToContext}
      volumeMounts:
        - name: kaniko-cache
          mountPath: /cache
  volumes:
    - name: kaniko-cache
      persistentVolumeClaim:
        claimName: kaniko-cache-pvc
</pre>
</div>
</div>
</div>
<div id="outline-container-h:f00592b2-a81b-43c4-a4fa-36959f515553" class="outline-3">
<h3 id="h:f00592b2-a81b-43c4-a4fa-36959f515553"><code>Pipeline</code></h3>
<div class="outline-text-3" id="text-h:f00592b2-a81b-43c4-a4fa-36959f515553">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
  name: kaniko
spec:
  resources:
    - name: src
      type: git
    - name: hello-image
      type: image
    - name: bye-image
      type: image
  tasks:
    - name: go-hello-image
      taskRef:
        name: kaniko-build-push
      params:
        - name: pathToContext
          value: hello
      resources:
        inputs:
          - name: src
            resource: src
        outputs:
          - name: builtImage
            resource: hello-image
    - name: go-bye-image
      taskRef:
        name: kaniko-build-push
      params:
        - name: pathToContext
          value: bye
      resources:
        inputs:
          - name: src
            resource: src
        outputs:
          - name: builtImage
            resource: bye-image
</pre>
</div>
</div>
</div>
<div id="outline-container-h:9caacd24-1667-4268-9716-d967cab7c6f1" class="outline-3">
<h3 id="h:9caacd24-1667-4268-9716-d967cab7c6f1"><code>PipelineRun</code></h3>
<div class="outline-text-3" id="text-h:9caacd24-1667-4268-9716-d967cab7c6f1">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: PipelineRun
metadata:
  name: kaniko-run
spec:
  pipelineRef:
    name: kaniko
  trigger:
    type: manual
  serviceAccount: build-bot
  resources:
    - name: src
      resourceRef:
        name: private-go-hello
    - name: hello-image
      resourceRef:
        name: hello-image-res
    - name: bye-image
      resourceRef:
        name: bye-image-res
</pre>
</div>
</div>
</div>
</section>
<section id="outline-container-h:eadc5b7a-797b-4da4-a543-3116612dfb4a" class="outline-2">
<h2 id="h:eadc5b7a-797b-4da4-a543-3116612dfb4a"><span class="todo TODO">TODO</span> Deploy to a cluster</h2>
<div class="outline-text-2" id="text-h:eadc5b7a-797b-4da4-a543-3116612dfb4a">
</div>
<div id="outline-container-h:90600634-74c2-4e04-b25c-b6665baac4d5" class="outline-3">
<h3 id="h:90600634-74c2-4e04-b25c-b6665baac4d5"><span class="todo TODO">TODO</span> Same one, on another cluster</h3>
<div class="outline-text-3" id="text-h:90600634-74c2-4e04-b25c-b6665baac4d5">
</div>
</div>
<div id="outline-container-h:7aaedc77-4319-4223-9790-31353447ad48" class="outline-3">
<h3 id="h:7aaedc77-4319-4223-9790-31353447ad48"><span class="todo TODO">TODO</span> Another one, thanks to cluster resources</h3>
<div class="outline-text-3" id="text-h:7aaedc77-4319-4223-9790-31353447ad48">
</div>
</div>
</section>
<section id="outline-container-h:6fc85dd7-034c-4170-9b69-b84df9c976eb" class="outline-2">
<h2 id="h:6fc85dd7-034c-4170-9b69-b84df9c976eb"><span class="todo TODO">TODO</span> Using <code>buildah</code></h2>
<div class="outline-text-2" id="text-h:6fc85dd7-034c-4170-9b69-b84df9c976eb">
</div>
</section>
<section id="outline-container-h:6c165f41-d642-480c-b841-541a89f95875" class="outline-2">
<h2 id="h:6c165f41-d642-480c-b841-541a89f95875"><span class="todo TODO">TODO</span> Using <code>helm</code></h2>
<div class="outline-text-2" id="text-h:6c165f41-d642-480c-b841-541a89f95875">
</div>
</section>
</main>
<footer id="postamble" class="status">
<footer>
<small><a href="/" rel="history">Index</a> • <a href="/sitemap.html">Sitemap</a> • <a href="https://dl.sbr.pm/">Files</a></small><br/>
<small class='questions'>Questions, comments ? Please use my <a href="https://lists.sr.ht/~vdemeester/public-inbox">public inbox</a> by sending a plain-text email to <a href="mailto:~vdemeester/public-inbox@lists.sr.ht">~vdemeester/public-inbox@lists.sr.ht</a>.</small><br/>
<small class='copyright'>
Content and design by Vincent Demeester
(<a rel='licence' href='http://creativecommons.org/licenses/by-nc-sa/3.0/'>Some rights reserved</a>)
</small><br />
</footer>
</footer>
</body>
</html>
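<p>
The three-step wiring from the Secrets and Service account sections (credential secrets, a service account listing them, the run using that account) can be checked before a run is started. The audit below is an added example, not part of the original page or of the Tekton project: it works on objects shaped like <code>kubectl get -o json</code> output, the function name <code>audit</code>, the <code>deploy-key</code> secret and the <code>git.example.test</code> host are constructed for illustration, and the https-only rule for basic-auth targets is this example's own policy, modelled on the https URLs the page uses.
</p>

```python
import re

# Secret types used on this page.
ANNOTATED = {"kubernetes.io/ssh-auth", "kubernetes.io/basic-auth"}
DOCKER_FILES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}
TEKTON_KEY = re.compile(r"^tekton\.dev/(git|docker)-\d+$")

def audit(service_account, secrets):
    """List findings for one ServiceAccount and the Secrets of its namespace."""
    by_name = {s["metadata"]["name"]: s for s in secrets}
    findings = []
    for ref in service_account.get("secrets", []):
        name = ref["name"]
        secret = by_name.get(name)
        if secret is None:
            findings.append(f"{name}: referenced but no such Secret")
            continue
        stype = secret.get("type", "Opaque")
        if stype in DOCKER_FILES:
            continue  # whole docker config file; the page's regcred has no annotations
        if stype not in ANNOTATED:
            findings.append(f"{name}: type {stype} is not one of the page's credential types")
            continue
        notes = secret["metadata"].get("annotations") or {}
        targets = {k: v for k, v in notes.items() if TEKTON_KEY.match(k)}
        if not targets:
            findings.append(f"{name}: no tekton.dev/git-N or tekton.dev/docker-N annotation")
        keys = set(secret.get("data") or {}) | set(secret.get("stringData") or {})
        if stype == "kubernetes.io/ssh-auth" and "known_hosts" not in keys:
            findings.append(f"{name}: ssh-auth without known_hosts")
        if stype == "kubernetes.io/basic-auth":
            for key, url in sorted(targets.items()):
                if not url.startswith("https://"):
                    findings.append(f"{name}: {key} is not an https:// URL ({url})")
    return findings

# Constructed sample objects (not real credentials), shaped like `kubectl get -o json` items.
SAMPLE_SA = {"metadata": {"name": "build-bot"},
             "secrets": [{"name": "regcred"}, {"name": "ssh-key"},
                         {"name": "basic-user-pass"}, {"name": "deploy-key"}]}
SAMPLE_SECRETS = [
    {"metadata": {"name": "regcred"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": "e30="}},
    {"metadata": {"name": "ssh-key",
                  "annotations": {"tekton.dev/git-0": "github.com"}},
     "type": "kubernetes.io/ssh-auth", "data": {"ssh-privatekey": "Y29uc3RydWN0ZWQ="}},
    {"metadata": {"name": "basic-user-pass",
                  "annotations": {"tekton.dev/git-0": "http://git.example.test"}},
     "type": "kubernetes.io/basic-auth", "data": {"username": "dQ==", "password": "cA=="}},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SA, SAMPLE_SECRETS)))
```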