www

My personal website(s)

tekton-usage.html (16512B)


      1 <!DOCTYPE html>
      2 <html lang="en">
      3 <head>
      4 <!-- Sep 03, 2024 -->
      5 <meta charset="utf-8" />
      6 <meta name="viewport" content="width=device-width, initial-scale=1" />
      7 <title>Tektoncd usage and examples</title>
      8 <meta name="author" content="Vincent Demeester" />
      9 <meta name="keywords" content="article" />
     10 <meta name="generator" content="Org Mode" />
     11 <link rel='icon' type='image/x-icon' href='/images/favicon.ico'/>
     12 <meta name='viewport' content='width=device-width, initial-scale=1'>
     13 <link rel='stylesheet' href='/css/new.css' type='text/css'/>
     14 <link rel='stylesheet' href='/css/syntax.css' type='text/css'/>
     15 <link href='/index.xml' rel='alternate' type='application/rss+xml' title='Vincent Demeester' />
     16 </head>
     17 <body>
     18 <main id="content" class="content">
     19 <header>
     20 <h1 class="title">Tektoncd usage and examples</h1>
     21 <p class="subtitle" role="doc-subtitle">Playing with the cat&rsquo;s project 🐱</p>
     22 </header><div class="abstract" id="org91af7d5">
     23 <p>
     24 Let&rsquo;s dig into some use cases and examples of <code>tektoncd/pipeline</code>. From secrets and
     25 service accounts to real-life examples, let&rsquo;s document <code>pipeline</code> usage, tips and tricks.
     26 </p>
     27 
     28 </div>
     29 
     30 <nav id="table-of-contents" role="doc-toc">
     31 <h2>Table of Contents</h2>
     32 <div id="text-table-of-contents" role="doc-toc">
     33 <ul>
     34 <li><a href="#h:7b3bca36-78c1-44b4-96fe-b26332e195ed">What is Tektoncd ?</a></li>
     35 <li><a href="#h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">Secrets</a>
     36 <ul>
     37 <li><a href="#h:8eb369c9-1987-4119-9b24-d3b1204dab15">Git credentials</a></li>
     38 <li><a href="#h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">Registry credentials</a></li>
     39 </ul>
     40 </li>
     41 <li><a href="#h:b0f52c83-e465-4733-9ba8-51d4c915fb25">Service account</a></li>
     42 <li><a href="#h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">Using <code>kaniko</code></a>
     43 <ul>
     44 <li><a href="#h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">Volume for <code>kaniko</code>&rsquo;s cache</a></li>
     45 <li><a href="#h:7da25768-794e-48c1-b92a-603e1c0572b2">Resources</a></li>
     46 <li><a href="#h:4d50a5ad-2748-4f28-b545-6bf1e6872463"><code>Task</code></a></li>
     47 <li><a href="#h:f00592b2-a81b-43c4-a4fa-36959f515553"><code>Pipeline</code></a></li>
     48 <li><a href="#h:9caacd24-1667-4268-9716-d967cab7c6f1"><code>PipelineRun</code></a></li>
     49 </ul>
     50 </li>
     51 <li><a href="#h:eadc5b7a-797b-4da4-a543-3116612dfb4a"><span class="todo TODO">TODO</span> Deploy to a cluster</a>
     52 <ul>
     53 <li><a href="#h:90600634-74c2-4e04-b25c-b6665baac4d5"><span class="todo TODO">TODO</span> Same one, on another cluster</a></li>
     54 <li><a href="#h:7aaedc77-4319-4223-9790-31353447ad48"><span class="todo TODO">TODO</span> Another one, thanks to cluster resources</a></li>
     55 </ul>
     56 </li>
     57 <li><a href="#h:6fc85dd7-034c-4170-9b69-b84df9c976eb"><span class="todo TODO">TODO</span> Using <code>buildah</code></a></li>
     58 <li><a href="#h:6c165f41-d642-480c-b841-541a89f95875"><span class="todo TODO">TODO</span> Using <code>helm</code></a></li>
     59 </ul>
     60 </div>
     61 </nav>
     62 <section id="outline-container-h:7b3bca36-78c1-44b4-96fe-b26332e195ed" class="outline-2">
     63 <h2 id="h:7b3bca36-78c1-44b4-96fe-b26332e195ed">What is Tektoncd ?</h2>
     64 <div class="outline-text-2" id="text-h:7b3bca36-78c1-44b4-96fe-b26332e195ed">
     65 
     66 <figure id="org75958c2">
     67 <img src="images/tekton/tekton-horizontal-color.png" alt="tekton-horizontal-color.png" width="400/600px">
     68 
     69 </figure>
     70 
     71 <blockquote>
     72 <p>
     73 The Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD-style pipelines.
     74 </p>
     75 </blockquote>
     76 
     77 <ul class="org-ul">
     78 <li>Started as an experiment from <a href="https://github.com/knative">Knative</a> to define more advanced build use cases than
     79 <a href="https://github.com/knative/build/"><code>knative/build</code></a> was able to.</li>
     80 <li>Is now its own project and GitHub organization.</li>
     81 </ul>
     82 </div>
     83 </section>
     84 <section id="outline-container-h:dc6c7476-6df0-467b-a2fb-1512d300ef4c" class="outline-2">
     85 <h2 id="h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">Secrets</h2>
     86 <div class="outline-text-2" id="text-h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">
     87 <p>
     88 Most of the time, you&rsquo;re gonna need to access private resources like git repositories,
     89 image registries, ssh servers and clusters. We&rsquo;ll dig into each of them but the gist is always the
     90 same :
     91 </p>
     92 
     93 <ul class="org-ul">
     94 <li>Create secrets that hold the credentials</li>
     95 <li>Create service accounts that use those secrets</li>
     96 <li>Attach those service accounts to the <code>PipelineRun</code>/<code>TaskRun</code></li>
     97 </ul>
     98 
     99 <div class='drawer note'>
    100 <h6>Note</h6>
    101 <p>
    102 These work <b>exactly</b> the same as in <code>knative/build</code>. The docs are <a href="https://github.com/knative/docs/blob/master/docs/build/auth.md">here</a>.
    103 </p>
    104 </div>
    105 </div>
    106 <div id="outline-container-h:8eb369c9-1987-4119-9b24-d3b1204dab15" class="outline-3">
    107 <h3 id="h:8eb369c9-1987-4119-9b24-d3b1204dab15">Git credentials</h3>
    108 <div class="outline-text-3" id="text-h:8eb369c9-1987-4119-9b24-d3b1204dab15">
    109 </div>
    110 <div id="outline-container-h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313" class="outline-4">
    111 <h4 id="h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313">Using ssh</h4>
    112 <div class="outline-text-4" id="text-h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313">
    113 <div class="org-src-container">
    114 <pre class="src src-yaml">apiVersion: v1
    115 kind: Secret
    116 metadata:
    117   name: ssh-key
    118   annotations:
    119     tekton.dev/git-0: github.com
    120     tekton.dev/git-1: gitlab.com
    121     tekton.dev/git-2: sr.ht
    122 type: kubernetes.io/ssh-auth
    123 data:
    124   # cat ~/.ssh/id_rsa | base64 -w 0
    125   ssh-privatekey: &lt;base64 encoded&gt;
    126   # This is non-standard, but its use is encouraged to make this more secure.
    127   # ssh-keyscan github.com | base64 -w 0
    128   known_hosts: &lt;base64 encoded&gt;
    129 </pre>
    130 </div>
    131 </div>
    132 </div>
    133 <div id="outline-container-h:e54bf2cb-7ac1-449e-b7cb-25a036248b83" class="outline-4">
    134 <h4 id="h:e54bf2cb-7ac1-449e-b7cb-25a036248b83">Using basic authentication</h4>
    135 <div class="outline-text-4" id="text-h:e54bf2cb-7ac1-449e-b7cb-25a036248b83">
    136 <div class="org-src-container">
    137 <pre class="src src-yaml">apiVersion: v1
    138 kind: Secret
    139 metadata:
    140   name: basic-user-pass
    141   annotations:
    142     tekton.dev/git-0: https://github.com
    143     tekton.dev/git-1: https://gitlab.com
    144     tekton.dev/git-2: https://sr.ht
    145 type: kubernetes.io/basic-auth
    146 stringData:
    147   username: &lt;username&gt;
    148   password: &lt;password&gt;
    149 </pre>
    150 </div>
    151 </div>
    152 </div>
    153 </div>
    154 <div id="outline-container-h:f590bf9c-464d-4d31-a176-b7c9b7b9e168" class="outline-3">
    155 <h3 id="h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">Registry credentials</h3>
    156 <div class="outline-text-3" id="text-h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">
    157 </div>
    158 <div id="outline-container-h:2813551c-f51a-4873-8d1d-7608d67e9711" class="outline-4">
    159 <h4 id="h:2813551c-f51a-4873-8d1d-7608d67e9711">Using basic authentication</h4>
    160 <div class="outline-text-4" id="text-h:2813551c-f51a-4873-8d1d-7608d67e9711">
    161 <div class="org-src-container">
    162 <pre class="src src-yaml">apiVersion: v1
    163 kind: Secret
    164 metadata:
    165   name: basic-user-pass
    166   annotations:
    167     tekton.dev/docker-0: https://index.docker.io
    168     tekton.dev/docker-1: https://gcr.io
    169 type: kubernetes.io/basic-auth
    170 stringData:
    171   username: &lt;username&gt;
    172   password: &lt;password&gt;
    173 </pre>
    174 </div>
    175 </div>
    176 </div>
    177 <div id="outline-container-h:b81a4552-743f-4c5d-80be-c1a896ba7ec7" class="outline-4">
    178 <h4 id="h:b81a4552-743f-4c5d-80be-c1a896ba7ec7">Using kubernetes secret types</h4>
    179 <div class="outline-text-4" id="text-h:b81a4552-743f-4c5d-80be-c1a896ba7ec7">
    180 <p>
    181 There are two specific secret types related to docker authentication, or more
    182 accurately to docker configuration files (which hold the auth).
    183 </p>
    184 
    185 <ul class="org-ul">
    186 <li><code>kubernetes.io/dockerconfigjson</code> (<code>$HOME/.docker/config.json</code>)</li>
    187 <li><code>kubernetes.io/dockercfg</code> (<code>$HOME/.dockercfg</code>)</li>
    188 </ul>
    189 
    190 <div class="org-src-container">
    191 <pre class="src src-bash">kubectl create secret generic regcred \
    192     --from-file=.dockerconfigjson=&lt;path/to/.docker/config.json&gt; \
    193     --type=kubernetes.io/dockerconfigjson
    194 # kubectl create secret generic regcred --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson
    195 </pre>
    196 </div>
    197 
    198 <div class="org-src-container">
    199 <pre class="src src-yaml">apiVersion: v1
    200 data:
    201   .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
    202 kind: Secret
    203 metadata:
    204   ...
    205   name: regcred
    206   ...
    207 type: kubernetes.io/dockerconfigjson
    208 </pre>
    209 </div>
    210 
    211 <p>
    212 Kubernetes documentation : <a href="https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/">Pull an Image from a Private Registry - Kubernetes</a>
    213 </p>
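<p>
Added example, not part of the original page: a workstation <code>$HOME/.docker/config.json</code> often holds credentials for registries the build never pushes to, or empty entries backed by a credential helper that does not exist in a pod. This Python sketch (constructed sample config, hypothetical helper names) keeps only the registries the pipeline needs and renders the <code>kubernetes.io/dockerconfigjson</code> Secret from that reduced file.
</p>

```python
import base64
import json

# Constructed sample of a workstation ~/.docker/config.json (not from the page).
SAMPLE_CONFIG = {
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"bot:constructed-token").decode()},
        "quay.io": {
            "auth": base64.b64encode(b"me:constructed-personal-token").decode()},
        "gcr.io": {},  # empty entry: the credential lives in an external helper
    },
    "credsStore": "desktop",
}


def registry_host(key):
    """Reduce an auths key such as https://index.docker.io/v1/ to its host."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()


def minimal_docker_config(config, wanted_hosts):
    """Keep only inline credentials for the registries the pipeline uses.

    Returns (reduced config, helper-backed hosts, hosts absent from config).
    """
    wanted = {h.lower() for h in wanted_hosts}
    kept, unusable = {}, []
    for key, entry in config.get("auths", {}).items():
        host = registry_host(key)
        if host not in wanted:
            continue  # credential the build does not need: leave it out
        if entry.get("auth"):
            kept[key] = entry
        else:
            unusable.append(host)  # nothing inline, so useless in-cluster
    missing = sorted(wanted - {registry_host(k) for k in kept} - set(unusable))
    # credsStore / credHelpers are dropped: no helper binary runs in the pod.
    return {"auths": kept}, sorted(unusable), missing


def secret_manifest(name, docker_config):
    """Render a kubernetes.io/dockerconfigjson Secret as a dict."""
    payload = json.dumps(docker_config, sort_keys=True).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


if __name__ == "__main__":
    cfg, unusable, missing = minimal_docker_config(
        SAMPLE_CONFIG, ["index.docker.io", "gcr.io"])
    print(json.dumps(secret_manifest("regcred", cfg), indent=2))
    print("no inline credential (helper-backed):", unusable)
    print("not present in config:", missing)
```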
    214 </div>
    215 </div>
    216 </div>
    217 </section>
    218 <section id="outline-container-h:b0f52c83-e465-4733-9ba8-51d4c915fb25" class="outline-2">
    219 <h2 id="h:b0f52c83-e465-4733-9ba8-51d4c915fb25">Service account</h2>
    220 <div class="outline-text-2" id="text-h:b0f52c83-e465-4733-9ba8-51d4c915fb25">
    221 <div class="org-src-container">
    222 <pre class="src src-yaml">apiVersion: v1
    223 kind: ServiceAccount
    224 metadata:
    225   name: build-bot
    226 secrets:
    227   - name: regcred
    228   - name: ssh-key
    229 </pre>
    230 </div>
    231 </div>
    232 </section>
    233 <section id="outline-container-h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a" class="outline-2">
    234 <h2 id="h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">Using <code>kaniko</code></h2>
    235 <div class="outline-text-2" id="text-h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">
    236 </div>
    237 <div id="outline-container-h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833" class="outline-3">
    238 <h3 id="h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">Volume for <code>kaniko</code>&rsquo;s cache</h3>
    239 <div class="outline-text-3" id="text-h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">
    240 <div class="org-src-container">
    241 <pre class="src src-yaml">kind: PersistentVolumeClaim
    242 apiVersion: v1
    243 metadata:
    244   name: kaniko-cache-pvc
    245 spec:
    246   accessModes:
    247     - ReadWriteOnce
    248   resources:
    249     requests:
    250       storage: 8Gi
    251 </pre>
    252 </div>
    253 </div>
    254 </div>
    255 <div id="outline-container-h:7da25768-794e-48c1-b92a-603e1c0572b2" class="outline-3">
    256 <h3 id="h:7da25768-794e-48c1-b92a-603e1c0572b2">Resources</h3>
    257 <div class="outline-text-3" id="text-h:7da25768-794e-48c1-b92a-603e1c0572b2">
    258 <ul class="org-ul">
    259 <li><p>
    260 the <code>git</code> repository
    261 </p>
    262 <div class="org-src-container">
    263 <pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
    264 kind: PipelineResource
    265 metadata:
    266   name: private-go-hello
    267 spec:
    268   type: git
    269   params:
    270     - name: revision
    271       value: master
    272     - name: url
    273       value: git@github.com:vdemeester/go-hello.git
    274 </pre>
    275 </div></li>
    276 
    277 <li><p>
    278 the <code>image</code> (s)
    279 </p>
    280 <div class="org-src-container">
    281 <pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
    282 kind: PipelineResource
    283 metadata:
    284   name: hello-image-res
    285 spec:
    286   type: image
    287   params:
    288     - name: url
    289       description: The target URL
    290       value: docker.io/vdemeester/go-hello
    291 ---
    292 apiVersion: tekton.dev/v1alpha1
    293 kind: PipelineResource
    294 metadata:
    295   name: bye-image-res
    296 spec:
    297   type: image
    298   params:
    299     - name: url
    300       description: The target URL
    301       value: quay.io/rhdevelopers/vdemeest-go-bye
    302 </pre>
    303 </div></li>
    304 </ul>
    305 </div>
    306 </div>
    307 <div id="outline-container-h:4d50a5ad-2748-4f28-b545-6bf1e6872463" class="outline-3">
    308 <h3 id="h:4d50a5ad-2748-4f28-b545-6bf1e6872463"><code>Task</code></h3>
    309 <div class="outline-text-3" id="text-h:4d50a5ad-2748-4f28-b545-6bf1e6872463">
    310 <div class="org-src-container">
    311 <pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
    312 kind: Task
    313 metadata:
    314   name: kaniko-build-push
    315 spec:
    316   inputs:
    317     resources:
    318     - name: src
    319       type: git
    320     params:
    321     - name: pathToDockerFile
    322       description: The path to the dockerfile to build (relative to the context)
    323       default: Dockerfile
    324     - name: pathToContext
    325       description:
    326         The path to the build context, used by Kaniko - within the workspace
    327         (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts).
    328         The git clone directory is set by the GIT init container which setup
    329         the git input resource - see https://github.com/knative/build-pipeline/blob/master/pkg/reconciler/v1alpha1/taskrun/resources/pod.go#L107
    330       default: .
    331   outputs:
    332     resources:
    333       - name: builtImage
    334         type: image
    335   steps:
    336   - name: build-and-push
    337     image: gcr.io/kaniko-project/executor:debug
    338     command: ["/kaniko/executor"]
    339     args:
    340     - --dockerfile=${inputs.params.pathToDockerFile}
    341     - --destination=${outputs.resources.builtImage.url}
    342     - --context=/workspace/src/${inputs.params.pathToContext}
    343     volumeMounts:
    344     - name: kaniko-cache
    345       mountPath: /cache
    346   volumes:
    347   - name: kaniko-cache
    348     persistentVolumeClaim:
    349       claimName: kaniko-cache-pvc
    350 </pre>
    351 </div>
    352 </div>
    353 </div>
    354 <div id="outline-container-h:f00592b2-a81b-43c4-a4fa-36959f515553" class="outline-3">
    355 <h3 id="h:f00592b2-a81b-43c4-a4fa-36959f515553"><code>Pipeline</code></h3>
    356 <div class="outline-text-3" id="text-h:f00592b2-a81b-43c4-a4fa-36959f515553">
    357 <div class="org-src-container">
    358 <pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
    359 kind: Pipeline
    360 metadata:
    361   name: kaniko
    362 spec:
    363   resources:
    364     - name: src
    365       type: git
    366     - name: hello-image
    367       type: image
    368     - name: bye-image
    369       type: image
    370   tasks:
    371   - name: go-hello-image
    372     taskRef:
    373       name: kaniko-build-push
    374     params:
    375       - name: pathToContext
    376         value: hello
    377     resources:
    378       inputs:
    379         - name: src
    380           resource: src
    381       outputs:
    382         - name: builtImage
    383           resource: hello-image
    384   - name: go-bye-image
    385     taskRef:
    386       name: kaniko-build-push
    387     params:
    388       - name: pathToContext
    389         value: bye
    390     resources:
    391       inputs:
    392         - name: src
    393           resource: src
    394       outputs:
    395         - name: builtImage
    396           resource: bye-image
    397 </pre>
    398 </div>
    399 </div>
    400 </div>
    401 <div id="outline-container-h:9caacd24-1667-4268-9716-d967cab7c6f1" class="outline-3">
    402 <h3 id="h:9caacd24-1667-4268-9716-d967cab7c6f1"><code>PipelineRun</code></h3>
    403 <div class="outline-text-3" id="text-h:9caacd24-1667-4268-9716-d967cab7c6f1">
    404 <div class="org-src-container">
    405 <pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
    406 kind: PipelineRun
    407 metadata:
    408   name: kaniko-run
    409 spec:
    410   pipelineRef:
    411     name: kaniko
    412   trigger:
    413     type: manual
    414   serviceAccount: build-bot
    415   resources:
    416     - name: src
    417       resourceRef:
    418         name: private-go-hello
    419     - name: hello-image
    420       resourceRef:
    421         name: hello-image-res
    422     - name: bye-image
    423       resourceRef:
    424         name: bye-image-res
    425 </pre>
    426 </div>
    427 </div>
    428 </div>
    429 </section>
    430 <section id="outline-container-h:eadc5b7a-797b-4da4-a543-3116612dfb4a" class="outline-2">
    431 <h2 id="h:eadc5b7a-797b-4da4-a543-3116612dfb4a"><span class="todo TODO">TODO</span> Deploy to a cluster</h2>
    432 <div class="outline-text-2" id="text-h:eadc5b7a-797b-4da4-a543-3116612dfb4a">
    433 </div>
    434 <div id="outline-container-h:90600634-74c2-4e04-b25c-b6665baac4d5" class="outline-3">
    435 <h3 id="h:90600634-74c2-4e04-b25c-b6665baac4d5"><span class="todo TODO">TODO</span> Same one, on another cluster</h3>
    436 <div class="outline-text-3" id="text-h:90600634-74c2-4e04-b25c-b6665baac4d5">
    437 </div>
    438 </div>
    439 <div id="outline-container-h:7aaedc77-4319-4223-9790-31353447ad48" class="outline-3">
    440 <h3 id="h:7aaedc77-4319-4223-9790-31353447ad48"><span class="todo TODO">TODO</span> Another one, thanks to cluster resources</h3>
    441 <div class="outline-text-3" id="text-h:7aaedc77-4319-4223-9790-31353447ad48">
    442 </div>
    443 </div>
    444 </section>
    445 <section id="outline-container-h:6fc85dd7-034c-4170-9b69-b84df9c976eb" class="outline-2">
    446 <h2 id="h:6fc85dd7-034c-4170-9b69-b84df9c976eb"><span class="todo TODO">TODO</span> Using <code>buildah</code></h2>
    447 <div class="outline-text-2" id="text-h:6fc85dd7-034c-4170-9b69-b84df9c976eb">
    448 </div>
    449 </section>
    450 <section id="outline-container-h:6c165f41-d642-480c-b841-541a89f95875" class="outline-2">
    451 <h2 id="h:6c165f41-d642-480c-b841-541a89f95875"><span class="todo TODO">TODO</span> Using <code>helm</code></h2>
    452 <div class="outline-text-2" id="text-h:6c165f41-d642-480c-b841-541a89f95875">
    453 </div>
    454 </section>
    455 </main>
    456 <footer id="postamble" class="status">
    457 <footer>
    458      <small><a href="/" rel="history">Index</a> • <a href="/sitemap.html">Sitemap</a> • <a href="https://dl.sbr.pm/">Files</a></small><br/>
    459      <small class='questions'>Questions, comments ? Please use my <a href="https://lists.sr.ht/~vdemeester/public-inbox">public inbox</a> by sending a plain-text email to <a href="mailto:~vdemeester/public-inbox@lists.sr.ht">~vdemeester/public-inbox@lists.sr.ht</a>.</small><br/>
    460      <small class='copyright'>
    461       Content and design by Vincent Demeester
    462       (<a rel='licence' href='http://creativecommons.org/licenses/by-nc-sa/3.0/'>Some rights reserved</a>)
    463     </small><br />
    464 </footer>
    465 </footer>
    466 </body>
    467 </html>