Overview

Tekton is a Kubernetes-native framework for building CI/CD systems. The official description:
Tekton is a powerful yet flexible Kubernetes-native open-source framework for creating continuous integration and delivery (CI/CD) systems. It lets you build, test, and deploy across multiple cloud providers or on-premises systems by abstracting away the underlying implementation details.
There are plenty of Chinese-language introductions online, so I won't repeat them here; anyone interested can refer to the following articles:

The reason I looked into this is that we plan to move workloads onto k8s, so I wanted a newer tool that integrates well with k8s. That search led to Tekton, which is also the CI/CD tool shipped as standard with Red Hat OpenShift.
What this article covers

This article shows how to build a container image inside k8s with Tekton + Kaniko and push it to Docker Hub.

Building a container image traditionally requires root, or the ability to talk directly to the Docker daemon. Both are a security concern: anything that can reach the Docker socket is effectively root on that node. Kaniko is a tool that builds container images inside k8s without a privileged pod and without mounting the Docker socket, so the build pod needs no special permissions from the cluster (note that the Kaniko executor still runs as root inside its own container by default; the gain is that it does not need privileges on the host or a daemon).

Those requirements raise a few questions:
Implementation

Assuming k8s, Tekton Pipelines and the Tekton Dashboard are already deployed, continue with the following steps:

Set up the Docker Hub credential

First, log in from your local machine with docker login.

After a successful login to Docker Hub, Docker writes a config file in your home directory, at ~/.docker/config.json, whose content looks roughly like this:
```json
{
  "auths": {
    "https://index.docker.io/v1": {
      "auth": "Z29...........................YzY="
    }
  }
}
```

Two things to be aware of: the auth value is only base64 of username:password, not encrypted, so this file and any Secret created from it are plaintext credentials (use a Docker Hub access token rather than your account password). And if Docker is configured with a credential helper (a credsStore or credHelpers entry), the auths map in this file is empty and the Secret built from it will not authenticate.
The config file can then be turned into a k8s Secret with:

```sh
kubectl create secret generic docker-basic \
  --from-file=.dockerconfigjson="$HOME/.docker/config.json" \
  --type=kubernetes.io/dockerconfigjson
```

Bear in mind that this copies the whole config.json, which carries the credentials of every registry you have logged into locally, not just Docker Hub.
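Rather than copying the whole local config.json, you can build the Secret for exactly one registry. The script below is an added example and not code from the original post or from the Tekton or Kaniko projects: it produces the same kubernetes.io/dockerconfigjson Secret from a username and access token, and includes a check for the credential-helper case where a copied config.json would carry no inline auth entry. The Secret name docker-basic, the namespace default, and the DOCKER_USER / DOCKER_TOKEN variables are assumptions.

```shell
#!/bin/sh
# Added example: build a kubernetes.io/dockerconfigjson Secret for one registry.
# Names (docker-basic, default, DOCKER_USER, DOCKER_TOKEN) are assumptions.

# base64("user:password"): the value Docker stores under "auth".
# tr strips the line wrapping GNU base64 adds for long input.
docker_auth_b64() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# A minimal config.json that contains only the one registry the build needs.
make_dockerconfigjson() {
  registry="$1"; user="$2"; password="$3"
  printf '{"auths":{"%s":{"auth":"%s"}}}' \
    "$registry" "$(docker_auth_b64 "$user" "$password")"
}

# The Secret manifest; the whole config.json is base64-encoded under data.
make_secret_manifest() {
  name="$1"; namespace="$2"; registry="$3"; user="$4"; password="$5"
  cfg_b64="$(make_dockerconfigjson "$registry" "$user" "$password" | base64 | tr -d '\n')"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${cfg_b64}
EOF
}

# Returns 0 only if the config.json text has an inline auth entry for the
# registry. With a credential helper (credsStore/credHelpers) Docker keeps the
# password elsewhere and the file has an empty auths map, so a Secret copied
# from it cannot authenticate.
config_has_inline_auth() {
  cfg="$1"; registry="$2"
  if printf '%s' "$cfg" | grep -qE '"(credsStore|credHelpers)"'; then
    return 1
  fi
  if printf '%s' "$cfg" | grep -qF "\"$registry\"" \
     && printf '%s' "$cfg" | grep -qF '"auth"'; then
    return 0
  fi
  return 1
}

# Constructed sample run: alice / s3cret are placeholders, override via env.
# The output can be piped straight into: kubectl apply -f -
make_secret_manifest docker-basic default https://index.docker.io/v1/ \
  "${DOCKER_USER:-alice}" "${DOCKER_TOKEN:-s3cret}"
```

The built-in equivalent is `kubectl create secret docker-registry docker-basic --docker-server=https://index.docker.io/v1/ --docker-username=... --docker-password=...`; the script is useful when you want to see, and version, exactly which registry the build pod is allowed to reach.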
Deploy the Tekton resources

Applying the YAML below is enough for a demonstration that builds a container image and pushes it to Docker Hub.

The ServiceAccount and PipelineResource part:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: robot-docker-basic
secrets:
  - name: docker-basic
imagePullSecrets:
  - name: docker-basic
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: git-tekton-test
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/GoogleContainerTools/skaffold
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: image-tekton-test
spec:
  type: image
  params:
    - name: url
      value: godleon/tekton-test
```
The Task and TaskRun definitions:

```yaml
---
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  inputs:
    resources:
      - name: docker-source
        type: git
    params:
      - name: pathToDockerFile
        type: string
        description: The path to the dockerfile to build
        default: /workspace/docker-source/Dockerfile
      - name: pathToContext
        type: string
        description: The build context used by Kaniko (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
        default: /workspace/docker-source
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor
      env:
        - name: "DOCKER_CONFIG"
          value: "/builder/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(inputs.params.pathToDockerFile)
        - --destination=$(outputs.resources.builtImage.url)
        - --context=$(inputs.params.pathToContext)
---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  serviceAccount: robot-docker-basic
  taskRef:
    name: build-docker-image-from-git-source
  inputs:
    resources:
      - name: docker-source
        resourceRef:
          name: git-tekton-test
    params:
      - name: pathToDockerFile
        value: Dockerfile
      - name: pathToContext
        value: /workspace/docker-source/examples/microservices/leeroy-web
  outputs:
    resources:
      - name: builtImage
        resourceRef:
          name: image-tekton-test
```

A few points worth checking before reusing this: the step image gcr.io/kaniko-project/executor has no tag, so every run pulls whatever that registry currently serves as latest; pin a tag or, better, a digest so the builder that handles your registry credential is a known artifact. The ServiceAccount robot-docker-basic carries the Docker Hub credential, so any TaskRun that names it can push as that account; keep it in a dedicated namespace. And the tekton.dev/v1alpha1 API, PipelineResource and the serviceAccount field belong to early Tekton; PipelineResources were later deprecated and removed, and the field became serviceAccountName, so a current install expresses the git source and image name through workspaces and params instead.
Once all of the YAML has been applied, the run shows up in the dashboard:

The container image built inside k8s is then pushed to Docker Hub.