<!DOCTYPE html>
<html lang="en">
<head>
<!-- Sep 03, 2024 -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Tektoncd usage and examples</title>
<meta name="author" content="Vincent Demeester" />
<meta name="keywords" content="article" />
<meta name="generator" content="Org Mode" />
<link rel='icon' type='image/x-icon' href='/images/favicon.ico'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/css/new.css' type='text/css'/>
<link rel='stylesheet' href='/css/syntax.css' type='text/css'/>
<link href='/index.xml' rel='alternate' type='application/rss+xml' title='Vincent Demeester' />
</head>
<body>
<main id="content" class="content">
<header>
<h1 class="title">Tektoncd usage and examples</h1>
<p class="subtitle" role="doc-subtitle">Playing with the cat’s project 🐱</p>
</header><div class="abstract" id="org91af7d5">
<p>
Let’s dig into some use cases and examples of <code>tektoncd/pipeline</code>. From secrets and
service accounts to real-life examples, let’s document <code>pipeline</code> usage, tips and tricks.
</p>

</div>

<nav id="table-of-contents" role="doc-toc">
<h2>Table of Contents</h2>
<div id="text-table-of-contents" role="doc-toc">
<ul>
<li><a href="#h:7b3bca36-78c1-44b4-96fe-b26332e195ed">What is Tektoncd ?</a></li>
<li><a href="#h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">Secrets</a>
<ul>
<li><a href="#h:8eb369c9-1987-4119-9b24-d3b1204dab15">Git credentials</a></li>
<li><a href="#h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">Registry credentials</a></li>
</ul>
</li>
<li><a href="#h:b0f52c83-e465-4733-9ba8-51d4c915fb25">Service account</a></li>
<li><a href="#h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">Using <code>kaniko</code></a>
<ul>
<li><a href="#h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">Volume for <code>kaniko</code>’s cache</a></li>
<li><a href="#h:7da25768-794e-48c1-b92a-603e1c0572b2">Resources</a></li>
<li><a href="#h:4d50a5ad-2748-4f28-b545-6bf1e6872463"><code>Task</code></a></li>
<li><a href="#h:f00592b2-a81b-43c4-a4fa-36959f515553"><code>Pipeline</code></a></li>
<li><a href="#h:9caacd24-1667-4268-9716-d967cab7c6f1"><code>PipelineRun</code></a></li>
</ul>
</li>
<li><a href="#h:eadc5b7a-797b-4da4-a543-3116612dfb4a"><span class="todo TODO">TODO</span> Deploy to a cluster</a>
<ul>
<li><a href="#h:90600634-74c2-4e04-b25c-b6665baac4d5"><span class="todo TODO">TODO</span> Same one, on another cluster</a></li>
<li><a href="#h:7aaedc77-4319-4223-9790-31353447ad48"><span class="todo TODO">TODO</span> Another one, thanks to cluster resources</a></li>
</ul>
</li>
<li><a href="#h:6fc85dd7-034c-4170-9b69-b84df9c976eb"><span class="todo TODO">TODO</span> Using <code>buildah</code></a></li>
<li><a href="#h:6c165f41-d642-480c-b841-541a89f95875"><span class="todo TODO">TODO</span> Using <code>helm</code></a></li>
</ul>
</div>
</nav>
<section id="outline-container-h:7b3bca36-78c1-44b4-96fe-b26332e195ed" class="outline-2">
<h2 id="h:7b3bca36-78c1-44b4-96fe-b26332e195ed">What is Tektoncd ?</h2>
<div class="outline-text-2" id="text-h:7b3bca36-78c1-44b4-96fe-b26332e195ed">

<figure id="org75958c2">
<img src="images/tekton/tekton-horizontal-color.png" alt="tekton-horizontal-color.png" width="400/600px">

</figure>

<blockquote>
<p>
The Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD-style pipelines.
</p>
</blockquote>

<ul class="org-ul">
<li>Started as an experiment from <a href="https://github.com/knative">Knative</a> to define more advanced build use cases than
<a href="https://github.com/knative/build/"><code>knative/build</code></a> was able to handle.</li>
<li>Is now its own project and GitHub organization.</li>
</ul>
</div>
</section>
<section id="outline-container-h:dc6c7476-6df0-467b-a2fb-1512d300ef4c" class="outline-2">
<h2 id="h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">Secrets</h2>
<div class="outline-text-2" id="text-h:dc6c7476-6df0-467b-a2fb-1512d300ef4c">
<p>
Most of the time, you’re gonna need to access private resources like git repositories,
image registries, ssh servers and clusters. We’ll dig into each of them but the gist is always the
same:
</p>

<ul class="org-ul">
<li>Create secrets that hold the credentials</li>
<li>Create service accounts that use those secrets</li>
<li>Attach those service accounts to the <code>PipelineRun</code>/<code>TaskRun</code></li>
</ul>

<div class='drawer note'>
<h6>Note</h6>
<p>
These work <b>exactly</b> the same as in <code>knative/build</code>. The docs are <a href="https://github.com/knative/docs/blob/master/docs/build/auth.md">here</a>.
</p>
</div>
</div>
<div id="outline-container-h:8eb369c9-1987-4119-9b24-d3b1204dab15" class="outline-3">
<h3 id="h:8eb369c9-1987-4119-9b24-d3b1204dab15">Git credentials</h3>
<div class="outline-text-3" id="text-h:8eb369c9-1987-4119-9b24-d3b1204dab15">
</div>
<div id="outline-container-h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313" class="outline-4">
<h4 id="h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313">Using ssh</h4>
<div class="outline-text-4" id="text-h:c08a3856-f230-4c0d-a8ee-2f5ee8c85313">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.com
    tekton.dev/git-1: gitlab.com
    tekton.dev/git-2: sr.ht
type: kubernetes.io/ssh-auth
data:
  # cat ~/.ssh/id_rsa | base64 -w 0
  ssh-privatekey: &lt;base64 encoded&gt;
  # This is non-standard, but its use is encouraged to make this more secure.
  # ssh-keyscan github.com | base64 -w 0
  known_hosts: &lt;base64 encoded&gt;
</pre>
</div>
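<p>
The <code>ssh-keyscan</code> output that goes into <code>known_hosts</code> is whatever the network returned at scan time, so it is worth comparing against fingerprints obtained out of band before encoding it. An added example (not from the original page) of that check; the key blobs and the <code>PINNED</code> table are constructed placeholders, and the function names are hypothetical.
</p>

```python
import base64
import hashlib

# Constructed key blobs (not real host keys), in SSH wire format for ssh-ed25519.
GOOD_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
ROGUE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()


def fingerprint(key_blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Assumption: in real use these values are copied from the fingerprints the
# hosting service publishes, never computed from the scan being checked.
PINNED = {"github.com": {fingerprint(GOOD_BLOB)}}


def verify_keyscan(keyscan_output, pinned):
    """Return the scanned known_hosts lines if every key is pinned, else raise."""
    accepted = []
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, key_type, blob = line.split()[:3]
        fp = fingerprint(blob)
        if fp not in pinned.get(host, set()):
            raise ValueError(f"{host} {key_type}: unexpected fingerprint {fp}")
        accepted.append(f"{host} {key_type} {blob}")
    if not accepted:
        raise ValueError("no host keys in scan output")
    return accepted


def known_hosts_value(lines):
    """Value for the Secret's known_hosts field, equivalent to `base64 -w 0`."""
    return base64.b64encode(("\n".join(lines) + "\n").encode()).decode()


if __name__ == "__main__":
    scan = f"# constructed scan output\ngithub.com ssh-ed25519 {GOOD_BLOB}\n"
    print(known_hosts_value(verify_keyscan(scan, PINNED)))
```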
</div>
</div>
<div id="outline-container-h:e54bf2cb-7ac1-449e-b7cb-25a036248b83" class="outline-4">
<h4 id="h:e54bf2cb-7ac1-449e-b7cb-25a036248b83">Using basic authentication</h4>
<div class="outline-text-4" id="text-h:e54bf2cb-7ac1-449e-b7cb-25a036248b83">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/git-0: https://github.com
    tekton.dev/git-1: https://gitlab.com
    tekton.dev/git-2: https://sr.ht
type: kubernetes.io/basic-auth
stringData:
  username: &lt;username&gt;
  password: &lt;password&gt;
</pre>
</div>
</div>
</div>
</div>
<div id="outline-container-h:f590bf9c-464d-4d31-a176-b7c9b7b9e168" class="outline-3">
<h3 id="h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">Registry credentials</h3>
<div class="outline-text-3" id="text-h:f590bf9c-464d-4d31-a176-b7c9b7b9e168">
</div>
<div id="outline-container-h:2813551c-f51a-4873-8d1d-7608d67e9711" class="outline-4">
<h4 id="h:2813551c-f51a-4873-8d1d-7608d67e9711">Using basic authentication</h4>
<div class="outline-text-4" id="text-h:2813551c-f51a-4873-8d1d-7608d67e9711">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://index.docker.io
    tekton.dev/docker-1: https://gcr.io
type: kubernetes.io/basic-auth
stringData:
  username: &lt;username&gt;
  password: &lt;password&gt;
</pre>
</div>
</div>
</div>
<div id="outline-container-h:b81a4552-743f-4c5d-80be-c1a896ba7ec7" class="outline-4">
<h4 id="h:b81a4552-743f-4c5d-80be-c1a896ba7ec7">Using kubernetes secret types</h4>
<div class="outline-text-4" id="text-h:b81a4552-743f-4c5d-80be-c1a896ba7ec7">
<p>
There are two specific secret types related to docker authentication, or more
accurately to docker configuration files (that hold auth).
</p>

<ul class="org-ul">
<li><code>kubernetes.io/dockerconfigjson</code> (<code>$HOME/.docker/config.json</code>)</li>
<li><code>kubernetes.io/dockercfg</code> (<code>$HOME/.dockercfg</code>)</li>
</ul>

<div class="org-src-container">
<pre class="src src-bash">kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=&lt;path/to/.docker/config.json&gt; \
  --type=kubernetes.io/dockerconfigjson
# kubectl create secret generic regcred --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson
</pre>
</div>

<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
data:
  .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
kind: Secret
metadata:
  ...
  name: regcred
  ...
type: kubernetes.io/dockerconfigjson
</pre>
</div>

<p>
Kubernetes documentation: <a href="https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/">Pull an Image from a Private Registry - Kubernetes</a>
</p>
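<p>
<code>$HOME/.docker/config.json</code> usually holds credentials for every registry you have logged in to, or none at all when a credential helper is configured. An added example (not part of the original page) that keeps only the registries the pipeline pushes to before building the <code>regcred</code> secret; the sample config and the function names are constructed for illustration.
</p>

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample of a workstation's ~/.docker/config.json (credentials are fake).
SAMPLE_CONFIG = {
    "auths": {
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"bot:hub-token").decode()},
        "quay.io": {"auth": base64.b64encode(b"bot:quay-token").decode()},
        "registry.internal.example": {"auth": base64.b64encode(b"me:personal").decode()},
        "gcr.io": {},  # empty entry: the credential lives in the credsStore helper
    },
    "credsStore": "desktop",
}


def registry_host(key):
    """Reduce an auths key ('quay.io' or 'https://index.docker.io/v1/') to its host."""
    parsed = urlparse(key if "://" in key else "//" + key)
    return (parsed.hostname or "").lower()


def minimal_dockerconfig(config, wanted_hosts):
    """Keep only the auths entries for wanted_hosts; fail if one has no inline credential."""
    wanted = {h.lower() for h in wanted_hosts}
    kept = {}
    for key, entry in config.get("auths", {}).items():
        if registry_host(key) not in wanted:
            continue
        if not (entry.get("auth") or entry.get("identitytoken")):
            raise ValueError(f"{key}: no inline credential (stored in a credential helper?)")
        kept[key] = entry
    missing = wanted - {registry_host(k) for k in kept}
    if missing:
        raise ValueError(f"no auths entry for: {', '.join(sorted(missing))}")
    # credsStore/credHelpers are dropped: they name helper programs on the workstation.
    return {"auths": kept}


def secret_manifest(name, dockerconfig):
    """Build a kubernetes.io/dockerconfigjson Secret as JSON-ready data."""
    payload = json.dumps(dockerconfig, sort_keys=True).encode()
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(payload).decode()}}


if __name__ == "__main__":
    cfg = minimal_dockerconfig(SAMPLE_CONFIG, ["index.docker.io", "quay.io"])
    print(json.dumps(secret_manifest("regcred", cfg), indent=2))
```

<p>
The printed JSON can be piped to <code>kubectl apply -f -</code>, since JSON is accepted wherever a YAML manifest is.
</p>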
</div>
</div>
</div>
</section>
<section id="outline-container-h:b0f52c83-e465-4733-9ba8-51d4c915fb25" class="outline-2">
<h2 id="h:b0f52c83-e465-4733-9ba8-51d4c915fb25">Service account</h2>
<div class="outline-text-2" id="text-h:b0f52c83-e465-4733-9ba8-51d4c915fb25">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: regcred
  - name: ssh-key
</pre>
</div>
</div>
</section>
<section id="outline-container-h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a" class="outline-2">
<h2 id="h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">Using <code>kaniko</code></h2>
<div class="outline-text-2" id="text-h:d81a3f84-c608-4345-8cf0-44c8ed15ea2a">
</div>
<div id="outline-container-h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833" class="outline-3">
<h3 id="h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">Volume for <code>kaniko</code>’s cache</h3>
<div class="outline-text-3" id="text-h:8c8cd49e-5dda-47cf-a3d8-caff9a1bf833">
<div class="org-src-container">
<pre class="src src-yaml">kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: kaniko-cache-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
</pre>
</div>
</div>
</div>
<div id="outline-container-h:7da25768-794e-48c1-b92a-603e1c0572b2" class="outline-3">
<h3 id="h:7da25768-794e-48c1-b92a-603e1c0572b2">Resources</h3>
<div class="outline-text-3" id="text-h:7da25768-794e-48c1-b92a-603e1c0572b2">
<ul class="org-ul">
<li><p>
the <code>git</code> repository
</p>
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: private-go-hello
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: git@github.com:vdemeester/go-hello.git
</pre>
</div></li>

<li><p>
the <code>image</code> (s)
</p>
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: hello-image-res
spec:
  type: image
  params:
    - name: url
      description: The target URL
      value: docker.io/vdemeester/go-hello
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: bye-image-res
spec:
  type: image
  params:
    - name: url
      description: The target URL
      value: quay.io/rhdevelopers/vdemeest-go-bye
</pre>
</div></li>
</ul>
</div>
</div>
<div id="outline-container-h:4d50a5ad-2748-4f28-b545-6bf1e6872463" class="outline-3">
<h3 id="h:4d50a5ad-2748-4f28-b545-6bf1e6872463"><code>Task</code></h3>
<div class="outline-text-3" id="text-h:4d50a5ad-2748-4f28-b545-6bf1e6872463">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: kaniko-build-push
spec:
  inputs:
    resources:
      - name: src
        type: git
    params:
      - name: pathToDockerFile
        description: The path to the dockerfile to build (relative to the context)
        default: Dockerfile
      - name: pathToContext
        description:
          The path to the build context, used by Kaniko - within the workspace
          (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts).
          The git clone directory is set by the GIT init container which setup
          the git input resource - see https://github.com/knative/build-pipeline/blob/master/pkg/reconciler/v1alpha1/taskrun/resources/pod.go#L107
        default: .
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:debug
      command: ["/kaniko/executor"]
      args:
        - --dockerfile=${inputs.params.pathToDockerFile}
        - --destination=${outputs.resources.builtImage.url}
        - --context=/workspace/src/${inputs.params.pathToContext}
      volumeMounts:
        - name: kaniko-cache
          mountPath: /cache
  volumes:
    - name: kaniko-cache
      persistentVolumeClaim:
        claimName: kaniko-cache-pvc
</pre>
</div>
</div>
</div>
<div id="outline-container-h:f00592b2-a81b-43c4-a4fa-36959f515553" class="outline-3">
<h3 id="h:f00592b2-a81b-43c4-a4fa-36959f515553"><code>Pipeline</code></h3>
<div class="outline-text-3" id="text-h:f00592b2-a81b-43c4-a4fa-36959f515553">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
  name: kaniko
spec:
  resources:
    - name: src
      type: git
    - name: hello-image
      type: image
    - name: bye-image
      type: image
  tasks:
    - name: go-hello-image
      taskRef:
        name: kaniko-build-push
      params:
        - name: pathToContext
          value: hello
      resources:
        inputs:
          - name: src
            resource: src
        outputs:
          - name: builtImage
            resource: hello-image
    - name: go-bye-image
      taskRef:
        name: kaniko-build-push
      params:
        - name: pathToContext
          value: bye
      resources:
        inputs:
          - name: src
            resource: src
        outputs:
          - name: builtImage
            resource: bye-image
</pre>
</div>
</div>
</div>
<div id="outline-container-h:9caacd24-1667-4268-9716-d967cab7c6f1" class="outline-3">
<h3 id="h:9caacd24-1667-4268-9716-d967cab7c6f1"><code>PipelineRun</code></h3>
<div class="outline-text-3" id="text-h:9caacd24-1667-4268-9716-d967cab7c6f1">
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: tekton.dev/v1alpha1
kind: PipelineRun
metadata:
  name: kaniko-run
spec:
  pipelineRef:
    name: kaniko
  trigger:
    type: manual
  serviceAccount: build-bot
  resources:
    - name: src
      resourceRef:
        name: private-go-hello
    - name: hello-image
      resourceRef:
        name: hello-image-res
    - name: bye-image
      resourceRef:
        name: bye-image-res
</pre>
</div>
</div>
</div>
</section>
<section id="outline-container-h:eadc5b7a-797b-4da4-a543-3116612dfb4a" class="outline-2">
<h2 id="h:eadc5b7a-797b-4da4-a543-3116612dfb4a"><span class="todo TODO">TODO</span> Deploy to a cluster</h2>
<div class="outline-text-2" id="text-h:eadc5b7a-797b-4da4-a543-3116612dfb4a">
</div>
<div id="outline-container-h:90600634-74c2-4e04-b25c-b6665baac4d5" class="outline-3">
<h3 id="h:90600634-74c2-4e04-b25c-b6665baac4d5"><span class="todo TODO">TODO</span> Same one, on another cluster</h3>
<div class="outline-text-3" id="text-h:90600634-74c2-4e04-b25c-b6665baac4d5">
</div>
</div>
<div id="outline-container-h:7aaedc77-4319-4223-9790-31353447ad48" class="outline-3">
<h3 id="h:7aaedc77-4319-4223-9790-31353447ad48"><span class="todo TODO">TODO</span> Another one, thanks to cluster resources</h3>
<div class="outline-text-3" id="text-h:7aaedc77-4319-4223-9790-31353447ad48">
</div>
</div>
</section>
<section id="outline-container-h:6fc85dd7-034c-4170-9b69-b84df9c976eb" class="outline-2">
<h2 id="h:6fc85dd7-034c-4170-9b69-b84df9c976eb"><span class="todo TODO">TODO</span> Using <code>buildah</code></h2>
<div class="outline-text-2" id="text-h:6fc85dd7-034c-4170-9b69-b84df9c976eb">
</div>
</section>
<section id="outline-container-h:6c165f41-d642-480c-b841-541a89f95875" class="outline-2">
<h2 id="h:6c165f41-d642-480c-b841-541a89f95875"><span class="todo TODO">TODO</span> Using <code>helm</code></h2>
<div class="outline-text-2" id="text-h:6c165f41-d642-480c-b841-541a89f95875">
</div>
</section>
</main>
<footer id="postamble" class="status">
<footer>
  <small><a href="/" rel="history">Index</a> • <a href="/sitemap.html">Sitemap</a> • <a href="https://dl.sbr.pm/">Files</a></small><br/>
  <small class='questions'>Questions, comments ? Please use my <a href="https://lists.sr.ht/~vdemeester/public-inbox">public inbox</a> by sending a plain-text email to <a href="mailto:~vdemeester/public-inbox@lists.sr.ht">~vdemeester/public-inbox@lists.sr.ht</a>.</small><br/>
  <small class='copyright'>
  Content and design by Vincent Demeester
  (<a rel='licence' href='http://creativecommons.org/licenses/by-nc-sa/3.0/'>Some rights reserved</a>)
  </small><br />
</footer>
</footer>
</body>
</html>