Knative - Tekton Trigger [Part 21]
Tekton Trigger Basics
#Introduction to Tekton Triggers
◼ Watches for specific events and, when the conditions are met, automatically triggers a Tekton Pipeline;
◆ For example, a pull request being created, code being pushed, or a pull request being merged into the main branch of a code repository
◼ Tekton Triggers gives users a declarative API
◆ It lets users define which events to watch and connect them to a specific Pipeline, instantiating a PipelineRun
◆ It also lets values of selected event attributes be injected into the Pipeline
#Key Tekton Triggers components (CRDs)
◼ Trigger
◼ TriggerBinding
◼ TriggerTemplate
◼ EventListener
◼ Interceptor
Key Tekton Triggers components
#Trigger
◼ The filter conditions the EventListener Pod applies when watching for and selecting Events
◼ Composed of a TriggerTemplate, TriggerBindings and (Cluster)Interceptors
#TriggerTemplate
◼ Fired by an Event the EventListener has selected; instantiates and creates resources such as a TaskRun or PipelineRun
◼ Accepts configuration from a TriggerBinding through parameters
#TriggerBinding (namespace-scoped) and ClusterTriggerBinding (cluster-scoped)
◼ Names the fields of an event (selected by the EventListener) that are of interest, extracts their values and passes them to the TriggerTemplate
◼ The TriggerTemplate then assigns those values to the parameters of the associated TaskRun or PipelineRun resource
#EventListener
◼ Runs as a Pod on the Kubernetes cluster and receives Events on a listening port (8080 on the generated el-<name> Service; 9000 serves metrics)
◼ Event filtering is defined by one or more Triggers
#ClusterInterceptor
◼ Before a Trigger filters events, receives every event from a particular platform or system (such as GitLab) and supports pre-processing such as content filtering, validation (for instance checking the webhook token), transformation and testing Trigger conditions
◼ After pre-processing, the Trigger filters the events; matching Events are passed on to the TriggerBinding
Logical relationships between the Tekton Triggers components
#The EventListener Pod is the physical form of Tekton Triggers; it is made up of one or more Triggers
#A Trigger CRD can be defined on its own or inline inside an EventListener
#Each Trigger consists of one template, a set of bindings and a set of interceptors
◼ template can reference a standalone TriggerTemplate resource or be defined inline
◼ bindings can reference one or more standalone TriggerBinding resources or be defined inline
◼ interceptors usually reference the filter rules defined by a ClusterInterceptor
TriggerTemplate CRD resource spec
#The TriggerTemplate CRD follows the Kubernetes resource API conventions; its spec field consists mainly of two nested fields
◼ params
◆ The parameters of this TriggerTemplate, whose values are received from a TriggerBinding
◆ Parameters inside the resource templates under resourcetemplates are instantiated by referencing the TriggerTemplate's parameter values
⚫ Reference format: $(tt.params.<NAME>)
◼ resourcetemplates
◆ Defines the resource templates
◆ In a Tekton environment these are usually PipelineRun or TaskRun resources
◆ The resource name should be given as a prefix via generateName rather than set directly with name: every event creates a new resource, and a fixed name would collide on the second event
TriggerBinding CRD resource spec
Trigger CRD resource spec
Tekton Trigger examples
Deploying Tekton Triggers
#https://tekton.dev/docs/triggers/install/
#Specific release
kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/triggers/previous/VERSION_NUMBER/release.yaml
kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/triggers/previous/VERSION_NUMBER/interceptors.yaml
#https://github.com/tektoncd/triggers/releases/tag/v0.24.0
#[v0.24.0 chosen] the lab succeeded with this version
#The image names must be rewritten to point at a mirror registry (gcr.io is not reachable from the lab). Keep the @sha256 digests: a digest-pinned reference is verified by the container runtime on pull, so the mirror cannot substitute a different image, whereas a bare tag would simply trust whatever the mirror serves.
gcr.lank8s.cn/tekton-releases/github.com/tektoncd/triggers/cmd/interceptors:v0.24.0@sha256:400d30f730cb6cf689e23cbaef650ca4bb9f827d923fcd575f56e80b79819720
gcr.lank8s.cn/tekton-releases/github.com/tektoncd/triggers/cmd/controller:v0.24.0@sha256:5d96635ef8bd6934ed2da26ec8049164b4421115d12aeba72933200b48addb58
gcr.lank8s.cn/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink:v0.24.0@sha256:77519cdc53bdefa393f700fb0e5891212c71411f09b4c261ea78c8d00cb6e831
gcr.lank8s.cn/tekton-releases/github.com/tektoncd/triggers/cmd/webhook:v0.24.0@sha256:255281beca24067925635bd3c7999d7c784c3bb1e41cea8ad8c1140849b9efba
#Pull the images (on every node: crictl pulls into that node's containerd only)
crictl pull gcr.lank8s.cn/tekton-releases/github.com/tektoncd/triggers/cmd/interceptors:v0.24.0@sha256:400d30f730cb6cf689e23cbaef650ca4bb9f827d923fcd575f56e80b79819720
crictl pull gcr.lank8s.cn/tekton-releases/github.com/tektoncd/triggers/cmd/controller:v0.24.0@sha256:5d96635ef8bd6934ed2da26ec8049164b4421115d12aeba72933200b48addb58
crictl pull gcr.lank8s.cn/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink:v0.24.0@sha256:77519cdc53bdefa393f700fb0e5891212c71411f09b4c261ea78c8d00cb6e831
crictl pull gcr.lank8s.cn/tekton-releases/github.com/tektoncd/triggers/cmd/webhook:v0.24.0@sha256:255281beca24067925635bd3c7999d7c784c3bb1e41cea8ad8c1140849b9efba
[root@xianchaomaster1 trigger]# kubectl get pods -n tekton-pipelines
NAME                                                 READY   STATUS    RESTARTS        AGE
tekton-dashboard-584dd67b8b-k54rb                    1/1     Running   2 (3h29m ago)   4h6m
tekton-events-controller-84f4f5685b-d8z56            1/1     Running   1 (3h29m ago)   4h6m
tekton-pipelines-controller-6bc97db85-kcvx7          1/1     Running   1 (3h29m ago)   4h6m
tekton-pipelines-webhook-68d5fd56bf-wknt4            1/1     Running   1 (3h29m ago)   4h6m
tekton-triggers-controller-8c7c77b9f-7pd6t           1/1     Running   0               27s
tekton-triggers-core-interceptors-76b468b885-4hwbx   1/1     Running   0               17s
tekton-triggers-webhook-6458fd6db7-d4q4g             1/1     Running   0               27s
[root@xianchaomaster1 trigger]# kubectl api-versions
admissionregistration.k8s.io/v1
apiextensions.k8s.io/v1
apiregistration.k8s.io/v1
apps/v1
authentication.k8s.io/v1
authorization.k8s.io/v1
autoscaling.internal.knative.dev/v1alpha1
autoscaling/v1
autoscaling/v2
autoscaling/v2beta2
batch/v1
bindings.knative.dev/v1alpha1
caching.internal.knative.dev/v1alpha1
certificates.k8s.io/v1
coordination.k8s.io/v1
crd.projectcalico.org/v1
dashboard.tekton.dev/v1alpha1
discovery.k8s.io/v1
eventing.knative.dev/v1
eventing.knative.dev/v1beta1
events.k8s.io/v1
extensions.istio.io/v1alpha1
flowcontrol.apiserver.k8s.io/v1beta1
flowcontrol.apiserver.k8s.io/v1beta2
flows.knative.dev/v1
install.istio.io/v1alpha1
messaging.knative.dev/v1
networking.internal.knative.dev/v1alpha1
networking.istio.io/v1alpha3
networking.istio.io/v1beta1
networking.k8s.io/v1
node.k8s.io/v1
policy/v1
rbac.authorization.k8s.io/v1
resolution.tekton.dev/v1alpha1
resolution.tekton.dev/v1beta1
scheduling.k8s.io/v1
security.istio.io/v1beta1
serving.knative.dev/v1
serving.knative.dev/v1alpha1
serving.knative.dev/v1beta1
sources.knative.dev/v1
sources.knative.dev/v1alpha1
sources.knative.dev/v1beta2
storage.k8s.io/v1
storage.k8s.io/v1beta1
tekton.dev/v1
tekton.dev/v1alpha1
tekton.dev/v1beta1
telemetry.istio.io/v1alpha1
triggers.tekton.dev/v1alpha1
triggers.tekton.dev/v1beta1
v1
[root@xianchaomaster1 trigger]# kubectl api-resources --api-group=triggers.tekton.dev
NAME                     SHORTNAMES   APIVERSION                     NAMESPACED   KIND
clusterinterceptors      ci           triggers.tekton.dev/v1alpha1   false        ClusterInterceptor
clustertriggerbindings   ctb          triggers.tekton.dev/v1beta1    false        ClusterTriggerBinding
eventlisteners           el           triggers.tekton.dev/v1beta1    true         EventListener
interceptors             ni           triggers.tekton.dev/v1alpha1   true         Interceptor
triggerbindings          tb           triggers.tekton.dev/v1beta1    true         TriggerBinding
triggers                 tri          triggers.tekton.dev/v1beta1    true         Trigger
triggertemplates         tt           triggers.tekton.dev/v1beta1    true         TriggerTemplate
[root@xianchaomaster1 trigger]# kubectl get ci
NAME AGE
bitbucket 115s
cel 115s
github 115s
gitlab 115s
slack 115s
Example test
#Example test: apply a TriggerTemplate and a TriggerBinding on their own (no EventListener yet) to confirm the API server accepts them
[root@xianchaomaster1 01-trigger-basics]# pwd
/root/KnativeSrc/tekton-and-argocd-in-practise-main/05-tekton-triggers/01-trigger-basics
[root@xianchaomaster1 01-trigger-basics]# ll
total 8
-rw-r--r-- 1 root root 1246 Nov 7 2022 01-triggertemplate-demo.yaml
-rw-r--r-- 1 root root 275 Nov 7 2022 02-triggerbinding-demo.yaml
[root@xianchaomaster1 01-trigger-basics]# cat 01-triggertemplate-demo.yaml
apiVersion: triggers.tekton.dev/v1beta1   # v1beta1 is the served version (see api-resources above); v1alpha1 for this type is deprecated
kind: TriggerTemplate
metadata:
  name: pipeline-template-demo
spec:
  params:
    - name: image-url
      default: ikubernetes/spring-boot-helloworld
    - name: git-revision
      description: The git revision (SHA)
      default: master
    - name: git-url
      description: The git repository url ("https://github.com/foo/bar.git")
    - name: version
      description: The version of application
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        generateName: pipeline-run-    # one new PipelineRun per event; a fixed name would collide
      spec:
        pipelineRef:
          name: source-to-image
        params:
          - name: git-url
            value: $(tt.params.git-url)
          - name: image-url
            value: $(tt.params.image-url)
          - name: version
            value: $(tt.params.version)
        workspaces:
          - name: codebase
            volumeClaimTemplate:
              spec:
                accessModes:
                  - ReadWriteOnce
                resources:
                  requests:
                    storage: 1Gi
                storageClassName: nfs-csi
          - name: docker-config
            secret:
              secretName: docker-config
[root@xianchaomaster1 01-trigger-basics]# cat 02-triggerbinding-demo.yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: pipeline-binding-demo
spec:
  params:
    # $(body.<path>) reads a field of the JSON webhook body, $(header.<Name>) a request header.
    # The file as provided assigned head_commit.id to git-url and repository.url to image-url,
    # which does not match the TriggerTemplate's parameters; corrected here (GitHub push-event field names).
    - name: git-revision
      value: $(body.head_commit.id)
    - name: git-url
      value: $(body.repository.url)
    - name: version
      value: $(header.Content-Type)   # demonstrates header lookup only; image-url falls back to the template default
kubectl apply -f ./
kubectl get tt
kubectl get tb
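To see how the two objects above fit together before any EventListener exists, here is an added Python example (not Tekton's code and not from the course material) that resolves a TriggerBinding's $(body.*) and $(header.*) expressions against a constructed GitHub-style push payload and then substitutes $(tt.params.NAME) into the PipelineRun template, the flow described in the TriggerTemplate spec section. The payload, headers and commit id are constructed; the binding maps git-revision to head_commit.id and git-url to repository.url, and deliberately leaves image-url unbound so the template default has to fill it. A missing field is treated as an error rather than an empty string, so a malformed event cannot produce a run with blank parameters.

```python
import json
import re
from typing import Any, Dict

# Constructed GitHub-style push payload and request headers (not a captured webhook).
PUSH_BODY: Dict[str, Any] = {
    "ref": "refs/heads/main",
    "head_commit": {"id": "9fceb02d0ae598e95dc970b74767f19372d61af8"},
    "repository": {"url": "https://github.com/foo/bar"},
}
PUSH_HEADERS = {"Content-Type": "application/json", "X-GitHub-Event": "push"}

# The demo objects above, reduced to their params; image-url is deliberately not
# bound so that the TriggerTemplate default has to fill it in.
BINDING_PARAMS = [
    {"name": "git-revision", "value": "$(body.head_commit.id)"},
    {"name": "git-url", "value": "$(body.repository.url)"},
    {"name": "version", "value": "$(header.Content-Type)"},
]
TEMPLATE_PARAMS = [
    {"name": "image-url", "default": "ikubernetes/spring-boot-helloworld"},
    {"name": "git-revision", "default": "master"},
    {"name": "git-url"},
    {"name": "version"},
]
RESOURCE_TEMPLATE = {
    "apiVersion": "tekton.dev/v1beta1", "kind": "PipelineRun",
    "metadata": {"generateName": "pipeline-run-"},
    "spec": {"pipelineRef": {"name": "source-to-image"},
             "params": [{"name": n, "value": f"$(tt.params.{n})"}
                        for n in ("git-url", "git-revision", "image-url", "version")]},
}

EXPR = re.compile(r"\$\(([^()]+)\)")   # matches $(body.x.y), $(header.X), $(tt.params.NAME)


def _lookup(path: str, body: Dict[str, Any], headers: Dict[str, str]) -> str:
    """Resolve one TriggerBinding expression. A missing field is an error, not an
    empty string, so a malformed event cannot start a run with blank params."""
    root, *keys = path.split(".")
    if root == "body":
        node: Any = body
        for key in keys:
            if not isinstance(node, dict) or key not in node:
                raise KeyError(f"$({path}): field not present in event body")
            node = node[key]
        return node if isinstance(node, str) else json.dumps(node)  # non-strings pass as JSON
    if root == "header" and len(keys) == 1:
        for name, value in headers.items():      # HTTP header names are case-insensitive
            if name.lower() == keys[0].lower():
                return value
        raise KeyError(f"$({path}): header not present in request")
    raise ValueError(f"$({path}): unsupported expression")


def resolve_binding(binding_params, body, headers) -> Dict[str, str]:
    """TriggerBinding step: event -> {param name: value}."""
    return {p["name"]: EXPR.sub(lambda m: _lookup(m.group(1), body, headers), p["value"])
            for p in binding_params}


def render_template(template_params, resource_template, bound: Dict[str, str]) -> Any:
    """TriggerTemplate step: bound values, falling back to declared defaults, replace
    $(tt.params.NAME) everywhere in the resource template."""
    values: Dict[str, str] = {}
    for p in template_params:
        if p["name"] in bound:
            values[p["name"]] = bound[p["name"]]
        elif "default" in p:
            values[p["name"]] = p["default"]
        else:
            raise KeyError(f"param {p['name']!r} has neither a bound value nor a default")

    def substitute(m):
        expr = m.group(1)
        if not expr.startswith("tt.params."):
            return m.group(0)                     # $(params.x) etc. are left for Tekton Pipelines
        return values[expr[len("tt.params."):]]   # KeyError for a param the template never declared

    def walk(node: Any) -> Any:
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return EXPR.sub(substitute, node) if isinstance(node, str) else node

    return walk(resource_template)


def pipelinerun_params(body: Dict[str, Any], headers: Dict[str, str]) -> Dict[str, str]:
    """Whole flow for one event: returns the rendered PipelineRun's params by name."""
    run = render_template(TEMPLATE_PARAMS, RESOURCE_TEMPLATE,
                          resolve_binding(BINDING_PARAMS, body, headers))
    return {p["name"]: p["value"] for p in run["spec"]["params"]}


def try_event(body: Dict[str, Any], headers: Dict[str, str]):
    """(params, None) when the event binds cleanly, (None, error) when the trigger would fail."""
    try:
        return pipelinerun_params(body, headers), None
    except (KeyError, ValueError) as exc:
        return None, str(exc)
```

pipelinerun_params(PUSH_BODY, PUSH_HEADERS) yields the commit id as git-revision, the repository URL as git-url, the template default for image-url and the Content-Type header as version; try_event with a payload lacking head_commit returns an error instead of a run.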
Tekton Trigger example: GitLab
#Lab environment
◼ The code repository is hosted on GitLab
◆ The GitLab service also runs on the Kubernetes cluster
◆ code.magedu.com, code.gitlab.svc.cluster.local
◆ Example repository: root/spring-boot-helloworld
◼ EventListener
◆ Receives Push events from the root/spring-boot-helloworld repository through a webhook
◆ The TriggerBinding resource gitlab-push-binding reads the Push event and assigns the parameters
⚫ The value of the event's checkout_sha attribute goes to the git-revision parameter
⚫ The value of the event's repository.git_http_url attribute goes to the git-repo-url parameter
◆ The TriggerTemplate resource gitlab-trigger-template receives the parameter values from gitlab-push-binding and instantiates the resource template defined under resourcetemplates, i.e. it creates and runs a TaskRun
[root@xianchaomaster1 02-trigger-gitlab]# ll
total 24
-rw-r--r-- 1 root root 178 Nov 7 2022 01-gitlab-token-secret.yaml
-rw-r--r-- 1 root root 1662 Nov 7 2022 02-gitlab-eventlistener-rbac.yaml
-rw-r--r-- 1 root root 236 Nov 7 2022 03-gitlab-push-binding.yaml
-rw-r--r-- 1 root root 1166 Nov 7 2022 04-gitlab-trigger-template.yaml
-rw-r--r-- 1 root root 538 Nov 7 2022 05-gitlab-event-listener.yaml
-rw-r--r-- 1 root root 757 Nov 7 2022 test.yaml
#Create the webhook token that GitLab sends with every push event to authenticate to the EventListener. GitLab puts this value verbatim in the X-Gitlab-Token header (there is no signature), and the gitlab interceptor compares it with the Secret. It is a bearer-style shared secret: generate it randomly, keep it out of version control, and expose the listener over TLS so the header does not travel in clear.
[root@xianchaomaster1 02-trigger-gitlab]# cat 01-gitlab-token-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-webhook-token
type: Opaque
stringData:
  # Generated by command "openssl rand -base64 12"; generate your own, do not reuse this value
  webhookToken: "DXeqvozMlTA67aQB"
#Create the RBAC objects, 02-gitlab-eventlistener-rbac.yaml. The file as provided in the course material was faulty and had to be adapted with additional permissions, otherwise the listener reports errors on startup
[root@xianchaomaster1 02-trigger-gitlab]# cat 02-gitlab-eventlistener-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-webhook-token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-triggers-gitlab-minimal
rules:
  # Permissions for every EventListener deployment to function
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["eventlisteners", "triggerbindings", "triggertemplates", "clusterinterceptors", "clustertriggerbindings", "triggers", "interceptors"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: [""]
    # secrets are only needed for Github/Gitlab interceptors, serviceaccounts only for per trigger authorization.
    # "create" on secrets and serviceaccounts is broader than the listener needs (the upstream example grants
    # get/list/watch only); tighten it back to get/list/watch once the listener starts cleanly.
    resources: ["configmaps", "secrets", "serviceaccounts"]
    verbs: ["get", "list", "watch", "create"]
  # Permissions to create resources in associated TriggerTemplates
  - apiGroups: ["tekton.dev"]
    # pipelineresources refers to a type current Tekton Pipelines no longer serves; harmless, but it can be dropped
    resources: ["pipelineruns", "pipelineresources", "taskruns"]
    verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers-gitlab-binding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-gitlab-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-triggers-gitlab-minimal
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-triggers-gitlab-minimal
rules:
  # cluster-scoped read access is needed for ClusterInterceptors and ClusterTriggerBindings
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["eventlisteners", "triggerbindings", "triggertemplates", "clusterinterceptors", "clustertriggerbindings", "triggers", "interceptors"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-triggers-gitlab-binding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-gitlab-sa
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-gitlab-minimal
#TriggerBinding
#Takes the commit id from body.checkout_sha of the GitLab event and the repository address from body.repository.git_http_url, and assigns them to parameters
[root@xianchaomaster1 02-trigger-gitlab]# cat 03-gitlab-push-binding.yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: gitlab-push-binding
spec:
  params:
    - name: git-revision
      value: $(body.checkout_sha)
    - name: git-repo-url
      value: $(body.repository.git_http_url)
#TriggerTemplate
[root@xianchaomaster1 02-trigger-gitlab]# cat 04-gitlab-trigger-template.yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: gitlab-trigger-template
spec:
  params:                                   # declared parameters, filled by gitlab-push-binding
    - name: git-revision
    - name: git-repo-url
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: TaskRun
      metadata:
        generateName: gitlab-trigger-run-   # TaskRun name prefix; one TaskRun per event
      spec:
        # The TaskRun runs under the listener's ServiceAccount. That account can read Secrets and
        # create runs (see the Role above), which a clone-and-list step does not need; a dedicated,
        # minimal ServiceAccount for TaskRuns is the least-privilege choice.
        serviceAccountName: tekton-triggers-gitlab-sa
        params:
          - name: git-revision
            value: $(tt.params.git-revision)
          - name: git-repo-url
            value: $(tt.params.git-repo-url)
        workspaces:
          - name: source
            emptyDir: {}
        taskSpec:
          workspaces:
            - name: source
          params:
            - name: git-revision
            - name: git-repo-url
          steps:
            - name: fetch-from-git-repo
              image: alpine/git:v2.36.1
              # Both values come straight from the webhook body. The gitlab interceptor only proves
              # the request carried the right token; restricting which repository may be cloned needs
              # an additional filter (e.g. a cel interceptor on body.repository.git_http_url).
              script: |
                git clone -v $(params.git-repo-url) $(workspaces.source.path)/source
                cd $(workspaces.source.path)/source && git reset --hard $(params.git-revision)
            - name: list-files
              image: alpine:3.16
              script: ls -la $(workspaces.source.path)/source
#The EventListener runs as a Pod
#Defines a Trigger: a Push Hook event that passes the interceptor is handed to the binding, which assigns the parameters required by gitlab-trigger-template
[root@xianchaomaster1 02-trigger-gitlab]# cat 05-gitlab-event-listener.yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: gitlab-event-listener
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - ref:
            name: "gitlab"            # core ClusterInterceptor: checks X-Gitlab-Token against the Secret, then the event type
          params:
            - name: "secretRef"
              value:
                secretName: gitlab-webhook-token
                secretKey: webhookToken
            - name: "eventTypes"
              value: ["Push Hook"]    # compared with the X-Gitlab-Event header
      bindings:
        - ref: gitlab-push-binding
      template:
        ref: gitlab-trigger-template
[root@xianchaomaster1 02-trigger-gitlab]# kubectl apply -f 01-gitlab-token-secret.yaml -f 02-gitlab-eventlistener-rbac.yaml -f 03-gitlab-push-binding.yaml -f 04-gitlab-trigger-template.yaml -f 05-gitlab-event-listener.yaml
[root@xianchaomaster1 02-trigger-gitlab]# kubectl get pods
NAME                                             READY   STATUS      RESTARTS   AGE
el-gitlab-event-listener-7cf6488ffd-fxwlp        1/1     Running     0          7m49s
s2i-buildid-run-00003-build-to-package-pod       0/1     Completed   0          27h
s2i-buildid-run-00003-deploy-to-cluster-pod      0/2     Completed   0          27h
s2i-buildid-run-00003-generate-build-id-pod      0/2     Completed   0          27h
s2i-buildid-run-00003-git-clone-pod              0/1     Completed   0          27h
s2i-buildid-run-00003-image-build-and-push-pod   0/1     Completed   0          27h
spring-boot-helloworld-68c4c44f46-47rj6          1/1     Running     0          27h
[root@xianchaomaster1 02-trigger-gitlab]# kubectl get tt
NAME                      AGE
gitlab-trigger-template   8m1s
[root@xianchaomaster1 02-trigger-gitlab]# kubectl get svc
NAME                       TYPE           CLUSTER-IP       EXTERNAL-IP                                            PORT(S)                                              AGE
demoapp                    ExternalName   <none>           knative-local-gateway.istio-system.svc.cluster.local   80/TCP                                               40h
demoapp-00001              ClusterIP      10.107.153.199   <none>                                                 80/TCP,443/TCP                                       40h
demoapp-00001-private      ClusterIP      10.104.114.35    <none>                                                 80/TCP,443/TCP,9090/TCP,9091/TCP,8022/TCP,8012/TCP   40h
el-gitlab-event-listener   ClusterIP      10.100.187.226   <none>                                                 8080/TCP,9000/TCP                                    8m57s
kubernetes                 ClusterIP      10.96.0.1        <none>                                                 443/TCP                                              2d1h
spring-boot-helloworld     NodePort       10.100.26.239    <none>                                                 80:31306/TCP                                         28h
#Configure the webhook in GitLab (project root/spring-boot-helloworld, Settings > Webhooks): URL = the EventListener Service, e.g. http://el-gitlab-event-listener.default.svc.cluster.local:8080 (GitLab runs in the same cluster; adjust the namespace if the listener is not in default), Secret token = the webhookToken value from the Secret above, Trigger = Push events. GitLab refuses to call cluster-internal addresses unless "Allow requests to the local network from webhooks and integrations" is enabled under Admin Area > Settings > Network > Outbound requests.
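Before registering the webhook it helps to know exactly what the listener will and will not accept. The following added Python example (not Tekton's interceptor code and not from the course material) emulates the checks configured in gitlab-event-listener above: the gitlab interceptor's constant-time comparison of X-Gitlab-Token with the Secret and its eventTypes match, a CEL-style filter restricting the repository and branch (which the token check alone does not do), and the values gitlab-push-binding would extract. The github interceptor's HMAC check is included for contrast. The Push Hook body, the commit id and the allowed repository and branch are constructed assumptions; the header and field names (X-Gitlab-Token, X-Gitlab-Event, checkout_sha, repository.git_http_url, X-Hub-Signature-256) are the real ones.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

WEBHOOK_TOKEN = "DXeqvozMlTA67aQB"   # webhookToken from the Secret above; use your own random value
ALLOWED_REPO = "http://code.magedu.com/root/spring-boot-helloworld.git"   # assumption: repo that may build
ALLOWED_REF = "refs/heads/main"                                            # assumption: branch that may build
DEMO_SHA = "da1560886d4f094c3e6c9ef40349f7d38b5d27d7"                     # constructed commit id


def push_body(repo_url: str, ref: str = ALLOWED_REF, sha: str = DEMO_SHA) -> bytes:
    """Constructed GitLab 'Push Hook' body, reduced to the fields gitlab-push-binding reads."""
    return json.dumps({"object_kind": "push", "ref": ref, "checkout_sha": sha,
                       "repository": {"git_http_url": repo_url}}).encode()


RAW_PUSH = push_body(ALLOWED_REPO)
GITLAB_HEADERS = {"X-Gitlab-Event": "Push Hook", "X-Gitlab-Token": WEBHOOK_TOKEN,
                  "Content-Type": "application/json"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    for k, v in headers.items():                 # header names are case-insensitive
        if k.lower() == name.lower():
            return v
    return None


def gitlab_interceptor(headers: Dict[str, str], token: str, event_types) -> Tuple[bool, str]:
    """What the core 'gitlab' ClusterInterceptor enforces: GitLab sends the configured
    secret token verbatim in X-Gitlab-Token (no signature), so the check is an equality
    test; compare in constant time and only then look at the event type."""
    got = _header(headers, "X-Gitlab-Token") or ""
    if not hmac.compare_digest(got.encode(), token.encode()):
        return False, "X-Gitlab-Token does not match the secret"
    event = _header(headers, "X-Gitlab-Event")
    if event not in event_types:
        return False, f"event type {event!r} not in {list(event_types)}"
    return True, "ok"


def github_signature(secret: str, body: bytes) -> str:
    """GitHub's X-Hub-Signature-256 value: HMAC-SHA256 over the raw request body."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def github_interceptor(headers: Dict[str, str], body: bytes, secret: str) -> Tuple[bool, str]:
    """For contrast, the 'github' interceptor verifies an HMAC over the body instead
    of a cleartext token, so a captured header cannot be replayed with a new body."""
    got = _header(headers, "X-Hub-Signature-256") or ""
    if not hmac.compare_digest(got, github_signature(secret, body)):
        return False, "X-Hub-Signature-256 does not verify"
    return True, "ok"


def repo_filter(body: dict) -> Tuple[bool, str]:
    """Equivalent of a CEL interceptor filter such as
    body.repository.git_http_url == ALLOWED_REPO && body.ref == ALLOWED_REF: the token
    proves the request came from our GitLab, not that it concerns the repository and
    branch this listener is meant to build."""
    repo = body.get("repository", {}).get("git_http_url")
    if repo != ALLOWED_REPO:
        return False, f"repository {repo!r} may not trigger this listener"
    if body.get("ref") != ALLOWED_REF:
        return False, f"ref {body.get('ref')!r} ignored"
    return True, "ok"


def process_event(headers: Dict[str, str], raw_body: bytes):
    """Whole chain for one request: interceptor -> filter -> binding values.
    Returns (params for gitlab-trigger-template, reason)."""
    ok, why = gitlab_interceptor(headers, WEBHOOK_TOKEN, ["Push Hook"])
    if not ok:
        return None, why
    body = json.loads(raw_body)
    ok, why = repo_filter(body)
    if not ok:
        return None, why
    return {"git-revision": body["checkout_sha"],
            "git-repo-url": body["repository"]["git_http_url"]}, "accepted"


if __name__ == "__main__":
    print(process_event(GITLAB_HEADERS, RAW_PUSH))
```

To exercise the real listener, POST the same body with the same headers to the el-gitlab-event-listener Service on port 8080 from inside the cluster, then check kubectl get taskruns and the EL pod's logs; a wrong token, a Tag Push Hook, or a push from another repository should produce no TaskRun.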
Summary:
Tekton Triggers:
Trigger --> Pod
Event (GitLab)
Interceptor
PipelineRunTemplate --> PipelineRun
GitLab (Repository) --> Event --> EventListener Pod --> Interceptor (token and event-type check) --> TriggerBinding (extracts event values) --> TriggerTemplate (Parameters) --> Pipeline (Parameters) --> Task (Parameters)
Event --> TriggerTemplate Parameters --> Pipeline Parameters --> Task Parameters
          Params = $(tt.params.NAME)      Params = $(params.NAME)
Trigger:
ClusterInterceptor: pre-processes the event
TriggerTemplate: defines a TaskRun template or PipelineRun template and declares parameters (whose values come from event attributes)
TriggerBinding: extracts specific event attribute values and passes them to the parameters declared in the TriggerTemplate
These values are passed on to the matching parameters of the TaskRun or PipelineRun template, instantiating it, i.e. creating a TaskRun or PipelineRun resource
A Trigger materializes as an EventListener Pod, which receives events from a code repository.
Entry point: the EventListener Service
Authentication: a custom webhook token
The gitlab interceptor reads this token from the Secret and compares it with the X-Gitlab-Token header of every request that reaches the listener's webhook
The code repository must be configured with the same token so that it can authenticate to the EL Pod and deliver events