For this guide I'm assuming you are running a local Kubernetes cluster.
In the previous article we've seen how to share information across a Pipeline using Workspaces, leading to a task for cloning a Github repository then ending with anoter task for listing the source files in the cloned repository.
Now, let's understand how to listen to Github events and trigger the Pipeline using event bindings.
👂 Listening to Github events
How to listen to Github events? In other words, when someone pushes code to some branch or opens a pull request, how do we get notified from that?
Github (not only Github but other majors like Gitlab too) notifies such events using Webhooks.
We basically have to configure a webhook in the Github interface, choose some events and provide a webhook URL to receive a payload.
Payload received, we can decide whatever we want with that information.
In our case, we want to look at the event type (if pull request opened for instance), extract the repo URL from the payload and then run the pipeline providing the repo URL.
Here's the basic architecture of Webhooks on Github:
The summary of steps we're going to cover in this post:
- Create a Tekton Event Listener, TriggerBinding and TriggerTemplate
- Configure the Github Webhook
Let's dive in!
First things first
Install the triggers resources in the cluster:
$ kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
$ kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml
1. Create the Event Listener
Event Listeners are Tekton components that listen for events at a specified port in your Kubernetes cluster. Listeners are attached to Kubernetes Pods and backed by Services.
Event Listeners need a proper Kubernetes Service Account for role access control (RBAC), so the first step is creating the RBAC objects.
The Gist with the RBAC yaml can be found here.
Time to exmplore the event-listener.yml:
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: github-pr
spec:
serviceAccountName: tekton-service-account
triggers:
- name: pr-trigger
bindings:
- ref: github-pr-trigger-binding
template:
ref: github-pr-trigger-template
- serviceAccountName referes to the RBAC
- each trigger has a name and must provide a trigger binding and a trigger template
Trigger Binding
Trigger Bindings are responsible to extract information from the event payload and use such information in the TriggerTemplate.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: github-pr-trigger-binding
spec:
params:
- name: revision
value: $(body.pull_request.head.sha)
- name: repo-url
value: $(body.repository.clone_url)
Trigger Template
Trigger Templates define the template of the pipeline or task, using the params extracted by the TriggerBinding.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: github-pr-trigger-template
spec:
params:
- name: revision
default: main
- name: repo-url
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: my-pipeline-
spec:
pipelineRef:
name: my-pipeline
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: $(tt.params.repo-url)
- name: revision
value: $(tt.params.revision)
TriggerTemplate is similar to PipelineRun, except that the latter is triggered manually as we've seen in the previous posts.
Then, the TriggerTemplate "sends" the needed params to the PipelineRef, along with the definition of Workspace volume claim templates.
Exposing the Event Listener URL
After applying the Trigger resources, we can check that Tekton created a Kubernetes service for the event listener:
$ tkn eventlisteners list
NAME AGE URL AVAILABLE
github-pr 21 minutes ago http://el-github-pr.default.svc.cluster.local:8080 True
All we need is providing this URL http://el-github-pr.default.svc.cluster.local:8080 to the Github Webhook.
But we have two problems here:
a. The URL is only accessed within the cluster. In order to expose it to the localhost, we should perform a port-forward
b. Github cannot access our localhost, so we need to use some sort of "proxy" in the internet that creates a tunnel for our local computer on the port 8080.
First, let's perform the port-forward:
$ kubectl port-forward svc/el-github-pr 8080:8080
Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080
Great, our host is receiving in the port 8080 (localhost:8080), but how do we tunnel Github to our port using some service in the cloud?
Ngrok solves that problem. With ngrok, we simply issue:
$ ngrok http http://localhost:8080
And it outputs a public URL ready to be used across the internet, forwarding to our port 8080 in the localhost:
Add Single Sign-On to your ngrok dashboard via your Identity Provider: https://ngrok.com/dashSSO
Session Status online
Account Leandro Proença (Plan: Free)
Version 3.1.1
Region South America (sa)
Latency 23ms
Web Interface http://127.0.0.1:4040
Forwarding https://95d2-177-9-110-144.sa.ngrok.io -> http://localhost:8080
Connections ttl opn rt1 rt5 p50 p90
0 0 0.00 0.00 0.00 0.00
Nice, look how we've got a random URL (in your case it will be different, okay?):
https://95d2-177-9-110-144.sa.ngrok.io
🎉
2. Configuring the Github Webhook
In the repository settings, go to Webhooks:
Fill the form with the following:
- Payload URL: paste the URL from Ngrok
- Content-Type: application/json
- Secret: leave it empty for now
- Let me select individual events: Pull Requests only
Webhook created, time to create some PR in the repository.
As we can see next, the pipeline was triggered by the event! 🚀
🍺 Good times! 🍺
It's all about tests!
At this moment, our pipeline only runs a simple ls command in the cloned repository. But we should do even more: style checks, security checks and automated tests.
Let's change the pipeline so it runs the unit tests in the repository.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: chespirito-pipeline
spec:
params:
- name: repo-url
type: string
- name: revision
type: string
workspaces:
- name: shared-data
tasks:
- name: fetch-source
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.revision)
- name: run-tests
runAfter: ["fetch-source"]
taskRef:
name: run-tests
workspaces:
- name: source
workspace: shared-data
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: run-tests
spec:
workspaces:
- name: source
steps:
- name: unit-tests
image: ubuntu
workingDir: $(workspaces.source.path)
script: |
#!/usr/bin/env bash
docker-compose run --rm ruby bundle install
docker-compose run --rm ruby ruby -Itest test/all.rb
We just created a new pipeline called chespirito-pipeline, which uses 2 tasks: git-clone and run-tests.
The run-tests Task comprises of an Ubuntu image, so all we need is to use Docker to run the tests inside the container.
A note about running docker commands on CI
However, the Ubuntu Docker official image does not provide a Docker Runtime, then we need to run some kind of "Docker image" in order to have it ready to run.
Almost every CI environment in the cloud (including ours running on a local Kubernetes cluster) is already running jobs/tasks in Docker containers.
Eack Task is a container, so how can we run Docker in Docker?
Docker in Docker
Luckily, the Docker Hub community provides a Docker image for running Docker containers inside Docker.
It's called Docker-in-Docker, or dind.
For a Kubernetes cluster, there's a minimal setup needed to make it work. We should mount some specific volumes and export some environment variables so the container will use the correct Docker Runtime in the cluster.
We can use an architectural pattern called Sidecar Pattern, which is basically an initContainer that uses the dind image and mounts volumes so other containers in the same Pod can use the Docker Runtime.
In Tekton, it's no different, and the resource is actually called Sidecar, similar to Step within a Task but it runs before the steps.
Changing the Task
Because of separation of concerns, the only component we have to change is the Task (thanks to how Kubernetes employ important architectural patterns).
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: run-tests
spec:
workspaces:
- name: source
steps:
- name: unit-tests
image: docker
workingDir: $(workspaces.source.path)
script: |
docker-compose run --rm ruby bundle install
docker-compose run --rm ruby ruby -Itest test/all.rb
The image used will be docker, because we'll run Docker commands for running the unit tests.
Now, we add to this step, the env variables that Docker will use to connect to the runtime:
...
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: "/certs/client"
Next, declare the volumeMounts that will be populated by the sidecar:
...
volumeMounts:
- mountPath: /certs/client
name: dind-certs
Step defined, let's declare the sidecar node, right after the steps section:
...
sidecars:
- name: dind
image: docker:dind
securityContext:
privileged: true
args:
- --storage-driver=vfs
- --userland-proxy=false
- --debug
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
volumeMounts:
- mountPath: /certs/client
name: dind-certs
- mountPath: $(workspaces.source.path)
name: $(workspaces.source.volume)
readinessProbe:
periodSeconds: 1
exec:
command: ['ls', '/certs/client/ca.pem']
The sidecar uses the docker:dind image, starts it and then mounts the /certs in the volume shared with the step.
Also, it's important to note that the sidecar needs to mount the workspace as a Volume, since the Docker run will happen in the sidecar.
Finally, we declare the volumes section, which can be an emptyDir since it's used by steps/sidecars within the same Task:
...
volumes:
- name: dind-certs
emptyDir: {}
Pipeline applied, time to create the PipelineRun:
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: chespirito-pipeline-
spec:
pipelineRef:
name: chespirito-pipeline
params:
- name: repo-url
value: https://github.com/leandronsp/chespirito.git
- name: revision
value: main
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
🎉 May we run it and everything is green!
The last piece
Okay, we've run the new chespirito-pipeline manually. But now we have to change the EventListener, and the only thing needed is:
...
pipelineRef:
name: chespirito-pipeline
Apply some changes in the branch, push to the PR and...
🎉 How wonderful is that? 🚀
In this article we learned about event listeners, triggers, Github webhooks and how to integrate all those stuff so we can run the unit tests at some arbitrary project in Github!
Keep in tune, later we'll see how to listen to the "push to main" event and rollout our application in the Kubernetes cluster, which is the "CD part".
Cheers! 🍺
Top comments (0)