Following our series on CI/CD cloud native, we will go on setting up a simple Tekton pipeline to automate testing, using kubernetes. We should cover the simple flow of updating code and testing code. We will be using GitHub webhook events to trigger our pipeline.
First we need to install Tekton operator, so we can focus configuration in one config file, making it easy to have all the features we need in a more declarative way.
Installing Tekton Operator
First, install the Operator Lifecycle Manager, a tool to manage operators running in your cluster.
curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.27.0/install.sh | bash -s v0.27.0
Install the operator:
kubectl create -f https://operatorhub.io/install/tektoncd-operator.yaml
Wait until the operator is up and running. You can check the status by running:
kubectl get csv -n operators
Configure Tekton
We will need to configure Tekton. The operator is configured using a file called TektonConfig.yaml.
apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
name: config
namespace: tekton-pipelines
spec:
targetNamespace: tekton-pipelines
profile: all
chain:
disabled: false
pipeline:
await-sidecar-readiness: false
disable-affinity-assistant: true
disable-creds-init: false
enable-api-fields: alpha
enable-bundles-resolver: true
enable-cluster-resolver: true
enable-custom-tasks: true
enable-git-resolver: true
performance:
disable-ha: true
buckets: 1
replicas: 1
threads-per-controller: 32
kube-api-qps: 100.0
kube-api-burst: 200
pruner:
disabled: false
schedule: "0 * * * *"
resources:
- taskrun
- pipelinerun
keep: 3
# keep-since: 1440
# NOTE: you can use either keep or keep-since, not both
prune-per-resource: true
hub:
params:
- name: enable-devconsole-integration
value: "true"
options:
disabled: false
dashboard:
readonly: false
options:
disabled: false
We will go on about some items in the config file, but you can find the full reference on the TektonConfig.
We are setting up the profile of the operator to all as this gives us access to all the features on the Tekton operator. If you plan to use less and want a slimmer setup, the reference for profiles is:
all: This profile will install all components (TektonPipeline, TektonTrigger, and TektonChain)
basic: This profile will install only TektonPipeline, TektonTrigger, and TektonChain components
lite: This profile will install only TektonPipeline components
We are disabling affinity assistant. This is a feature that coschedules pods of a PipelineRun that share the same persistent volume to the same Node. This is being deprecated in favor of coschedule workspaces. We are also disabling sidecar readiness, as we won't be using any sidecars.
Pruner configuration is configured to run at the beginning of each hour. It will delete Tasks and TaskRuns, clearing resources.
Dashboard readonly false will allow for actions on PipelineRuns and tasks to be taken directly on the dashboard.
Overview
Let's visualize what we want to perform in our CI/CD flow.
First, we will make changes to our codebase. Those changes will be pushed to a GitHub repository. The push event on the GitHub webhook will trigger our pipeline to run tests.
Handling Github Events
For external events, we will set up an event listener. Tekton uses a custom resource for that, EventListener. This will create a service exposed via Kubernetes API. This service will receive GitHub webhook events. Then, after that, we can write a filter to match the event and trigger on our event listener.
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: tekton-github-pr-{{ .Values.projectName }}
spec:
serviceAccountName: service-account-{{ .Values.projectName }}
triggers:
- name: pr-trigger
interceptors:
- ref:
name: "cel"
kind: ClusterInterceptor
apiVersion: triggers.tekton.dev
params:
- name: "filter"
value: >
header.match('x-github-event', 'merge')
- name: "overlays"
value:
- key: author
expression: body.pusher.name.lowerAscii().replace('/','-').replace('.', '-').replace('_', '-')
- key: pr-ref
expression: body.ref.lowerAscii().replace("/", '-')
bindings:
- ref: tb-github-pr-trigger-binding-{{ .Values.projectName }}
template:
ref: tt-github-pr-trigger-template-{{ .Values.projectName }}
Notice this resource has a serviceAccountName as required. The EventListener will create resources in our cluster. This will ensure we have the correct roles and permissions to do it properly.
We will use a Cel ClusterInterceptor, another custom resource so we can write filter expressions using CEL, This is how we manage to evaluate the webhook request and filter triggers for many kinds of pipelines.
Here we also use overlays to create variables based on an expression that can be passed down to our pipelines. In this case, we want the author and the ref so we can customize the pipeline display name.
Bindings and templates are two other resources we will reference in the EventListener.
Bindings
TriggerBindings are another way to bind objects from the webhook request to variables we can use to control pipeline flow.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: tb-github-pr-trigger-binding-{{ .Values.projectName }}
spec:
params:
- name: revision
value: $(body.after)
- name: repo-url
value: $(body.repository.ssh_url)
- name: author
value: $(extensions.author)
- name: pr-ref
value: $(extensions.pr-ref)
- name: repo-full-name
value: $(body.repository.full_name)
Here we reference from the request captured by the EventListener the information we want to be assigned to variables, so we can pass down to the pipeline in the TriggerBinding. The variables we create with overlays in the EventListener we have to reference from the object extensions. We can reference the request body and header too.
Triggering the Pipeline
TriggerTemplate is the resource that pieces together events with the variables we set up on the TriggerBinding. Here we will associate variables as params to the pipelines, creating a PipelineRun, which is the actual automation being executed as a pod in Kubernetes.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: tt-github-pr-trigger-template-{{ .Values.projectName }}
spec:
params:
- name: revision
- name: repo-url
- name: author
- name: repo-full-name
- name: pr-ref
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: pr-$(tt.params.pr-ref)-$(tt.params.author)-
spec:
serviceAccountName: service-account-{{ .Values.projectName }}
pipelineRef:
name: {{ .Values.projectName}}-pipeline
workspaces:
- name: cache
persistentVolumeClaim:
claimName: pvc-cache-{{ .Values.projectName }}
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
params:
- name: repo-url
value: $(tt.params.repo-url)
- name: revision
value: $(tt.params.revision)
- name: repo-full-name
value: $(tt.params.repo-full-name)
- name: ref
value: $(tt.params.ref)
- name: deploy-staging
value: $(tt.params.deploy-staging)
- name: test-all
value: $(tt.params.test-all)
On the TriggerTemplate, we receive the params from the TriggerBinding and pass the params to the PipelineRun.
We need to reference the Pipeline on pipelineRef, this is the pipeline we want to run.
We also define our workspaces. In our example, we are passing 2 workspaces, one as a volumeClaimTemplate that will be discarded at the end of the PipelineRun. It uses claim templates to dynamically provision non-persistent storage with the resource values described. The workspace cache is defined using persistentVolumeClaim, which takes a persistent volume you need to define.
Pipeline
The pipeline is the orchestrated flow of tasks we want to run. It will have the parameters we defined in the TriggerTemplate and the logic we want to execute applied to tasks. For this example, we will look at a simple test pipeline that clones a repository and runs the test script.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: {{ .Values.projectName }}-pipeline-tests
spec:
workspaces:
- name: shared-data
- name: cache
params:
- name: repo-url
type: string
- name: revision
type: string
tasks:
- name: fetch-source
taskRef:
resolver: cluster
params:
- name: kind
value: task
- name: name
value: task-git-clone
- name: namespace
value: tekton-pipelines
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.revision)
- name: depth
value: 2
workspaces:
- name: output
workspace: shared-data
- name: install-deps
runAfter: ["fetch-source"]
taskRef:
resolver: cluster
params:
- name: kind
value: task
- name: name
value: task-install-deps
- name: namespace
value: tekton-pipelines
params:
- name: install-script
value: yarn install --prefer-offline --ignore-engines
workspaces:
- name: source
workspace: shared-data
- name: cache
workspace: cache
- name: test-task
runAfter: ["install-deps"]
taskRef:
resolver: cluster
params:
- name: kind
value: task
- name: name
value: task-test
- name: namespace
value: tekton-pipelines
params:
- name: diff
value: $(tasks.fetch-source.results.diff)
- name: install-deps
value: yarn install
- name: run-test
value: yarn test
workspaces:
- name: source
workspace: shared-data
- name: cache
workspace: cache
Here we organize the logic of our pipeline.
To help with organization and reutilization of tasks, which are the more atomic resources of a Tekton pipeline, we use a cluster resolver. This way, we can have one task shared across all namespaces and eliminate the need to duplicate tasks that are common to multiple pipelines. The cluster resolver takes the namespace the task is in and the name of the task.
The parameters we define in the TriggerTemplate and pass to the pipeline run are defined in the pipeline and passed to the tasks.
Another great feature of the Tekton pipeline is the TaskResult. Notice we use a parameter in the test-task that is inherited from a task result. This result is defined in the task fetch-source, which is the task we will create to clone a remote repository. The parameter diff is a list of files that were modified in the PR that triggered this pipeline.
The workspaces we define in the TriggerTemplate are also assigned to the tasks. This ensures all pods created for all tasks in the pipeline execute our automations in the same storage space. That way, we can clone the remote repository at the beginning of the pipeline and perform many tasks with the same files.
Creating our tasks
Now we define the tasks, which are the actual work to be done in our pipeline. In Tekton, each task is a Pod in Kubernetes. It is composed of several steps, each step being a container inside this task pod.
Fetch Source Task
This task fetches a remote repository. We are using depth 2, which means we will be getting the last two commits from the repository, avoiding downloading too much data.
We will also generate some task results we can use in our pipelines. The result is defined in the Task custom resource. Tekton also provides an api to interact with results. To use the results from a task, we only need to reference them as tasks..results..
Here an example in our public repository of a fech-source task.
Test Task
This is a simple task that executes a script command you provide. As with the previous task, we define the workspace where we clone the repository and define one step to install dependencies and another to run the tests. There are many ways to organize this same scenario; this is just an example of tasks and how steps are defined.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: task-test
namespace: {{ .Values.projectName }}
spec:
description: >-
A generic task to run any bash command in any given image
workspaces:
- name: source
optional: true
- name: cache
optional: true
params:
- name: run-test
type: string
- name: install-deps
type: string
- name: diff
type: string
description: diff of the pull request
- name: image
type: string
default: "node:latest"
steps:
- name: install
image: $(params.image)
workingDir: $(workspaces.source.path)
script: |
#!/usr/bin/env bash
set -xe
$(params.install-deps)
- name: test
image: $(params.image)
workingDir: $(workspaces.source.path)
script: |
#!/usr/bin/env bash
set -xe
$(params.run-test)
Dashboard
In order to visualize your tekton resources, tekton operators will create a service to host the Tekton Dashboard, to find the ip asigned to the dashboard run:
kubectl get services -n tekton-pipelines
Final Considerations
In this article, we covered the steps to automate a simple testing pipeline using the Tekton Operator. There are many ways to achieve this same result, and Tekton is a powerful tool that offers a lot of resources you can use depending on your needs. Additionally, the community is active and supportive. You can open an issue on the Tekton Github.
Woovi is also improving our own CI/CD internal platform. In the WooviOps repo, you can find our basic implementation of the same case we covered in this article and more. If you want to help us improve, we welcome your PRs, comments, or you can just reach out to us on Twitter.
Also, Woovi is hiring!
Photo by Rock'n Roll Monkey on Unsplash
Top comments (1)
Awesome!