跳转至

触发器和事件监听器

前面我们都是通过创建一个 TaskRun 或者一个 PipelineRun 对象来触发任务,但是在实际的工作中更多的是开发人员提交代码过后来触发任务,这个时候就需要用到 Tekton 里面的 Triggers 概念了。

Tekton Triggers Workflow

Triggers 同样通过下面的几个 CRD 对象对 Tekton 进行了一些扩展:

  • TriggerTemplate: 创建资源的模板,比如用来创建 PipelineResourcePipelineRun
  • TriggerBinding: 校验事件并提取相关字段属性
  • ClusterTriggerBinding: 和 TriggerBinding 类似,只是是全局的
  • Interceptor: 处理事件以进行自定义验证或过滤的拦截器
  • EventListener: 连接 TriggerBindingTriggerTemplate 到事件接收器,使用从各个 TriggerBinding 中提取的参数来创建 TriggerTemplate 中指定的 resources,同样通过 interceptor 字段来指定外部服务对事件属性进行预处理

Tekton Triggers

例如,我们可以使用触发器实现以下 CI/CD 工作流:

    1. Triggers 监听 git commitgit pull request 事件。当检测到时,它会使用提交的代码执行一个单元测试的 Pipeline
    1. Triggers 监听指示测试成功完成的 git push 事件,当它检测到时,它会验证测试的结果并执行构建测试代码的 Pipeline
    1. 当关联的 PipelineRun 执行完成时,Triggers 检查构建的结果,如果成功,则执行一个 Task,将构建结果上传到对应的 Docker 镜像仓库。
    1. 最后,Docker registry 发送一个事件到 Pub/Sub,该事件触发一个将构建镜像推送到 staging 环境的 Pipeline

同样要使用 Tekton Triggers 就需要安装对应的控制器,可以直接通过 tektoncd/triggers 的 GitHub 仓库说明进行安装,如下所示的命令:

kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml

同样由于官方使用的镜像是 gcr 的镜像,所以正常情况下我们是获取不到的,如果你的集群由于某些原因获取不到镜像,可以使用下面的资源清单文件,我已经将镜像替换成了 Docker Hub 上面的镜像:

$ kubectl apply -f https://my-oss-testing.oss-cn-beijing.aliyuncs.com/k8s/tekton/triggers/release.v0.20.1.yml
$ kubectl apply -f https://my-oss-testing.oss-cn-beijing.aliyuncs.com/k8s/tekton/triggers/interceptors.v0.20.1.yaml

可以使用如下命令查看 Triggers 的相关组件安装状态,直到都为 Running 状态:

$ kubectl get pods -n tekton-pipelines
NAME                                                 READY   STATUS    RESTARTS        AGE
tekton-dashboard-6bd9848575-sfrsq                    1/1     Running   4 (4h48m ago)   3d23h
tekton-pipelines-controller-589b6b88f8-brn56         1/1     Running   4 (4h48m ago)   3d19h
tekton-pipelines-webhook-687fb7945b-p4xnp            1/1     Running   4 (4h48m ago)   3d23h
tekton-triggers-controller-7bdbb584fd-4mm9p          1/1     Running   0               29m
tekton-triggers-core-interceptors-6d74578fdf-xw24n   1/1     Running   0               29m
tekton-triggers-webhook-5946c97b8d-wbjvk             1/1     Running   0               29m

现在我们来将前面的 Jenkins Pipeline 流水线转换成使用 Tekton 来构建,代码我们已经推送到了私有仓库 GitLab,地址为:http://git.k8s.local/course/devops-demo.git

首先我们需要完成触发器的配置,当我们提交源代码到 GitLab 的时候,需要触发 Tekton 的任务运行,所以首先需要完成这个触发器。这里就可以通过 EventListener 这个资源对象来完成,创建一个名为 gitlab-listenerEventListener 资源对象,文件内容如下所示:

# gitlab-push-listener.yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: gitlab-listener # 该事件监听器会创建一个名为 el-gitlab-listener 的Service对象
spec:
  serviceAccountName: tekton-triggers-gitlab-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - ref:
            name: gitlab
          params:
            - name: secretRef # 引用 gitlab-secret 的 Secret 对象中的 secretToken 的值
              value:
                secretName: gitlab-secret
                secretKey: secretToken
            - name: eventTypes
              value:
                - Push Hook # 只接收 GitLab Push 事件
      bindings:
        - ref: devops-demo-binding
      template:
        ref: devops-demo-template

由于 EventListener 创建完成后会生成一个 Listener 的服务,用来对外暴露用于接收事件响应,比如上面我们创建的对象名为 gitlab-listener,创建完成后会生成一个名为 el-gitlab-listener 的 Service 对象,由于我们 GitLab 本身就在集群内部,所以我们用 Service 的 DNS 形式来访问 EventListener 即可,如果你想暴露到集群外部则可以使用 NodePort 或者 Ingress 的形式。

另外需要注意的是在上面的 EventListener 对象中我们添加了 interceptors 属性,其中有一个内置的 gitlab 拦截器,GitLab 拦截器包含验证和过滤来自 GitLab 的请求逻辑, 比如我们可以配置 WebHook 的 Secret Token,可以通过 Secret 对象引入进来:

interceptors:
  - ref:
      name: gitlab
    params:
      - name: secretRef # 引用 gitlab-secret 的 Secret 对象中的 secretToken 的值
        value:
          secretName: gitlab-secret
          secretKey: secretToken
      - name: eventTypes
        value:
          - Push Hook # 只接收 GitLab Push 事件

对应的 Secret 资源对象如下所示,一个用于 WebHook 的 Secret Token,另外一个是用于 GitLab 登录认证使用的:

# gitlab-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secret
type: Opaque
stringData:
  secretToken: "1234567"
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-auth
  annotations:
    tekton.dev/git-0: http://git.k8s.local
type: kubernetes.io/basic-auth
stringData:
  username: root
  password: admin321

由于 EventListener 对象需要访问其他资源对象,所以需要声明 RBAC,如下所示:

# event-listener-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-gitlab-sa
secrets:
  - name: gitlab-secret
  - name: gitlab-auth
  - name: harbor-auth
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-triggers-gitlab-minimal
rules:
  # EventListeners need to be able to fetch all namespaced resources
  - apiGroups: ["triggers.tekton.dev"]
    resources:
      ["eventlisteners", "triggerbindings", "triggertemplates", "triggers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    # configmaps is needed for updating logging config
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Permissions to create resources in associated TriggerTemplates
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns", "pipelineresources", "taskruns"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["impersonate"]
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["tekton-triggers"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers-gitlab-binding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-gitlab-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-triggers-gitlab-minimal
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-triggers-gitlab-clusterrole
rules:
  # EventListeners need to be able to fetch any clustertriggerbindings
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["clustertriggerbindings", "clusterinterceptors"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-triggers-gitlab-clusterbinding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-gitlab-sa
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-gitlab-clusterrole

然后接下来就是最重要的 TriggerBindingTriggerTemplate 对象了,我们在上面的 EventListener 对象中将两个对象组合在一起:

bindings:
  - ref: devops-demo-binding # TriggerBinding 对象
template:
  ref: devops-demo-template # TriggerTemplate 对象

这样就可以将 TriggerBinding 中的参数传递到 TriggerTemplate 对象中进行模板化。比如这里我们定义一个如下所示的 TriggerBinding 对象:

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: devops-demo-binding
spec:
  params:
    - name: gitrevision
      value: $(body.checkout_sha)
    - name: gitrepositoryurl
      value: $(body.repository.git_http_url)

这里需要注意的是参数的值我们是通过读取 GitLab WebHook 发送过来的数据值,通过 $() 包裹的 JSONPath 表达式来提取的,关于表达式的更多用法可以查看官方文档说明,至于能够提取哪些参数值,则可以查看 WebHook 的说明,比如这里我们是 GitLab Webhook 的 Push Hook,对应的请求体数据如下所示:

{
  "object_kind": "push",
  "before": "95790bf891e76fee5e1747ab589903a6a1f80f22",
  "after": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
  "ref": "refs/heads/master",
  "checkout_sha": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
  "user_id": 4,
  "user_name": "John Smith",
  "user_username": "jsmith",
  "user_email": "john@example.com",
  "user_avatar": "https://s.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=8://s.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=80",
  "project_id": 15,
  "project": {
    "id": 15,
    "name": "Diaspora",
    "description": "",
    "web_url": "http://example.com/mike/diaspora",
    "avatar_url": null,
    "git_ssh_url": "git@example.com:mike/diaspora.git",
    "git_http_url": "http://example.com/mike/diaspora.git",
    "namespace": "Mike",
    "visibility_level": 0,
    "path_with_namespace": "mike/diaspora",
    "default_branch": "master",
    "homepage": "http://example.com/mike/diaspora",
    "url": "git@example.com:mike/diaspora.git",
    "ssh_url": "git@example.com:mike/diaspora.git",
    "http_url": "http://example.com/mike/diaspora.git"
  },
  "repository": {
    "name": "Diaspora",
    "url": "git@example.com:mike/diaspora.git",
    "description": "",
    "homepage": "http://example.com/mike/diaspora",
    "git_http_url": "http://example.com/mike/diaspora.git",
    "git_ssh_url": "git@example.com:mike/diaspora.git",
    "visibility_level": 0
  },
  "commits": [
    {
      "id": "b6568db1bc1dcd7f8b4d5a946b0b91f9dacd7327",
      "message": "Update Catalan translation to e38cb41.\n\nSee https://gitlab.com/gitlab-org/gitlab for more information",
      "title": "Update Catalan translation to e38cb41.",
      "timestamp": "2011-12-12T14:27:31+02:00",
      "url": "http://example.com/mike/diaspora/commit/b6568db1bc1dcd7f8b4d5a946b0b91f9dacd7327",
      "author": {
        "name": "Jordi Mallach",
        "email": "jordi@softcatala.org"
      },
      "added": ["CHANGELOG"],
      "modified": ["app/controller/application.rb"],
      "removed": []
    },
    {
      "id": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
      "message": "fixed readme",
      "title": "fixed readme",
      "timestamp": "2012-01-03T23:36:29+02:00",
      "url": "http://example.com/mike/diaspora/commit/da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
      "author": {
        "name": "GitLab dev user",
        "email": "gitlabdev@dv6700.(none)"
      },
      "added": ["CHANGELOG"],
      "modified": ["app/controller/application.rb"],
      "removed": []
    }
  ],
  "total_commits_count": 4
}

请求体中的任何属性都可以提取出来,作为 TriggerBinding 的参数,如果是其他的 Hook 事件,对应的请求体结构可以查看 GitLab 文档说明

这样我们就可以在 TriggerTemplate 对象中通过参数来读取上面 TriggerBinding 中定义的参数值了,定义一个如下所示的 TriggerTemplate 对象,声明一个 TaskRun 的模板,定义的 Task 任务也非常简单,只需要在容器中打印出代码的目录结构即可:

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: devops-demo-template
spec:
  params: # 定义参数,和 TriggerBinding 中的保持一致
    - name: gitrevision
    - name: gitrepositoryurl
  resourcetemplates: # 定义资源模板
    - apiVersion: tekton.dev/v1beta1
      kind: TaskRun # 定义 TaskRun 模板
      metadata:
        generateName: gitlab-run- # TaskRun 名称前缀
      spec:
        serviceAccountName: tekton-triggers-gitlab-sa
        taskSpec: # Task 任务声明
          resources:
            inputs: # 定义一个名为 source 的 git 输入资源
              - name: source
                type: git
          steps:
            - name: show-path
              image: ubuntu # 定义一个执行步骤,列出代码目录结构
              script: |
                #! /bin/bash
                ls -la $(resources.inputs.source.path)
        resources: # 声明具体的输入资源参数
          inputs:
            - name: source # 和 Task 中的资源名保持一直
              resourceSpec: # 资源声明
                type: git
                params:
                  - name: revision
                    value: $(tt.params.gitrevision) # 读取参数值
                  - name: url
                    value: $(tt.params.gitrepositoryurl)

需要注意在最后的 pipelineresource 中引用参数值的时候使用了一个 tt 的前缀。定义完过后,直接创建上面的资源对象,创建完成后会自动生成 EventListener 的 Pod 和 Service 对象:

$ kubectl get svc -l eventlistener=gitlab-listener
NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
el-gitlab-listener   ClusterIP   10.100.105.169   <none>        8080/TCP,9000/TCP   10m
$ kubectl get pod -l eventlistener=gitlab-listener
NAME                                  READY   STATUS    RESTARTS   AGE
el-gitlab-listener-7786b679c5-w5mgq   1/1     Running   0          10m
$ kubectl get eventlistener
NAME              ADDRESS                                                    AVAILABLE   REASON                     READY   REASON
gitlab-listener   http://el-gitlab-listener.default.svc.cluster.local:8080   True        MinimumReplicasAvailable   True

接下来我们就可以到 GitLab 的项目中配置 WebHook,注意需要配置 Secret Token,我们在上面的 Secret 对象中声明过:

Secret Token

创建完成后,我们可以测试下该 WebHook 的 Push events 事件,直接点击测试即可(如果使用自定义的域名则需要在 coredns 中添加映射),正常会返回 Hook executed successfully: HTTP 202 的提示信息,这个时候在 Kubernetes 集群中就会出现如下所示的任务 Pod:

$ kubectl get pods -l triggers.tekton.dev/eventlistener=gitlab-listener
NAME                   READY   STATUS      RESTARTS   AGE
gitlab-run-rlc57-pod   0/2     Completed   0          106s
$ kubectl get taskrun -l triggers.tekton.dev/eventlistener=gitlab-listener
NAME               SUCCEEDED   REASON      STARTTIME   COMPLETIONTIME
gitlab-run-rlc57   True        Succeeded   2m5s        102s
$ tkn taskrun logs gitlab-run-rlc57
[git-source-source-rxnv8] {"level":"info","ts":1658392647.1066718,"caller":"git/git.go:178","msg":"Successfully cloned http://git.k8s.local/course/devops-demo.git @ 0739cf93f55cd00e3a23da9733f3abf089a6e5c9 (grafted, HEAD) in path /workspace/source"}
[git-source-source-rxnv8] {"level":"info","ts":1658392647.128677,"caller":"git/git.go:217","msg":"Successfully initialized and updated submodules in path /workspace/source"}

[show-path] total 36
[show-path] drwxr-xr-x 4 root root  163 Jul 21 08:37 .
[show-path] drwxrwxrwx 3 root root   20 Jul 21 08:37 ..
[show-path] -rw-r--r-- 1 root root 1804 Jul 21 08:37 .drone.yml
[show-path] drwxr-xr-x 8 root root  177 Jul 21 08:37 .git
[show-path] -rw-r--r-- 1 root root  192 Jul 21 08:37 .gitignore
[show-path] -rw-r--r-- 1 root root  375 Jul 21 08:37 Dockerfile
[show-path] -rw-r--r-- 1 root root 4840 Jul 21 08:37 Jenkinsfile
[show-path] -rw-r--r-- 1 root root   47 Jul 21 08:37 README.md
[show-path] -rw-r--r-- 1 root root   97 Jul 21 08:37 go.mod
[show-path] -rw-r--r-- 1 root root 3370 Jul 21 08:37 go.sum
[show-path] drwxr-xr-x 3 root root  101 Jul 21 08:37 helm
[show-path] -rw-r--r-- 1 root root  490 Jul 21 08:37 main.go

到这里我们就完成了通过 GitLab 的 Push 事件来触发 Tekton 的一个任务。

gitlab push events

接下来我们再来实现将我们的应用通过 Tekton 来自动部署到 Kubernetes 集群中。