云原生的 CI/CD 框架tekton - Trigger（二）

上一篇为大家详细介绍了tekton - pipeline，由于里面涉及到的概念比较多，因此需要好好消化下。同样，今天在特别为大家分享下tekton - Trigger以及案例演示，希望可以给大家提供一种思路哈。

1. Tekton Trigger

Trigger 组件就是用来解决这个触发问题的，它可以从各种来源的事件中检测并提取需要信息，然后根据这些信息来创建 TaskRun 和 PipelineRun，还可以将提取出来的信息传递给它们以满足不同的运行要求。

Tekton Trigger中有6类对象，分别是：

• EventListener：事件监听器，是外部事件的入口 ，通常需要通过HTTP方式暴露，以便于外部事件推送，比如配置Gitlab的Webhook。
• Trigger：指定当 EventListener 检测到事件发生时会发生什么，它会定义 TriggerBinding、TriggerTemplate 以及可选的 Interceptor。
• TriggerTemplate：用于模板化资源，根据传入的参数实例化 Tekton 对象资源，比如 TaskRun、PipelineRun等。
• TriggerBinding：用于捕获事件中的字段并将其存储为参数，然后会将参数传递给 TriggerTemplate。
• ClusterTriggerBinding：和 TriggerBinding 相似，用于提取事件字段，不过它是集群级别的对象。
• Interceptors：拦截器，在 TriggerBinding 之前运行，用于负载过滤、验证、转换等处理，只有通过拦截器的数据才会传递给TriggerBinding。

2. 工作流程

• step1：EventListener 用于监听外部事件（具体触发方式为 http），外部事件产生后被 EventListener 捕获，然后进入处理过程。

• step2：首先会由 Interceptors 来进行处理（如果有配置 interceptor 的话），对负载过滤、验证、转换等处理，类似与 http 中的 middleware。

• step3：Interceptors 处理完成后无效的事件就会被直接丢弃，剩下的有效事件则交给 TriggerBinding 处理，

• step4：TriggerBinding 实际上就是从事件内容中提取对应参数，然后将参数传递给 TriggerTemplate。

• step5：TriggerTemplate 则根据预先定义的模版以及收到的参数创建 TaskRun 或者 PipelineRun 对象。

• step6：TaskRun 或者 PipelineRun 对象创建之后就会触发对应 task 或者 pipeline 运行，整个流程就全自动了。

3. 安装trigger和interceptors

# install reigger
kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
# install interceptors
kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml

# monitor
kubectl get pods --namespace tekton-pipelines --watch

4. 案例

案例: gitlab跳代码触发tekton

step1: 创建task - 拉取代码

同pipeline案例2

step2: 创建task - 构建代码

同pipeline案例2

step3: 创建task - 打包镜像

task-package.yaml

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:name: package-2
spec:workspaces:- name: source # 名称params:- name: image_desttype: stringdefault: "registry.ap-southeast-1.aliyuncs.com/my_image_repo"- name: shatype: stringdefault: "latest"- name: DockerfilePathtype: stringdefault: Dockerfile- name: Contexttype: stringdefault: .- name: project_nametype: stringdefault: "test"steps:- name: packageimage: docker:stableworkingDir: $(workspaces.source.path)script: |#/usr/bin/env shTag=$(params.sha)tag=${Tag:0:6}docker login registry.ap-southeast-1.aliyuncs.comdocker build -t $(params.image_dest)/$(params.project_name):${tag} -f $(params.DockerfilePath) $(params.Context)docker push $(params.image_dest)/$(params.project_name):${tag}volumeMounts:- name: dockersorckmountPath: /var/run/docker.sockvolumes:- name: dockersorckhostPath:path: /var/run/docker.sock

step4: 创建pipeline

pipeline.yaml

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:name: clone-build-push-2
spec:description: |This pipeline clones a git repo, builds a Docker image with Kaniko andpushes it to a registryparams:- name: repo-urltype: string- name: shatype: string- name: project_nametype: string- name: versiontype: stringworkspaces:- name: shared-datatasks:# 拉取代码- name: fetch-sourcetaskRef:name: git-cloneworkspaces:- name: outputworkspace: shared-dataparams:- name: urlvalue: $(params.repo-url)- name: revisionvalue: $(params.version)# 打包- name: build-codetaskRef:name: build-2workspaces:- name: sourceworkspace: shared-datarunAfter:- fetch-source# 构建并推送镜像- name: package-imagerunAfter: ["build-code"]taskRef:name: package-2workspaces:- name: sourceworkspace: shared-dataparams:- name: shavalue: $(params.sha)- name: project_namevalue: $(params.project_name)

step5: 创建pipelinerun

pipelinerun.yaml

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:generateName: clone-build-push-run-#name: clone-build-push-run
spec:serviceAccountName: gitlab-sapipelineRef:name: clone-build-push-2podTemplate:securityContext:fsGroup: 65532workspaces:- name: shared-datavolumeClaimTemplate:spec:accessModes:- ReadWriteOnceresources:requests:storage: 128Miparams:- name: repo-urlvalue: git@jihulab.com:cs-test-group1/kxwang/test.git #https://jihulab.com/cs-test-group1/kxwang/test.git- name: shavalue: bchdsvhj12312312312241421
#  - name: image_tag
#    value: v2- name: versionvalue: refs/heads/master- name: project_namevalue: wkx

step6: 创建事件监听器

EventListener.yaml

apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:name: gitlab-listener  # 该事件监听器会创建一个名为el-gitlab-listener的Service对象namespace: default
spec:resources:kubernetesResource:serviceType: NodePortserviceAccountName: gitlab-satriggers:- name: gitlab-push-events-triggerinterceptors:- ref:name: gitlabparams:- name: secretRef  # 引用 gitlab-secret 的 Secret 对象中的 secretToken 的值value:secretName: gitlab-webhooksecretKey: secretToken- name: eventTypesvalue:- Push Hook # 只接收 GitLab Push 事件bindings:- ref: pipeline-bindingtemplate:ref: pipeline-template

step7: 创建TriggerBinding文件

TriggerBinding.yaml

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:name: pipeline-binding
spec:params:- name: repo-urlvalue: $(body.repository.git_ssh_url)- name: versionvalue: $(body.ref)- name: shavalue: $(body.checkout_sha)- name: project_namevalue: $(body.project.name)

step8: 创建TriggerTemplate模版文件

TriggerTemplate.yaml

apiVersion: v1
kind: Secret
metadata:name: gitlab-webhook
type: Opaque
stringData:secretToken: '123456789'
[root@VM-0-14-centos class-4]# cat TriggerTemplate.yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:name: pipeline-template
spec:params:- name: sha- name: project_name- name: version- name: repo-urlresourcetemplates:- apiVersion: tekton.dev/v1beta1kind: PipelineRunmetadata:generateName:  clone-build-push-run-spec:serviceAccountName: gitlab-sapipelineRef:name: clone-build-push-2params:- name: shavalue: $(tt.params.sha)- name: versionvalue: $(tt.params.version)- name: repo-urlvalue: $(tt.params.repo-url)- name: project_namevalue: $(tt.params.project_name)workspaces:- name: shared-datavolumeClaimTemplate:spec:accessModes:- ReadWriteOnceresources:requests:storage: 128Mi

step9: 创建sa

gitlab-sa.yaml

apiVersion: v1
kind: ServiceAccount
metadata:name: gitlab-sa
secrets:
- name: gitlab-auth
- name: gitlab-ssh
- name: docker-credentials
- name: gitlab-webhook

step10: 创建gitlab webhook的信息

secret-gitlab-webhook.yaml

apiVersion: v1
kind: Secret
metadata:name: gitlab-webhook
type: Opaque
stringData:secretToken: '123456789'

step11: 创建RBAC

rbac.yaml

apiVersion: v1
kind: ServiceAccount
metadata:name: gitlab-sa
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: triggers-gitlab-clusterrole
rules:# Permissions for every EventListener deployment to function- apiGroups: ["triggers.tekton.dev"]resources: ["eventlisteners", "triggerbindings", "triggertemplates","clustertriggerbindings", "clusterinterceptors","interceptors","triggers"]verbs: ["get","list","watch"]- apiGroups: [""]# secrets are only needed for Github/Gitlab interceptors, serviceaccounts only for per trigger authorizationresources: ["configmaps", "secrets", "serviceaccounts"]verbs: ["get", "list", "watch"]# Permissions to create resources in associated TriggerTemplates- apiGroups: ["tekton.dev"]resources: ["pipelineruns", "pipelineresources", "taskruns"]verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: triggers-gitlab-clusterrolebinding
subjects:- kind: ServiceAccountname: gitlab-sanamespace: default
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: triggers-gitlab-clusterrolegitlab-sa.yaml

step12: gitlab创建webhook

测试

界面提交下code

创建issue，验证拦截器规则