Tekton 安装
环境要求
- kubernetes 1.22 or later
- k8s 集群的 cluster-admin 权限
安装步骤
安装
安装 Tekton Pipeline
说明:
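# Download the Tekton Pipeline release manifest.
# Pinned alternative listed by the author:
# https://github.com/tektoncd/pipeline/releases/download/v0.39.0/release.yaml
# NOTE(review): ".../latest/release.yaml" resolves to whatever release is
# current at download time, so repeated runs of this guide can install
# different manifests; a versioned URL keeps the install reproducible.
curl -Lfs -o tektoncd-pipeline.yaml https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

# Rewrite the gcr.io image references to their Docker Hub replacements; see
# https://mirrors.kb.cx/?s=gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd
# for the lookup of replacement names.
# NOTE(review): gcriotekton/* is a mirror found through that lookup page, not
# the upstream registry, and the images pulled from it run as the Tekton
# controller and webhook. Confirm the mirror's provenance before using it
# outside a test cluster.
#
# The list includes the helper images (kubeconfigwriter, entrypoint, git-init,
# ...) because tekton-pipelines-controller receives them at runtime through
# args such as -kubeconfig-writer-image, so they must be replaced as well.
#
# Only the downloaded manifest is edited: a "*.yaml" glob would also rewrite
# every other YAML file that happens to be in the working directory.
for component in controller webhook kubeconfigwriter entrypoint git-init nop \
  imagedigestexporter pullrequest-init workingdirinit; do
  sed -i "s#gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/${component}#gcriotekton/pipeline-${component}#g" tektoncd-pipeline.yaml
done

# Optional: if the mirror did not reproduce the upstream digests, drop the
# "@sha256:<digest>" suffix so the images are pulled by tag instead.
# NOTE(review): the digest is the only content pin in the manifest. A mirror
# image whose digest matches upstream is byte-identical to it; once the digest
# is removed, the cluster runs whatever the mirror's tag points to at pull
# time. Skip this step whenever the digests resolve.
sed -i -E 's#@sha256:[a-z0-9]{64}##g' tektoncd-pipeline.yaml

# Optional, for Kubernetes 1.25.0: move the HorizontalPodAutoscaler off the
# removed autoscaling/v2beta1 API. The PodSecurityPolicy kind is also gone in
# that release, so that object fails to apply; it is left unhandled here.
# NOTE(review): changing only the apiVersion is not enough. The apply output
# below shows a strict decoding error on
# spec.metrics[0].resource.targetAverageUtilization; autoscaling/v2 expresses
# it as resource.target with type: Utilization and averageUtilization, so the
# metrics stanza has to be edited by hand as well.
sed -i 's#autoscaling/v2beta1#autoscaling/v2#g' tektoncd-pipeline.yaml

kubectl apply -f tektoncd-pipeline.yaml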
root@k8s-master:~/tekton# kubectl apply -f tektoncd-pipeline.yaml
namespace/tekton-pipelines created
clusterrole.rbac.authorization.k8s.io/tekton-pipelines-controller-cluster-access created
clusterrole.rbac.authorization.k8s.io/tekton-pipelines-controller-tenant-access created
clusterrole.rbac.authorization.k8s.io/tekton-pipelines-webhook-cluster-access created
role.rbac.authorization.k8s.io/tekton-pipelines-controller created
role.rbac.authorization.k8s.io/tekton-pipelines-webhook created
role.rbac.authorization.k8s.io/tekton-pipelines-leader-election created
role.rbac.authorization.k8s.io/tekton-pipelines-info created
serviceaccount/tekton-pipelines-controller created
serviceaccount/tekton-pipelines-webhook created
clusterrolebinding.rbac.authorization.k8s.io/tekton-pipelines-controller-cluster-access created
clusterrolebinding.rbac.authorization.k8s.io/tekton-pipelines-controller-tenant-access created
clusterrolebinding.rbac.authorization.k8s.io/tekton-pipelines-webhook-cluster-access created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-controller created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-webhook created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-controller-leaderelection created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-webhook-leaderelection created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-info created
customresourcedefinition.apiextensions.k8s.io/clustertasks.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/pipelines.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/pipelineruns.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/resolutionrequests.resolution.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/pipelineresources.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/runs.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/tasks.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/taskruns.tekton.dev created
secret/webhook-certs created
validatingwebhookconfiguration.admissionregistration.k8s.io/validation.webhook.pipeline.tekton.dev created
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.pipeline.tekton.dev created
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.pipeline.tekton.dev created
clusterrole.rbac.authorization.k8s.io/tekton-aggregate-edit created
clusterrole.rbac.authorization.k8s.io/tekton-aggregate-view created
configmap/config-artifact-bucket created
configmap/config-artifact-pvc created
configmap/config-defaults created
configmap/feature-flags created
configmap/pipelines-info created
configmap/config-leader-election created
configmap/config-logging created
configmap/config-observability created
configmap/config-registry-cert created
deployment.apps/tekton-pipelines-controller created
service/tekton-pipelines-controller created
deployment.apps/tekton-pipelines-webhook created
service/tekton-pipelines-webhook created
resource mapping not found for name: "tekton-pipelines" namespace: "" from "tektoncd-pipeline.yaml": no matches for kind "PodSecurityPolicy" in version "policy/v1"
ensure CRDs are installed first
Error from server (BadRequest): error when creating "tektoncd-pipeline.yaml": HorizontalPodAutoscaler in version "v2" cannot be handled as a HorizontalPodAutoscaler: strict decoding error: unknown field "spec.metrics[0].resource.targetAverageUtilization"
日志中还有其他错误,需要根据情况判断是否需要修复(略)。
$ kubectl get pods --namespace tekton-pipelines --watch
NAME READY STATUS RESTARTS AGE
tekton-pipelines-controller-5f9784fc4d-glmq9 1/1 Running 0 15m
tekton-pipelines-webhook-6d47dc7dfc-j2p8f 1/1 Running 0 15m
$ kubectl get deployments --namespace tekton-pipelines
NAME READY UP-TO-DATE AVAILABLE AGE
tekton-pipelines-controller 1/1 1 1 24m
tekton-pipelines-webhook 1/1 1 1 24m
安装 Tekton Triggers
安装 Tekton Dashboard
说明:
# Download the Tekton Dashboard release manifest.
# NOTE(review): the ".../latest/..." URL is unpinned; record the version that
# was actually installed if the setup must be reproducible.
curl --location --fail --silent \
  --output tekton-dashboard-release.yaml \
  https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml

# Point the dashboard image at the Docker Hub mirror.
# NOTE(review): gcriotekton/* is a mirror, not the upstream registry; confirm
# its provenance before relying on it outside a test cluster.
sed -i 's#gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard#gcriotekton/dashboard-dashboard#g' tekton-dashboard-release.yaml

# Optional: strip the "@sha256:<digest>" suffix from image references.
# NOTE(review): this removes the content pin, so the image is then resolved by
# mutable tag; skip it whenever the mirror serves the pinned digest.
sed -E -i 's#@sha256:[a-z0-9]{64}##g' tekton-dashboard-release.yaml

kubectl apply --filename tekton-dashboard-release.yaml
root@k8s-master:~/tekton# kubectl apply -f tekton-dashboard-release.yaml
customresourcedefinition.apiextensions.k8s.io/extensions.dashboard.tekton.dev created
serviceaccount/tekton-dashboard created
role.rbac.authorization.k8s.io/tekton-dashboard-info created
clusterrole.rbac.authorization.k8s.io/tekton-dashboard-backend created
clusterrole.rbac.authorization.k8s.io/tekton-dashboard-tenant created
rolebinding.rbac.authorization.k8s.io/tekton-dashboard-info created
clusterrolebinding.rbac.authorization.k8s.io/tekton-dashboard-backend created
configmap/dashboard-info created
service/tekton-dashboard created
deployment.apps/tekton-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/tekton-dashboard-tenant created
root@k8s-master:~/tekton# kubectl -n tekton-pipelines get pod
NAME READY STATUS RESTARTS AGE
tekton-dashboard-74c4cff4c5-w47sz 1/1 Running 0 2m56s
...
root@k8s-master:~/tekton# kubectl -n tekton-pipelines get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
tekton-dashboard ClusterIP 10.99.6.172 <none> 9097/TCP 8m12s
...
暴露到外部访问
可以采用 Istio 等,测试环境采用 NodePort 的方式暴露资源:
$ kubectl patch svc -n tekton-pipelines tekton-dashboard -p '{"spec": {"type": "NodePort"}}'
$ kubectl -n tekton-pipelines get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
tekton-dashboard NodePort 10.99.6.172 <none> 9097:31840/TCP 14m
tekton-pipelines-controller ClusterIP 10.102.192.120 <none> 9090/TCP,8008/TCP,8080/TCP 31m
tekton-pipelines-webhook ClusterIP 10.101.59.226 <none> 9090/TCP,8008/TCP,443/TCP,8080/TCP 31m
- 访问:http://172.20.0.241:31840/ 。Dashboard 默认没有账户密码,通过 NodePort 暴露后,任何能访问到节点该端口的人都可以直接打开并查看集群中的流水线信息,因此这种方式只适合隔离的测试环境;需要认证时可以基于 Istio 的 SSO 认证实现。
安装客户端
https://github.com/tektoncd/cli/releases
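# Download the pinned tkn CLI package. -f makes curl exit non-zero on an HTTP
# error instead of saving the error page under the .deb file name.
curl -fLO https://github.com/tektoncd/cli/releases/download/v0.26.0/tektoncd-cli-0.26.0_Linux-64bit.deb
# Print the package hash and compare it with the checksums listed for this
# release (https://github.com/tektoncd/cli/releases), if published, before
# installing: dpkg -i installs the package as root.
sha256sum tektoncd-cli-0.26.0_Linux-64bit.deb
dpkg -i tektoncd-cli-0.26.0_Linux-64bit.deb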