In the previous post, we built Pipelines to build images. In this post we will use Tekton Triggers to watch for Git events and trigger Pipelines on git push.
Installation
Concept
Tekton Triggers have a few resources
- EventListener
- Trigger
- TriggerTemplate
- TriggerBinding
- ClusterTriggerBinding
- Interceptor
The flow looks like this:
- The EventListener detects a git push event
- It runs the matching action (Trigger)
- The Trigger runs any configured Interceptor to perform tasks such as filtering and verification
- The TriggerBinding extracts data from the event payload, to be used in a TaskRun or PipelineRun
- The TriggerTemplate specifies a blueprint for the resource to create, such as a TaskRun or PipelineRun
For more details, refer to TektonTriggers
Create Trigger
Complete source code is available at cncf-demo/hello-world; the Trigger examples are inside the tekton/trigger directory.
Based on the example from Part 1, we will create a Trigger for that.
Create a webhook and secret
Create a webhook for the git repo and add a secret. In this example, 1234567 is the webhook secret.
apiVersion: v1
kind: Secret
metadata:
  name: github-secret
type: Opaque
stringData:
  secretToken: "1234567"
Create RBAC
Create the required RBAC
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-example-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: triggers-example-eventlistener-binding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-example-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-roles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: triggers-example-eventlistener-clusterbinding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-example-sa
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-clusterroles
Create EventListener and Trigger
Tekton comes with multiple built-in Interceptors that we can use right away. The example below uses the GitHub Interceptor, which validates the webhook signature against the secret and filters by event type.
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: github-listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: github-listener
      interceptors:
        - ref:
            name: "github"
          params:
            - name: "secretRef"
              value:
                secretName: github-secret # the secret we created earlier
                secretKey: secretToken
            - name: "eventTypes"
              value: [ "push" ] # filter only push event
      bindings:
        - ref: github-binding # TriggerBinding
      template:
        ref: github-template # TriggerTemplate
Create TriggerBinding
What we want is the git revision, which we can get from body.ref, based on the GitHub webhook push event spec.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: github-binding
spec:
  params:
    - name: git_revision
      value: $(body.ref) # Example: refs/heads/main or refs/tags/v3.14.1
Create TriggerTemplate
Since we created a Pipeline for the example, the TriggerTemplate specifies a PipelineRun under resourcetemplates.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: github-template
spec:
  params:
    - name: git_revision
  resourcetemplates:
    # the section below is exactly the same as writing a PipelineRun
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        generateName: kaniko-pipeline-run-
      spec:
        pipelineRef:
          name: kaniko-pipeline
        params:
          - name: git_revision
            value: $(tt.params.git_revision)
        workspaces:
          - name: git-source
            volumeClaimTemplate:
              spec:
                accessModes:
                  - ReadWriteOnce
                resources:
                  requests:
                    storage: 100m
Test it out
Apply everything with kubectl
kubectl apply -f .
Do a port forward
kubectl port-forward service/el-github-listener 8080
Test it locally
Send an example payload. The response status code should be 202 Accepted.
An HMAC tool was used to create the X-Hub-Signature value.
curl -v \
  -H 'X-GitHub-Event: push' \
  -H 'X-Hub-Signature: sha1=87b1adbb9aca10522739f9f94d372afd1542e498' \
  -H 'Content-Type: application/json' \
  -d '{"ref": "refs/heads/main", "repository": {"git_url": "https://github.com/WLun001/cncf-demo.git"}}' \
  http://localhost:8080
You should see a new PipelineRun running.
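How an X-Hub-Signature value like the one in the curl command above is derived and checked, as an added example (not code from the original post or from Tekton). It uses the demo secret and payload from this post, the function names sign and verify are illustrative, and accepting a sha256 prefix generalizes beyond the post's sha1 case.

```python
import hashlib
import hmac

# Constructed sample values mirroring the post's local test: the demo secret
# and the exact bytes passed to curl -d.
SECRET = b"1234567"
BODY = (b'{"ref": "refs/heads/main", "repository": '
        b'{"git_url": "https://github.com/WLun001/cncf-demo.git"}}')

ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def sign(secret: bytes, body: bytes, algo: str = "sha1") -> str:
    """Return the header value '<algo>=<hex HMAC>' computed over the raw body bytes."""
    digest = hmac.new(secret, body, ALGORITHMS[algo]).hexdigest()
    return f"{algo}={digest}"


def verify(secret: bytes, body: bytes, header: str) -> bool:
    """Check a received signature header against the raw request body."""
    algo, sep, received = header.partition("=")
    if not sep or algo not in ALGORITHMS:
        return False  # missing or unknown algorithm prefix
    expected = hmac.new(secret, body, ALGORITHMS[algo]).hexdigest()
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of the signature matched.
    return hmac.compare_digest(expected.encode(),
                               received.strip().lower().encode())


if __name__ == "__main__":
    header = sign(SECRET, BODY)
    print("X-Hub-Signature:", header)
    print("valid body:   ", verify(SECRET, BODY, header))
    # Any change to the bytes on the wire, even whitespace, invalidates it.
    print("reformatted:  ", verify(SECRET, BODY.replace(b": ", b":"), header))
    print("wrong secret: ", verify(b"not-the-secret", BODY, header))
```

The signature covers the raw request bytes, so a payload that is re-serialized or pretty-printed before sending needs a freshly computed header.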
Test with GitHub
Create a tunnel using a tool like ngrok
ngrok http 8080
Add the generated URL as the webhook's Payload URL.
Make a commit and push; you should see a new PipelineRun running.
Conclusion
We have built a Trigger that listens for git push events and executes the related Pipeline.
Next, we will create a custom Interceptor that triggers the Pipeline only when certain paths have changed.