Tekton CI/CD Part 2: Run Pipelines on code change with Triggers


In the previous post we built Pipelines that build container images. In this post we will use Tekton Triggers to watch for Git events and run the Pipeline on every git push.

Installation

Install Tekton Triggers (see the Tekton Triggers installation guide).

Concept

Tekton Triggers defines a few resources:

  • EventListener
  • Trigger
  • TriggerTemplate
  • TriggerBinding
  • ClusterTriggerBinding
  • Interceptor

The flow is as follows:

  1. The EventListener receives the git push event.
  2. It runs the matching action (the Trigger).
  3. The Trigger runs its Interceptors, if any are configured, to filter and verify the event.
  4. The TriggerBinding extracts data from the event payload for use in the TaskRun or PipelineRun.
  5. The TriggerTemplate is the blueprint for the resource to create, such as a TaskRun or PipelineRun.

For more details, refer to the Tekton Triggers documentation.

Create Trigger

The complete source code is available at cncf-demo/hello-world; the Trigger examples are in the tekton/trigger directory.

Based on the example from Part 1, we will create a Trigger for that Pipeline.

Create a webhook and secret

Create a webhook for the git repo and give it a secret. Store the same value in a Kubernetes Secret so the Interceptor can verify the webhook signature.

In this example 1234567 is the webhook secret:

apiVersion: v1
kind: Secret
metadata:
  name: github-secret
type: Opaque
stringData:
  secretToken: "1234567"

Create RBAC

Create the required RBAC: a ServiceAccount for the EventListener, bound to the ClusterRoles that Tekton Triggers ships for it.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-example-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: triggers-example-eventlistener-binding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-example-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-roles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: triggers-example-eventlistener-clusterbinding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-example-sa
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-clusterroles

Create EventListener and Trigger

Tekton comes with multiple built-in Interceptors that we can use right away. The example below uses the GitHub Interceptor, which validates the X-Hub-Signature header against the secret and keeps only the listed event types.

apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: github-listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: github-listener
      interceptors:
        - ref:
            name: "github"
          params:
            - name: "secretRef"
              value:
                secretName: github-secret # the secret we created earlier
                secretKey: secretToken
            - name: "eventTypes"
              value: [ "push" ] # filter only push event
      bindings:
        - ref: github-binding # TriggerBinding
      template:
        ref: github-template # TriggerTemplate

Create TriggerBinding

What we want is the git revision, which we can read from body.ref according to the GitHub webhook push event spec.

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: github-binding
spec:
  params:
    - name: git_revision
      value: $(body.ref) #  Example: refs/heads/main or refs/tags/v3.14.1

Create TriggerTemplate

Since we created a Pipeline in the example, the TriggerTemplate specifies a PipelineRun under resourcetemplates.

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: github-template
spec:
  params:
    - name: git_revision
  resourcetemplates:
      # the section below is exactly the same as writing a PipelineRun
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        generateName: kaniko-pipeline-run-
      spec:
        pipelineRef:
          name: kaniko-pipeline
        params:
          - name: git_revision
            value: $(tt.params.git_revision)
        workspaces:
          - name: git-source
            volumeClaimTemplate:
              spec:
                accessModes:
                  - ReadWriteOnce
                resources:
                  requests:
                    storage: 100Mi # 100 mebibytes; "100m" would request 0.1 byte

Test it out

Apply everything with kubectl:

kubectl apply -f .

Port-forward the EventListener service (Tekton creates it as el-<EventListener name>):

kubectl port-forward service/el-github-listener 8080

Test it locally

Send an example payload.

The response status code should be 202 Accepted.

The X-Hub-Signature header below was created with an HMAC tool: SHA-1 HMAC over the request body, keyed with the webhook secret.

curl -v \
-H 'X-GitHub-Event: push' \
-H 'X-Hub-Signature: sha1=87b1adbb9aca10522739f9f94d372afd1542e498' \
-H 'Content-Type: application/json' \
-d '{"ref": "refs/heads/main", "repository": {"git_url": "https://github.com/WLun001/cncf-demo.git"}}' \
http://localhost:8080

You should see a new PipelineRun running.
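The following added example is not part of the original post or of Tekton itself. It models in plain Python what the EventListener does with the curl request above: the GitHub Interceptor step (HMAC-SHA1 signature check against the secret, then the eventTypes filter), the TriggerBinding step (extracting body.ref into git_revision), and the TriggerTemplate step (substituting $(tt.params.git_revision) into the PipelineRun). The dotted-path lookup and the $(...) substitution are deliberate simplifications of Tekton's own expression handling, and the signature is recomputed from the secret rather than copied from the page, so you can regenerate the header for any edited payload.

```python
import hashlib
import hmac
import json
import re
from typing import Any, Dict, Optional

# Secret used on this page; the sample body is constructed to match the curl body.
WEBHOOK_SECRET = "1234567"
SAMPLE_BODY = json.dumps(
    {"ref": "refs/heads/main",
     "repository": {"git_url": "https://github.com/WLun001/cncf-demo.git"}}
).encode()


def sign_payload(secret: str, body: bytes) -> str:
    """Return the X-Hub-Signature value GitHub sends: 'sha1=' + hex HMAC-SHA1 of the body."""
    digest = hmac.new(secret.encode(), body, hashlib.sha1).hexdigest()
    return f"sha1={digest}"


def verify_signature(secret: str, body: bytes, header: str) -> bool:
    """Recompute the HMAC and compare in constant time; any edit to the body invalidates it."""
    if not header.startswith("sha1="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header)


def github_interceptor(headers: Dict[str, str], body: bytes, secret: str, event_types) -> bool:
    """Simplified model of the built-in 'github' Interceptor: valid signature AND allowed event type."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature", "")):
        return False
    return headers.get("X-GitHub-Event") in event_types


def lookup(payload: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'body.ref' against {'body': <parsed JSON body>}."""
    node: Any = payload
    for part in path.split("."):
        node = node[part]
    return node


def apply_binding(body: Dict[str, Any], bindings: Dict[str, str]) -> Dict[str, str]:
    """TriggerBinding model: a value like '$(body.ref)' becomes the extracted field (simplified)."""
    params = {}
    for name, expr in bindings.items():
        m = re.fullmatch(r"\$\((.+)\)", expr)
        params[name] = str(lookup({"body": body}, m.group(1))) if m else expr
    return params


def render_template(template: Dict[str, Any], params: Dict[str, str]) -> Dict[str, Any]:
    """TriggerTemplate model: substitute $(tt.params.NAME) everywhere in the resource template."""
    text = json.dumps(template)
    for name, value in params.items():
        # json.dumps(value)[1:-1] escapes quotes/backslashes so the substituted JSON stays valid.
        text = text.replace(f"$(tt.params.{name})", json.dumps(value)[1:-1])
    return json.loads(text)


# Same PipelineRun shape as the TriggerTemplate above (workspace section omitted for brevity).
PIPELINE_RUN_TEMPLATE = {
    "apiVersion": "tekton.dev/v1beta1",
    "kind": "PipelineRun",
    "metadata": {"generateName": "kaniko-pipeline-run-"},
    "spec": {
        "pipelineRef": {"name": "kaniko-pipeline"},
        "params": [{"name": "git_revision", "value": "$(tt.params.git_revision)"}],
    },
}


def handle_event(headers: Dict[str, str], body: bytes,
                 secret: str = WEBHOOK_SECRET) -> Optional[Dict[str, Any]]:
    """End-to-end model of the listener: interceptor -> binding -> template.
    Returns the PipelineRun to create, or None when the event is rejected."""
    if not github_interceptor(headers, body, secret, ("push",)):
        return None
    params = apply_binding(json.loads(body), {"git_revision": "$(body.ref)"})
    return render_template(PIPELINE_RUN_TEMPLATE, params)


if __name__ == "__main__":
    hdrs = {"X-GitHub-Event": "push",
            "X-Hub-Signature": sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}
    print("header for curl:", hdrs["X-Hub-Signature"])
    print(json.dumps(handle_event(hdrs, SAMPLE_BODY), indent=2))
```

Running the script prints the X-Hub-Signature to paste into the curl command for this exact body (whitespace in the JSON matters, since the HMAC covers the raw bytes) and the PipelineRun that results. If the signature does not match or the event is not a push, handle_event returns None, which corresponds to the real listener creating no PipelineRun; in that case look at the el-github-listener pod logs for the Interceptor's decision.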

Test with GitHub

Create a tunnel to the forwarded port using a tool like ngrok:

ngrok http 8080

Add the generated URL as the Payload URL of the GitHub webhook.

Make a commit and push; you should see a new PipelineRun running.

Conclusion

We have built a Trigger that listens to git push events and executes the related Pipeline.

Next, we will create a custom Interceptor that triggers the Pipeline only when certain paths have changed.
