1. Core positioning
This article, the eighth in the GitOps environment setup series, focuses on deploying and configuring the Tekton CI/CD pipeline. Tekton is a cloud-native CI/CD framework designed for Kubernetes that provides declarative pipeline definitions and task execution.
In a GitOps environment, Tekton plays the role of the "continuous integration engine": it is the build and test stage of the GitOps flow, automating everything from code commit to image build. Tekton works together with Gitea, Harbor and ArgoCD to form a complete "code → build → image → deploy" automated pipeline.
2. Pre-deployment checks
Before deploying, verify the state of the K3s cluster and the components installed in the earlier parts of the series:
# K3s nodes must be Ready
kubectl get nodes
# Components deployed in earlier parts: ArgoCD, cert-manager, Traefik, Gitea
kubectl get pods -n argocd
kubectl get pods -n cert-manager
kubectl get pods -n kube-system -l app=traefik
kubectl get pods -n gitea
# The dashboard hostname must already resolve to the cluster ingress
nslookup tekton.example.io
Prerequisite checklist:
3. Deploying Tekton via ArgoCD
3.1 Prepare the Git repository layout
Create a Tekton configuration directory in the Gitea repository devops-deploy.git:
git clone https://gitea.example.io/gitea_admin/devops-deploy.git
cd devops-deploy
mkdir -p tekton
3.2 Create the ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: tekton
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitea.example.io/gitea_admin/devops-deploy.git
    path: tekton
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: tekton-pipelines
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
3.3 Create the core Tekton deployment manifests
apiVersion: v1
kind: Namespace
metadata:
  name: tekton-pipelines
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tekton-dashboard
  template:
    metadata:
      labels:
        app: tekton-dashboard
    spec:
      containers:
        - name: dashboard
          image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard:v0.45.0
          ports:
            - containerPort: 9097
          env:
            - name: PORT
              value: "9097"
            - name: CLUSTER_NAME
              value: "k3s-gitops"
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "256Mi"
              cpu: "200m"
---
apiVersion: v1
kind: Service
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  selector:
    app: tekton-dashboard
  ports:
    - port: 9097
      targetPort: 9097
  type: ClusterIP
3.4 Commit the configuration to the Git repository
git add tekton/
git commit -m "feat: add Tekton deployment configuration"
git push origin main
4. Configuring HTTPS access
4.1 Create the Tekton certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tekton-cert
  namespace: tekton-pipelines
spec:
  secretName: tekton-tls-secret
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
  commonName: tekton.example.io
  dnsNames:
    - tekton.example.io
  duration: 2160h
  renewBefore: 360h
  privateKey:
    algorithm: RSA
    size: 2048
  usages:
    - server auth
4.2 Configure the IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: tekton-websecure
  namespace: tekton-pipelines
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`tekton.example.io`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: tekton-dashboard
          passHostHeader: true
          port: 9097
  tls:
    secretName: tekton-tls-secret
4.3 Apply the ArgoCD configuration
kubectl apply -f tekton/argocd-application.yaml

# Alternatively, apply the Application inline without the file:
cat <<EOF | kubectl apply -f -
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: tekton
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitea.example.io/gitea_admin/devops-deploy.git
    path: tekton
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: tekton-pipelines
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
EOF
5. Verifying the deployment
5.1 Verify the ArgoCD sync status
argocd app get tekton
argocd app sync tekton
argocd app history tekton
argocd app resources tekton
5.2 Verify the Tekton component status
kubectl get all -n tekton-pipelines
kubectl get pods -n tekton-pipelines -l app=tekton-dashboard
kubectl get svc -n tekton-pipelines tekton-dashboard
kubectl get certificate -n tekton-pipelines
kubectl describe certificate tekton-cert -n tekton-pipelines
kubectl get ingressroute -n tekton-pipelines
5.3 Test access
curl -k https://tekton.example.io
kubectl logs -n tekton-pipelines -l app=tekton-dashboard --tail=50
kubectl exec -it $(kubectl get pod -n tekton-pipelines -l app=tekton-dashboard -o jsonpath='{.items[0].metadata.name}') -n tekton-pipelines -- /bin/sh
6. Configuring a sample pipeline
6.1 Create the Tekton Pipeline resource
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: build-and-deploy
  namespace: tekton-pipelines
spec:
  params:
    - name: git-url
      type: string
      description: Git repository URL
    - name: image-name
      type: string
      description: Docker image name
  # Workspaces referenced by the tasks below must be declared at Pipeline level;
  # the PipelineRun binds them to a volume (source) and a Secret (docker-config)
  workspaces:
    - name: source
    - name: docker-config
  tasks:
    - name: fetch-source
      taskRef:
        name: git-clone
      params:
        - name: url
          value: $(params.git-url)
        - name: revision
          value: main
      workspaces:
        - name: output
          workspace: source
    - name: build-image
      runAfter: [fetch-source]
      taskRef:
        name: kaniko
      params:
        - name: IMAGE
          value: $(params.image-name)
      workspaces:
        - name: source
          workspace: source
        - name: dockerconfig
          workspace: docker-config
6.2 Create the Tekton Task resources
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: git-clone
  namespace: tekton-pipelines
spec:
  workspaces:
    - name: output
      description: Git repository will be cloned here
  params:
    - name: url
      description: Git repository URL
      type: string
    - name: revision
      description: Git revision to clone
      type: string
      default: main
  steps:
    - name: clone
      image: alpine/git
      script: |
        git clone $(params.url) $(workspaces.output.path)
        cd $(workspaces.output.path)
        git checkout $(params.revision)
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kaniko
  namespace: tekton-pipelines
spec:
  workspaces:
    - name: source
      description: Source code workspace
    - name: dockerconfig
      description: Docker config.json workspace
  params:
    - name: IMAGE
      description: Docker image name
      type: string
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:v1.9.0
      env:
        # kaniko reads registry credentials from $DOCKER_CONFIG/config.json,
        # so the Secret bound to this workspace must carry a config.json key
        - name: DOCKER_CONFIG
          value: $(workspaces.dockerconfig.path)
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(workspaces.source.path)/Dockerfile
        - --destination=$(params.IMAGE)
        - --context=$(workspaces.source.path)
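The Pipeline in 6.1 and the Tasks in 6.2 declare two workspaces but the post never shows a run that binds them. As an added example (not code from the original post or its referenced repository), this Python script builds a PipelineRun for build-and-deploy that puts the checkout on a throwaway PVC and feeds kaniko its registry credentials from a Secret instead of a parameter, then checks the run against the Pipeline's declared params and workspaces before anything is submitted. The Secret name harbor-docker-config, the Harbor image path and the 1Gi PVC size are assumptions.

```python
import json

# The build-and-deploy Pipeline's declared params and workspaces (constructed
# copy of the manifest in 6.1, used as the contract the PipelineRun must satisfy)
PIPELINE_SPEC = {
    "params": [{"name": "git-url"}, {"name": "image-name"}],
    "workspaces": [{"name": "source"}, {"name": "docker-config"}],
}


def build_pipelinerun(git_url, image, registry_secret="harbor-docker-config"):
    """Return a PipelineRun as a dict; kubectl accepts JSON, so json.dumps() is enough.
    registry_secret is an assumed Secret name that must hold a config.json key."""
    return {
        "apiVersion": "tekton.dev/v1beta1",
        "kind": "PipelineRun",
        "metadata": {"generateName": "build-and-deploy-", "namespace": "tekton-pipelines"},
        "spec": {
            "pipelineRef": {"name": "build-and-deploy"},
            "params": [
                {"name": "git-url", "value": git_url},
                {"name": "image-name", "value": image},
            ],
            "workspaces": [
                # git-clone and kaniko run in separate pods, so the checkout must
                # live on a PVC rather than an emptyDir (the 1Gi size is an assumption)
                {"name": "source", "volumeClaimTemplate": {"spec": {
                    "accessModes": ["ReadWriteOnce"],
                    "resources": {"requests": {"storage": "1Gi"}}}}},
                # Registry credentials are mounted from a Secret, so they never pass
                # through params and are not committed alongside the Pipeline manifest
                {"name": "docker-config", "secret": {"secretName": registry_secret}},
            ],
        },
    }


def missing_bindings(run, pipeline_spec=PIPELINE_SPEC):
    """Names of Pipeline params/workspaces the PipelineRun does not supply.
    Tekton fails such a run when it reconciles it; checking first gives a clearer error."""
    given_params = {p["name"] for p in run["spec"].get("params", [])}
    given_ws = {w["name"] for w in run["spec"].get("workspaces", [])}
    missing = ["param:" + p["name"] for p in pipeline_spec["params"]
               if p["name"] not in given_params]
    missing += ["workspace:" + w["name"] for w in pipeline_spec["workspaces"]
                if w["name"] not in given_ws]
    return missing


if __name__ == "__main__":
    run = build_pipelinerun("https://gitea.example.io/gitea_admin/demo-app.git",
                            "harbor.example.io/library/demo-app:latest")
    problems = missing_bindings(run)
    assert not problems, problems
    print(json.dumps(run, indent=2))  # pipe into: kubectl create -f -
```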
7. Service access
7.1 In-cluster access
- Dashboard web UI:
tekton-dashboard.tekton-pipelines.svc.cluster.local:9097
- API access: reach the Tekton components directly through their Services
7.2 External access
- Dashboard web UI:
https://tekton.example.io
- Git webhook endpoint:
https://tekton.example.io (used to receive Gitea webhooks)
8. Day-to-day operations commands
# List the Tekton resources in the namespace
kubectl get pipelines.tekton.dev -n tekton-pipelines
kubectl get tasks.tekton.dev -n tekton-pipelines
kubectl get pipelineruns.tekton.dev -n tekton-pipelines
kubectl get taskruns.tekton.dev -n tekton-pipelines
# Follow dashboard logs, restart it, check resource usage
kubectl logs -f deployment/tekton-dashboard -n tekton-pipelines
kubectl rollout restart deployment tekton-dashboard -n tekton-pipelines
kubectl top pods -n tekton-pipelines
# Delete PipelineRuns that have succeeded. kubectl does not accept --all together
# with --field-selector, and CRDs do not support status field selectors, so the
# finished runs are selected with a jsonpath filter instead
kubectl get pipelineruns.tekton.dev -n tekton-pipelines \
  -o jsonpath='{range .items[?(@.status.conditions[0].status=="True")]}{.metadata.name}{"\n"}{end}' \
  | xargs -r kubectl delete pipelineruns.tekton.dev -n tekton-pipelines
9. Common problems and fixes
| Symptom | Where to look | Fix |
| --- | --- | --- |
| ArgoCD sync fails | Git repository access permissions | Check the ArgoCD Repository configuration and add access credentials |
| Dashboard unreachable | IngressRoute / certificate | Check the IngressRoute configuration and verify that the certificate Secret exists |
| Pipeline run fails | Task configuration / resource permissions | Check the Task definitions and verify the ServiceAccount permissions |
| Image build fails | Docker configuration / network | Check the kaniko configuration and verify network connectivity |
| Webhook does not trigger | Webhook configuration / network | Check the Gitea webhook configuration and verify network reachability |
| Resource usage too high | Resource limits / concurrency | Adjust resource limits and cap the number of concurrent PipelineRuns |
10. Configuration reference
All Tekton configuration files and deployment scripts are available at:
https://gitee.com/Chemmy/kube-template/tree/master/devops/Tekton
The directory contains:
- Core Tekton deployment configuration
- Sample Pipeline and Task definitions
- Webhook integration configuration
- Production environment tuning
- Monitoring and logging configuration
Summary
This article completed a standardized deployment of Tekton on the K3s cluster, managing the CI/CD pipeline the GitOps way through ArgoCD. As the continuous integration engine of the GitOps environment, Tekton provides strong capabilities for automated builds and tests.
After deployment, it is recommended to create a sample pipeline to verify the build, configure a Gitea webhook for automatic triggering, and set appropriate resource limits. The next article deploys the Harbor image registry, providing image storage and distribution for the GitOps environment.