Tekton Dashboard CI/CD

Why do Tekton projects have a folder called tekton? Cuz we think it would be cool if the tekton folder were the place to look for CI/CD logic in most repos!

We dogfood our project by using Tekton to build, test, and release Tekton! This directory contains the Tasks and Pipelines that we use.

Create an official release

To create an official release, follow the steps in the release-cheat-sheet.

Nightly releases

The nightly release pipeline is triggered nightly by Tekton.

This uses the same Pipeline and Tasks as an official release.

Setup

To start from scratch and use these Pipelines and Tasks:

  1. Install Tekton
  2. Set up the Tasks and Pipelines
  3. Create the required service account + secrets

Install Tekton

# If this is your first time installing Tekton in the cluster you might need to give yourself permission to do so
kubectl create clusterrolebinding cluster-admin-binding-someusername \
  --clusterrole=cluster-admin \
  --user="$(gcloud config get-value core/account)"

# Example, Tekton v0.29.0
export TEKTON_VERSION=0.29.0
kubectl apply --filename "https://storage.googleapis.com/tekton-releases/pipeline/previous/v${TEKTON_VERSION}/release.yaml"

Install tasks and pipelines

Add all the Tasks to the cluster, including the git-clone and gcs-upload Tasks from the tektoncd/catalog, and the release Tasks from tektoncd/plumbing.

Use a version of the tektoncd/catalog tasks that is compatible with the version of Tekton being released, usually main. Install the Tasks from plumbing too:

# Apply the Tasks we are using from the catalog
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.2/git-clone.yaml
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/gcs-upload/0.1/gcs-upload.yaml
# Apply the Tasks we are using from tektoncd/plumbing
kubectl apply -f https://raw.githubusercontent.com/tektoncd/plumbing/main/tekton/resources/release/base/prerelease_checks.yaml

Apply the tasks from the dashboard repo:

# Apply the Tasks and Pipelines we use from this repo
kubectl apply -f tekton/build.yaml
kubectl apply -f tekton/publish.yaml
kubectl apply -f tekton/release-pipeline.yaml

Tasks and Pipelines from this repo are:

  • build.yaml - This Task builds the UI bundles and places them in the kodata directory to be picked up by the backend
  • publish.yaml - This Task uses ko to build all of the container images we release and generate the release.yaml
  • release-pipeline.yaml - This Pipeline uses the above Tasks

Service account and secrets

In order to release, these Pipelines use the release-right-meow service account, which uses release-secret and has Storage Admin access to tekton-releases and tekton-releases-nightly.

After creating these service accounts in GCP, the Kubernetes service account and secret were created with:

KEY_FILE=release.json
GENERIC_SECRET=release-secret
ACCOUNT=release-right-meow

# Connected to the `prow` in the `tekton-releases` GCP project
GCP_ACCOUNT="$ACCOUNT@tekton-releases.iam.gserviceaccount.com"

# 1. Create a private key for the service account
gcloud iam service-accounts keys create "$KEY_FILE" --iam-account "$GCP_ACCOUNT"

# 2. Create the Kubernetes secret, which we will use via a service account and by mounting it directly
kubectl create secret generic "$GENERIC_SECRET" --from-file="./$KEY_FILE"

# 3. Add the secret to the service account
kubectl patch serviceaccount "$ACCOUNT" \
  -p "{\"secrets\": [{\"name\": \"$GENERIC_SECRET\"}]}"
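
A check that steps 1 to 3 above left the cluster in the intended state, as an added example that is not part of this repo's tooling. It takes the parsed JSON from `kubectl get serviceaccount release-right-meow -o json` and `kubectl get secret release-secret -o json`; the function names and the constructed sample data are assumptions made for illustration.

```python
import base64
import json

# Names below are the ones used in the setup commands on this page.
ACCOUNT = "release-right-meow"
SECRET = "release-secret"
KEY_FILE = "release.json"
GCP_ACCOUNT = f"{ACCOUNT}@tekton-releases.iam.gserviceaccount.com"


def check_release_wiring(sa, secret):
    """Return a list of problems; an empty list means the wiring is as expected.

    sa:     parsed `kubectl get serviceaccount release-right-meow -o json`
    secret: parsed `kubectl get secret release-secret -o json`
    """
    problems = []
    # Step 3: the ServiceAccount must list the secret under .secrets
    linked = [s.get("name") for s in sa.get("secrets") or []]
    if SECRET not in linked:
        problems.append(f"serviceaccount {ACCOUNT} does not reference {SECRET}")
    # Step 2: --from-file=./release.json stores the file under the key release.json
    encoded = (secret.get("data") or {}).get(KEY_FILE)
    if encoded is None:
        return problems + [f"secret {SECRET} has no {KEY_FILE} entry"]
    # Step 1: the payload must be a key for the intended GCP service account
    try:
        key = json.loads(base64.b64decode(encoded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        key = None
    if not isinstance(key, dict):
        return problems + [f"{KEY_FILE} is not a JSON object"]
    if key.get("type") != "service_account":
        problems.append(f"{KEY_FILE} is not a service account key")
    if key.get("client_email") != GCP_ACCOUNT:
        problems.append(f"{KEY_FILE} belongs to {key.get('client_email')!r}, not {GCP_ACCOUNT}")
    return problems


def constructed_sample(email=GCP_ACCOUNT, linked=True):
    """Constructed stand-in for the two kubectl outputs (no real key material)."""
    key = json.dumps({"type": "service_account", "client_email": email}).encode()
    sa = {"metadata": {"name": ACCOUNT}, "secrets": [{"name": SECRET}] if linked else []}
    secret = {"metadata": {"name": SECRET},
              "data": {KEY_FILE: base64.b64encode(key).decode()}}
    return sa, secret


if __name__ == "__main__":
    print(check_release_wiring(*constructed_sample()))
    print(check_release_wiring(*constructed_sample("other@example.iam.gserviceaccount.com", linked=False)))
```

Against a real cluster, pass the two `kubectl ... -o json` outputs through `json.loads` instead of using the constructed sample.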