Why do Tekton projects have a folder called tekton? Cuz we think it would be cool if the tekton folder were the place to look for CI/CD logic in most repos!
We dogfood our project by using Tekton to build, test, and release Tekton! This directory contains the Tasks and Pipelines that we use.
To create an official release, follow the steps in the release-cheat-sheet.
The nightly release pipeline is triggered nightly by Tekton. This uses the same Pipeline and Tasks as an official release.
To start from scratch and use these Pipelines and Tasks:
# If this is your first time installing Tekton in the cluster you might need to give yourself permission to do so
kubectl create clusterrolebinding cluster-admin-binding-someusername \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
# Example, Tekton v0.29.0
export TEKTON_VERSION=0.29.0
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v${TEKTON_VERSION}/release.yaml
Add all the Tasks to the cluster, including the git-clone and gcs-upload Tasks from the tektoncd/catalog, and the release Tasks from tektoncd/plumbing.
Use a version of the tektoncd/catalog tasks that is compatible with the version of Tekton being released, usually main.
Install Tasks from plumbing too:
# Apply the Tasks we are using from the catalog
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.2/git-clone.yaml
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/gcs-upload/0.1/gcs-upload.yaml
# Apply the Tasks we are using from tektoncd/plumbing
kubectl apply -f https://raw.githubusercontent.com/tektoncd/plumbing/main/tekton/resources/release/base/prerelease_checks.yaml
Apply the tasks from the dashboard repo:
# Apply the Tasks and Pipelines we use from this repo
kubectl apply -f tekton/build.yaml
kubectl apply -f tekton/publish.yaml
kubectl apply -f tekton/release-pipeline.yaml
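The catalog and plumbing manifests above are applied straight from a branch URL, so their content can change between runs. As an added example (not part of the tektoncd repos), the helper below downloads a manifest, compares it to a SHA-256 digest recorded when the file was reviewed, and applies it only on a match; the function names and the digest placeholder are assumptions.

```shell
# Added example (not from the tektoncd repos): apply a remote manifest only if
# it matches a SHA-256 digest recorded when the file was reviewed.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_manifest FILE EXPECTED_SHA256: return 0 on match, 1 otherwise (fails closed)
verify_manifest() {
  local file="$1" expected="$2" actual
  [ -s "$file" ] || { echo "empty or missing manifest: $file" >&2; return 1; }
  [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 hex chars" >&2; return 1; }
  actual=$(sha256_of "$file") || return 1
  if [ "$actual" != "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
    echo "digest mismatch for $file: got $actual" >&2
    return 1
  fi
}

# apply_verified URL EXPECTED_SHA256: download over HTTPS, verify, then kubectl apply
apply_verified() {
  local url="$1" expected="$2" tmp rc=0
  tmp=$(mktemp) || return 1
  if curl --fail --silent --show-error --location \
          --proto '=https' --proto-redir '=https' -o "$tmp" "$url" \
     && verify_manifest "$tmp" "$expected"; then
    kubectl apply -f "$tmp" || rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (the digest is a placeholder; record the real one when you review the file):
# apply_verified \
#   https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.2/git-clone.yaml \
#   "<sha256-recorded-at-review>"
```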
Tasks and Pipelines from this repo are:
- build.yaml - This Task builds the UI bundles and places them in the kodata directory to be picked up by the backend
- publish.yaml - This Task uses ko to build all of the container images we release and generate the release.yaml
- release-pipeline.yaml - This Pipeline uses the above Tasks
In order to release, these Pipelines use the release-right-meow service account, which uses release-secret and has Storage Admin access to tekton-releases and tekton-releases-nightly.
After creating these service accounts in GCP, the kubernetes service account and secret were created with:
KEY_FILE=release.json
GENERIC_SECRET=release-secret
ACCOUNT=release-right-meow
# Connected to the `prow` in the `tekton-releases` GCP project
GCP_ACCOUNT="$ACCOUNT@tekton-releases.iam.gserviceaccount.com"
# 1. Create a private key for the service account
gcloud iam service-accounts keys create "$KEY_FILE" --iam-account "$GCP_ACCOUNT"
# 2. Create kubernetes secret, which we will use via a service account and directly mounting
kubectl create secret generic "$GENERIC_SECRET" --from-file="./$KEY_FILE"
# 3. Add the docker secret to the service account
kubectl patch serviceaccount "$ACCOUNT" \
  -p "{\"secrets\": [{\"name\": \"$GENERIC_SECRET\"}]}"