Tekton CI/CD, part IV, continuous delivery

The previous post demonstrated how to listen to Github events and trigger a pipeline based on such event.

So far, the pipeline consists in:

  • fetching the source code (from Github)
  • building a Docker image (using dind) and running unit tests

We're still missing the delivery, i.e deploying our application to production. That's the subject of this article.

First things first

The process of deploying will be as follows:

  • build a Docker image of the application
  • push the image to the Docker registry
  • perform a rollout deployment in kubernetes, using kubectl

All of these steps will be made using Tekton tasks.

We'll keep using the application chespirito, but we are yet to deploy it to Kubernetes first, create a Docker registry to keep our images and lastly create a Task to perform the rollout with kubectl.

Application and registry setup

In order to setup the application in Kubernetes for the first time, we have to provide the Docker registry, which will be a Deployment Pod in the cluster.

Both Chespirito Pod and Docker registry Pod are described in this Gist, so feel free to apply them in your cluster (don't forget to change the image node because it may differ).

After applying correctly, we may have the following output:

$ kubectl get pods

NAME                                         READY   STATUS             RESTARTS          AGE
registry-pod-cdd5859d4-v6lrh                 1/1     Running            15 (152m ago)     40h
chespirito-pod-7d6679476f-7txjf              1/1     Running            0               57m
To the Pipeline

Now, time to change our pipeline so it basically should cover:

  • fetch source
  • build (run tests + build an image for release)
  • deploy

Fetch source Task

The fetch-source Task will keep intact, nothing to change here, just referencing to the task git-clone we imported from the Tekton Hub

  - name: fetch-source
      name: git-clone
      - name: output
        workspace: shared-data
      - name: url
        value: $(params.repo-url)
      - name: revision
        value: $(params.revision)
Build task

The build Task should build an image, run tests at this image and then push such an image to the registry. Pipeline-wise, it should look in this way:

  - name: build
    runAfter: ["fetch-source"]
      name: build
      - name: source
        workspace: shared-data
The Task itself consists of two steps:

  • unit-tests
  • release (push image to the registry)
apiVersion: tekton.dev/v1beta1
kind: Task
  name: build
    - name: source
    image: docker
    workingDir: $(workspaces.source.path)
      - name: DOCKER_HOST
        value: tcp://localhost:2376
      - name: DOCKER_TLS_VERIFY
        value: "1"
      - name: DOCKER_CERT_PATH
        value: "/certs/client"
      - mountPath: /certs/client
        name: dind-certs
    - name: unit-tests
      script: |
        export CI_IMAGE=colima:31320/chespirito:ci

        docker pull $CI_IMAGE || true
        docker build -t $CI_IMAGE .
        docker run --rm $CI_IMAGE bash -c "ruby -Itest test/all.rb"
        docker push $CI_IMAGE
    - name: release
      script: |
        export CI_IMAGE=colima:31320/chespirito:ci
        export RELEASE_IMAGE=colima:31320/chespirito

        docker pull $CI_IMAGE
        docker image tag $CI_IMAGE $RELEASE_IMAGE
        docker push $RELEASE_IMAGE
Note that:

  • the stepTemplate block can be reused across different steps
  • we're using the colima:31320 host because it's the address of the private-insecure registry we installed previously using this Gist

And last but not least, the sidecar playing the role of docker-in-docker:

    - name: dind
      image: docker:dind
        privileged: true
        - --storage-driver=vfs
        - --userland-proxy=false
        - --debug
        - --insecure-registry=colima:31320
        - name: DOCKER_TLS_CERTDIR
          value: /certs
        - mountPath: /certs/client
          name: dind-certs
        - mountPath: $(workspaces.source.path)
          name: $(workspaces.source.volume)
        periodSeconds: 1
          command: ['ls', '/certs/client/ca.pem']
    - name: dind-certs
      emptyDir: {}
It's quite similar to the sidecar we created in the last article, but this time we added the flag --insecure-registry to the command argument. Such flag is very important because the daemon running in dind is not aware of the Docker daemon that's running in the cluster itself (after all, it's Docker in Docker, remember?)

Moreover, colima refers to my hostname in the colima VM, as the port 31320 is needed because the Kubernetes service that is exposing the Registry Pod is a NodePort service, which means it should be accessible anywhere in the cluster or VM. Be aware that this hostname may change in your case, get to know your cluster IP first and use it.

Run the Pipeline

Okay, time to run everything, but let's create a PipelineRun to test it:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
  generateName: chespirito-pipeline-
    name: chespirito-pipeline
  - name: repo-url
    value: https://github.com/leandronsp/chespirito.git
  - name: revision
    value: main
  - name: shared-data
        - ReadWriteOnce
            storage: 1Gi
๐Ÿš€ So far, so good.

But we're still only pushing the image to the registry. Let's go to the last task: deploy.

The continuous delivery, or CD

As far as we can tell, delivering applications mean applying patches, updates in a sustainable way, that does not harm the process and ensures the deployment is reliable and secure.

At this moment, we're doing a small part of "CD", which is pushing an image ready for release to some registry. We are yet to use this image to update our production environment, i.e performing the rollout.

Using kubectl

Concerning the use of kubectl, we have to use some image from Docker Hub that already brings this tool, otherwise we would have to build an image on our own for that purpose.

Luckily, the Tekton Hub provides a Task called kubernetes-actions, then all we have to do is install it and use it as we did in git-clone.

$ kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/kubernetes-actions/0.2/kubernetes-actions.yaml
It provides an image and the steps needed to perform any kubectl action.

Going back to the pipeline, we have to add a Task to it, right after the build Task ref:

  - name: deploy
    runAfter: ["build"]
      name: kubernetes-actions
      - name: "script"
        value: |
          export RELEASE_IMAGE=colima:31320/chespirito

          kubectl set image deployment/chespirito-pod app=$RELEASE_IMAGE --record
          kubectl rollout status deployment/chespirito-pod --timeout 5m
  • the script param is required by the Task in order to run an arbitrary script
  • kubectl set image allows to immediately change image in a deployment pod, which will trigger a rollout
  • kubectl rollout status watches for the deployment to rollout completely

Run Pipeline, run!

We run the pipeline again, but it may fail because of permissions of the default ServiceAccount used by the kubernetes-action Task.

That said, we can configure the RBAC for this Task:

apiVersion: v1
kind: ServiceAccount
  name: tekton-kubectl-service-account
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
  name: tekton-kubectl-role
- apiGroups:
  - "*"
  - pods
  - deployments
  - deployments/scale
  - deployments/status
  - get
  - list
  - watch
  - create
  - delete
  - patch
  - update
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
  name: tekton-kubectl-binding
- kind: ServiceAccount
  name: tekton-kubectl-service-account
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-kubectl-role
The new ServiceAccount tekton-kubectl-service-account is allowed to only perform actions in pods and deployments.

Now, we should place the serviceAccountName in the PipelineRun:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
  generateName: chespirito-pipeline-
  #### Here! ####
  serviceAccountName: tekton-kubectl-service-account
Run that again and...everything worked as expected!

Last things last

Of course, there's no CI/CD if we have to perform manual actions. Let's add the serviceAccountName to our current Trigger Template github-pr-trigger-template and open a PullRequest at the repository:

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
  name: github-pr-trigger-template
  - name: revision
    default: main
  - name: repo-url
  - apiVersion: tekton.dev/v1beta1
    kind: PipelineRun
      generateName: chespirito-pipeline-
      #### Here! ####
      serviceAccountName: tekton-kubectl-service-account
Open the PR and then... ๐Ÿ’ฅ


๐Ÿš€ How amazing is that? ๐Ÿบ

The final architecture

The idea behind this series is a new way to think testing, building and delivering cloud-native application.

Since we are in the "cloud-native" era, running isolated containers that do other jobs (i.e CI/CD) than the business-only may be cheaper and efficient.

Take a look at how the architecture now looks way more simpler:


So far, we've seen the complete lifecycle of CI/CD, but we have more to come, for instance configuring a private Git repository (using SSH credentials as Kubernetes secrets) and using Tekton ClusterInterceptors to filter specific events and run different pipelines.

Almost there, stay tuned! ๐Ÿš€

