195 lines
5.0 KiB
YAML
195 lines
5.0 KiB
YAML
# Tekton 빌드 및 트리거 공용 ServiceAccount
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: tekton-build-sa
|
|
namespace: tekton-demo
|
|
secrets:
|
|
- name: harbor-dockerconfig # Harbor 인증용 Secret
|
|
imagePullSecrets:
|
|
- name: harbor-dockerconfig # Docker 인증 정보 사용
|
|
|
|
---
|
|
# Tekton 파이프라인 실행 및 리소스 접근 권한(Role)
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: tekton-build-role
|
|
namespace: tekton-demo
|
|
rules:
|
|
- apiGroups: ["", "apps", "tekton.dev", "triggers.tekton.dev"]
|
|
resources: ["pods", "pipelineruns", "tasks", "events"]
|
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
|
|
|
---
|
|
# RoleBinding - 해당 네임스페이스에서 tekton-build-sa에 Role 부여
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: tekton-build-rolebinding
|
|
namespace: tekton-demo
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: tekton-build-sa
|
|
roleRef:
|
|
kind: Role
|
|
name: tekton-build-role
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
---
|
|
# Tekton Triggers(ClusterScope)용 권한
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: tekton-triggers-role
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods", "services", "endpoints", "configmaps", "secrets"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
- apiGroups: ["apps"]
|
|
resources: ["deployments"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
- apiGroups: ["triggers.tekton.dev"]
|
|
resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
|
|
---
|
|
# ClusterRoleBinding - tekton-build-sa에 Triggers ClusterRole 부여
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: tekton-triggers-clusterrolebinding
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: tekton-build-sa
|
|
namespace: tekton-demo
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: tekton-triggers-role
|
|
---
|
|
# 02-task-build.yaml
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: build-docker-image
|
|
namespace: tekton-demo
|
|
spec:
|
|
params:
|
|
- name: git-url
|
|
type: string
|
|
- name: git-revision
|
|
type: string
|
|
default: "main"
|
|
- name: image-url
|
|
type: string
|
|
steps:
|
|
- name: git-clone
|
|
image: alpine/git
|
|
script: |
|
|
#!/bin/sh
|
|
set -e
|
|
git clone $(params.git-url) /workspace/source
|
|
cd /workspace/source
|
|
git checkout $(params.git-revision)
|
|
- name: build-and-push
|
|
image: gcr.io/kaniko-project/executor:latest
|
|
env:
|
|
- name: DOCKER_CONFIG
|
|
value: /tekton/home/.docker/
|
|
args:
|
|
- --dockerfile=/workspace/source/Dockerfile
|
|
- --context=/workspace/source
|
|
- --destination=harbor.icurfer.com/open/tekton-demo:latest
|
|
- --insecure
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: harbor-dockerconfig
|
|
namespace: tekton-demo
|
|
type: kubernetes.io/dockerconfigjson
|
|
data:
|
|
.dockerconfigjson: ewoJImF1dGhzJoYXJib3IuaWN1cmZlci5jb20iOiB7CgkSIKCQl9Cgl9Cn0= # harbor 로그인 정보
|
|
---
|
|
# 05-pipeline-build.yaml
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Pipeline
|
|
metadata:
|
|
name: docker-build-pipeline
|
|
namespace: tekton-demo
|
|
spec:
|
|
params:
|
|
- name: git-url
|
|
type: string
|
|
- name: git-revision
|
|
type: string
|
|
default: "main"
|
|
- name: image-url
|
|
type: string
|
|
tasks:
|
|
- name: build
|
|
taskRef:
|
|
name: build-docker-image
|
|
params:
|
|
- name: git-url
|
|
value: $(params.git-url)
|
|
- name: git-revision
|
|
value: $(params.git-revision)
|
|
- name: image-url
|
|
value: $(params.image-url)
|
|
---
|
|
# 06-trigger-binding.yaml
|
|
apiVersion: triggers.tekton.dev/v1beta1
|
|
kind: TriggerBinding
|
|
metadata:
|
|
name: docker-build-binding
|
|
namespace: tekton-demo
|
|
spec:
|
|
params:
|
|
- name: git-url
|
|
value: $(body.repository.clone_url)
|
|
- name: git-revision
|
|
value: $(body.ref)
|
|
---
|
|
# 07-trigger-template.yaml
|
|
apiVersion: triggers.tekton.dev/v1beta1
|
|
kind: TriggerTemplate
|
|
metadata:
|
|
name: docker-build-template
|
|
namespace: tekton-demo
|
|
spec:
|
|
params:
|
|
- name: git-url
|
|
- name: git-revision
|
|
resourcetemplates:
|
|
- apiVersion: tekton.dev/v1beta1
|
|
kind: PipelineRun
|
|
metadata:
|
|
generateName: docker-build-run-
|
|
spec:
|
|
serviceAccountName: tekton-build-sa
|
|
pipelineRef:
|
|
name: docker-build-pipeline
|
|
params:
|
|
- name: git-url
|
|
value: $(tt.params.git-url)
|
|
- name: git-revision
|
|
value: $(tt.params.git-revision)
|
|
- name: image-url
|
|
value: harbor.icurfer.com/open/tekton-demo:latest
|
|
---
|
|
# 08-event-listener.yaml
|
|
apiVersion: triggers.tekton.dev/v1beta1
|
|
kind: EventListener
|
|
metadata:
|
|
name: gitea-event-listener
|
|
namespace: tekton-demo
|
|
spec:
|
|
serviceAccountName: tekton-build-sa
|
|
triggers:
|
|
- name: gitea-trigger
|
|
bindings:
|
|
- ref: docker-build-binding # ✅ 수정
|
|
template:
|
|
ref: docker-build-template # ✅ 수정 |