I was going through the official Tekton documentation where it deploys an image to Kubernetes using kubectl
standard deployment object manifest . However I am trying use Tekton pipeline as CI/CD to deploy in a knative service which should either use knctl
or kubectl
with a knative service yaml instead of Deployment yaml of knative serving spec
Something like
apiVersion: serving.knative.dev/v1 # Current version of Knative
kind: Service
metadata:
name: helloworld-go # The name of the app
namespace: default # The namespace the app will use
spec:
template:
spec:
containers:
- image: gcr.io/knative-samples/helloworld-go # The URL to the image of the app
env:
- name: TARGET # The environment variable printed out by the sample app
value: "Go Sample v1"
How do I take advantage of Tekton in this case. If I were to install images to any random Kubenetes cluster, I could any other CI/CD tool along with Deployment manifest. I believe Tekton is supposed replace Knative build to make it easy.
I wanted to add that a "quick start" way to get knative service created in a Pipeline is to apply the existing kn
Catalog task https://github.com/tektoncd/catalog/tree/master/task/kn/0.1 to your cluster, and then fashion a TaskRun
/PipelineRun
to run create with the options you require.
https://github.com/knative/client/blob/master/docs/cmd/kn_service_create.md
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
generateName: kn-create-
spec:
serviceAccountName: kn-account
taskRef:
name: kn
params:
- name: ARGS
value:
- "service"
- "create"
- "something"
- "--image=something"
...
The same could be said of kubectl, using that Catalog Task.
There is no one way you could approach deploying a Knative Service with Tekton, but a couple key things to consider are as follows. These instructions assume proper installation of both Tekton/Knative Serving on a Kubernetes cluster.
Tekton allows the use of Kubernetes ServiceAccounts to assign permissions (e.g. creating a Knative service) so that a TaskRun or PipelineRun (i.e. the execution of a Tekton CI/CD process) is able to create and update certain resources. In this case, the creation of a Knative Service.
In order to create a ServiceAccount with permissions to create and update a Knative Service, you would need to create a role that is similar to what is shown below:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: create-knative-service
namespace: default
rules:
# Create and update Knative Service
- apiGroups: ["serving.knative.dev"]
resources: ["services"]
verbs: ["get", "create", "update"]
The Role above allows for the creation and updating of Knative Services.
The Role can be associated with a ServiceAccount via a RoleBinding, which assumes the creation of a ServiceAccount:
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: tekton-sa
namespace: default
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: create-knative-service-binding
subjects:
- kind: ServiceAccount
name: tekton-sa
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: create-knative-service
Once the Role, RoleBinding, and ServiceAccount are available, you can use this ServiceAccount during a TaskRun or PipelineRun depending on how you are deploying a Knative Service. The ServiceAccount to use can be specified via the ServiceAccountName property of a TaskRun or PipelineRun.
If you are using the Tekton cli (tkn
), you can use -s
flag to specify what ServiceAccount to use when starting a PipelineRun or TaskRun:
tkn pipeline start knative-service-deploy -s tekton-sa
NOTE: The Role and RoleBinding examples are for a specific case that only allows deployment of the Knative Service to the same namespace where the TaskRun/PipelineRun is executing.
To deploy the Knative Service via a TaskRun or PipelineRun, you will need to create a Task with a Step that deploys the Knative Service. There is no one tool that you could use in this case as you mention as far as using kubectl
, kn
, or any other tool to deploy to Kubernetes.
The important things for Tekton to know is the Task definition, the image used by the Step, and the command to run to deploy the Knative Service. An example using kn
is shown below:
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: deploy-knative-service
spec:
# Step to create Knative Service from built image using kn. Replaces service if it already exists.
steps:
- name: kn
image: "gcr.io/knative-releases/knative.dev/client/cmd/kn:latest"
command: ["/ko-app/kn"]
args: ["service",
"create", "knative-service",
"--image", "gcr.io/knative-samples/helloworld-go:latest",
"--force"]
In the example above, a Task is defined with one Step called kn
. The Step uses the official kn
image; specifies to run the kn
root command; and then passes arguments to the kn
command to create a Knative Service named knative-service
, use an image for the Knative Service named gcr.io/knative-samples/helloworld-go
, and the --force
flag that updates the Knative Service if it already exists.
EDIT: Adding kubectl Example
The question asks about using kubectl
, so I am adding in an example of using kubectl
in a Tekton Task to deploy a Knative Service from a YAML file:
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: deploy-knative-service
spec:
# Step to create Knative Service from YAML file using kubectl.
steps:
- name: kubectl
image: "bitnami/kubectl"
command: ["kubectl"]
args: ["apply", "-f", "https://raw.githubusercontent.com/danielhelfand/lab-knative-serving/master/knative/service.yaml"]
There is no exact way to answer this question, but hopefully the examples and main points help with considerations around permissions for a PipelineRun or TaskRun as well as how to use certain tools with Tekton.