Created
March 25, 2020 09:13
-
-
Save vicenteherrera/25cec261e4507ea008b4b8f45159e854 to your computer and use it in GitHub Desktop.
Example Tekton pipeline including a Sysdig Secure image scanning task
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: docker-auth-for-tekton | |
| annotations: | |
| tekton.dev/docker-0: https://index.docker.io | |
| tekton.dev/docker-1: https://gcr.io | |
| type: kubernetes.io/basic-auth | |
| stringData: | |
| username: <username> | |
| password: <password> | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: build-bot | |
| secrets: | |
| - name: docker-auth-for-tekton | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| name: build-bot-tekton-pipelines-admin | |
| namespace: tekton-pipelines | |
| subjects: | |
| - kind: User | |
| name: build-bot | |
| apiGroup: rbac.authorization.k8s.io | |
| roleRef: | |
| kind: Role | |
| name: tekton-pipelines-admin | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: Role | |
| metadata: | |
| name: build-bot-deploy-role | |
| namespace: tekton-pipelines | |
| rules: | |
| - apiGroups: ["extensions", "apps"] | |
| resources: ["deployments"] | |
| verbs: ["get", "create", "update", "patch"] | |
| - apiGroups: [""] | |
| resources: ["services"] | |
| verbs: ["get", "create", "update", "patch"] | |
| --- | |
| kind: RoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| metadata: | |
| name: build-bot-deploy-binding | |
| namespace: tekton-pipelines | |
| subjects: | |
| - kind: ServiceAccount | |
| name: build-bot | |
| namespace: tekton-pipelines | |
| roleRef: | |
| kind: Role | |
| name: build-bot-deploy-role | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| # =================================================== | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Task | |
| metadata: | |
| name: unit-tests | |
| spec: | |
| inputs: | |
| resources: | |
| - name: workspace | |
| type: git | |
| targetPath: go/src/github.com/GoogleContainerTools/skaffold | |
| steps: | |
| - name: run-tests | |
| image: golang | |
| env: | |
| - name: GOPATH | |
| value: /workspace/go | |
| workingDir: /workspace/go/src/github.com/GoogleContainerTools/skaffold | |
| command: | |
| - echo | |
| args: | |
| - "pass" | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Task | |
| metadata: | |
| name: build-push | |
| spec: | |
| inputs: | |
| resources: | |
| - name: workspace | |
| type: git | |
| params: | |
| - name: pathToDockerFile | |
| description: The path to the dockerfile to build | |
| default: /workspace/workspace/Dockerfile | |
| - name: pathToContext | |
| description: The build context used by Kaniko (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts) | |
| default: /workspace/workspace | |
| outputs: | |
| resources: | |
| - name: builtImage | |
| type: image | |
| steps: | |
| - name: build-and-push | |
| image: gcr.io/kaniko-project/executor:v0.9.0 | |
| # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential | |
| env: | |
| - name: "DOCKER_CONFIG" | |
| value: "/tekton/home/.docker/" | |
| command: | |
| - /kaniko/executor | |
| args: | |
| - --dockerfile=$(inputs.params.pathToDockerFile) | |
| - --destination=$(outputs.resources.builtImage.url) | |
| - --context=$(inputs.params.pathToContext) | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Task | |
| metadata: | |
| name: scan-image | |
| spec: | |
| inputs: | |
| resources: | |
| - name: image | |
| type: image | |
| steps: | |
| - name: scan-image-step | |
| image: sysdiglabs/secure-image-scanning:latest | |
| env: | |
| - name: IMAGE_TO_SCAN | |
| value: quay.io/marcf5/mltitanic | |
| - name: SYSDIG_SECURE_TOKEN | |
| value: <your_sysdig_secure_token> | |
| --- | |
| #This task deploys with kubectl apply -f <filename> | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Task | |
| metadata: | |
| name: demo-deploy-kubectl | |
| spec: | |
| inputs: | |
| resources: | |
| - name: workspace | |
| type: git | |
| - name: image | |
| type: image | |
| params: | |
| - name: path | |
| description: Path to the manifest to apply | |
| - name: yqArg | |
| description: Okay this is a hack, but I didn't feel right hard-codeing `-d1` down below | |
| - name: yamlPathToImage | |
| description: The path to the image to replace in the yaml manifest (arg to yq) | |
| steps: | |
| - name: replace-image | |
| image: mikefarah/yq | |
| command: ['yq'] | |
| args: | |
| - "w" | |
| - "-i" | |
| - "$(inputs.params.yqArg)" | |
| - "$(inputs.params.path)" | |
| - "$(inputs.params.yamlPathToImage)" | |
| - "$(inputs.resources.image.url)" | |
| - name: run-kubectl | |
| image: lachlanevenson/k8s-kubectl | |
| command: ['kubectl'] | |
| args: | |
| - 'apply' | |
| - '-f' | |
| - '$(inputs.params.path)' | |
| --- | |
| # This Pipeline Builds two microservice images(https://github.com/GoogleContainerTools/skaffold/tree/master/examples/microservices) | |
| # from the Skaffold repo (https://github.com/GoogleContainerTools/skaffold) and deploys them to the repo currently running Tekton Pipelines. | |
| # **Note** : It does this using the k8s `Deployment` in the skaffold repos's existing yaml | |
| # files, so at the moment there is no guarantee that the image that are built and | |
| # pushed are the ones that are deployed (that would require using the digest of | |
| # the built image, see https://github.com/tektoncd/pipeline/issues/216). | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Pipeline | |
| metadata: | |
| name: demo-pipeline | |
| spec: | |
| resources: | |
| - name: source-repo | |
| type: git | |
| - name: web-image | |
| type: image | |
| - name: app-image | |
| type: image | |
| tasks: | |
| - name: skaffold-unit-tests | |
| taskRef: | |
| name: unit-tests | |
| resources: | |
| inputs: | |
| - name: workspace | |
| resource: source-repo | |
| - name: build-skaffold-web | |
| runAfter: [skaffold-unit-tests] | |
| taskRef: | |
| name: build-push | |
| params: | |
| - name: pathToDockerFile | |
| value: Dockerfile | |
| - name: pathToContext | |
| value: /workspace/workspace/examples/microservices/leeroy-web | |
| resources: | |
| inputs: | |
| - name: workspace | |
| resource: source-repo | |
| outputs: | |
| - name: builtImage | |
| resource: web-image | |
| - name: build-skaffold-app | |
| runAfter: [skaffold-unit-tests] | |
| taskRef: | |
| name: build-push | |
| params: | |
| - name: pathToDockerFile | |
| value: Dockerfile | |
| - name: pathToContext | |
| value: /workspace/workspace/examples/microservices/leeroy-app | |
| resources: | |
| inputs: | |
| - name: workspace | |
| resource: source-repo | |
| outputs: | |
| - name: builtImage | |
| resource: app-image | |
| - name: scan-image-web | |
| runAfter: [build-skaffold-web] | |
| taskRef: | |
| name: scan-image | |
| resources: | |
| inputs: | |
| - name: image | |
| resource: web-image | |
| from: | |
| - build-skaffold-web | |
| - name: scan-image-app | |
| runAfter: [build-skaffold-app] | |
| taskRef: | |
| name: scan-image | |
| resources: | |
| inputs: | |
| - name: image | |
| resource: app-image | |
| from: | |
| - build-skaffold-app | |
| - name: deploy-app | |
| runAfter: [scan-image-app] | |
| taskRef: | |
| name: demo-deploy-kubectl | |
| resources: | |
| inputs: | |
| - name: workspace | |
| resource: source-repo | |
| - name: image | |
| resource: app-image | |
| from: | |
| - build-skaffold-app | |
| params: | |
| - name: path | |
| value: /workspace/workspace/examples/microservices/leeroy-app/kubernetes/deployment.yaml | |
| - name: yqArg | |
| value: "-d1" | |
| - name: yamlPathToImage | |
| value: "spec.template.spec.containers[0].image" | |
| - name: deploy-web | |
| runAfter: [scan-image-web] | |
| taskRef: | |
| name: demo-deploy-kubectl | |
| resources: | |
| inputs: | |
| - name: workspace | |
| resource: source-repo | |
| - name: image | |
| resource: web-image | |
| from: | |
| - build-skaffold-web | |
| params: | |
| - name: path | |
| value: /workspace/workspace/examples/microservices/leeroy-web/kubernetes/deployment.yaml | |
| - name: yqArg | |
| value: "-d1" | |
| - name: yamlPathToImage | |
| value: "spec.template.spec.containers[0].image" | |
| --- | |
| # ================================================= | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineResource | |
| metadata: | |
| name: skaffold-image-leeroy-app | |
| spec: | |
| type: image | |
| params: | |
| - name: url | |
| value: gcr.io/christiewilson-catfactory/leeroy-app | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineResource | |
| metadata: | |
| name: skaffold-image-leeroy-web-pipelinerun | |
| spec: | |
| type: image | |
| params: | |
| - name: url | |
| value: gcr.io/christiewilson-catfactory/leeroy-web | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineResource | |
| metadata: | |
| name: skaffold-git-pipelinerun | |
| spec: | |
| type: git | |
| params: | |
| - name: revision | |
| value: v0.32.0 | |
| - name: url | |
| value: https://github.com/GoogleContainerTools/skaffold | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineRun | |
| metadata: | |
| name: demo-pipeline-run-1 | |
| spec: | |
| pipelineRef: | |
| name: demo-pipeline | |
| serviceAccountName: build-bot | |
| resources: | |
| - name: source-repo | |
| resourceRef: | |
| name: skaffold-git-pipelinerun | |
| - name: web-image | |
| resourceRef: | |
| name: skaffold-image-leeroy-web-pipelinerun | |
| - name: app-image | |
| resourceRef: | |
| name: skaffold-image-leeroy-app |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment