How to implement approval function in Tekton
2022-06-24 08:27:00 【Chenshaowen】
1. Basic functions of a CI/CD platform
A common CI/CD engine is not suitable for being offered directly to business teams. The main reasons are the high learning cost for users, the lack of necessary authentication, and the difficulty of maintenance and upgrades.
We usually build on a process engine, adapt it to the business to improve ease of use, and encapsulate scenarios to contain complexity. So what are the basic functions of a CI/CD platform?
- Process orchestration. The basic and core function, provided with the help of an open source orchestration engine.
- Process atoms. Process atoms are assembled into a pipeline. The richer the set of process atoms, the better it can meet the needs of business teams.
- Process control. This mainly includes conditional execution, pause, continue, approval and so on, and lets you control the behavior of the pipeline.
- Automatic triggering. Triggering through APIs, Webhooks and so on is a great convenience for users.
- Access control. For a user-facing platform, permission control is indispensable.
Tekton, as a cloud native CI/CD engine, is just the thing for building a CI/CD platform on Kubernetes infrastructure. What I want to share in this article is process control in Tekton, especially the approval function.
2. Process control in Tekton
2.1 runAfter
```yaml
- name: test-app
  taskRef:
    name: make-test
  resources:
    inputs:
      - name: workspace
        resource: my-repo
- name: build-app
  taskRef:
    name: kaniko-build
  runAfter:
    - test-app
  resources:
    inputs:
      - name: workspace
        resource: my-repo
```
The runAfter keyword controls the execution order of tasks. In the example above, build-app runs after test-app has finished. runAfter is how the process is orchestrated.
2.2 conditions
First, create a Condition object that checks whether the specified file exists in the code repository.
```yaml
apiVersion: tekton.dev/v1alpha1
kind: Condition
metadata:
  name: file-exists
spec:
  params:
    - name: "path"
  resources:
    - name: workspace
      type: git
  check:
    image: alpine
    script: 'test -f $(resources.workspace.path)/$(params.path)'
```
When creating the Pipeline, the Task only needs to reference this Condition and provide the necessary parameters. In the following example, my-task runs only if README.md exists in the code repository.
```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: conditional-pipeline
spec:
  resources:
    - name: source-repo
      type: git
  params:
    - name: "path"
      default: "README.md"
  tasks:
    - name: if-condition-then-run
      conditions:
        - conditionRef: "file-exists"
          params:
            - name: "path"
              value: "$(params.path)"
          resources:
            - name: workspace
              resource: source-repo
      taskRef:
        name: my-task
```
2.3 PipelineRunCancelled
When the status in the PipelineRun spec is PipelineRunCancelled, the Reconciler cancels all Tasks early and updates the status.
Reference code: https://github.com/tektoncd/pipeline/blob/c8dc797cf5a6f11f90cb742d014470a444fcdc60/pkg/reconciler/pipelinerun/pipelinerun.go#L147
- View the running PipelineRun
```
kubectl get pipelineruns.tekton.dev

NAME                         SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
cancel-pipelinerun-r-67qsr   Unknown     Running   51m
```
- Change the status of the PipelineRun to PipelineRunCancelled
```bash
kubectl patch PipelineRun cancel-pipelinerun-r-67qsr --type=merge -p '{"spec":{"status":"PipelineRunCancelled"}}'
```
- View the cancelled PipelineRun
```
kubectl get pipelineruns.tekton.dev

NAME                         SUCCEEDED   REASON                 STARTTIME   COMPLETIONTIME
cancel-pipelinerun-r-67qsr   False       PipelineRunCancelled   52m         3s
```
2.4 PipelineRunPending
Besides the PipelineRunCancelled state above, a PipelineRun has another state, PipelineRunPending. The effect of PipelineRunPending is to create the PipelineRun but not immediately
- Create a pipeline in the PipelineRunPending state
```yaml
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: pending-pipelinerun
spec:
  params:
    - name: pl-param-x
      value: "100"
    - name: pl-param-y
      value: "500"
  pipelineRef:
    name: pending-pipeline
  status: "PipelineRunPending"
```
- Check the pipeline status
```
kubectl get pipelineruns.tekton.dev

NAME                  SUCCEEDED   REASON               STARTTIME   COMPLETIONTIME
pending-pipelinerun   Unknown     PipelineRunPending
```
This pipeline has no start time, because it is still waiting.
- Remove the PipelineRunPending state
```bash
kubectl patch PipelineRun pending-pipelinerun --type=merge -p '{"spec":{"status":""}}'
```
The pipeline starts to execute.
- Check the pipeline status
```
kubectl get pipelineruns.tekton.dev

NAME                  SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
pending-pipelinerun   Unknown     Running   4s
```
- A running pipeline cannot be changed to the PipelineRunPending state
In Tekton v0.24.1, the status of a running pipeline cannot be changed to PipelineRunPending; if it could, that would give the effect of a pause.
```
kubectl get pipelineruns.tekton.dev

NAME                 SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
cancel-pipelinerun   Unknown     Running   9s
```
```
kubectl patch PipelineRun cancel-pipelinerun --type=merge -p '{"spec":{"status":"PipelineRunPending"}}'

Error from server (BadRequest): admission webhook "validation.webhook.pipeline.tekton.dev" denied the request: validation failed: invalid value: PipelineRun cannot be Pending after it is started: spec.status
```
The validation webhook restricts this operation.
3. How to implement the approval function
Several process control methods in Tekton were covered above, but the community does not offer, and does not plan to offer, an approval function. Therefore, when doing secondary development on Tekton, the CI/CD platform has to implement approval and permission control itself. Here are two implementation options for reference:
3.1 Option one: use a Trigger
As shown in the figure above, one user pipeline can be split into two pipelines, pipeline-1/2 and pipeline-2/2, with a trigger introduced between them.
- When pipeline-1/2 finishes executing, the approver is notified.
- After the approver approves, pipeline-2/2 is triggered.
- pipeline-2/2 finishes executing, which completes the whole pipeline.
The Tekton community provides a triggers component for triggering pipelines automatically, as shown in the following figure:
- After approval, a trigger event (Event) is pushed.
- After receiving this event, the EventController uses the TriggerBinding to extract the parameters (Parameters) from the event.
- The TriggerTemplate uses the passed parameters to create the pipeline pipeline-2/2.
3.2 Option two: develop an approval Task
Developing Tasks is the main way of extending Tekton, and developing a Task only requires basic Shell and YAML knowledge. Another idea is therefore to develop an approval Task.
As shown in the figure above, a Task-Approve used for approval control is inserted into the pipeline.
- When using the approval atom, a ConfigMap must be created along with it to store the approval status, Status=init.
- When the pipeline finishes the Task-beforeApprove task, the Task-Approve task starts and the state is changed to Status=notifying. The Task-Approve task keeps waiting.
- A notice is sent to the approver and the state is changed to Status=notified.
- The approver approves the pipeline and allows it to execute, changing the state to Status=success.
- Task-Approve detects Status=success, immediately stops waiting, and completes the current Task.
- The pipeline continues with the task after approval, Task-afterApprove, until the end.
Here is an example:
First create a ConfigMap to store the approval status.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: approve-cm
data:
  status: init
```
Write an approval Task that by default waits 24 hours for approval and otherwise times out. If the status is changed to success, the pipeline is approved; if the status is changed to refused, it is rejected.
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: approve-task
spec:
  workspaces:
    - name: data
  params:
    - name: timeout
      description: The max seconds to approve
      type: string
      default: "86400"
  steps:
    - name: sleep-a-while
      image: bash:latest
      script: |
        #!/usr/bin/env bash
        end=$((SECONDS+$(params.timeout)))
        while [ $SECONDS -lt $end ]; do
          name=$(cat "$(workspaces.data.path)"/status)
          if [ "$name" = "success" ]
          then
            echo "approved!"
            exit 0
          elif [ "$name" = "refused" ]
          then
            echo "refused!"
            exit 1
          fi
          sleep 2
          echo "waiting"
        done

        echo "too long not to approve"
        exit 1
```
Then create a test case.
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: something
  annotations:
    description: |
      A simple task that do something
spec:
  steps:
    - name: do-something
      image: bash:latest
      script: |
        #!/usr/bin/env bash
        uname -a
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: approve-pipeline
spec:
  workspaces:
    - name: workspace
  tasks:
    - name: wait-for-approve
      workspaces:
        - name: data
          workspace: workspace
      taskRef:
        name: approve-task
    - name: do-something
      taskRef:
        name: something
      runAfter:
        - wait-for-approve
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: approve-pipelinerun
spec:
  workspaces:
    - name: workspace
      configmap:
        name: approve-cm
  pipelineRef:
    name: approve-pipeline
```
- View the pipeline after creation
The log keeps printing waiting.
- Approve
```bash
kubectl patch ConfigMap approve-cm --type=merge -p '{"data":{"status":"success"}}'
```
- Check the pipeline status
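With this scheme, anyone who can patch approve-cm can approve the pipeline, so the permission control the platform has to provide comes down to who may write that ConfigMap. One way to express that with Kubernetes RBAC, as an added example that is not from the original article; the namespace `ci`, the group `pipeline-approvers` and the Role and RoleBinding names are assumptions.

```yaml
# Added example; namespace "ci" and group "pipeline-approvers" are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: approve-cm-writer
  namespace: ci
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["approve-cm"]    # only the approval ConfigMap from the article
    verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: approvers-can-approve
  namespace: ci
subjects:
  - kind: Group
    name: pipeline-approvers         # only members of this group may approve
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: approve-cm-writer
  apiGroup: rbac.authorization.k8s.io
```

The approve-task pod reads the status through the mounted workspace, so the ServiceAccount that runs the PipelineRun needs no write access to ConfigMaps; `kubectl auth can-i patch configmap/approve-cm -n ci --as=system:serviceaccount:ci:<pipeline-sa>` should answer `no` for it, otherwise a pipeline step could approve itself.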
4. Summary
Approval is a function that is hard to avoid in secondary development on Tekton, but the community does not provide it. This article first introduced the process control methods in Tekton, then described two schemes for implementing the approval function. The following is a brief comparison and summary of the schemes:
4.1 Approval using a Trigger
Advantages
- Flexible. What is executed after approval is entirely controlled by the developer, with more freedom. A background task can also replace the Trigger and create the pipeline with the Tekton client.
- Reliable. Even a restart does not affect the approval.
Disadvantages
- There may be more than two pipelines after splitting.
- Parameters and artifacts need to be passed across pipelines, which increases maintenance cost.
- The architecture becomes more complex, with new components and background processing logic introduced.
4.2 Develop an approval Task
Advantages
- Easy to use. One Pipeline has only one DAG, which is easy to understand.
- More in line with how Tekton is meant to be extended.
Disadvantages
- If the approval Task fails because of a node failure, it cannot be recovered.
- It occupies cluster resources: the approval Task stays resident in the cluster while waiting.
- ConfigMap status updates are not immediate. There is a delay (on the order of seconds by default), approximately the kubelet sync period plus the TTL of the ConfigMap cache in the kubelet.
5. References
Original article: https://www.chenshaowen.com/blog/how-to-implement-approval-function-in-tekton.html