Tekton triggers with GitHub integration

Continuous Integration (CI) is a cornerstone of modern software development, ensuring that code changes are tested and integrated into the main codebase frequently and reliably. Tekton Triggers, coupled with GitHub integration, offers a powerful solution for automating CI workflows in Kubernetes environments. In this tutorial, we’ll walk through the process of setting up Tekton Triggers with GitHub integration, enabling seamless automation of CI tasks in response to GitHub events. Let’s dive in to the tutorial.

Prerequisites

Before you begin, ensure that you have the following:

A Kubernetes cluster with Tekton installed
Kubectl
Tekton Pipelines
A GitHub account

Install Triggers

Now that we have the prerequisites in place, let’s install Tekton Triggers. To do this, we’ll use the following command:

## Install the triggers
kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml

## Install the interceptors
kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml

This command installs the Tekton Triggers and Interceptors, which are essential for setting up the CI workflow. Once the installation is complete, we can proceed to the next step. Now you can monitor the installation by running the following command:

1	kubectl get pods --namespace tekton-pipelines --watch

Set up RBAC

Event Listeners need a proper Kubernetes Service Account for role access control (RBAC), so the first step is creating the RBAC objects. You can create Service Account, Role, RoleBinding, ClusterRole and ClusterRoleBinding using the following YAML:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-triggers-example-minimal
rules:
# EventListeners need to be able to fetch all namespaced resources
- apiGroups: ["triggers.tekton.dev"]
  resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers", "interceptors"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
# configmaps is needed for updating logging config
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
# Permissions to create resources in associated TriggerTemplates
- apiGroups: ["tekton.dev"]
  resources: ["pipelineruns", "pipelineresources", "taskruns"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["impersonate"]
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["tekton-triggers"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers-example-binding
subjects:
- kind: ServiceAccount
  name: tekton-triggers-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-triggers-example-minimal
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-triggers-example-clusterrole
rules:
  # EventListeners need to be able to fetch any clustertriggerbindings
- apiGroups: ["triggers.tekton.dev"]
  resources: ["clustertriggerbindings", "clusterinterceptors"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-triggers-example-clusterbinding
subjects:
- kind: ServiceAccount
  name: tekton-triggers-sa
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-example-clusterrole

The RBAC yaml can be found here. Once you have created the RBAC objects, you can proceed to the next step.

Create an Event Listener

The next step is to create an Event Listener, which will listen for GitHub events and trigger the CI workflow. You can create an Event Listener using the following YAML:

apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: github-listener
  annotations:
    tekton.dev/payload-validation: "false"
    tekton.dev/disable-ssl-verify: "true"
spec:
  serviceAccountName: tekton-triggers-sa # This is referring to the Service Account created in the previous step
  triggers:
    - name: github-listener
      bindings:
        - ref: github-binding # TriggerBinding metada.name we are going to create in the next step
      template:
        ref: github-template # TriggerTemplate metadata.name we are going to create in the next step

Create a Trigger Binding

The next step is to create a Trigger Binding, which will define the parameters for the GitHub event. You can create a Trigger Binding using the following YAML:

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: github-binding
spec:
  params:
    - name: gitrevision
      value: $(body.head_commit.id)

In here we are using the head_commit.id as the gitrevision parameter. You can use any other parameter as per your requirement.

Create a Trigger Template

The next step is to create a Trigger Template, which will define the CI workflow to be triggered by the GitHub event. You can create a Trigger Template using the following YAML:

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: github-template
spec:
  params:
    - name: gitrevision
      description: The git revision
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        generateName: clone-build-push-run-
      spec:
        pipelineRef:
          name: clone-build-push
        podTemplate:
          securityContext:
            fsGroup: 65532
        workspaces:
        - name: shared-data
          volumeClaimTemplate:
            spec:
              accessModes:
              - ReadWriteOnce
              resources:
                requests:
                  storage: 1Gi
        - name: docker-credentials
          secret:
            secretName: docker-credential
        params:
        - name: repo-url
          value: [email protected]:dinushchathurya/tekton-triggers.git
        - name: image-reference
          value: limarktest/tekton-nodejs
        - name: image-tag
          value: "$(tt.params.gitrevision)"
        serviceAccountName: git-service-account

TriggerTemplate is similar to PipelineRun, except that the latter is triggered manually as we’ve seen in the previous posts. Then, the TriggerTemplate “sends” the needed params to the PipelineRef, along with the definition of Workspace volume claim templates.

Exposing the Event Listener

Now we need to expose the Event Listener to the outside world so that GitHub can send events to it. But before it you can check the Event Listener by running the following command:

kubectl get el

or 

tkn el list

To expose the Event Listener, we can use the kubectl port-forward command to forward traffic from a local port to the Event Listener’s service port. You can do this using the following command:

1	kubectl port-forward svc/el-github-listener 8080:8080

Great, our host is receiving in the port 8080 (localhost:8080), but how do we tunnel Github to our port using some service in the cloud? We can use a service like ngrok to expose our local port to the internet. You can download and install ngrok from here. Once you have ngrok installed, you can expose your local port to the internet using the following command:

1	ngrok http http://localhost:8080

Now you can see the public URL that ngrok has generated for you. You can use this URL to configure the GitHub webhook.

Configure the GitHub Webhook

In the repository settings, go to Webhooks and then you need to fillout the following details:

Payload URL: The public URL generated by ngrok
Content type: application/json
Secret: Leave it empty
Which events would you like to trigger this webhook?: Just the push event

Conclusion

In this tutorial, we’ve walked through the process of setting up Tekton Triggers with GitHub integration, enabling seamless automation of CI tasks in response to GitHub events. We’ve installed Tekton Triggers, set up RBAC, created an Event Listener, Trigger Binding, and Trigger Template, and exposed the Event Listener to the outside world. We’ve also configured the GitHub webhook to send events to the Event Listener. With this setup in place, we can now automate CI workflows in response to GitHub events, ensuring that code changes are tested and integrated into the main codebase frequently and reliably.
You can find the all the related scripts and code for this tutorial from here. If you have any issue regarding this tutorial, mention your issue in the comment section or reach me through my E-mail.