### What is the product, what is its purpose
Tekton is a powerful and flexible open-source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems.
### Who are the users
Tekton is often used as a foundation on top of which CI/CD services and products are built. A few known implementations based on Tekton:
- [IBM Cloud Continuous Delivery](https://www.ibm.com/uk-en/cloud/continuous-delivery): Toolchain as a Service
  - Customers from various industries, including highly regulated ones (banking)
- [Red Hat OpenShift Pipelines](https://cloud.redhat.com/learn/topics/ci-cd): CI/CD service for OpenShift users
  - @Vincent: examples of users?
- [Google Cloud Build Hybrid Pools](https://cloud.google.com/build/docs/hybrid/overview): Multi-cloud builds as a Service
  - @Dibyo: examples of users?
- [SolarWinds](https://www.youtube.com/watch?v=1-tMRxqMwTQ): SolarWinds used Tekton to re-architect its build system in the wake of the SUNBURST attack
- [Relay.sh by Puppet](https://relay.sh/): Workflow as a Service
- [Kubeflow Pipelines for Tekton](https://github.com/kubeflow/kfp-tekton): Data/ML pipelines defined through a Python DSL and compiled into Tekton
  - Used by various IBM offerings in the Data/ML area
- IBM uses Tekton internally for development teams and compliance pipelines
More examples in [Tekton Friends](https://github.com/tektoncd/friends).
### What is its architecture
#### Tekton Components Overview
- Core Projects: Pipeline, Triggers, Results, Chains
- User Interfaces: CLI, Dashboard, Hub
- Resources: Catalog
- Lifecycle: Operator

#### Tekton Pipelines Overview

Workspaces are backed by Kubernetes resources / storage:
- Secrets / ConfigMaps
- PVCs with various backends

TaskRuns are backed by Kubernetes Pods, with one container per Step.
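The following is an added example, not code from the Tekton project or from this page, showing how those backings line up in practice: a Task declaring three Workspaces and two Steps, and a TaskRun binding the Workspaces to a Secret, a ConfigMap and a PVC created for the run. The resource names (`build-image`, `registry-creds`, `build-config`, `build-bot`), the container images, the repository URL and the build commands are assumptions for illustration.

```yaml
# Added example, not code from the Tekton project. Resource names, images,
# repository URLs and commands are assumptions for illustration.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-image
spec:
  params:
    - name: git-url
    - name: git-revision
      default: main
  workspaces:
    - name: source           # scratch space shared by both Steps (bound to a PVC below)
    - name: registry-creds   # bound to a Secret; readable from every Step's container
      readOnly: true
      mountPath: /var/run/registry-creds
    - name: build-config     # bound to a ConfigMap
      readOnly: true
  results:
    - name: IMAGE_URL        # Tekton Chains looks for these two result names to find images to sign
    - name: IMAGE_DIGEST
  steps:
    # Each Step becomes one container (step-fetch, step-build) in a single Pod, so the
    # Steps share the Pod's volumes, network namespace and ServiceAccount token.
    - name: fetch
      image: alpine/git              # assumption; pin by tag or digest in a real pipeline
      workingDir: $(workspaces.source.path)
      script: |
        set -eu
        git clone "$(params.git-url)" .
        git checkout "$(params.git-revision)"
    - name: build
      image: example.com/ko-builder:v1   # assumption: any image that ships ko and a POSIX shell
      workingDir: $(workspaces.source.path)
      env:
        - name: DOCKER_CONFIG        # ko reads registry credentials from $DOCKER_CONFIG/config.json
          value: /var/run/registry-creds
      script: |
        set -eu
        read -r KO_DOCKER_REPO < "$(workspaces.build-config.path)/repo"
        export KO_DOCKER_REPO
        # With --bare, ko prints "<repo>@sha256:<digest>" for the image it pushed.
        ko build --bare ./cmd/app > /tmp/ref
        read -r ref < /tmp/ref
        printf '%s' "${ref%@*}" > "$(results.IMAGE_URL.path)"
        printf '%s' "${ref#*@}" > "$(results.IMAGE_DIGEST.path)"
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  generateName: build-image-run-     # create with: kubectl create -f <this file>
spec:
  taskRef:
    name: build-image
  serviceAccountName: build-bot      # assumption: a ServiceAccount with only the RBAC the run needs
  params:
    - name: git-url
      value: https://github.com/example/app.git   # assumption
  workspaces:
    - name: source
      volumeClaimTemplate:           # Tekton creates a PVC for this run from the template
        spec:
          accessModes: [ReadWriteOnce]
          resources:
            requests:
              storage: 1Gi
    - name: registry-creds
      secret:
        secretName: registry-creds   # Opaque Secret holding the key "config.json"
    - name: build-config
      configMap:
        name: build-config           # holds the key "repo", e.g. registry.example.com/app
```

The security point to keep in mind: because every Step runs as a container in the same Pod, the registry Secret mounted for the `build` Step is equally readable from the `fetch` Step's container, and both Steps share the Pod's ServiceAccount token. Keep the Steps that need credentials few, mount Secrets `readOnly`, and give the TaskRun's ServiceAccount only the Kubernetes RBAC the run actually needs.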
#### Tekton Triggers Overview

- EventListeners are backed by Kubernetes Services (a Deployment plus Service, or a Knative Service, `ksvc`)
- Interceptors are services that provide extra processing of incoming events, such as validation (for example, webhook signature checks) or transformation
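As an added example (not the Tekton project's own manifests), the following EventListener chains two Interceptors: the built-in `github` ClusterInterceptor, which verifies the HMAC signature GitHub puts on the webhook and restricts event types, followed by the `cel` ClusterInterceptor, which filters on the branch and adds a derived field. The listener, Secret, ServiceAccount, binding and template names, the branch filter, and the `ci-build` Task the template runs are assumptions for illustration.

```yaml
# Added example, not code from the Tekton project. Resource and Secret names,
# the branch filter and the Task being run are assumptions for illustration.
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: github-listener
spec:
  serviceAccountName: tekton-triggers-sa   # needs RBAC to read Triggers resources and create TaskRuns
  triggers:
    - name: github-push
      # Interceptors run in the order listed; the first failure rejects the event.
      interceptors:
        # 1. Authenticate the sender first: verify GitHub's HMAC signature header against
        #    the shared secret and accept only "push" events. Without this, anyone who can
        #    reach the listener Service can start a TaskRun with attacker-chosen params.
        - ref:
            name: "github"
          params:
            - name: "secretRef"
              value:
                secretName: github-webhook-secret   # Secret with the key "secretToken"
                secretKey: secretToken
            - name: "eventTypes"
              value: ["push"]
        # 2. Only after authentication, filter and enrich the payload with CEL.
        - ref:
            name: "cel"
          params:
            - name: "filter"
              value: "body.ref == 'refs/heads/main'"
            - name: "overlays"
              value:
                - key: short_sha
                  expression: "body.after.truncate(7)"
      bindings:
        - ref: github-push-binding
      template:
        ref: ci-build-template
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: github-push-binding
spec:
  params:
    - name: git-url
      value: $(body.repository.clone_url)
    - name: git-revision
      value: $(body.after)
    - name: short-sha
      value: $(extensions.short_sha)   # added by the CEL overlay above
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: ci-build-template
spec:
  params:
    - name: git-url
    - name: git-revision
    - name: short-sha
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: TaskRun
      metadata:
        generateName: ci-build-$(tt.params.short-sha)-
      spec:
        serviceAccountName: build-bot   # assumption: least-privilege ServiceAccount for the run
        taskRef:
          name: ci-build               # assumption: an existing Task taking these two params
        params:
          - name: git-url
            value: $(tt.params.git-url)
          - name: git-revision
            value: $(tt.params.git-revision)
```

Two checks worth making on any listener like this: the signature-verifying interceptor must come before any interceptor that evaluates or rewrites the body, and the EventListener's ServiceAccount should be able to create only the run types the templates emit, since every field an attacker can influence in the webhook body flows through the binding into the created TaskRun.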
#### Tekton Chains Overview
- Watches Tekton TaskRuns (support for more resource types is planned)
- Integrates with Sigstore
- Signs container images built by Tekton and stores attestations in Rekor
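As an added example (this is not the configuration shipped with Tekton Chains), the following `chains-config` ConfigMap turns on all three behaviours listed above: in-toto attestations for TaskRuns, cosign-style image signatures, and upload of both to the public Rekor log. The ConfigMap name and the `tekton-chains` namespace are the ones a Chains install reads; the values are one reasonable choice among the documented options.

```yaml
# Added example, not the ConfigMap shipped with Tekton Chains. The ConfigMap name and
# namespace are the ones a Chains install reads; the values are choices, not defaults.
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
data:
  # TaskRun provenance: an in-toto statement (SLSA provenance predicate), stored as an
  # annotation on the TaskRun and pushed next to the image in the OCI registry.
  artifacts.taskrun.format: in-toto
  artifacts.taskrun.storage: tekton,oci
  artifacts.taskrun.signer: x509
  # Image signatures in cosign's "simple signing" format, pushed to the registry.
  artifacts.oci.format: simplesigning
  artifacts.oci.storage: oci
  artifacts.oci.signer: x509
  # Record every signature and attestation in the public Rekor transparency log.
  transparency.enabled: "true"
  transparency.url: https://rekor.sigstore.dev
```

The `x509` signer reads its private key from the Secret `signing-secrets` in the `tekton-chains` namespace (keys `cosign.key` and `cosign.password`), which `cosign generate-key-pair k8s://tekton-chains/signing-secrets` creates. Chains only signs images it can discover, which means TaskRuns that expose the built image through a pair of results named `IMAGE_URL` and `IMAGE_DIGEST` (or `<name>_IMAGE_URL` / `<name>_IMAGE_DIGEST`). Consumers can then check `cosign verify --key cosign.pub <image>` and `cosign verify-attestation --key cosign.pub --type slsaprovenance <image>`. The caveat: whoever can read Secrets in `tekton-chains` can sign arbitrary images with that key, so RBAC on that namespace is part of the trust boundary; a KMS-backed signer keeps the key material out of the cluster altogether.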
### How is it implemented
#### How did you build it?
We use `main` as our development branch; we use CI testing to keep
`main` in a releasable state in every commit.
We build our releases using `ko`, embedded in a Tekton Pipeline that
fetches the code, builds it, pushes the container images to gcr.io and
the manifest files to a public object storage bucket on GCP.
We push the same manifests to GitHub and generate release notes
automatically.
Tekton Chains monitors the cluster where we run our releases, so that
our container images are signed and an attestation of the `TaskRun` that
built the container images is stored in Rekor.
#### What languages, frameworks, design patterns were used?
Tekton consists of a number of related projects, built in Go (the Dashboard is an exception). The core Pipelines project (as well as Triggers and Chains) is implemented as [Kubernetes CRD controllers](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) using the [knative/pkg](https://github.com/knative/pkg) controller library.
### How do you know it works
#### What testing strategies do you use
We have unit tests, integration tests, and end-to-end tests that run on every pull request, as well as nightly builds on multiple architectures.
We deploy our nightly builds to a dedicated cluster every night.
We use the latest release of Tekton to run CI/CD services for Tekton itself (dogfooding).
#### What tools do you use (linting?)
- Standard Go tools
- [golangci-lint](https://golangci-lint.run/)
- [ko](https://github.com/google/ko)
- crane, git (obviously)
- make
### Security
#### What security testing have you done?
In the community we use GitHub's Dependabot to stay on top of CVEs in our dependencies.
Downstream users of Tekton perform further security testing:
- IBM builds its own Tekton container images for different services. These images are scanned for vulnerabilities, and fixes are proposed upstream when issues are found.
- Google has been running a security audit.
- Red Hat builds its own Tekton container images for OpenShift Pipelines. These images are scanned for vulnerabilities, and fixes are proposed upstream when issues are found.
#### What security challenges do you face?
We recently started an S3C (secure software supply chain) working group to discuss S3C features in Tekton and compliance with S3C standards (OpenSSF Best Practices badge, SLSA).
Tekton has a vulnerability management team and a mailing list through which users can report vulnerabilities.
A vanilla CodeQL analysis of Pipeline found no issues: https://github.com/tektoncd/pipeline/pull/4591
Four [small issues](https://lgtm.com/projects/g/tektoncd/pipeline/alerts/?mode=list) reported by lgtm.com were addressed in https://github.com/tektoncd/pipeline/pull/4592
### Documentation
#### Where are the developer docs
DEVELOPMENT.md in each repo
https://github.com/tektoncd/pipeline/tree/main/docs/developers
#### What in-line comments do you have?
#### Any info on architecture docs, design docs, testing docs
- [Project documentation](https://tekton.dev/docs)
TODO: Links to talks?