Tekton CI, part III, listen to Github events

For this guide I’m assuming you are running a local Kubernetes cluster.

In the previous article we’ve seen how to share information across a Pipeline using Workspaces, leading to a task for cloning a Github repository then ending with anoter task for …

This content originally appeared on DEV Community 👩‍💻👨‍💻 and was authored by Leandro Proença

For this guide I'm assuming you are running a local Kubernetes cluster.

In the previous article we've seen how to share information across a Pipeline using Workspaces, leading to a task for cloning a Github repository then ending with anoter task for listing the source files in the cloned repository.

Now, let's understand how to listen to Github events and trigger the Pipeline using event bindings.

👂 Listening to Github events

How to listen to Github events? In other words, when someone pushes code to some branch or opens a pull request, how do we get notified from that?

Github (not only Github but other majors like Gitlab too) notifies such events using Webhooks.

We basically have to configure a webhook in the Github interface, choose some events and provide a webhook URL to receive a payload.

Payload received, we can decide whatever we want with that information.

In our case, we want to look at the event type (if pull request opened for instance), extract the repo URL from the payload and then run the pipeline providing the repo URL.

Here's the basic architecture of Webhooks on Github:
Webhook local

The summary of steps we're going to cover in this post:

  1. Create a Tekton Event Listener, TriggerBinding and TriggerTemplate
  2. Configure the Github Webhook

Let's dive in!

First things first

Install the triggers resources in the cluster:

$ kubectl apply --filename \

$ kubectl apply --filename \

1. Create the Event Listener

Event Listeners are Tekton components that listen for events at a specified port in your Kubernetes cluster. Listeners are attached to Kubernetes Pods and backed by Services.

Event Listeners need a proper Kubernetes Service Account for role access control (RBAC), so the first step is creating the RBAC objects.

The Gist with the RBAC yaml can be found here.

Time to exmplore the event-listener.yml:

apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
  name: github-pr
  serviceAccountName: tekton-service-account
    - name: pr-trigger
        - ref: github-pr-trigger-binding
        ref: github-pr-trigger-template
  • serviceAccountName referes to the RBAC
  • each trigger has a name and must provide a trigger binding and a trigger template

Trigger Binding

Trigger Bindings are responsible to extract information from the event payload and use such information in the TriggerTemplate.

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
  name: github-pr-trigger-binding
  - name: revision
    value: $(body.pull_request.head.sha)
  - name: repo-url
    value: $(body.repository.clone_url)

Trigger Template

Trigger Templates define the template of the pipeline or task, using the params extracted by the TriggerBinding.

apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
  name: github-pr-trigger-template
  - name: revision
    default: main
  - name: repo-url
  - apiVersion: tekton.dev/v1beta1
    kind: PipelineRun
      generateName: my-pipeline-
        name: my-pipeline
      - name: shared-data
            - ReadWriteOnce
                storage: 1Gi
      - name: repo-url
        value: $(tt.params.repo-url)
      - name: revision
        value: $(tt.params.revision)

TriggerTemplate is similar to PipelineRun, except that the latter is triggered manually as we've seen in the previous posts.

Then, the TriggerTemplate "sends" the needed params to the PipelineRef, along with the definition of Workspace volume claim templates.

Exposing the Event Listener URL

After applying the Trigger resources, we can check that Tekton created a Kubernetes service for the event listener:

$ tkn eventlisteners list

NAME        AGE              URL                                                  AVAILABLE
github-pr   21 minutes ago   http://el-github-pr.default.svc.cluster.local:8080   True

All we need is providing this URL http://el-github-pr.default.svc.cluster.local:8080 to the Github Webhook.

But we have two problems here:

a. The URL is only accessed within the cluster. In order to expose it to the localhost, we should perform a port-forward
b. Github cannot access our localhost, so we need to use some sort of "proxy" in the internet that creates a tunnel for our local computer on the port 8080.

First, let's perform the port-forward:

$ kubectl port-forward svc/el-github-pr 8080:8080

Forwarding from -> 8080
Forwarding from [::1]:8080 -> 8080

Great, our host is receiving in the port 8080 (localhost:8080), but how do we tunnel Github to our port using some service in the cloud?

Ngrok solves that problem. With ngrok, we simply issue:

$ ngrok http http://localhost:8080

And it outputs a public URL ready to be used across the internet, forwarding to our port 8080 in the localhost:

Add Single Sign-On to your ngrok dashboard via your Identity Provider: https://ngrok.com/dashSSO

Session Status                online
Account                       Leandro Proença (Plan: Free)
Version                       3.1.1
Region                        South America (sa)
Latency                       23ms
Web Interface       
Forwarding                    https://95d2-177-9-110-144.sa.ngrok.io -> http://localhost:8080

Connections                   ttl     opn     rt1     rt5     p50     p90
                              0       0       0.00    0.00    0.00    0.00 

Nice, look how we've got a random URL (in your case it will be different, okay?):



2. Configuring the Github Webhook

In the repository settings, go to Webhooks:

Github WH

Fill the form with the following:

  • Payload URL: paste the URL from Ngrok
  • Content-Type: application/json
  • Secret: leave it empty for now
  • Let me select individual events: Pull Requests only

Webhook created, time to create some PR in the repository.

As we can see next, the pipeline was triggered by the event! 🚀


🍺 Good times! 🍺

It's all about tests!

At this moment, our pipeline only runs a simple ls command in the cloned repository. But we should do even more: style checks, security checks and automated tests.

Let's change the pipeline so it runs the unit tests in the repository.

apiVersion: tekton.dev/v1beta1
kind: Pipeline
  name: chespirito-pipeline
    - name: repo-url
      type: string
    - name: revision
      type: string
    - name: shared-data
  - name: fetch-source
      name: git-clone
      - name: output
        workspace: shared-data
      - name: url
        value: $(params.repo-url)
      - name: revision
        value: $(params.revision)
  - name: run-tests
    runAfter: ["fetch-source"]
      name: run-tests
      - name: source
        workspace: shared-data
apiVersion: tekton.dev/v1beta1
kind: Task
  name: run-tests
    - name: source
  - name: unit-tests
    image: ubuntu
    workingDir: $(workspaces.source.path)
    script: |
      #!/usr/bin/env bash

      docker-compose run --rm ruby bundle install
      docker-compose run --rm ruby ruby -Itest test/all.rb

We just created a new pipeline called chespirito-pipeline, which uses 2 tasks: git-clone and run-tests.

The run-tests Task comprises of an Ubuntu image, so all we need is to use Docker to run the tests inside the container.

A note about running docker commands on CI

However, the Ubuntu Docker official image does not provide a Docker Runtime, then we need to run some kind of "Docker image" in order to have it ready to run.

Almost every CI environment in the cloud (including ours running on a local Kubernetes cluster) is already running jobs/tasks in Docker containers.

Eack Task is a container, so how can we run Docker in Docker?

Docker in Docker

Luckily, the Docker Hub community provides a Docker image for running Docker containers inside Docker.

It's called Docker-in-Docker, or dind.

For a Kubernetes cluster, there's a minimal setup needed to make it work. We should mount some specific volumes and export some environment variables so the container will use the correct Docker Runtime in the cluster.

We can use an architectural pattern called Sidecar Pattern, which is basically an initContainer that uses the dind image and mounts volumes so other containers in the same Pod can use the Docker Runtime.

In Tekton, it's no different, and the resource is actually called Sidecar, similar to Step within a Task but it runs before the steps.

Changing the Task

Because of separation of concerns, the only component we have to change is the Task (thanks to how Kubernetes employ important architectural patterns).

apiVersion: tekton.dev/v1beta1
kind: Task
  name: run-tests
    - name: source
  - name: unit-tests
    image: docker
    workingDir: $(workspaces.source.path)
    script: |
      docker-compose run --rm ruby bundle install
      docker-compose run --rm ruby ruby -Itest test/all.rb

The image used will be docker, because we'll run Docker commands for running the unit tests.

Now, we add to this step, the env variables that Docker will use to connect to the runtime:

      - name: DOCKER_HOST
        value: tcp://localhost:2376
      - name: DOCKER_TLS_VERIFY
        value: "1"
      - name: DOCKER_CERT_PATH
        value: "/certs/client"

Next, declare the volumeMounts that will be populated by the sidecar:

      - mountPath: /certs/client
        name: dind-certs

Step defined, let's declare the sidecar node, right after the steps section:

  - name: dind
    image: docker:dind
      privileged: true
      - --storage-driver=vfs
      - --userland-proxy=false
      - --debug
      - name: DOCKER_TLS_CERTDIR
        value: /certs
      - mountPath: /certs/client
        name: dind-certs
      - mountPath: $(workspaces.source.path)
        name: $(workspaces.source.volume)
      periodSeconds: 1
        command: ['ls', '/certs/client/ca.pem']

The sidecar uses the docker:dind image, starts it and then mounts the /certs in the volume shared with the step.

Also, it's important to note that the sidecar needs to mount the workspace as a Volume, since the Docker run will happen in the sidecar.

Finally, we declare the volumes section, which can be an emptyDir since it's used by steps/sidecars within the same Task:

    - name: dind-certs
      emptyDir: {}

Pipeline applied, time to create the PipelineRun:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
  generateName: chespirito-pipeline-
    name: chespirito-pipeline
  - name: repo-url
    value: https://github.com/leandronsp/chespirito.git
  - name: revision
    value: main
  - name: shared-data
        - ReadWriteOnce
            storage: 1Gi

🎉 May we run it and everything is green!

The last piece

Okay, we've run the new chespirito-pipeline manually. But now we have to change the EventListener, and the only thing needed is:

        name: chespirito-pipeline

Apply some changes in the branch, push to the PR and...


🎉 How wonderful is that? 🚀

In this article we learned about event listeners, triggers, Github webhooks and how to integrate all those stuff so we can run the unit tests at some arbitrary project in Github!

Keep in tune, later we'll see how to listen to the "push to main" event and rollout our application in the Kubernetes cluster, which is the "CD part".

Cheers! 🍺

This content originally appeared on DEV Community 👩‍💻👨‍💻 and was authored by Leandro Proença

Print Share Comment Cite Upload Translate Updates

Leandro Proença | Sciencx (2023-02-19T19:15:03+00:00) Tekton CI, part III, listen to Github events. Retrieved from https://www.scien.cx/2023/02/19/tekton-ci-part-iii-listen-to-github-events/

" » Tekton CI, part III, listen to Github events." Leandro Proença | Sciencx - Sunday February 19, 2023, https://www.scien.cx/2023/02/19/tekton-ci-part-iii-listen-to-github-events/
Leandro Proença | Sciencx Sunday February 19, 2023 » Tekton CI, part III, listen to Github events., viewed ,<https://www.scien.cx/2023/02/19/tekton-ci-part-iii-listen-to-github-events/>
Leandro Proença | Sciencx - » Tekton CI, part III, listen to Github events. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2023/02/19/tekton-ci-part-iii-listen-to-github-events/
" » Tekton CI, part III, listen to Github events." Leandro Proença | Sciencx - Accessed . https://www.scien.cx/2023/02/19/tekton-ci-part-iii-listen-to-github-events/
" » Tekton CI, part III, listen to Github events." Leandro Proença | Sciencx [Online]. Available: https://www.scien.cx/2023/02/19/tekton-ci-part-iii-listen-to-github-events/. [Accessed: ]
» Tekton CI, part III, listen to Github events | Leandro Proença | Sciencx | https://www.scien.cx/2023/02/19/tekton-ci-part-iii-listen-to-github-events/ |

Please log in to upload a file.

There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.