feat: 开发测试接口

tekton/pipeline.yaml

@@ -0,0 +1,90 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: fastapi-ci
+  namespace: tekton-ci
+spec:
+  params:
+  - name: git-url
+    type: string
+  - name: git-revision
+    type: string
+  - name: image-tag
+    type: string
+  workspaces:
+  - name: source
+  - name: dockerconfig
+  tasks:
+
+  # 1. 拉取代码
+  - name: git-clone
+    taskRef:
+      name: git-clone
+    params:
+    - name: url
+      value: $(params.git-url)
+    - name: revision
+      value: $(params.git-revision)
+    workspaces:
+    - name: output
+      workspace: source
+
+  # 2. 单元测试
+  - name: pytest
+    runAfter: [git-clone]
+    taskSpec:
+      steps:
+      - name: test
+        image: python:3.10-slim
+        script: |
+          cd $(workspaces.source.path)
+          pip install -r requirements.txt
+          pytest app/test_main.py -v
+    workspaces:
+    - name: source
+      workspace: source
+
+  # 3. 构建并推送镜像 (Kaniko)
+  - name: build-and-push
+    runAfter: [pytest]
+    taskRef:
+      name: kaniko
+    params:
+    - name: IMAGE
+      value: "registry.plfai.cn/fastapi-demo:$(params.image-tag)"
+    workspaces:
+    - name: source
+      workspace: source
+    - name: dockerconfig
+      workspace: dockerconfig
+
+  # 4. 镜像漏洞扫描
+  - name: trivy-scan
+    runAfter: [build-and-push]
+    taskSpec:
+      steps:
+      - name: scan
+        image: aquasec/trivy:latest
+        args:
+        - image
+        - --severity=HIGH,CRITICAL
+        - --exit-code=1
+        - "registry.plfai.cn/fastapi-demo:$(params.image-tag)"
+
+  # 5. 更新部署清单 (GitOps)
+  - name: gitops-update
+    runAfter: [trivy-scan]
+    taskSpec:
+      steps:
+      - name: update-image
+        image: alpine/git
+        script: |
+          git clone $(params.git-url) /workspace/repo
+          cd /workspace/repo
+          sed -i "s|image: registry.plfai.cn/fastapi-demo:.*|image: registry.plfai.cn/fastapi-demo:$(params.image-tag)|" \
+            k8s/deployment.yaml
+          git config user.email "tekton@plfai.cn"
+          git config user.name "Tekton CI"
+          git add k8s/deployment.yaml
+          git commit -m "ci: update image to $(params.image-tag) [skip ci]"
+          git push origin main

tekton/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: fastapi-ci-cache
+  namespace: tekton-ci
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi

tekton/trigger.yaml

@@ -0,0 +1,65 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+  name: fastapi-trigger-template
+  namespace: tekton-ci
+spec:
+  params:
+  - name: git-url
+  - name: git-revision
+  resourcetemplates:
+  - apiVersion: tekton.dev/v1
+    kind: PipelineRun
+    metadata:
+      generateName: fastapi-ci-run-
+      namespace: tekton-ci
+    spec:
+      pipelineRef:
+        name: fastapi-ci
+      params:
+      - name: git-url
+        value: $(tt.params.git-url)
+      - name: git-revision
+        value: $(tt.params.git-revision)
+      - name: image-tag
+        value: $(tt.params.git-revision)
+      workspaces:
+      - name: source
+        volumeClaimTemplate:
+          spec:
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 1Gi
+      - name: dockerconfig
+        secret:
+          secretName: registry-credentials
+
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerBinding
+metadata:
+  name: fastapi-trigger-binding
+  namespace: tekton-ci
+spec:
+  params:
+  - name: git-url
+    value: $(body.repository.clone_url)
+  - name: git-revision
+    value: $(body.after)
+
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+  name: fastapi-listener
+  namespace: tekton-ci
+spec:
+  serviceAccountName: tekton-triggers-sa
+  triggers:
+  - name: fastapi-push
+    bindings:
+    - ref: fastapi-trigger-binding
+    template:
+      ref: fastapi-trigger-template