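---
# Tekton Pipeline: clone -> unit test -> build/push (Kaniko) -> image scan (Trivy)
# -> GitOps manifest bump.
#
# Hardening applied in this revision:
#   * Pipeline params are no longer spliced into shell `script:` bodies via
#     `$(params.*)` text substitution. Tekton performs that substitution before
#     the shell runs, so a crafted value (e.g. one containing `;` or `$(...)`)
#     becomes shell code. Params are passed through `env:` instead and the
#     scripts reference them as ordinary shell variables.
#   * The image tag is validated against the OCI tag character set before it is
#     used in the sed expression and the commit message.
#   * Scripts declare `#!/bin/sh` + `set -eu` explicitly rather than relying on
#     the `set -e` Tekton prepends only when no shebang is present.
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: fastapi-ci
  namespace: tekton-ci
spec:
  params:
    # Repository to clone; also the repository that receives the GitOps commit.
    - name: git-url
      type: string
    # Commit/branch/tag to test and build.
    - name: git-revision
      type: string
    # Tag for the built image; must be a valid OCI tag ([A-Za-z0-9_.-]).
    - name: image-tag
      type: string
  workspaces:
    # Checked-out source tree shared by the test and build tasks.
    - name: source
    # Registry credentials (config.json) consumed by Kaniko.
    - name: dockerconfig
  tasks:
    # 1. Fetch source
    - name: git-clone
      taskRef:
        name: git-clone
      params:
        - name: url
          value: $(params.git-url)
        - name: revision
          value: $(params.git-revision)
      workspaces:
        - name: output
          workspace: source

    # 2. Unit tests
    - name: pytest
      runAfter: [git-clone]
      taskSpec:
        steps:
          - name: test
            image: python:3.10-slim
            # `$(workspaces.source.path)` is a Tekton-controlled path, not user
            # input, so inline substitution is acceptable here.
            script: |
              #!/bin/sh
              set -eu
              cd $(workspaces.source.path)
              # NOTE(security): dependencies are resolved from the index without
              # hash pinning. Once requirements.txt carries hashes, switch to
              # `pip install --require-hashes -r requirements.txt`.
              pip install -r requirements.txt
              pytest app/test_main.py -v
      workspaces:
        - name: source
          workspace: source

    # 3. Build and push image (Kaniko)
    - name: build-and-push
      runAfter: [pytest]
      taskRef:
        name: kaniko
      params:
        - name: IMAGE
          # Param is consumed as a task param, not a shell script, so
          # substitution here is not an injection vector.
          value: "registry.plfai.cn/fastapi-demo:$(params.image-tag)"
      workspaces:
        - name: source
          workspace: source
        - name: dockerconfig
          workspace: dockerconfig

    # 4. Image vulnerability scan
    # NOTE(security): the scan runs after the push, so a failing image is
    # already present in the registry; the gate only blocks the GitOps
    # rollout. If that is unacceptable, scan the Kaniko tarball before pushing.
    - name: trivy-scan
      runAfter: [build-and-push]
      taskSpec:
        steps:
          - name: scan
            # TODO(security): pin to a released version or digest; `latest` is
            # a mutable tag and changes the scanner (and its DB behaviour)
            # underneath the pipeline.
            image: aquasec/trivy:latest
            # `args:` are passed directly to the binary (no shell), so
            # `$(params.image-tag)` cannot be turned into command execution.
            # HIGH/CRITICAL findings fail the step (--exit-code=1) and stop
            # the pipeline before the manifest is updated.
            args:
              - image
              - --severity=HIGH,CRITICAL
              - --exit-code=1
              - "registry.plfai.cn/fastapi-demo:$(params.image-tag)"

    # 5. Update deployment manifest (GitOps)
    - name: gitops-update
      runAfter: [trivy-scan]
      taskSpec:
        steps:
          - name: update-image
            image: alpine/git
            # Params arrive as environment variables rather than being
            # substituted into the script text, so their content is data to
            # the shell, never code.
            env:
              - name: GIT_URL
                value: $(params.git-url)
              - name: IMAGE_TAG
                value: $(params.image-tag)
            script: |
              #!/bin/sh
              set -eu
              # Reject anything outside the OCI tag alphabet before the value
              # reaches sed (where `|` is the delimiter) or git.
              case "$IMAGE_TAG" in
                ""|*[!A-Za-z0-9_.-]*)
                  echo "refusing invalid image tag: $IMAGE_TAG" >&2
                  exit 1 ;;
              esac
              # Fresh clone of the default branch; push credentials are
              # expected to come from the git-url itself or the step's
              # environment (not shown here) - confirm before relying on it.
              git clone "$GIT_URL" /workspace/repo
              cd /workspace/repo
              sed -i "s|image: registry.plfai.cn/fastapi-demo:.*|image: registry.plfai.cn/fastapi-demo:${IMAGE_TAG}|" \
                k8s/deployment.yaml
              git config user.email "tekton@plfai.cn"
              git config user.name "Tekton CI"
              git add k8s/deployment.yaml
              # [skip ci] prevents this bump from re-triggering the pipeline.
              git commit -m "ci: update image to ${IMAGE_TAG} [skip ci]"
              git push origin main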