Alauda DevOps Pipelines Docs
  • English

    • Tekton Results

    Tekton Results is a sophisticated system that extends Tekton's capabilities by providing persistent storage, querying, and management of CI/CD execution data. This document provides a deeper exploration of how Tekton Results works, its architecture, and how to leverage its features effectively.

    TOC

    Glossary

    TermDefinition
    ResultA top-level resource that groups related Records together, representing a logical unit of work
    RecordAn individual instance of data (TaskRun, PipelineRun, Log) that belongs to a Result
    WatcherA Kubernetes controller that monitors TaskRuns and PipelineRuns and stores them in the Results database
    API ServerA gRPC/REST server that provides access to stored Results and Records
    Retention PolicyRules that determine how long data is kept in the Results database

    Why We Need Tekton Results

    The Challenge of CI/CD Data Management

    In traditional Kubernetes-based CI/CD systems like Tekton Pipelines, all execution data is stored in the Kubernetes API server's etcd database. This approach has several limitations:

    • Limited Storage Capacity: etcd is designed for storing small amounts of configuration data, not large volumes of execution history and logs
    • Resource Constraints: As CI/CD workloads accumulate, they can consume significant etcd resources, potentially affecting cluster performance
    • Data Fragmentation: Related CI/CD activities (TaskRuns, PipelineRuns) are stored as separate resources without explicit relationships
    • Log Management: Logs are typically stored in the container runtime or external logging systems, making it difficult to associate them with specific pipeline executions
    • Data Lifecycle: There's no built-in mechanism for managing the lifecycle of completed CI/CD data

    These limitations become increasingly problematic as CI/CD usage scales, leading to potential performance issues and administrative overhead.

    How Tekton Results Addresses These Challenges

    Tekton Results provides a comprehensive solution by:

    1. Offloading Data Storage: Moving completed CI/CD execution data from etcd to a dedicated database optimized for this purpose
    2. Establishing Relationships: Creating explicit relationships between related CI/CD activities through the Result/Record data model
    3. Centralizing Log Storage: Storing logs alongside their associated TaskRuns/PipelineRuns
    4. Providing Data Lifecycle Management: Implementing retention policies to automatically manage data over time
    5. Enabling Advanced Querying: Offering powerful filtering and querying capabilities beyond what's possible with the Kubernetes API

    Advantages

    • Improved Cluster Performance: Reduces load on the Kubernetes API server and etcd by offloading completed CI/CD data
    • Enhanced Data Organization: Groups related CI/CD activities together for better visibility and management
    • Longer Data Retention: Enables long-term storage of execution history without impacting cluster resources
    • Powerful Querying: Provides advanced filtering and search capabilities for CI/CD data
    • Integrated Log Management: Stores logs alongside execution data for comprehensive pipeline history
    • Automated Cleanup: Manages data lifecycle through configurable retention policies

    Applicable Scenarios

    Tekton Results is particularly valuable in the following scenarios:

    1. High-Volume CI/CD Environments: Organizations running numerous pipelines that generate substantial execution data
    2. Compliance Requirements: Environments that need to maintain execution history for audit or compliance purposes
    3. Resource-Constrained Clusters: Clusters where etcd resources are limited and need to be optimized
    4. Advanced Analytics: Teams that want to perform analysis and reporting on CI/CD execution patterns
    5. Multi-Team Environments: Organizations where multiple teams share Tekton infrastructure and need isolated views of their CI/CD data

    Architecture and Principles

    Tekton Results follows a microservices architecture with three main components that work together to provide a complete solution:

    API Server Architecture

    The API Server is the central component that:

    1. Provides Data Access: Exposes gRPC and REST endpoints for storing and retrieving Results and Records
    2. Manages Authentication: Uses Kubernetes-style authentication (service accounts, tokens)
    3. Enforces Authorization: Implements RBAC-based access control for Results resources
    4. Handles Data Persistence: Interfaces with the underlying database (PostgreSQL)
    5. Supports Filtering: Implements CEL (Common Expression Language) for powerful query filtering

    The API Server uses a parent-child hierarchy where:

    • Namespaces/workspaces are parents of Results
    • Results are parents of Records
    • Records contain the actual execution data

    Watcher Architecture

    The Watcher operates as a Kubernetes controller that:

    1. Monitors Resources: Listens for TaskRun and PipelineRun events in the cluster
    2. Determines Grouping: Uses annotations, labels, and owner references to group related resources
    3. Creates/Updates Records: Stores execution data in the Results database via the API Server
    4. Annotates Resources: Adds Result identifiers to the original Kubernetes resources
    5. Manages Deletion: Optionally deletes completed resources after they're stored in the database

    The Watcher uses several strategies to group related resources:

    • results.tekton.dev/result annotation
    • triggers.tekton.dev/triggers-eventid label
    • Owner references to PipelineRuns
    • Automatic generation of new Result names when no grouping information is found

    Retention Policy Agent Architecture

    The Retention Policy Agent is responsible for:

    1. Scheduling Cleanup: Running pruning jobs according to a configured schedule
    2. Enforcing Retention: Removing data that exceeds the configured retention period
    3. Managing Database Size: Preventing unbounded growth of the Results database

    Data Model In-Depth

    Result Structure

    A Result contains:

    Result
├── metadata
│   ├── name
│   ├── uid
│   ├── createTime
│   ├── updateTime
│   └── annotations (key-value pairs)
└── summary
    ├── type (e.g., PIPELINE_RUN, TASK_RUN)
    ├── status (SUCCESS, FAILURE, TIMEOUT, CANCELLED, UNKNOWN)
    ├── startTime
    ├── endTime
    └── annotations (key-value pairs)

    Record Structure

    A Record contains:

    Record
├── name
├── data
│   ├── type (e.g., tekton.dev/v1.TaskRun, tekton.dev/v1.PipelineRun, results.tekton.dev/v1alpha3.Log)
│   └── value (serialized data)
└── createTime

    Authentication and Authorization

    Tekton Results uses Kubernetes-style authentication and RBAC for access control:

    1. Authentication: Uses service account tokens, user impersonation, and other Kubernetes authentication methods
    2. Authorization: Implements RBAC with resources (results, records) and verbs (get, list, create, update, delete)
    3. Namespace Isolation: Scopes permissions per namespace for multi-tenant environments

    Example RBAC roles:

    • tekton-results-readonly: Read-only access to Results and Records
    • tekton-results-readwrite: Read and write access to Results and Records
    • tekton-results-admin: Full access including deletion of Results and Records

    Advanced Filtering

    Tekton Results uses CEL (Common Expression Language) for powerful filtering capabilities:

    # Filter by Result status
results.tekton.dev/v1alpha2/parents/default/results?filter=summary.status==SUCCESS

# Filter by creation time
results.tekton.dev/v1alpha2/parents/default/results?filter=create_time>timestamp('2023-01-01T00:00:00Z')

# Filter Records by data type
results.tekton.dev/v1alpha2/parents/default/results/123/records?filter=data_type=='tekton.dev/v1.TaskRun'

# Complex filtering with logical operators
results.tekton.dev/v1alpha2/parents/default/results?filter=summary.status==SUCCESS&&create_time>timestamp('2023-01-01T00:00:00Z')

    Important Parameters

    Watcher Parameters

    ParameterDescriptionDefaultUsage
    completed_run_grace_periodHow long to wait after completion before deleting resources0 (no deletion)Set to a duration (e.g., 24h) to enable automatic deletion
    check_ownerWhether to check for owner references before deletionfalseSet to true to prevent deletion of resources with owner references
    store_deadlineMaximum time to wait for storing a resource10mIncrease for large resources or slow database connections

    API Server Parameters

    ParameterDescriptionDefaultUsage
    AUTH_IMPERSONATEEnable user impersonationfalseSet to true to allow service accounts to impersonate users
    page_sizeMaximum number of results per page100Adjust based on query performance and client needs

    Retention Policy Parameters

    ParameterDescriptionDefaultUsage
    runAtWhen to run the retention policy job0 0 * * * (daily)Cron expression for scheduling cleanup
    maxRetentionMaximum time to keep data720h (30 days)Duration to retain data before deletion

    References