Mastering Tekton: Build a Java CI/CD Pipeline on Kubernetes
This guide explains what Tekton is, outlines its core CRDs, shows how to deploy it on a Kubernetes cluster, and provides a step‑by‑step example that builds, containerizes, and deploys a Spring Boot application using Maven, Docker, and Tekton pipelines.
What is Tekton?
Tekton is an open‑source, Kubernetes‑native CI/CD system originally derived from the Knative build‑pipeline project. It provides a set of Custom Resource Definitions (CRDs) that let you describe pipelines, tasks, and resources directly in Kubernetes, enabling fully containerized build and delivery workflows.
Key CRDs
Task: Defines a reusable build step template consisting of one or more container steps.
TaskRun: Instantiates a Task for a concrete execution.
Pipeline: Composes multiple Tasks and PipelineResources into an ordered workflow.
PipelineRun: Executes a Pipeline instance.
PipelineResource: Represents external inputs (e.g., a Git repository) or outputs (e.g., a Docker image).
Deploying Tekton
Tekton can be installed by applying the official YAML manifests with kubectl create -f <manifest.yaml>. In regions where the default gcr.io images are inaccessible, replace the image references in the YAML with a reachable registry before applying.
# kubectl -n tekton-pipelines get deploy
NAME                          READY   UP-TO-DATE   AVAILABLE   AGE
tekton-pipelines-controller   1/1     1            1           10d
tekton-pipelines-webhook      1/1     1            1           10d

The controller watches CRD events and runs the CI/CD logic, while the webhook validates CRD fields using Kubernetes admission webhooks.
Building a Java Application with Tekton
This example builds a Spring Boot project named ncs into a Docker image and pushes it to a registry.
1. Add a Dockerfile
FROM hub.c.163.com/qingzhou/tomcat:7-oracle-jdk-rev4
ENV TZ=Asia/Shanghai LANG=C.UTF-8 LANGUAGE=C.UTF-8 LC_ALL=C.UTF-8
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
WORKDIR /usr/local/tomcat
RUN rm -rf webapps/*
COPY setenv.sh $CATALINA_HOME/bin/
COPY ./target/*.war webapps/
ENTRYPOINT ["catalina.sh", "run"]

The Dockerfile uses a Tomcat base image, copies the built WAR file, and runs catalina.sh. An auxiliary setenv.sh script can set JVM options before Tomcat starts.
2. Define a PipelineResource for the Git source
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: ncs-git-source
spec:
  type: git
  params:
    - name: url
      value: https://github.com/ethfoo/test.git
    - name: revision
      value: master

This resource tells Tekton where to fetch the source code; Tekton automatically clones the repository without needing explicit git steps.
3. Create a Task for Maven build
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: ncs
spec:
  inputs:
    resources:
      - name: gitssh
        type: git
    params:
      - name: directory
        description: The directory containing the build context.
        default: /workspace/ncs-git-source
  steps:
    - name: maven-install
      image: maven:3.5.0-jdk-8-alpine
      workingDir: "${inputs.params.directory}"
      args: ["mvn", "clean", "install", "-D", "maven.test.skip=true"]
      volumeMounts:
        # The m2 volume must also be declared under spec.volumes (not shown here).
        - name: m2
          mountPath: /root/.m2

The task runs Maven inside a container, mounting a persistent /root/.m2 volume to cache dependencies across builds.
4. Set up ServiceAccount and Secret for private Git access
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nce-qingzhou
  namespace: tekton-test
secrets:
  - name: ncs-git-ssh
---
apiVersion: v1
kind: Secret
metadata:
  name: ncs-git-ssh
  namespace: tekton-test
  annotations:
    tekton.dev/git-0: g.hz.netease.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: LS0tLS1CRUd...
  known_hosts: W2cuaHoub...

The ServiceAccount references the SSH secret, allowing Tekton to clone private repositories securely. The tekton.dev/git-0 annotation names the Git host the key is used for, and both data values are base64-encoded.
5. Define a Task for Docker build and push (using Docker‑outside‑of‑Docker)
spec:
  inputs:
    params:
      - name: image
        description: docker image
  steps:
    - name: dockerfile-build
      image: docker:git
      workingDir: "${inputs.params.directory}"
      args: ["build", "--tag", "${inputs.params.image}", "."]
      volumeMounts:
        - name: docker-socket
          mountPath: /var/run/docker.sock
    - name: dockerfile-push
      image: docker:git
      args: ["push", "${inputs.params.image}"]
      volumeMounts:
        - name: docker-socket
          mountPath: /var/run/docker.sock
  volumes:
    - name: docker-socket
      hostPath:
        path: /var/run/docker.sock
        type: Socket

This task builds the image with docker build and pushes it using the host’s Docker daemon, avoiding the complexity of Docker‑in‑Docker. Every step that mounts the socket can control the node's Docker daemon, so treat this Task as privileged and limit who can create TaskRuns for it.
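To find Tasks that mount host paths the way the Docker build Task above does, the following added example (not code from the original article or the Tekton project) audits the JSON form of a Task, as `kubectl get task -o json` returns it, and reports each step that mounts a hostPath volume. The sample Task, the `audit_task` name and the `example-m2-cache` claim name are constructed for illustration.

```python
import json

# Constructed sample: the article's Task in the JSON layout kubectl returns,
# trimmed to the fields the audit reads. The PVC claim name is a placeholder.
SAMPLE_TASK = json.loads("""
{
  "kind": "Task",
  "metadata": {"name": "ncs", "namespace": "tekton-test"},
  "spec": {
    "steps": [
      {"name": "maven-install", "image": "maven:3.5.0-jdk-8-alpine",
       "volumeMounts": [{"name": "m2", "mountPath": "/root/.m2"}]},
      {"name": "dockerfile-build", "image": "docker:git",
       "volumeMounts": [{"name": "docker-socket", "mountPath": "/var/run/docker.sock"}]},
      {"name": "dockerfile-push", "image": "docker:git",
       "volumeMounts": [{"name": "docker-socket", "mountPath": "/var/run/docker.sock"}]}
    ],
    "volumes": [
      {"name": "docker-socket",
       "hostPath": {"path": "/var/run/docker.sock", "type": "Socket"}},
      {"name": "m2", "persistentVolumeClaim": {"claimName": "example-m2-cache"}}
    ]
  }
}
""")

RUNTIME_SOCKETS = ("docker.sock", "containerd.sock", "crio.sock")

def audit_task(task):
    """Return (step, volume, host_path, reason) for every hostPath mount."""
    spec = task.get("spec", {})
    host_vols = {v["name"]: v["hostPath"].get("path", "")
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for step in spec.get("steps", []):
        for m in step.get("volumeMounts", []):
            path = host_vols.get(m.get("name"))
            if path is None:
                continue  # not a hostPath volume (PVC, emptyDir, ...)
            is_sock = path.rstrip("/").endswith(RUNTIME_SOCKETS)
            reason = "container-runtime-socket" if is_sock else "hostPath"
            findings.append((step.get("name"), m["name"], path, reason))
    return findings

if __name__ == "__main__":
    for f in audit_task(SAMPLE_TASK):
        print("%s: step %r mounts volume %r -> %s (%s)" % (
            SAMPLE_TASK["metadata"]["name"], *f))
```

The Maven step's cache volume is not reported because it is backed by a PersistentVolumeClaim rather than a host path.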
6. Run the pipeline
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  generateName: ncs-
spec:
  inputs:
    resources:
      - name: gitssh
        resourceRef:
          name: ncs-git-source
  serviceAccount: nce-qingzhou
  taskRef:
    name: ncs

The TaskRun creates a one‑time execution of the defined Task, pulling the source, compiling with Maven, building the Docker image, and pushing it to the registry.
Beyond the Basics
Tekton’s higher‑level CRDs, Pipeline and PipelineRun, let you chain multiple Tasks (e.g., testing, deployment) into a full CI/CD workflow. By reusing Tasks across Pipelines, you achieve modular, maintainable automation that scales with your Kubernetes environment.
