
With CI

Once you’ve bought into container-based development, you’ll want to set up CI to ensure your servers don’t break.

The Tilt team has this problem too! For every change, we create a real single-use cluster and verify that all our services and example projects still work. So we have a lot of experience with best practices.

There are two things you’ll need to configure:

1) How to use tilt ci to build and deploy servers.

2) How to run a Kubernetes cluster in CI that tilt ci can deploy to.

Let’s dig into examples of each one.

The tilt ci command

The tilt ci command is made for CI jobs.

How it Works

Under the hood, tilt ci:

1) Executes your Tiltfile.

2) Runs all local_resource commands.

3) Builds all images.

4) Deploys all Kubernetes resources.

5) Waits until all servers and other resources are healthy.

tilt ci defaults to log-streaming mode. The web UI is still accessible, but the terminal will be a simple log stream.

If any step fails, Tilt will exit immediately with an error code.

If any resource crashes or looks like it will never succeed (e.g., a pod that takes too long to schedule), Tilt will also exit with an error code.

Once all services are healthy, it will exit with status code 0.
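
For example, a CI step might boil down to a single command (a minimal sketch, assuming kubectl is already pointed at the CI cluster):

    # Build, deploy, and wait on every resource; exits non-zero on any failure.
    # --timeout caps how long tilt ci waits for resources to become healthy.
    tilt ci --timeout 10m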


Most of our example projects use CircleCI to run tilt ci.

Each example invokes ctlptl to set up a single-use cluster. But the ctlptl tool has many options for setting up clusters, depending on what you need.
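
Here’s a rough sketch of what that setup looks like (ctlptl-registry and port 5005 are just the values our examples use; pick any names you like):

    # Create a local registry, then a kind cluster configured to push and
    # pull images through it.
    ctlptl create registry ctlptl-registry --port=5005
    ctlptl create cluster kind --registry=ctlptl-registry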

Single-use Kubernetes clusters

Running a Kubernetes cluster in CI can be harder than running one locally.

Here are some options, with the pros and cons of each:

Easiest: Cluster on VM-based CI

kind is currently the gold standard for running Kubernetes in CI. The Kubernetes project itself uses it for testing. kind can create clusters inside Docker.

kind supports running a local image registry alongside the cluster, so you can push images to the registry on localhost:5000 and pull them from inside kind.

Set up a CI pipeline that:

  1. Creates a VM.

  2. Installs all your dependencies, including Docker.

  3. Creates a kind cluster with a local registry at localhost:5000, using the script from the kind docs (sketched below).
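
Condensed, step 3 looks roughly like this (a sketch; the script in the kind local-registry guide also wires the registry into the cluster’s containerd config, which we omit here):

    # Run a registry container on localhost:5000.
    docker run -d --restart=always -p "127.0.0.1:5000:5000" --name kind-registry registry:2

    # Create the cluster. The real script also patches containerd so that
    # nodes can pull images from localhost:5000.
    kind create cluster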

This is the approach we use to test ctlptl with both minikube and kind. Here’s the CI config.

Tilt will auto-detect that the registry is running on localhost:5000 and push images there instead of your prod image registry.

The downside is that most teams are more comfortable managing container images than managing VMs: VMs are slower, and upgrading their dependencies is more heavyweight.

Harder: Cluster on Container-based CI

Many CI environments offer a remote Docker environment outside the container. You can run test code in a container that talks to that remote Docker daemon, without the pitfalls of running Docker inside Docker.

Set up a CI pipeline that:

  1. Creates a container with your code.

  2. Creates a remote Docker environment.

  3. Starts a kind cluster with a local registry inside the remote Docker environment.

  4. Uses socat to expose the remote registry and Kubernetes cluster to the local container.

The socat step makes this a bit tricky.

The Tilt team maintains ctlptl, a CLI for declaratively setting up local Kubernetes clusters. If you’re using ctlptl, it detects when you have a remote Docker environment and sets up the socat forwarding automatically.

If you want to wire it up yourself, check out this Bash script.
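
The core trick looks something like this (a rough sketch of the idea, not the exact script; alpine/socat is a public image that runs socat in a container):

    # Listen on a local port, and tunnel each connection through the remote
    # Docker daemon to the registry published on the remote host.
    socat TCP-LISTEN:5000,reuseaddr,fork \
      EXEC:'docker run --rm -i --network=host alpine/socat STDIO TCP\:localhost\:5000'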

Hardest: Remote Image Registries

You may already have a container image registry that you prefer for development, like Quay.io or Google Container Registry.

If you want to use this registry in CI, you need to set up permissions so that your CI job can write to this registry.

  1. Create a dedicated image registry for CI.

  2. Create a service account or access token, and store its credentials as a secret in your CI build (see the sketch after this list).

  3. Use kind to create the cluster.
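
For step 2, the login piece might look like this (a sketch; CI_REGISTRY_USER and CI_REGISTRY_PASSWORD are placeholder secret names, and quay.io stands in for your registry):

    # Authenticate Docker against the dedicated CI registry using secrets
    # injected by your CI system.
    echo "$CI_REGISTRY_PASSWORD" | docker login --username "$CI_REGISTRY_USER" --password-stdin quay.io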

This is an approach a lot of teams try. We usually don’t recommend it. The downsides:

  • Managing secrets and permissions for the remote registry can be a pain. You’ll want to set it up so that anyone who can send a pull request to your repository can also write to the remote registry. This may look different depending on your org structure.

  • It’s hard to guarantee that images aren’t leaking between tests. For example, if an image push fails, you’ll want to be sure you’re not picking up a cached image from a previous test. One solution is to reset the whole registry at regular intervals.

But it might be the best option if you can’t easily change where your tools push and pull images.

