Tekton 构建容器镜像

Tekton 构建容器镜像

介绍如何使用 Tektonhub 官方 kaniko task 构建docker镜像,并推送到远程dockerhub镜像仓库。

kaniko task yaml文件下载地址:https://hub.tekton.dev/tekton/task/kaniko

查看kaniko task yaml内容:

点击Install,选择一种方式创建 task

这里使用kubectl命令创建官方kaniko task

bash 复制代码
kubectl apply -f \
https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/kaniko.yaml

在执行镜像构建前Dockerfile存放在git仓库中,需要将代码克隆到本地,因此也需要安装git-clone task,安装方式类似。

bash 复制代码
kubectl apply -f \
https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml

查看创建的task

bash 复制代码
$ kubectl get task
NAME             AGE
git-clone        25h
kaniko           13h

Task创建后,可以通过taskRunpipelineRun进行调用。

配置dockerhub认证

镜像构建完成后自动推送到dockerhub,需要为dockerhub配置认证信息。

安装jq工具

bash 复制代码
apt install -y jq

生成config.json,替换docker-usernamedocker-password为您的值。

bash 复制代码
kubectl create secret docker-registry dockerhub \
--docker-server=https://index.docker.io/v1/ \
--docker-username=<your-docker-username> \
--docker-password=<your-docker-password> \
--dry-run=client -o json | jq -r '.data.".dockerconfigjson"' | base64 -d > /tmp/config.json

基于config.json创建secret

bash 复制代码
kubectl create secret generic docker-config --from-file=/tmp/config.json

创建serviceaccount,绑定到secret

bash 复制代码
$ cat serviceaccount.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: docker-config

应用yaml文件

bash 复制代码
kubectl apply -f serviceaccount.yaml 

创建pipeline和pipelinerun

官方示例pipeline:https://github.com/tektoncd/catalog/blob/main/task/kaniko/0.6/tests/run.yaml

该pipeline 首先运行git clone task,从https://github.com/kelseyhightower/nocode.git 克隆代码,然后运行kaniko task 基于根目录的Dockerfile文件构建镜像,并推送到dockerhub。

yaml 复制代码
$ cat kaniko-run.yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: kaniko-test-pipeline
spec:
  workspaces:
  - name: shared-workspace
  - name: docker-config
  params:
  - name: repo-url
    type: string
    description: The git repository URL to clone from.
  - name: branch-name
    type: string
    description: The git branch to clone.
  - name: gitInitImage
    type: string
    description: The gitInitImage params.
  - name: httpProxy
    type: string
    description: The httpProxy params.
  - name: httpsProxy
    type: string
  - name: dockerfile
    type: string
    description: reference of the image to build
  - name: builder-image
    type: string
    description: reference of the image to build
  - name: image
    type: string
    description: reference of the image to build
  tasks:
  - name: fetch-repository
    taskRef:
      name: git-clone
    workspaces:
    - name: output
      workspace: shared-workspace
    params:
    - name: url
      value: $(params.repo-url)
    - name: revision
      value: $(params.branch-name)
    - name: gitInitImage
      value: $(params.gitInitImage)
    - name: httpProxy
      value: $(params.httpProxy)
    - name: httpsProxy
      value: $(params.httpsProxy)
  - name: kaniko
    taskRef:
      name: kaniko
    runAfter:
    - fetch-repository
    workspaces:
    - name: source
      workspace: shared-workspace
    - name: dockerconfig
      workspace: docker-config
    params:
    - name: DOCKERFILE
      value: $(params.dockerfile)
    - name: IMAGE
      value: $(params.image)
    - name: BUILDER_IMAGE
      value: $(params.builder-image)
  - name: verify-digest
    runAfter:
    - kaniko
    params:
    - name: digest
      value: $(tasks.kaniko.results.IMAGE_DIGEST)
    taskSpec:
      params:
      - name: digest
      steps:
      - name: bash
        image: ubuntu
        script: |
          echo $(params.digest)
          case .$(params.digest) in
            ".sha"*) exit 0 ;;
            *)       echo "Digest value is not correct" && exit 1 ;;
          esac
  - name: verify-url
    runAfter:
    - kaniko
    params:
    - name: url
      value: $(tasks.kaniko.results.IMAGE_URL)
    taskSpec:
      params:
      - name: url
      steps:
      - name: bash
        image: ubuntu
        script: |
          echo $(params.url)
          case .$(params.url) in
            *"/kaniko-nocode") exit 0 ;;
            *)       echo "URL value is not correct" && exit 1 ;;
          esac
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: kaniko-test-pipeline-run-
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: kaniko-test-pipeline
  params:
  - name: repo-url
    value: https://github.com/kelseyhightower/nocode.git
  - name: branch-name
    value: master
  - name: gitInitImage
    #value: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:latest
    value: dyrnq/tektoncd-pipeline-cmd-git-init:latest
  - name: httpProxy
    value: http://192.168.72.1:7890/
  - name: httpsProxy
    value: http://192.168.72.1:7890/
  - name: dockerfile
    value: ./Dockerfile
  - name: image
    value: docker.io/willdockerhub/kaniko-nocode
  - name: builder-image
    # value: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
    value: docker.io/bitnami/kaniko:latest
  workspaces:
  - name: shared-workspace
    volumeClaimTemplate:
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
  - name: docker-config
    secret:
      secretName: docker-config

参数说明:

  • gitInitImage:执行git clone任务的镜像,官方镜像无法访问,推荐在docekrhub中查找替代镜像
  • builder-image:执行kaniko 构建任务的镜像,官方镜像无法访问,推荐在docekrhub中查找替代镜像
  • serviceAccountName:指定serviceAccountName用于认证
  • shared-workspace:用于在不同任务之间共享数据,PipelineRun中定义了volumeClaimTemplate类型的workspaces,能够动态申请所需的持久卷,使用kubectl get storageclass命令,确认k8s集群有默认可用的storageclass资源可用,本示例输出为openebs-hostpath (default)
  • docker-config workspace:用于dockerhub认证的secret卷,将secret中的config.json挂载到/kaniko/.docker

应用yaml文件

bash 复制代码
kubectl create -f kaniko-run.yaml

查看pipelinerun执行结果

查看镜像构建结果

相关推荐
kaixin_learn_qt_ing9 小时前
Bazel CI
ci/cd
创实信息3 天前
GitHub企业版:AWS CodeCommit迁移的最佳路径与技术优势
git·ci/cd·github·aws·github企业版·aws codecommit
Web项目开发3 天前
GoCD 持续集成和部署工具配置指南(CentOS 7)
linux·ci/cd·centos
魔幻云3 天前
第八章:持续集成管理
ci/cd
编码浪子4 天前
devops和ICCID简介
运维·ci/cd·docker·devops
vvw&4 天前
如何在 Ubuntu 22.04 服务器上安装 Jenkins
linux·运维·服务器·ubuntu·ci/cd·自动化·jenkins
优质&青年4 天前
【故障处理系列--gitlab的CI流水线下载安装包提示报错】
linux·运维·ci/cd·云原生·容器·gitlab
明明跟你说过4 天前
在Rocky Linux中安装【Jenkins】的详细指南
linux·运维·服务器·ci/cd·jenkins·devops
Anna_Tong4 天前
探索 CI/CD 工具的力量
ci/cd·开源·jenkins·开源软件·devops
虹科网络安全5 天前
艾体宝案例丨CircleCI 助力 ANA Systems 打造高效 CI/CD 模型
自动化测试·ci/cd·持续集成·saas平台·circleci