kaniko is a container image build tool.
This article walks through fetching a Dockerfile from GitHub, building the image with kaniko, and finally pushing it to a registry.
The task versions used in this article:
https://github.com/tektoncd/catalog/tree/main/task/kaniko/0.6
https://github.com/tektoncd/catalog/tree/main/task/git-clone/0.8
Preparation
- Install Tekton and the dashboard
Follow this tutorial for the exact steps: https://tekton.dev/docs/dashboard/tutorial/
- Install the catalog tasks (git-clone and kaniko)
```shell
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.8/git-clone.yaml
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/kaniko.yaml
```
Setting up the workspace
To give the pipeline a place to keep intermediate results that successive tasks can share, a workspace is needed.
Behind the scenes a workspace is backed by a PVC.
Create the PVC for the workspace:
```yaml
# https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/tests/resources.yaml
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kaniko-source-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
```
PipelineRun
Now for the main part.
```yaml
# https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/tests/run.yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: kaniko-test-pipeline-run
spec:
  pipelineRef:
    name: kaniko-test-pipeline
  params:
    - name: image
      value: localhost:5000/kaniko-nocode
  workspaces:
    - name: shared-workspace
      persistentvolumeclaim:
        claimName: kaniko-source-pvc
```
Two things to note here:
- image is the URL the built image is finally pushed to
- the workspaces entry binds the PVC created above
Pipeline
For brevity, only part of the configuration file is covered.
For the complete file see https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/tests/run.yaml
git-clone
[1] The first change is needed because git-clone 0.8 introduced a breaking change: the repository is now cloned as a nonroot user.
Note: The git-clone Task is run as nonroot. The files cloned on to the output workspace will end up owned by user 65532.
So a securityContext has to be added to match that user.
[2] The second change points the image push at the in-cluster registry.
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
@@ -81,9 +81,12 @@
spec:
pipelineRef:
name: kaniko-test-pipeline
+ podTemplate: [1]
+ securityContext:
+ fsGroup: 65532
params:
- name: image
- value: localhost:5000/kaniko-nocode [2]
+ value: docker-registry:5000/kaniko-nocode
workspaces:
- name: shared-workspace
persistentvolumeclaim:
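Review bot: the `[1]` and `[2]` markers sit inside the YAML lines (`+ podTemplate: [1]` and `- value: localhost:5000/kaniko-nocode [2]`), so anyone copying the hunk gets `podTemplate: [1]` parsed as a flow sequence instead of a mapping; keep the markers in the prose. The `fsGroup: 65532` addition itself is the right fix for the nonroot git-clone, because it makes the shared PVC group-writable for the clone's uid without running kaniko as root. The switch to `docker-registry:5000` targets a plain-HTTP, unauthenticated endpoint, which is why the kaniko step later needs `--insecure`; that coupling deserves a comment next to the value so the flag is not carried over to other registries.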
For full details see https://github.com/tektoncd/catalog/tree/main/task/git-clone/0.8
kaniko
If the local registry only speaks plain HTTP, the --insecure parameter must be set. Together with --skip-tls-verify (which disables certificate checking) this should stay limited to the cluster-internal registry and be dropped when pushing to a real registry.
```yaml
- name: kaniko
  taskRef:
    name: kaniko
  runAfter:
    - fetch-repository
  workspaces:
    - name: source
      workspace: shared-workspace
  params:
    - name: IMAGE
      value: $(params.image)
    - name: EXTRA_ARGS
      value:
        - --skip-tls-verify
        - --insecure
```
Test run
Deploy the YAML:
```console
# kubectl apply -f run.yaml
pipeline.tekton.dev/kaniko-test-pipeline created
pipelinerun.tekton.dev/kaniko-test-pipeline-run created
```
Connect to the internal docker-registry
Check whether the image was pushed to the registry successfully; here you can see that kaniko-nocode has been uploaded:
```console
# curl -X GET http://localhost:5000/v2/_catalog
{"repositories":["kaniko-nocode","nginx"]}
```
Supporting the Docker Hub registry
That completes a simple push to an internal registry with no password and no TLS. A production registry will of course require HTTPS, an account and a password.
Docker Hub is used as the example below.
Storing the Docker credentials
- Log in manually with docker login to generate /root/.docker/config.json
- Convert config.json into a secret
- Add a dockerconfig-ws workspace to the PipelineRun
apiVersion: tekton.dev/v1beta1 kind: PipelineRun metadata: @@ -81,10 +84,16 @@ workspaces: - name: shared-workspace persistentvolumeclaim: claimName: kaniko-source-pvc + - name: dockerconfig-ws + secret: + secretName: dockerhub-secret
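Review bot: the hunk binds `dockerconfig-ws` to `secretName: dockerhub-secret` but nothing shows how that secret is built; since the kaniko task mounts this workspace at `/kaniko/.docker`, the secret needs a key named `config.json` holding the file produced by `docker login`, and the Pipeline must also declare a `dockerconfig-ws` workspace or the run is rejected. This secret carries the Docker Hub credential, so keep it in the pipeline's namespace only and restrict who can read secrets there.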
- Change the image push URL [1]
apiVersion: tekton.dev/v1beta1 kind: PipelineRun metadata: @@ -81,9 +81,12 @@ params: - name: image - value: docker-registry:5000/kaniko-nocode + value: docker.io/massivezh/kaniko-nocode [1]
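Review bot: the `[1]` marker is inside the value line (`+ value: docker.io/massivezh/kaniko-nocode [1]`), which turns the image reference into `docker.io/massivezh/kaniko-nocode [1]` if pasted; keep annotations in the surrounding text. The reference also has no tag, so every run pushes `:latest`; pin an explicit tag (the git revision is a natural choice) so each build produces a distinct, traceable image. The hunk header `@@ -81,9 +81,12 @@` repeats the earlier hunk's line counts although only one line changes here.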
- Declare the new dockerconfig-ws workspace at the top of the Pipeline
```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: kaniko-test-pipeline
spec:
  workspaces:
    - name: shared-workspace
    - name: dockerconfig-ws
      optional: true
```
- In the kaniko task, bind the dockerconfig entry to the dockerconfig-ws workspace
```yaml
- name: kaniko
  taskRef:
    name: kaniko
  runAfter:
    - fetch-repository
  workspaces:
    - name: source
      workspace: shared-workspace
    - name: dockerconfig
      workspace: dockerconfig-ws
```
For how dockerconfig is used, see the documentation at https://github.com/tektoncd/catalog/tree/main/task/kaniko/0.6
The implementation is here: https://github.com/tektoncd/catalog/blob/main/task/kaniko/0.6/kaniko.yaml
You can see that the workspace is mounted at a fixed mountPath, the directory where kaniko looks for its config.json; for the other types a workspace supports, see the workspaces documentation.
```yaml
workspaces:
  - name: source
    description: Holds the context and Dockerfile
  - name: dockerconfig
    description: Includes a docker `config.json`
    optional: true
    mountPath: /kaniko/.docker
```
- Turn TLS verification back on by removing --skip-tls-verify from EXTRA_ARGS; the entry to delete is:
```yaml
- name: EXTRA_ARGS
  value:
    - --skip-tls-verify
```
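The two steps the walkthrough leaves implicit, turning the docker login config.json into the dockerhub-secret that the dockerconfig-ws workspace mounts, and deciding when the kaniko EXTRA_ARGS may keep --insecure and --skip-tls-verify, as one added shell script. This is example code written for this page, not part of the original post or the Tekton catalog. The secret name dockerhub-secret, the registry names localhost:5000 and docker-registry:5000, and the /kaniko/.docker mount path come from the page; the list of registries allowed to skip TLS is an assumption of this script and should be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the original post or the Tekton catalog).
#   make_dockerconfig_secret NAME FILE  prints the Secret manifest that the
#       dockerconfig-ws workspace mounts as /kaniko/.docker/config.json
#   kaniko_extra_args IMAGE             prints the EXTRA_ARGS acceptable for
#       the registry the image is pushed to (empty for Docker Hub)

# Print a generic Secret whose single key is config.json. The kaniko task
# mounts the workspace at /kaniko/.docker, so the key must be named exactly
# config.json for kaniko to find the credentials. The data field is only
# base64, not encryption: namespace RBAC is what protects this credential.
make_dockerconfig_secret() {
  name=$1
  cfg=$2
  if [ ! -s "$cfg" ]; then
    echo "make_dockerconfig_secret: $cfg is missing or empty" >&2
    return 1
  fi
  # A config.json that delegates to a credential helper holds no credentials
  # itself; the kaniko pod has no helper binary, so the push would fail.
  if grep -q '"credsStore"' "$cfg"; then
    echo "make_dockerconfig_secret: $cfg uses credsStore; log in with a plain config" >&2
    return 1
  fi
  b64=$(base64 < "$cfg" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  config.json: %s\n' \
    "$name" "$b64"
}

# Registries reachable only over plain HTTP or with a self-signed certificate.
# Assumption of this script: everything else, Docker Hub included, must keep
# TLS verification and must not receive --insecure.
INSECURE_REGISTRIES="localhost:5000 docker-registry:5000"

# Print the EXTRA_ARGS for kaniko given the image reference.
kaniko_extra_args() {
  image=$1
  registry=${image%%/*}   # text before the first slash is the registry host
  for r in $INSECURE_REGISTRIES; do
    if [ "$registry" = "$r" ]; then
      echo "--insecure --skip-tls-verify"
      return 0
    fi
  done
  echo ""
}

# Usage from a workstation that has already run docker login:
#   make_dockerconfig_secret dockerhub-secret "$HOME/.docker/config.json" | kubectl apply -f -
#   kaniko_extra_args docker-registry:5000/kaniko-nocode   # --insecure --skip-tls-verify
#   kaniko_extra_args docker.io/massivezh/kaniko-nocode    # prints nothing
```

Pipe the manifest into kubectl apply -f - rather than committing it, since it contains the encoded Docker Hub credential. For the in-cluster registry the args function reproduces the flags from the kaniko section; for docker.io it prints nothing, which is the configuration the last step above reaches by removing --skip-tls-verify.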
Verifying the result
Finally, check the run result in the dashboard.
Logging in to Docker Hub shows that the image was pushed successfully.