Migrate Kaniko Task off ImageDigestExporter

This commit migrates the pipelinerun examples that utilizes the old kaniko task to build, push images and write digests off the ImageDigestExporter. It changes to use the latest copied in Kaniko Task from Catalog. The image built from https://github.com/GoogleContainerTools/skaffold repo has also been changed correspondingly since the old Dockerfile is no longer compatible with the latest Kaniko Task.
Yongxuanzhang · Feb 13, 2023 · 8407669 · 8407669
1 parent d4242ed
commit 8407669
Show file tree

Hide file tree

Showing 3 changed files with 206 additions and 531 deletions.
diff --git a/examples/v1/pipelineruns/pipelinerun.yaml b/examples/v1/pipelineruns/pipelinerun.yaml
@@ -14,28 +14,6 @@ roleRef:
   name: cluster-admin
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: tekton.dev/v1
-kind: Task
-metadata:
-  name: "unit.tests"
-spec:
-  workspaces:
-  - name: source
-    mountPath: /workspace/source/go/src/github.com/GoogleContainerTools/skaffold
-  steps:
-  - name: run-tests
-    image: golang
-    env:
-    - name: GOPATH
-      value: /workspace/go
-    workingDir: $(workspaces.source.path)
-    script: |
-      # The intention behind this example Task is to run unit test, however we
-      # currently do nothing to ensure that a unit test issue doesn't cause this example
-      # to fail unnecessarily. In the future we could re-introduce the unit tests (since
-      # we are now pinning the version of Skaffold we pull) or use Tekton Pipelines unit tests.
-      echo "pass"
----
 # Copied from https://github.com/tektoncd/catalog/blob/v1/git/git-clone.yaml
 # With a few fixes being ported over in https://github.com/tektoncd/catalog/pull/290
 # Post #1839 we can refer to the remote Task in a registry or post #2298 in git directly
@@ -119,113 +97,78 @@ spec:
       # Make sure we don't add a trailing newline to the result!
       echo -n "$RESULT_SHA" > $(results.commit.path)
 ---
-# Copied from https://github.com/tektoncd/catalog/blob/v1/kaniko/kaniko.yaml
-# with a few fixes that will be port over in https://github.com/tektoncd/catalog/pull/291
-# Post #1839 we can refer to the remote Task in a registry or post #2298 in git directly
-apiVersion: tekton.dev/v1
+# Copied from https://github.com/tektoncd/catalog/blob/main/task/kaniko/0.6/kaniko.yaml
+# Using the catalog fails for unknown reasons, so we're keeping this here.
+# Adding `--ignore-path=/product_uuid` EXTRA_ARGS is a workaround for the 'build unlinkat
+# //product_uuid' error filed at https://github.com/GoogleContainerTools/kaniko/issues/2164.
+apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
   name: kaniko
+  labels:
+    app.kubernetes.io/version: "0.6"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.17.0"
+    tekton.dev/categories: Image Build
+    tekton.dev/tags: image-build
+    tekton.dev/displayName: "Build and upload container image using Kaniko"
+    tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le"
 spec:
-  workspaces:
-  - name: source
-  params:
-  - name: IMAGE
-    description: Name (reference) of the image to build.
-  - name: DOCKERFILE
-    description: Path to the Dockerfile to build.
-    default: ./Dockerfile
-  - name: CONTEXT
-    description: The build context used by Kaniko.
-    default: ./
-  - name: EXTRA_ARGS
-    default: ""
-  - name: BUILDER_IMAGE
-    description: The image on which builds will run
-    default: gcr.io/kaniko-project/executor:v1.8.1
-  - name: baseImage
-    description: Base image for GoogleContainerTools/skaffold microservice apps
-    default: BASE=alpine:3.9
-  results:
-  - name: IMAGE_DIGEST
-    description: Digest of the image just built.
-  steps:
-  - name: build-and-push
-    workingDir: $(workspaces.source.path)
-    image: $(params.BUILDER_IMAGE)
-    # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
-    # https://github.com/tektoncd/pipeline/pull/706
-    env:
-    - name: DOCKER_CONFIG
-      value: /tekton/home/.docker
-    command:
-    - /kaniko/executor
-    - $(params.EXTRA_ARGS)
-    - --dockerfile=$(params.DOCKERFILE)
-    - --context=$(workspaces.source.path)/$(params.CONTEXT)  # The user does not need to care the workspace and the source.
-    - --destination=$(params.IMAGE)
-    - --oci-layout-path=$(workspaces.source.path)/$(params.CONTEXT)/image-digest
-    - --build-arg=$(inputs.params.baseImage)
-    - --ignore-path=/product_uuid # TODO(abayer): Work around Kaniko multi-stage build issues on Kind: https://github.com/GoogleContainerTools/kaniko/issues/2164
-    # kaniko assumes it is running as root, which means this example fails on platforms
-    # that default to run containers as random uid (like OpenShift). Adding this securityContext
-    # makes it explicit that it needs to run as root.
-    securityContext:
-      runAsUser: 0
-  - name: write-digest
-    workingDir: $(workspaces.source.path)
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:latest
-    # output of imagedigestexport [{"name":"image","digest":"sha256:eed29..660"}]
-    command: ["/ko-app/imagedigestexporter"]
-    securityContext:
-      runAsUser: 0
-    args:
-    - -images=[{"name":"$(params.IMAGE)","type":"image","url":"$(params.IMAGE)","digest":"","OutputImageDir":"$(workspaces.source.path)/$(params.CONTEXT)/image-digest"}]
-    - -terminationMessagePath=$(params.CONTEXT)/image-digested
-  - name: digest-to-results
-    workingDir: $(workspaces.source.path)
-    image: stedolan/jq
-    script: |
-      cat $(params.CONTEXT)/image-digested | jq '.[0].value' -rj | tee $(results.IMAGE_DIGEST.path)
----
-# This task deploys with kubectl apply -f <filename>
-apiVersion: tekton.dev/v1
-kind: Task
-metadata:
-  name: demo-deploy-kubectl
-spec:
+  description: >-
+    This Task builds a simple Dockerfile with kaniko and pushes to a registry.
+    This Task stores the image name and digest as results, allowing Tekton Chains to pick up
+    that an image was built & sign it.
   params:
-  - name: path
-    description: Path to the manifest to apply
-  - name: yqArg
-    description: Okay this is a hack, but I didn't feel right hard-coding `-d1` down below
-  - name: yamlPathToImage
-    description: The path to the image to replace in the yaml manifest (arg to yq)
-  - name: imageURL
-    description: The URL of the image to deploy
+    - name: IMAGE
+      description: Name (reference) of the image to build.
+    - name: DOCKERFILE
+      description: Path to the Dockerfile to build.
+      default: ./Dockerfile
+    - name: CONTEXT
+      description: The build context used by Kaniko.
+      default: ./
+    - name: EXTRA_ARGS
+      type: array
+      default: [--ignore-path=/product_uuid]
+    - name: BUILDER_IMAGE
+      description: The image on which builds will run
+      default: gcr.io/kaniko-project/executor:v1.8.1
   workspaces:
-  - name: source
+    - name: source
+      description: Holds the context and Dockerfile
+    - name: dockerconfig
+      description: Includes a docker `config.json`
+      optional: true
+      mountPath: /kaniko/.docker
+  results:
+    - name: IMAGE_DIGEST
+      description: Digest of the image just built.
+    - name: IMAGE_URL
+      description: URL of the image just built.
   steps:
-  - name: replace-image
-    image: mikefarah/yq:3
-    command: ['yq']
-    args:
-    - "w"
-    - "-i"
-    - "$(params.yqArg)"
-    - "$(params.path)"
-    - "$(params.yamlPathToImage)"
-    - "$(params.imageURL)"
-  - name: run-kubectl
-    image: lachlanevenson/k8s-kubectl
-    command: ['kubectl']
-    args:
-    - 'apply'
-    - '-f'
-    - '$(params.path)'
+    - name: build-and-push
+      workingDir: $(workspaces.source.path)
+      image: $(params.BUILDER_IMAGE)
+      args:
+        - $(params.EXTRA_ARGS)
+        - --dockerfile=$(params.DOCKERFILE)
+        - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source.
+        - --destination=$(params.IMAGE)
+        - --digest-file=$(results.IMAGE_DIGEST.path)
+      # kaniko assumes it is running as root, which means this example fails on platforms
+      # that default to run containers as random uid (like OpenShift). Adding this securityContext
+      # makes it explicit that it needs to run as root.
+      securityContext:
+        runAsUser: 0
+    - name: write-url
+      image: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
+      script: |
+        set -e
+        image="$(params.IMAGE)"
+        echo -n "${image}" | tee "$(results.IMAGE_URL.path)"
 ---
-# This Pipeline Builds two microservice images(https://github.com/GoogleContainerTools/skaffold/tree/master/examples/microservices)
-# from the Skaffold repo (https://github.com/GoogleContainerTools/skaffold) and deploys them to the repo currently running Tekton Pipelines.
+# This Pipeline Builds a container image (https://github.com/GoogleContainerTools/skaffold/tree/master/examples/getting-started)
+# and pushes it to a registry.
 apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
@@ -244,72 +187,21 @@ spec:
     - name: url
       value: https://github.com/GoogleContainerTools/skaffold
     - name: revision
-      value: v1.32.0
+      value: main
     workspaces:
     - name: output
       workspace: git-source
-  - name: skaffold-unit-tests
+  - name: build-image
     runAfter: [fetch-from-git]
-    taskRef:
-      name: "unit.tests"
-    workspaces:
-    - name: source
-      workspace: git-source
-  - name: build-skaffold-web
-    runAfter: [skaffold-unit-tests]
     taskRef:
       name: kaniko
     params:
     - name: IMAGE
-      value: $(params.image-registry)/leeroy-web
+      value: $(params.image-registry)/getting-started
     - name: CONTEXT
-      value: examples/microservices/leeroy-web
+      value: examples/getting-started
     - name: DOCKERFILE
-      value: $(workspaces.source.path)/examples/microservices/leeroy-web/Dockerfile
-    workspaces:
-    - name: source
-      workspace: git-source
-  - name: build-skaffold-app
-    runAfter: [skaffold-unit-tests]
-    taskRef:
-      name: kaniko
-    params:
-    - name: IMAGE
-      value: $(params.image-registry)/leeroy-app
-    - name: CONTEXT
-      value: examples/microservices/leeroy-app
-    - name: DOCKERFILE
-      value: $(workspaces.source.path)/examples/microservices/leeroy-app/Dockerfile
-    workspaces:
-    - name: source
-      workspace: git-source
-  - name: deploy-app
-    taskRef:
-      name: demo-deploy-kubectl
-    params:
-    - name: imageURL
-      value: $(params.image-registry)/leeroy-app@$(tasks.build-skaffold-app.results.IMAGE_DIGEST)
-    - name: path
-      value: $(workspaces.source.path)/examples/microservices/leeroy-app/kubernetes/deployment.yaml
-    - name: yqArg
-      value: "-d1"
-    - name: yamlPathToImage
-      value: "spec.template.spec.containers[0].image"
-    workspaces:
-    - name: source
-      workspace: git-source
-  - name: deploy-web
-    taskRef:
-      name: demo-deploy-kubectl
-    params:
-    - name: imageURL
-      value: $(params.image-registry)/leeroy-web@$(tasks.build-skaffold-web.results.IMAGE_DIGEST)
-    - name: path
-      value: $(workspaces.source.path)/examples/microservices/leeroy-web/kubernetes/deployment.yaml
-    - name: yqArg
-      value: "-d0"
-    - name: yamlPathToImage
-      value: "spec.template.spec.containers[0].image"
+      value: $(workspaces.source.path)/examples/getting-started/Dockerfile
     workspaces:
     - name: source
       workspace: git-source