From 8407669cff41327a0f178565f02b8cecf3e89c7a Mon Sep 17 00:00:00 2001 From: Jerome Ju Date: Mon, 6 Feb 2023 21:32:21 +0000 Subject: [PATCH] Migrate Kaniko Task off ImageDigestExporter This commit migrates the pipelinerun examples that use the old kaniko task (to build and push images and write digests) off the ImageDigestExporter. They now use the latest Kaniko Task, copied in from the Catalog. The image built from the https://github.com/GoogleContainerTools/skaffold repo has also been changed accordingly, since the old Dockerfile is no longer compatible with the latest Kaniko Task. --- examples/v1/pipelineruns/pipelinerun.yaml | 246 +++++------------ .../v1beta1/pipelineruns/pipelinerun.yaml | 241 +++++------------ .../v1beta1/pipelineruns/pipelinerun.yaml | 250 +++++------------- 3 files changed, 206 insertions(+), 531 deletions(-) diff --git a/examples/v1/pipelineruns/pipelinerun.yaml b/examples/v1/pipelineruns/pipelinerun.yaml index 0e1b348ccb8..6730a231557 100644 --- a/examples/v1/pipelineruns/pipelinerun.yaml +++ b/examples/v1/pipelineruns/pipelinerun.yaml 
@@ -14,28 +14,6 @@ roleRef: name: cluster-admin apiGroup: rbac.authorization.k8s.io --- -apiVersion: tekton.dev/v1 -kind: Task -metadata: - name: "unit.tests" -spec: - workspaces: - - name: source - mountPath: /workspace/source/go/src/github.com/GoogleContainerTools/skaffold - steps: - - name: run-tests - image: golang - env: - - name: GOPATH - value: /workspace/go - workingDir: $(workspaces.source.path) - script: | - # The intention behind this example Task is to run unit test, however we - # currently do nothing to ensure that a unit test issue doesn't cause this example - # to fail unnecessarily. In the future we could re-introduce the unit tests (since - # we are now pinning the version of Skaffold we pull) or use Tekton Pipelines unit tests. - echo "pass" ---- # Copied from https://github.com/tektoncd/catalog/blob/v1/git/git-clone.yaml # With a few fixes being ported over in https://github.com/tektoncd/catalog/pull/290 # Post #1839 we can refer to the remote Task in a registry or post #2298 in git directly 
@@ -119,113 +97,78 @@ spec: # Make sure we don't add a trailing newline to the result! echo -n "$RESULT_SHA" > $(results.commit.path) --- -# Copied from https://github.com/tektoncd/catalog/blob/v1/kaniko/kaniko.yaml -# with a few fixes that will be port over in https://github.com/tektoncd/catalog/pull/291 -# Post #1839 we can refer to the remote Task in a registry or post #2298 in git directly -apiVersion: tekton.dev/v1 +# Copied from https://github.com/tektoncd/catalog/blob/main/task/kaniko/0.6/kaniko.yaml +# Using the catalog fails for unknown reasons, so we're keeping this here. +# Adding `--ignore-path=/product_uuid` EXTRA_ARGS is a workaround for the 'build unlinkat +# //product_uuid' error filed at https://github.com/GoogleContainerTools/kaniko/issues/2164. +apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: kaniko + labels: + app.kubernetes.io/version: "0.6" + annotations: + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/categories: Image Build + tekton.dev/tags: image-build + tekton.dev/displayName: "Build and upload container image using Kaniko" + tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le" spec: - workspaces: - - name: source - params: - - name: IMAGE - description: Name (reference) of the image to build. - - name: DOCKERFILE - description: Path to the Dockerfile to build. - default: ./Dockerfile - - name: CONTEXT - description: The build context used by Kaniko. - default: ./ - - name: EXTRA_ARGS - default: "" - - name: BUILDER_IMAGE - description: The image on which builds will run - default: gcr.io/kaniko-project/executor:v1.8.1 - - name: baseImage - description: Base image for GoogleContainerTools/skaffold microservice apps - default: BASE=alpine:3.9 - results: - - name: IMAGE_DIGEST - description: Digest of the image just built. 
- steps: - - name: build-and-push - workingDir: $(workspaces.source.path) - image: $(params.BUILDER_IMAGE) - # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential - # https://github.com/tektoncd/pipeline/pull/706 - env: - - name: DOCKER_CONFIG - value: /tekton/home/.docker - command: - - /kaniko/executor - - $(params.EXTRA_ARGS) - - --dockerfile=$(params.DOCKERFILE) - - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. - - --destination=$(params.IMAGE) - - --oci-layout-path=$(workspaces.source.path)/$(params.CONTEXT)/image-digest - - --build-arg=$(inputs.params.baseImage) - - --ignore-path=/product_uuid # TODO(abayer): Work around Kaniko multi-stage build issues on Kind: https://github.com/GoogleContainerTools/kaniko/issues/2164 - # kaniko assumes it is running as root, which means this example fails on platforms - # that default to run containers as random uid (like OpenShift). Adding this securityContext - # makes it explicit that it needs to run as root. 
- securityContext: - runAsUser: 0 - - name: write-digest - workingDir: $(workspaces.source.path) - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:latest - # output of imagedigestexport [{"name":"image","digest":"sha256:eed29..660"}] - command: ["/ko-app/imagedigestexporter"] - securityContext: - runAsUser: 0 - args: - - -images=[{"name":"$(params.IMAGE)","type":"image","url":"$(params.IMAGE)","digest":"","OutputImageDir":"$(workspaces.source.path)/$(params.CONTEXT)/image-digest"}] - - -terminationMessagePath=$(params.CONTEXT)/image-digested - - name: digest-to-results - workingDir: $(workspaces.source.path) - image: stedolan/jq - script: | - cat $(params.CONTEXT)/image-digested | jq '.[0].value' -rj | tee $(results.IMAGE_DIGEST.path) ---- -# This task deploys with kubectl apply -f -apiVersion: tekton.dev/v1 -kind: Task -metadata: - name: demo-deploy-kubectl -spec: + description: >- + This Task builds a simple Dockerfile with kaniko and pushes to a registry. + This Task stores the image name and digest as results, allowing Tekton Chains to pick up + that an image was built & sign it. params: - - name: path - description: Path to the manifest to apply - - name: yqArg - description: Okay this is a hack, but I didn't feel right hard-coding `-d1` down below - - name: yamlPathToImage - description: The path to the image to replace in the yaml manifest (arg to yq) - - name: imageURL - description: The URL of the image to deploy + - name: IMAGE + description: Name (reference) of the image to build. + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: The build context used by Kaniko. 
+ default: ./ + - name: EXTRA_ARGS + type: array + default: [--ignore-path=/product_uuid] + - name: BUILDER_IMAGE + description: The image on which builds will run + default: gcr.io/kaniko-project/executor:v1.8.1 workspaces: - - name: source + - name: source + description: Holds the context and Dockerfile + - name: dockerconfig + description: Includes a docker `config.json` + optional: true + mountPath: /kaniko/.docker + results: + - name: IMAGE_DIGEST + description: Digest of the image just built. + - name: IMAGE_URL + description: URL of the image just built. steps: - - name: replace-image - image: mikefarah/yq:3 - command: ['yq'] - args: - - "w" - - "-i" - - "$(params.yqArg)" - - "$(params.path)" - - "$(params.yamlPathToImage)" - - "$(params.imageURL)" - - name: run-kubectl - image: lachlanevenson/k8s-kubectl - command: ['kubectl'] - args: - - 'apply' - - '-f' - - '$(params.path)' + - name: build-and-push + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + args: + - $(params.EXTRA_ARGS) + - --dockerfile=$(params.DOCKERFILE) + - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. + - --destination=$(params.IMAGE) + - --digest-file=$(results.IMAGE_DIGEST.path) + # kaniko assumes it is running as root, which means this example fails on platforms + # that default to run containers as random uid (like OpenShift). Adding this securityContext + # makes it explicit that it needs to run as root. 
+ securityContext: + runAsUser: 0 + - name: write-url + image: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9 + script: | + set -e + image="$(params.IMAGE)" + echo -n "${image}" | tee "$(results.IMAGE_URL.path)" --- -# This Pipeline Builds two microservice images(https://github.com/GoogleContainerTools/skaffold/tree/master/examples/microservices) -# from the Skaffold repo (https://github.com/GoogleContainerTools/skaffold) and deploys them to the repo currently running Tekton Pipelines. +# This Pipeline Builds a container image (https://github.com/GoogleContainerTools/skaffold/tree/master/examples/getting-started) +# and pushes it to a registry. apiVersion: tekton.dev/v1 kind: Pipeline metadata: 
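Review bot: The new `write-url` step interpolates `$(params.IMAGE)` directly into the bash script (`image="$(params.IMAGE)"`), so Tekton substitutes the value before the shell parses it, and a value containing a double quote or a command substitution is evaluated as shell code inside the step. Pass the parameter through `env` and expand it as an ordinary shell variable, using `printf '%s'` instead of `echo -n` so the value is never read as an option. The same step is copied into the kaniko Task in examples/v1beta1/pipelineruns/pipelinerun.yaml and test/yamls/v1beta1/pipelineruns/pipelinerun.yaml. Separately, this Task is now declared `apiVersion: tekton.dev/v1beta1` although the file lives under examples/v1 and its Pipeline stays `tekton.dev/v1`; if that is intentional, a comment saying why would help.

```yaml
# … unchanged: write-url step name and image …
env:
  - name: PARAM_IMAGE
    value: $(params.IMAGE)
script: |
  set -e
  printf '%s' "${PARAM_IMAGE}" | tee "$(results.IMAGE_URL.path)"
```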
@@ -244,72 +187,21 @@ spec: - name: url value: https://github.com/GoogleContainerTools/skaffold - name: revision - value: v1.32.0 + value: main workspaces: - name: output workspace: git-source - - name: skaffold-unit-tests + - name: build-image runAfter: [fetch-from-git] - taskRef: - name: "unit.tests" - workspaces: - - name: source - workspace: git-source - - name: build-skaffold-web - runAfter: [skaffold-unit-tests] taskRef: name: kaniko params: - name: IMAGE - value: $(params.image-registry)/leeroy-web + value: $(params.image-registry)/getting-started - name: CONTEXT - value: examples/microservices/leeroy-web + value: examples/getting-started - name: DOCKERFILE - value: $(workspaces.source.path)/examples/microservices/leeroy-web/Dockerfile - workspaces: - - name: source - workspace: git-source - - name: build-skaffold-app - runAfter: [skaffold-unit-tests] - taskRef: - name: kaniko - params: - - name: IMAGE - value: $(params.image-registry)/leeroy-app - - name: CONTEXT - value: examples/microservices/leeroy-app - - name: DOCKERFILE - value: $(workspaces.source.path)/examples/microservices/leeroy-app/Dockerfile - workspaces: - - name: source - workspace: git-source - - name: deploy-app - taskRef: - name: demo-deploy-kubectl - params: - - name: imageURL - value: $(params.image-registry)/leeroy-app@$(tasks.build-skaffold-app.results.IMAGE_DIGEST) - - name: path - value: $(workspaces.source.path)/examples/microservices/leeroy-app/kubernetes/deployment.yaml - - name: yqArg - value: "-d1" - - name: yamlPathToImage - value: "spec.template.spec.containers[0].image" - workspaces: - - name: source - workspace: git-source - - name: deploy-web - taskRef: - name: demo-deploy-kubectl - params: - - name: imageURL - value: $(params.image-registry)/leeroy-web@$(tasks.build-skaffold-web.results.IMAGE_DIGEST) - - name: path - value: $(workspaces.source.path)/examples/microservices/leeroy-web/kubernetes/deployment.yaml - - name: yqArg - value: "-d0" - - name: yamlPathToImage - 
value: "spec.template.spec.containers[0].image" + value: $(workspaces.source.path)/examples/getting-started/Dockerfile workspaces: - name: source workspace: git-source diff --git a/examples/v1beta1/pipelineruns/pipelinerun.yaml b/examples/v1beta1/pipelineruns/pipelinerun.yaml index 8516e67bb5e..88d5d27a00c 100644 --- a/examples/v1beta1/pipelineruns/pipelinerun.yaml +++ b/examples/v1beta1/pipelineruns/pipelinerun.yaml 
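Review bot: Changing the git-clone `revision` from `v1.32.0` to `main` makes the example build whatever is at the tip of an external repository's branch, and that Dockerfile is then built by the kaniko step that runs with `runAsUser: 0`. The run is no longer reproducible, and a later upstream change to examples/getting-started can break or alter the build without any change in this repository. Pin a release tag or commit SHA that contains examples/getting-started, e.g. `value: <skaffold-tag-or-commit-sha>`, with a comment recording why that revision was chosen. The same change is made in the corresponding Pipeline hunks of examples/v1beta1/pipelineruns/pipelinerun.yaml and test/yamls/v1beta1/pipelineruns/pipelinerun.yaml.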
@@ -14,134 +14,78 @@ roleRef: name: cluster-admin apiGroup: rbac.authorization.k8s.io --- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: "unit.tests" -spec: - workspaces: - - name: source - mountPath: /workspace/source/go/src/github.com/GoogleContainerTools/skaffold - steps: - - name: run-tests - image: golang - env: - - name: GOPATH - value: /workspace/go - workingDir: $(workspaces.source.path) - script: | - # The intention behind this example Task is to run unit test, however we - # currently do nothing to ensure that a unit test issue doesn't cause this example - # to fail unnecessarily. In the future we could re-introduce the unit tests (since - # we are now pinning the version of Skaffold we pull) or use Tekton Pipelines unit tests. - echo "pass" ---- -# Copied from https://github.com/tektoncd/catalog/blob/v1beta1/kaniko/kaniko.yaml +# Copied from https://github.com/tektoncd/catalog/blob/main/task/kaniko/0.6/kaniko.yaml # Using the catalog fails for unknown reasons, so we're keeping this here. +# Adding `--ignore-path=/product_uuid` EXTRA_ARGS is a workaround for the 'build unlinkat +# //product_uuid' error filed at https://github.com/GoogleContainerTools/kaniko/issues/2164. apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: kaniko + labels: + app.kubernetes.io/version: "0.6" + annotations: + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/categories: Image Build + tekton.dev/tags: image-build + tekton.dev/displayName: "Build and upload container image using Kaniko" + tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le" spec: - workspaces: - - name: source + description: >- + This Task builds a simple Dockerfile with kaniko and pushes to a registry. + This Task stores the image name and digest as results, allowing Tekton Chains to pick up + that an image was built & sign it. params: - - name: IMAGE - description: Name (reference) of the image to build. - - name: DOCKERFILE - description: Path to the Dockerfile to build. 
- default: ./Dockerfile - - name: CONTEXT - description: The build context used by Kaniko. - default: ./ - - name: EXTRA_ARGS - default: "" - - name: BUILDER_IMAGE - description: The image on which builds will run - default: gcr.io/kaniko-project/executor:v1.8.1 - - name: baseImage - description: Base image for GoogleContainerTools/skaffold microservice apps - default: BASE=alpine:3.9 - results: - - name: IMAGE_DIGEST - description: Digest of the image just built. - steps: - - name: build-and-push - workingDir: $(workspaces.source.path) - image: $(params.BUILDER_IMAGE) - # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential - # https://github.com/tektoncd/pipeline/pull/706 - env: - - name: DOCKER_CONFIG - value: /tekton/home/.docker - command: - - /kaniko/executor - - $(params.EXTRA_ARGS) - - --dockerfile=$(params.DOCKERFILE) - - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. - - --destination=$(params.IMAGE) - - --oci-layout-path=$(workspaces.source.path)/$(params.CONTEXT)/image-digest - - --build-arg=$(inputs.params.baseImage) - - --ignore-path=/product_uuid # TODO(abayer): Work around Kaniko multi-stage build issues on Kind: https://github.com/GoogleContainerTools/kaniko/issues/2164 - # kaniko assumes it is running as root, which means this example fails on platforms - # that default to run containers as random uid (like OpenShift). Adding this securityContext - # makes it explicit that it needs to run as root. 
- securityContext: - runAsUser: 0 - - name: write-digest - workingDir: $(workspaces.source.path) - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:latest - # output of imagedigestexport [{"name":"image","digest":"sha256:eed29..660"}] - command: ["/ko-app/imagedigestexporter"] - securityContext: - runAsUser: 0 - args: - - -images=[{"name":"$(params.IMAGE)","type":"image","url":"$(params.IMAGE)","digest":"","OutputImageDir":"$(workspaces.source.path)/$(params.CONTEXT)/image-digest"}] - - -terminationMessagePath=$(params.CONTEXT)/image-digested - - name: digest-to-results - workingDir: $(workspaces.source.path) - image: stedolan/jq - script: | - cat $(params.CONTEXT)/image-digested | jq '.[0].value' -rj | tee $(results.IMAGE_DIGEST.path) ---- -# This task deploys with kubectl apply -f -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: demo-deploy-kubectl -spec: - params: - - name: path - description: Path to the manifest to apply - - name: yqArg - description: Okay this is a hack, but I didn't feel right hard-coding `-d1` down below - - name: yamlPathToImage - description: The path to the image to replace in the yaml manifest (arg to yq) - - name: imageURL - description: The URL of the image to deploy + - name: IMAGE + description: Name (reference) of the image to build. + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: The build context used by Kaniko. + default: ./ + - name: EXTRA_ARGS + type: array + default: [--ignore-path=/product_uuid] + - name: BUILDER_IMAGE + description: The image on which builds will run + default: gcr.io/kaniko-project/executor:v1.8.1 workspaces: - - name: source + - name: source + description: Holds the context and Dockerfile + - name: dockerconfig + description: Includes a docker `config.json` + optional: true + mountPath: /kaniko/.docker + results: + - name: IMAGE_DIGEST + description: Digest of the image just built. 
+ - name: IMAGE_URL + description: URL of the image just built. steps: - - name: replace-image - image: mikefarah/yq:3 - command: ['yq'] - args: - - "w" - - "-i" - - "$(params.yqArg)" - - "$(params.path)" - - "$(params.yamlPathToImage)" - - "$(params.imageURL)" - - name: run-kubectl - image: lachlanevenson/k8s-kubectl - command: ['kubectl'] - args: - - 'apply' - - '-f' - - '$(params.path)' + - name: build-and-push + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + args: + - $(params.EXTRA_ARGS) + - --dockerfile=$(params.DOCKERFILE) + - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. + - --destination=$(params.IMAGE) + - --digest-file=$(results.IMAGE_DIGEST.path) + # kaniko assumes it is running as root, which means this example fails on platforms + # that default to run containers as random uid (like OpenShift). Adding this securityContext + # makes it explicit that it needs to run as root. + securityContext: + runAsUser: 0 + - name: write-url + image: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9 + script: | + set -e + image="$(params.IMAGE)" + echo -n "${image}" | tee "$(results.IMAGE_URL.path)" --- -# This Pipeline Builds two microservice images(https://github.com/GoogleContainerTools/skaffold/tree/master/examples/microservices) -# from the Skaffold repo (https://github.com/GoogleContainerTools/skaffold) and deploys them to the repo currently running Tekton Pipelines. +# This Pipeline Builds a container image (https://github.com/GoogleContainerTools/skaffold/tree/master/examples/getting-started) +# and pushes it to a registry. apiVersion: tekton.dev/v1beta1 kind: Pipeline metadata: 
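Review bot: The `BUILDER_IMAGE` default `gcr.io/kaniko-project/executor:v1.8.1` is referenced by tag only, while the `write-url` step added in the same Task pins its bash image with an `@sha256:` digest. The kaniko step is the one that runs as root and pushes to the registry, so it is the image where a moved or re-pushed tag matters most. Pin it the same way, `default: gcr.io/kaniko-project/executor:v1.8.1@sha256:<digest-of-v1.8.1>`, taking the digest from the registry when the change is made. The same default appears in the kaniko Task in examples/v1/pipelineruns/pipelinerun.yaml and test/yamls/v1beta1/pipelineruns/pipelinerun.yaml.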
@@ -167,72 +111,21 @@ spec: - name: url value: https://github.com/GoogleContainerTools/skaffold - name: revision - value: v1.32.0 + value: main workspaces: - name: output workspace: git-source - - name: skaffold-unit-tests + - name: build-image runAfter: [fetch-from-git] - taskRef: - name: "unit.tests" - workspaces: - - name: source - workspace: git-source - - name: build-skaffold-web - runAfter: [skaffold-unit-tests] taskRef: name: kaniko params: - name: IMAGE - value: $(params.image-registry)/leeroy-web + value: $(params.image-registry)/getting-started - name: CONTEXT - value: examples/microservices/leeroy-web + value: examples/getting-started - name: DOCKERFILE - value: $(workspaces.source.path)/examples/microservices/leeroy-web/Dockerfile - workspaces: - - name: source - workspace: git-source - - name: build-skaffold-app - runAfter: [skaffold-unit-tests] - taskRef: - name: kaniko - params: - - name: IMAGE - value: $(params.image-registry)/leeroy-app - - name: CONTEXT - value: examples/microservices/leeroy-app - - name: DOCKERFILE - value: $(workspaces.source.path)/examples/microservices/leeroy-app/Dockerfile - workspaces: - - name: source - workspace: git-source - - name: deploy-app - taskRef: - name: demo-deploy-kubectl - params: - - name: imageURL - value: $(params.image-registry)/leeroy-app@$(tasks.build-skaffold-app.results.IMAGE_DIGEST) - - name: path - value: $(workspaces.source.path)/examples/microservices/leeroy-app/kubernetes/deployment.yaml - - name: yqArg - value: "-d1" - - name: yamlPathToImage - value: "spec.template.spec.containers[0].image" - workspaces: - - name: source - workspace: git-source - - name: deploy-web - taskRef: - name: demo-deploy-kubectl - params: - - name: imageURL - value: $(params.image-registry)/leeroy-web@$(tasks.build-skaffold-web.results.IMAGE_DIGEST) - - name: path - value: $(workspaces.source.path)/examples/microservices/leeroy-web/kubernetes/deployment.yaml - - name: yqArg - value: "-d0" - - name: yamlPathToImage - 
value: "spec.template.spec.containers[0].image" + value: $(workspaces.source.path)/examples/getting-started/Dockerfile workspaces: - name: source workspace: git-source diff --git a/test/yamls/v1beta1/pipelineruns/pipelinerun.yaml b/test/yamls/v1beta1/pipelineruns/pipelinerun.yaml index 3e19477cddb..53f4c072a3b 100644 --- a/test/yamls/v1beta1/pipelineruns/pipelinerun.yaml +++ b/test/yamls/v1beta1/pipelineruns/pipelinerun.yaml 
@@ -14,141 +14,82 @@ roleRef: name: cluster-admin apiGroup: rbac.authorization.k8s.io --- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: unit-tests -spec: - workspaces: - - name: source - mountPath: /workspace/source/go/src/github.com/GoogleContainerTools/skaffold - steps: - - name: run-tests - image: golang - env: - - name: GOPATH - value: /workspace/go - workingDir: $(workspaces.source.path) - script: | - # The intention behind this example Task is to run unit test, however we - # currently do nothing to ensure that a unit test issue doesn't cause this example - # to fail unnecessarily. In the future we could re-introduce the unit tests (since - # we are now pinning the version of Skaffold we pull) or use Tekton Pipelines unit tests. - echo "pass" ---- -# Copied from https://github.com/tektoncd/catalog/blob/v1beta1/kaniko/kaniko.yaml -# with a few fixes that will be port over in https://github.com/tektoncd/catalog/pull/291 -# Post #1839 we can refer to the remote Task in a registry or post #2298 in git directly +# Copied from https://github.com/tektoncd/catalog/blob/main/task/kaniko/0.6/kaniko.yaml +# Using the catalog fails for unknown reasons, so we're keeping this here. +# Adding `--ignore-path=/product_uuid` EXTRA_ARGS is a workaround for the 'build unlinkat +# //product_uuid' error filed at https://github.com/GoogleContainerTools/kaniko/issues/2164. apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: kaniko + labels: + app.kubernetes.io/version: "0.6" + annotations: + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/categories: Image Build + tekton.dev/tags: image-build + tekton.dev/displayName: "Build and upload container image using Kaniko" + tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le" spec: - workspaces: - - name: source + description: >- + This Task builds a simple Dockerfile with kaniko and pushes to a registry. 
+ This Task stores the image name and digest as results, allowing Tekton Chains to pick up + that an image was built & sign it. params: - - name: IMAGE - description: Name (reference) of the image to build. - - name: DOCKERFILE - description: Path to the Dockerfile to build. - default: ./Dockerfile - - name: CONTEXT - description: The build context used by Kaniko. - default: ./ - - name: EXTRA_ARGS - default: "" - - name: BUILDER_IMAGE - description: The image on which builds will run - default: gcr.io/kaniko-project/executor:v1.8.1 - - name: baseImage - description: Base image for GoogleContainerTools/skaffold microservice apps - default: BASE=alpine:3.9 - results: - - name: IMAGE_DIGEST - description: Digest of the image just built. - steps: - - name: build-and-push - workingDir: $(workspaces.source.path) - image: $(params.BUILDER_IMAGE) - # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential - # https://github.com/tektoncd/pipeline/pull/706 - env: - - name: DOCKER_CONFIG - value: /tekton/home/.docker - command: - - /kaniko/executor - - $(params.EXTRA_ARGS) - - --dockerfile=$(params.DOCKERFILE) - - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. - - --destination=$(params.IMAGE) - - --oci-layout-path=$(workspaces.source.path)/$(params.CONTEXT)/image-digest - - --build-arg=$(inputs.params.baseImage) - - --ignore-path=/product_uuid # TODO(abayer): Work around Kaniko multi-stage build issues on Kind: https://github.com/GoogleContainerTools/kaniko/issues/2164 - # kaniko assumes it is running as root, which means this example fails on platforms - # that default to run containers as random uid (like OpenShift). Adding this securityContext - # makes it explicit that it needs to run as root. 
- securityContext: - runAsUser: 0 - - name: write-digest - workingDir: $(workspaces.source.path) - # TODO(abayer): Using ko:// means we end up rebuilding the image, which can be annoying. Consider alternatives while ensuring - # we're always replacing the ko:// images with ones already built from our source... - image: ko://github.com/tektoncd/pipeline/cmd/imagedigestexporter - # output of imagedigestexport [{"name":"image","digest":"sha256:eed29..660"}] - command: ["/ko-app/imagedigestexporter"] - securityContext: - runAsUser: 0 - args: - - -images=[{"name":"$(params.IMAGE)","type":"image","url":"$(params.IMAGE)","digest":"","OutputImageDir":"$(workspaces.source.path)/$(params.CONTEXT)/image-digest"}] - - -terminationMessagePath=$(params.CONTEXT)/image-digested - - name: digest-to-results - workingDir: $(workspaces.source.path) - image: stedolan/jq - script: | - cat $(params.CONTEXT)/image-digested | jq '.[0].value' -rj | tee /tekton/results/IMAGE_DIGEST ---- -# This task deploys with kubectl apply -f -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: demo-deploy-kubectl -spec: - params: - - name: path - description: Path to the manifest to apply - - name: yqArg - description: Okay this is a hack, but I didn't feel right hard-coding `-d1` down below - - name: yamlPathToImage - description: The path to the image to replace in the yaml manifest (arg to yq) - - name: imageURL - description: The URL of the image to deploy + - name: IMAGE + description: Name (reference) of the image to build. + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: The build context used by Kaniko. 
+ default: ./ + - name: EXTRA_ARGS + type: array + default: [--ignore-path=/product_uuid] + - name: BUILDER_IMAGE + description: The image on which builds will run + default: gcr.io/kaniko-project/executor:v1.8.1 workspaces: - - name: source + - name: source + description: Holds the context and Dockerfile + - name: dockerconfig + description: Includes a docker `config.json` + optional: true + mountPath: /kaniko/.docker + results: + - name: IMAGE_DIGEST + description: Digest of the image just built. + - name: IMAGE_URL + description: URL of the image just built. steps: - - name: replace-image - image: mikefarah/yq:3 - command: ['yq'] - args: - - "w" - - "-i" - - "$(params.yqArg)" - - "$(params.path)" - - "$(params.yamlPathToImage)" - - "$(params.imageURL)" - - name: run-kubectl - image: lachlanevenson/k8s-kubectl - command: ['kubectl'] - args: - - 'apply' - - '-f' - - '$(params.path)' + - name: build-and-push + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + args: + - $(params.EXTRA_ARGS) + - --dockerfile=$(params.DOCKERFILE) + - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. + - --destination=$(params.IMAGE) + - --digest-file=$(results.IMAGE_DIGEST.path) + # kaniko assumes it is running as root, which means this example fails on platforms + # that default to run containers as random uid (like OpenShift). Adding this securityContext + # makes it explicit that it needs to run as root. 
+ securityContext: + runAsUser: 0 + - name: write-url + image: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9 + script: | + set -e + image="$(params.IMAGE)" + echo -n "${image}" | tee "$(results.IMAGE_URL.path)" --- -# This Pipeline Builds two microservice images(https://github.com/GoogleContainerTools/skaffold/tree/master/examples/microservices) -# from the Skaffold repo (https://github.com/GoogleContainerTools/skaffold) and deploys them to the repo currently running Tekton Pipelines. +# This Pipeline Builds a container image (https://github.com/GoogleContainerTools/skaffold/tree/master/examples/getting-started) +# and pushes it to a registry. apiVersion: tekton.dev/v1beta1 kind: Pipeline metadata: - name: demo-pipeline + name: "demo.pipeline" spec: params: - name: image-registry 
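Review bot: The rewritten `build-and-push` step no longer sets `DOCKER_CONFIG` to `/tekton/home/.docker`, which the removed comment described as required for kaniko to detect docker credentials; registry auth now comes only from the optional `dockerconfig` workspace mounted at `/kaniko/.docker`. The `build-image` pipeline task in the next hunk binds only the `source` workspace, so as far as the diff shows the push runs with no credentials configured, which is presumably fine for the registry the tests use but is not stated anywhere. Add a comment above the `dockerconfig` workspace such as `# Push credentials must be supplied by binding this workspace to a Secret holding config.json; the demo Pipeline leaves it unbound.` The examples/v1 and examples/v1beta1 copies of the Task have the same gap.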
@@ -170,72 +111,21 @@ spec: - name: url value: https://github.com/GoogleContainerTools/skaffold - name: revision - value: v1.32.0 + value: main workspaces: - name: output workspace: git-source - - name: skaffold-unit-tests + - name: build-image runAfter: [fetch-from-git] - taskRef: - name: unit-tests - workspaces: - - name: source - workspace: git-source - - name: build-skaffold-web - runAfter: [skaffold-unit-tests] taskRef: name: kaniko params: - name: IMAGE - value: $(params.image-registry)/leeroy-web + value: $(params.image-registry)/getting-started - name: CONTEXT - value: examples/microservices/leeroy-web + value: examples/getting-started - name: DOCKERFILE - value: $(workspaces.source.path)/examples/microservices/leeroy-web/Dockerfile - workspaces: - - name: source - workspace: git-source - - name: build-skaffold-app - runAfter: [skaffold-unit-tests] - taskRef: - name: kaniko - params: - - name: IMAGE - value: $(params.image-registry)/leeroy-app - - name: CONTEXT - value: examples/microservices/leeroy-app - - name: DOCKERFILE - value: $(workspaces.source.path)/examples/microservices/leeroy-app/Dockerfile - workspaces: - - name: source - workspace: git-source - - name: deploy-app - taskRef: - name: demo-deploy-kubectl - params: - - name: imageURL - value: $(params.image-registry)/leeroy-app@$(tasks.build-skaffold-app.results.IMAGE_DIGEST) - - name: path - value: $(workspaces.source.path)/examples/microservices/leeroy-app/kubernetes/deployment.yaml - - name: yqArg - value: "-d1" - - name: yamlPathToImage - value: "spec.template.spec.containers[0].image" - workspaces: - - name: source - workspace: git-source - - name: deploy-web - taskRef: - name: demo-deploy-kubectl - params: - - name: imageURL - value: $(params.image-registry)/leeroy-web@$(tasks.build-skaffold-web.results.IMAGE_DIGEST) - - name: path - value: $(workspaces.source.path)/examples/microservices/leeroy-web/kubernetes/deployment.yaml - - name: yqArg - value: "-d0" - - name: yamlPathToImage - value: 
"spec.template.spec.containers[0].image" + value: $(workspaces.source.path)/examples/getting-started/Dockerfile workspaces: - name: source workspace: git-source @@ -246,7 +136,7 @@ metadata: name: demo-pipeline-run-1 spec: pipelineRef: - name: demo-pipeline + name: "demo.pipeline" serviceAccountName: 'default' podTemplate: securityContext: