mirror of https://github.com/tektoncd/catalog.git synced 2024-11-21 05:55:35 +00:00

option to provide container registry credentials in a workspace

Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com>
Zbynek Roubalik 2022-08-02 16:48:12 +02:00 committed by tekton-robot
parent 9a80a5fc76
commit 6915b81a50
8 changed files with 541 additions and 0 deletions

task/s2i/0.3/Dockerfile

@ -0,0 +1,14 @@
FROM registry.access.redhat.com/ubi8/ubi
# Install security updates
RUN yum -y update && yum clean all && rm -rf /var/cache/yum && \
yum install python3 -y
# Get latest S2I release from github with some curl+rest+python magic (which is provided by default
# in the image so wedon't have to install extra packages)
RUN mkdir -p /usr/local/bin && \
curl -L $(curl -L -s "https://api.github.com/repos/openshift/source-to-image/releases/latest"| python3 -c "import sys, json;x=json.load(sys.stdin);print([ r['browser_download_url'] for r in x['assets'] if 'linux-amd64' in r['name']][0])") -o /tmp/s2i.tgz && \
tar xz -f/tmp/s2i.tgz -C /usr/local/bin/ && \
chmod -R 0755 /usr/local/bin
ENTRYPOINT ["/usr/local/bin/s2i"]
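Review bot: the second `RUN` resolves `releases/latest` on GitHub at build time and extracts whatever tarball that returns, with no version pin and no checksum or signature check, so two builds of this Dockerfile can yield different `/usr/local/bin/s2i` binaries and a retagged or tampered release asset would be installed without anyone noticing. Pin the release tag in the download URL and compare the tarball against an expected sha256 before `tar xz`, and quote the command substitution in `curl -L $(curl ...)` so the URL is passed as a single argument. Smaller points: `wedon't` in the comment is missing a space, `chmod -R 0755 /usr/local/bin` is broader than the one binary it needs to cover, and the README in this commit does not mention this Dockerfile or which image it is meant to produce, while the Task itself runs `quay.io/openshift-pipeline/s2i:nightly`; if this file is the source of that image, say so.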

task/s2i/0.3/README.md

@ -0,0 +1,158 @@
# Source-to-Image
[Source-to-Image (S2I)](https://github.com/openshift/source-to-image)
is a toolkit and workflow for building reproducible container images
from source code. S2I produces images by injecting source code into a
base S2I container image and letting the container prepare that source
code for execution. The base S2I container images contains the
language runtime and build tools needed for building and running the
source code.
## Changelog
- Renamed `IMAGE_NAME` parameter to `IMAGE`.
- Add support for `dockerconfig` which can be provided via `workspaces`.
## Install the Task
```bash
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/s2i/0.3/s2i.yaml
```
## Parameters
- **IMAGE**: Reference of the image S2I will produce.
- **BUILDER_IMAGE**: The location of the s2i builder image.
- **PATH_CONTEXT**: Source path from where s2i command need to be run
(_default: ._).
- **TLSVERIFY**: Verify the TLS on the registry endpoint (for push/pull to a
non-TLS registry) (_default:_ `true`)
## Workspaces
- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
- **sslcertdir**: An [_optional_ Workspace](https://github.com/tektoncd/pipeline/blob/v0.17.0/docs/workspaces.md#optional-workspaces) containing your custom SSL certificates to connect to the registry. Buildah will look for files ending with \*.crt, \*.cert, \*.key into this workspace. See [this sample](./samples/openshift-internal-registry.yaml) for a complete example on how to use it with OpenShift internal registry.
- **`dockerconfig`**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
## Results
- **IMAGE_DIGEST**: Digest of the image just built.
## ServiceAccount
S2I builds an image and pushes it to the destination registry which is
defined as a parameter. In order to properly authenticate to the
remote container registry, it needs to have the proper
credentials. The credentials can be provided through a `dockerconfig` workspace
or service account. See
[Authentication](https://github.com/tektoncd/pipeline/blob/main/docs/auth.md#basic-authentication-docker)
for further details.
If you are running on OpenShift, you also need to allow the service
account to run privileged containers because OpenShift does not allow
containers run as privileged containers by default unless explicitly
configured, due to security considerations.
Run the following in order to create a service account named
`pipeline` on OpenShift and allow it to run privileged containers:
```bash
oc create serviceaccount pipeline
oc adm policy add-scc-to-user privileged -z pipeline
oc adm policy add-role-to-user edit -z pipeline
```
## Platforms
The Task can be run on `linux/amd64` platform.
## Usage
- This PipelineRun runs the Task to fetch a Git repo, and build and push a
container image using s2i and a nodejs builder image.
```yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: s2i-test-pipeline-run
spec:
pipelineSpec:
workspaces:
- name: shared-workspace
- name: sslcertdir
optional: true
tasks:
- name: fetch-repository
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-workspace
params:
- name: url
value: https://github.com/sclorg/nodejs-ex
- name: subdirectory
value: ""
- name: deleteExisting
value: "true"
- name: s2i
taskRef:
name: s2i
runAfter:
- fetch-repository
workspaces:
- name: source
workspace: shared-workspace
params:
- name: BUILDER_IMAGE
value: quay.io/centos7/nodejs-12-centos7
- name: TLSVERIFY
value: "false"
- name: LOGLEVEL
value: "10"
- name: IMAGE
value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
workspaces:
- name: shared-workspace
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
```
- **[`dockerconfig.yaml`](samples/dockerconfig.yaml)**: A PipelineRun configured to demonstrate usage of `dockerconfig` workspace for referencing `.docker/config.json` file.
Here is a non-exhaustive list of well maintained s2i builder image
(from [`sclorg`](https://github.com/sclorg/)):
- [go](https://github.com/sclorg/golang-container)
- [`centos/go-toolset-7-centos7`](https://github.com/sclorg/golang-container)
- [nodejs](https://github.com/sclorg/s2i-nodejs-container)
- [`centos/nodejs-6-centos7`](https://hub.docker.com/r/centos/nodejs-6-centos7)
- [`centos/nodejs-8-centos7`](https://hub.docker.com/r/centos/nodejs-8-centos7)
- [`centos/nodejs-10-centos7`](https://hub.docker.com/r/centos/nodejs-10-centos7)
- [perl](https://github.com/sclorg/s2i-perl-container)
- [`centos/perl-524-centos7`](https://hub.docker.com/r/centos/perl-524-centos7)
- [`centos/perl-526-centos7`](https://hub.docker.com/r/centos/perl-526-centos7)
- [php](https://github.com/sclorg/s2i-php-container)
- [`centos/php-70-centos7`](https://hub.docker.com/r/centos/php-70-centos7)
- [`centos/php-71-centos7`](https://hub.docker.com/r/centos/php-71-centos7)
- [`centos/php-72-centos7`](https://hub.docker.com/r/centos/php-72-centos7)
- [python](https://github.com/sclorg/s2i-python-container)
- [`centos/python-27-centos7`](https://hub.docker.com/r/centos/python-27-centos7)
- [`centos/python-35-centos7`](https://hub.docker.com/r/centos/python-35-centos7)
- [`centos/python-36-centos7`](https://hub.docker.com/r/centos/python-36-centos7)
- [`centos/python-38-centos7`](https://hub.docker.com/r/centos/python-38-centos7)
- [ruby](https://github.com/sclorg/s2i-ruby-container)
- [`centos/ruby-23-centos7`](https://hub.docker.com/r/centos/ruby-23-centos7)
- [`centos/ruby-24-centos7`](https://hub.docker.com/r/centos/ruby-24-centos7)
- [`centos/ruby-25-centos7`](https://hub.docker.com/r/centos/ruby-25-centos7)
#### Note:
- All those images above are also available with RHEL as base
instead, just replace `centos7` by `rhel7` or `rhel8` when using from DockerHub
- The following images are also available at quay.io/centos7
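Review bot: the Usage example pushes to the OpenShift internal registry with `TLSVERIFY` set to `"false"`, which turns off certificate verification for the builder-image pull and the push alike, even though the `sslcertdir` workspace documented a few lines above exists precisely so the internal registry's service CA can be trusted with verification left on; the example that users will copy should keep the default `"true"` and bind `sslcertdir` to the service CA (the `openshift-internal-registry.yaml` sample mounts that CA but also leaves `TLSVERIFY` at `false`, so neither example currently shows verification working). The Parameters section omits `LOGLEVEL`, which the example then sets to `"10"`, and the `dockerconfig` workspace description should state which steps use the credentials: in the Task as written only `buildah push` runs with `DOCKER_CONFIG` exported, so a private `BUILDER_IMAGE` is not covered. Wording: `The base S2I container images contains` should read `image contains` or `images contain`, and the final bullet `The following images are also available at quay.io/centos7` announces a list that never follows.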

task/s2i/0.3/s2i.yaml

@ -0,0 +1,86 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: s2i
labels:
app.kubernetes.io/version: "0.3"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
tekton.dev/tags: image-build
tekton.dev/platforms: "linux/amd64"
spec:
description: >-
Source-to-Image (S2I) is a toolkit and workflow for building reproducible
container images from source code
S2I produces images by injecting source code into a base S2I container image
and letting the container prepare that source code for execution. The base
S2I container images contains the language runtime and build tools needed for
building and running the source code.
params:
- name: BUILDER_IMAGE
description: The location of the s2i builder image.
- name: IMAGE
description: Reference of the image S2I will produce.
- name: PATH_CONTEXT
description: The location of the path to run s2i from.
default: .
- name: TLSVERIFY
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
default: "true"
- name: LOGLEVEL
description: Log level when running the S2I binary
default: "0"
workspaces:
- name: source
- name: sslcertdir
optional: true
- name: dockerconfig
description: >-
An optional workspace that allows providing a .docker/config.json file
for Buildah to access the container registry.
The file should be placed at the root of the Workspace with name config.json.
optional: true
results:
- name: IMAGE_DIGEST
description: Digest of the image just built.
steps:
- name: generate
image: quay.io/openshift-pipeline/s2i:nightly
workingDir: $(workspaces.source.path)
command:
- /usr/local/bin/s2i
- --loglevel=$(params.LOGLEVEL)
- build
- $(params.PATH_CONTEXT)
- $(params.BUILDER_IMAGE)
- --as-dockerfile
- /gen-source/Dockerfile.gen
volumeMounts:
- mountPath: /gen-source
name: gen-source
- name: build
image: quay.io/buildah/stable:v1.17.0
workingDir: /gen-source
script: |
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
buildah ${CERT_DIR_FLAG} bud --tls-verify=$(params.TLSVERIFY) --layers \
-f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
buildah ${CERT_DIR_FLAG} push --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
$(params.IMAGE) docker://$(params.IMAGE)
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
volumeMounts:
- name: varlibcontainers
mountPath: /var/lib/containers
- mountPath: /gen-source
name: gen-source
securityContext:
privileged: true
volumes:
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: gen-source
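Review bot: in the `build` step the line `[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"` sits after `buildah ... bud` and before `buildah ... push`, so the credentials from the new `dockerconfig` workspace are consulted for the push only; if `BUILDER_IMAGE` is in a registry that requires authentication, `buildah bud` fails to pull it before the export ever runs. Move that line up next to the `CERT_DIR_FLAG` line so both `bud` and `push` see it, or document that the workspace applies to the push alone. Two smaller points: the script has no shebang and uses the bash-only `[[ ]]` test, so it relies on `/bin/sh` in the buildah image being bash; a `#!/usr/bin/env bash` first line makes that explicit. And the step that runs with `privileged: true` uses images referenced by tag (`quay.io/openshift-pipeline/s2i:nightly` floats daily, `quay.io/buildah/stable:v1.17.0` is an old tag rather than a digest); pinning both by digest keeps a privileged step from changing underneath users. The result should also be written to `$(results.IMAGE_DIGEST.path)` rather than the hard-coded `/tekton/results/IMAGE_DIGEST`.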


@ -0,0 +1,73 @@
---
apiVersion: v1
kind: Secret
metadata:
name: dockerconfig-secret
stringData:
config.json: |
{
"auths" : {
"icr.io" : {
"auth" : "iamapikey",
"identitytoken" : "test123test123"
}
}
}
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: s2i-test-pipeline-run
spec:
pipelineSpec:
workspaces:
- name: shared-workspace
- name: sslcertdir
optional: true
- name: dockerconfig
optional: true
tasks:
- name: fetch-repository
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-workspace
params:
- name: url
value: https://github.com/sclorg/nodejs-ex
- name: subdirectory
value: ""
- name: deleteExisting
value: "true"
- name: s2i
taskRef:
name: s2i
runAfter:
- fetch-repository
workspaces:
- name: source
workspace: shared-workspace
- name: dockerconfig
workspace: dockerconfig-ws
params:
- name: BUILDER_IMAGE
value: quay.io/centos7/nodejs-12-centos7
- name: TLSVERIFY
value: "false"
- name: LOGLEVEL
value: "10"
- name: IMAGE
value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
workspaces:
- name: shared-workspace
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
- name: dockerconfig-ws
secret:
secretName: dockerconfig-secret
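Review bot: the sample does not exercise what it is meant to demonstrate: the Secret holds credentials for `icr.io`, but `IMAGE` points at `image-registry.openshift-image-registry.svc:5000/...`, so `buildah push` never looks up the `icr.io` entry and binding the `dockerconfig` workspace has no effect on this run. Either push to the registry the credentials are for, or put the internal registry's hostname under `auths`. Also, in `.docker/config.json` the `auth` value is expected to be base64 of `username:password`; the bare string `iamapikey` is the IBM Cloud username that belongs before the colon, not an encoded pair, so the entry should carry either a real base64 `auth` or only `identitytoken`, and both values should be visibly marked as placeholders so a real token never gets committed into a sample. `TLSVERIFY: "false"` again disables verification in an example about registry authentication; leave it at the default.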


@ -0,0 +1,95 @@
# Your custom CA, on OpenShift to be able to get the internal registry custom
# certificates you can just import it to your namespace with :
# oc get configmaps \
# -n openshift-controller-manager openshift-service-ca -o yaml | \
# sed '/namespace/d'|kubectl apply -f-
---
kind: ConfigMap
metadata:
name: openshift-service-ca
apiVersion: v1
data:
service-ca.crt: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: buildah-custom-ca-
spec:
workspaces:
- name: shared-workspace
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
# Make sure the path ends up as ca.crt or buildah would not be able to find
# it.
- name: sslcertdir
configMap:
name: openshift-service-ca
defaultMode: 420
items:
- key: service-ca.crt
path: ca.crt
namespace: openshift-controller-manager
pipelineSpec:
workspaces:
- name: shared-workspace
- name: sslcertdir
optional: true
tasks:
- name: fetch-repository
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-workspace
params:
- name: url
value: https://github.com/sclorg/django-ex
- name: subdirectory
value: ""
- name: deleteExisting
value: "true"
- name: s2i
taskRef:
name: s2i
runAfter:
- fetch-repository
workspaces:
- name: source
workspace: shared-workspace
- name: sslcertdir
workspace: sslcertdir
params:
- name: BUILDER_IMAGE
value: centos/python-36-centos7
- name: TLSVERIFY
value: "false"
- name: LOGLEVEL
value: "10"
- name: IMAGE
value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
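Review bot: this sample imports the service CA into `sslcertdir` and then sets `TLSVERIFY` to `"false"`, so the CA it mounts is never consulted and a reader cannot tell from the run whether the `--cert-dir` wiring works; set `TLSVERIFY` to `"true"` (the default) so the sample actually proves the CA is trusted. Also, `namespace: openshift-controller-manager` under the `sslcertdir` `configMap` binding is not a field of a ConfigMap volume source, and the header comment already instructs the user to strip the namespace and apply the ConfigMap into their own namespace, so drop that line; and `generateName: buildah-custom-ca-` looks copied from the buildah sample, `s2i-custom-ca-` would match this task.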


@ -0,0 +1,50 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry
spec:
selector:
matchLabels:
run: registry
replicas: 1
template:
metadata:
labels:
run: registry
spec:
containers:
- name: registry
image: docker.io/registry:2
ports:
- containerPort: 5000
volumeMounts:
- name: sslcert
mountPath: /certs
env:
- name: REGISTRY_HTTP_TLS_CERTIFICATE
value: "/certs/ca.crt"
- name: REGISTRY_HTTP_TLS_KEY
value: "/certs/ca.key"
- name: REGISTRY_HTTP_SECRET
value: "tekton"
volumes:
- name: sslcert
configMap:
defaultMode: 420
items:
- key: ca.crt
path: ca.crt
- key: ca.key
path: ca.key
name: sslcert
---
apiVersion: v1
kind: Service
metadata:
name: registry
spec:
ports:
- port: 5000
selector:
run: registry
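Review bot: the registry's TLS private key (`ca.key`) is served from a ConfigMap instead of a Secret, and `REGISTRY_HTTP_SECRET` is the fixed literal `tekton`; both are tolerable for a throwaway test sidecar, but add a comment saying this is test-only so the manifest is not copied as a pattern, and prefer a Secret for the key even in tests. `docker.io/registry:2` is a floating major tag; pinning it keeps the sidecar's behaviour stable across test runs.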


@ -0,0 +1,6 @@
#!/usr/bin/env bash
add_sidecar_secure_registry
# Add git-clone
add_task git-clone latest


@ -0,0 +1,59 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: s2i-test-pipeline-run
spec:
pipelineSpec:
workspaces:
- name: shared-workspace
- name: sslcertdir
optional: true
tasks:
- name: fetch-repository
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-workspace
params:
- name: url
value: https://github.com/sclorg/django-ex
- name: subdirectory
value: ""
- name: deleteExisting
value: "true"
- name: s2i
taskRef:
name: s2i
runAfter:
- fetch-repository
workspaces:
- name: source
workspace: shared-workspace
- name: sslcertdir
workspace: sslcertdir
params:
- name: BUILDER_IMAGE
value: centos/python-36-centos7
- name: TLSVERIFY
value: "false"
- name: LOGLEVEL
value: "10"
- name: IMAGE
value: registry:5000/python-example-tekton
workspaces:
- name: shared-workspace
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
- name: sslcertdir
configMap:
name: sslcert
defaultMode: 420
items:
- key: ca.crt
path: ca.crt
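Review bot: the commit adds the `dockerconfig` workspace, but this test PipelineRun never binds it, so the new credential path (the `DOCKER_CONFIG` export in the `build` step) is not covered by the catalog tests; add a Secret with a `config.json` entry for `registry:5000` and bind it to the `s2i` task's `dockerconfig` workspace, and since the sidecar registry in this commit is configured without authentication, have it require credentials so the test can fail when the workspace is wired wrongly. The run also sets `TLSVERIFY: "false"` while binding `sslcertdir` to the sidecar's CA, so the `--cert-dir` path is bound but never verified either; with the CA mounted, `"true"` is the value that actually tests it.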