mirror of https://github.com/tektoncd/catalog.git synced 2024-11-24 06:15:46 +00:00
catalog/buildkit/README.md
Akihiro Suda 7eb466bc40 buildkit: use mTLS and support daemonless mode
* `buildkit` task is updated to use mTLS for connecting to the
  `buildkit` daemon `Service`.
  This prohibits Dockerfile `RUN` containers from connecting to the daemon.

* `buildkit-daemonless` task is newly added for ease of setting up.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-21 09:46:22 -05:00

BuildKit

This Task builds source into a container image using Moby BuildKit.

See also buildkit-daemonless for the daemonless version of this task.

Install

Step 0: Create mTLS secrets

You need to determine the SAN of the BuildKit daemon Service and create mTLS certificates. In this example, we use buildkitd as the SAN.

$ ./create-certs.sh buildkitd
$ kubectl apply -f .certs/buildkit-daemon-certs.yaml
secret/buildkit-daemon-certs created
$ kubectl apply -f .certs/buildkit-client-certs.yaml
secret/buildkit-client-certs created
$ rm -rf .certs
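
The SAN chosen in this step has to equal the host part of BUILDKIT_DAEMON_ADDRESS (default: tcp://buildkitd:1234); otherwise TLS hostname verification of the daemon certificate fails. The Go sketch below is an added example, not part of this catalog or of BuildKit: checkDaemonCert and sampleCerts are hypothetical names, and the CA and certificate are generated in memory as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// checkDaemonCert checks that certPEM chains to caPEM and has a SAN (the CN is ignored) for the host in daemonAddr.
func checkDaemonCert(caPEM, certPEM []byte, daemonAddr string) error {
	u, err := url.Parse(daemonAddr) // e.g. tcp://buildkitd:1234
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("bad daemon address %q", daemonAddr)
	}
	roots := x509.NewCertPool()
	blk, _ := pem.Decode(certPEM)
	if blk == nil || !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("ca.pem or cert.pem holds no PEM certificate")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: u.Hostname()})
	return err
}
// sampleCerts issues a throwaway CA and daemon certificate (constructed test data).
func sampleCerts(san string) (caPEM, certPEM []byte) {
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na, DNSNames: []string{san}}
	der, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, caKey)
	enc := func(b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: b}) }
	return enc(caDER), enc(der)
}
func main() {
	ca, cert := sampleCerts("buildkitd")
	fmt.Println(checkDaemonCert(ca, cert, "tcp://buildkitd:1234"), checkDaemonCert(ca, cert, "tcp://buildkitd.default.svc:1234"))
}
```

The first check succeeds; the second fails because a certificate issued for buildkitd does not cover the longer name buildkitd.default.svc.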

Step 1: Deploy BuildKit daemon

Two types of daemon manifests are included. This example applies the rootless one:

$ kubectl apply -f deployment+service.rootless.yaml
deployment.apps/buildkitd created
service/buildkitd created

The number of replicas can be adjusted as you like:

$ kubectl scale --replicas=10 deployment/buildkitd

See the BuildKit documentation for further information about the manifests.

Step 2: Install the task

$ kubectl apply -f task.yaml
task.tekton.dev/buildkit created

Inputs

Parameters

  • DOCKERFILE: The path to the Dockerfile to execute (default: ./Dockerfile)
  • BUILDKIT_CLIENT_IMAGE: BuildKit client image (default: moby/buildkit:vX.Y.Z@sha256:...)
  • BUILDKIT_DAEMON_ADDRESS: BuildKit daemon address (default: tcp://buildkitd:1234)
  • BUILDKIT_CLIENT_CERTS: The name of the Secret that contains ca.pem, cert.pem, and key.pem for the mTLS connection to the BuildKit daemon (default: buildkit-client-certs)

Resources

  • source: A git-type PipelineResource specifying the location of the source to build.

Outputs

Resources

  • image: An image-type PipelineResource specifying the image that should be built. Currently, generating resourceResult is not supported. (buildkit#993)