mirror of https://github.com/tektoncd/catalog.git synced 2024-11-25 06:17:50 +00:00
catalog/buildkit/README.md
Akihiro Suda 7eb466bc40 buildkit: use mTLS and support daemonless mode
* `buildkit` task is updated to use mTLS for connecting to the
  `buildkit` daemon `Service`.
  This prohibits Dockerfile `RUN` containers from connecting to the daemon.

* `buildkit-daemonless` task is newly added for ease of setting up.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-21 09:46:22 -05:00


# BuildKit
This Task builds source into a container image using [Moby BuildKit](https://github.com/moby/buildkit).
See also [`buildkit-daemonless`](../buildkit-daemonless) for the daemonless version of this task.
## Install
### Step 0: Create mTLS secrets
You need to determine the SAN of the BuildKit daemon `Service` and create mTLS certificates.
In this example, we use `buildkitd` as the SAN.
```console
$ ./create-certs.sh buildkitd
$ kubectl apply -f .certs/buildkit-daemon-certs.yaml
secret/buildkit-daemon-certs created
$ kubectl apply -f .certs/buildkit-client-certs.yaml
secret/buildkit-client-certs created
$ rm -rf .certs
```
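The SAN chosen in Step 0 has to match the host in the task's `BUILDKIT_DAEMON_ADDRESS` parameter, or the client rejects the daemon certificate during the TLS handshake. The script below is an added example, not part of the catalog or of `create-certs.sh`: it compares a certificate's DNS SANs with an address, using a throwaway self-signed certificate as constructed sample input. The function names are hypothetical, and it assumes the `openssl` CLI (1.1.1 or later) and a PEM copy of the daemon certificate when run against a real deployment.

```bash
#!/usr/bin/env bash
# Added example: check that a certificate's DNS SANs cover the host in
# BUILDKIT_DAEMON_ADDRESS. Assumes the openssl CLI (1.1.1+ for -addext).
set -u

# Host part of an address such as tcp://buildkitd:1234
addr_host() {
  local a="${1#*://}"        # drop the scheme
  a="${a%%/*}"               # drop any path
  printf '%s\n' "${a%:*}"    # drop the port
}

# DNS SAN entries of a PEM certificate, one per line
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeeds only if the address host exactly matches a DNS SAN.
# Wildcard and IP SANs are deliberately not handled here.
san_covers_address() {
  local cert="$1" host
  host="$(addr_host "$2")"
  cert_dns_sans "$cert" | grep -qxF -- "$host"
}

# Constructed sample: throwaway self-signed certificate with one DNS SAN,
# standing in for the daemon certificate generated in Step 0.
make_sample_cert() {
  local dir; dir="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
    -addext "subjectAltName=DNS:$1" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  printf '%s\n' "$dir/cert.pem"
}

sample="$(make_sample_cert buildkitd)"
for addr in tcp://buildkitd:1234 tcp://buildkitd.default.svc:1234; do
  if san_covers_address "$sample" "$addr"; then
    echo "OK       $addr"
  else
    echo "MISMATCH $addr (SANs: $(cert_dns_sans "$sample" | paste -sd, -))"
  fi
done
```

The second address shows the common failure: a certificate issued only for `buildkitd` does not cover a namespace-qualified Service name, so every name the client will dial has to be passed to `create-certs.sh` as a SAN.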
### Step 1: Deploy BuildKit daemon
Two types of daemon manifest are included:
* `deployment+service.rootless.yaml` (recommended):
  Run the daemon as a non-root user.
  Using Ubuntu nodes is recommended.
  [Needs `sysctl` configuration for Debian hosts and RHEL/CentOS 7 hosts. Does not work on Google COS.](https://github.com/moby/buildkit/blob/master/docs/rootless.md)
* `deployment+service.privileged.yaml`:
  Run the daemon as the root user with `securityContext.privileged=true`.
  Try this version if `deployment+service.rootless.yaml` does not work or is too slow.
```console
$ kubectl apply -f deployment+service.rootless.yaml
deployment.apps/buildkitd created
service/buildkitd created
```
The number of replicas can be adjusted as you like:
```console
$ kubectl scale --replicas=10 deployment/buildkitd
```
See also the [BuildKit documentation](https://github.com/moby/buildkit/tree/master/examples/kubernetes) for further information about the manifests.
### Step 2: Install the task
```console
$ kubectl apply -f task.yaml
task.tekton.dev/buildkit created
```
## Inputs
### Parameters
* **DOCKERFILE**: The path to the `Dockerfile` to execute (_default:_ `./Dockerfile`)
* **BUILDKIT_CLIENT_IMAGE**: BuildKit client image (_default:_ `moby/buildkit:vX.Y.Z@sha256:...`)
* **BUILDKIT_DAEMON_ADDRESS**: BuildKit daemon address (_default:_ `tcp://buildkitd:1234`)
* **BUILDKIT_CLIENT_CERTS**: The name of the Secret that contains `ca.pem`, `cert.pem`, `key.pem`
  for the mTLS connection to the BuildKit daemon (_default:_ `buildkit-client-certs`)
### Resources
* **source**: A `git`-type `PipelineResource` specifying the location of the source to build.
## Outputs
### Resources
* **image**: An `image`-type `PipelineResource` specifying the image that should be built.
Currently, generating [`resourceResult`](https://github.com/tektoncd/pipeline/blob/master/docs/resources.md#image-resource) is not supported. ([`buildkit#993`](https://github.com/moby/buildkit/issues/993))