CI: switch to unprivileged Kaniko to build pipeline images (#11292)

pull/11279/head
Antoine Legrand 2024-06-11 15:19:02 +02:00 committed by GitHub
parent f85e96904d
commit 3e72be2f72
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 30 additions and 37 deletions


@ -1,40 +1,32 @@
--- ---
.build: .build-container:
cache:
key: $CI_COMMIT_REF_SLUG
paths:
- image-cache
tags:
- packet
stage: build stage: build
image: image:
name: moby/buildkit:rootless name: gcr.io/kaniko-project/executor:debug
entrypoint: [""] entrypoint: ['']
variables: variables:
BUILDKITD_FLAGS: --oci-worker-no-process-sandbox TAG: $CI_COMMIT_SHORT_SHA
PROJECT_DIR: $CI_PROJECT_DIR
DOCKERFILE: Dockerfile
GODEBUG: "http2client=0"
before_script: before_script:
- mkdir ~/.docker - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > ~/.docker/config.json
pipeline image:
extends: .build
script: script:
- | - /kaniko/executor --cache=true
buildctl-daemonless.sh build \ --cache-dir=image-cache
--frontend=dockerfile.v0 \ --context $PROJECT_DIR
--local context=. \ --dockerfile $PROJECT_DIR/$DOCKERFILE
--local dockerfile=. \ --label 'git-branch'=$CI_COMMIT_REF_SLUG
--opt filename=./pipeline.Dockerfile \ --label 'git-tag=$CI_COMMIT_TAG'
--output type=image,name=$PIPELINE_IMAGE,push=true \ --destination $PIPELINE_IMAGE
--import-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache
rules:
- if: '$CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
pipeline image and build cache: pipeline-image:
extends: .build extends: .build-container
script: variables:
- | DOCKERFILE: pipeline.Dockerfile
buildctl-daemonless.sh build \
--frontend=dockerfile.v0 \
--local context=. \
--local dockerfile=. \
--opt filename=./pipeline.Dockerfile \
--output type=image,name=$PIPELINE_IMAGE,push=true \
--import-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache \
--export-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache,mode=max
rules:
- if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
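Review bot: Layer-cache writes are no longer gated to the default branch: the removed jobs only passed `--export-cache` when `$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH` and were import-only elsewhere, whereas the new `.build-container` runs `/kaniko/executor --cache=true` with no `rules:`, so every branch build pushes layers to the cache repository kaniko infers from `--destination`, and later default-branch builds consume them — whether a branch or fork pipeline can actually write there depends on `$PIPELINE_IMAGE` and the job-token scope, which are not visible here. I would restore the gating, e.g. a separate default-branch-only job (or an extra `--no-push-cache` flag on non-default branches, if the pinned executor version has it). As far as I can tell `--cache-dir=image-cache` is kaniko's local base-image cache populated by the warmer, not the layer cache, so the GitLab `cache:` block keyed on `$CI_COMMIT_REF_SLUG` probably does not hold build layers at all and is worth a comment or removal. Separately, `--label 'git-tag=$CI_COMMIT_TAG'` is single-quoted, so the shell never expands it and the image gets the literal label value `$CI_COMMIT_TAG`; it should be `--label git-tag=$CI_COMMIT_TAG`, matching the `git-branch` label on the line above. Finally, `gcr.io/kaniko-project/executor:debug` is a floating tag running with registry push credentials; pin it by digest (`executor:debug@sha256:…`) so the builder image cannot change underneath the pipeline.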


@ -38,11 +38,12 @@ RUN apt update -q \
&& apt autoremove -yqq --purge && apt clean && rm -rf /var/lib/apt/lists/* /var/log/* && apt autoremove -yqq --purge && apt clean && rm -rf /var/lib/apt/lists/* /var/log/*
WORKDIR /kubespray WORKDIR /kubespray
ADD ./requirements.txt /kubespray/requirements.txt
ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
ADD ./roles/kubespray-defaults/defaults/main/main.yml /kubespray/roles/kubespray-defaults/defaults/main/main.yml
RUN --mount=type=bind,target=./requirements.txt,src=./requirements.txt \
--mount=type=bind,target=./tests/requirements.txt,src=./tests/requirements.txt \ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
--mount=type=bind,target=./roles/kubespray-defaults/defaults/main/main.yml,src=./roles/kubespray-defaults/defaults/main/main.yml \
update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
&& pip install --no-compile --no-cache-dir pip -U \ && pip install --no-compile --no-cache-dir pip -U \
&& pip install --no-compile --no-cache-dir -r tests/requirements.txt \ && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
&& KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main/main.yml) \ && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main/main.yml) \