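Background
In a Kubernetes environment, build and push container images with Tekton and kaniko, without depending on Docker.
Prerequisites
1: Install Kubernetes 1.25 or later
2: Install Tekton; see my article "Installing Tekton offline on minikube"
3: Build the kaniko tool image; see my article "Customizing an image based on the kaniko image"
4: Have a working Harbor registry
Creating the Tekton Task and TaskRun
The requirement: first download the code artifact with wget, then build the image from a prepared Dockerfile, and push it to the specified Harbor registry.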
1: Create the Harbor credential
Assume the Harbor domain is myharbor.com, the account is user and the password is passwd.

echo -n 'user:passwd' | base64
dXNlcjpwYXNzd2Q=

Generate the configuration file config.json

{
  "auths": {
    "myharbor.com": {
      "auth": "dXNlcjpwYXNzd2Q="
    }
  }
}

Base64-encode the configuration file

cat config.json | base64 -w0

Create the Secret manifest kaniko-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: kaniko-secret
data:
  config.json: {base64-encoded text of config.json}

Run kubectl apply -f kaniko-secret.yaml to apply it; the Secret is created in the default namespace.
2: Create the Tekton Task
This should follow the official Tekton documentation; you can also use my Task YAML directly.

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: download-build-push-one
spec:
  params:
    - name: code-url
      description: URL to download code.zip
      type: string
    - name: dockerfile
      description: Dockerfile content (base64-encoded)
      type: string
    - name: image-name-version
      description: Image name and version (e.g., imageName:version)
      type: string
    - name: registry-url
      description: The registry URL (default is myharbor.com)
      default: myharbor.com
    - name: registry-http
      description: Use HTTP to push to the registry
      # Tekton parameter values are strings, so the boolean is quoted
      default: "true"
  workspaces:
    - name: tmpspace
    - name: dockerconfig
      description: Includes a docker `config.json`
      optional: true
      mountPath: /kaniko/.docker
  results:
    - name: IMAGE_DIGEST
      description: Digest of the image just built.
    - name: IMAGE_URL
      description: URL of the image just built.
  steps:
    - name: download-build-push
      image: myharbor.com/kaniko-tool:v1.0
      command:
        - sh
        - -c
      # All parameters use the v1beta1 $(params.<name>) form
      args:
        - |
          wget '$(params.code-url)' -O $(workspaces.tmpspace.path)/code.zip &&
          echo '$(params.dockerfile)' | base64 -d > $(workspaces.tmpspace.path)/Dockerfile &&
          /kaniko/executor \
            --context=$(workspaces.tmpspace.path) \
            --dockerfile=$(workspaces.tmpspace.path)/Dockerfile \
            --destination=$(params.registry-url)/$(params.image-name-version) \
            --digest-file=$(results.IMAGE_DIGEST.path) \
            --insecure=$(params.registry-http) \
            --insecure-pull=$(params.registry-http) \
            --skip-tls-verify=$(params.registry-http)

Save it as download-build-push-one.yaml
Run kubectl apply -f download-build-push-one.yaml to apply it; the Task is created in the default namespace.
The step first downloads the code with wget, then decodes the base64-encoded Dockerfile parameter and saves it as the Dockerfile, then runs kaniko to build the image and push it to Harbor. The registry credential is loaded from the Secret.
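Tekton substitutes $(params.…) into the args string before sh parses it, so a parameter value containing a quote or shell metacharacters becomes part of the command rather than data. The variant below is an added example, not the author's Task: it passes the parameters as environment variables, fails on the first error, and also writes the IMAGE_URL result. The Task name, the variable names, the "false" default and the omission of --skip-tls-verify (assuming the registry is plain HTTP or presents a certificate the image trusts) are assumptions.

```yaml
# Added example, not the author's Task: parameters reach the shell as
# environment variables instead of being pasted into the script text.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: download-build-push-one-env   # hypothetical name
spec:
  params:
    - name: code-url
      type: string
    - name: dockerfile
      type: string
    - name: image-name-version
      type: string
    - name: registry-url
      default: myharbor.com
    - name: registry-http
      default: "false"   # assumption: plain HTTP is opt-in
  workspaces:
    - name: tmpspace
    - name: dockerconfig
      optional: true
      mountPath: /kaniko/.docker
  results:
    - name: IMAGE_DIGEST
    - name: IMAGE_URL
  steps:
    - name: download-build-push
      image: myharbor.com/kaniko-tool:v1.0
      env:
        - name: CODE_URL
          value: $(params.code-url)
        - name: DOCKERFILE_B64
          value: $(params.dockerfile)
        - name: DESTINATION
          value: $(params.registry-url)/$(params.image-name-version)
        - name: REGISTRY_HTTP
          value: $(params.registry-http)
      script: |
        #!/bin/sh
        set -eu   # stop on the first failing command or unset variable
        cd "$(workspaces.tmpspace.path)"   # path is set by Tekton, not by the caller
        wget -O code.zip -- "$CODE_URL"
        printf '%s' "$DOCKERFILE_B64" | base64 -d > Dockerfile
        /kaniko/executor --context="$PWD" --dockerfile="$PWD/Dockerfile" \
          --destination="$DESTINATION" \
          --digest-file="$(results.IMAGE_DIGEST.path)" \
          --insecure="$REGISTRY_HTTP" --insecure-pull="$REGISTRY_HTTP"
        printf '%s' "$DESTINATION" > "$(results.IMAGE_URL.path)"
```

To try it, point taskRef.name in the TaskRun at this Task; the parameters and workspaces are unchanged.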
The corresponding TaskRun YAML follows

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: download-build-push-one-run
spec:
  taskRef:
    name: download-build-push-one
  workspaces:
    - name: tmpspace
      emptyDir: {}
    - name: dockerconfig
      secret:
        secretName: kaniko-secret
  params:
    - name: code-url
      value: "file download URL"
    - name: dockerfile
      value: "base64-encoded Dockerfile text"
    - name: image-name-version
      # Repository names must be lowercase
      value: faas/funtest:1
    - name: registry-url
      value: myharbor.com
    - name: registry-http
      # Tekton parameter values are strings, so the boolean is quoted
      value: "true"

Save it as download-build-push-run.yaml
Run kubectl apply -f download-build-push-run.yaml to start the TaskRun, then check the logs to confirm that it worked.
Use kubectl get taskrun to list the status of all TaskRuns.
Use kubectl describe taskrun {task name} to view the details of a specific TaskRun.
Use kubectl logs {task name}-pod to view the logs of a specific TaskRun.