参考官方文档
https://github.com/GoogleContainerTools/kaniko#running-kaniko-in-a-kubernetes-cluster
1. 在本地创建 config.json 文件，添加以下内容
{ "credsStore": "ecr-login" }
2. 使用上面的 json 文件创建 configmap，如果你需要指定命名空间，加 -n
kubectl create configmap docker-config --from-file=<path to config.json>
kubectl create configmap docker-config --from-file=<path to config.json> -n argo
3. 生成本地的aws credentials 文件
~/.aws/credentials
4. 使用 credentials 文件创建 secret
kubectl create secret generic aws-secret --from-file=<path to .aws/credentials>
kubectl create secret generic aws-secret --from-file=<path to .aws/credentials> -n argo
5. mount 上面的配置文件
官网例子是这样的
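---
# Kaniko's documented pod for pushing to ECR: the mounted docker config holds
# `credsStore: ecr-login`, and static AWS credentials are only mounted when the
# node has no instance role (or IRSA) to obtain them from.
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
    - name: kaniko
      # NOTE(review): the upstream example uses the floating `latest` tag; for a
      # reproducible, auditable build pin a specific tag or digest (the Argo
      # workflow further down this page pins the executor by sha256 digest).
      image: gcr.io/kaniko-project/executor:latest
      args:
        - "--dockerfile=<path to Dockerfile within the build context>"
        - "--context=s3://<bucket name>/<path to .tar.gz>"
        - "--destination=<aws_account_id.dkr.ecr.region.amazonaws.com/my-repository:my-tag>"
      volumeMounts:
        - name: docker-config
          mountPath: /kaniko/.docker/
        # when not using instance role
        - name: aws-secret
          mountPath: /root/.aws/
  restartPolicy: Never
  volumes:
    - name: docker-config
      configMap:
        name: docker-config
    # when not using instance role
    - name: aws-secret
      secret:
        secretName: aws-secret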
我本地的argo workflow内容是这样的
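---
# Argo Events Sensor: on the `lzgitwebhook` event from the `lzgithub`
# EventSource it submits a Workflow that cleans the work volume, clones the
# repo, records the commit id, builds a Go binary and pushes the image to ECR
# with kaniko. ECR auth uses the same docker-config / aws-secret mounts as the
# kaniko pod example above.
apiVersion: argoproj.io/v1alpha1
kind: Sensor
metadata:
  name: lzgithub
  namespace: argo
spec:
  template:
    # Service account of the sensor pod; it only needs to submit Workflows,
    # so keep its RBAC scoped to that.
    serviceAccountName: operate-workflow-sa
  dependencies:
    - name: lz-dep
      eventSourceName: lzgithub
      eventName: lzgitwebhook
  triggers:
    - template:
        name: lz-workflow-trigger
        argoWorkflow:
          group: argoproj.io
          version: v1alpha1
          resource: workflows
          operation: submit
          source:
            resource:
              apiVersion: argoproj.io/v1alpha1
              # NOTE(review): `kind` says WorkflowTemplate while the trigger
              # submits to `resource: workflows` with a generateName — confirm
              # this is intended (a Workflow is what ends up being created).
              kind: WorkflowTemplate
              metadata:
                generateName: lzbuildkit-
                namespace: argo
              spec:
                templates:
                  # DAG: clean -> clone -> getcommitid -> mountcommitid -> build -> image
                  - name: main
                    dag:
                      tasks:
                        - name: clean
                          template: clean
                          arguments: {}
                        - name: clone
                          template: clone
                          arguments:
                            parameters:
                              - name: repo
                                value: '{{workflow.parameters.repo}}'
                              - name: branch
                                value: '{{workflow.parameters.branch}}'
                          depends: clean
                        - name: getcommitid
                          template: getcommitid
                          arguments: {}
                          depends: clone
                        - name: mountcommitid
                          template: mountcommitid
                          arguments: {}
                          depends: getcommitid
                        - name: build
                          template: build
                          arguments: {}
                          depends: mountcommitid
                        - name: image
                          template: image
                          arguments:
                            parameters:
                              - name: image
                                value: '{{workflow.parameters.image}}'
                              - name: commitid
                                value: '{{tasks.mountcommitid.outputs.parameters.commitid}}'
                          depends: build
                  # Wipe the shared work volume before a new build.
                  - name: clean
                    container:
                      name: ''
                      # NOTE(review): untagged image resolves to `latest`, and
                      # k8s.gcr.io is a legacy registry (superseded by
                      # registry.k8s.io) — pin a tag or digest.
                      image: k8s.gcr.io/busybox
                      command:
                        - /bin/sh
                      args:
                        - '-c'
                        - 'rm -rf /work/*'
                      workingDir: /work
                      volumeMounts:
                        - name: work
                          mountPath: /work
                  # Shallow, single-branch clone of the requested branch into /work.
                  # The repo URL is passed on the command line, so any credential
                  # embedded in it ends up in the pod spec and the Argo UI.
                  - name: clone
                    inputs:
                      parameters:
                        - name: repo
                        - name: branch
                    container:
                      name: ''
                      image: 'alpine/git:v2.26.2'
                      args:
                        - clone
                        - '--depth'
                        - '1'
                        - '--branch'
                        - '{{inputs.parameters.branch}}'
                        - '--single-branch'
                        - '{{inputs.parameters.repo}}'
                        - /work
                      workingDir: /work
                      volumeMounts:
                        - name: work
                          mountPath: /work
                  # Runs the private getcommitid image pulled from ECR (via the
                  # `regcred` imagePullSecret below). Presumably /getcommitid.sh
                  # writes /work/commitid.txt, which mountcommitid reads — verify.
                  - name: getcommitid
                    inputs: {}
                    outputs: {}
                    metadata: {}
                    container:
                      name: ''
                      # NOTE(review): no tag → `latest`; pin a tag or digest.
                      image: xxxxxxx.dkr.ecr.ap-northeast-1.amazonaws.com/getcommitid
                      command:
                        - /bin/bash
                      args:
                        - '-c'
                        - /getcommitid.sh
                      workingDir: /work
                      volumeMounts:
                        - name: work
                          mountPath: /work
                  # Exposes /work/commitid.txt as the `commitid` output
                  # parameter; falls back to `mockup_commitid` if the file is
                  # missing, so a broken getcommitid step would still tag an image.
                  - name: mountcommitid
                    outputs:
                      parameters:
                        - name: commitid
                          valueFrom:
                            path: /work/commitid.txt
                          default: mockup_commitid
                    metadata: {}
                    container:
                      name: ''
                      # NOTE(review): untagged legacy-registry image, see `clean`.
                      image: k8s.gcr.io/busybox
                      command:
                        - /bin/sh
                      args:
                        - '-c'
                        - ls /work
                      workingDir: /work
                      resources: {}
                      volumeMounts:
                        - name: work
                          mountPath: /work
                  # `go build main.go` inside the checked-out tree.
                  - name: build
                    container:
                      name: ''
                      image: 'golang:alpine3.13'
                      command:
                        - go
                      args:
                        - build
                        - main.go
                      workingDir: /work
                      env:
                        - name: ENVTEST
                          value: helloworld
                      volumeMounts:
                        - name: work
                          mountPath: /work
                  # kaniko build + push; the image is pinned by digest so the
                  # builder itself cannot change underneath the pipeline.
                  - name: image
                    inputs:
                      parameters:
                        - name: image
                        - name: commitid
                    container:
                      name: ''
                      image: gcr.io/kaniko-project/executor@sha256:f652f28537fa76e8f4f9393de13a064f0206003c451ce2ad6e4359fd5a21acbc
                      args:
                        - '-f'
                        - /work/Dockerfile
                        - '-c'
                        - /work
                        # quoted like the other templated values; the value is unchanged
                        - '--destination={{inputs.parameters.image}}:{{inputs.parameters.commitid}}'
                      workingDir: /work
                      env:
                        - name: envkey
                          value: envvalue
                      resources: {}
                      volumeMounts:
                        - name: docker-config
                          mountPath: /kaniko/.docker/
                        # Static AWS credentials; prefer an instance role / IRSA so
                        # no long-lived key has to live in a Secret.
                        - name: aws-secret
                          mountPath: /root/.aws/
                        - name: work
                          mountPath: /work
                volumes:
                  - name: docker-config
                    configMap:
                      name: docker-config
                  - name: aws-secret
                    secret:
                      secretName: aws-secret
                entrypoint: main
                # `regcred` is created from `aws ecr get-login-password`; that
                # token is short-lived (ECR tokens expire after 12 hours), so the
                # Secret must be refreshed or pulls start failing.
                imagePullSecrets:
                  - name: regcred
                arguments:
                  parameters:
                    # NOTE(review): the repo URL embeds a username:token. It is
                    # stored in plaintext in this Sensor and in every submitted
                    # Workflow, and is passed on the `git clone` command line.
                    # Keep the credential in a Secret (e.g. a mounted git
                    # credential file) and pass only the bare URL here.
                    - name: repo
                      value: 'https://xxxxx:xxxxx@github.com/xxxxx/xxxxxxx.git'
                    - name: branch
                      value: master
                    - name: image
                      value: xxxxx.dkr.ecr.ap-northeast-1.amazonaws.com/xxxxx
                # Per-workflow 1Gi scratch volume shared by all steps as /work.
                volumeClaimTemplates:
                  - metadata:
                      name: work
                      creationTimestamp: null
                    spec:
                      accessModes:
                        - ReadWriteOnce
                      resources:
                        requests:
                          storage: 1Gi
                      storageClassName: gp2
                    status: {}
                # Finished workflows (and their PVCs) are garbage-collected after 30 min.
                ttlStrategy:
                  secondsAfterCompletion: 1800
                  secondsAfterSuccess: 1800
                  secondsAfterFailure: 1800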
6. 上面的文件中还从 ECR 中 pull 了一个镜像
下面的命令行可以做到这一点
如果要从 CLI 登录到 ECR
aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin xxxxxx.dkr.ecr.ap-northeast-1.amazonaws.com
也就是说
aws ecr get-login-password --region ap-northeast-1
可以得到登录密码，用户名是 AWS
那么也就可以通过这个办法创建 secret
kubectl create secret docker-registry regcred --docker-server=https://xxxxxxxxxx.dkr.ecr.ap-northeast-1.amazonaws.com --docker-username=AWS --docker-password=$(aws ecr get-login-password --region ap-northeast-1) --docker-email=YOUREMAIL@ADDRESS -n argo
然后就可以正常引用了
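entrypoint: main
# `regcred` holds the token from `aws ecr get-login-password`, which is
# short-lived (ECR tokens expire after 12 hours): regenerate the Secret
# periodically, or use the ecr-login credential helper / a node IAM role instead.
imagePullSecrets:
  - name: regcred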