除了 kaniko,BuildKit 的 daemonless 模式也可以在没有守护进程的情况下构建镜像。
直接上 workflow template 例子
先配置 GitHub 凭据(Secret):
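# Git credentials read by the `clone` template through
# usernameSecret / passwordSecret (secret name `github-creds`,
# keys `username` and `password`).
#
# Values under `data` must be base64-encoded. base64 is an encoding, not
# encryption: anyone who can read this manifest or the Secret object can
# recover the credential, so keep real values out of version control and
# prefer a repository-scoped, read-only access token over an account password.
apiVersion: v1
kind: Secret
metadata:
  name: github-creds
  # Secrets are namespace-scoped. The WorkflowTemplate and the docker-config
  # secret on this page both live in `argo`, so this secret is created there
  # as well; in `default` the git artifact could not resolve it.
  namespace: argo
type: Opaque
data:
  # Placeholders: replace with the base64 of the real token / user name.
  password: xxxxxxxxx (base64)
  username: xxxxxxxxx (base64)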
再配置 Docker Hub 凭据:
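# Create the `docker-config` secret (key `config.json`) in the `argo`
# namespace; the `image` template mounts it as $DOCKER_CONFIG/config.json.
#
# The values below are placeholders. A real token typed on the command line
# ends up in shell history and in the process argument list; read it from a
# prompt or a file where possible, and use a Docker Hub access token limited
# to the repositories this pipeline pushes to.
export DOCKER_USERNAME=******
export DOCKER_TOKEN=******

# printf avoids the non-portable `echo -n`; the variables are quoted so the
# credential is not word-split; `tr -d '\n'` removes the line wrapping that
# GNU base64 inserts after 76 columns, which would otherwise put a raw
# newline inside the JSON string and yield an invalid config.json.
DOCKER_AUTH="$(printf '%s' "$DOCKER_USERNAME:$DOCKER_TOKEN" | base64 | tr -d '\n')"

kubectl create secret generic docker-config \
  --from-literal="config.json={\"auths\": {\"https://index.docker.io/v1/\": {\"auth\": \"$DOCKER_AUTH\"}}}" \
  -n argo

# Do not leave the credential in the environment of this shell.
unset DOCKER_AUTH DOCKER_TOKEN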
workflow template
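# Build and push an image using Docker Buildkit in daemonless mode
# (buildctl-daemonless.sh): no long-running Docker daemon and no
# Docker-in-Docker (DIND) sidecar.
#
# NOTE(review): the `image` template below sets
# `securityContext.privileged: true`, so this variant DOES run a privileged
# container. The "no privileged access" property belongs to BuildKit's
# rootless mode (a rootless image variant together with
# BUILDKITD_FLAGS=--oci-worker-no-process-sandbox, left commented out below).
# Confirm that a rootless tag exists for the BuildKit version you pin before
# switching, then remove the securityContext.
#
# Publishing images requires an access token. For hub.docker.com you can
# create one at https://hub.docker.com/settings/security
# It needs to be mounted as `$DOCKER_CONFIG/config.json`. To do this, create
# a secret in the namespace the workflow runs in (`argo` here):
#
#   export DOCKER_USERNAME=******
#   export DOCKER_TOKEN=******
#   kubectl create secret generic docker-config --from-literal="config.json={\"auths\": {\"https://index.docker.io/v1/\": {\"auth\": \"$(printf '%s' "$DOCKER_USERNAME:$DOCKER_TOKEN" | base64 | tr -d '\n')\"}}}" -n argo
#
# Read more:
#
# * https://github.com/moby/buildkit#expose-buildkit-as-a-tcp-service
# * https://blog.alexellis.io/building-containers-without-docker/
# * https://hub.docker.com/r/moby/buildkit
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: buildkit
  namespace: argo
  annotations:
    # Description corrected to match the manifest: the build container below
    # is privileged.
    workflows.argoproj.io/description: |
      Build and push an image using Docker Buildkit in daemonless mode (no Docker daemon or DIND sidecar).
      As configured, the build container runs with privileged access.
    workflows.argoproj.io/maintainer: '@alexec'
    workflows.argoproj.io/tags: buildkit
    workflows.argoproj.io/version: '>= 2.9.0'
spec:
  # NOTE(review): every template mounts a volume named `work`, but no such
  # volume is declared anywhere in this manifest as shown. The Workflow that
  # references these templates presumably has to provide it (for example
  # through its own volumeClaimTemplates) - confirm against the caller.
  templates:
    # Empty the shared /work volume so a build never picks up files left
    # behind by an earlier run.
    - name: clean
      container:
        name: ''
        # No tag is given, so this resolves to `latest`; combined with
        # IfNotPresent a node keeps whatever it pulled first. Pin a tag or
        # digest for reproducible, auditable builds.
        # NOTE(review): k8s.gcr.io is the legacy Kubernetes registry host -
        # confirm it is still the intended source for this image.
        image: k8s.gcr.io/busybox
        imagePullPolicy: IfNotPresent
        command:
          - /bin/sh
        args:
          - '-c'
          - 'rm -rf /work/*'
        workingDir: /work
        volumeMounts:
          - name: work
            mountPath: /work

    # Fetch the repository as a git artifact into /src, then copy it into
    # the shared /work volume.
    - name: clone
      inputs:
        parameters:
          - name: repo
          - name: branch
        artifacts:
          - name: argo-source
            path: /src
            git:
              # The credentials below are used for whatever URL `repo`
              # names. Restrict who may submit this workflow, or constrain
              # `repo` to the expected host, so the token is only ever
              # presented to the intended git server.
              repo: '{{inputs.parameters.repo}}'
              revision: '{{inputs.parameters.branch}}'
              usernameSecret:
                name: github-creds
                key: username
              passwordSecret:
                name: github-creds
                key: password
      container:
        image: k8s.gcr.io/busybox
        command:
          - /bin/sh
        args:
          - '-c'
          - 'cp -rf /src/. /work/ && ls /work'
        workingDir: /src
        volumeMounts:
          - name: work
            mountPath: /work

    # Build the Dockerfile found in /work and push the result to
    # docker.io/<image>.
    - name: image
      inputs:
        parameters:
          # Interpolated into the comma-separated `--output` attribute list
          # below; callers should pass only a plain `repository/name:tag`
          # value so no additional output attributes can be introduced.
          - name: image
      # Mount the configuration so we can push the image.
      # This should create the /.docker/config.json file.
      volumes:
        - name: docker-config
          secret:
            secretName: docker-config
      container:
        image: moby/buildkit:v0.7.2
        volumeMounts:
          - name: work
            mountPath: /work
          # The registry token is readable by everything running in this
          # container, including the build itself; scope the token to the
          # repositories this pipeline pushes to.
          - name: docker-config
            mountPath: /.docker
        workingDir: /work
        env:
          # Only relevant to the rootless setup described in the header:
          # - name: BUILDKITD_FLAGS
          #   value: --oci-worker-no-process-sandbox
          - name: DOCKER_CONFIG
            value: /.docker
        command:
          - buildctl-daemonless.sh
        # Privileged mode removes most of the isolation between this
        # container and the node. The build executes the Dockerfile from the
        # cloned repository, so treat that repository as code running with
        # node-level access: limit who can trigger the workflow and consider
        # a dedicated node pool, or move to the rootless setup.
        securityContext:
          privileged: true
        args:
          # - --addr
          # - kube-pod://buildkitd
          - build
          - --frontend
          - dockerfile.v0
          - --local
          - context=.
          - --local
          - dockerfile=.
          - --output
          - 'type=image,name=docker.io/{{inputs.parameters.image}},push=true'
        # Alternative invocations kept from the original for reference
        # (remote buildkitd addressed through kube-pod://):
        # command: ["buildctl-daemonless.sh", "--debug",
        # "--addr",
        # "kube-pod://buildkitd",
        # "build",
        # "--progress=plain",
        # "--frontend=dockerfile.v0",
        # "--local", "context=.", "--local", "dockerfile=.",
        # "--output", "type=image,name=docker.io/{{inputs.parameters.image}},push=true"]
        # buildctl --addr kube-pod://buildkitd build --frontend dockerfile.v0 --local context=. --local dockerfile=. --output - type=image,name=docker.io/{{inputs.parameters.image}},push=false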