Add separate Task to build base multi-arch image

This Task allows to build base pipeline multi-arch image using docker buildx extention and can be executed on adm64 cluster. The result will be built and published for `linux/amd64`, "linux/s390x", "linux/arm64" and "linux/ppc64le" platforms in form of multi-arch image. dind privileged sidecar is used to be able to use qemu emulation feature for buildx. The Task is used for nightly builds Signed-off-by: Yulia Gaponenko <[email protected]>
tektoncd · Oct 20, 2020 · 9d5f9fb · 9d5f9fb
1 parent d876923
commit 9d5f9fb
Show file tree

Hide file tree

Showing 3 changed files with 117 additions and 19 deletions.
diff --git a/tekton/build-push-ma-base-image.yaml b/tekton/build-push-ma-base-image.yaml
@@ -0,0 +1,100 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: build-multiarch-base-image
+spec:
+  params:
+  - name: imageRegistry
+  - name: pathToProject
+    description: The path to the folder in the go/src dir that contains the project, which is used by `ko` to name the resulting images
+  resources:
+    inputs:
+    - name: source
+      type: git
+      targetPath: go/src/github.com/tektoncd/pipeline
+    outputs:
+    - name: builtBaseImage
+      type: image
+  steps:
+  - image: gcr.io/google.com/cloudsdktool/cloud-sdk
+    name: build-image
+    env:
+    # Connect to the sidecar over TCP, with TLS.
+    - name: DOCKER_HOST
+      value: tcp://localhost:2376
+    # Verify TLS.
+    - name: DOCKER_TLS_VERIFY
+      value: '1'
+    # Use the certs generated by the sidecar daemon.
+    - name: DOCKER_CERT_PATH
+      value: /certs/client
+    - name: GOOGLE_APPLICATION_CREDENTIALS
+      value: "/secret/release.json"
+    script: |
+        #!/usr/bin/env sh
+
+        # Activate service account
+        gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}
+
+        # Setup docker-auth
+        gcloud auth configure-docker
+
+        # add qemu bins
+        docker run --rm --privileged tonistiigi/binfmt:latest --install all
+
+        #install buildx
+        mkdir -p ~/.docker/cli-plugins
+        curl -fsSL https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-amd64 > ~/.docker/cli-plugins/docker-buildx
+        chmod u+x ~/.docker/cli-plugins/docker-buildx
+
+        #create docker context
+        docker context create context1
+
+        #create builder
+        docker buildx create context1 --name builder-buildx1 --driver docker-container --platform linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 --use
+
+        #check the state
+        docker buildx inspect --bootstrap --builder builder-buildx1
+
+        #build multi-arch image
+        docker buildx build \
+        --platform linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 \
+        --tag $(params.imageRegistry)/$(params.pathToProject)/$(resources.outputs.builtBaseImage.url) \
+        --push \
+        /workspace/go/src/github.com/tektoncd/pipeline/images
+
+    volumeMounts:
+    - mountPath: /certs/client
+      name: dind-certs
+    - name: gcp-secret
+      mountPath: /secret
+
+  sidecars:
+  - image: docker:dind
+    name: server
+    args:
+      - --storage-driver=vfs
+      - --userland-proxy=false
+      - --debug
+    securityContext:
+      privileged: true
+    env:
+    # Write generated certs to the path shared with the client.
+    - name: DOCKER_TLS_CERTDIR
+      value: /certs
+    volumeMounts:
+    - mountPath: /certs/client
+      name: dind-certs
+    # Wait for the dind daemon to generate the certs it will share with the
+    # client.
+    readinessProbe:
+      periodSeconds: 1
+      exec:
+        command: ['ls', '/certs/client/ca.pem']
+
+  volumes:
+  - name: dind-certs
+    emptyDir: {}
+  - name: gcp-secret
+    secret:
+      secretName: release-secret
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
@@ -49,22 +49,6 @@ spec:
       type: cloudEvent
   steps:
 
-  - name: build-push-base-images
-    image: gcr.io/kaniko-project/executor:v0.17.1
-    command:
-    - /kaniko/executor
-    args:
-    - --dockerfile=/workspace/go/src/github.com/tektoncd/pipeline/images/Dockerfile
-    - --destination=$(params.imageRegistry)/$(params.pathToProject)/$(resources.outputs.builtBaseImage.url)
-    - --context=/workspace/go/src/github.com/tektoncd/pipeline
-
-    volumeMounts:
-      - name: gcp-secret
-        mountPath: /secret
-    env:
-      - name: GOOGLE_APPLICATION_CREDENTIALS
-        value: /secret/release.json
-
   - name: create-ko-yaml
     image: busybox
     script: |

diff --git a/tekton/release-pipeline-nightly.yaml b/tekton/release-pipeline-nightly.yaml
@@ -61,8 +61,24 @@ spec:
         inputs:
           - name: source
             resource: source-repo
-    - name: publish-images
+    - name: build-base-image
       runAfter: [build, unit-tests]
+      taskRef:
+        name: build-multiarch-base-image
+      params:
+        - name: pathToProject
+          value: $(params.package)
+        - name: imageRegistry
+          value: $(params.imageRegistry)
+      resources:
+        inputs:
+          - name: source
+            resource: source-repo
+        outputs:
+          - name: builtBaseImage
+            resource: builtBaseImage
+    - name: publish-images
+      runAfter: [build-base-image, build, unit-tests]
       taskRef:
         name: publish-tekton-pipelines
       params:
@@ -81,8 +97,6 @@ spec:
         outputs:
           - name: bucket
             resource: bucket
-          - name: builtBaseImage
-            resource: builtBaseImage
           - name: builtEntrypointImage
             resource: builtEntrypointImage
           - name: builtNopImage