-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add separate Task to build base multi-arch image
This Task allows to build base pipeline multi-arch image using docker buildx extention and can be executed on adm64 cluster. The result will be built and published for `linux/amd64`, "linux/s390x", "linux/arm64" and "linux/ppc64le" platforms in form of multi-arch image. dind privileged sidecar is used to be able to use qemu emulation feature for buildx. The Task is used for nightly builds Signed-off-by: Yulia Gaponenko <[email protected]>
- Loading branch information
1 parent
36c81a9
commit f37860f
Showing
3 changed files
with
117 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,100 @@ | ||
apiVersion: tekton.dev/v1beta1 | ||
kind: Task | ||
metadata: | ||
name: build-multiarch-base-image | ||
spec: | ||
params: | ||
- name: imageRegistry | ||
- name: pathToProject | ||
description: The path to the folder in the go/src dir that contains the project, which is used by `ko` to name the resulting images | ||
resources: | ||
inputs: | ||
- name: source | ||
type: git | ||
targetPath: go/src/github.com/tektoncd/pipeline | ||
outputs: | ||
- name: builtBaseImage | ||
type: image | ||
steps: | ||
- image: gcr.io/google.com/cloudsdktool/cloud-sdk | ||
name: build-image | ||
env: | ||
# Connect to the sidecar over TCP, with TLS. | ||
- name: DOCKER_HOST | ||
value: tcp://localhost:2376 | ||
# Verify TLS. | ||
- name: DOCKER_TLS_VERIFY | ||
value: '1' | ||
# Use the certs generated by the sidecar daemon. | ||
- name: DOCKER_CERT_PATH | ||
value: /certs/client | ||
- name: GOOGLE_APPLICATION_CREDENTIALS | ||
value: "/secret/release.json" | ||
script: | | ||
#!/usr/bin/env sh | ||
# Activate service account | ||
gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS} | ||
# Setup docker-auth | ||
gcloud auth configure-docker | ||
# add qemu bins | ||
docker run --rm --privileged tonistiigi/binfmt:latest --install all | ||
#install buildx | ||
mkdir -p ~/.docker/cli-plugins | ||
curl -fsSL https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-amd64 > ~/.docker/cli-plugins/docker-buildx | ||
chmod u+x ~/.docker/cli-plugins/docker-buildx | ||
#create docker context | ||
docker context create context1 | ||
#create builder | ||
docker buildx create context1 --name builder-buildx1 --driver docker-container --platform linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 --use | ||
#check the state | ||
docker buildx inspect --bootstrap --builder builder-buildx1 | ||
#build multi-arch image | ||
docker buildx build \ | ||
--platform linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 \ | ||
--tag $(params.imageRegistry)/$(params.pathToProject)/$(resources.outputs.builtBaseImage.url) \ | ||
--push \ | ||
/workspace/go/src/github.com/tektoncd/pipeline/images | ||
volumeMounts: | ||
- mountPath: /certs/client | ||
name: dind-certs | ||
- name: gcp-secret | ||
mountPath: /secret | ||
|
||
sidecars: | ||
- image: docker:dind | ||
name: server | ||
args: | ||
- --storage-driver=vfs | ||
- --userland-proxy=false | ||
- --debug | ||
securityContext: | ||
privileged: true | ||
env: | ||
# Write generated certs to the path shared with the client. | ||
- name: DOCKER_TLS_CERTDIR | ||
value: /certs | ||
volumeMounts: | ||
- mountPath: /certs/client | ||
name: dind-certs | ||
# Wait for the dind daemon to generate the certs it will share with the | ||
# client. | ||
readinessProbe: | ||
periodSeconds: 1 | ||
exec: | ||
command: ['ls', '/certs/client/ca.pem'] | ||
|
||
volumes: | ||
- name: dind-certs | ||
emptyDir: {} | ||
- name: gcp-secret | ||
secret: | ||
secretName: release-secret |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters