From f37860f8a082f481c334c163133fa110dbdcbe6e Mon Sep 17 00:00:00 2001
From: Yulia Gaponenko
Date: Fri, 16 Oct 2020 16:27:31 +0200
Subject: [PATCH] Add separate Task to build base multi-arch image

This Task allows to build base pipeline multi-arch image using docker buildx extention and can be executed on adm64 cluster. The result will be built and published for `linux/amd64`, "linux/s390x", "linux/arm64" and "linux/ppc64le" platforms in form of multi-arch image. dind privileged sidecar is used to be able to use qemu emulation feature for buildx. The Task is used for nightly builds

Signed-off-by: Yulia Gaponenko
---
 tekton/build-push-ma-base-image.yaml | 100 +++++++++++++++++++++++++++
 tekton/publish.yaml | 16 -----
 tekton/release-pipeline-nightly.yaml | 20 +++++-
 3 files changed, 117 insertions(+), 19 deletions(-)
 create mode 100644 tekton/build-push-ma-base-image.yaml

diff --git a/tekton/build-push-ma-base-image.yaml b/tekton/build-push-ma-base-image.yaml
new file mode 100644
index 00000000000..c7edf06e8fb
--- /dev/null
+++ b/tekton/build-push-ma-base-image.yaml
@@ -0,0 +1,100 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: build-multiarch-base-image
+spec:
+ params:
+ - name: imageRegistry
+ - name: pathToProject
+ description: The path to the folder in the go/src dir that contains the project, which is used by `ko` to name the resulting images
+ resources:
+ inputs:
+ - name: source
+ type: git
+ targetPath: go/src/github.com/tektoncd/pipeline
+ outputs:
+ - name: builtBaseImage
+ type: image
+ steps:
+ - image: gcr.io/google.com/cloudsdktool/cloud-sdk
+ name: build-image
+ env:
+ # Connect to the sidecar over TCP, with TLS.
+ - name: DOCKER_HOST
+ value: tcp://localhost:2376
+ # Verify TLS.
+ - name: DOCKER_TLS_VERIFY
+ value: '1'
+ # Use the certs generated by the sidecar daemon.
+ - name: DOCKER_CERT_PATH
+ value: /certs/client
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: "/secret/release.json"
+ script: |
+ #!/usr/bin/env sh
+
+ # Activate service account
+ gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}
+
+ # Setup docker-auth
+ gcloud auth configure-docker
+
+ # add qemu bins
+ docker run --rm --privileged tonistiigi/binfmt:latest --install all
+
+ #install buildx
+ mkdir -p ~/.docker/cli-plugins
+ curl -fsSL https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-amd64 > ~/.docker/cli-plugins/docker-buildx
+ chmod u+x ~/.docker/cli-plugins/docker-buildx
+
+ #create docker context
+ docker context create context1
+
+ #create builder
+ docker buildx create context1 --name builder-buildx1 --driver docker-container --platform linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 --use
+
+ #check the state
+ docker buildx inspect --bootstrap --builder builder-buildx1
+
+ #build multi-arch image
+ docker buildx build \
+ --platform linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 \
+ --tag $(params.imageRegistry)/$(params.pathToProject)/$(resources.outputs.builtBaseImage.url) \
+ --push \
+ /workspace/go/src/github.com/tektoncd/pipeline/images
+
+ volumeMounts:
+ - mountPath: /certs/client
+ name: dind-certs
+ - name: gcp-secret
+ mountPath: /secret
+
+ sidecars:
+ - image: docker:dind
+ name: server
+ args:
+ - --storage-driver=vfs
+ - --userland-proxy=false
+ - --debug
+ securityContext:
+ privileged: true
+ env:
+ # Write generated certs to the path shared with the client.
+ - name: DOCKER_TLS_CERTDIR
+ value: /certs
+ volumeMounts:
+ - mountPath: /certs/client
+ name: dind-certs
+ # Wait for the dind daemon to generate the certs it will share with the
+ # client.
+ readinessProbe:
+ periodSeconds: 1
+ exec:
+ command: ['ls', '/certs/client/ca.pem']
+
+ volumes:
+ - name: dind-certs
+ emptyDir: {}
+ - name: gcp-secret
+ secret:
+ secretName: release-secret
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
index aef4de3188b..1b9854c647b 100644
--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -49,22 +49,6 @@ spec:
 type: cloudEvent
 steps:
- - name: build-push-base-images
- image: gcr.io/kaniko-project/executor:v0.17.1
- command:
- - /kaniko/executor
- args:
- - --dockerfile=/workspace/go/src/github.com/tektoncd/pipeline/images/Dockerfile
- - --destination=$(params.imageRegistry)/$(params.pathToProject)/$(resources.outputs.builtBaseImage.url)
- - --context=/workspace/go/src/github.com/tektoncd/pipeline
-
- volumeMounts:
- - name: gcp-secret
- mountPath: /secret
- env:
- - name: GOOGLE_APPLICATION_CREDENTIALS
- value: /secret/release.json
-
 - name: create-ko-yaml
 image: busybox
 script: |
diff --git a/tekton/release-pipeline-nightly.yaml b/tekton/release-pipeline-nightly.yaml
index 7cd4b90eb54..3c086658d67 100644
--- a/tekton/release-pipeline-nightly.yaml
+++ b/tekton/release-pipeline-nightly.yaml
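Review bot: The `build-image` script runs an unpinned `tonistiigi/binfmt:latest` with `--privileged` and installs a buildx binary fetched from GitHub with no checksum, so a re-tagged image or a tampered download would execute under the privileged dind daemon (effectively host-level privileges) and decide what gets pushed to the release registry under the mounted `release-secret` credentials. The shebang is also not followed by `set -e`, so a failing `gcloud auth activate-service-account`, `curl` or `docker buildx create` does not stop the step; only the exit code of the final `docker buildx build --push` is reported. Pin the binfmt helper by digest, verify the buildx download against its published sha256 before marking it executable, and fail fast; the digest and checksum below are placeholders to be filled in from the upstream releases. `sha256sum` is assumed to be present in the cloud-sdk image (Debian-based) — confirm.
```yaml
      script: |
        #!/usr/bin/env sh
        set -eu

        # … unchanged: gcloud auth activate-service-account / configure-docker …

        # add qemu bins — pin the privileged helper by digest, not a mutable tag
        docker run --rm --privileged tonistiigi/binfmt@sha256:<binfmt-digest> --install all

        # install buildx and verify it against the published checksum before it is executable
        mkdir -p ~/.docker/cli-plugins
        curl -fsSL https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-amd64 > ~/.docker/cli-plugins/docker-buildx
        echo "<sha256-of-buildx-v0.4.2.linux-amd64>  $HOME/.docker/cli-plugins/docker-buildx" | sha256sum -c -
        chmod u+x ~/.docker/cli-plugins/docker-buildx

        # … unchanged: context/builder creation, inspect, buildx build --push …
```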
@@ -61,8 +61,24 @@ spec:
 inputs:
 - name: source
 resource: source-repo
- - name: publish-images
+ - name: build-base-image
 runAfter: [build, unit-tests]
+ taskRef:
+ name: build-multiarch-base-image
+ params:
+ - name: pathToProject
+ value: $(params.package)
+ - name: imageRegistry
+ value: $(params.imageRegistry)
+ resources:
+ inputs:
+ - name: source
+ resource: source-repo
+ outputs:
+ - name: builtBaseImage
+ resource: builtBaseImage
+ - name: publish-images
+ runAfter: [build-base-image, build, unit-tests]
 taskRef:
 name: publish-tekton-pipelines
 params:
@@ -81,8 +97,6 @@ spec:
 outputs:
 - name: bucket
 resource: bucket
- - name: builtBaseImage
- resource: builtBaseImage
 - name: builtEntrypointImage
 resource: builtEntrypointImage
 - name: builtNopImage
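Review bot: `publish-images` now depends on `build-base-image` only through `runAfter`, while its `builtBaseImage` output binding is dropped further down in this diff; the publish.yaml change only removes the kaniko step, so if the `publish-tekton-pipelines` Task still declares `builtBaseImage` as an output and still expands `$(resources.outputs.builtBaseImage.url)` in a remaining step (not visible here), that output is now unbound and the nightly run would fail validation or reference an empty image name. The kaniko step was also removed from the shared Task but only this nightly pipeline gains the replacement task; if a non-nightly release pipeline uses `publish-tekton-pipelines` too, it would now publish against a base image nothing rebuilds. Either keep `- name: builtBaseImage` / `resource: builtBaseImage` under the `publish-images` outputs, or pass the base image reference to publish as an explicit param, and apply the new task to every pipeline that consumes it.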