Commit 91a10b11 authored by Jochen Roth's avatar Jochen Roth

Added kaniko ci template to build docker images

When building docker images in a docker executor the
gitlab-runner needs privileged mode set to true which
can be a security risk.

With kaniko there is no additional configuration
required. Just add the template and it will build
and push branches/tags to gitlabs docker registry.

Changelog: added
parent 97d34106
......@@ -159,6 +159,7 @@ options:
- p_ci_templates_implicit_security_api_fuzzing
- p_ci_templates_implicit_security_dast
- p_ci_templates_implicit_security_cluster_image_scanning
- p_ci_templates_kaniko
distribution:
- ce
- ee
......
---
key_path: redis_hll_counters.ci_templates.p_ci_templates_kaniko_monthly
description: ''
product_section: ops
product_stage: verify
product_group: group::pipeline authoring
product_category: pipeline_authoring
value_type: number
status: active
milestone: '14.3'
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72400
time_frame: 28d
data_source: redis_hll
data_category: optional
instrumentation_class: RedisHLLMetric
distribution:
- ce
- ee
tier:
- free
- premium
- ultimate
options:
events:
- p_ci_templates_kaniko
......@@ -159,6 +159,7 @@ options:
- p_ci_templates_implicit_security_api_fuzzing
- p_ci_templates_implicit_security_dast
- p_ci_templates_implicit_security_cluster_image_scanning
- p_ci_templates_kaniko
distribution:
- ce
- ee
......
---
key_path: redis_hll_counters.ci_templates.p_ci_templates_kaniko_weekly
description: ''
product_section: ops
product_stage: release
product_group: group::release
product_category: continuous_delivery
value_type: number
status: active
milestone: '14.5'
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72400
time_frame: 7d
data_source: redis_hll
data_category: optional
instrumentation_class: RedisHLLMetric
distribution:
- ce
- ee
tier:
- free
- premium
- ultimate
options:
events:
- p_ci_templates_kaniko
# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Kaniko.gitlab-ci.yml
# Build and publish a tag/branch to Gitlab Docker Registry using Kaniko and Gitlab Docker executor.
# Kaniko can build Docker images without using Docker-In-Docker and it's permission
# drawbacks. No additional configuration required.
kaniko-build:
variables:
# Additional options for Kaniko executor.
# For more details see https://github.com/GoogleContainerTools/kaniko/blob/master/README.md#additional-flags
KANIKO_ARGS: ""
stage: build
image:
# For latest releases see https://github.com/GoogleContainerTools/kaniko/releases
# Only debug/*-debug versions of the Kaniko image are known to work within Gitlab CI
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
script:
# Compose docker tag name
# Git Branch/Tag to Docker Image Tag Mapping
# * Default Branch: main -> latest
# * Branch: feature/my-feature -> branch-feature-my-feature
# * Tag: v1.0.0/beta2 -> v1.0.0-beta2
- |
if [ "$CI_COMMIT_REF_NAME" = $CI_DEFAULT_BRANCH ]; then
VERSION="latest"
elif [ -n "$CI_COMMIT_TAG" ];then
NOSLASH=$(echo "$CI_COMMIT_TAG" | tr -s / - )
SANITIZED="${NOSLASH//[^a-zA-Z0-9\-\.]/}"
VERSION="$SANITIZED"
else \
NOSLASH=$(echo "$CI_COMMIT_REF_NAME" | tr -s / - )
SANITIZED="${NOSLASH//[^a-zA-Z0-9\-]/}"
VERSION="branch-$SANITIZED"
fi
- echo $VERSION
- mkdir -p /kaniko/.docker
# Write credentials to access Gitlab Container Registry within the runner/ci
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
# Build and push the container. To disable push add --no-push
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$VERSION $KANIKO_ARGS
# Run this job in a branch/tag where a Dockerfile exists
rules:
- exists:
- Dockerfile
......@@ -559,3 +559,7 @@
category: ci_templates
redis_slot: ci_templates
aggregation: weekly
- name: p_ci_templates_kaniko
category: ci_templates
redis_slot: ci_templates
aggregation: weekly
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'Kaniko.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Kaniko') }
describe 'the created pipeline' do
let(:pipeline_branch) { 'master' }
let(:project) { create(:project, :custom_repo, files: { 'Dockerfile' => 'FROM alpine:latest' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push).payload }
let(:build_names) { pipeline.builds.pluck(:name) }
before do
stub_ci_pipeline_yaml_file(template.content)
allow(Ci::BuildScheduleWorker).to receive(:perform).and_return(true)
end
it 'creates "kaniko-build" job' do
expect(build_names).to include('kaniko-build')
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment