
* Support registry with self signed CA crt.

Open MrMYHuang opened this issue 3 years ago • 31 comments

Changes

These changes use the SSL_CERT_FILE env variable to make the buildpacks creator trust a self-signed CA for an image registry. With this support, we can build a development k8s cluster with a static private IP + tekton buildpacks pipeline + a Harbor image registry + a self-signed CA! The steps to build this kind of cluster are a bit complex but achievable with this commit:

  1. Install k8s.
  2. Use tls-gen to generate ca.crt, server.crt, and server.key, using your hostname by default.
  3. Set up Harbor with server.crt and server.key. Note that the following steps are based on the Harbor-on-Docker installation using the tarball. (I did successfully set up Harbor on k8s using helm with this commit, but the Harbor TLS settings are much more complex than the Docker ones.)
  4. Make your OS trust ca.crt.
  5. Add your static private IP-to-hostname mapping to /etc/hosts.
  6. Add your static private IP-to-hostname mapping to the k8s coredns configmap. ref
  7. Apply tekton buildpacks manifest in this commit.
  8. Load ca.crt to k8s: kubectl create secret generic buildpacks-trusted-ca --from-file=ca.crt=ca.crt
  9. Try this tutorial to verify your tekton buildpacks development environment: https://buildpacks.io/docs/tools/tekton/

Without the changes in this commit, you will get this error from the buildpacks creator:

```
===> DETECTING
8 of 19 buildpacks participating
paketo-buildpacks/ca-certificates   3.0.2
paketo-buildpacks/bellsoft-liberica 9.0.3
paketo-buildpacks/syft              1.6.0
paketo-buildpacks/maven             6.1.0
paketo-buildpacks/executable-jar    6.0.2
paketo-buildpacks/apache-tomcat     7.0.4
paketo-buildpacks/dist-zip          5.0.2
paketo-buildpacks/spring-boot       5.3.1
===> ANALYZING
ERROR: failed to get previous image: connect to repo store "foo:8201/library/test": Get "https://foo:8201/v2/": x509: certificate signed by unknown authority
```

Additionally, the k8s secret volume is set to optional. Thus, this buildpacks.yaml also works well with image registries that do not use a self-signed CA.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you review them:

  • [X] Follows the authoring recommendations
  • [X] Includes docs (if user facing)
  • [X] Includes tests (if functionality of task changed or new task added)
  • [X] Commit messages follow commit message best practices
  • [X] Complies with Catalog Organization TEP, see example. Note: An issue has been filed to automate this validation
    • [X] File path follows <kind>/<name>/<version>/name.yaml

    • [X] Has README.md at <kind>/<name>/<version>/README.md

    • [X] Has mandatory metadata.labels - app.kubernetes.io/version the same as the <version> of the resource

    • [X] Has mandatory metadata.annotations tekton.dev/pipelines.minVersion

    • [X] mandatory spec.description follows the convention

      ```
      spec:
        description: >-
          one line summary of the resource

          Paragraph(s) to describe the resource.
      ```

See the contribution guide for more details.


MrMYHuang avatar Jan 26 '22 09:01 MrMYHuang
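The "certificate signed by unknown authority" failure above is easier to catch before the CA ever reaches the cluster. The following preflight, added here as an example and not part of this PR or the tektoncd catalog, checks the tls-gen output from the steps above: that ca.crt really is a CA certificate, that the registry's server certificate chains to it and is still valid, and that its DNS SANs cover every hostname the creator will push to. It assumes the openssl CLI (1.1.1 or newer, for `x509 -ext`) and that the hostnames passed in match the registry host used in APP_IMAGE.

```shell
#!/usr/bin/env bash
# Preflight for the registry CA material before it is loaded into the
# "registry-ca" secret that the buildpacks task mounts and points
# SSL_CERT_FILE at. Added example, not code from the tektoncd/catalog PR.
# Assumes: the openssl CLI (1.1.1 or newer, for "x509 -ext") is on PATH.

# Return 0 when every hostname given is covered by a DNS SAN of the cert.
# The creator connects to hostnames such as harbor-core, and the TLS client
# rejects the connection if the presented certificate does not name them.
san_covers_hosts() {
  local cert="$1"; shift
  local sans host rc=0
  # Flatten "DNS:a, DNS:b, IP Address:..." into one DNS name per line.
  sans=$(openssl x509 -noout -ext subjectAltName -in "$cert" 2>/dev/null \
         | tr ',' '\n' \
         | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
         | sed 's/[[:space:]]*$//')
  for host in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "$host"; then
      echo "missing SAN: $host (hostname verification would fail)" >&2
      rc=1
    fi
  done
  return $rc
}

# Return 0 when the file is a CA certificate (basicConstraints CA:TRUE);
# a leaf certificate in ca.crt cannot act as a trust anchor for tls.crt.
is_ca_cert() {
  openssl x509 -noout -ext basicConstraints -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# Return 0 when the server cert chains to exactly this CA (system trust
# store excluded) and is within its validity period. This is the check
# that fails inside the creator when the wrong or no CA is loaded.
chains_to_ca() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_registry_tls CA_FILE SERVER_CERT HOST...
# Exit status 0 means it is safe to run
#   kubectl create secret generic registry-ca --from-file=ca.crt=CA_FILE
check_registry_tls() {
  local ca="$1" srv="$2"; shift 2
  local rc=0
  [ -s "$ca" ]  || { echo "CA file $ca is missing or empty" >&2; return 1; }
  [ -s "$srv" ] || { echo "server cert $srv is missing or empty" >&2; return 1; }
  is_ca_cert "$ca"             || { echo "$ca is not a CA certificate" >&2; rc=1; }
  chains_to_ca "$ca" "$srv"    || { echo "$srv does not chain to $ca" >&2; rc=1; }
  san_covers_hosts "$srv" "$@" || rc=1
  return $rc
}

# Example invocation with the Harbor service names from the README, e.g.
#   ./preflight.sh ca.crt tls.crt harbor-core harbor-portal harbor-registry
if [ "$#" -ge 3 ]; then
  check_registry_tls "$@" && echo "ok: safe to create the registry-ca secret"
fi
```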

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: To complete the pull request process, please assign dlorenc. You can assign the PR to them by writing /assign @dlorenc in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

tekton-robot avatar Jan 26 '22 09:01 tekton-robot

CLA Signed

The committers are authorized under a signed CLA.

  • :white_check_mark: MrRogerHuang (e972cdec60eda605e68e144bf202011629de8321, f5ce2d38aeadeace3b73ade761a1e9ee9b156ed3)

Hi @MrMYHuang. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Jan 26 '22 09:01 tekton-robot

Catlin Output
FILE: task/buildpacks/0.3/buildpacks.yaml
WARN : Step "create" uses image "$(params.BUILDER_IMAGE)" that contains variables; skipping validation
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s bash] failed:

In buildpacks-prepare line 33:
    IFS='=' read -r key value string <<< "$env"
                              ^----^ SC2034: string appears unused. Verify use (or export if used externally).

For more information:
  https://www.shellcheck.net/wiki/SC2034 -- string appears unused. Verify use...

ERROR: /usr/bin/shellcheck, [-s bash] failed:

In buildpacks-results line 3:
cat /layers/report.toml | grep "digest" | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee $(results.APP_IMAGE_DIGEST.path)
    ^-----------------^ SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
                                                                                           ^-- SC2046: Quote this to prevent word splitting.

For more information:
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
  https://www.shellcheck.net/wiki/SC2002 -- Useless cat. Consider 'cmd < file...

tekton-robot avatar Jan 26 '22 09:01 tekton-robot

/ok-to-test

MrMYHuang avatar Jan 26 '22 23:01 MrMYHuang

@MrMYHuang: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Jan 26 '22 23:01 tekton-robot

/assign @dlorenc

MrMYHuang avatar Jan 26 '22 23:01 MrMYHuang

Thanks! would it be possible to document this in the README ?

chmouel avatar Jan 28 '22 08:01 chmouel

Catlin Output
FILE: task/buildpacks/0.3/buildpacks.yaml
WARN : Step "create" uses image "$(params.BUILDER_IMAGE)" that contains variables; skipping validation
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s bash] failed:

In buildpacks-prepare line 33:
    IFS='=' read -r key value string <<< "$env"
                              ^----^ SC2034: string appears unused. Verify use (or export if used externally).

For more information:
  https://www.shellcheck.net/wiki/SC2034 -- string appears unused. Verify use...

ERROR: /usr/bin/shellcheck, [-s bash] failed:

In buildpacks-results line 3:
cat /layers/report.toml | grep "digest" | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee $(results.APP_IMAGE_DIGEST.path)
    ^-----------------^ SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
                                                                                           ^-- SC2046: Quote this to prevent word splitting.

For more information:
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
  https://www.shellcheck.net/wiki/SC2002 -- Useless cat. Consider 'cmd < file...

tekton-robot avatar Jan 30 '22 06:01 tekton-robot

Thanks! would it be possible to document this in the README ?

Ok, I have updated it.

MrMYHuang avatar Jan 30 '22 06:01 MrMYHuang

Diff between version 0.3 and 0.4
diff --git a/task/buildpacks/0.3/README.md b/task/buildpacks/0.4/README.md
index 93d3944..da988bf 100644
--- a/task/buildpacks/0.3/README.md
+++ b/task/buildpacks/0.4/README.md
@@ -17,7 +17,7 @@ See also [`buildpacks-phases`](../../buildpacks-phases) for the deconstructed ve
 ## Install
 
 ```
-kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.3/buildpacks.yaml
+kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.4/buildpacks.yaml
 ```
 
 ## Workspaces
@@ -68,6 +68,85 @@ See the following samples for usage:
  - **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
  - **[`results.yaml`](samples/results.yaml)**: A PipelineRun configured to demonstrate usage of task results.
 
+### Private image registry
+
+It's possible to use this Buildpacks task with a self signed CA crt private image registry. Using Harbor as an example:
+
+1. Generate private key and self signed certificate by tls-getn:
+
+    ```
+    cd
+    git clone https://github.com/michaelklishin/tls-gen.git
+    cd tls-gen/basic
+
+    # Append Harbor component k8s service names to server_alt_names.
+    echo "DNS.4 = harbor-core
+    DNS.5 = harbor-portal
+    DNS.6 = harbor-database
+    DNS.7 = harbor-jobservice
+    DNS.8 = harbor-redis
+    DNS.9 = harbor-registry
+    DNS.10 = harbor-trivy
+    DNS.11 = harbor-chartmuseum" >> openssl.cnf 
+
+    make
+    cd result
+    mv ca_certificate.pem ca.crt
+    mv server_certificate.pem tls.crt
+    # Output RSA key.
+    openssl rsa -in server_key.pem -out tls.key
+    ```
+
+2. Get Harbor config, values.yaml:
+
+    ```
+    cd
+    helm repo add harbor https://helm.goharbor.io
+    helm fetch harbor/harbor --untar
+    cd ~/tls-gen/basic/result/
+    cp ca.crt tls.crt tls.key ~/harbor
+    cd ~/harbor
+    # Load to k8s.
+    kubectl create secret generic harbor --from-file tls.crt --from-file tls.key --from-file ca.crt
+    ```
+
+3. Modify these settings of Harbor values.yaml:
+    
+    ```
+    expose:
+      ingress:
+          hosts:
+          core: harbor-portal
+
+    externalURL: https://harbor-portal
+
+    internalTLS:
+      enabled: true
+      certSource: "secret"
+
+      # Set ALL Harbor componets to use k8s secret "harbor," which contains your tls.key and tls.crt. 
+      core:
+        secretName: "harbor"
+        # ...
+      jobservice
+        secretName: "harbor"
+        # ...
+      # ...
+    ``` 
+
+4. Install Harbor to k8s:
+
+    ```
+    helm install harbor harbor/harbor --values values.yaml
+    ```
+
+5. Run the sample:
+    ```
+    cd samples/private-registry/
+    # Check the Harbor username and password in it before running it.
+    ./run.sh
+    ```
+
 ## Support
 
 The [Buildpacks Community](http://buildpacks.io/community/) is always here to help. 
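Review bot: the new README section has defects that will stop a reader from reproducing it. In step 1, "tls-getn" should be "tls-gen" (the repository cloned right below it); in step 3, "componets" should be "components", `jobservice` is missing its trailing colon, and the `expose.ingress.hosts` block is mis-indented (`core: harbor-portal` sits at the same depth as `hosts:`, so it is not read as a child of `hosts`). Step 5 should also state that the credentials in run.sh must be changed, not merely checked.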
diff --git a/task/buildpacks/0.3/buildpacks.yaml b/task/buildpacks/0.4/buildpacks.yaml
index 4ccc867..649e768 100644
--- a/task/buildpacks/0.3/buildpacks.yaml
+++ b/task/buildpacks/0.4/buildpacks.yaml
@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: buildpacks
   labels:
-    app.kubernetes.io/version: "0.3"
+    app.kubernetes.io/version: "0.4"
   annotations:
     tekton.dev/categories: Image Build
     tekton.dev/pipelines.minVersion: "0.17.0"
@@ -22,6 +22,9 @@ spec:
     - name: cache
       description: Directory where cache is stored (when no cache image is provided).
       optional: true
+    - name: ca
+      description: Directory where image registry CA is located.
+      optional: true
 
   params:
     - name: APP_IMAGE
@@ -56,6 +59,9 @@ spec:
     - name: PLATFORM_DIR
       description: The name of the platform directory.
       default: empty-dir
+    - name: CA_FILENAME
+      description: The key of a self signed CA crt file loaded to a k8s secret.
+      default: "ca.crt"
 
   results:
     - name: APP_IMAGE_DIGEST
@@ -76,6 +82,16 @@ spec:
         #!/usr/bin/env bash
         set -e
 
+        if [[ "$(workspaces.ca.bound)" == "true" ]]; then
+          echo "> Check CA file existence: $(workspaces.ca.path)/$(params.CA_FILENAME)"
+          if [[ ! -f "$(workspaces.ca.path)/$(params.CA_FILENAME)" ]]; then
+            echo "Error! Workspace ca is bound, but CA file is not found."
+            echo "Check your secret contains a key $(params.CA_FILENAME)."
+            exit 1
+          fi
+          echo "ok"
+        fi
+
         if [[ "$(workspaces.cache.bound)" == "true" ]]; then
           echo "> Setting permissions on '$(workspaces.cache.path)'..."
           chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)"
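Review bot: the new check `if [[ ! -f "$(workspaces.ca.path)/$(params.CA_FILENAME)" ]]` accepts an empty or non-PEM file, which the TLS stack later ignores and reports as the same "certificate signed by unknown authority" error this PR sets out to fix, just with a less obvious cause. Use `-s` (exists and is non-empty) instead of `-f`, and, if the prepare image ships openssl, confirm the file parses with `openssl x509 -noout -in "$(workspaces.ca.path)/$(params.CA_FILENAME)"` so the failure is reported in this step with a clear message.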
@@ -121,6 +137,9 @@ spec:
         privileged: true
 
     - name: create
+      env:
+      - name: SSL_CERT_FILE
+        value: $(workspaces.ca.path)/$(params.CA_FILENAME)
       image: $(params.BUILDER_IMAGE)
       imagePullPolicy: Always
       command: ["/cnb/lifecycle/creator"]
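Review bot: `SSL_CERT_FILE` is set unconditionally, so when the optional `ca` workspace is not bound the creator is still pointed at a path that does not exist. The PR description says this works, most likely because the Go TLS stack still loads the image's system certificate directories when the named file cannot be read, but nothing in the task records that dependency; add a comment next to the `env` entry explaining why an unbound workspace is safe, so a future change to the lifecycle's trust-store handling does not silently break the no-CA case.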
@@ -139,6 +158,8 @@ spec:
         - "-run-image=$(params.RUN_IMAGE)"
         - "$(params.APP_IMAGE)"
       volumeMounts:
+        - name: docker-daemon-json
+          mountPath: /etc/docker
         - name: layers-dir
           mountPath: /layers
         - name: $(params.PLATFORM_DIR)
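Review bot: the `docker-daemon-json` mount at `/etc/docker` (with the matching optional secret volume later in the diff) is not mentioned in the PR description, in the README section, or in the task's parameter and workspace docs, so a user cannot tell what the secret is expected to contain or why the `create` step needs it. Either document the secret's expected key and purpose alongside the `ca` workspace, or drop it from this PR, which is about `SSL_CERT_FILE`.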
@@ -158,6 +179,10 @@ spec:
           mountPath: /layers
 
   volumes:
+    - name: docker-daemon-json
+      secret:
+        secretName: docker-daemon-json
+        optional: true
     - name: empty-dir
       emptyDir: {}
     - name: layers-dir
diff --git a/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml b/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml
new file mode 100644
index 0000000..fdccc29
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: buildpacks-service-account
+secrets:
+  - name: docker-user-pass
\ No newline at end of file
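Review bot: the new file is missing its trailing newline (`\ No newline at end of file`); add one so the sample matches the other catalog YAML files and does not produce noisy diffs on the next edit.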
diff --git a/task/buildpacks/0.4/samples/private-registry/clean.sh b/task/buildpacks/0.4/samples/private-registry/clean.sh
new file mode 100755
index 0000000..e416b85
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/clean.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+kubectl delete secret registry-ca 
+kubectl delete secret docker-user-pass
+kubectl delete -f buildpacks-service-account.yaml -f ../../tests/resources.yaml -f run.yaml
diff --git a/task/buildpacks/0.4/samples/private-registry/run.sh b/task/buildpacks/0.4/samples/private-registry/run.sh
new file mode 100755
index 0000000..626e25e
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/run.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Assume a private Harbor image registry running on k8s with a self-signed CA crt.
+
+# Load the self signed CA crt as k8s secret.
+kubectl create secret generic registry-ca --from-file=ca.crt=ca.crt
+
+kubectl create secret docker-registry docker-user-pass \
+    --docker-username=admin \
+    --docker-password=Harbor12345 \
+    --docker-server=https://harbor-core:443 \
+    --namespace default
+
+kubectl create -f buildpacks-service-account.yaml -f ../../tests/resources.yaml -f run.yaml
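Review bot: the sample hard-codes Harbor's well-known default admin password (`--docker-password=Harbor12345`), and the README only asks the user to "check" it; read the username and password from environment variables (or prompt with `read -s`) so that copying the sample does not leave a default credential in a cluster secret. Two smaller points: `--namespace default` is passed only for `docker-user-pass`, not for `registry-ca` or the `kubectl create -f` line, so the three resources can land in different namespaces when the current context is not `default`; and `#!/bin/sh` without `set -e` means a failed secret creation does not stop the PipelineRun from being created.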
diff --git a/task/buildpacks/0.4/samples/private-registry/run.yaml b/task/buildpacks/0.4/samples/private-registry/run.yaml
new file mode 100644
index 0000000..7234b1c
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/run.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: buildpacks-test-pipeline
+spec:
+  workspaces:
+    - name: source-ws
+    - name: cache-ws
+    - name: ca-ws
+      optional: true
+  tasks:
+    - name: fetch-repository
+      taskRef:
+        name: git-clone
+      workspaces:
+        - name: output
+          workspace: source-ws
+      params:
+        - name: url
+          value: https://github.com/buildpacks/samples
+        - name: subdirectory
+          value: ""
+        - name: deleteExisting
+          value: "true"
+    - name: buildpacks
+      taskRef:
+        name: buildpacks
+      runAfter:
+        - fetch-repository
+      workspaces:
+        - name: source
+          workspace: source-ws
+        - name: cache
+          workspace: cache-ws
+        - name: ca
+          workspace: ca-ws
+      params:
+        - name: APP_IMAGE
+          value: harbor-core:443/library/buildpacks-app
+        - name: SOURCE_SUBPATH
+          value: apps/java-maven
+        - name: BUILDER_IMAGE
+          value: cnbs/sample-builder:alpine@sha256:b51367258b3b6fff1fe8f375ecca79dab4339b177efb791e131417a5a4357f42
+        - name: CA_FILENAME
+          value: ca.crt # This is the key of your CA file in your K8s secret.
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: buildpacks-test-pipeline-run
+spec:
+  serviceAccountName: buildpacks-service-account # Only needed if you set up authorization
+  pipelineRef:
+    name: buildpacks-test-pipeline
+  workspaces:
+    - name: source-ws
+      subPath: source
+      persistentVolumeClaim:
+        claimName: buildpacks-pvc
+    - name: cache-ws
+      subPath: cache
+      persistentVolumeClaim:
+        claimName: buildpacks-pvc
+    - name: ca-ws
+      secret:
+        secretName: registry-ca
+---
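Review bot: the comment `# Only needed if you set up authorization` on `serviceAccountName` is misleading in this sample: `buildpacks-service-account` is what carries `docker-user-pass`, and pushing `harbor-core:443/library/buildpacks-app` to Harbor requires those credentials, so here the service account is required, not optional. Reword the comment, and state in the README which resource creates `buildpacks-pvc`, since the PipelineRun references it but nothing in this sample directory defines it.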

tekton-robot avatar Feb 17 '22 09:02 tekton-robot

Catlin Output
FILE: task/buildpacks/0.4/buildpacks.yaml
WARN : Step "create" uses image "$(params.BUILDER_IMAGE)" that contains variables; skipping validation
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s bash] failed:

In buildpacks-prepare line 43:
    IFS='=' read -r key value string <<< "$env"
                              ^----^ SC2034: string appears unused. Verify use (or export if used externally).

For more information:
  https://www.shellcheck.net/wiki/SC2034 -- string appears unused. Verify use...

ERROR: /usr/bin/shellcheck, [-s bash] failed:

In buildpacks-results line 3:
cat /layers/report.toml | grep "digest" | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee $(results.APP_IMAGE_DIGEST.path)
    ^-----------------^ SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
                                                                                           ^-- SC2046: Quote this to prevent word splitting.

For more information:
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
  https://www.shellcheck.net/wiki/SC2002 -- Useless cat. Consider 'cmd < file...

tekton-robot avatar Feb 17 '22 09:02 tekton-robot

Diff between version 0.3 and 0.4
diff --git a/task/buildpacks/0.3/README.md b/task/buildpacks/0.4/README.md
index 93d3944..da988bf 100644
--- a/task/buildpacks/0.3/README.md
+++ b/task/buildpacks/0.4/README.md
@@ -17,7 +17,7 @@ See also [`buildpacks-phases`](../../buildpacks-phases) for the deconstructed ve
 ## Install
 
 ```
-kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.3/buildpacks.yaml
+kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.4/buildpacks.yaml
 ```
 
 ## Workspaces
@@ -68,6 +68,85 @@ See the following samples for usage:
  - **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
  - **[`results.yaml`](samples/results.yaml)**: A PipelineRun configured to demonstrate usage of task results.
 
+### Private image registry
+
+It's possible to use this Buildpacks task with a self signed CA crt private image registry. Using Harbor as an example:
+
+1. Generate private key and self signed certificate by tls-getn:
+
+    ```
+    cd
+    git clone https://github.com/michaelklishin/tls-gen.git
+    cd tls-gen/basic
+
+    # Append Harbor component k8s service names to server_alt_names.
+    echo "DNS.4 = harbor-core
+    DNS.5 = harbor-portal
+    DNS.6 = harbor-database
+    DNS.7 = harbor-jobservice
+    DNS.8 = harbor-redis
+    DNS.9 = harbor-registry
+    DNS.10 = harbor-trivy
+    DNS.11 = harbor-chartmuseum" >> openssl.cnf 
+
+    make
+    cd result
+    mv ca_certificate.pem ca.crt
+    mv server_certificate.pem tls.crt
+    # Output RSA key.
+    openssl rsa -in server_key.pem -out tls.key
+    ```
+
+2. Get Harbor config, values.yaml:
+
+    ```
+    cd
+    helm repo add harbor https://helm.goharbor.io
+    helm fetch harbor/harbor --untar
+    cd ~/tls-gen/basic/result/
+    cp ca.crt tls.crt tls.key ~/harbor
+    cd ~/harbor
+    # Load to k8s.
+    kubectl create secret generic harbor --from-file tls.crt --from-file tls.key --from-file ca.crt
+    ```
+
+3. Modify these settings of Harbor values.yaml:
+    
+    ```
+    expose:
+      ingress:
+          hosts:
+          core: harbor-portal
+
+    externalURL: https://harbor-portal
+
+    internalTLS:
+      enabled: true
+      certSource: "secret"
+
+      # Set ALL Harbor componets to use k8s secret "harbor," which contains your tls.key and tls.crt. 
+      core:
+        secretName: "harbor"
+        # ...
+      jobservice
+        secretName: "harbor"
+        # ...
+      # ...
+    ``` 
+
+4. Install Harbor to k8s:
+
+    ```
+    helm install harbor harbor/harbor --values values.yaml
+    ```
+
+5. Run the sample:
+    ```
+    cd samples/private-registry/
+    # Check the Harbor username and password in it before running it.
+    ./run.sh
+    ```
+
 ## Support
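Review bot: several problems in the added "Private image registry" section of this README hunk. The tool name in step 1 is misspelled `tls-getn` (the clone URL below it says `tls-gen`), and `componets` in the step 3 comment should be `components`. The values.yaml excerpt in step 3 is not valid YAML as shown: `jobservice` is missing its trailing colon, and `hosts:` and `core: harbor-portal` are at the same indentation, so `core` becomes a sibling of `hosts` instead of `expose.ingress.hosts.core`, which is the key the chart expects. It would also help to say explicitly why the `DNS.4` to `DNS.11` entries are appended to `openssl.cnf`: the server certificate must carry `harbor-core` as a subject alternative name because run.yaml's `APP_IMAGE` addresses the registry as `harbor-core:443`, and without that SAN the CA trust added by this PR is not enough. Finally, `openssl rsa -in server_key.pem -out tls.key` writes an unencrypted private key that step 2 then copies next to `ca.crt`; note in the text that only `ca.crt` belongs in the `registry-ca` secret the sample creates.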
 
 The [Buildpacks Community](http://buildpacks.io/community/) is always here to help. 
diff --git a/task/buildpacks/0.3/buildpacks.yaml b/task/buildpacks/0.4/buildpacks.yaml
index 4ccc867..649e768 100644
--- a/task/buildpacks/0.3/buildpacks.yaml
+++ b/task/buildpacks/0.4/buildpacks.yaml
@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: buildpacks
   labels:
-    app.kubernetes.io/version: "0.3"
+    app.kubernetes.io/version: "0.4"
   annotations:
     tekton.dev/categories: Image Build
     tekton.dev/pipelines.minVersion: "0.17.0"
@@ -22,6 +22,9 @@ spec:
     - name: cache
       description: Directory where cache is stored (when no cache image is provided).
       optional: true
+    - name: ca
+      description: Directory where image registry CA is located.
+      optional: true
 
   params:
     - name: APP_IMAGE
@@ -56,6 +59,9 @@ spec:
     - name: PLATFORM_DIR
       description: The name of the platform directory.
       default: empty-dir
+    - name: CA_FILENAME
+      description: The key of a self signed CA crt file loaded to a k8s secret.
+      default: "ca.crt"
 
   results:
     - name: APP_IMAGE_DIGEST
@@ -76,6 +82,16 @@ spec:
         #!/usr/bin/env bash
         set -e
 
+        if [[ "$(workspaces.ca.bound)" == "true" ]]; then
+          echo "> Check CA file existence: $(workspaces.ca.path)/$(params.CA_FILENAME)"
+          if [[ ! -f "$(workspaces.ca.path)/$(params.CA_FILENAME)" ]]; then
+            echo "Error! Workspace ca is bound, but CA file is not found."
+            echo "Check your secret contains a key $(params.CA_FILENAME)."
+            exit 1
+          fi
+          echo "ok"
+        fi
+
         if [[ "$(workspaces.cache.bound)" == "true" ]]; then
           echo "> Setting permissions on '$(workspaces.cache.path)'..."
           chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)"
@@ -121,6 +137,9 @@ spec:
         privileged: true
 
     - name: create
+      env:
+      - name: SSL_CERT_FILE
+        value: $(workspaces.ca.path)/$(params.CA_FILENAME)
       image: $(params.BUILDER_IMAGE)
       imagePullPolicy: Always
       command: ["/cnb/lifecycle/creator"]
@@ -139,6 +158,8 @@ spec:
         - "-run-image=$(params.RUN_IMAGE)"
         - "$(params.APP_IMAGE)"
       volumeMounts:
+        - name: docker-daemon-json
+          mountPath: /etc/docker
         - name: layers-dir
           mountPath: /layers
         - name: $(params.PLATFORM_DIR)
@@ -158,6 +179,10 @@ spec:
           mountPath: /layers
 
   volumes:
+    - name: docker-daemon-json
+      secret:
+        secretName: docker-daemon-json
+        optional: true
     - name: empty-dir
       emptyDir: {}
     - name: layers-dir
diff --git a/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml b/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml
new file mode 100644
index 0000000..fdccc29
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: buildpacks-service-account
+secrets:
+  - name: docker-user-pass
\ No newline at end of file
diff --git a/task/buildpacks/0.4/samples/private-registry/clean.sh b/task/buildpacks/0.4/samples/private-registry/clean.sh
new file mode 100755
index 0000000..e416b85
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/clean.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+kubectl delete secret registry-ca 
+kubectl delete secret docker-user-pass
+kubectl delete -f buildpacks-service-account.yaml -f ../../tests/resources.yaml -f run.yaml
diff --git a/task/buildpacks/0.4/samples/private-registry/run.sh b/task/buildpacks/0.4/samples/private-registry/run.sh
new file mode 100755
index 0000000..626e25e
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/run.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Assume a private Harbor image registry running on k8s with a self-signed CA crt.
+
+# Load the self signed CA crt as k8s secret.
+kubectl create secret generic registry-ca --from-file=ca.crt=ca.crt
+
+kubectl create secret docker-registry docker-user-pass \
+    --docker-username=admin \
+    --docker-password=Harbor12345 \
+    --docker-server=https://harbor-core:443 \
+    --namespace default
+
+kubectl create -f buildpacks-service-account.yaml -f ../../tests/resources.yaml -f run.yaml
diff --git a/task/buildpacks/0.4/samples/private-registry/run.yaml b/task/buildpacks/0.4/samples/private-registry/run.yaml
new file mode 100644
index 0000000..7234b1c
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/run.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: buildpacks-test-pipeline
+spec:
+  workspaces:
+    - name: source-ws
+    - name: cache-ws
+    - name: ca-ws
+      optional: true
+  tasks:
+    - name: fetch-repository
+      taskRef:
+        name: git-clone
+      workspaces:
+        - name: output
+          workspace: source-ws
+      params:
+        - name: url
+          value: https://github.com/buildpacks/samples
+        - name: subdirectory
+          value: ""
+        - name: deleteExisting
+          value: "true"
+    - name: buildpacks
+      taskRef:
+        name: buildpacks
+      runAfter:
+        - fetch-repository
+      workspaces:
+        - name: source
+          workspace: source-ws
+        - name: cache
+          workspace: cache-ws
+        - name: ca
+          workspace: ca-ws
+      params:
+        - name: APP_IMAGE
+          value: harbor-core:443/library/buildpacks-app
+        - name: SOURCE_SUBPATH
+          value: apps/java-maven
+        - name: BUILDER_IMAGE
+          value: cnbs/sample-builder:alpine@sha256:b51367258b3b6fff1fe8f375ecca79dab4339b177efb791e131417a5a4357f42
+        - name: CA_FILENAME
+          value: ca.crt # This is the key of your CA file in your K8s secret.
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: buildpacks-test-pipeline-run
+spec:
+  serviceAccountName: buildpacks-service-account # Only needed if you set up authorization
+  pipelineRef:
+    name: buildpacks-test-pipeline
+  workspaces:
+    - name: source-ws
+      subPath: source
+      persistentVolumeClaim:
+        claimName: buildpacks-pvc
+    - name: cache-ws
+      subPath: cache
+      persistentVolumeClaim:
+        claimName: buildpacks-pvc
+    - name: ca-ws
+      secret:
+        secretName: registry-ca
+---

tekton-robot avatar Feb 17 '22 09:02 tekton-robot

Diff between version 0.3 and 0.4
diff --git a/task/buildpacks/0.3/README.md b/task/buildpacks/0.4/README.md
index 93d3944..63f3656 100644
--- a/task/buildpacks/0.3/README.md
+++ b/task/buildpacks/0.4/README.md
@@ -17,7 +17,7 @@ See also [`buildpacks-phases`](../../buildpacks-phases) for the deconstructed ve
 ## Install
 
 ```
-kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.3/buildpacks.yaml
+kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.4/buildpacks.yaml
 ```
 
 ## Workspaces
@@ -68,6 +68,38 @@ See the following samples for usage:
  - **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
  - **[`results.yaml`](samples/results.yaml)**: A PipelineRun configured to demonstrate usage of task results.
 
+### Private image registry
+
+It's possible to use this Buildpacks task with a self signed CA crt private image registry. Using Harbor as an example:
+
+1. Bind static private IP (e.g., 192.168.0.100) of your k8s node to a host name - harbor
+
+    ```
+    sudo bash -c "echo '192.168.0.100 harbor' >> /etc/hosts"
+    ```
+
+2. Install Harbor to k8s:
+
+    ```
+    cd
+    helm repo add harbor https://helm.goharbor.io
+    helm install harbor harbor/harbor --set expose.ingress.hosts.core=harbor --set externalURL=https://harbor --set internalTLS.enabled=true
+    ```
+    
+5. Run the sample:
+    ```
+    cd samples/private-registry/
+    # Check the Harbor username and password in it before running it.
+    ./run.sh
+    ```
+
+6. (Optional) Export Harbor autogenerated CA crt:
+    ```
+    # If you want to push images from host to the private Harbor registry on k8s,
+    # you can first export the CA crt by this command:
+    kubectl get secrets harbor-ingress -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt
+    ```
+
 ## Support
 
 The [Buildpacks Community](http://buildpacks.io/community/) is always here to help. 
diff --git a/task/buildpacks/0.3/buildpacks.yaml b/task/buildpacks/0.4/buildpacks.yaml
index 4ccc867..649e768 100644
--- a/task/buildpacks/0.3/buildpacks.yaml
+++ b/task/buildpacks/0.4/buildpacks.yaml
@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: buildpacks
   labels:
-    app.kubernetes.io/version: "0.3"
+    app.kubernetes.io/version: "0.4"
   annotations:
     tekton.dev/categories: Image Build
     tekton.dev/pipelines.minVersion: "0.17.0"
@@ -22,6 +22,9 @@ spec:
     - name: cache
       description: Directory where cache is stored (when no cache image is provided).
       optional: true
+    - name: ca
+      description: Directory where image registry CA is located.
+      optional: true
 
   params:
     - name: APP_IMAGE
@@ -56,6 +59,9 @@ spec:
     - name: PLATFORM_DIR
       description: The name of the platform directory.
       default: empty-dir
+    - name: CA_FILENAME
+      description: The key of a self signed CA crt file loaded to a k8s secret.
+      default: "ca.crt"
 
   results:
     - name: APP_IMAGE_DIGEST
@@ -76,6 +82,16 @@ spec:
         #!/usr/bin/env bash
         set -e
 
+        if [[ "$(workspaces.ca.bound)" == "true" ]]; then
+          echo "> Check CA file existence: $(workspaces.ca.path)/$(params.CA_FILENAME)"
+          if [[ ! -f "$(workspaces.ca.path)/$(params.CA_FILENAME)" ]]; then
+            echo "Error! Workspace ca is bound, but CA file is not found."
+            echo "Check your secret contains a key $(params.CA_FILENAME)."
+            exit 1
+          fi
+          echo "ok"
+        fi
+
         if [[ "$(workspaces.cache.bound)" == "true" ]]; then
           echo "> Setting permissions on '$(workspaces.cache.path)'..."
           chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)"
@@ -121,6 +137,9 @@ spec:
         privileged: true
 
     - name: create
+      env:
+      - name: SSL_CERT_FILE
+        value: $(workspaces.ca.path)/$(params.CA_FILENAME)
       image: $(params.BUILDER_IMAGE)
       imagePullPolicy: Always
       command: ["/cnb/lifecycle/creator"]
@@ -139,6 +158,8 @@ spec:
         - "-run-image=$(params.RUN_IMAGE)"
         - "$(params.APP_IMAGE)"
       volumeMounts:
+        - name: docker-daemon-json
+          mountPath: /etc/docker
         - name: layers-dir
           mountPath: /layers
         - name: $(params.PLATFORM_DIR)
@@ -158,6 +179,10 @@ spec:
           mountPath: /layers
 
   volumes:
+    - name: docker-daemon-json
+      secret:
+        secretName: docker-daemon-json
+        optional: true
     - name: empty-dir
       emptyDir: {}
     - name: layers-dir
diff --git a/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml b/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml
new file mode 100644
index 0000000..fdccc29
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: buildpacks-service-account
+secrets:
+  - name: docker-user-pass
\ No newline at end of file
diff --git a/task/buildpacks/0.4/samples/private-registry/clean.sh b/task/buildpacks/0.4/samples/private-registry/clean.sh
new file mode 100755
index 0000000..98205a1
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/clean.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+kubectl delete secret docker-user-pass
+kubectl delete -f buildpacks-service-account.yaml -f ../../tests/resources.yaml -f run.yaml
diff --git a/task/buildpacks/0.4/samples/private-registry/run.sh b/task/buildpacks/0.4/samples/private-registry/run.sh
new file mode 100755
index 0000000..df487e7
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/run.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Assume a private Harbor image registry running on k8s.
+
+kubectl create secret docker-registry docker-user-pass \
+    --docker-username=admin \
+    --docker-password=Harbor12345 \
+    --docker-server=https://harbor-core:443 \
+    --namespace default
+
+kubectl create -f buildpacks-service-account.yaml -f ../../tests/resources.yaml -f run.yaml
diff --git a/task/buildpacks/0.4/samples/private-registry/run.yaml b/task/buildpacks/0.4/samples/private-registry/run.yaml
new file mode 100644
index 0000000..7c2e224
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/run.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: buildpacks-test-pipeline
+spec:
+  workspaces:
+    - name: source-ws
+    - name: cache-ws
+    - name: ca-ws
+      optional: true
+  tasks:
+    - name: fetch-repository
+      taskRef:
+        name: git-clone
+      workspaces:
+        - name: output
+          workspace: source-ws
+      params:
+        - name: url
+          value: https://github.com/buildpacks/samples
+        - name: subdirectory
+          value: ""
+        - name: deleteExisting
+          value: "true"
+    - name: buildpacks
+      taskRef:
+        name: buildpacks
+      runAfter:
+        - fetch-repository
+      workspaces:
+        - name: source
+          workspace: source-ws
+        - name: cache
+          workspace: cache-ws
+        - name: ca
+          workspace: ca-ws
+      params:
+        - name: APP_IMAGE
+          value: harbor-core:443/library/buildpacks-app
+        - name: SOURCE_SUBPATH
+          value: apps/java-maven
+        - name: BUILDER_IMAGE
+          value: cnbs/sample-builder:alpine@sha256:b51367258b3b6fff1fe8f375ecca79dab4339b177efb791e131417a5a4357f42
+        - name: CA_FILENAME
+          value: ca.crt # This is the key of your CA file in your K8s secret.
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: buildpacks-test-pipeline-run
+spec:
+  serviceAccountName: buildpacks-service-account # Only needed if you set up authorization
+  pipelineRef:
+    name: buildpacks-test-pipeline
+  workspaces:
+    - name: source-ws
+      subPath: source
+      persistentVolumeClaim:
+        claimName: buildpacks-pvc
+    - name: cache-ws
+      subPath: cache
+      persistentVolumeClaim:
+        claimName: buildpacks-pvc
+    - name: ca-ws
+      secret:
+        secretName: harbor-core-internal-tls # The secret containing the CA of the registry.
+---

tekton-robot avatar Feb 22 '22 09:02 tekton-robot

Catlin Output
FILE: task/buildpacks/0.4/buildpacks.yaml
WARN : Step "create" uses image "$(params.BUILDER_IMAGE)" that contains variables; skipping validation
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s bash] failed:

In buildpacks-prepare line 43:
    IFS='=' read -r key value string <<< "$env"
                              ^----^ SC2034: string appears unused. Verify use (or export if used externally).

For more information:
  https://www.shellcheck.net/wiki/SC2034 -- string appears unused. Verify use...

ERROR: /usr/bin/shellcheck, [-s bash] failed:

In buildpacks-results line 3:
cat /layers/report.toml | grep "digest" | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee $(results.APP_IMAGE_DIGEST.path)
    ^-----------------^ SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
                                                                                           ^-- SC2046: Quote this to prevent word splitting.

For more information:
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
  https://www.shellcheck.net/wiki/SC2002 -- Useless cat. Consider 'cmd < file...

tekton-robot avatar Feb 22 '22 09:02 tekton-robot

Diff between version 0.3 and 0.4
diff --git a/task/buildpacks/0.3/README.md b/task/buildpacks/0.4/README.md
index 93d3944..ce7c781 100644
--- a/task/buildpacks/0.3/README.md
+++ b/task/buildpacks/0.4/README.md
@@ -17,7 +17,7 @@ See also [`buildpacks-phases`](../../buildpacks-phases) for the deconstructed ve
 ## Install
 
 ```
-kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.3/buildpacks.yaml
+kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.4/buildpacks.yaml
 ```
 
 ## Workspaces
@@ -68,6 +68,37 @@ See the following samples for usage:
  - **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
  - **[`results.yaml`](samples/results.yaml)**: A PipelineRun configured to demonstrate usage of task results.
 
+### Private image registry
+
+It's possible to use this Buildpacks task with a self signed CA crt private image registry. Using Harbor as an example:
+
+1. Bind static private IP (e.g., 192.168.0.100) of your k8s node to a host name - harbor
+
+    ```
+    sudo bash -c "echo '192.168.0.100 harbor' >> /etc/hosts"
+    ```
+
+2. Install Harbor to k8s:
+
+    ```
+    helm repo add harbor https://helm.goharbor.io
+    helm install harbor harbor/harbor --set expose.ingress.hosts.core=harbor --set externalURL=https://harbor --set internalTLS.enabled=true
+    ```
+    
+5. Run the sample:
+    ```
+    cd samples/private-registry/
+    # Check the Harbor username and password in it before running it.
+    ./run.sh
+    ```
+
+6. (Optional) Export Harbor autogenerated CA crt:
+    ```
+    # If you want to push images from host to the private Harbor registry on k8s,
+    # you can first export the CA crt by this command:
+    kubectl get secrets harbor-ingress -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt
+    ```
+
 ## Support
 
 The [Buildpacks Community](http://buildpacks.io/community/) is always here to help. 
diff --git a/task/buildpacks/0.3/buildpacks.yaml b/task/buildpacks/0.4/buildpacks.yaml
index 4ccc867..649e768 100644
--- a/task/buildpacks/0.3/buildpacks.yaml
+++ b/task/buildpacks/0.4/buildpacks.yaml
@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: buildpacks
   labels:
-    app.kubernetes.io/version: "0.3"
+    app.kubernetes.io/version: "0.4"
   annotations:
     tekton.dev/categories: Image Build
     tekton.dev/pipelines.minVersion: "0.17.0"
@@ -22,6 +22,9 @@ spec:
     - name: cache
       description: Directory where cache is stored (when no cache image is provided).
       optional: true
+    - name: ca
+      description: Directory where image registry CA is located.
+      optional: true
 
   params:
     - name: APP_IMAGE
@@ -56,6 +59,9 @@ spec:
     - name: PLATFORM_DIR
       description: The name of the platform directory.
       default: empty-dir
+    - name: CA_FILENAME
+      description: The key of a self signed CA crt file loaded to a k8s secret.
+      default: "ca.crt"
 
   results:
     - name: APP_IMAGE_DIGEST
@@ -76,6 +82,16 @@ spec:
         #!/usr/bin/env bash
         set -e
 
+        if [[ "$(workspaces.ca.bound)" == "true" ]]; then
+          echo "> Check CA file existence: $(workspaces.ca.path)/$(params.CA_FILENAME)"
+          if [[ ! -f "$(workspaces.ca.path)/$(params.CA_FILENAME)" ]]; then
+            echo "Error! Workspace ca is bound, but CA file is not found."
+            echo "Check your secret contains a key $(params.CA_FILENAME)."
+            exit 1
+          fi
+          echo "ok"
+        fi
+
         if [[ "$(workspaces.cache.bound)" == "true" ]]; then
           echo "> Setting permissions on '$(workspaces.cache.path)'..."
           chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)"
@@ -121,6 +137,9 @@ spec:
         privileged: true
 
     - name: create
+      env:
+      - name: SSL_CERT_FILE
+        value: $(workspaces.ca.path)/$(params.CA_FILENAME)
       image: $(params.BUILDER_IMAGE)
       imagePullPolicy: Always
       command: ["/cnb/lifecycle/creator"]
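Review bot: `SSL_CERT_FILE` in this hunk is set unconditionally, including when the optional `ca` workspace is not bound; Tekton substitutes an empty path for an unbound optional workspace, so the variable then points at a file that does not exist, and the existence check added to `prepare` does not run in that case either. That happens to be harmless for the creator today, but it should be stated in the README. More importantly, the creator is a Go binary, and Go reads `SSL_CERT_FILE` instead of its default CA bundle file rather than in addition to it; trust for public registries (the run image, the builder's own pulls) then rests only on the cert directories present in `$(params.BUILDER_IMAGE)`. Document that the mounted file may need to be a bundle (system CAs plus the private CA) for builders that ship no `/etc/ssl/certs` directory.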
@@ -139,6 +158,8 @@ spec:
         - "-run-image=$(params.RUN_IMAGE)"
         - "$(params.APP_IMAGE)"
       volumeMounts:
+        - name: docker-daemon-json
+          mountPath: /etc/docker
         - name: layers-dir
           mountPath: /layers
         - name: $(params.PLATFORM_DIR)
@@ -158,6 +179,10 @@ spec:
           mountPath: /layers
 
   volumes:
+    - name: docker-daemon-json
+      secret:
+        secretName: docker-daemon-json
+        optional: true
     - name: empty-dir
       emptyDir: {}
     - name: layers-dir
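Review bot: the `docker-daemon-json` secret volume added here (and mounted at `/etc/docker` in the `create` step in the previous hunk) is not mentioned anywhere in the PR description, the README hunk, the task params, or the samples, and nothing in the diff creates a secret of that name. The creator does not talk to a Docker daemon, so it is unclear what consuming `/etc/docker` from a secret is meant to achieve. Either document the secret's purpose and expected keys next to `CA_FILENAME`, or drop both the volume and the mount so the task surface stays limited to the `ca` workspace this PR is about.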
diff --git a/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml b/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml
new file mode 100644
index 0000000..fdccc29
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/buildpacks-service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: buildpacks-service-account
+secrets:
+  - name: docker-user-pass
\ No newline at end of file
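Review bot: style point, add a trailing newline to `buildpacks-service-account.yaml`; the `\ No newline at end of file` marker will otherwise show up in every future diff of this file.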
diff --git a/task/buildpacks/0.4/samples/private-registry/clean.sh b/task/buildpacks/0.4/samples/private-registry/clean.sh
new file mode 100755
index 0000000..98205a1
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/clean.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+kubectl delete secret docker-user-pass
+kubectl delete -f buildpacks-service-account.yaml -f ../../tests/resources.yaml -f run.yaml
diff --git a/task/buildpacks/0.4/samples/private-registry/run.sh b/task/buildpacks/0.4/samples/private-registry/run.sh
new file mode 100755
index 0000000..df487e7
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/run.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Assume a private Harbor image registry running on k8s.
+
+kubectl create secret docker-registry docker-user-pass \
+    --docker-username=admin \
+    --docker-password=Harbor12345 \
+    --docker-server=https://harbor-core:443 \
+    --namespace default
+
+kubectl create -f buildpacks-service-account.yaml -f ../../tests/resources.yaml -f run.yaml
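Review bot: `--docker-password=Harbor12345` hardcodes the Harbor default admin password in a tracked script. The README tells users to edit the file before running it, but that invites committing a real password; read it from the environment instead, for example `--docker-password="${HARBOR_PASSWORD:?set HARBOR_PASSWORD}"`, and do the same for the username. As in the earlier revision, the script has no `set -e`, so a failed secret creation does not stop the `kubectl create -f ...` that follows.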
diff --git a/task/buildpacks/0.4/samples/private-registry/run.yaml b/task/buildpacks/0.4/samples/private-registry/run.yaml
new file mode 100644
index 0000000..7c2e224
--- /dev/null
+++ b/task/buildpacks/0.4/samples/private-registry/run.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: buildpacks-test-pipeline
+spec:
+  workspaces:
+    - name: source-ws
+    - name: cache-ws
+    - name: ca-ws
+      optional: true
+  tasks:
+    - name: fetch-repository
+      taskRef:
+        name: git-clone
+      workspaces:
+        - name: output
+          workspace: source-ws
+      params:
+        - name: url
+          value: https://github.com/buildpacks/samples
+        - name: subdirectory
+          value: ""
+        - name: deleteExisting
+          value: "true"
+    - name: buildpacks
+      taskRef:
+        name: buildpacks
+      runAfter:
+        - fetch-repository
+      workspaces:
+        - name: source
+          workspace: source-ws
+        - name: cache
+          workspace: cache-ws
+        - name: ca
+          workspace: ca-ws
+      params:
+        - name: APP_IMAGE
+          value: harbor-core:443/library/buildpacks-app
+        - name: SOURCE_SUBPATH
+          value: apps/java-maven
+        - name: BUILDER_IMAGE
+          value: cnbs/sample-builder:alpine@sha256:b51367258b3b6fff1fe8f375ecca79dab4339b177efb791e131417a5a4357f42
+        - name: CA_FILENAME
+          value: ca.crt # This is the key of your CA file in your K8s secret.
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: buildpacks-test-pipeline-run
+spec:
+  serviceAccountName: buildpacks-service-account # Only needed if you set up authorization
+  pipelineRef:
+    name: buildpacks-test-pipeline
+  workspaces:
+    - name: source-ws
+      subPath: source
+      persistentVolumeClaim:
+        claimName: buildpacks-pvc
+    - name: cache-ws
+      subPath: cache
+      persistentVolumeClaim:
+        claimName: buildpacks-pvc
+    - name: ca-ws
+      secret:
+        secretName: harbor-core-internal-tls # The secret containing the CA of the registry.
+---
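Review bot: `secretName: harbor-core-internal-tls` binds Harbor's own internal TLS secret to the `ca` workspace. That secret carries the server certificate and its private key alongside `ca.crt`, and a workspace mounts the whole secret, so the registry's private key ends up readable inside every build pod even though `CA_FILENAME` only selects `ca.crt` for the creator. Prefer a dedicated secret that contains only the CA (the `registry-ca` approach of the previous revision), or restrict the binding with the secret volume's `items:` list so that only the `ca.crt` key is projected. Also note in the comment that this secret lives in the Harbor release namespace, so the PipelineRun must be created there.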

tekton-robot avatar Feb 22 '22 09:02 tekton-robot

Hello, all. The latest commit a78d864 massively simplifies the private Harbor registry installation flow! Now, it needs only 3 commands😊

The buildpacks.yaml is unchanged since the overwritten commit e88167d.

MrMYHuang avatar Feb 22 '22 09:02 MrMYHuang

@MrMYHuang: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Apr 03 '22 12:04 tekton-robot

catlin.txt

tekton-robot avatar Apr 03 '22 12:04 tekton-robot

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Jul 02 '22 12:07 tekton-robot

catlin.txt

tekton-robot avatar Jul 02 '22 12:07 tekton-robot