From b3514326745be33ee1cb499d5dfc664b73419ae3 Mon Sep 17 00:00:00 2001
From: Alex Viscreanu
Date: Sat, 15 Feb 2020 18:55:26 +0100
Subject: [PATCH] Initial commit
---
 .dockerignore | 3 +
 .gitignore | 75 ++++++++++++++++++++++++
 Dockerfile | 8 +++
 README.md | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++
 action.yml | 43 ++++++++++++++
 entrypoint.sh | 62 ++++++++++++++++++++
 6 files changed, 347 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 README.md
 create mode 100644 action.yml
 create mode 100755 entrypoint.sh
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..c9c8ccc
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+*
+!entrypoint.sh
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f81b0aa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,75 @@
+#### joe made this: http://goel.io/joe
+
+#####=== macOS ===#####
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+#####=== Windows ===#####
+# Windows thumbnail cache files
+Thumbs.db
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+#####=== Linux ===#####
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+#####=== Custom ===#####
+.direnv
+.envrc
+.env
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..18f6f4d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,8 @@
+FROM gcr.io/kaniko-project/executor:debug
+
+COPY entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+LABEL repository="https://github.com/outillage/action-kaniko" \
+ maintainer="Alex Viscreanu "
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a3b61ad
--- /dev/null
+++ b/README.md
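Review bot: `FROM gcr.io/kaniko-project/executor:debug` follows a floating tag, so every workflow run that builds this action pulls whatever the tag currently points at, and that image is the one the entrypoint hands the registry credentials to; pin it to a release tag plus digest, e.g. `FROM gcr.io/kaniko-project/executor:<release>-debug@sha256:<digest>` (placeholders), and bump it deliberately. The `debug` variant appears to be required because entrypoint.sh runs under `#!/busybox/sh`, which the plain executor image does not ship, so a comment above the FROM line such as `# debug variant: ships busybox, needed for /busybox/sh in entrypoint.sh` would record that constraint. The stage has no `USER`, which kaniko needs in order to snapshot the filesystem as root, but a one-line comment saying so would save the next reviewer the question. `maintainer` is not an OCI label; `org.opencontainers.image.authors` and `org.opencontainers.image.source` are the conventional keys for what the LABEL carries.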
@@ -0,0 +1,156 @@
+# Kaniko image builder
+
+This Action uses the [kaniko](https://github.com/GoogleContainerTools/kaniko) executor instead of the docker daemon. Kaniko builds the image
+by extracting the filesystem of the base image, making the changes in the user space, snapshotting any change and appending it to the base
+image filesystem.
+
+This allows for a quite efficient caching, that can be pushed to another docker registry and downloaded on-demand, and a noticeably easier and
+more secure secret passing to the build context, as it happens in the user space itself.
+
+## Usage
+
+## Example pipeline
+```yaml
+name: Docker build
+on: push
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Kaniko build
+ uses: outillage/kaniko-action@master
+ with:
+ image: outillage/kaniko
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ cache: true
+ cache_registry: outillage/cache
+```
+
+## Required Arguments
+
+This action aims to be as flexible as possible, so it tries to define the defaults as for what I thought of being
+the most used values.
So, technically there is a single required argument
+
+| variable | description | required | default |
+|-----------------|----------------------------------------------------------|----------|-----------------------------|
+| image | Name of the image you would like to push | true | |
+
+## Optional Arguments
+
+| variable | description | required | default |
+|-----------------|----------------------------------------------------------|----------|-----------------------------|
+| registry | Docker registry where the image will be pushed | false | docker.io |
+| username | Username used for authentication to the Docker registry | false | $GITHUB_ACTOR |
+| password | Password used for authentication to the Docker registry | false | |
+| tag | Image tag | false | latest |
+| cache | Enables build cache | false | false |
+| cache_ttl | How long the cache should be considered valid | false | |
+| cache_registry | Docker registry meant to be used as cache | false | |
+| cache_directory | Filesystem path meant to be used as cache | false | |
+| build_file | Dockerfile filename | false | Dockerfile |
+| extra_args | Additional arguments to be passed to the kaniko executor | false | |
+
+**Here is where it gets specific, as the optional arguments become required depending on the registry targeted**
+
+### [docker.io](https://hub.docker.com/)
+
+This is the default, and implicit docker registry, in the same way as with using the docker CLI
+In this case, the authentication credentials need to be passed via GitHub Action secrets
+
+```yaml
+with:
+ image: outillage/kaniko
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+```
+
+> NOTE: Dockerhub doesn't support more than one level deep of docker images, so Kaniko's default approach of pushing the cache to `$image/cache`
+doesn't work. If you want to use caching with Dockerhub, create a `cache` repository, and specify it in the action options.
+
+```yaml
+with:
+ image: outillage/kaniko
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ cache: true
+ cache_registry: outillage/cache
+```
+
+### [docker.pkg.github.com](https://github.com/features/packages)
+
+GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace.
+If you want to push your image like `outillage/kaniko-action/kaniko`, you'll only need to pass `kaniko` to this action.
+
+The authentication is automatically done using the `GITHUB_ACTOR` and `GITHUB_TOKEN` provided from GitHub itself. But as `GITHUB_TOKEN` is not
+passed by default, it will have to be explicitly set up.
+
+```yaml
+with:
+ registry: docker.pkg.github.com
+ password: ${{ secrets.GITHUB_TOKEN }}
+ image: kaniko
+```
+
+> NOTE: GitHub's docker registry is structured a bit differently, but it has the same drawback as Dockerhub, and that's that it's not possible
+to "namespace" images for cache. In order to use registry cache, just specify the image meant to be used as cache, and Kaniko will push the
+cache layers to that image instead
+
+```yaml
+with:
+ registry: docker.pkg.github.com
+ password: ${{ secrets.GITHUB_TOKEN }}
+ image: kaniko
+ cache: true
+ cache_registry: cache
+```
+
+### [registry.gitlab.com](https://docs.gitlab.com/ee/user/packages/container_registry)
+
+GitLab's registry is quite flexible, it allows easy image namespacing, so a project's docker registry can hold up to three levels of image
+repository names.
+
+```
+registry.gitlab.com/group/project:some-tag
+registry.gitlab.com/group/project/image:latest
+registry.gitlab.com/group/project/my/image:rc1
+```
+
+To authenticate to it, a username and personal access token must be supplied via GitHub Action Secrets.
+
+```yaml
+with:
+ registry: registry.gitlab.com
+ username: ${{ secrets.GL_REGISTRY_USERNAME }}
+ password: ${{ secrets.GL_REGISTRY_PASSWORD }}
+ image: outillage/kaniko
+```
+
+> NOTE: As GitLab's registry does support namespacing, Kaniko can natively push cached layers to it, so only `cache: true` is necessary to be
+specified in order to use it.
+
+```yaml
+with:
+ registry: registry.gitlab.com
+ username: ${{ secrets.GL_REGISTRY_USERNAME }}
+ password: ${{ secrets.GL_REGISTRY_PASSWORD }}
+ image: outillage/kaniko
+ cache: true
+```
+
+### Other registries
+
+If you would like to publish the image to other registries, these actions might be helpful
+
+| Registry | Action |
+|------------------------------------------------------|-----------------------------------------------|
+| Amazon Webservices Elastic Container Registry (ECR) | https://github.com/elgohr/ecr-login-action |
+| Google Cloud Container Registry | https://github.com/elgohr/gcloud-login-action |
+
+### Other arguments details
+
+#### tag
+
+The `tag` argument, **unless overridden**, is automatically guessed based on the branch name. If the branch is `master` then the tag will
+be `latest`, otherwise it will keep the branch name, but replacing any forward slash (/) with a hyphen (-).
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..e09bb95
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,43 @@
+# kaniko.yml
+name: "Kaniko builder"
+description: "Build and push docker images using Kaniko"
+branding:
+ icon: anchor
+ color: orange
+inputs:
+ registry:
+ description: "Docker registry where the image will be pushed"
+ required: false
+ username:
+ description: "Username used for authentication to the Docker registry"
+ required: false
+ password:
+ description: "Password used for authentication to the Docker registry"
+ required: false
+ image:
+ description: "Image name"
+ required: true
+ tag:
+ description: "Image tag"
+ required: false
+ cache:
+ description: "Enables build cache"
+ required: false
+ cache_ttl:
+ description: "How long the cache should be considered valid"
+ required: false
+ cache_registry:
+ description: "Docker registry meant to be used as cache"
+ required: false
+ cache_directory:
+ description: "Filesystem path meant to be used as cache"
+ required: false
+ build_file:
+ description: "Dockerfile filename"
+ required: false
+ extra_args:
+ description: "Additional arguments to be passed to the kaniko executor"
+ required: false
+runs:
+ using: "docker"
+ image: "Dockerfile"
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..4eba477
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,62 @@
+#!/busybox/sh
+set -e pipefail
+
+export REGISTRY=${INPUT_REGISTRY:-"docker.io"}
+export IMAGE=${INPUT_IMAGE}
+export BRANCH=$(echo ${GITHUB_REF} | sed -e "s/refs\/heads\///g" | sed -e "s/\//-/g")
+export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)}
+export TAG=${TAG:-"latest"}
+export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
+export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
+export IMAGE=$IMAGE:$TAG
+
+function sanitize() {
+ if [ -z "${1}" ]; then
+ echo >&2 "Unable to find the ${2}. Did you set with.${2}?"
+ exit 1
+ fi
+}
+
+sanitize "${REGISTRY}" "registry"
+sanitize "${USERNAME}" "username"
+sanitize "${PASSWORD}" "password"
+sanitize "${IMAGE}" "image"
+sanitize "${TAG}" "tag"
+
+if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
+ export IMAGE="$GITHUB_REPOSITORY/$IMAGE"
+
+ if [ -z $INPUT_CACHE_REGISTRY ]; then
+ export INPUT_CACHE_REGISTRY="$GITHUB_REPOSITORY/$INPUT_CACHE_REGISTRY"
+ fi
+fi
+
+if [ "$REGISTRY" == "docker.io" ]; then
+ export REGISTRY="index.${REGISTRY}/v1/"
+else
+ export IMAGE="$REGISTRY/$IMAGE"
+fi
+
+export CACHE=${INPUT_CACHE:+"--cache=true"}
+export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
+export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
+export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
+export CONTEXT="--context $GITHUB_WORKSPACE"
+export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}"
+export DESTINATION="--destination $IMAGE"
+
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
+echo $ARGS
+
+cat </kaniko/.docker/config.json
+{
+ "auths": {
+ "https://${REGISTRY}": {
+ "username": "${USERNAME}",
+ "password": "${PASSWORD}"
+ }
+ }
+}
+EOF
+
+/kaniko/executor $ARGS
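Review bot: The `docker.pkg.github.com` branch tests `if [ -z $INPUT_CACHE_REGISTRY ]` and then prefixes the value, which is inverted: when no cache registry was given it sets `INPUT_CACHE_REGISTRY="$GITHUB_REPOSITORY/"`, so a `--cache-repo=owner/repo/` is passed even though none was requested, and when one was given it is left unprefixed, contrary to the README's `cache_registry: cache` example; the test should be `if [ -n "$INPUT_CACHE_REGISTRY" ]; then`. `set -e pipefail` does not enable pipefail (the word becomes `$1`), so a failing `sed` in the pipeline that derives `BRANCH` is masked; use `set -eo pipefail`. `${INPUT_CACHE:+"--cache=true"}` enables caching for any non-empty input, including `cache: false`, so a boolean check such as `case "$INPUT_CACHE" in true) export CACHE="--cache=true";; *) export CACHE="";; esac` would match what the README documents. The password is interpolated unescaped into the JSON heredoc (rendered here as `cat </kaniko/.docker/config.json`, presumably `cat <<EOF >…` before extraction), so a credential containing `"` or `\` yields a malformed config.json and an opaque auth failure, and `echo $ARGS` prints `INPUT_EXTRA_ARGS` verbatim into the job log, which is where a `--build-arg` carrying a secret would end up.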