Build container images (and push them to a registry) on Kubernetes
3 min read | by Jordi Prats
Shipwright is a framework that allow us to build container images and push them to remote registries from within a Kubernetes clusters. It supports popular tools such as Kaniko, Cloud Native Buildpacks and Buildah
Shipwright installation
To install shipwright we will need to install tekton, shipwright itself and predefined build strategies that they provide. We can do it using the following commands:
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.34.1/release.yaml
kubectl apply -f https://github.com/shipwright-io/build/releases/download/v0.9.0/release.yaml
kubectl apply -f https://github.com/shipwright-io/build/releases/download/v0.9.0/sample-strategies.yaml
Create secrets
If we need to work with private repositories we will need to create some Kubernetes Secrets containing the key to use to be able to fetch the repository we want to build. To import ~/.ssh/id_rsa into a Kubernetes ssh-auth secret named githubssh we can use the following command:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: githubssh
type: kubernetes.io/ssh-auth
data:
ssh-privatekey: $(base64 -w0 ~/.ssh/id_rsa)
EOF
Again, to be able to push the container image, we are, most likely, going to have to authenticate against it. In case we want to push it to docker Hub we can use the following command (just needing to set docker-username, docker-username and docker-email to the appropriate values)
kubectl create secret docker-registry hubdocker \
--docker-server=https://index.docker.io/v1/ \
--docker-username=demouser \
--docker-username=passw0rd \
--docker-email=demouser@pet2cattle.com
We can, of course, use other solutions like KES to dynamically fetch secrets from an external source.
Build definition
To start defining the build process we'll have to create the Build object defining the template:
- source: git repository containing the source to build
- output: Where to upload the container to
apiVersion: shipwright.io/v1alpha1
kind: Build
metadata:
name: build
spec:
source:
url: https://github.com/jordiprats/flask-pet2cattle
credentials:
name: githubssh
strategy:
name: kaniko
kind: ClusterBuildStrategy
output:
image: docker.io/jordiprats/shipwright-test:latest
credentials:
name: hubdocker
Build instance
Using the Build as a template, we can now create a BuildRun that will create a Pod to actually build the container and upload it to the registry:
Using this object we can override the image name that it's going to use using spec.output.name:
apiVersion: shipwright.io/v1alpha1
kind: BuildRun
metadata:
name: buildrun
spec:
buildRef:
name: build
output:
image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
As soon as we apply these objects on the cluster, it will start the build process: Building the container image and then uploading it to the registry using the image name defined on the BuildRun object:
$ kubectl get build
NAME REGISTERED REASON BUILDSTRATEGYKIND BUILDSTRATEGYNAME CREATIONTIME
build True Succeeded ClusterBuildStrategy kaniko 8m10s
$ kubectl get buildrun
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
buildrun True Succeeded 8m16s 7m39s
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
buildrun-rj2wv-pod-q4np5 0/2 Completed 0 8m26s
Posted on 30/05/2022