I have a Dockerfile which I can build using kaniko in the GitLab CI/CD pipeline.
Currently the build stage both builds the container and pushes it to the remote Docker repository.
I would like to utilize the stages concept of the CI/CD pipeline to build the image, then perform automatic tests and run a container security analysis tool (Trivy) and then as the last step, if all before steps were successful, I want to have it pushed to the registry:
The command to build and push the image is:
build:latest-master:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --cache=true --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:latest
  only:
    - master
There is an option / command line flag to perform no push, --no-push, and there is a flag --tar-path that only produces a tarball of the image.
How would I have to combine these flags and commands to create the image only, without pushing it to the registry, as it should only be pushed there once the security check has been performed? And then what does the push stage (GitLab CI job) look like, especially the exact kaniko command line?
It would be great if that last pushing stage/job could reuse the previously built image or cache and not rebuild it again. I guess the tarball could be used somehow, but what would be the flag for kaniko to use it? Or do I just take that tarball and use a docker command to push it to the registry?
You can do that using the crane tool:
docker:build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug-v1.0.0
    entrypoint: [""]
  script:
    - /kaniko/executor
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/docker/Dockerfile
      --no-push
      --destination $CI_REGISTRY_IMAGE/path/to/your/image:version
      --tarPath image.tar
  artifacts:
    paths:
      - image.tar
    when: on_success

docker:push:
  stage: push
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  script:
    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - crane push image.tar $CI_REGISTRY_IMAGE/path/to/your/image:version
  needs:
    - docker:build
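The question also asks for a Trivy scan to gate the push. The following is an added example, not part of the answer above: it inserts a scan stage that runs Trivy against the image.tar artifact from docker:build and makes docker:push depend on it, so a failing scan blocks the push. The Trivy image tag and the severity threshold are assumptions; docker:build is the job from the answer, unchanged.

```yaml
# Added example: gate the crane push on a Trivy scan of the kaniko tarball.
# Assumes the docker:build job from the answer above produces image.tar.
stages:
  - build
  - scan
  - push

docker:scan:
  stage: scan
  image:
    name: aquasec/trivy:latest      # image tag is an assumption
    entrypoint: [""]
  script:
    # Scan the local tarball; no registry credentials are needed here.
    # First run: full report, never fails (exit code 0).
    - trivy image --input image.tar --exit-code 0 --no-progress
    # Second run: fail the job on HIGH/CRITICAL findings (threshold is an assumption),
    # which in turn prevents docker:push from running.
    - trivy image --input image.tar --exit-code 1 --severity HIGH,CRITICAL --no-progress
  needs:
    - docker:build                 # downloads the image.tar artifact

docker:push:
  stage: push
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  script:
    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - crane push image.tar $CI_REGISTRY_IMAGE/path/to/your/image:version
  needs:
    - docker:build                 # still needed so image.tar is downloaded
    - docker:scan                  # push only runs after a clean scan
```

With `needs`, a job only receives artifacts from the jobs it lists, so docker:push must name docker:build as well as docker:scan to get image.tar.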