Skip to content
Snippets Groups Projects
Commit 57998b26 authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

feat: add image digest support

parent a159fce3
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
README.md
+ 35
23
View file @ 57998b26
......@@ -30,7 +30,7 @@ activate the Docker-in-Docker build at your own risks by setting `DOCKER_DIND_BU
The Docker template uses some global configuration used throughout all jobs.
| Name | description | default value |
| Name | Description | Default value |
| --------------------- | -------------------------------------- | ----------------- |
| `DOCKER_DIND_BUILD` | Set to enable Docker-in-Docker build (:warning: unsecured, requires privileged runners). | _(none)_ (kaniko build by default) |
| `DOCKER_KANIKO_IMAGE` | The Docker image used to run kaniko - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
......@@ -41,7 +41,7 @@ The Docker template uses some global configuration used throughout all jobs.
In addition to this, the template supports _standard_ Linux proxy variables:
| Name | description | default value |
| Name | Description | Default value |
| --------------------- | ------------------------------------------- | ------------- |
| `http_proxy` | Proxy used for http requests | _none_ |
| `https_proxy` | Proxy used for https requests | _none_ |
......@@ -67,7 +67,7 @@ In practice:
The **snapshot** and **release** images are defined by the following variables:
| Name | description | default value |
| Name | Description | Default value |
| ------------------------- | --------------------- | ------------------------------------------------- |
| `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
| `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` |
......@@ -92,7 +92,7 @@ But when using other registry(ies), you'll have also to **configure appropriate
If you use the **same registry** for both snapshot and release images, you shall use the following configuration
variables:
| Name | description |
| Name | Description |
| -------------------------------- | -------------------------------------- |
| :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry |
| :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry |
......@@ -101,7 +101,7 @@ variables:
If you use **different registries** for snapshot and release images, you shall use separate configuration variables:
| Name | description |
| Name | Description |
| ---------------------------------------- | -------------------------------------- |
| :lock: `DOCKER_REGISTRY_SNAPSHOT_USER` | Docker registry username for snapshot image registry |
| :lock: `DOCKER_REGISTRY_SNAPSHOT_PASSWORD`| Docker registry password for snapshot image registry |
......@@ -139,7 +139,7 @@ If you need to redefine a variable with the same value for all your Dockerfiles,
```yaml
variables:
DOCKER_DIND_BUILD: "True"
DOCKER_DIND_BUILD: "true"
```
### Secrets management
......@@ -164,9 +164,9 @@ This job performs a [Lint](https://github.com/projectatomic/dockerfile_lint) on
It is bound to the `build` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| --------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_LINT_IMAGE` | The dockerlint image | `projectatomic/dockerfile-lint:latest` |
| `DOCKER_LINT_IMAGE` | The dockerlint image | `projectatomic/dockerfile-lint:latest` |
| `DOCKER_LINT_ARGS` | Additional `dockerfile_lint` arguments | _(none)_ |
In case you have to disable some rules, copy and edit the [rules](https://github.com/projectatomic/dockerfile_lint#extending-and-customizing-rule-files) into `mycustomdockerlint.yml` and set `DOCKER_LINT_ARGS: '-r mycustomdockerlint.yml'`
......@@ -177,7 +177,7 @@ This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Docker
It is bound to the `build` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| -------------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `hadolint/hadolint:latest-alpine` |
| `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | `` |
......@@ -200,17 +200,23 @@ This job builds the image and publishes it to the _snapshot_ repository.
It is bound to the `package-build` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `DOCKER_BUILD_ARGS` | Additional `docker build`/`kaniko` arguments | _(none)_ |
| `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) | _(none)_ |
| `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification |
| `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification |
This job produces an _output variable_ that is propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
* `docker_image`: set to `$DOCKER_SNAPSHOT_IMAGE`
| Name | Description | Example |
| --------------------- | ------------------------------------------------------ | --------------------------------------- |
| `docker_image` | snapshot image name **with tag** | `registry.gitlab.com/acme/website/snaposhot:main` |
| `docker_image_digest` | snapshot image name **with digest** (no tag) | `registry.gitlab.com/acme/website/snaposhot@sha256:b7914a91...` |
| `docker_repository` | snapshot image **bare repository** (no tag nor digest) | `registry.gitlab.com/acme/website/snaposhot` |
| `docker_tag` | snapshot image tag | `main` |
| `docker_digest` | snapshot image digest | `sha256:b7914a91...` |
It may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch of tag).
They may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch or tag).
If you want to use GitLab CI variables or any other variable in your Dockerfile, you can add them to `DOCKER_BUILD_ARGS` like so:
......@@ -261,7 +267,7 @@ This job performs a [Health Check](https://docs.docker.com/engine/reference/buil
It is bound to the `package-test` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| -------------------------------------- | -------------------------------------------------------------------- | ----------------- |
| `DOCKER_HEALTHCHECK_DISABLED` | Set to `true` to disable health check | _(none: enabled by default)_ |
| `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
......@@ -288,7 +294,7 @@ variables:
It is bound to the `package-test` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| ---------------------- | -------------------------------------- | ----------------- |
| `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `aquasec/trivy:latest` |
| `DOCKER_TRIVY_ADDR` | The Trivy server address | _(none: disabled by default)_ |
......@@ -300,18 +306,24 @@ It is bound to the `package-test` stage, and uses the following variables:
This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
| Name | description | default value |
| Name | Description | Default value |
| --------------------- | --------------------------------------------------------------------------- | ----------------- |
| `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` |
| `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_ |
| `AUTODEPLOY_TO_PROD` | Set to enable automatic publish (and deploy) on `master` branch | _none_ (enabled) |
| `PUBLISH_ON_PROD` | Determines whether this job is enabled on `master` branch | `true`_ (enabled) |
This job produces an _output variable_ that is propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
* `docker_image`: set to `$DOCKER_RELEASE_IMAGE`
| Name | Description | Example |
| --------------------- | ----------------------------------------------------- | --------------------------------------- |
| `docker_image` | release image name **with tag** | `registry.gitlab.com/acme/website:main` |
| `docker_image_digest` | release image name **with digest** (no tag) | `registry.gitlab.com/acme/website@sha256:b7914a91...` |
| `docker_repository` | release image **bare repository** (no tag nor digest) | `registry.gitlab.com/acme/website` |
| `docker_tag` | release image tag | `main` |
| `docker_digest` | release image digest | `sha256:b7914a91...` |
It may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch of tag).
They may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch or tag).
## Examples
......@@ -352,7 +364,7 @@ include:
file: '/templates/gitlab-ci-docker.yml'
variables:
DOCKER_DIND_BUILD: "True"
DOCKER_DIND_BUILD: "true"
.docker-base:
parallel:
......@@ -377,7 +389,7 @@ This variant allows delegating your secrets management to a [Vault](https://www.
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
| Name | description | default value |
| Name | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- |
| `VAULT_BASE_URL` | The Vault server base API url | _none_ |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
......@@ -393,7 +405,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta
With:
| Name | description |
| Name | Description |
| -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
......
templates/gitlab-ci-docker.yml
+ 26
5
View file @ 57998b26
......@@ -277,7 +277,6 @@ stages:
docker_snapshot_authent_token=$(echo -n "${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}:${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n')
docker_snapshot_registry_host=$(echo "$DOCKER_SNAPSHOT_IMAGE" | cut -d/ -f1)
docker_release_authent_token=$(echo -n "${DOCKER_REGISTRY_RELEASE_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}:${DOCKER_REGISTRY_RELEASE_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n')
docker_release_registry_host=$(echo "$DOCKER_RELEASE_IMAGE" | cut -d/ -f1)
......@@ -497,9 +496,16 @@ docker-kaniko-build:
extends: .docker-kaniko-base
stage: package-build
script:
- run_build_kaniko "$DOCKER_SNAPSHOT_IMAGE" --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy"
- run_build_kaniko "$DOCKER_SNAPSHOT_IMAGE" --digest-file .img-digest.txt --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy"
# push docker_image in dotenv file
- docker_digest=$(cat .img-digest.txt)
- docker_repository=${DOCKER_SNAPSHOT_IMAGE%%:*}
- docker_tag=${DOCKER_SNAPSHOT_IMAGE#*:}
- echo "docker_image=$DOCKER_SNAPSHOT_IMAGE" > docker.env
- echo "docker_image_digest=$docker_repository@$docker_digest" >> docker.env
- echo "docker_repository=$docker_repository" >> docker.env
- echo "docker_tag=$docker_tag" >> docker.env
- echo "docker_digest=$docker_digest" >> docker.env
artifacts:
reports:
dotenv:
......@@ -522,9 +528,17 @@ docker-dind-build:
# Display the size of each layer
- docker history $DOCKER_SNAPSHOT_IMAGE
# Display the total size of the image
- docker images $DOCKER_SNAPSHOT_IMAGE
# push docker_image in dotenv file
- docker images --digests $DOCKER_SNAPSHOT_IMAGE
# create dotenv file
- image_with_digest=$(docker inspect --format '{{index .RepoDigests 0}}' "$DOCKER_SNAPSHOT_IMAGE")
- docker_digest=${image_with_digest#*@}
- docker_repository=${DOCKER_SNAPSHOT_IMAGE%%:*}
- docker_tag=${DOCKER_SNAPSHOT_IMAGE#*:}
- echo "docker_image=$DOCKER_SNAPSHOT_IMAGE" > docker.env
- echo "docker_image_digest=$docker_repository@$docker_digest" >> docker.env
- echo "docker_repository=$docker_repository" >> docker.env
- echo "docker_tag=$docker_tag" >> docker.env
- echo "docker_digest=$docker_digest" >> docker.env
artifacts:
reports:
dotenv:
......@@ -665,7 +679,14 @@ docker-publish:
fi
skopeo copy --src-authfile /skopeo/.docker/src-config.json --dest-authfile /skopeo/.docker/dest-config.json ${DOCKER_PUBLISH_ARGS} docker://$DOCKER_SNAPSHOT_IMAGE docker://$DOCKER_RELEASE_IMAGE
log_info "Well done your image is published and can be downloaded by doing: docker pull $DOCKER_RELEASE_IMAGE"
echo "docker_image=$DOCKER_RELEASE_IMAGE" > docker.env
- docker_digest=$(skopeo inspect --format='{{ .Digest }}' "docker://$DOCKER_RELEASE_IMAGE")
- docker_repository=${DOCKER_RELEASE_IMAGE%%:*}
- docker_tag=${DOCKER_RELEASE_IMAGE#*:}
- echo "docker_image=$DOCKER_RELEASE_IMAGE" > docker.env
- echo "docker_image_digest=$docker_repository@$docker_digest" >> docker.env
- echo "docker_repository=$docker_repository" >> docker.env
- echo "docker_tag=$docker_tag" >> docker.env
- echo "docker_digest=$docker_digest" >> docker.env
artifacts:
reports:
dotenv:
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment