Skip to content

Tekton / OpenShift Pipelines

Container build (buildah) with secrets

Task documentation: https://tekton.dev/docs/pipelines/tasks/

Create secret

1
2
3
oc create secret generic build-args \
  --from-literal=USERNAME=web-auth-user \
  --from-literal=PASSWORD=IeNae1eigheBiz8ne

Apply buildah-with-secret task:

1
oc apply -f https://examples.openshift.pub/build/pipeline/buildah-with-secret.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  annotations:
    tekton.dev/pipelines.minVersion: "0.19"
    tekton.dev/tags: image-build
  creationTimestamp: "2021-05-11T14:49:48Z"
  labels:
    app.kubernetes.io/version: "0.1-with-secret"
    operator.tekton.dev/provider-type: redhat
  name: buildah-with-secret
spec:
  description: |-
    Buildah task builds source into a container image and then pushes it to a container registry.
    Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry.
  params:
  - description: Reference of the image buildah will produce.
    name: IMAGE
    type: string
  - default: registry.redhat.io/rhel8/buildah:latest
    description: The location of the buildah builder image.
    name: BUILDER_IMAGE
    type: string
  - default: vfs
    description: Set buildah storage driver
    name: STORAGE_DRIVER
    type: string
  - default: ./Dockerfile
    description: Path to the Dockerfile to build.
    name: DOCKERFILE
    type: string
  - default: .
    description: Path to the directory to use as context.
    name: CONTEXT
    type: string
  - default: "true"
    description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
    name: TLSVERIFY
    type: string
  - default: oci
    description: The format of the built container, oci or docker
    name: FORMAT
    type: string
  - default: ""
    description: Extra parameters passed for the build command when building images.
    name: BUILD_EXTRA_ARGS
    type: string
  - default: ""
    description: Extra parameters passed for the push command when pushing images.
    name: PUSH_EXTRA_ARGS
    type: string
  results:
  - description: Digest of the image just built.
    name: IMAGE_DIGEST
  steps:
  - image: $(params.BUILDER_IMAGE)
    name: build
    resources: {}
    script: |
      buildah --storage-driver=$(params.STORAGE_DRIVER) bud \
        $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
        --tls-verify=$(params.TLSVERIFY) --no-cache \
        -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)
    volumeMounts:
    - mountPath: /var/lib/containers
      name: varlibcontainers
    workingDir: $(workspaces.source.path)
    envFrom:
      - secretRef:
          name: build-args
  - image: $(params.BUILDER_IMAGE)
    name: push
    resources: {}
    script: |
      buildah --storage-driver=$(params.STORAGE_DRIVER) push \
        $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
        --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \
        docker://$(params.IMAGE)
    volumeMounts:
    - mountPath: /var/lib/containers
      name: varlibcontainers
    workingDir: $(workspaces.source.path)
  - image: $(params.BUILDER_IMAGE)
    name: digest-to-results
    resources: {}
    script: cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
  volumes:
  - emptyDir: {}
    name: varlibcontainers
  workspaces:
  - name: source

Apply pipeline:

1
oc apply -f https://examples.openshift.pub/build/pipeline/buildah-pipeline.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: buildah-pipeline
spec:
  params:
  - default: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/buildargs:latest
    name: IMAGE_NAME
    type: string
  - default: https://github.com/openshift-examples/container-build.git
    name: GIT_REPO
    type: string
  - default: master
    name: GIT_REVISION
    type: string
  - name: DOCKERFILE
    type: string
    default: "./Containerfile"
  - name: CONTEXT
    type: string
    default: "buildArgs"
  - name: BUILD_EXTRA_ARGS
    type: string
    default: "--build-arg USERNAME=$USERNAME --build-arg PASSWORD=$PASSWORD"
  tasks:
  - name: fetch-repository
    params:
    - name: url
      value: $(params.GIT_REPO)
    - name: revision
      value: $(params.GIT_REVISION)
    taskRef:
      kind: ClusterTask
      name: git-clone
    workspaces:
    - name: output
      workspace: workspace
  - name: buildah-with-secret
    params:
    - name: IMAGE
      value: $(params.IMAGE_NAME)
    - name: DOCKERFILE
      value: $(params.DOCKERFILE)
    - name: CONTEXT
      value: $(params.CONTEXT)
    - name: BUILD_EXTRA_ARGS
      value: $(params.BUILD_EXTRA_ARGS)
    runAfter:
    - fetch-repository
    taskRef:
      kind: Task
      name: buildah-with-secret
    workspaces:
    - name: source
      workspace: workspace
  workspaces:
  - name: workspace

Start pipeline

1
oc apply -f https://examples.openshift.pub/build/pipeline/buildah-pipelinerun.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  labels:
    tekton.dev/pipeline: buildah-pipeline
  name: buildah-pipeline-1
spec:
  pipelineRef:
    name: buildah-pipeline
  serviceAccountName: pipeline
  timeout: 1h0m0s
  workspaces:
  - name: workspace
    # persistentVolumeClaim:
    #   claimName: workspace
    volumeClaimTemplate:
      spec:
        accessModes:
          - ReadWriteMany # access mode may affect how you can use this volume in parallel tasks
        resources:
          requests:
            storage: 1Gi

Missing --workspac argument becuase missnig documentation: https://github.com/tektoncd/cli/issues/1169

1
2
3
4
5
6
tkn pipeline start buildah-pipeline -p \
  IMAGE_NAME=image-registry.openshift-image-registry.svc:5000/demo-app/container-build:latest \
  GIT_REPO=https://github.com/openshift-examples/container-build.git \
  CONTEXT=buildArgs \
  DOCKERFILE=./Containerfile \
  BUILD_EXTRA_ARGS='--build-arg USERNAME=$USERNAME --build-arg PASSWORD=$PASSWORD' \

Last update: June 18, 2021