Kaniko with Azure DevOps Context

Question


I am trying to run kaniko builds on Kubernetes.

containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args: ["--context=https://dev.azure.com/",
           "--destination=build:1.0.0",
           "--dockerfile=dockerfile"]

The source repo is on Azure DevOps and is only reachable via HTTP or SSH.

As far as I understand, I will have to set http.extraHeader to use PAT authentication.

https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Linux

git -c http.extraHeader="Authorization: Basic ${B64_PAT}" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName 

Is there a way to handle the authentication via environment variables or some kind of wrapper for kaniko-project/executor?

I tried
ssh://PAT@repo
and combinations of the env variables GIT_TOKEN, GIT_USERNAME, GIT_PASSWORD.

Answer 1

Score: 0


Short answer: Yes, it's possible to use Kaniko with an Azure DevOps context.

Detailed answer:

Under the hood, Kaniko uses the "go-git" library (because Kaniko is written in Go). At the time of writing this answer, it's not possible for Kaniko to fetch the source code from an Azure DevOps repository because it appears that go-git does not work with Azure DevOps git repos (it doesn't implement the "multi-ack" protocol which is used by Azure DevOps).

The workaround for this is to use an "initContainer" with any image you want, where you can "git clone" your repo and let Kaniko consume it afterwards.
Here's a link that can help you (and anyone else reading this post) to achieve this combination: https://github.com/GoogleContainerTools/kaniko/issues/719#issuecomment-1283407534

Here's sample code showing how it helped me achieve that:

            # Init container to git clone the source code
            initContainers:
            - name: git-clone
              image: alpine:3.18.0
              command: ["sh", "-c"]
              args:
              - |
                apk add --no-cache git && \
                AUTH=$(echo -n ":$PAT_TOKEN" | base64) && \
                git -c http.extraHeader="Authorization: Basic $AUTH" clone --depth 1 $(Build.Repository.Uri) /workspace
              env:
                - name: GIT_TERMINAL_PROMPT
                  value: "0"
                - name: PAT_TOKEN
                  value: YOUR_SECRET # Or coming from Secrets it's better
              volumeMounts:
              - name: build-context
                mountPath: /workspace
            # Kaniko container
            containers:
            - name: kaniko
              image: gcr.io/kaniko-project/executor:latest
              args:
              - "--dockerfile=Dockerfile"
              - "--context=dir:///workspace"
              - "--destination=build:1.0.0"
              volumeMounts:
              - name: build-context
                mountPath: /workspace
            
            restartPolicy: Never
            volumes:
            - name: build-context
              emptyDir: {}

In this sample code, I use the initContainer to fetch the source code of my repo and populate the "/workspace" folder. Both Kaniko (main container) and "initContainer" use this volume as it is mounted on both sides (volumeMounts).
Of course, feel free to adapt to your needs.

huangapple
  • Published on April 6, 2023, 22:25:58
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75950666.html