cnbBuild¶
Executes Cloud Native Buildpacks.
Description¶
Executes a Cloud Native Buildpacks build for creating Docker image(s). Important: Please note, that the cnbBuild step is in beta state, and there could be breaking changes before we remove the beta notice.
Usage¶
We recommend to define values of step parameters via .pipeline/config.yml file.
In this case, calling the step is essentially reduced to defining the step name.
Calling the step can be done either in an orchestrator specific way (e.g. via a Jenkins library step) or on the command line.
library('piper-lib-os')
cnbBuild script: this
piper cnbBuild
Outputs¶
| Output type | Details |
|---|---|
| commonPipelineEnvironment |
|
see Examples
Prerequisites¶
When pushing to a container registry, you need to maintain the respective credentials in your Jenkins credentials store:
cnbBuild expects a Docker config.json file containing the credential information for registries.
You can create it like explained in the protocodeExecuteScan Prerequisites section.
Please copy this file and upload it to your Jenkins for example
via Jenkins -> Credentials -> System -> Global credentials (unrestricted) -> Add Credentials ->
- Kind: Secret file
- File: upload your
config.jsonfile - ID: specify id which you then use for the configuration of
dockerConfigJsonCredentialsId(see below)
Parameters¶
Overview - Step¶
| Name | Mandatory | Additional information |
|---|---|---|
| containerImageTag | yes | |
| containerRegistryUrl | yes | |
| script | (yes) |  reference to Jenkins main pipeline script |
| additionalTags | no | |
| bindings | no | |
| buildEnvVars | no | |
| buildSettingsInfo | no | |
| buildpacks | no | |
| containerImageAlias | no | |
| containerImageName | no | |
| createBOM | no | |
| customTlsCertificateLinks | no | |
| defaultProcess | no | |
| dockerConfigJSON | no |   pass via ENV, Vault or Jenkins credentials (dockerConfigJsonCredentialsId) |
| dockerConfigJSONCPE | no | pass via ENV or Jenkins credentials |
| expandBuildEnvVars | no | |
| multipleImages | no | |
| path | no | |
| postBuildpacks | no | |
| preBuildpacks | no | |
| preserveFiles | no | |
| projectDescriptor | no | |
| runImage | no | |
| syftDownloadUrl | no | |
| verbose | no | activates debug output |
Overview - Execution Environment¶
Orchestrator-specific only
These parameters are relevant for orchestrator usage and not considered when using the command line option.
| Name | Mandatory | Additional information |
|---|---|---|
| containerCommand | no | |
| containerShell | no | |
| dockerEnvVars | no | |
| dockerImage | no | |
| dockerName | no | |
| dockerOptions | no | |
| dockerPullImage | no | |
| dockerVolumeBind | no | |
| dockerWorkspace | no | |
Details¶
additionalTags¶
List of tags which will be pushed to the registry (additionally to the provided containerImageTag), e.g. "latest".
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | $PIPER_additionalTags (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
bindings¶
Map of bindings that should be offered to the buildpack. The type of bindings depend on the buildpack. For documentation about bindings in general see the paketo documentation.
Example: Custom maven settings.xml for the Java Buildpack
bindings:
maven-settings:
type: maven
data:
- key: settings.xml
file: path/to/settings.xml
inline:
bindings:
maven-settings:
type: maven
data:
- key: settings.xml
content: "inline settings.xml"
from url:
bindings:
maven-settings:
type: maven
data:
- key: settings.xml
fromUrl: https://url-to/setting.xml
using Vault general purpose credentials:
bindings:
dynatrace:
type: Dynatrace
data:
- key: api-token
vaultCredentialKey: dynatrace-api-token
vaultCredentialPath: cnb-bindings
vaultCredentialKeys: ['dynatrace-api-token']
Deprecated: A binding with a single key, could be written like this:
bindings:
maven-settings:
type: maven
key: settings.xml
file: path/to/settings.xml
| Scope | Details |
|---|---|
| Aliases | - |
| Type | map[string]interface{} |
| Mandatory | no |
| Default | $PIPER_bindings (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
buildEnvVars¶
Map of custom environment variables used during a build. Example:
buildEnvVars:
foo: bar
| Scope | Details |
|---|---|
| Aliases | - |
| Type | map[string]interface{} |
| Mandatory | no |
| Default | $PIPER_buildEnvVars (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
buildSettingsInfo¶
Build settings info is typically filled by the step automatically to create information about the build settings that were used during the mta build. This information is typically used for compliance related processes.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_buildSettingsInfo (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: custom/buildSettingsInfo |
buildpacks¶
List of custom buildpacks to use in the form of $HOSTNAME/$REPO[:$TAG]. When this property is specified, buildpacks which are part of the builder will be ignored.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | $PIPER_buildpacks (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: container/buildpacks |
containerCommand¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Allows to specify start command for container created with dockerImage parameter to overwrite Piper default (/usr/bin/tail -f /dev/null).
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
containerImageAlias¶
Logical name used for this image.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_containerImageAlias (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
containerImageName¶
Name of the container which will be built
cnbBuild step will try to identify a containerImageName using the following precedence:
containerImageNameparameter.project.idfield of aproject.tomlfile.git/repositoryparameter of thecommonPipelineEnvironment.github/repositoryparameter of thecommonPipelineEnvironment.
If none of the above was found - an error will be raised.
| Scope | Details |
|---|---|
| Aliases | dockerImageName |
| Type | string |
| Mandatory | no |
| Default | $PIPER_containerImageName (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
containerImageTag¶
Tag of the container which will be built
| Scope | Details |
|---|---|
| Aliases | artifactVersion |
| Type | string |
| Mandatory | yes |
| Default | $PIPER_containerImageTag (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: artifactVersioncommonPipelineEnvironment: reference to: git/commitId |
containerRegistryUrl¶
Container registry where the image should be pushed to.
Note: containerRegistryUrl should include only the domain. If you want to publish an image under docker.io/example/my-image, you must set containerRegistryUrl: "docker.io" and containerImageName: "example/my-image".
| Scope | Details |
|---|---|
| Aliases | dockerRegistryUrl |
| Type | string |
| Mandatory | yes |
| Default | $PIPER_containerRegistryUrl (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: container/registryUrl |
containerShell¶
Jenkins-specific: Used for proper environment setup.
Allows to specify the shell to be executed for container with containerName.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
createBOM¶
Creates the bill of materials (BOM) using Syft and stores it in a file in CycloneDX 1.4 format.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
customTlsCertificateLinks¶
List containing download links of custom TLS certificates. This is required to ensure trusted connections to registries with custom certificates.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | $PIPER_customTlsCertificateLinks (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
defaultProcess¶
Process that should be started by default. See https://buildpacks.io/docs/app-developer-guide/run-an-app/
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_defaultProcess (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerConfigJSON¶
Path to the file .docker/config.json - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the Docker documentation.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_dockerConfigJSON (if set) |
| Secret | yes |
| Configuration scope |
|
| Resource references | Jenkins credential id: id: dockerConfigJsonCredentialsIdVault paths:
|
dockerConfigJSONCPE¶
This property is intended only for reading the dockerConfigJSON from the Common Pipeline Environment. If you want to provide your own credentials, please refer to the dockerConfigJSON property. If both properties are set, the config files will be merged, with the dockerConfigJSON having higher priority.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_dockerConfigJSONCPE (if set) |
| Secret | yes |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: custom/dockerConfigJSON |
dockerEnvVars¶
Jenkins-specific: Used for proper environment setup.
Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].
| Scope | Details |
|---|---|
| Aliases | - |
| Type | map[string]string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerImage¶
Jenkins-specific: Used for proper environment setup.
Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | paketobuildpacks/builder-jammy-base:latest |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerName¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerOptions¶
Jenkins-specific: Used for proper environment setup.
Docker options to be set when starting the container.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | [{-u 0}] |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerPullImage¶
Jenkins-specific: Used for proper environment setup.
Set this to 'false' to bypass a docker image pull. Useful during development process. Allows testing of images which are available in the local registry only.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | true |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerVolumeBind¶
Jenkins-specific: Used for proper environment setup.
Volumes that should be mounted into the docker container.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | map[string]string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerWorkspace¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for environment variable HOME.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
expandBuildEnvVars¶
Expand environment variables used in buildEnvVars.
Example:
expandBuildEnvVars: true
buildEnvVars:
foo: ${BAR}
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
multipleImages¶
This parameter is only needed if cnbBuild should create multiple images.
Otherwise it can be ignored!!!
In case of multiple images, this array contains one entry for each image. That entry can override any parameter from the main section, e.g.
containerImageTag: latest
containerRegistryUrl: docker.io
dockerConfigJsonCredentialsId: CREDENTIALS
multipleImages:
- containerImageName: example/java-app
containerImageAlias: java
buildpacks:
- "gcr.io/paketo-buildpacks/java"
path: "source/java"
- containerImageName: example/nodejs-app
containerImageAlias: nodejs
containerImageTag: v1.0.0
buildpacks:
- "gcr.io/paketo-buildpacks/nodejs"
path: "source/nodejs"
| Scope | Details |
|---|---|
| Aliases | images |
| Type | []map[string]interface{} |
| Mandatory | no |
| Default | $PIPER_multipleImages (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
path¶
Glob that should either point to a directory with your sources or one artifact in zip format. This property determines the input to the buildpack.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_path (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
postBuildpacks¶
Buildpacks to append to the groups in the builder's order.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | $PIPER_postBuildpacks (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: container/postBuildpacks |
preBuildpacks¶
Buildpacks to prepend to the groups in the builder's order.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | $PIPER_preBuildpacks (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: container/preBuildpacks |
preserveFiles¶
List of globs, for keeping build results in the Jenkins workspace.
Note: globs will be calculated relative to the path property.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | $PIPER_preserveFiles (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
projectDescriptor¶
Relative path to the project.toml file.
See buildpacks.io for the reference.
Parameters passed to the cnbBuild step will take precedence over the parameters set in the project.toml file, except the env block.
Environment variables declared in a project descriptor file, will be merged with the buildEnvVars property, with the buildEnvVars having a precedence.
Note: The project descriptor path should be relative to what is set in the path property. If the path property is pointing to a zip archive (e.g. jar file), project descriptor path will be relative to the root of the workspace.
Note: Inline buildpacks (see specification) are not supported yet.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | project.toml |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
runImage¶
Base image from which application images are built. Will be defaulted to the image provided by the builder.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_runImage (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
script¶
Jenkins-specific: Used for proper environment setup.
The common script environment of the Jenkinsfile running. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g. configuration parameters.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | Jenkins Script |
| Mandatory | yes |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
syftDownloadUrl¶
Specifies the download url of the Syft Linux amd64 tar binary file. This can be found at https://github.com/anchore/syft/releases/.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | https://github.com/anchore/syft/releases/download/v0.62.3/syft_0.62.3_linux_amd64.tar.gz |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
verbose¶
verbose output
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerConfigJsonCredentialsId¶
Jenkins-specific: Used for proper environment setup. See using credentials for details.
Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)) in the following format:
{
"auths": {
"$server": {
"auth": "base64($username + ':' + $password)"
}
}
}
Example:
{
"auths": {
"example.com": {
"auth": "dXNlcm5hbWU6cGFzc3dvcmQ="
}
}
}
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Configuration scope |
|
Additional hints¶
To run the cnbBuild with a different builder, you can specify the dockerImage parameter.
Without specifying it, the step will run with the paketobuildpacks/builder:base builder.
Default Excludes¶
When building images, these files/folders are excluded from the build by default:
- Piper binary:
piper - Piper configuration folder:
.pipeline - Git folder:
.git
This behavior can be overwritten by using the respective sections in project.toml. Keep in mind that by doing so, no default excludes will be applied by the cnbBuild step at all.
Examples¶
Example 1: simple usage¶
cnbBuild(
script: this,
dockerConfigJsonCredentialsId: 'DOCKER_REGISTRY_CREDS',
containerImageName: 'images/example',
containerImageTag: 'v0.0.1',
containerRegistryUrl: 'gcr.io'
)
Example 2: User provided builder¶
cnbBuild(
script: this,
dockerConfigJsonCredentialsId: 'DOCKER_REGISTRY_CREDS',
dockerImage: 'paketobuildpacks/builder:base',
containerImageName: 'images/example',
containerImageTag: 'v0.0.1',
containerRegistryUrl: 'gcr.io'
)
Example 3: User provided buildpacks¶
cnbBuild(
script: this,
dockerConfigJsonCredentialsId: 'DOCKER_REGISTRY_CREDS',
containerImageName: 'images/example',
containerImageTag: 'v0.0.1',
containerRegistryUrl: 'gcr.io',
buildpacks: ['gcr.io/paketo-buildpacks/nodejs', 'paketo-community/build-plan']
)
Example 4: Build environment variables¶
cnbBuild(
script: this,
dockerConfigJsonCredentialsId: 'DOCKER_REGISTRY_CREDS',
containerImageName: 'images/example',
containerImageTag: 'v0.0.1',
containerRegistryUrl: 'gcr.io',
buildEnvVars: [
"FOO": "BAR"
]
)