Skip to content

kanikoExecute

Executes a Kaniko build for creating a Docker container.

Description

Executes a Kaniko build for creating a Docker container.

Building multiple container images

The step allows you to build multiple container images with one run. This is suitable in case you need to create multiple images for one microservice, e.g. for testing.

All images will get the same "root" name and the same versioning.
Thus, this is not suitable to be used for a monorepo approach! For monorepos you need to use a build tool natively capable to take care for monorepos or implement a custom logic and for example execute this kanikoExecute step multiple times in your custom pipeline.

You can activate multiple builds using the parameter containerMultiImageBuild

Behavior can be adapted using:

Examples:

Multiple containers in sub directories

Configuration as follows:

general:
  containerImageName: myImage
steps:
  kanikoExecute:
    containerMultiImageBuild: true

Following Dockerfiles are available in the repository:

  • sub1/Dockerfile
  • sub2/Dockerfile

Following final image names will be built:

  • myImage-sub1
  • myImage-sub2

Multiple containers in sub directories while trimming a directory part

Configuration as follows:

general:
  containerImageName: myImage
steps:
  kanikoExecute:
    containerMultiImageBuild: true
    containerMultiImageBuildTrimDir: .ci

Following Dockerfiles are available in the repository:

  • .ci/sub1/Dockerfile
  • .ci/sub2/Dockerfile

Following final image names will be built:

  • myImage-sub1
  • myImage-sub2

Usage

We recommend to define values of step parameters via .pipeline/config.yml file.
In this case, calling the step is essentially reduced to defining the step name.
Calling the step can be done either in an orchestrator specific way (e.g. via a Jenkins library step) or on the command line.

library('piper-lib-os')

kanikoExecute script: this
piper kanikoExecute

Outputs

Output type Details
commonPipelineEnvironment
  • container/registryUrl
  • container/imageNameTag
  • container/imageDigest
  • container/imageNames
  • container/imageNameTags
  • container/imageDigests
  • custom/buildSettingsInfo

Prerequisites

When pushing to a container registry, you need to maintain the respective credentials in your Jenkins credentials store:

Kaniko expects a Docker config.json file containing the credential information for registries. You can create it like explained in the protocodeExecuteScan Prerequisites section.

Please copy this file and upload it to your Jenkins for example
via Jenkins -> Credentials -> System -> Global credentials (unrestricted) -> Add Credentials ->

  • Kind: Secret file
  • File: upload your config.json file
  • ID: specify id which you then use for the configuration of dockerConfigJsonCredentialsId (see below)

Example

kanikoExecute script:this

Parameters

Overview - Step

Name Mandatory Additional information
containerImageName (yes) mandatory in case of:
- containerMultiImageBuild=true
script (yes) Jenkins only reference to Jenkins main pipeline script
buildOptions no
buildSettingsInfo no
containerBuildOptions no
containerImage no
containerImageTag no
containerMultiImageBuild no
containerMultiImageBuildExcludes no
containerMultiImageBuildTrimDir no
containerPreparationCommand no
containerRegistryPassword no
containerRegistryUrl no
containerRegistryUser no
createBOM no
customTlsCertificateLinks no
dockerConfigJSON no Vault Secret pass via ENV, Vault or Jenkins credentials (dockerConfigJsonCredentialsId)
dockerfilePath no
readImageDigest no
syftDownloadUrl no
targetArchitectures no
verbose no activates debug output

Overview - Execution Environment

Orchestrator-specific only

These parameters are relevant for orchestrator usage and not considered when using the command line option.

Name Mandatory Additional information
containerCommand no Jenkins only
containerShell no Jenkins only
dockerEnvVars no
dockerImage no
dockerName no
dockerOptions no
dockerPullImage no
dockerVolumeBind no Jenkins only
dockerWorkspace no Jenkins only

Details

buildOptions

Defines a list of build options for the kaniko build.

back to overview

Scope Details
Aliases -
Type []string
Mandatory no
Default - --skip-tls-verify-pull
- --ignore-path=/workspace
- --ignore-path=/busybox
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildSettingsInfo

Build settings info is typically filled by the step automatically to create information about the build settings that were used during the mta build. This information is typically used for compliance related processes.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_buildSettingsInfo (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: custom/buildSettingsInfo

containerBuildOptions

Deprected, please use buildOptions. Defines the build options for the kaniko build.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_containerBuildOptions (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

containerCommand

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Allows to specify start command for container created with dockerImage parameter to overwrite Piper default (/usr/bin/tail -f /dev/null).

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default /busybox/tail -f /dev/null
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

containerImage

Defines the full name of the Docker image to be created including registry, image name and tag like my.docker.registry/path/myImageName:myTag. If left empty, image will not be pushed.

back to overview

Scope Details
Aliases containerImageNameAndTag (deprecated)
Type string
Mandatory no
Default $PIPER_containerImage (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

containerImageName

Name of the container which will be built - will be used instead of parameter containerImage

back to overview

Scope Details
Aliases dockerImageName
Type string
Mandatory mandatory in case of:
- containerMultiImageBuild=true
Default $PIPER_containerImageName (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

containerImageTag

Tag of the container which will be built - will be used instead of parameter containerImage

back to overview

Scope Details
Aliases artifactVersion
Type string
Mandatory no
Default $PIPER_containerImageTag (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: artifactVersion

containerMultiImageBuild

Defines if multiple containers should be build. Dockerfiles are used using the pattern */Dockerfile. Excludes can be defined via containerMultiImageBuildExcludes.

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

containerMultiImageBuildExcludes

Defines a list of Dockerfile paths to exclude from the build when using containerMultiImageBuild.

back to overview

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_containerMultiImageBuildExcludes (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

containerMultiImageBuildTrimDir

Defines a trailing directory part which should not be considered in the final image name.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_containerMultiImageBuildTrimDir (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

containerPreparationCommand

Defines the command to prepare the Kaniko container. By default the contained credentials are removed in order to allow anonymous access to container registries.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default rm -f /kaniko/.docker/config.json
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

containerRegistryPassword

Password of the Container registry where the image should be pushed to - which will updated in a docker config json file. If a docker config json file is provided via parameter dockerConfigJSON , then the existing file will be enhanced

back to overview

Scope Details
Aliases dockerRegistryPassword
Type string
Mandatory no
Default $PIPER_containerRegistryPassword (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: container/repositoryPassword

containerRegistryUrl

http(s) url of the Container registry where the image should be pushed to - will be used instead of parameter containerImage

back to overview

Scope Details
Aliases dockerRegistryUrl
Type string
Mandatory no
Default $PIPER_containerRegistryUrl (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: container/registryUrl

containerRegistryUser

Username of the Container registry where the image should be pushed to - which will updated in a docker config json file. If a docker config json file is provided via parameter dockerConfigJSON , then the existing file will be enhanced

back to overview

Scope Details
Aliases dockerRegistryUser
Type string
Mandatory no
Default $PIPER_containerRegistryUser (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: container/repositoryUsername

containerShell

Jenkins-specific: Used for proper environment setup.

Allows to specify the shell to be executed for container with containerName.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default /busybox/sh
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

createBOM

Creates the bill of materials (BOM) using Syft and stored in a file of CycloneDX 1.4 format.

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

List containing download links of custom TLS certificates. This is required to ensure trusted connections to registries with custom certificates.

back to overview

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_customTlsCertificateLinks (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerConfigJSON

Path to the file .docker/config.json - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the Docker documentation.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_dockerConfigJSON (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: dockerConfigJsonCredentialsId

Vault paths:
  • $(vaultPath)/docker-config
  • $(vaultBasePath)/$(vaultPipelineName)/docker-config
  • $(vaultBasePath)/GROUP-SECRETS/docker-config

dockerEnvVars

Jenkins-specific: Used for proper environment setup.

Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].

back to overview

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default map[container:docker]
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerImage

Jenkins-specific: Used for proper environment setup.

Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default gcr.io/kaniko-project/executor:debug
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerName

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerOptions

Jenkins-specific: Used for proper environment setup.

Docker options to be set when starting the container.

back to overview

Scope Details
Aliases -
Type []string
Mandatory no
Default [{-u 0} {--entrypoint }]
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerPullImage

Jenkins-specific: Used for proper environment setup.

Set this to 'false' to bypass a docker image pull. Useful during development process. Allows testing of images which are available in the local registry only.

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerVolumeBind

Jenkins-specific: Used for proper environment setup.

Volumes that should be mounted into the docker container.

back to overview

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerWorkspace

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for environment variable HOME.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerfilePath

Defines the location of the Dockerfile relative to the Jenkins workspace.

back to overview

Scope Details
Aliases dockerfile
Type string
Mandatory no
Default Dockerfile
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

readImageDigest

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

script

Jenkins-specific: Used for proper environment setup.

The common script environment of the Jenkinsfile running. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g. configuration parameters.

back to overview

Scope Details
Aliases -
Type Jenkins Script
Mandatory yes
Default
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references none

syftDownloadUrl

Specifies the download url of the Syft Linux amd64 tar binary file. This can be found at https://github.com/anchore/syft/releases/.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default https://github.com/anchore/syft/releases/download/v0.60.3/syft_0.60.3_linux_amd64.tar.gz
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☐ stages
Resource references none

targetArchitectures

Defines the target architectures for which the build should run using OS and architecture separated by a comma. (EXPERIMENTAL)

back to overview

Scope Details
Aliases -
Type []string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

verbose

verbose output

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerConfigJsonCredentialsId

Jenkins-specific: Used for proper environment setup. See using credentials for details.

Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can create it like explained in the protocodeExecuteScan Prerequisites section.

back to overview

Scope Details
Aliases -
Type string
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages