kanikoExecute¶
Executes a Kaniko build for creating a Docker container.
Description¶
Executes a Kaniko build for creating a Docker container.
Building one container image¶
For building one container image the step expects that one of containerImage, containerImageName, or --destination (via buildOptions) is set.
Building multiple container images¶
The step allows you to build multiple container images with one run. This is suitable in case you need to create multiple images for one microservice, e.g. for testing.
All images will get the same "root" name and the same versioning.
Thus, this is not suitable for a monorepo approach! For monorepos you need to use a build tool natively capable of handling monorepos,
or implement custom logic, for example by executing this kanikoExecute
step multiple times in your custom pipeline.
You can activate multiple builds using the parameter containerMultiImageBuild.
Behavior can be adapted using:
- containerMultiImageBuildExcludes for defining excludes
- containerMultiImageBuildTrimDir for removing a parent directory part from the image name
Examples:
Multiple containers in sub directories¶
Configuration as follows:

```yaml
general:
  containerImageName: myImage
steps:
  kanikoExecute:
    containerMultiImageBuild: true
```
The following Dockerfiles are available in the repository:
- sub1/Dockerfile
- sub2/Dockerfile
The following final image names will be built:
- myImage-sub1
- myImage-sub2
Multiple containers in sub directories while trimming a directory part¶
Configuration as follows:

```yaml
general:
  containerImageName: myImage
steps:
  kanikoExecute:
    containerMultiImageBuild: true
    containerMultiImageBuildTrimDir: .ci
```
The following Dockerfiles are available in the repository:
- .ci/sub1/Dockerfile
- .ci/sub2/Dockerfile
The following final image names will be built:
- myImage-sub1
- myImage-sub2
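The naming rules behind the two examples above (shared root name, directory suffix, trim directory, excludes) are easy to get wrong when directories nest or overlap. The following is an added example, not code from Project Piper, that reproduces the documented naming and adds a collision check the page does not cover. It assumes that nested directories are joined with "-", that a Dockerfile in the repository root keeps the bare root name, and that excludes are shell-style globs matched against the normalised relative path:

```python
import fnmatch
import posixpath


def derive_multi_image_names(root_name, dockerfiles, excludes=(), trim_dir=""):
    """Map each discovered Dockerfile path to the image name it would be built as.

    Documented behaviour this reproduces:
      * every image shares the root name (containerImageName),
      * the Dockerfile's directory becomes a suffix ("myImage-sub1"),
      * containerMultiImageBuildTrimDir strips a leading directory part,
      * containerMultiImageBuildExcludes drops Dockerfiles from the build.
    Assumptions not stated on the page: nested directories are joined with "-",
    a root-level Dockerfile keeps the bare root name, and excludes are globs.
    """
    trim = posixpath.normpath(trim_dir).strip("/") if trim_dir else ""
    names = {}   # Dockerfile path -> image name
    owners = {}  # image name -> Dockerfile path, used to detect collisions
    for raw in dockerfiles:
        path = posixpath.normpath(raw).lstrip("/")
        if any(fnmatch.fnmatch(path, posixpath.normpath(pat)) for pat in excludes):
            continue
        directory = posixpath.dirname(path)  # "" for a root-level Dockerfile
        if trim and (directory == trim or directory.startswith(trim + "/")):
            directory = directory[len(trim):].lstrip("/")
        suffix = directory.replace("/", "-")
        name = f"{root_name}-{suffix}" if suffix else root_name
        if name in owners:
            # Two Dockerfiles would be pushed under the same name; the later
            # build would silently overwrite the earlier image, so fail loudly.
            raise ValueError(
                f"image name {name!r} derived from both {owners[name]!r} and {path!r}"
            )
        owners[name] = path
        names[path] = name
    return names


if __name__ == "__main__":
    # Constructed repository layout matching the page's trim-directory example,
    # plus a root-level Dockerfile.
    found = [".ci/sub1/Dockerfile", ".ci/sub2/Dockerfile", "Dockerfile"]
    for dockerfile, image in derive_multi_image_names("myImage", found, trim_dir=".ci").items():
        print(f"{dockerfile} -> {image}")
```

Feed it the same values you would put into containerImageName, containerMultiImageBuildExcludes and containerMultiImageBuildTrimDir; a ValueError means two Dockerfiles would end up pushed under one name, which is worth catching before the build rather than after an image has been overwritten.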
Usage¶
We recommend to define values of step parameters via the .pipeline/config.yml file.
In this case, calling the step is essentially reduced to defining the step name.
Calling the step can be done either in an orchestrator specific way (e.g. via a Jenkins library step) or on the command line.

Jenkins pipeline:

```groovy
library('piper-lib-os')
kanikoExecute script: this
```

Command line:

```shell
piper kanikoExecute
```
Outputs¶
Output type | Details |
---|---|
commonPipelineEnvironment | |
Prerequisites¶
When pushing to a container registry, you need to maintain the respective credentials in your Jenkins credentials store:
Kaniko expects a Docker config.json file containing the credential information for registries.
You can create it like explained in the protecodeExecuteScan Prerequisites section.
Please copy this file and upload it to your Jenkins, for example
via Jenkins -> Credentials -> System -> Global credentials (unrestricted) -> Add Credentials:
- Kind: Secret file
- File: upload your config.json file
- ID: specify an id which you then use for the configuration of dockerConfigJsonCredentialsId (see below)
Treat this file as a secret: the auth entries in config.json are only base64-encoded, not encrypted.
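The config.json format Kaniko reads is the standard Docker client one: an "auths" object keyed by registry host, each holding base64("user:password") in an "auth" field. The following added example (not Piper's own code) builds such a file, merges a new registry into an existing one the way the page describes for containerRegistryUser/containerRegistryPassword together with dockerConfigJSON, and writes it owner-readable only. The registry hosts and credentials are constructed sample values; the assumption that Kaniko keys Docker Hub by the legacy index URL follows Docker's own convention:

```python
import base64
import json
import os

DOCKER_HUB_KEY = "https://index.docker.io/v1/"


def registry_key(registry_url):
    """Turn containerRegistryUrl (an http(s) URL) into the key used under "auths".

    Docker keys entries by host[:port]; Docker Hub is the one special case and
    uses the legacy index URL. Assumption: Kaniko resolves entries the same way.
    """
    host = registry_url.split("://", 1)[-1].rstrip("/")
    if host in ("docker.io", "index.docker.io"):
        return DOCKER_HUB_KEY
    return host


def add_registry_auth(config, registry_url, user, password):
    """Return a new config with credentials for registry_url added.

    Entries for other registries are left untouched: the "existing file will
    be enhanced" behaviour the page describes. The input dict is not mutated.
    """
    merged = json.loads(json.dumps(config)) if config else {}
    auths = merged.setdefault("auths", {})
    # The "auth" field is base64("user:password"): encoding, not encryption.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    auths[registry_key(registry_url)] = {"auth": token}
    return merged


def decode_auth(entry):
    """Recover (user, password) from an "auths" entry, e.g. to verify a file.

    Registry user names cannot contain ":", so splitting on the first colon is safe
    even when the password contains one.
    """
    user, _, password = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
    return user, password


def write_config_json(path, config):
    """Write config.json with mode 0600 so other users on a shared build agent
    cannot read the registry credentials."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    return path


if __name__ == "__main__":
    # Constructed input: a config.json that already holds a Docker Hub pull secret.
    existing = {"auths": {DOCKER_HUB_KEY: {"auth": base64.b64encode(b"hubuser:hubtoken").decode()}}}
    config = add_registry_auth(existing, "https://my.registry.example:5000/", "ci-push", "s3cr3t")
    print(json.dumps(config, indent=2))
```

Upload the resulting file as the Jenkins "Secret file" credential described above; the base64 token is all an attacker needs to push to the registry, so the file must never be committed or echoed into build logs.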
Example¶
```groovy
kanikoExecute script: this
```
Parameters¶
Overview - Step¶
Name | Mandatory | Additional information |
---|---|---|
containerImageName | (yes) | mandatory if containerMultiImageBuild = true |
script | (yes) | reference to Jenkins main pipeline script |
buildOptions | no | |
buildSettingsInfo | no | |
containerBuildOptions | no | |
containerImage | no | |
containerImageTag | no | |
containerMultiImageBuild | no | |
containerMultiImageBuildExcludes | no | |
containerMultiImageBuildTrimDir | no | |
containerPreparationCommand | no | |
containerRegistryPassword | no | |
containerRegistryUrl | no | |
containerRegistryUser | no | |
createBOM | no | |
customTlsCertificateLinks | no | |
dockerConfigJSON | no | pass via ENV, Vault or Jenkins credentials (dockerConfigJsonCredentialsId ) |
dockerfilePath | no | |
multipleImages | no | |
readImageDigest | no | |
syftDownloadUrl | no | |
targetArchitectures | no | |
verbose | no | activates debug output |
Overview - Execution Environment¶
Orchestrator-specific only
These parameters are relevant for orchestrator usage and not considered when using the command line option.
Name | Mandatory | Additional information |
---|---|---|
containerCommand | no | |
containerShell | no | |
dockerEnvVars | no | |
dockerImage | no | |
dockerName | no | |
dockerOptions | no | |
dockerPullImage | no | |
dockerVolumeBind | no | |
dockerWorkspace | no | |
Details¶
buildOptions¶
Defines a list of build options for the kaniko build. Note that the default list contains --skip-tls-verify-pull, which disables TLS certificate verification when pulling base images; when you override buildOptions, consider leaving it out and using customTlsCertificateLinks to trust registries with private CAs instead. The --ignore-path entries keep the step's workspace and the busybox tooling out of the snapshotted image layers.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | --skip-tls-verify-pull, --ignore-path=/workspace, --ignore-path=/busybox |
Secret | no |
Configuration scope |
|
Resource references | none |
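As an added configuration example (not from the Piper documentation), the following .pipeline/config.yml fragment shows the effective default beside a hardened override that keeps the ignore paths, drops the TLS bypass and trusts the registry CA explicitly via customTlsCertificateLinks. The certificate URL is a placeholder for your own CA; --reproducible is a Kaniko flag that strips timestamps so that rebuilds produce identical digests.

```yaml
steps:
  kanikoExecute:
    # Effective default when buildOptions is not set:
    # buildOptions:
    #   - --skip-tls-verify-pull      # base-image pulls accept any certificate
    #   - --ignore-path=/workspace
    #   - --ignore-path=/busybox
    #
    # Hardened override: same ignore paths, TLS verification left on,
    # private CA supplied to the step instead of disabling verification.
    buildOptions:
      - --ignore-path=/workspace
      - --ignore-path=/busybox
      - --reproducible
    customTlsCertificateLinks:
      - https://pki.example.internal/ca/root-ca.crt   # placeholder URL
```

Because buildOptions replaces the default list rather than extending it, the two --ignore-path entries must be repeated in the override.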
buildSettingsInfo¶
Build settings info is typically filled by the step automatically to create information about the build settings that were used during the build. This information is typically used for compliance related processes.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_buildSettingsInfo (if set) |
Secret | no |
Configuration scope |
|
Resource references | commonPipelineEnvironment: reference to: custom/buildSettingsInfo |
containerBuildOptions¶
Deprecated, please use buildOptions. Defines the build options for the kaniko build.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_containerBuildOptions (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
containerCommand¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Allows to specify start command for container created with dockerImage parameter to overwrite Piper default (/usr/bin/tail -f /dev/null).
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | /busybox/tail -f /dev/null |
Secret | no |
Configuration scope |
|
Resource references | none |
containerImage¶
Defines the full name of the Docker image to be created including registry, image name and tag like my.docker.registry/path/myImageName:myTag. If containerImage is not provided, then containerImageName or --destination (via buildOptions) should be provided.
Scope | Details |
---|---|
Aliases | containerImageNameAndTag (deprecated) |
Type | string |
Mandatory | no |
Default | $PIPER_containerImage (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
containerImageName¶
Name of the container which will be built - will be used instead of parameter containerImage. If containerImageName is not provided, then containerImage or --destination (via buildOptions) should be provided.
Scope | Details |
---|---|
Aliases | dockerImageName |
Type | string |
Mandatory | mandatory if containerMultiImageBuild = true |
Default | $PIPER_containerImageName (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
containerImageTag¶
Tag of the container which will be built - will be used instead of parameter containerImage.
Scope | Details |
---|---|
Aliases | artifactVersion |
Type | string |
Mandatory | no |
Default | $PIPER_containerImageTag (if set) |
Secret | no |
Configuration scope |
|
Resource references | commonPipelineEnvironment: reference to: artifactVersion |
containerMultiImageBuild¶
Defines if multiple containers should be built. Dockerfiles are discovered using the pattern */Dockerfile. Excludes can be defined via containerMultiImageBuildExcludes.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | true, false |
Secret | no |
Configuration scope |
|
Resource references | none |
containerMultiImageBuildExcludes¶
Defines a list of Dockerfile paths to exclude from the build when using containerMultiImageBuild.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | $PIPER_containerMultiImageBuildExcludes (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
containerMultiImageBuildTrimDir¶
Defines a trailing directory part which should not be considered in the final image name.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_containerMultiImageBuildTrimDir (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
containerPreparationCommand¶
Defines the command to prepare the Kaniko container. By default the config.json shipped inside the Kaniko image is removed, so that registry access is anonymous unless credentials are supplied via dockerConfigJSON or containerRegistryUser/containerRegistryPassword.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | rm -f /kaniko/.docker/config.json |
Secret | no |
Configuration scope |
|
Resource references | none |
containerRegistryPassword¶
Password of the container registry where the image should be pushed to - it will be written into a docker config.json file. If a docker config.json file is provided via parameter dockerConfigJSON, then the existing file will be enhanced.
Scope | Details |
---|---|
Aliases | dockerRegistryPassword |
Type | string |
Mandatory | no |
Default | $PIPER_containerRegistryPassword (if set) |
Secret | no |
Configuration scope |
|
Resource references | commonPipelineEnvironment: reference to: container/repositoryPassword |
containerRegistryUrl¶
http(s) URL of the container registry where the image should be pushed to - will be used instead of parameter containerImage.
Scope | Details |
---|---|
Aliases | dockerRegistryUrl |
Type | string |
Mandatory | no |
Default | $PIPER_containerRegistryUrl (if set) |
Secret | no |
Configuration scope |
|
Resource references | commonPipelineEnvironment: reference to: container/registryUrl |
containerRegistryUser¶
Username of the container registry where the image should be pushed to - it will be written into a docker config.json file. If a docker config.json file is provided via parameter dockerConfigJSON, then the existing file will be enhanced.
Scope | Details |
---|---|
Aliases | dockerRegistryUser |
Type | string |
Mandatory | no |
Default | $PIPER_containerRegistryUser (if set) |
Secret | no |
Configuration scope |
|
Resource references | commonPipelineEnvironment: reference to: container/repositoryUsername |
containerShell¶
Jenkins-specific: Used for proper environment setup.
Allows to specify the shell to be executed for container with containerName.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | /busybox/sh |
Secret | no |
Configuration scope |
|
Resource references | none |
createBOM¶
Creates the bill of materials (BOM) using Syft and stores it in a file in CycloneDX 1.4 format.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | true, false |
Secret | no |
Configuration scope |
|
Resource references | none |
customTlsCertificateLinks¶
List containing download links of custom TLS certificates. This is required to ensure trusted connections to registries with custom certificates.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | $PIPER_customTlsCertificateLinks (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerConfigJSON¶
Path to the file .docker/config.json - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the Docker documentation.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_dockerConfigJSON (if set) |
Secret | yes |
Configuration scope |
|
Resource references | Jenkins credential id: dockerConfigJsonCredentialsId; Vault resource: dockerConfigFileVaultSecretName (default value: docker-config); Vault paths: |
dockerEnvVars¶
Jenkins-specific: Used for proper environment setup.
Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].
Scope | Details |
---|---|
Aliases | - |
Type | map[string]string |
Mandatory | no |
Default | map[container:docker] |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerImage¶
Jenkins-specific: Used for proper environment setup.
Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | gcr.io/kaniko-project/executor:debug |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerName¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerOptions¶
Jenkins-specific: Used for proper environment setup.
Docker options to be set when starting the container.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | -u 0, --entrypoint with an empty value (the container runs as root and the image entrypoint is cleared) |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerPullImage¶
Jenkins-specific: Used for proper environment setup.
Set this to 'false' to bypass a docker image pull. Useful during development process. Allows testing of images which are available in the local registry only.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | true |
Possible values | true, false |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerVolumeBind¶
Jenkins-specific: Used for proper environment setup.
Volumes that should be mounted into the docker container.
Scope | Details |
---|---|
Aliases | - |
Type | map[string]string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerWorkspace¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for environment variable HOME.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerfilePath¶
Defines the location of the Dockerfile relative to the Jenkins workspace.
Scope | Details |
---|---|
Aliases | dockerfile |
Type | string |
Mandatory | no |
Default | Dockerfile |
Secret | no |
Configuration scope |
|
Resource references | none |
multipleImages¶
This parameter is only needed if kanikoExecute should create multiple images using the same root Dockerfile, but with different sub-contexts.
Otherwise it can be ignored.
In case of multiple images, this array contains one entry for each image. Either containerImageName OR containerImage MUST be provided for each entry. contextSubPath MUST be provided for each entry.
Array keys:
- contextSubPath - Set a context subpath.
- dockerfilePath - Dockerfile path (optional). If empty, the root Dockerfile will be used.
- containerImageName - Name of the container which will be built.
- containerImageTag - Tag of the container which will be built. If empty, the root containerImageTag will be used.
- containerImage - Defines the full name of the Docker image to be created including registry.

```yaml
containerRegistryUrl: docker.io
containerImageTag: latest
multipleImages:
  - containerImageName: myImage1
    containerImageTag: v1.0.0
    contextSubPath: path/to/folder
```
Scope | Details |
---|---|
Aliases | images |
Type | []map[string]interface{} |
Mandatory | no |
Default | $PIPER_multipleImages (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
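The MUST rules above are easy to violate in a long multipleImages list, and the page does not say what happens when two entries resolve to the same push target. The following added example (not Piper's own code) validates each entry against those rules and resolves the effective context, Dockerfile and destination for it. It assumes that the root dockerfilePath defaults to "Dockerfile", that a per-entry dockerfilePath is relative to the repository root, and that a name-based entry is pushed to "<registry host>/<containerImageName>:<tag>":

```python
import posixpath


def resolve_multiple_images(root, images):
    """Validate multipleImages entries and resolve each against the root config.

    Rules stated on the page: every entry needs contextSubPath and exactly one of
    containerImageName / containerImage; containerImageTag falls back to the root
    containerImageTag; an empty dockerfilePath means the root Dockerfile.
    Assumptions: root dockerfilePath defaults to "Dockerfile", a per-entry
    dockerfilePath is relative to the repository root, and a name-based entry
    is pushed to "<registry host>/<name>:<tag>".
    """
    registry = root.get("containerRegistryUrl", "").split("://", 1)[-1].rstrip("/")
    resolved = []
    seen = {}  # destination -> entry index, to refuse two images with one target
    for idx, entry in enumerate(images):
        where = f"multipleImages[{idx}]"
        context = entry.get("contextSubPath")
        if not context:
            raise ValueError(f"{where}: contextSubPath is mandatory")
        name, full = entry.get("containerImageName"), entry.get("containerImage")
        if bool(name) == bool(full):
            raise ValueError(f"{where}: provide exactly one of containerImageName or containerImage")
        if full:
            destination = full
        else:
            tag = entry.get("containerImageTag") or root.get("containerImageTag")
            if not tag:
                raise ValueError(f"{where}: no containerImageTag on the entry or at root level")
            if not registry:
                raise ValueError(f"{where}: containerRegistryUrl is required with containerImageName")
            destination = f"{registry}/{name}:{tag}"
        if destination in seen:
            raise ValueError(f"{where}: destination {destination!r} already used by multipleImages[{seen[destination]}]")
        seen[destination] = idx
        dockerfile = entry.get("dockerfilePath") or root.get("dockerfilePath") or "Dockerfile"
        resolved.append({
            "context": posixpath.normpath(context),
            "dockerfile": posixpath.normpath(dockerfile),
            "destination": destination,
        })
    return resolved


if __name__ == "__main__":
    # Constructed configuration based on the page's multipleImages example,
    # extended by a second entry that inherits the root tag.
    root = {"containerRegistryUrl": "docker.io", "containerImageTag": "latest"}
    images = [
        {"containerImageName": "myImage1", "containerImageTag": "v1.0.0", "contextSubPath": "path/to/folder"},
        {"containerImageName": "myImage2", "contextSubPath": "other/folder", "dockerfilePath": "docker/Dockerfile.alt"},
    ]
    for item in resolve_multiple_images(root, images):
        print(item)
```

Running this over the configuration before invoking the step turns a late Kaniko failure (or a silently overwritten tag) into an early, specific error message.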
readImageDigest¶
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | true, false |
Secret | no |
Configuration scope |
|
Resource references | none |
script¶
Jenkins-specific: Used for proper environment setup.
The common script environment of the Jenkinsfile running. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g. configuration parameters.
Scope | Details |
---|---|
Aliases | - |
Type | Jenkins Script |
Mandatory | yes |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
syftDownloadUrl¶
Specifies the download URL of the Syft Linux amd64 tar binary file. This can be found at https://github.com/anchore/syft/releases/. The binary is downloaded at build time and executed inside the build, so keep the URL pinned to a specific release (as the default is) and point it at an internal mirror if arbitrary outbound downloads into the build environment are not acceptable.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | https://github.com/anchore/syft/releases/download/v1.4.1/syft_1.4.1_linux_amd64.tar.gz |
Secret | no |
Configuration scope |
|
Resource references | none |
targetArchitectures¶
Defines the target architectures for which the build should run using OS and architecture separated by a comma. (EXPERIMENTAL)
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
verbose¶
verbose output
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | true, false |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerConfigJsonCredentialsId¶
Jenkins-specific: Used for proper environment setup. See using credentials for details.
Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can create it like explained in the protecodeExecuteScan Prerequisites section.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Configuration scope |
|