Build an image for executing ko 🏗️

Instead of doing a lot of hacks to make sure we have all the tools we need to auth + invoke ko, let's build an image that has what we need in advance. Eventually we should be able to build this image and refer to the built image in our steps (tektoncd#639) but for now we'll have to hardcode it. We may also improve this image in tektoncd#631, or decide to move away from `ko` entirely.
bobcatfish · Mar 20, 2019 · bdd78b6 · bdd78b6
1 parent 9e7a67b
commit bdd78b6
Show file tree

Hide file tree

Showing 5 changed files with 116 additions and 39 deletions.
diff --git a/tekton/README.md b/tekton/README.md
@@ -13,6 +13,9 @@ to invoke these `Pipelines` automatically, but for now we will have to invoke th
 
 The `Tasks` which make up our release `Pipeline` are:
 
+* [`ci-images.yaml`](ci-images.yaml) - This `Task` uses [`kaniko`](https://github.com/GoogleContainerTools/kaniko)
+  to build and publish [images for the CI itself](#supporting-images), which can then be used as `steps` in
+  downstream `Tasks`
 * [`publish.yaml`](publish.yaml) - This `Task` uses [`kaniko`](https://github.com/GoogleContainerTools/kaniko)
   to build and publish base images, and uses [`ko`](https://github.com/google/go-containerregistry/tree/master/cmd/ko)
   to build all of the container images we release and generate the `release.yaml`
@@ -31,6 +34,14 @@ TODO(#569): Normally we'd use the image `PipelineResources` to control which ima
 However since we have so many images, all going to the same registry, we are cheating and using a parameter
 for the image registry instead.
 
+* [`ciimages-run.yaml`](ci-images-run.yaml) - This example `TaskRun` and `PipelineResources` demonstrate
+  how to invoke `ci-images.yaml`:
+
+  ```bash
+  kubectl apply -f tekton/ci-images.yaml
+  kubectl apply -f tekton/ci-images-run.yaml
+  ```
+
 * [`publish-run.yaml`](publish-run.yaml) - This example `TaskRun` and `PipelineResources` demonstrate
   how to invoke `publish.yaml`:
 
@@ -68,4 +79,24 @@ users.
 
 Some supporting scripts have been written using Python 2.7:
 
-* [koparse](./koparse) - Contains logic for parsing `release.yaml` files created by `ko`
+* [koparse](./koparse) - Contains logic for parsing `release.yaml` files created by `ko`
+
+## Supporting images
+
+TODO(#639) Ensure we are using the images that are published by the `Pipeline` itself.
+
+These images are built and published to be used by the release Pipeline itself.
+
+### ko image
+
+In order to run `ko`, and to be able to use a cluster's default credentials, we need an image which
+contains:
+
+* `ko`
+* `golang` - Required by `ko` to build
+* `gcloud` - Required to auth with default namespace credentials
+
+The image which we use for this is built from [tekton/ko/Dockerfile](./ko/Dockerfile).
+
+_[go-containerregistry#383](https://github.com/google/go-containerregistry/issues/383) is about publishing
+a `ko` image, which hopefully we'll be able to move it._
diff --git a/tekton/ci-images-run.yaml b/tekton/ci-images-run.yaml
@@ -0,0 +1,44 @@
+apiVersion: tekton.dev/v1alpha1
+kind: PipelineResource
+metadata:
+  name: tekton-pipelines
+spec:
+  type: git
+  params:
+  - name: url
+    value: https://github.com/tektoncd/pipeline # REPLACE with your own fork
+  - name: revision
+    value: master # REPLACE with your own commit
+---
+apiVersion: tekton.dev/v1alpha1
+kind: PipelineResource
+metadata:
+  name: ko-image
+spec:
+  type: image
+  params:
+   - name: url
+     value: ko-ci # Registry is provided via parameter, this is a hack see #569
+---
+apiVersion: tekton.dev/v1alpha1
+kind: TaskRun
+metadata:
+  name: publish-ci-images-run
+spec:
+  taskRef:
+    name: publish-ci-images
+  trigger:
+    type: manual
+  inputs:
+    resources:
+    - name: source
+      resourceRef:
+        name: tekton-pipelines
+    params:
+    - name: imageRegistry
+      value: gcr.io/tekton-releases # REPLACE with your own registry
+  outputs:
+    resources:
+    - name: builtKoImage
+      resourceRef:
+        name: ko-image
diff --git a/tekton/ci-images.yaml b/tekton/ci-images.yaml
@@ -0,0 +1,27 @@
+
+apiVersion: tekton.dev/v1alpha1
+kind: Task
+metadata:
+  name: publish-ci-images
+spec:
+  inputs:
+    resources:
+    - name: source
+      type: git
+    params:
+    - name: imageRegistry
+      description: TODO(#569) This is a hack to make it easy for folks to switch the registry being used by the many many image outputs
+  outputs:
+    resources:
+    - name: builtKoImage
+      type: image
+  steps:
+
+  - name: build-push-ko-image
+    image: gcr.io/kaniko-project/executor
+    command:
+    - /kaniko/executor
+    args:
+    - --dockerfile=/workspace/source/tekton/ko/Dockerfile
+    - --destination=${inputs.params.imageRegistry}/${outputs.resources.builtKoImage.url}
+    - --context=/workspace/source
diff --git a/tekton/ko/Dockerfile b/tekton/ko/Dockerfile
@@ -0,0 +1,10 @@
+FROM google/cloud-sdk:latest
+
+# Install golang
+RUN curl https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz > go1.12.1.tar.gz
+RUN tar -C /usr/local -xzf go1.12.1.tar.gz
+ENV PATH="${PATH}:/usr/local/go/bin"
+
+# Install ko
+ENV GOBIN=/usr/local/go/bin
+RUN go get github.com/google/go-containerregistry/cmd/ko
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
@@ -72,50 +72,20 @@ spec:
 
       cat /workspace/go/src/github.com/tektoncd/pipeline/.ko.yaml
 
-  # TODO(#631): publish a `ko` image
-  - name: install-ko
-    image: golang
-    env:
-    - name: GOBIN
-      value: /workspace
-    command: ["go"]
-    args:
-    - "get"
-    - "github.com/google/go-containerregistry/cmd/ko"
-
-  # TODO(#631): publish a `ko` image (which has golang)
-  - name: install-go
-    image: golang
-    env:
-    command:
-    - /bin/sh
-    args:
-    - -ce
-    - |
-      set -e
-      set -x
-      # TODO(#631): this is a hack to make the go binary available in a container that has gcloud
-      mkdir -p /workspace/golang
-      cp /usr/local/go/bin/go /workspace/golang/go
-      cp -R /usr/local/go /workspace/golang/localgo
-
   - name: ensure-release-dirs-exist
     image: busybox
     command: ["mkdir"]
     args:
     - "-p"
     - "/workspace/bucket/latest/"
     - "/workspace/bucket/previous/"
-  
+
   - name: run-ko
-    image: google/cloud-sdk
+    # TODO(#639) we should be able to use the image built by an upstream Task here instead of hardcoding
+    image: gcr.io/tekton-releases/ko-ci
     env:
     - name: KO_DOCKER_REPO
       value: ${inputs.params.imageRegistry}
-    - name: GOBIN
-      value: /workspace/golang
-    - name: GOPATH
-      value: /workspace/go
     command:
     - /bin/sh
     args:
@@ -124,11 +94,6 @@ spec:
       set -e
       set -x
 
-      # TODO(#631) Hacks to have the go binary available in this container
-      ls -lA /workspace/golang
-      cp -R /workspace/golang/localgo/ /usr/local/go
-      cp /workspace/golang/go /usr/bin/go
-
       # TODO(#631) This is a hack to auth with the default creds, need a solution that supports service accounts
       gcloud auth configure-docker