airship/charts
Code Issues Proposed changes
charts/tools/gate/jarvis/development-pipeline/templates/task-image.yaml
Dustin Specker ff0eaeb1c8 feat: enable development pipeline to pass behind proxy with TLS 
This is a squashed commit, keeping messages intact for history.

- feat(charts/development-pipeline): work behind corporate proxy

dockerd sidecar works behind proxy with cert. Proxy is only needed on
the sidecar to pull public images. The cert is mounted via a host path
so that the proxy may be trusted.

- fix(standard-container/roles): remove installing Helm push plugin

The standard-container Dockerfile already installs the Helm push plugin,
so no reason to try to install it in multiple ansible roles.

I suspect this was originally done because someone tried to use `helm
push` in the ansible role, but Helm couldn't find even though it was
installed in the image. But tekton defines a the HOME env var if you
describe the pod in a cluster. So if we just define HELM_DATA_HOME to
the location where the push plugin is installed we can remove having to
install it in the ansible roles.

- feat(standard-container/roles): use image.image_from for docker build

Change-Id: Ibc3c5f400978cb98d2d2a37b737b56125f4c2aa7
2021-03-10 15:09:11 +00:00

169 lines
5.1 KiB
YAML
Raw Blame History

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: image-tasks
namespace: {{ $.Release.Namespace }}
spec:
description: >-
This task builds images if source is provided
workspaces:
- name: k8s_cluster_data
- name: development_pipeline_data
steps:
- name: clone
image: {{ $.Values.tasks.image.buildImage }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
- mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
name: harbor-ca
subPath: harbor-ca
script: |
/jarvis/git_clone_image_repo.sh
- name: set-image-output
image: {{ $.Values.tasks.image.buildImage }}
script: |
#!/usr/bin/env sh
cat "$(workspaces.development_pipeline_data.path)/image.json"
- name: docker-build
image: {{ $.Values.tasks.image.buildImage }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
env:
# Connect to the sidecar over TCP, with TLS.
- name: DOCKER_HOST
value: tcp://localhost:2376
# Verify TLS.
- name: DOCKER_TLS_VERIFY
value: '1'
# Use the certs generated by the sidecar daemon.
- name: DOCKER_CERT_PATH
value: /certs/client
script: |
update-ca-certificates
/jarvis/build_docker_image.sh
- name: set-image-build-output-after-build
image: {{ $.Values.tasks.image.buildImage }}
script: |
#!/usr/bin/env sh
cat "$(workspaces.development_pipeline_data.path)/image.json"
- name: publish-and-scan-image
image: {{ $.Values.tasks.image.buildImage }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
- mountPath: /tekton/home/.docker/config.json
name: image-push-creds
subPath: .dockerconfigjson
env:
# Connect to the sidecar over TCP, with TLS.
- name: DOCKER_HOST
value: tcp://localhost:2376
# Verify TLS.
- name: DOCKER_TLS_VERIFY
value: '1'
# Use the certs generated by the sidecar daemon.
- name: DOCKER_CERT_PATH
value: /certs/client
script: |
/jarvis/push_docker_image.sh
- name: set-image-output-after-publish-scan
image: {{ $.Values.tasks.image.buildImage }}
script: |
#!/usr/bin/env sh
cat "$(workspaces.development_pipeline_data.path)/image.json"
- name: get-scan-results
image: {{ $.Values.tasks.image.buildImage }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
script: |
/jarvis/get_image_scan_results.sh
- name: set-image-output-set-scan-results
image: {{ $.Values.tasks.image.buildImage }}
script: |
#!/usr/bin/env sh
cat "$(workspaces.development_pipeline_data.path)/image.json"
sidecars:
- image: {{ $.Values.tasks.image.sidecarServer }}
name: server
script: |
# Alpine's update-ca-certificates does not support directories, so copy files
# Copy files instead of mounting to prevent overriding built-in certificates
if ls /internal-certs/*.crt ; then
cp /internal-certs/*.crt /usr/local/share/ca-certificates/
fi
update-ca-certificates
/usr/local/bin/dockerd-entrypoint.sh \
--storage-driver=overlay2 \
--userland-proxy=false \
--debug \
--insecure-registry={{ $.Values.tasks.image.insecureRegistry }}
##TODO: Get rid of privileged true
securityContext:
privileged: true
env:
# Write generated certs to the path shared with the client.
- name: DOCKER_TLS_CERTDIR
value: /certs
- name: http_proxy
value: {{ $.Values.proxy.http_proxy }}
- name: https_proxy
value: {{ $.Values.proxy.https_proxy }}
- name: no_proxy
value: {{ $.Values.proxy.no_proxy }}
- name: HTTP_PROXY
value: {{ $.Values.proxy.http_proxy }}
- name: HTTPS_PROXY
value: {{ $.Values.proxy.https_proxy }}
- name: NO_PROXY
value: {{ $.Values.proxy.no_proxy }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
- mountPath: /var/lib/docker
name: var-lib-docker
- mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
name: harbor-ca
subPath: harbor-ca
{{ if .Values.proxy.internal_certs_dir }}
- mountPath: /internal-certs
name: internal-certs
{{ end }}
# Wait for the dind daemon to generate the certs it will share with the
# client.
readinessProbe:
periodSeconds: 1
exec:
command: ['ls', '/certs/client/ca.pem']
volumes:
- name: dind-certs
emptyDir: {}
- name: var-lib-docker
emptyDir: {}
- name: image-push-creds
secret:
secretName: harbor-docker-auth
- name: helm-publish-creds
secret:
secretName: harbor-basic-auth
- name: harbor-ca
secret:
secretName: harbor-ca
{{ if .Values.proxy.internal_certs_dir }}
- name: internal-certs
hostPath:
path: {{ .Values.proxy.internal_certs_dir }}
type: Directory
{{ end }}
View Git Blame Copy Permalink