我正在尝试使用 Knative 构建和推送 docker 映像。我有一个 Maven Java 应用程序和一个Dockerfile
构建和运行该应用程序的多阶段:
WORKDIR /usr/app
COPY pom.xml ./
COPY src/ ./src/
RUN mvn package
FROM openjdk:8-jdk-alpine
WORKDIR /usr/app
ENV PORT 8080
COPY --from=build /usr/app/target/*.jar ./app.jar
CMD ["java", "-jar", "/usr/app/app.jar"]
我想构建应用程序并将其推送到 gcr 存储库。所以我有一个ServiceAccount
和一个Build
:
apiVersion: v1
data:
password: ENCODED_PASS
username: ENCODED_USERNAME
kind: Secret
metadata:
annotations:
build.knative.dev/docker-0: https://gcr.io
name: knative-build-auth
namespace: default
resourceVersion: "3001"
selfLink: /api/v1/namespaces/default/secrets/knative-build-auth
type: kubernetes.io/basic-auth
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: knative-build
secrets:
- name: knative-build-auth
---
apiVersion: build.knative.dev/v1alpha1
kind: Build
metadata:
name: example-build
spec:
serviceAccountName: knative-build
source:
git:
url: https://github.com/pathtorepo.git
revision: master
steps:
- name: build-and-push
image: gcr.io/kaniko-project/executor:v0.1.0
args:
- --dockerfile=/workspace/Dockerfile
- --destination=gcr.io/$projectid/my-build
我试着用kaniko-project
这个。但是,使用它存在一些问题。版本0.1.0
适用于简单的Dockerfile
:
FROM ubuntu
CMD ["/bin/sh", "-c", "echo Hiiiiiii"]
但不支持Dockerfile
访问被拒绝错误的 multistaging s 和 fils。任何其他版本的kaniko
都不起作用,并且失败。在多阶段构建的 0.1.0 版本的日志中,我可以看到以下错误:2019/07/02 14:43:13 No matching credentials found for index.docker.io, fall back on anonymous time="2019-07 -02T14:43:15Z" level=info msg="保存依赖项 []" time="2019-07-02T14:43:15Z" level=error msg="复制失败:未指定源文件"
和构建的状态:
conditions:
- lastTransitionTime: "2019-07-02T14:43:16Z"
message: 'build step "build-step-build-and-push" exited with code 1 (image: "docker-pullable://gcr.io/kaniko-project/executor@sha256:501056bf52f3a96f151ccbeb028715330d5d5aa6647e7572ce6c6c55f91ab374");
for logs run: kubectl -n default logs example-build-pod-7d95a9 -c build-step-build-and-push'
status: "False"
type: Succeeded
对于kaniko
高于 0.1.0 的任何其他版本,这是错误:
error pushing image: failed to push to destination gcr.io/star-wars-istio/reverse-function:latest: DENIED: Access denied.
同样在日志中有类似的东西:
ERROR: logging before flag.Parse: E0702 14:54:23.003241 1 metadata.go:142] while reading 'google-dockercfg' metadata: http status code: 404 while fetching url http://metadata.google.internal./computeMetadata/v1/instance/attributes/google-dockercfg
我在他们的回购中发现了一个问题,该问题已关闭。但是,它仍然可以重现。这是github问题
我可以确认我ServiceAccount
的做法是正确的,因为我能够使用此配置构建和推送一个简单的 docker 映像。我还尝试了不同的图像来构建和推送。例如这里描述的那个。即使我已经按照那里描述的所有步骤进行操作(按照说明创建我ServiceAccount
的说明,它适用于一个简单的 Dockerfile),但当我尝试构建和推送我的应用程序时它仍然失败。因此,当我应用以下构建时:
apiVersion: build.knative.dev/v1alpha1
kind: Build
metadata:
name: reverse-build
spec:
serviceAccountName: knative-build
source:
git:
url: https://github.com/lvivJavaClub/spring-cloud-functions.git
revision: init-knative
subPath: reverse-function
steps:
- name: build-and-push
image: gcr.io/cloud-builders/mvn
args: ["compile", "jib:build", "-Dimage=gcr.io/star-wars-istio/reverse-function"]
构建失败,我在日志中收到错误:
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.3:build (default-cli) on project reverse: Build image failed, perhaps you should set a credential helper name with the configuration '<from><credHelper>' or set credentials for 'gcr.io' in your Maven settings: com.google.api.client.http.HttpResponseException: 401 Unauthorized
[ERROR] {"errors":[{"code":"UNAUTHORIZED","message":"You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"}]}