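I want to develop a workflow in which a developer makes changes to the code and that code is continuously deployed to a test Kubernetes AWS EKS cluster.
Since we are using the ARM flavor, images are built by Kaniko in the EKS cluster.
Skaffold looks like a good solution for such a workflow, but I can't get it started in my environment.
I am using the following skaffold.yaml: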
---
apiVersion: skaffold/v2beta26
kind: Config
metadata:
  name: releases
build:
  artifacts:
    - image: <account id>.dkr.ecr.<region>.amazonaws.com/releases
      kaniko:
        cache:
          repo: <account id>.dkr.ecr.<region>.amazonaws.com/cache
  cluster:
    dockerConfig:
      secretName: skaffold-docker-config
skaffold build fails to run:
> skaffold build
Generating tags...
- <account id>.dkr.ecr.<region>.amazonaws.com/releases -> <account id>.dkr.ecr.<region>.amazonaws.com/releases:1ef2c39-dirty
Checking cache...
- <account id>.dkr.ecr.<region>.amazonaws.com/releases: Not found. Building
Starting build...
Creating docker config secret [skaffold-docker-config]...
checking for existing kaniko secret: Unauthorized
From the trace log, I see a 401 error from the registry:
TRAC[0000] Checking base image <account id>.dkr.ecr.<region>.amazonaws.com/releases:arm64-v0.1.5 for ONBUILD triggers. subtask=-1 task=DevLoop
TRAC[0000] --> GET https://<account id>.dkr.ecr.<region>.amazonaws.com/v2/
TRAC[0000] GET /v2/ HTTP/1.1
TRAC[0000] Host: <account id>.dkr.ecr.<region>.amazonaws.com
TRAC[0000] User-Agent: Go-http-client/1.1
TRAC[0000] Accept-Encoding: gzip
TRAC[0000]
TRAC[0000]
TRAC[0000] <-- 401 https://<account id>.dkr.ecr.<region>.amazonaws.com/v2/ (189.277611ms)
TRAC[0000] HTTP/1.1 401 Unauthorized
TRAC[0000] Content-Length: 15
TRAC[0000] Content-Type: text/plain; charset=utf-8
TRAC[0000] Date: Mon, 31 Jan 2022 08:00:51 GMT
TRAC[0000] Docker-Distribution-Api-Version: registry/2.0
TRAC[0000] Sizes:
TRAC[0000] Www-Authenticate: Basic realm="https://<account id>.dkr.ecr.<region>.amazonaws.com/",service="ecr.amazonaws.com"
TRAC[0000]
TRAC[0000] Not Authorized
But I can pull images just fine on my laptop.
There are other successful GET requests in the trace:
TRAC[0000] --> GET https://<account id>.dkr.ecr.<region>.amazonaws.com/v2/releases/manifests/arm64-v0.1.5
TRAC[0000] GET /v2/releases/manifests/arm64-v0.1.5 HTTP/1.1
TRAC[0000] Host: <account id>.dkr.ecr.<region>.amazonaws.com
TRAC[0000] User-Agent: go-containerregistry/v0.7.0
TRAC[0000] Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
TRAC[0000] Authorization: <redacted>
TRAC[0000] Accept-Encoding: gzip
TRAC[0000]
TRAC[0000]
TRAC[0000] <-- 200 https://<account id>.dkr.ecr.<region>.amazonaws.com/v2/releases/manifests/arm64-v0.1.5 (101.445121ms)
TRAC[0000] HTTP/1.1 200 OK
TRAC[0000] Content-Length: 1723
TRAC[0000] Content-Type: application/vnd.docker.distribution.manifest.v2+json
TRAC[0000] Date: Mon, 31 Jan 2022 08:00:51 GMT
TRAC[0000] Docker-Distribution-Api-Version: registry/2.0
On the AWS EKS cluster side, I use the instance principal for ECR authentication, and a job like this with a kaniko build works fine:
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    controller-uid: 27ec2141-e691-4217-940d-02dc87b894cc
    job-name: releases-job
  name: releases-job
spec:
  selector:
    matchLabels:
      controller-uid: 27ec2141-e691-4217-940d-02dc87b894cc
  template:
    metadata:
      labels:
        controller-uid: 27ec2141-e691-4217-940d-02dc87b894cc
        job-name: releases-job
    spec:
      containers:
        - args:
            - --context=$(CONTEXT)
            - --dockerfile=$(DOCKERFILE_LOCATION)
            - --destination=<account id>.dkr.ecr.<region>.amazonaws.com/$(REPO):$(TAG)
            - --cache-repo=<account id>.dkr.ecr.<region>.amazonaws.com/cache
            - --cache=true
          env:
            - name: CONTEXT
              value: git://github.com/account/releases.git
            - name: DOCKERFILE_LOCATION
              value: docker/Dockerfile
            - name: REPO
              value: releases
            - name: TAG
              value: arm64-v0.1.5
          image: gcr.io/kaniko-project/executor:latest
          name: kaniko
          volumeMounts:
            - mountPath: /kaniko/.docker/
              name: docker-config
      volumes:
        - configMap:
            defaultMode: 420
            name: releases-docker-config-c28k6bh5tm
          name: docker-config
---
apiVersion: v1
data:
  config.json: '{ "credsStore": "ecr-login" }'
kind: ConfigMap
metadata:
  name: releases-docker-config-c28k6bh5tm
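
An added example, not part of the original post: the two registry exchanges in the trace differ in whether an Authorization header was sent, and this Python code pairs each `-->` request with its `<--` response to separate a 401 that challenges an anonymous request from a 401 that rejects supplied credentials. The function name, the verdict labels and the condensed sample trace are constructed for illustration.

```python
import re

# Constructed sample: condensed from the trace lines quoted in the post
# (placeholders kept as written, some headers dropped).
SAMPLE_TRACE = """\
TRAC[0000] --> GET https://<account id>.dkr.ecr.<region>.amazonaws.com/v2/
TRAC[0000] GET /v2/ HTTP/1.1
TRAC[0000] User-Agent: Go-http-client/1.1
TRAC[0000]
TRAC[0000] <-- 401 https://<account id>.dkr.ecr.<region>.amazonaws.com/v2/ (189.277611ms)
TRAC[0000] HTTP/1.1 401 Unauthorized
TRAC[0000] Www-Authenticate: Basic realm="https://<account id>.dkr.ecr.<region>.amazonaws.com/",service="ecr.amazonaws.com"
TRAC[0000] --> GET https://<account id>.dkr.ecr.<region>.amazonaws.com/v2/releases/manifests/arm64-v0.1.5
TRAC[0000] User-Agent: go-containerregistry/v0.7.0
TRAC[0000] Authorization: <redacted>
TRAC[0000] <-- 200 https://<account id>.dkr.ecr.<region>.amazonaws.com/v2/releases/manifests/arm64-v0.1.5 (101.445121ms)
"""

PREFIX = re.compile(r"^TRAC\[\d+\] ?")      # log-level prefix on every trace line
REQUEST = re.compile(r"^--> (\S+) (.+)$")   # "--> METHOD URL"
RESPONSE = re.compile(r"^<-- (\d{3}) ")     # "<-- STATUS URL (duration)"

def classify_exchanges(trace):
    """Pair each request with its response and label how auth was handled."""
    exchanges, current = [], None
    for raw in trace.splitlines():
        line = PREFIX.sub("", raw)
        if m := REQUEST.match(line):
            current = {"method": m[1], "url": m[2], "auth_sent": False,
                       "status": None, "challenge": None}
            exchanges.append(current)
        elif current is None:
            continue  # noise before the first request
        elif m := RESPONSE.match(line):
            current["status"] = int(m[1])
        elif line.lower().startswith("authorization:") and current["status"] is None:
            current["auth_sent"] = True  # header seen on the request side
        elif line.lower().startswith("www-authenticate:"):
            current["challenge"] = line.split(":", 1)[1].split()[0]  # auth scheme
    for e in exchanges:
        if e["status"] == 401:
            e["verdict"] = ("credentials rejected" if e["auth_sent"]
                            else "challenge to anonymous request")
        else:
            e["verdict"] = "ok" if e["status"] and e["status"] < 400 else "other"
    return exchanges
```
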