k8s-buildkit-job.yaml
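---
# Kubernetes Job that runs a rootless BuildKit build of the "checker" image.
# Flow: the init containers stage a source archive into /workspace and put the
# AWS ECR credential helper on the PATH; the buildkit container then builds the
# Dockerfile found in /workspace, using a local cache on a retained volume.
# Lines prefixed with "#<ENV>_ECR" and the *_PLACEHOLDER tokens are filled in by
# whatever renders this manifest before it is applied (they are left verbatim here).
apiVersion: batch/v1
kind: Job
metadata:
  generateName: buildkit-
  labels:
    app.kubernetes.io/name: ccs-conclave-document-check
spec:
  # NOTE(review): no backoffLimit is set, so a failed build pod is re-created up to
  # the Job default (6 retries) — confirm that is intended for a build job.
  template:
    metadata:
      annotations:
        # Rootless BuildKit needs the default AppArmor profile lifted for the
        # "buildkit" container; see buildkit/docs/rootless.md for caveats of rootless mode.
        container.apparmor.security.beta.kubernetes.io/buildkit: unconfined
    spec:
      securityContext:
        # Volumes that support ownership management are made group-owned by GID 1000
        # so the non-root (1000:1000) containers below can share them.
        fsGroup: 1000
      # "serviceAccount" is a deprecated alias; "serviceAccountName" is the supported field.
      serviceAccountName: buildkit
      # NOTE(review): the service-account token is mounted into every container by
      # default; if nothing in this pod talks to the Kubernetes API, consider
      # automountServiceAccountToken: false.
      restartPolicy: Never
      initContainers:
        # Does nothing — presumably a marker so an external watcher can tell the pod
        # has started; confirm against the caller.
        - name: started
          # NOTE(review): alpine:3.10 is past end of life; consider a current tag,
          # pinned by digest, for all alpine-based init containers.
          image: alpine:3.10
          command:
            - sh
            - -c
            - "true"
        # Waits 30s, presumably a window for an external step to copy repo.tar.gz
        # into /tmp (the "repo" volume) — confirm; nothing here checks the file arrived.
        - name: receive-archive
          image: alpine:3.10
          command:
            - sh
            - -c
            - sleep 30
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
          volumeMounts:
            - name: repo
              mountPath: /tmp
        # Unpacks the received archive into the workspace that buildkit builds from.
        - name: extract-archive
          image: alpine:3.10
          command:
            - sh
            - -c
            - "tar -zxf /tmp/repo.tar.gz -C /workspace"
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
          volumeMounts:
            - name: workspace
              mountPath: /workspace
            - name: repo
              mountPath: /tmp
              readOnly: true
        # This initContainer downloads the Docker Credential helper for AWS ECR. For efficiency, it caches it to an EFS volume
        # https://github.com/awslabs/amazon-ecr-credential-helper
        - name: aws-ecr-login
          image: alpine:3.10
          command:
            - sh
            - -c
            - |-
              set -eu
              bin=/binaries/docker-credential-ecr-login
              url=https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.7.1/linux-amd64/docker-credential-ecr-login
              # Download into a temp file and only move it into place on success, so a
              # failed or partial download is never cached on the shared volume and
              # silently reused by the next job.
              if [ ! -s "$bin" ]; then
                wget "$url" -O "$bin.tmp"
                # TODO(review): verify "$bin.tmp" against a pinned sha256 before trusting it
                mv "$bin.tmp" "$bin"
              fi
              cp "$bin" /usr/local/bin/docker-credential-ecr-login
              chmod +x /usr/local/bin/docker-credential-ecr-login
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
          volumeMounts:
            - name: local-bin
              mountPath: /usr/local/bin
            - name: binaries
              mountPath: /binaries
        # Use for debugging the previous initContainers
        # - name: sh
        #   image: alpine:3.10
        #   command:
        #     - sh
        #     - -c
        #     - "tail -f /dev/null"
        #   securityContext:
        #     runAsUser: 1000
        #     runAsGroup: 1000
        #   volumeMounts:
        #     - name: workspace
        #       mountPath: /workspace
      containers:
        - name: buildkit
          image: moby/buildkit:v0.12.1-rootless
          env:
            # Rootless mode without a process sandbox (see buildkit/docs/rootless.md).
            - name: BUILDKITD_FLAGS
              value: --oci-worker-no-process-sandbox
          command:
            - buildctl-daemonless.sh
          args:
            - build
            - --frontend
            - dockerfile.v0
            - --local
            - context=/workspace
            - --local
            - dockerfile=/workspace
            # Exactly one of the following --output pairs is expected to be uncommented
            # by the renderer for the target environment.
            #SANDBOX_ECR- --output
            #SANDBOX_ECR- "type=image,\"name=157055423267.dkr.ecr.eu-west-2.amazonaws.com/checker:TAG_PLACEHOLDER,157055423267.dkr.ecr.eu-west-2.amazonaws.com/checker:latest\",push=true"
            #DEV_ECR- --output
            #DEV_ECR- "type=image,\"name=671910228148.dkr.ecr.eu-west-2.amazonaws.com/checker:TAG_PLACEHOLDER,671910228148.dkr.ecr.eu-west-2.amazonaws.com/checker:latest\",push=true"
            #PRE_PROD_ECR- --output
            #PRE_PROD_ECR- type=image,name=321344124181.dkr.ecr.eu-west-2.amazonaws.com/checker:TAG_PLACEHOLDER,push=true
            #PROD_ECR- --output
            #PROD_ECR- type=image,name=PRODUCTION.dkr.ecr.eu-west-2.amazonaws.com/checker:TAG_PLACEHOLDER,push=true
            # Layer cache lives on the retained "buildkit-cache" volume under /cache.
            - --export-cache
            - type=local,mode=max,dest=/cache/conclave-document-check-checker
            - --import-cache
            - type=local,src=/cache/conclave-document-check-checker
            # TODO: Implement per-branch caching as per https://docs.docker.com/build/cache/backends/#multiple-caches
            # - --import-cache
            # - type=local,src=/cache/conclave-document-check-REF_PLACEHOLDER
          resources:
            limits:
              cpu: "4"
              memory: 4Gi
            requests:
              cpu: "4"
              memory: 4Gi
          securityContext:
            # TODO: Remove once confirmed not required
            capabilities:
              add:
                - chown
            # Lifts the default seccomp profile; rootless BuildKit documents this
            # together with the AppArmor annotation above (see buildkit/docs/rootless.md).
            # Needs Kubernetes >= 1.19
            seccompProfile:
              type: Unconfined
            runAsUser: 1000
            runAsGroup: 1000
          volumeMounts:
            # Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
            # but the default VOLUME does not work with rootless on Google's Container-Optimized OS
            # as it is mounted with `nosuid,nodev`.
            # https://github.com/moby/buildkit/issues/879#issuecomment-1240347038
            - name: buildkit
              mountPath: /home/user/.local/share/buildkit
            - name: buildkit-cache
              mountPath: /cache
            # Docker client config for the build; presumably selects the ECR
            # credential helper placed in /usr/local/bin — confirm against the ConfigMap.
            - name: docker-config
              mountPath: /home/user/.docker
              readOnly: true
            - name: local-bin
              mountPath: /usr/local/bin
              readOnly: true
            - name: workspace
              readOnly: true
              mountPath: /workspace
      volumes:
        # EFS volume where binaries are stored for quick access. Retained.
        - name: binaries
          persistentVolumeClaim:
            claimName: binaries
        # EBS volume used as the buildkit working directory. Needs to be big enough to do the build. Discarded at the end of the job.
        - name: buildkit
          persistentVolumeClaim:
            claimName: PVC_PLACEHOLDER
        # EFS volume for the local buildkit cache. Retained.
        - name: buildkit-cache
          persistentVolumeClaim:
            claimName: buildkit-cache
        - name: docker-config
          configMap:
            name: buildkit-docker-config
        # Scratch volumes shared between the init containers and the build container.
        - name: local-bin
          emptyDir: {}
        - name: repo
          emptyDir: {}
        - name: workspace
          emptyDir: {}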