The latest articles on DEV Community by Hideki Igarashi (@hideki). https://dev.to/hideki https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F42385%2F4863d13e-5034-4a97-b62e-92614fb93ca6.png https://dev.to/hideki en Hideki Igarashi Wed, 04 Dec 2019 03:41:08 +0000 https://dev.to/hideki/build-and-push-a-docker-oci-image-with-kaniko-github-packages-ee https://dev.to/hideki/build-and-push-a-docker-oci-image-with-kaniko-github-packages-ee <p><a href="https://github.com/features/packages">GitHub Packages</a> provides a Docker container management platform.</p> <p>This article introduces how to push an image using it as a repository of <a href="https://github.com/GoogleContainerTools/kaniko">kaniko</a>.</p> <p>kaniko is a tool for Kubernetes, but you can use it without Kubernetes.</p> <p>By using kaniko, there is a benefit of using the cache with GitHub Packages.</p> <h2> Push image from the local environment </h2> <h3> Generate a personal access token </h3> <p>Generate a personal access token to access the registry in your <a href="https://github.com/settings/tokens/new?scopes=repo,write:packages,read:packages,delete:packages">GitHub settings</a>.</p> <p>The token needs the following scopes:</p> <ul> <li>repo</li> <li>write:packages</li> <li>read:packages</li> <li>delete:packages</li> </ul> <h3> Create a config.json </h3> <p>Get your GitHub username and token encoded in base64:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">echo</span> <span class="nt">-n</span> username:access_token | <span class="nb">base64</span> </code></pre></div> <p>Create a <code>config.json</code> file with GitHub package registry hostname and the previous generated base64 string:<br> </p> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"auths"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"docker.pkg.github.com"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"auth"</span><span class="p">:</span><span class="w"> </span><span class="s2">"xxxxxxxxxxxxxxxxx"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <h3> Run kaniko </h3> <p>Run kaniko with the <code>config.json</code>.</p> <p>Also, put the <code>Dockerfile</code> you want to build in the same directory.</p> <p>The command to execute is as follows:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>docker run <span class="se">\</span> <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>:/workspace <span class="se">\</span> <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>/config.json:/kaniko/.docker/config.json:ro <span class="se">\</span> gcr.io/kaniko-project/executor:latest <span class="se">\</span> <span class="nt">--context</span> <span class="nb">dir</span>:///workspace/ <span class="se">\</span> <span class="nt">--dockerfile</span> Dockerfile <span class="se">\</span> <span class="nt">--destination</span> docker.pkg.github.com/&lt;org&gt;/&lt;repos&gt;/&lt;image&gt;:&lt;tag&gt; <span class="se">\</span> <span class="nt">--cache</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--cache-repo</span> docker.pkg.github.com/&lt;org&gt;/&lt;repos&gt;/&lt;image&gt;-cache </code></pre></div> <p>The cache repository is separate from the destination because GitHub Packages does not support <code>&lt;org&gt;/&lt;repos&gt;/&lt;image&gt;/cache</code> style.</p> <h2> Push image from GitHub Actions </h2> <p>Full example: <a href="https://github.com/ganta/example-kaniko-with-github-packages">https://github.com/ganta/example-kaniko-with-github-packages</a></p> <p>In this example, the workflow runs under the following conditions:</p> <ul> <li>When pushed to a branch except for the master, build an image</li> <li>When pushed to the master branch, add the latest tag and push the image</li> <li>When you push a tag in the version number format, add the tag of that number and push the image</li> </ul> <p>Create two workflows to build and push.</p> <p>To run the build workflow on a branch excluding master (<code>.github/workflows/build.yml</code>):<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches-ignore</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">master</span> </code></pre></div> <p>To run the push workflow on the master branch or a version number format tag (<code>.github/workflows/push.yml</code>):<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">master</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">[0-9]+.[0-9]+.[0-9]+'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">[0-9]+.[0-9]+.[0-9]+-*'</span> </code></pre></div> <p>Add a step to generate <code>config.json</code> to pass GitHub Packages authentication:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate a config.json</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;JSON &gt; config.json</span> <span class="s">{</span> <span class="s">"auths": {</span> <span class="s">"docker.pkg.github.com": {</span> <span class="s">"auth": "$(echo -n :${{ secrets.GITHUB_TOKEN }} | base64)"</span> <span class="s">}</span> <span class="s">}</span> <span class="s">}</span> <span class="s">JSON</span> <span class="s">...</span> </code></pre></div> <p>When using <code>secrets.GITHUB_TOKEN</code>, the user name is not required.</p> <p>The execution method of kaniko is the same as when executing locally.</p> <p>For builds, use the <code>--no-push</code> option instead of the<code>--destination</code> option.<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build an image</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run \</span> <span class="s">-v $(pwd):/workspace \</span> <span class="s">-v $(pwd)/config.json:/kaniko/.docker/config.json:ro \</span> <span class="s">gcr.io/kaniko-project/executor:latest \</span> <span class="s">--context dir:///workspace/ \</span> <span class="s">--dockerfile Dockerfile \</span> <span class="s">--cache=true \</span> <span class="s">--cache-repo docker.pkg.github.com/${GITHUB_REPOSITORY}/${IMAGE_NAME}-cache \</span> <span class="s">--no-push</span> </code></pre></div> <p>In the case of a push, you can get the tag to attach to the image from the <code>GITHUB_REF</code> environment variable.<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push an image</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">tag=${GITHUB_REF##*/}</span> <span class="s">if [[ ${tag} == master ]]</span> <span class="s">then</span> <span class="s">tag="latest"</span> <span class="s">fi</span> <span class="s">echo "tag: ${tag}"</span> <span class="s">docker run \</span> <span class="s">-v $(pwd):/workspace \</span> <span class="s">-v $(pwd)/config.json:/kaniko/.docker/config.json:ro \</span> <span class="s">gcr.io/kaniko-project/executor:latest \</span> <span class="s">--context dir:///workspace/ \</span> <span class="s">--dockerfile Dockerfile \</span> <span class="s">--destination docker.pkg.github.com/${GITHUB_REPOSITORY}/${IMAGE_NAME}:${tag} \</span> <span class="s">--cache=true \</span> <span class="s">--cache-repo docker.pkg.github.com/${GITHUB_REPOSITORY}/${IMAGE_NAME}-cache</span> </code></pre></div> <h2> Conclusion </h2> <p>In this way, you can smoothly run kaniko with GitHub Packages.</p> <p>Also, you can use <code>secrets.GITHUB_TOKEN</code> in GitHub Actions, so you don't have to struggle with authentication.</p> <p>Even if you are not in Kubernetes, you can benefit from caching by using kaniko instead of <code>docker build</code>.</p> docker github kaniko