How can I securely push from a GitLab Runner KubernetesExecutor pod to a private container registry?
Question
Build a CI/CD pipeline multiple GitLab repositories with a certain project structure can make use of. For this, a Docker container with Python code is built and subsequently securely pushed to Google Cloud's Container Registry.
- KubernetesExecutor is installed on Kubernetes Engine using the Helm chart as provided by GitLab.
- The base image for the build process (runners.image in the values.yaml) is a custom one as this helps automatically containerising the provided repository. The reason this is worth mentioning is that this is from the same private repository as where the image should be pushed to.
- Right now, building the container from the repository runs successfully (see code below).
How can I push the image to the Container Registry without adding a service account key to a Docker image (otherwise, please convince me this isn't bad practice)?
.gitlab-ci.yml
services:
  - docker:19.03.1-dind
stages:
  - build
build:
  stage: build
  script:
    - docker build -t ${CONTAINER_REGISTRY}/python-container-test:latest .
    # This line is where I'd need to use `docker login`, I guess.
    - docker push ${CONTAINER_REGISTRY}/python-container-test:latest
values.yaml (Helm)
It's worth mentioning that the following environment variables are set by the GitLab Runner:
runners:
  env:
    DOCKER_DRIVER: overlay2
    DOCKER_HOST: tcp://localhost:2375
    DOCKER_TLS_CERTDIR: ""
    CONTAINER_REGISTRY: eu.gcr.io/<project_id>
Direction of the solution
I think I should be able to mount a secret from the Kubernetes cluster into the GitLab Runner build pod, but I can't seem to find a way to do this. Then I should be able to add the following line to .gitlab-ci.yml:
cat mounted_secret.json | docker login -u _json_key --password-stdin https://eu.gcr.io
Setting up config.toml to use a secret volume should work. However, with a Helm chart this doesn't seem possible yet.
- It is possible to set protected environment variables in GitLab CI, but I'd rather not, as they're harder to maintain.
- I've investigated this answer, but this says I need to add a key to my Docker image.
- Looked into the GitLab documentation on using a private container registry, but don't seem to get much further with that.
- A similar problem would occur when, for example, it must connect to a database during the build process.
Answer
Not with the default Helm charts as provided by GitLab. However, there is a workaround when customising them.
In templates/configmap.yaml, it's possible to edit the entrypoint. At the very end, the runner is started as follows:
# Start the runner
exec /entrypoint run --user=gitlab-runner \
    --working-directory=/home/gitlab-runner
For this to work, a config.toml is generated based upon the provided values.yaml (with the right Runner token). This means that right before this step, we could edit the config.toml to our needs. In my case, I simply added:
echo " [[runners.kubernetes.volumes.secret]]" >> ${CONFIG_FILE}
echo " name = \"{{ .Values.secretName }}\"" >> ${CONFIG_FILE}
echo " mount_path = \"/keys\"" >> ${CONFIG_FILE}
echo " read_only = true" >> ${CONFIG_FILE}
where ${CONFIG_FILE} is /home/gitlab-runner/.gitlab-runner/config.toml.
Finally, you can deploy your GitLab Runner using:
$ helm install project_name -f values.yaml <path to chart>
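The mechanism from the answer above, worked through as an added example that is not part of the original question or answer: a POSIX shell function that appends the same [[runners.kubernetes.volumes.secret]] block to the generated config.toml, but idempotently (re-running a customised entrypoint must not duplicate the block), plus a check on the mounted key file before it is piped to docker login. The secret name gcr-key, the mount path /keys and the file name key.json inside the secret are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumed values: secret name "gcr-key", mount path "/keys", key file "key.json".

# add_secret_volume CONFIG_FILE SECRET_NAME MOUNT_PATH
# Appends a [[runners.kubernetes.volumes.secret]] block to the runner's
# config.toml unless a block for the same secret is already present, so the
# entrypoint can be re-run without producing duplicate volume entries.
add_secret_volume() {
    config_file="$1"; secret_name="$2"; mount_path="$3"
    if grep -q "name = \"${secret_name}\"" "$config_file" 2>/dev/null; then
        return 0
    fi
    {
        printf '    [[runners.kubernetes.volumes.secret]]\n'
        printf '      name = "%s"\n' "$secret_name"
        printf '      mount_path = "%s"\n' "$mount_path"
        # read_only: the job can use the key but cannot overwrite it
        printf '      read_only = true\n'
    } >> "$config_file"
}

# check_key_file KEY_FILE
# Sanity-checks the mounted service-account key before it is used: the file
# must exist, be non-empty and look like a JSON service-account key. A wrong
# data key in the Kubernetes Secret otherwise surfaces only as an opaque
# "unauthorized" from the registry.
check_key_file() {
    key_file="$1"
    [ -s "$key_file" ] || { echo "key file missing or empty: $key_file" >&2; return 1; }
    grep -q '"private_key"' "$key_file" || { echo "not a service-account key: $key_file" >&2; return 1; }
    return 0
}

# registry_login KEY_FILE REGISTRY
# The login line for the CI job: the key goes in via stdin, so it never
# appears in the process list or the job log.
registry_login() {
    key_file="$1"; registry="$2"
    check_key_file "$key_file" || return 1
    docker login -u _json_key --password-stdin "https://${registry}" < "$key_file"
}

# Usage inside the customised entrypoint (assumed paths):
#   add_secret_volume /home/gitlab-runner/.gitlab-runner/config.toml gcr-key /keys
# Usage inside the job's script section:
#   registry_login /keys/key.json eu.gcr.io
```

With the secret mounted at /keys, the login line from the question becomes docker login -u _json_key --password-stdin https://eu.gcr.io < /keys/key.json (with whatever file name the Secret's data key has). Because the volume is mounted into every build pod this runner starts, any job scheduled on the runner can read the key: give the service account only the registry-write role it needs, and register the runner as protected or restrict it to the projects that are allowed to push.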