Gitlab Runner Image with GCP credentials


Problem description

I am trying to teach my Gitlab Runner image to get custom builder images from my private Docker Registry (GCR running in the Google Cloud).

What did not work out? I created a custom Gitlab Runner image with the ServiceAccount properly set. I started it in non-privileged mode but with the wormhole pattern (via docker.sock). On exec-ing into that container (which is based on gitlab/gitlab-runner:v11.3.0) I had to recognise that I cannot do any docker commands in there (neither as root nor as gitlab-user). How the gitlab-runner starts the builder containers afterwards is way above my cognitive capabilities. ;)

# got started via eu.gcr.io/my-project/gitlab-runner:0.0.5 which got taught the GCR credentials

stages:
    - build

build:
    image: eu.gcr.io/my-project/gitlab-builder-docker:0.0.2
    stage: build
    script:
        # only for test if I have access to private docker registry
        - docker pull eu.gcr.io/my-project/gitlab-builder-docker:0.0.1

What worked out? According to this tutorial you can authenticate in a before_script block in your .gitlab-ci.yml files. That worked out.

# got started via gitlab/gitlab-runner:v11.3.0 

stages:
    - build

before_script:
    - apk add --update curl python which bash
    - curl -sSL https://sdk.cloud.google.com | bash
    - export PATH="$PATH:/root/google-cloud-sdk/bin"
    - gcloud components install docker-credential-gcr
    - gcloud auth activate-service-account --key-file=/key.json
    - gcloud auth configure-docker --quiet

build:
    image: docker:18.03.1-ce
    stage: build
    script:
        # only for test if I have access to private docker registry
        - docker pull eu.gcr.io/my-project/gitlab-builder-docker:0.0.1

The Question This means that I have to do this (install gcloud & authenticate) in each build run - I would prefer to have done this in the gitlab-runner image. Do you have an idea how to achieve this?

Recommended answer

Finally I found a way to get this done.

GCP


  1. Create Service account with no permissions in IAM & Admin
  2. Download Json Key
  3. Add Permissions in Storage Browser

     1. Select bucket holding your images (eg eu.artifacts.my-project.appspot.com)
     2. Grant permission Storage Object Admin to the service account


Local Docker Container


  1. Launch a library/docker container and exec into it (with Docker Wormhole Pattern docker.sock volume mount)
  2. Login into GCR via (check the url of your repo, in my case it's located in Europe, therefore the eu prefix in the url)
     docker login -u _json_key --password-stdin https://eu.gcr.io < /etc/gitlab-runner/<MY_KEY>.json
  3. Verify if it works via some docker pull <MY_GCR_IMAGE>
  4. Copy the content of ~/.docker/config.json

Gitlab config.toml configuration


  1. Add the following into your config.toml file
     [[runners]]
       environment = ["DOCKER_AUTH_CONFIG={ \"auths\": { \"myregistryurl.com:port\": { \"auth\": \"<TOKEN-FROM-DOCKER-CONFIG-FILE>\" } } }"]

Vanilla Gitlab Runner container


  1. Run the runner eg like this
     docker run -it \
       --name gitlab-runner \
       --rm \
       -v <FOLDER-CONTAINING-GITLAB-RUNNER-CONFIG-FILE>:/etc/gitlab-runner:ro \
       -v /var/run/docker.sock:/var/run/docker.sock \
       gitlab/gitlab-runner:v11.3.0

Your .gitlab-ci.yml file


  1. Verify the done work via a .gitlab-ci.yml

     1. Use an image which is located in your private GCP Container Registry


Teach your builder image how to push to your private GCR Docker Repo

GCP


  1. Add permissions to your service account

     1. Grant Storage Legacy Bucket Reader to the service account in the Storage Browser


Custom Docker Builder image


  1. Add your Service Account key file to your custom image
     FROM docker:18.03.1-ce
     ADD key.json /<MY_KEY>.json

Your .gitlab-ci.yml file


  1. Add the following script into your before_script section
     docker login -u _json_key --password-stdin https://eu.gcr.io < /key.json



Final Thoughts

Now the vanilla gitlab-runner can pull your custom images from your private GCR Docker Repo. Furthermore those pullable custom images are also capable of talking to your private GCR Docker Repo and eg push the resulting images of your build pipeline.

That was quite complicated stuff. Maybe Gitlab enhances the support for this use case in the future.
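As an added example, not code from the original answer: a Python script that builds the DOCKER_AUTH_CONFIG value for config.toml directly from the service-account key, the same way the docker login in the steps above fills ~/.docker/config.json, and decodes it back to check which registry and user it covers. The registry eu.gcr.io, the sample key and the function names are assumptions.

```python
import base64
import json

def is_service_account_key(key_json: str) -> bool:
    """True if the text is a GCP service account key (the file downloaded from IAM & Admin)."""
    try:
        key = json.loads(key_json)
    except ValueError:
        return False
    return key.get("type") == "service_account" and "private_key" in key

def build_docker_auth_config(registry: str, key_json: str) -> str:
    """DOCKER_AUTH_CONFIG JSON for one registry, as `docker login -u _json_key
    --password-stdin https://<registry> < key.json` leaves it in ~/.docker/config.json:
    "auth" is base64("<user>:<password>"); the CLI strips one trailing newline from stdin."""
    if not is_service_account_key(key_json):
        raise ValueError("not a GCP service account key")
    password = key_json.removesuffix("\n").removesuffix("\r")
    token = base64.b64encode(f"_json_key:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"auth": token}}})

def decode_auth_config(auth_config: str) -> dict:
    """Map registry -> (user, password) from a DOCKER_AUTH_CONFIG or config.json value.
    Split on the first colon only: the key JSON used as password contains colons itself."""
    decoded = {}
    for registry, entry in json.loads(auth_config).get("auths", {}).items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        decoded[registry] = (user, password)
    return decoded

def runner_environment_line(auth_config: str) -> str:
    """The environment line under [[runners]]; TOML basic strings need backslash and quote escaped."""
    escaped = auth_config.replace("\\", "\\\\").replace('"', '\\"')
    return f'environment = ["DOCKER_AUTH_CONFIG={escaped}"]'

# Constructed sample key with placeholder values; a real one is downloaded from IAM & Admin.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "my-project",
    "private_key_id": "PLACEHOLDER",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gitlab-runner@my-project.iam.gserviceaccount.com",
}, indent=2) + "\n"

if __name__ == "__main__":
    cfg = build_docker_auth_config("eu.gcr.io", SAMPLE_KEY_JSON)
    print(runner_environment_line(cfg))
    print(decode_auth_config(cfg)["eu.gcr.io"][0])
```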
