Single Docker image push into AWS elastic container registry (ECR) from VSTS build/release definition


Problem description

We have a python docker image which needs to be built/published (CI/CD) into the AWS container registry. At the moment AWS does not support running docker tasks using docker hub private repositories, therefore we have to use ECR instead of docker hub.

Our CI/CD pipeline uses docker build and push tasks. Docker authentication is done via a Service Endpoint in the VSTS project.

There are a few steps we should follow to set up a VSTS service endpoint for ECR. This requires executing an AWS CLI command (locally or in the cloud) to get a user and password for the docker client to log in; it looks like:

aws ecr get-login --no-include-email

The above command outputs a docker login command with a username (AWS) and a password (token).

The issue with this approach is that the access token will last only for 12 hours. Therefore the CI/CD task requires updating the Service Endpoint every 12 hours, otherwise the build fails with an unauthorised token exception.

The other option we have is to run some shell commands to execute the aws get-login command and run the docker build/push commands in the same context. This option requires installing the aws cli on the build agent (we are using a public linux agent). In addition, the shell command involves awkward task configuration with environment/variables. Otherwise we will be exposing the aws application id and secret in the build steps.

Could you please advise if you have solved a VSTS CI/CD pipeline using docker with AWS ecr?

Thanks, Mahi

Solution

After a lot of research, trial and error, I found an answer to my own question.

AWS provides an extension to VSTS with build tasks and Service Endpoints. You need to configure the AWS service endpoint using an account number, application ID, and secret. Then, in your build/release definition:

  1. Build the docker image using the out-of-the-box docker build task, or a shell/bash command (for example: docker build -t your:tag .)

  2. Then add another build step to push the image into the AWS registry; for this you can use the AWS extension task (Amazon Elastic Container Registry Push Image). The Amazon Elastic Container Registry Push Image build task will generate a token and log in the docker client every time you run this build definition. You don't have to worry about updating the username/token every 12 hours; the AWS extension build task will do that for you.
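For pipelines that take the shell route mentioned in the question rather than the extension task, the following added example (not part of the original post or of the AWS extension) shows how a build step can handle the short-lived token safely: it decodes the JSON printed by `aws ecr get-authorization-token`, rejects a token that is close to expiry, and passes the password to `docker login` on stdin so it never lands in the command line or build log. The sample response, account ID, region, the 15-minute margin and the function names are constructed assumptions.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the JSON from `aws ecr get-authorization-token`.
# Account ID, region and password are placeholders, not real values.
SAMPLE_RESPONSE = json.dumps({
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:constructed-example-password").decode(),
        "expiresAt": "2024-01-01T12:00:00+00:00",
        "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
    }]
})


def parse_expiry(value):
    """Accept epoch seconds or an ISO 8601 string (assumed to vary by CLI version)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def docker_login_plan(response_json, now, min_remaining=timedelta(minutes=15)):
    """Return (argv, stdin_bytes, expires_at) for docker login; raise if the token is stale."""
    entry = json.loads(response_json)["authorizationData"][0]
    decoded = base64.b64decode(entry["authorizationToken"]).decode()
    user, sep, password = decoded.partition(":")
    if not sep or user != "AWS" or not password:
        raise ValueError("unexpected authorization token format")
    expires_at = parse_expiry(entry["expiresAt"])
    if expires_at - now < min_remaining:
        raise ValueError("ECR token expired or about to expire; request a new one")
    # The password is fed to docker on stdin, so it stays out of argv,
    # process listings and echoed build-step commands.
    argv = ["docker", "login", "--username", user, "--password-stdin",
            entry["proxyEndpoint"]]
    return argv, password.encode(), expires_at


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 0, 30, tzinfo=timezone.utc)
    argv, _secret, expires_at = docker_login_plan(SAMPLE_RESPONSE, now)
    print(" ".join(argv), "| valid until", expires_at.isoformat())
```

In a real build step the returned `argv` and bytes would go to `subprocess.run(argv, input=stdin_bytes, check=True)`, with the AWS credentials supplied as secret pipeline variables rather than written into the step.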
