通过 kubernetes/skaffold 将私有 npm 存储库拉到 docker 容器
[英]Pulling private npm repository to docker container through kubernetes/skaffold
问题描述
I am new to skaffold, k8s, docker set and I've been having trouble building my application on a cluster locally.
我是 skaffold、k8s、docker 集的新手,我在本地集群上构建应用程序时遇到了麻烦。
I have a code repository that is trying to pull a private NPM package but when building it loses the.npmrc file or the npm secret.我有一个代码存储库试图提取私有 NPM package 但是在构建它时会丢失 .npmrc 文件或 npm 秘密。
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/@sh1ba%2fcommon - Not found
npm ERR! 404
npm ERR! 404 '@sh1ba/common@^1.0.3' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-06-02T06_08_57_246Z-debug.log
unable to stream build output: The command '/bin/sh -c npm install' returned a non-zero code: 1. Please fix the Dockerfile and try again..
Ideally I'd like to avoid hard coding the secret into the file and use a k8s environment variable to pass in the key to docker as a secret.理想情况下,我想避免将秘密硬编码到文件中,并使用 k8s 环境变量将密钥作为秘密传递给 docker。 I am able to (kind of) do it with the docker build command:我能够(有点)使用 docker 构建命令来做到这一点:
- with "--build-args" with npm secret (the not safe way)使用“--build-args”和 npm 秘密(不安全的方式)
- with "--secret" with npm secret (the better way)用“--secret”和 npm 秘密(更好的方法)
- copying the.npmrc file directly,
npm installing and deleting it right after直接复制.npmrc文件, npm install后立即删除
The issue arises when I try to build it using kubernetes/skaffold.当我尝试使用 kubernetes/skaffold 构建它时,就会出现问题。 After running, it doesn't seem like any of the args, env variables, or even the.npmrc file is found.运行后,似乎没有找到任何 args、env 变量,甚至 .npmrc 文件。 When checking in the dockerfile for clues I was able to identify that nothing was being passed over from the manifest (args defined, .npmrc file, etc) to the dockerfile.在检查 dockerfile 中的线索时,我能够确定没有任何内容从清单(定义的参数、.npmrc 文件等)传递到 dockerfile。
Below is the manifest for the application:以下是应用程序的清单:
apiVersion: apps/v1
kind: Deployment
metadata:
name: auth-depl
spec:
replicas: 1
selector:
matchLabels:
app: auth
template:
metadata:
labels:
app: auth
spec:
containers:
- name: auth
image: auth
env:
- name: NPM_SECRET
valueFrom:
secretKeyRef:
name: npm-secret
key: NPM_SECRET
args: ["--no-cache", "--progress=plain", "--secret", "id=npmrc,src=.npmrc"]
Here's the code in the dockerfile:这是 dockerfile 中的代码:
# syntax=docker/dockerfile:1.2
# --------------> The build image
FROM node:alpine AS build
WORKDIR /app
COPY package*.json .
RUN --mount=type=secret,mode=0644,id=npmrc,target=/app/.npmrc \
npm install
# --------------> The production image
FROM node:alpine
WORKDIR /app
COPY package.json .
COPY tsconfig.json .
COPY src .
COPY prisma .
COPY --chown=node:node --from=build /app/node_modules /app/node_modules
COPY --chown=node:node . /app
s
RUN npm run build
CMD ["npm", "start"]
And also the skaffold file:还有脚手架文件:
apiVersion: skaffold/v2alpha3
kind: Config
deploy:
kubectl:
manifests:
- ./infra/k8s/*
- ./infra/k8s-dev/*
build:
local:
push: false
artifacts:
- image: auth
context: auth
docker:
dockerfile: Dockerfile
sync:
manual:
- src: 'src/**/*.ts'
dest: .
A few notes:几点注意事项:
- I can't locate the.npmrc file regardless of where I copy and paste it (in auth, in the manifest, in skaffold and in the ~/ directories)无论我在哪里复制和粘贴它(在 auth、manifest、skaffold 和 ~/ 目录中),我都找不到 .npmrc 文件
- I would like to also make it semi-usable (pretty reusable) in production too so that I don't need to do a complete overhaul if possible (but if this is bad practice I'd like to hear more about it)我也想让它在生产中半可用(相当可重复使用),这样如果可能的话我不需要进行彻底的检修(但如果这是不好的做法,我想听听更多关于它的信息)
- I've been able to make it work with buildArgs in the skaffold.yaml file but I'm not sure how that would translate into a production environment as I can't pass build args from kubernetes to docker (and I read that it isn't safe and that secrets should be used)我已经能够使其与 skaffold.yaml 文件中的 buildArgs 一起使用,但我不确定这将如何转化为生产环境,因为我无法将构建参数从 kubernetes 传递给 Z05B6063C41A21430 '不安全,应该使用秘密)
- The args in the manifest are throwing this error too (server runs if the args are commented out):清单中的参数也抛出此错误(如果参数被注释掉,服务器运行):
- deployment/auth-depl: container auth terminated with exit code 9
- pod/auth-depl-85fb8975d8-4rh9r: container auth terminated with exit code 9
> [auth-depl-85fb8975d8-4rh9r auth] node: bad option: --progress=plain
> [auth-depl-85fb8975d8-4rh9r auth] node: bad option: --secret
- deployment/auth-depl failed. Error: container auth terminated with exit code 9.
Any insight would be amazing, I've been fiddling with this for far too long now.任何见解都会令人惊叹,我已经摆弄这个太久了。
Thank you!谢谢!
1 个解决方案
解决方案1
3 2021-06-02 14:52:56
Building and deploying an image to Kubernetes is at three levels:构建和部署映像到 Kubernetes 分为三个级别:
- Your local system where you initiate the building of an image您启动映像构建的本地系统
- The Docker build that populates the image and then stores that image somewhere Docker 构建填充图像,然后将该图像存储在某处
- The Kubernetes cluster that loads and starts running that image加载并开始运行该映像的 Kubernetes 集群
Docker is not involved in #3. Docker 不参与#3。 (This is only partially true, since some clusters use Docker to run the containers too, but that's a hidden detail and is also changing.) (这只是部分正确,因为一些集群也使用 Docker 来运行容器,但这是一个隐藏的细节并且也在发生变化。)
There are two places where you might communicate secrets:有两个地方可以传达秘密:
- at image build time (steps #1 to #2): you can use Docker
--build-argsor mounting secrets with--secret(both require Buildkit)在图像构建时(步骤 #1 到 #2):您可以使用 Docker --build-args或使用--secret安装机密(都需要 Buildkit) - at deployment time (step #3): you use Kubernetes secrets or config maps, which are configured separately from the image build在部署时(步骤 #3):您使用 Kubernetes 机密或配置映射,它们与映像构建分开配置
Skaffold supports passing build-time secrets, like your npm password, with Docker's --build-args and --secret flags, though they are slightly renamed. Skaffold 支持传递构建时机密,例如您的 npm 密码,带有 Docker 的--build-args和--secret标志,尽管它们略有重命名。
buildArgs supports Go-style templating, so you can reference environment variables like MYSECRET as {{.MYSECRET}} : buildArgs支持 Go 风格的模板,因此您可以将MYSECRET等环境变量引用为{{.MYSECRET}} :
build:
local:
useBuildkit: true
artifacts:
- image: auth
context: auth
docker:
buildArgs:
MYSECRET: "{{.MYSECRET}}"
Then you can reference MYSECRET within your Dockerfile :然后您可以在Dockerfile MYSECRET
ARG MYSECRET
RUN echo MYSECRET=${MYSECRET}
Note that build-args are not propagated into your container unless you explicitly assign it via an ENV MYSECRET=${MYSECRET} .请注意,除非您通过ENV MYSECRET=${MYSECRET}显式分配它,否则 build-args 不会传播到您的容器中。
If the secret is in a local file, you can use the secret field in the skaffold.yaml :如果秘密在本地文件中,您可以使用skaffold.yaml中的secret字段:
build:
local:
useBuildkit: true
artifacts:
- image: auth
context: auth
docker:
secret:
id: npmrc
src: /path/to/.npmrc
and you'd then reference the secret as you are in your Dockerfile :然后您将在Dockerfile中引用该秘密:
RUN --mount=type=secret,mode=0644,id=npmrc,target=/app/.npmrc \
npm install
Now in your Deployment , you're attempting to setting args for your container:现在在您的Deployment中,您正在尝试为您的容器设置args :
args: ["--no-cache", "--progress=plain", "--secret", "id=npmrc,src=.npmrc"]
The args field overrides the CMD directive set in your image. args字段会覆盖映像中设置的CMD指令。 This field is used to provide command-line arguments provided to your image's entrypoint, which is likely node .此字段用于提供命令行 arguments 提供给图像的入口点,可能是node 。 If you want to reference a secret in a running container on a cluster, you'd use a Secret or ConfigMap .如果你想在集群上运行的容器中引用一个秘密,你可以使用Secret或ConfigMap 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.