
How to build and push a docker image in a Terraform Docker Provider by GCP Cloud Build

References

Terraform Docker Provider

Terraform Google Provider

GCP Cloud Build

Context Details

  1. The deployment is done by CICD based on GCP Cloud Build (and the Cloud Build service account has an 'owner' role for the relevant projects).

  2. Inside a 'cloudbuild.yaml' file there is a step with a 'hashicorp/terraform' worker and a command like 'terraform apply'.

Goal

To build and push a docker image into a GCP Artefact Registry, so that it can be used in a container-optimised Compute Engine deployment in other TF resources.

Issue

As the Terraform Google Provider does not have resources to work with the Artefact Registry docker images, I have to use the Terraform Docker Provider.

The docker image is described as:

resource "docker_registry_image" "my_image" {
  name = "europe-west2-docker.pkg.dev/${var.my_project_id}/my-docker-reg/my-vm-image:test"
  build {
    context = "${path.module}/image"
    dockerfile = "Dockerfile"
  }
}

According to the comment on Creating and pushing a docker image to a google cloud registry using terraform: "For pushing images, the only way to set credentials is to declare them at the provider level."

Therefore the registry_auth block is to be provided as described in the Terraform Docker Provider documentation.

On one hand, as described in the GCP Artefact Registry authentication documentation, "You do not need to configure authentication for Cloud Build". So I use this for configuration (as it is to be executed under the Cloud Build service account):

provider "docker" {
  registry_auth {
    address  = "europe-west2-docker.pkg.dev"
  }
}

and the Cloud Build job (terraform step) failed with an error:

Error: Error loading registry auth config: could not open config file from filePath: /root/.docker/config.json. Error: open /root/.docker/config.json: no such file or directory

  with provider["registry.terraform.io/kreuzwerker/docker"],
  on my-vm-image.tf line 6, in provider "docker":
   6: provider "docker" {

as the Docker Provider mandatorily would like to get some credentials for authentication...

So, another option is to try an 'access token' as described in the comment and the documentation.

The access token for the Cloud Build service account can be retrieved by a step in the cloud build yaml:

## Get Cloud Build access token
- id: "=> get CB access token =>"
  name: 'gcr.io/cloud-builders/gcloud'
  entrypoint: 'sh'
  args:
    - '-c'
    - |
      access_token=$(gcloud auth print-access-token) || exit 1
      echo ${access_token} > /workspace/access_token || exit 1

and later used in the TF step as a variable value:

...
access_token=$(cat /workspace/access_token)
...
terraform apply -var 'access_token=${access_token}' ....
...

So the Terraform Docker Provider is supposed to be configured according to the example `gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://LOCATION-docker.pkg.dev` from the GCP Artefact Registry authentication documentation:

provider "docker" {
  registry_auth {
    address  = "europe-west2-docker.pkg.dev"
    username = "oauth2accesstoken"
    password = var.access_token
  }
}

But the Cloud Build job (terraform step) failed again:

Error: Error pushing docker image: Error pushing image: unauthorized: failed authentication

Questions

So, if I don't try any completely different alternative approach, how does the Terraform Docker Provider work within GCP Cloud Build? What is to be done for a correct authentication?
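The first error above comes from the provider falling back to the Docker client's credential store, `~/.docker/config.json`, when `registry_auth` carries only an `address`. The following is an added example (not code from the question, the answer, or the Terraform Docker Provider) that builds exactly the entry `docker login -u oauth2accesstoken --password-stdin <address>` would write, looks the credential up the way a Docker client does (by the exact registry host of the image reference), and writes the file with owner-only permissions so the token is not world-readable on the build worker. The token value, image reference and file path are constructed for the example; a real `gcloud auth print-access-token` token is short-lived, so the file should be regenerated per build rather than stored.

```python
"""Build, write and validate a Docker config.json credential entry for
Artifact Registry token authentication (added example, not the page's code)."""
import base64
import json
import os
import tempfile
from urllib.parse import urlparse

# Artifact Registry expects this fixed username when the password is an OAuth2 access token.
OAUTH_USER = "oauth2accesstoken"


def registry_host(image_ref: str) -> str:
    """Return the registry host of an image reference or login URL, e.g.
    'europe-west2-docker.pkg.dev/proj/repo/img:tag' -> 'europe-west2-docker.pkg.dev'.
    Docker keys its credential store by this host, so it must match exactly."""
    if "://" in image_ref:
        # `docker login` accepts https://LOCATION-docker.pkg.dev; strip the scheme.
        return urlparse(image_ref).netloc
    return image_ref.split("/", 1)[0]


def docker_config(address: str, token: str) -> dict:
    """Equivalent of `docker login -u oauth2accesstoken --password-stdin <address>`:
    the 'auth' field is base64("username:password")."""
    creds = base64.b64encode(f"{OAUTH_USER}:{token}".encode()).decode()
    return {"auths": {address: {"auth": creds}}}


def credential_for(config: dict, image_ref: str):
    """Resolve credentials for an image the way a Docker client does.
    Returns (username, password) or None when no entry matches the image's registry host."""
    entry = config.get("auths", {}).get(registry_host(image_ref))
    if entry is None:
        return None
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, password


def write_docker_config(path: str, config: dict) -> int:
    """Write config.json with mode 0600 (owner read/write only) and return the
    resulting permission bits. The file holds a bearer token, so it must not be
    readable by other users on the worker."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh)
    os.chmod(path, 0o600)  # enforce even if the umask or an existing file widened it
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    # Constructed sample values; a real token comes from `gcloud auth print-access-token`.
    token = "ya29.CONSTRUCTED-SAMPLE-TOKEN"
    image = "europe-west2-docker.pkg.dev/my-project/my-docker-reg/my-vm-image:test"
    cfg = docker_config(registry_host(image), token)
    print(json.dumps(cfg, indent=2))
    print("lookup for image:", credential_for(cfg, image))
    # A different region's registry has no matching entry, so the push would be unauthenticated.
    print("lookup for other region:", credential_for(cfg, "us-docker.pkg.dev/p/r/i:test"))
    target = os.path.join(tempfile.mkdtemp(), ".docker", "config.json")
    print("written with mode:", oct(write_docker_config(target, cfg)))
```

In a Cloud Build step this file would be written under the home directory of the user running the `hashicorp/terraform` step (the error message above shows the provider looking in `/root/.docker/config.json`), and its `address` key must equal the host part of the `docker_registry_image` name.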

As the Terraform Google Provider does not have resources to work with the Artefact Registry docker images

First, I don't understand the above sentence. Here is Google's Artifact Registry resource.

Second, why use docker_registry_image? Or even the docker provider?

If you provide your service account with the right role (no need for full ownership, roles/artifactregistry.writer will do) then you can push images built by Cloud Build to Artifact Registry without any problem. Just set the image name to docker in the necessary build steps.

For example:

steps:
  - id: build
    name: docker
    args:
      - build
      - .
      - '-t'
      - LOCATION-docker.pkg.dev/PROJECT_ID/ARTIFACT_REGISTRY_REPO/IMAGE
  - id: push
    name: docker
    args:
      - push
      - LOCATION-docker.pkg.dev/PROJECT_ID/ARTIFACT_REGISTRY_REPO/IMAGE
