Building Images with OpenShift


Using an image and a registry as source and output

1. Prepare a git repository that contains a Dockerfile. The one below has a single line, for the simplest possible demonstration.

FROM docker.io/bitnami/nginx:1.21.6

A GitLab repository is used here as the example; you can use GitHub or any other repository host.

2. Create the BuildConfig file

Click Builds, select BuildConfigs, and create a BuildConfig.
The BuildConfig content is as follows; note that source is the address of the git repository.

apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: mywebsite
  labels:
    app: mywebsite
spec:
  source:
    type: Git
    git:
      ref: main
      uri: http://192.168.72.20:8929/root/nginx-demo
    contextDir: ./
  strategy:
    type: Docker
    dockerStrategy:
      dockerfilePath: Dockerfile
  output:
    to:
      kind: DockerImage
      name: registry.example.com:8443/library/nginx-helloworld:v1.0

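Here output specifies that the image is pushed to the local Harbor registry once the build completes. Pushing the image requires configuring permissions and the CA certificate for OpenShift:

Reference: https://docs.openshift.com/container-platform/4.10/cicd/builds/setting-up-trusted-ca.html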

oc create configmap registry-cas -n openshift-config \
   --from-file=registry.example.com..8443=/etc/docker/certs.d/registry.example.com:8443/ca.crt
   
oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge
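
The trust step above, as an added example that is not part of the original post: before a certificate is placed in additionalTrustedCA, confirm that it is an unexpired CA certificate and derive the ConfigMap key, where `:` before a port is written as `..`. The function names are hypothetical; the openssl checks run locally and the oc command is only printed, not executed.

```shell
#!/bin/sh
# Added example (not from the original post): vet a registry CA before trusting it cluster-wide.

# ConfigMap keys cannot contain ':', so a registry with a port is keyed as
# "host..port"; a registry without a port is keyed by its hostname alone.
registry_ca_key() {
  local reg=$1
  case $reg in
    *:*) printf '%s..%s\n' "${reg%%:*}" "${reg##*:}" ;;
    *)   printf '%s\n' "$reg" ;;
  esac
}

# Succeeds only if the file is a readable, unexpired PEM certificate marked CA:TRUE.
check_ca_cert() {
  local crt=$1
  [ -r "$crt" ] || { echo "cannot read $crt" >&2; return 1; }
  openssl x509 -in "$crt" -noout 2>/dev/null \
    || { echo "$crt is not a PEM certificate" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "$crt has expired" >&2; return 1; }
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' \
    || { echo "$crt is not a CA certificate" >&2; return 1; }
  # Show what is about to be trusted so it can be compared out of band.
  openssl x509 -in "$crt" -noout -subject -enddate -fingerprint -sha256
}

# Print (do not run) the article's "oc create configmap" command for a vetted certificate.
trust_registry_cmd() {
  local reg=$1 crt=$2 cm=${3:-registry-cas}
  check_ca_cert "$crt" >&2 || return 1
  printf 'oc create configmap %s -n openshift-config --from-file=%s=%s\n' \
    "$cm" "$(registry_ca_key "$reg")" "$crt"
}

# Key for the Harbor registry used in this article.
registry_ca_key registry.example.com:8443   # prints registry.example.com..8443
```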

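Click Start Build; a new build is created automatically.
Click Builds and view the build log. The build completes successfully and the image is pushed to the Harbor registry.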

Using image streams as source and output

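If the build output is to go to an image stream, the OpenShift built-in registry must be enabled. OpenShift does not enable the registry by default; carry out the steps below to enable it. They use the quick option of ephemeral storage (no storage class is available for persistence), so pushed images are lost when the registry pod is restarted:

Reference: https://docs.openshift.com/container-platform/4.10/registry/configuring-registry-operator.html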

1. Switch to the openshift-image-registry project

oc project openshift-image-registry

2. Edit configs.imageregistry.operator.openshift.io

oc edit configs.imageregistry.operator.openshift.io

Change the following fields

...
  managementState: Managed
...
...
  replicas: 1
...
...
  storage:
    emptyDir: {}

Confirm that a new image-registry pod has been deployed

root@bastion:~# oc -n openshift-image-registry  get pods
NAME                                              READY   STATUS      RESTARTS   AGE
cluster-image-registry-operator-ddd96d697-p4fdx   1/1     Running     0          2d2h
image-pruner-27486720-ddzxx                       0/1     Completed   0          31h
image-pruner-27488160-vxmmb                       0/1     Completed   0          7h6m
image-registry-746b8888d4-6pdbb                   1/1     Running     0          61s
node-ca-7zt48                                     1/1     Running     0          2d2h
node-ca-8fb9j                                     1/1     Running     0          2d2h
node-ca-dtsrl                                     1/1     Running     0          2d2h
node-ca-kn4pl                                     1/1     Running     0          2d2h
node-ca-vt6fm                                     1/1     Running     0          2d2h

Then expose the registry outside the cluster:

oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

View the route address

root@bastion:~# oc get routes
NAME            HOST/PORT                                                      PATH   SERVICES         PORT    TERMINATION   WILDCARD
default-route   default-route-openshift-image-registry.apps.okd4.example.com          image-registry   <all>   reencrypt     None

Pulling an image locally

Reference: https://access.redhat.com/solutions/4308191

mkdir -p /etc/docker/certs.d/default-route-openshift-image-registry.apps.okd4.example.com/
oc extract secret/router-ca --keys=tls.crt -n openshift-ingress-operator
cp tls.crt /etc/docker/certs.d/default-route-openshift-image-registry.apps.okd4.example.com/

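# The token can be obtained from the console's user management page
export USERNAME=admin
export TOKEN=sha256~uC0tBK7zzeOM9dsoQ0kWIZO5W_ILPzhLvqc5qnTpZG0

# Pass the token on stdin so it is not exposed in the docker process arguments
echo "$TOKEN" | docker login -u "$USERNAME" --password-stdin default-route-openshift-image-registry.apps.okd4.example.com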

docker pull default-route-openshift-image-registry.apps.okd4.example.com/demo/local-image

Deploying applications from the internal registry

oc create configmap registry-local -n openshift-config \
   --from-file=registry.example.com..8443=/etc/docker/certs.d/registry.example.com:8443/ca.crt \
   --from-file=default-route-openshift-image-registry.apps.okd4.example.com=/etc/docker/certs.d/default-route-openshift-image-registry.apps.okd4.example.com/tls.crt

oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-local"}}}' --type=merge

2. Using ImageStreamTag

Create the image streams

oc import-image bitnami-nginx:1.20.2 --from="docker.io/bitnami/nginx:1.20.2" --confirm
oc import-image mywebsite2:latest --from="docker.io/bitnami/nginx:1.20.2" --confirm

Create the BuildConfig, with source and output configured as ImageStreamTag

apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: mywebsite2
  labels:
    app: mywebsite2
spec:
  source:
    type: Git
    git:
      ref: master
      uri: http://192.168.72.20:8929/root/nginx-demo
    contextDir: ./
  strategy:
    type: Docker                      
    dockerStrategy:
      dockerfilePath: Dockerfile
      from:
        kind: ImageStreamTag
        namespace: demo
        name: bitnami-nginx:1.20.2
  output:
    to:
      kind: ImageStreamTag
      name: mywebsite2:latest
  triggers:
  - type: ImageChange

Now, when the build runs, OpenShift replaces the FROM line in the Dockerfile with the image from the image stream.
In the log you can see that OpenShift replaced the FROM instruction:

Cloning "http://192.168.72.20:10880/gogs/nginx-demo.git" ...
Commit: 031ff4e5124c8cb057c0576bed21fce88dc60e52 (更新 'Dockerfile')
Author: gogs <willzhmic@outlook.com>
Date: Thu Apr 7 02:27:13 2022 +0000
Replaced Dockerfile FROM image docker.io/bitnami/nginx:1.21.6
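
A simplified local model of the substitution described above, as an added example that is not part of the original post and not OpenShift's own code: only the last FROM is rewritten, so in a multi-stage Dockerfile the earlier stages still pull whatever the Dockerfile names. The function name, the sample Dockerfile and the digest placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified local model of the FROM substitution, not OpenShift code.

# Constructed sample: a two-stage Dockerfile whose final stage uses the article's image.
SAMPLE='FROM docker.io/library/node:16 AS build
RUN npm run build
FROM docker.io/bitnami/nginx:1.21.6
COPY --from=build /src/dist /app'

# Placeholder for the reference the ImageStreamTag resolves to (not a real digest).
PINNED='docker.io/bitnami/nginx@sha256:EXAMPLE_DIGEST'

# Reads a Dockerfile on stdin and prints it with the image of the LAST FROM
# replaced by $1. Flags such as --platform and any "AS name" are preserved.
effective_dockerfile() {
  awk -v img="$1" '
    { line[NR] = $0 }
    toupper($1) == "FROM" { last = NR }
    END {
      for (i = 1; i <= NR; i++) {
        if (i != last) { print line[i]; continue }
        n = split(line[i], f, " ")
        # The image is the first token after FROM that is not a --flag.
        for (j = 2; j <= n; j++) if (f[j] !~ /^--/) { f[j] = img; break }
        out = f[1]
        for (j = 2; j <= n; j++) out = out " " f[j]
        print out
      }
    }'
}

# The build stage keeps its Dockerfile image; only the final stage is replaced.
printf '%s\n' "$SAMPLE" | effective_dockerfile "$PINNED"
```

When reviewing such a build, the base image of the final stage is decided by the BuildConfig and the image stream, while every earlier stage is decided by the Dockerfile in git.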