As a DevOps engineer at Cloudify.co, I am building a new CI/CD pipeline based on Kubernetes and Jenkins. Recently I integrated Elastic Container Registry with our CI/CD based on Jenkins. In this guide, I will share the knowledge on this topic.
作为Cloudify.co的DevOps工程师,我正在基于Kubernetes和Jenkins构建新的CI / CD管道。 最近,我将Elastic Container Registry与基于Jenkins的CI / CD集成在一起。 在本指南中,我将分享有关该主题的知识。
Let’s start.
开始吧。
什么是ECR-Amazon Elastic Container Registry? (What’s ECR — Amazon Elastic Container Registry?)
Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying your development to production workflow. Amazon ECR eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure.
Amazon Elastic Container Registry(ECR)是一个完全托管的Docker容器注册表,使开发人员可以轻松存储,管理和部署Docker容器映像。 Amazon ECR与Amazon Elastic Container Service(ECS)集成在一起,简化了从开发到生产工作流程的过程。 Amazon ECR无需操作您自己的容器存储库,也无需担心扩展基础架构。
詹金斯是什么? (What is Jenkins?)
Jenkins is a self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software.
Jenkins是一个自包含的开源自动化服务器,可用于自动化与构建,测试以及交付或部署软件有关的各种任务。
什么是詹金斯管道? (What is Jenkins Pipeline?)
Jenkins Pipeline (or simply “Pipeline” with a capital “P”) is a suite of plugins that supports implementing and integrating continuous delivery pipelines into Jenkins.
Jenkins Pipeline(或简称为“ Pipeline”,以大写字母“ P”表示)是一套插件,可支持将持续交付管道实现并将其集成到Jenkins中。
先决条件 (Prerequisites)
- You must have an AWS account 您必须拥有一个AWS账户
- Jenkins on Kubernetes running on your cluster Jenkins在集群上运行的Kubernetes上
在具有ECR完全访问权限和编程访问权限的AWS上创建用户 (Creating a user on AWS with ECR full access and programmatic access)
创建对ECR具有完全访问权限的策略 (Create a policy with full access to ECR)
In AWS account go to Services -> IAM -> Policies -> Create Policy -> JSON
在AWS账户中,转到服务-> IAM->策略->创建策略-> JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:*",
"cloudtrail:LookupEvents"
],
"Resource": "*"
}
]
}
Click on review and create the policy
点击查看并创建政策
使用我们创建的附加策略和编程访问权限来创建用户 (Create a user with the attached policy we created and programmatic access)
In AWS account go to Services -> IAM -> Users -> Add User
在AWS账户中,转到服务-> IAM->用户->添加用户
Select the programmatic access
选择程序访问
Attach created policy
附加创建的政策
Create the user and download .csv file with credentials for programmatic access to AWS
创建用户并下载具有凭证的.csv文件,以编程方式访问AWS
在您的机器上安装AWS CLI (Install AWS CLI to your machine)
https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
将docker安装到您的机器上 (Install docker to your machine)
https://docs.docker.com/engine/install/
https://docs.docker.com/engine/install/
如何通过ECR进行身份验证? (How to authenticate with ECR?)
So basically you have two options:
因此,基本上,您有两种选择:
选项1 (Option 1)
Export AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY as environment variables to your console/terminal
将AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY作为环境变量导出到控制台/终端
$ export AWS_ACCESS_KEY_ID=Your_access_key_id_from_csv$ export AWS_SECRET_ACCESS_KEY=your_secret_access_ key_from_csv
选项2 (Option 2)
Use ‘aws configure’ to set your credentials and region, it will store credentials permanently in you $HOME/.aws directory
使用“ aws configure”设置凭据和区域,它将凭据永久存储在您的$ HOME / .aws目录中
For both options, you need to use AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY which you may find in downloaded .csv file
对于这两个选项,您都需要使用AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY,您可以在下载的.csv文件中找到它
创建Amazon Elastic Container Registry (Create Amazon Elastic Container Registry)
In AWS account go to Services -> Elastic Container registry
在AWS账户中,转到服务->弹性容器注册表
Click on Get Started
点击入门
Create a repository with a name hello-world for testing
创建一个名称为hello-world的存储库以进行测试
Created ECR in us-east-1 region, 796556984717 is your AWS account id
在us-east-1地区创建的ECR 796556984717是您的AWS账户ID
使用Docker登录到AWS (Login with docker to AWS)
$ aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 796556984717.dkr.ecr.us-east-1.amazonaws.com
测试您对ECR的访问权限 (Test your access to ECR)
Make sure you configured AWS like I explained or exported needed variables and did log in with docker
确保按照我解释或导出所需变量的方式配置了AWS,并使用docker登录了
$ aws ecr list-images --repository-name hello-world --region=us-east-1
If you getting a response similar to this one
如果您收到与此类似的回复
{ "imageIds": []}
It means everything is configured properly, otherwise, you will get access denied message.
这意味着一切都已正确配置,否则,您将收到拒绝访问消息。
如何创建图像并推送到ECR? (How to create an image and push to ECR?)
Let’s build an example image and will push it to ECR
让我们构建一个示例图像,并将其推送到ECR
Dockerfile of the example image
示例映像的Dockerfile
FROM alpine:3.4RUN apk update && \
apk add curl && \
apk add git && \
apk add vim
Build a hello-world image from Dockerfile
从Dockerfile构建一个hello-world映像
$ docker build -t hello-world .
标记图像 (Tag the image)
$ docker tag hello-world:latest 796556984717.dkr.ecr.us-east-1.amazonaws.com/hello-world:1.1
推送至ECR (Push to ECR)
$ docker push 796556984717.dkr.ecr.us-east-1.amazonaws.com/hello-world:1.1
We pushed our image to hello-world repository and version is 1.1
我们将映像推送到了hello-world存储库,版本为1.1
检查我们的图像是否存在于hello-world存储库中 (Checking our image exists in hello-world repository)
$ aws ecr list-images --repository-name hello-world --region=us-east-1
The response must be similar to this one
响应必须与此相似
{
"imageIds": [
{
"imageDigest": "sha256:6045a7fdc628f8764cc52f6d0fe640029a2eb9b860bfc265c3ff9a5048068546",
"imageTag": "1.1"
}
]
}
那么如何在Kubernetes上的Jenkins管道中使用ECR中的图像呢? (So how to use images in ECR with Jenkins pipeline on Kubernetes?)
I am using ‘Jenkins Kubernetes’ plugin to run workflows with Kubernetes on Jenkins
我正在使用'Jenkins Kubernetes'插件在Jenkins上使用Kubernetes运行工作流
什么是Jenkins的Kubernetes插件? (What is the Kubernetes plugin for Jenkins?)
Jenkins plugin to run dynamic agents in a Kubernetes cluster.
Jenkins插件可在Kubernetes集群中运行动态代理。
The plugin creates a Kubernetes Pod for each agent started, defined by the Docker image to run, and stops it after each build.
该插件为每个要启动的代理(由要运行的Docker映像定义)创建一个Kubernetes Pod,并在每次构建后停止它。
pod-template of your pipeline must be similar to this one
您的管道的pod-template必须与此模板相似
apiVersion: v1
kind: Pod
spec:
containers:
- name: hello-world
image: 796556984717.dkr.ecr.us-east-1.amazonaws.com/hello-world:1.1
command:
- cat
tty: true
Meaning we using an image in a regular way with a path to ECR
意味着我们以常规方式使用带有ECR路径的图像
image: 796556984717.dkr.ecr.us-east-1.amazonaws.com/hello-world:1.1
那么,为什么在这种情况下我们不需要在管道中访问ECR的权限? (So why we don’t need permissions to access ECR in our pipeline in this case?)
If you using the EKS cluster like me which was created using the eksctl utility or using the AWS CloudFormation templates, by default all worker nodes created with needed IAM permission to access ECR.
如果您使用像我这样的EKS集群,该集群是使用eksctl实用程序或AWS CloudFormation模板创建的,则默认情况下,所有创建的具有IAM权限的工作节点都必须具有访问ECR的IAM权限。
Every worker node has ‘AmazonEKSWorkerNodePolicy’ attached with needed IAM policy permissions.
每个工作节点都具有附加的“ AmazonEKSWorkerNodePolicy”和所需的IAM策略权限。
I that’s not the case you need to attach this policy to your worker node policy
我不是这种情况,您需要将此策略附加到工作节点策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken"
],
"Resource": "*"
}
]
}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html
https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html
结论 (Conclusion)
I explained in this guide how to configure ECR in your account, create an image and push it to an ECR repository, then pull an image from ECR with Jenkins pipeline on Kubernetes, I also explained why in many cases on Kubernetes clusters like EKS it will work by default.
我在本指南中解释了如何在您的帐户中配置ECR,如何创建图像并将其推送到ECR存储库,然后使用Kubernetes上的Jenkins管道从ECR中提取图像,还解释了为什么在很多情况下,在诸如EKS之类的Kubernetes集群上它会默认工作。
I hope this guide was helpful and thank you for reading.
希望本指南对您有所帮助,并感谢您的阅读。