在kubernetes上通过jenkins管道使用来自ecr的图像

As a DevOps engineer at Cloudify.co, I am building a new CI/CD pipeline based on Kubernetes and Jenkins. Recently I integrated Elastic Container Registry with our CI/CD based on Jenkins. In this guide, I will share the knowledge on this topic.

作为Cloudify.co的DevOps工程师，我正在基于Kubernetes和Jenkins构建新的CI / CD管道。 最近，我将Elastic Container Registry与基于Jenkins的CI / CD集成在一起。 在本指南中，我将分享有关该主题的知识。

Let’s start.

开始吧。

什么是ECR-Amazon Elastic Container Registry？ (What’s ECR — Amazon Elastic Container Registry?)

Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying your development to production workflow. Amazon ECR eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure.

Amazon Elastic Container Registry(ECR)是一个完全托管的Docker容器注册表，使开发人员可以轻松存储，管理和部署Docker容器映像。 Amazon ECR与Amazon Elastic Container Service(ECS)集成在一起，简化了从开发到生产工作流程的过程。 Amazon ECR无需操作您自己的容器存储库，也无需担心扩展基础架构。

https://aws.amazon.com/ecr/

https://aws.amazon.com/ecr/

詹金斯是什么？ (What is Jenkins?)

Jenkins is a self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software.

Jenkins是一个自包含的开源自动化服务器，可用于自动化与构建，测试以及交付或部署软件有关的各种任务。

https://jenkins.io/doc/

https://jenkins.io/doc/

什么是詹金斯管道？ (What is Jenkins Pipeline?)

Jenkins Pipeline (or simply “Pipeline” with a capital “P”) is a suite of plugins that supports implementing and integrating continuous delivery pipelines into Jenkins.

Jenkins Pipeline(或简称为“ Pipeline”，以大写字母“ P”表示)是一套插件，可支持将持续交付管道实现并将其集成到Jenkins中。

https://www.jenkins.io/doc/book/pipeline/

https://www.jenkins.io/doc/book/pipeline/

先决条件 (Prerequisites)

• You must have an AWS account
  您必须拥有一个AWS账户
• Jenkins on Kubernetes running on your cluster
  Jenkins在集群上运行的Kubernetes上

在具有ECR完全访问权限和编程访问权限的AWS上创建用户 (Creating a user on AWS with ECR full access and programmatic access)

创建对ECR具有完全访问权限的策略 (Create a policy with full access to ECR)

In AWS account go to Services -> IAM -> Policies -> Create Policy -> JSON

在AWS账户中，转到服务-> IAM->策略->创建策略-> JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        }
    ]
}

Click on review and create the policy

点击查看并创建政策

使用我们创建的附加策略和编程访问权限来创建用户 (Create a user with the attached policy we created and programmatic access)

In AWS account go to Services -> IAM -> Users -> Add User

在AWS账户中，转到服务-> IAM->用户->添加用户

Select the programmatic access

选择程序访问

Attach created policy

附加创建的政策

Create the user and download .csv file with credentials for programmatic access to AWS

创建用户并下载具有凭证的.csv文件，以编程方式访问AWS

在您的机器上安装AWS CLI (Install AWS CLI to your machine)

https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

将docker安装到您的机器上 (Install docker to your machine)

https://docs.docker.com/engine/install/

https://docs.docker.com/engine/install/

如何通过ECR进行身份验证？ (How to authenticate with ECR?)

So basically you have two options:

因此，基本上，您有两种选择：

选项1 (Option 1)

Export AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY as environment variables to your console/terminal

将AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY作为环境变量导出到控制台/终端

$ export AWS_ACCESS_KEY_ID=Your_access_key_id_from_csv$ export AWS_SECRET_ACCESS_KEY=your_secret_access_ key_from_csv

选项2 (Option 2)

Use ‘aws configure’ to set your credentials and region, it will store credentials permanently in you $HOME/.aws directory

使用“ aws configure”设置凭据和区域，它将凭据永久存储在您的$ HOME / .aws目录中

For both options, you need to use AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY which you may find in downloaded .csv file

对于这两个选项，您都需要使用AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY，您可以在下载的.csv文件中找到它

创建Amazon Elastic Container Registry (Create Amazon Elastic Container Registry)

In AWS account go to Services -> Elastic Container registry

在AWS账户中，转到服务->弹性容器注册表

Click on Get Started

点击入门

Create a repository with a name hello-world for testing

创建一个名称为hello-world的存储库以进行测试

Created ECR in us-east-1 region, 796556984717 is your AWS account id

在us-east-1地区创建的ECR 796556984717是您的AWS账户ID

使用Docker登录到AWS (Login with docker to AWS)

$ aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 796556984717.dkr.ecr.us-east-1.amazonaws.com

测试您对ECR的访问权限 (Test your access to ECR)

Make sure you configured AWS like I explained or exported needed variables and did log in with docker

确保按照我解释或导出所需变量的方式配置了AWS，并使用docker登录了

$ aws ecr list-images --repository-name hello-world --region=us-east-1

If you getting a response similar to this one

如果您收到与此类似的回复

{  "imageIds": []}

It means everything is configured properly, otherwise, you will get access denied message.

这意味着一切都已正确配置，否则，您将收到拒绝访问消息。

如何创建图像并推送到ECR？ (How to create an image and push to ECR?)

Let’s build an example image and will push it to ECR

让我们构建一个示例图像，并将其推送到ECR

Dockerfile of the example image

示例映像的Dockerfile

FROM alpine:3.4RUN apk update && \
    apk add curl && \
    apk add git && \
    apk add vim

Build a hello-world image from Dockerfile

从Dockerfile构建一个hello-world映像

$ docker build -t hello-world .

标记图像 (Tag the image)

$ docker tag hello-world:latest 796556984717.dkr.ecr.us-east-1.amazonaws.com/hello-world:1.1

推送至ECR (Push to ECR)

$ docker push 796556984717.dkr.ecr.us-east-1.amazonaws.com/hello-world:1.1

We pushed our image to hello-world repository and version is 1.1

我们将映像推送到了hello-world存储库，版本为1.1

检查我们的图像是否存在于hello-world存储库中 (Checking our image exists in hello-world repository)

$ aws ecr list-images --repository-name hello-world --region=us-east-1

The response must be similar to this one

响应必须与此相似

{
  "imageIds": [
    {
      "imageDigest": "sha256:6045a7fdc628f8764cc52f6d0fe640029a2eb9b860bfc265c3ff9a5048068546",
      "imageTag": "1.1"
    }
  ]
}

那么如何在Kubernetes上的Jenkins管道中使用ECR中的图像呢？ (So how to use images in ECR with Jenkins pipeline on Kubernetes?)

I am using ‘Jenkins Kubernetes’ plugin to run workflows with Kubernetes on Jenkins

我正在使用'Jenkins Kubernetes'插件在Jenkins上使用Kubernetes运行工作流

什么是Jenkins的Kubernetes插件？ (What is the Kubernetes plugin for Jenkins?)

Jenkins plugin to run dynamic agents in a Kubernetes cluster.

Jenkins插件可在Kubernetes集群中运行动态代理。

The plugin creates a Kubernetes Pod for each agent started, defined by the Docker image to run, and stops it after each build.

该插件为每个要启动的代理(由要运行的Docker映像定义)创建一个Kubernetes Pod，并在每次构建后停止它。

https://plugins.jenkins.io/kubernetes/

https://plugins.jenkins.io/kubernetes/

pod-template of your pipeline must be similar to this one

您的管道的pod-template必须与此模板相似

apiVersion: v1
kind: Pod
spec:
  containers: 
    - name:  hello-world
      image: 796556984717.dkr.ecr.us-east-1.amazonaws.com/hello-world:1.1
      command:
      - cat
      tty: true

Meaning we using an image in a regular way with a path to ECR

意味着我们以常规方式使用带有ECR路径的图像

image: 796556984717.dkr.ecr.us-east-1.amazonaws.com/hello-world:1.1

那么，为什么在这种情况下我们不需要在管道中访问ECR的权限？ (So why we don’t need permissions to access ECR in our pipeline in this case?)

If you using the EKS cluster like me which was created using the eksctl utility or using the AWS CloudFormation templates, by default all worker nodes created with needed IAM permission to access ECR.

如果您使用像我这样的EKS集群，该集群是使用eksctl实用程序或AWS CloudFormation模板创建的，则默认情况下，所有创建的具有IAM权限的工作节点都必须具有访问ECR的IAM权限。

Every worker node has ‘AmazonEKSWorkerNodePolicy’ attached with needed IAM policy permissions.

每个工作节点都具有附加的“ AmazonEKSWorkerNodePolicy”和所需的IAM策略权限。

I that’s not the case you need to attach this policy to your worker node policy

我不是这种情况，您需要将此策略附加到工作节点策略

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}

https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html

https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html

结论 (Conclusion)

I explained in this guide how to configure ECR in your account, create an image and push it to an ECR repository, then pull an image from ECR with Jenkins pipeline on Kubernetes, I also explained why in many cases on Kubernetes clusters like EKS it will work by default.

我在本指南中解释了如何在您的帐户中配置ECR，如何创建图像并将其推送到ECR存储库，然后使用Kubernetes上的Jenkins管道从ECR中提取图像，还解释了为什么在很多情况下，在诸如EKS之类的Kubernetes集群上它会默认工作。

I hope this guide was helpful and thank you for reading.

希望本指南对您有所帮助，并感谢您的阅读。

翻译自: https://levelup.gitconnected.com/use-images-from-ecr-with-jenkins-pipeline-on-kubernetes-f67dc83852e9