docker gitlab-ci kaniko

Adding build tools to a Kaniko image for Gitlab-CI


Given: a monorepo of ~35 services using Gitlab-CI with k8s runners. The images are built using Kaniko, utilizing <job>.extends of a prototype template, and life is great.

However, lately, we wanted to save a key on consul and change a gitlab-ci env-var after a successful build - which requires curl, and preferably jq.

I've been trying to create the following image to serve as image for image-building jobs:

FROM gcr.io/kaniko-project/executor:debug

RUN mkdir -p /workspace \
  && wget -qO /workspace/curl https://github.com/moparisthebest/static-curl/releases/download/v7.86.0/curl-amd64 \
  && chmod +x /workspace/curl \
  && wget -qO /workspace/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 \
  && chmod +x /workspace/jq

ENV PATH "$PATH:/workspace"

The build of which appears to succeed.

However - de-facto, when used in a pipeline job, given the following script:

.build-with-kaniko:
  script:
    - mkdir -p /kaniko/.docker;
      echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":..... > /kaniko/.docker/config.json
    - which jq || log no jq;
      which curl || log no curl;
    - >- 
      /kaniko/executor
      --context $PROJECT_PATH
      --dockerfile $DOCKERFILE
      --destination ${CI_REGISTRY}/${DOCKER_REPO}:${TAG}
    - which jq || log no jq;
      which curl || log no curl;

Before running the executor - the curl and jq are found.

But after running the executor - they are gone!! <tam-tam-taaaaaaAAAMM!!!> :o

I tried placing them in a few different folders: /busybox, /kaniko, /workspace or even a custom dir /misc - and could not get it to work...

I thought maybe it packs them to the target image - but no, they are not there.

I also noted that after building with --no-push they are still there (but then I do not get my image on the registry...).

What is going on? Is there a post-push cleanup mechanism I should instruct to leave these two files?

Help? What must I do to help kaniko understand I need these two utilities?


Solution

  • OMG. :facepalm:

    I knew I'd find the answer only after I posted the question... :shrug:

    Here's what worked:

    Declare it as a new volume:

    FROM gcr.io/kaniko-project/executor:debug
    
    RUN mkdir -p /misc \
      && wget -qO /misc/curl https://github.com/moparisthebest/static-curl/releases/download/v7.86.0/curl-amd64 \
      && chmod +x /misc/curl \
      && wget -qO /misc/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 \
      && chmod +x /misc/jq
    
    VOLUME /misc
    
    ENV PATH "$PATH:/misc"
    

    I got the clue from the current Dockerfile of the kaniko:debug image itself (at the time of this writing).

    The image is recommended to be used as the base image for gitlab-ci jobs that use kaniko - and it includes /busybox.

    I still don't understand why putting the tools in the /busybox dir did not work, but I have a working solution now, and no time to dig deeper :sad: :shrug:
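
An added example, not part of the original question or answer: a fail-fast replacement for the `which jq || log no jq` probes that also confirms each downloaded binary still matches a pinned SHA-256 digest, so a tool that vanished after the executor ran or was swapped upstream stops the job. The manifest path `/misc/tools.sha256`, its layout, and the availability of `sha256sum` and `cut` in the job image are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_tools DIR MANIFEST
#   MANIFEST lines look like sha256sum output: "<sha256-hex>  <name>".
#   Blank lines and lines starting with '#' are ignored.
#   Returns 0 only when every listed tool is present in DIR, executable,
#   and matches its pinned digest; otherwise reports each problem on stderr
#   and returns 1.
check_tools() {
  dir=$1
  manifest=$2
  rc=0
  # "|| [ -n "$want" ]" keeps a final line that has no trailing newline.
  while read -r want name || [ -n "$want" ]; do
    case $want in ''|\#*) continue ;; esac
    path="$dir/$name"
    if [ ! -f "$path" ]; then
      echo "MISSING  $path" >&2
      rc=1
    elif [ ! -x "$path" ]; then
      echo "NOEXEC   $path" >&2
      rc=1
    else
      got=$(sha256sum "$path" | cut -d' ' -f1)
      if [ "$got" != "$want" ]; then
        echo "MISMATCH $path (got $got)" >&2
        rc=1
      fi
    fi
  done < "$manifest"
  return "$rc"
}

# Hypothetical use in the job script, around the executor call:
#   check_tools /misc /misc/tools.sha256 || exit 1
#   /kaniko/executor ...
#   check_tools /misc /misc/tools.sha256 || exit 1
```

The digests in the manifest should be recorded once from binaries you have reviewed and committed alongside the Dockerfile, not computed from whatever the download returns at image build time.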