OpenShift构建镜像

OpenShift构建镜像

使用镜像和仓库作为source和output

1、准备一个git仓库，包含一个Dockerfile，以下仅包含一行内容用于最简单的演示。

FROM docker.io/bitnami/nginx:1.21.6

以gitlab仓库为例，你可以使用github等其他仓库

2、创建BuildConfig文件

点击构建，选择构建配置，创建构建配置。

构建配置内容如下，注意source为git仓库地址。

apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: mywebsite
  labels:
    app: mywebsite
spec:
  source:
    type: Git
    git:
      ref: main
      uri: http://192.168.72.20:8929/root/nginx-demo
    contextDir: ./
  strategy:
    type: Docker
    dockerStrategy:
      dockerfilePath: Dockerfile
  output:
    to:
      kind: DockerImage
      name: registry.example.com:8443/library/nginx-helloworld:v1.0

其中output指定镜像构建完成后推送到本地harbor镜像仓库，推送镜像需要为openshift配置权限和ca证书：

参考：https://docs.openshift.com/container-platform/4.10/cicd/builds/setting-up-trusted-ca.html

oc create configmap registry-cas -n openshift-config \
   --from-file=registry.example.com..8443=/etc/docker/certs.d/registry.example.com:8443/ca.crt
   
oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

点击开始构建，自动生成一个新的构建任务

点击构建，查看构建日志，成功完成构建并推送镜像到harbor仓库：

使用镜像流作为source和output

如果构建完成后要输出到镜像流，需要启用openshift内置registry仓库，openshif默认未启用registry，执行以下操作启用，使用临时存储的快速解决方案（没有用于持久性的存储类）：

参考：https://docs.openshift.com/container-platform/4.10/registry/configuring-registry-operator.html

1、切换到openshift-image-registry项目

oc project openshift-image-registry

2、编辑configs.imageregistry.operator.openshift.io

oc edit configs.imageregistry.operator.openshift.io

修改以下内容

...
  managementState: Managed
...
...
  replica: 1
...
...
  storage:
    emptyDir: {
    }

确认新部署了image-registry pod

[email protected]:~# oc -n openshift-image-registry get pods
NAME                                              READY   STATUS      RESTARTS   AGE
cluster-image-registry-operator-ddd96d697-p4fdx   1/1     Running     0          2d2h
image-pruner-27486720-ddzxx                       0/1     Completed   0          31h
image-pruner-27488160-vxmmb                       0/1     Completed   0          7h6m
image-registry-746b8888d4-6pdbb                   1/1     Running     0          61s
node-ca-7zt48                                     1/1     Running     0          2d2h
node-ca-8fb9j                                     1/1     Running     0          2d2h
node-ca-dtsrl                                     1/1     Running     0          2d2h
node-ca-kn4pl                                     1/1     Running     0          2d2h
node-ca-vt6fm                                     1/1     Running     0          2d2h

然后公开注册表访问地址到集群外：

oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

查看访问地址

[email protected]:~# oc get routes
NAME            HOST/PORT                                                      PATH   SERVICES         PORT    TERMINATION   WILDCARD
default-route   default-route-openshift-image-registry.apps.okd4.example.com          image-registry   <all>   reencrypt     None

本地拉取镜像

参考：https://access.redhat.com/solutions/4308191

mkdir -p /etc/docker/certs.d/default-route-openshift-image-registry.apps.okd4.example.com/
oc extract secret/router-ca --keys=tls.crt -n openshift-ingress-operator
cp tls.crt /etc/docker/certs.d/default-route-openshift-image-registry.apps.okd4.example.com/

# token可以从console用户管理界面获取
export USERNAME=admin
export TOKEN=sha256~uC0tBK7zzeOM9dsoQ0kWIZO5W_ILPzhLvqc5qnTpZG0

docker login -u $USERNAME -p $TOKEN default-route-openshift-image-registry.apps.okd4.example.com

docker pull default-route-openshift-image-registry.apps.okd4.example.com/demo/local-image

使用内部仓库部署应用

oc create configmap registry-local -n openshift-config \
   --from-file=registry.example.com..8443=/etc/docker/certs.d/registry.example.com:8443/ca.crt \
   --from-file=default-route-openshift-image-registry.apps.okd4.example.com=/etc/docker/certs.d/default-route-openshift-image-registry.apps.okd4.example.com/tls.crt

oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-local"}}}' --type=merge

2、使用imagestreamTag

创建imagestream

oc import-image bitnami-nginx:1.20.2 --from="docker.io/bitnami/nginx:1.20.2" --confirm
oc import-image mywebsite2:latest --from="docker.io/bitnami/nginx:1.20.2" --confirm

创建BuildConfig，source和output配置为ImageStreamTag

apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: mywebsite2
  labels:
    app: mywebsite2
spec:
  source:
    type: Git
    git:
      ref: master
      uri: http://192.168.72.20:8929/root/nginx-demo
    contextDir: ./
  strategy:
    type: Docker                      
    dockerStrategy:
      dockerfilePath: Dockerfile
      from:
        kind: ImageStreamTag
        namespace: demo
        name: bitnami-nginx:1.20.2
  output:
    to:
      kind: ImageStreamTag
      name: mywebsite2:latest
  triggers:
  - type: ImageChange

现在，当构建运行时，OpenShift 会将Dockerfile 中的FROM行替换为来自镜像流的镜像。
在日志中，您可以看到 OpenShift 替换了 FROM 指令：

Cloning "http://192.168.72.20:10880/gogs/nginx-demo.git" ...
Commit: 031ff4e5124c8cb057c0576bed21fce88dc60e52 (更新 'Dockerfile')
Author: gogs <[email protected]>
Date: Thu Apr 7 02:27:13 2022 +0000
Replaced Dockerfile FROM image docker.io/bitnami/nginx:1.21.6