cdflow2 build plugin for building docker images and pushing them to AWS ECR. Performs the following steps:
- Gets an auth token for ECR based on IAM credentials in the environment.
- Does a
docker login
with that auth token in order to allow a docker image to be pushed to the repo. - Does a
docker build
to create a docker image from theDockerfile
in the root of the project. - Does a
docker push
to push the image to the ECR repository. - Provides an
image
release metadata key so the resulting docker image can be used from terraform - via a terraform map variable named the same as the build (i.e. the key underbuilds
in thecdflow.yaml
- "docker" is a good choice)
Requires a cdflow2 config container with support for providing ECR config - e.g. mergermarket/cdflow2-config-acuris.
This example uses mergermarket/cdflow2-config-acuris
, which supports creating an ECR repository and providing the config for it as environment variables to the build (this config container is only suitable for developing within Acuris).
version: 2
config:
image: mergermarket/cdflow2-config-acuris
params:
account_prefix: myaccountprefix
team: myteam
builds:
docker:
image: mergermarket/cdflow2-build-docker-ecr
params:
dockerfile: Dockerfile
context: = .
secrets:
- "id=npmrc,src=.npmrc"
- "id=ssh,src=/root/.ssh/id_rsa.pub"
terraform:
image: hashicorp/terraform
Will build a docker image from a Dockerfile in the root of the project. This could be anything, in this case a simple hello world.
FROM hello-world
Change the Dockerfile path used for the build.
Default path is Dockerfile
in the same directory as the cdflow.yaml
.
Change the context of the build. A build’s context is the set of files located in the specified path.
Defaults to .
.
Use buildx for image creation with multi architecture support instead of the classic build command.
Boolean parameter.
Defaults to false
.
Comma-separated list of platforms for the build, when buildx is enabled.
E.g.: linux/arm64,linux/386,linux/s390x
.
Available platforms depends on the host and installed QEMU emulators.
Check https://github.com/tonistiigi/binfmt for more info.
If buildx not enabled, parameter ignored.
Defaults to empty list.
Import docker layer cache from specific source.
Currently only "gha" supported.
For supported options check: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from.
If buildx not enabled, parameter ignored.
Defaults to empty string.
buildx:
image: mergermarket/cdflow2-build-docker-ecr:latest
params:
buildx: true
platforms: linux/arm64,linux/386
cache-from: type=gha
cache-to: type=gha,mode=max
Export docker layer to specific destination.
Currently only "gha" supported.
For supported options check: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from.
If buildx not enabled, parameter ignored.
Defaults to empty string.
buildx:
image: mergermarket/cdflow2-build-docker-ecr:latest
params:
buildx: true
platforms: linux/arm64,linux/386
cache-from: type=gha
cache-to: type=gha,mode=max
Allow passing secrets to the docker build.
Secrets are passed as a list of strings.
Each string should be in the format
id=<secret_id>,src=<secret_src>
<secret_id>
is the name of the secret that will be used in
the docker build context.
<secret_src>
is the path to the secret file on the host machine.
limitation: It is only possible to pass src files, env is not available for cdflow2-build-docker-ecr plugin, as it runs in a separate container.
buildx:
image: mergermarket/cdflow2-build-docker-ecr:latest
params:
dockerfile: Dockerfile
context: = .
secrets:
- "id=npmrc,src=.npmrc"
- "id=ssh,src=/root/.ssh/id_rsa.pub"
Config containers that supports this build plugin are:
This container advertises a single "ecr"
need when it is configured for a build. A config container in its configureRelease
hook should ensure that an ECR repository exists and is provided in the environment, along with AWS credentials that can push to it and a region:
ECR_REPOSITORY
- the address of the repository of the form<account-number>.dkr.ecr.<region>.amazonaws.com/<repo-name>
)AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
(for temporary credentials only)AWS_REGION