Skip to content

Commit

Permalink
Generate adoc copies in /content/en/docs to shipwright-io#78
Browse files Browse the repository at this point in the history
  • Loading branch information
rolfedh committed Jul 13, 2022
1 parent 30f770f commit c4a3683
Show file tree
Hide file tree
Showing 10 changed files with 2,081 additions and 43 deletions.
3 changes: 0 additions & 3 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,3 @@ PLATFORMS

DEPENDENCIES
asciidoctor (~> 2.0, >= 2.0.17)

BUNDLED WITH
2.3.7
16 changes: 12 additions & 4 deletions config.toml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ disableKinds = ["taxonomy", "taxonomyTerm"]
# Highlighting config
pygmentsCodeFences = true
pygmentsUseClasses = false
pygmentsCodefencesGuessSyntax = true
# Use the new Chroma Go highlighter in Hugo.
pygmentsUseClassic = false
#pygmentsOptions = "linenos=table"
Expand Down Expand Up @@ -60,14 +61,21 @@ languageName ="English"
weight = 1

[markup]
defaultMarkdownHandler = 'goldmark'
[markup.goldmark]
[markup.goldmark.renderer]
unsafe = true
[markup.highlight]
# See a complete list of available styles at https://xyproto.github.io/splash/docs/all.html
style = "tango"
# Uncomment if you want your chosen highlight style used for code blocks without a specified language
# guessSyntax = "true"
guessSyntax = "true"

# https://gohugo.io/getting-started/configuration-markup/#table-of-contents
[markup.tableOfContents]
endLevel = 3
ordered = false
startLevel = 2

# Everything below this are Site Params

Expand All @@ -82,13 +90,13 @@ copyright = "The Shipwright Contributors"
# This menu appears only if you have at least one [params.versions] set.
version_menu = "Releases"

# Flag used in the "version-banner" partial to decide whether to display a
# Flag used in the "version-banner" partial to decide whether to display a
# banner on every page indicating that this is an archived version of the docs.
# Set this flag to "true" if you want to display the banner.
archived_version = false

# The version number for the version of the docs represented in this doc set.
# Used in the "version-banner" partial to display a version number for the
# Used in the "version-banner" partial to display a version number for the
# current doc set.
version = "0.0"

Expand Down Expand Up @@ -137,7 +145,7 @@ yes = 'Glad to hear it! Please <a href="https://github.com/USERNAME/REPOSITORY/i
no = 'Sorry to hear that. Please <a href="https://github.com/USERNAME/REPOSITORY/issues/new">tell us how we can improve</a>.'

# Adds a reading time to the top of each doc.
# If you want this feature, but occasionally need to remove the Reading time from a single page,
# If you want this feature, but occasionally need to remove the Reading time from a single page,
# add "hide_readingtime: true" to the page's front matter
[params.ui.readingtime]
enable = false
Expand Down
77 changes: 41 additions & 36 deletions content/en/docs/_index.md → content/en/docs/_index.adoc
100755 → 100644
Original file line number Diff line number Diff line change
Expand Up @@ -9,54 +9,58 @@ menu:
weight: 20
---


:toc:
:toclevels: 4

Shipwright is an extensible framework for building container images on Kubernetes.

Shipwright supports popular tools such as Kaniko, Cloud Native Buildpacks, Buildah, and more!

Shipwright is based around four elements for each build:
In Shipwright, each build is on the following elements:

1. Source code - the "what" you are trying to build
1. Output image - "where" you are trying to deliver your application
1. Build strategy - "how" your application is assembled
1. Invocation - "when" you want to build your application
* Source code - the "what" you are trying to build
* Output image - "where" you are trying to deliver your application
* Build strategy - "how" your application is assembled
* Invocation - "when" you want to build your application

## Comparison with local image builds
== Comparison with local image builds

Developers who use Docker are familiar with this process:

1. Clone source from a git-based repository ("what")
2. Build the container image ("when" and "how")

```bash
. Clone source from a git-based repository ("what")
. Build the container image ("when" and "how")
+
[source,terminal]
----
docker build -t registry.mycompany.com/myorg/myapp:latest .
```

3. Push the container image to your registry ("where")
----

```bash
. Push the container image to your registry ("where")
+
[source,terminal]
----
docker push registry.mycompany.com/myorg/myapp:latest
```
----

## Shipwright Build APIs
== Shipwright Build APIs

Shipwright's Build API consists of four core
[CustomResourceDefinitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions[CustomResourceDefinitions]
(CRDs):

1. [`Build`](/docs/api/build/) - defines what to build, and where the application should be delivered.
1. [`BuildStrategy` and `ClusterBuildStrategy`](/docs/api/buildstrategies/) - defines how to build an application for an image
building tool.
1. [`BuildRun`](/docs/api/buildrun/) - invokes the build.
You create a `BuildRun` to tell Shipwright to start building your application.
* link:/docs/api/build/[`Build`] - defines what to build, and where the application should be delivered.
* link:/docs/api/buildstrategies/[`BuildStrategy` and `ClusterBuildStrategy`] - defines how to build an application for an image
building tool.
* link:/docs/api/buildrun/[`BuildRun`] - invokes the build.
You create a `BuildRun` to tell Shipwright to start building your application.

### Build
=== Build

The `Build` object provides a playbook on how to assemble your specific application. The simplest
build consists of a git source, a build strategy, and an output image:

```yaml
[source,yaml]
----
apiVersion: build.dev/v1alpha1
kind: Build
metadata:
Expand All @@ -71,11 +75,11 @@ spec:
kind: ClusterBuildStrategy
output:
image: registry.mycompany.com/my-org/taxi-app:latest
```
----

Builds can be extended to push to private registries, use a different Dockerfile, and more.

### BuildStrategy and ClusterBuildStrategy
=== BuildStrategy and ClusterBuildStrategy

`BuildStrategy` and `ClusterBuildStrategy` are related APIs to define how a given tool should be
used to assemble an application. They are distinguished by their scope - `BuildStrategy` objects
Expand All @@ -85,7 +89,8 @@ The spec of a `BuildStrategy` or `ClusterBuildStrategy` consists of a `buildStep
specifications. Below is an example spec for Kaniko, which can build an image from a
Dockerfile within a container:

```yaml
[source,yaml]
----
# this is a fragment of a manifest
spec:
buildSteps:
Expand Down Expand Up @@ -121,17 +126,17 @@ spec:
requests:
cpu: 250m
memory: 65Mi
```
----

### BuildRun
=== BuildRun

Each `BuildRun` object invokes a build on your cluster. You can think of these as a Kubernetes
`Jobs` or Tekton `TaskRuns` - they represent a workload on your cluster, ultimately resulting in a
running `Pod`. See [`BuildRun`](/docs/api/buildrun/) for more details.
running `Pod`. See link:/docs/api/buildrun/[`BuildRun`] for more details.

## Further reading
== Further reading

- [Configuration](/docs/configuration/)
- Build controller observability
- [Metrics](/docs/metrics/)
- [Profiling](/docs/profiling/)
* link:/docs/configuration/[Configuration]
* Build controller observability
** link:/docs/metrics/[Metrics]
** link:/docs/profiling/[Profiling]
165 changes: 165 additions & 0 deletions content/en/docs/authentication.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,165 @@
---
title: Authentication during builds
---

:toc:
:toclevels: 4

The following document provides an introduction around the different authentication methods that can take place during an image build when using the Build controller.

== Overview

There are two places where users might need to define authentication when building images. Authentication to a container registry is the most common one, but also users might have the need to define authentications for pulling source-code from Git. Overall, the authentication is done via the definition of https://kubernetes.io/docs/concepts/configuration/secret/[secrets] in which the require sensitive data will be stored.

== Build Secrets Annotation

Users need to add an annotation `build.shipwright.io/referenced.secret: "true"` to a build secret so that build controller can decide to take a reconcile action when a secret event (`create`, `update` and `delete`) happens. Below is a secret example with build annotation:

[source,yaml]
----
apiVersion: v1
data:
.dockerconfigjson: xxxxx
kind: Secret
metadata:
annotations:
build.shipwright.io/referenced.secret: "true"
name: secret-docker
type: kubernetes.io/dockerconfigjson
----

This annotation will help us filter secrets which are not referenced on a Build instance. That means if a secret doesn't have this annotation, then although event happens on this secret, Build controller will not reconcile. Being able to reconcile on secrets events allow the Build controller to re-trigger validations on the Build configuration, allowing users to understand if a dependency is missing.

If you are using `kubectl` command create secrets, then you can first create build secret using `kubectl create secret` command and annotate this secret using `kubectl annotate secrets`. Below is an example:

[source,terminal]
----
kubectl -n ${namespace} create secret docker-registry example-secret --docker-server=${docker-server} --docker-username="${username}" --docker-password="${password}" [email protected]
kubectl -n ${namespace} annotate secrets example-secret build.shipwright.io/referenced.secret='true'
----

== Authentication for Git

There are two ways for authenticating into Git (_applies to both GitLab or GitHub_): SSH and basic authentication.

=== SSH authentication

For the SSH authentication you must use the tekton annotations to specify the hostname(s) of the git repository providers that you use. This is github.com for GitHub, or gitlab.com for GitLab.

As seen in the following example, there are three things to notice:

* The Kubernetes secret should be of the type `kubernetes.io/ssh-auth`
* The `data.ssh-privatekey` can be generated by following the command example `base64 <~/.ssh/id_rsa`, where `~/.ssh/id_rsa` is the key used to authenticate into Git.

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
name: secret-git-ssh-auth
annotations:
build.shipwright.io/referenced.secret: "true"
type: kubernetes.io/ssh-auth
data:
ssh-privatekey: <base64 <~/.ssh/id_rsa>
----

=== Basic authentication

The Basic authentication is very similar to the ssh one, but with the following differences:

* The Kubernetes secret should be of the type `kubernetes.io/basic-auth`
* The `stringData` should host your user and password in clear text.

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
name: secret-git-basic-auth
annotations:
build.shipwright.io/referenced.secret: "true"
type: kubernetes.io/basic-auth
stringData:
username: <cleartext username>
password: <cleartext password>
----

=== Usage of git secret

With the right secret in place(_note: Ensure creation of secret in the proper Kubernetes namespace_), users should reference it on their Build YAML definitions.

Depending on the secret type, there are two ways of doing this:

When using ssh auth, users should follow:

[source,yaml]
----
apiVersion: shipwright.io/v1alpha1
kind: Build
metadata:
name: buildah-golang-build
spec:
source:
url: [email protected]:eduardooli/newtaxi.git
credentials:
name: secret-git-ssh-auth
----

When using basic auth, users should follow:

[source,yaml]
----
apiVersion: shipwright.io/v1alpha1
kind: Build
metadata:
name: buildah-golang-build
spec:
source:
url: https://gitlab.com/eduardooli/newtaxi.git
credentials:
name: secret-git-basic-auth
----

== Authentication to container registries

For pushing images to private registries, users require to define a secret in their respective namespace.

=== Docker Hub

Follow the following command to generate your secret:

[source,terminal]
----
kubectl --namespace <YOUR_NAMESPACE> create secret docker-registry <CONTAINER_REGISTRY_SECRET_NAME> \
--docker-server=<REGISTRY_HOST> \
--docker-username=<USERNAME> \
--docker-password=<PASSWORD> \
[email protected]
kubectl --namespace <YOUR_NAMESPACE> annotate secrets <CONTAINER_REGISTRY_SECRET_NAME> build.shipwright.io/referenced.secret='true'
----

_Notes:_ When generating a secret to access docker hub, the `REGISTRY_HOST` value should be `+https://index.docker.io/v1/+`, the username is the Docker ID.
_Notes:_ The value of `PASSWORD` can be your user docker hub password, or an access token. A docker access token can be created via _Account Settings_, then _Security_ in the sidebar, and the _New Access Token_ button.

=== Usage of registry secret

With the right secret in place (_note: Ensure creation of secret in the proper Kubernetes namespace_), users should reference it on their Build YAML definitions.
For container registries, the secret should be placed under the `spec.output.credentials` path.

[source,yaml]
----
apiVersion: shipwright.io/v1alpha1
kind: Build
metadata:
name: buildah-golang-build
...
output:
image: docker.io/foobar/sample:latest
credentials:
name: <CONTAINER_REGISTRY_SECRET_NAME>
----

== References

See more information in the official Tekton https://github.com/tektoncd/pipeline/blob/main/docs/auth.md#configuring-ssh-auth-authentication-for-git[documentation] for authentication.
Loading

0 comments on commit c4a3683

Please sign in to comment.