This Task builds source into a container image using Moby BuildKit.
See also buildkit-daemonless for the daemonless version of this task.
You need to determine the SAN of the BuildKit daemon Service and create mTLS certificates.
In this example, we use buildkitd as the SAN.
$ ./create-certs.sh buildkitd
$ kubectl apply -f .certs/buildkit-daemon-certs.yaml
secret/buildkit-daemon-certs created
$ kubectl apply -f .certs/buildkit-client-certs.yaml
secret/buildkit-client-certs created
$ rm -rf .certsTwo types of the daemon manifests are included:
deployment+service.rootless.yaml(recommended): Run the daemon as a non-root user. Using Ubuntu nodes is recommended. Needssysctlconfiguration for Debian hosts and RHEL/CentOS 7 hosts. Does not work on Google COS.deployment+service.privileged.yaml: Run the daemon as the root user withsecurityContext.privileged=true. Try this version ifdeployment+service.rootless.yamldoes not work or too slow.
$ kubectl apply -f deployment+service.rootless.yaml
deployment.apps/buildkitd created
service/buildkitd createdThe number of replicas can be adjusted as you like:
$ kubectl scale --replicas=10 deployment/buildkitdSee also BuildKit documentation for the further information about the manifests.
$ kubectl apply -f task.yaml
task.tekton.dev/buildkit created- DOCKERFILE: The path to the
Dockerfileto execute (default:./Dockerfile) - BUILDKIT_CLIENT_IMAGE: BuildKit client image (default:
moby/buildkit:vX.Y.Z@sha256:...) - BUILDKIT_DAEMON_ADDRESS: BuildKit daemon address (default:
tcp://buildkitd:1234) - BUILDKIT_CLIENT_CERTS: The name of Secret that contains
ca.pem,cert.pem,key.pemfor mTLS connection to BuildKit daemon (default:buildkit-client-certs)
- source: A
git-typePipelineResourcespecifying the location of the source to build.
- image: An
image-typePipelineResourcespecifying the image that should be built. Currently, generatingresourceResultis not supported. (buildkit#993)