drone-kaniko

A thin shim-wrapper around the official Google Kaniko Docker image to make it behave like the Drone Docker plugin.

Example .drone.yml for Drone 2.15 (pushing to Docker Hub):

kind: pipeline
name: default

steps:
- name: publish
  image: 1sept/drone-kaniko
  settings:
    registry: registry.example.com # if not provided index.docker.io is supposed
    repo: registry.example.com/example-project
    tags: ${DRONE_COMMIT_SHA}
    cache: true
    skip_tls_verify: false # set to true for testing registries ONLY with self-signed certs
    build_args:
    - COMMIT_SHA=${DRONE_COMMIT_SHA}
    - COMMIT_AUTHOR_EMAIL=${DRONE_COMMIT_AUTHOR_EMAIL}
    username:
      from_secret: docker-username
    password:
      from_secret: docker-password

Pushing to GCR:

kind: pipeline
name: default

steps:
- name: publish
  image: 1sept/drone-kaniko
  settings:
    registry: gcr.io
    repo: example.com/example-project
    tags: ${DRONE_COMMIT_SHA}
    cache: true
    json_key:
      from_secret: google-application-credentials

Use .tags file for tagging

kind: pipeline
name: default

steps:
- name: build
  image: golang
  commands:
      - go get 
      - go build
      - make versiontags > .tags
      
- name: publish
  image: 1sept/drone-kaniko
  settings:
    registry: registry.example.com 
    repo: registry.example.com/example-project
    tags:
      - build-${DRONE_BUILD_NUMBER}
      - latest
      - latest-${DRONE_COMMIT_AUTHOR}
      - latest-${DRONE_BRANCH}-${DRONE_COMMIT_AUTHOR}
      - latest-${DRONE_BRANCH}
    username:
      from_secret: docker-username
    password:
      from_secret: docker-password

Auto tag

Set auto_tag: true.

kind: pipeline
name: default

steps:
- name: build
  image: golang
  commands:
      - go get 
      - go build
- name: publish
  image: 1sept/drone-kaniko
  settings:
    registry: registry.example.com 
    repo: registry.example.com/example-project
    auto_tag: true # higher priority then .tags file
    # tags: ${DRONE_COMMIT_SHA} <= it must be left undefined to use auto_tag
    username:
      from_secret: docker-username
    password:
      from_secret: docker-password

Test that it can build

docker run -it --rm -w /src -v $PWD:/src -e PLUGIN_USERNAME=${DOCKER_USERNAME} -e PLUGIN_PASSWORD=${DOCKER_PASSWORD} -e PLUGIN_REPO=your_repo/drone-kaniko-test -e PLUGIN_TAGS=test -e PLUGIN_DOCKERFILE=Dockerfile.test 1sept/drone-kaniko

Test that caching works

Start a Docker registry at 127.0.0.1:5000:

docker run -d -p 5000:5000 --restart always --name registry --hostname registry.local registry:2

Add the following lines to plugin.sh's final command and build a new image from it:

+    --cache=true \
+    --cache-repo=127.0.0.1:5000/${PLUGIN_REPO} \

docker build -t 1sept/drone-kaniko .

docker buildx build --no-cache --platform linux/amd64 --push -t 1sept/drone-kaniko:latest . -t harbor.1sept.ru/drone/drone-kaniko:latest -t harbor.1sept.ru/drone/drone-kaniko:v1.23.2-debug

Warm up the alpine image to the cache:

docker run -v $PWD:/cache gcr.io/kaniko-project/warmer:latest --verbosity=debug --image=alpine:3.8

Run the builder (on the host network to be able to access the registry, if any specified) with mounting the local disk cache, this example pushes to Docker Hub:

docker run --net=host -it --rm -w /src -v $PWD:/cache -v $PWD:/src -e PLUGIN_USERNAME=${DOCKER_USERNAME} -e PLUGIN_PASSWORD=${DOCKER_PASSWORD} -e PLUGIN_REPO=your_repo/drone-kaniko-test -e PLUGIN_TAGS=test -e PLUGIN_DOCKERFILE=Dockerfile.test -e PLUGIN_CACHE=true 1sept/drone-kaniko

The very same example just pushing to GCR instead of Docker Hub:

docker run --net=host -it --rm -w /src -v $PWD:/cache -v $PWD:/src -e PLUGIN_REGISTRY=gcr.io -e PLUGIN_REPO=paas-dev1/drone-kaniko-test -e PLUGIN_TAGS=test -e PLUGIN_DOCKERFILE=Dockerfile.test -e PLUGIN_CACHE=true -e PLUGIN_JSON_KEY="$(<$HOME/google-application-credentials.json)" 1sept/drone-kaniko

docker run --rm -ti --platform linux/amd64 harbor.1sept.ru/drone/drone-kaniko:test sh