This tutorial will walk through creating a kpack builder resource and a image resource to build a docker image from source and allow kpack rebuild the image with updates.
-
kpack is installed and available on a kubernetes cluster
Follow these docs to install and setup kpack
-
kpack cli
Get the kp cli from the github release
-
Create a secret with push credentials for the docker registry that you plan on publishing OCI images to with kpack.
The easiest way to do that is with
kubectl create secret docker-registrykubectl create secret docker-registry tutorial-registry-credentials \ --docker-username=user \ --docker-password=password \ --docker-server=string \ --namespace defaultNote: The docker server must be the registry prefix for its corresponding registry. For dockerhub this should be
https://index.docker.io/v1/. For GCR this should begcr.io. If you use GCR then the username can be_json_keyand the password can be the JSON credentials you get from the GCP UI (underIAM -> Service Accountscreate an account or edit an existing one and create a key with type JSON).Your secret create should look something like this:
kubectl create secret docker-registry tutorial-registry-credentials \ --docker-username=my-dockerhub-username \ --docker-password=my-dockerhub-password \ --docker-server=https://index.docker.io/v1/ \ --namespace defaultNote: Learn more about kpack secrets with the kpack secret documentation
-
Create a service account that references the registry secret created above
apiVersion: v1 kind: ServiceAccount metadata: name: tutorial-service-account namespace: default secrets: - name: tutorial-registry-credentials imagePullSecrets: - name: tutorial-registry-credentials
Apply that service account to the cluster
kubectl apply -f service-account.yaml
-
Create a cluster store configuration
A store resource is a repository of buildpacks packaged in buildpackages that can be used by kpack to build OCI images. Later in this tutorial you will reference this store in a Builder configuration.
We recommend starting with buildpacks from the paketo project. The example below pulls in java and nodejs buildpacks from the paketo project.
apiVersion: kpack.io/v1alpha2 kind: ClusterStore metadata: name: default spec: sources: - image: gcr.io/paketo-buildpacks/java - image: gcr.io/paketo-buildpacks/nodejs
Apply this store to the cluster
kubectl apply -f store.yaml
Note: Buildpacks are packaged and distributed as buildpackages which are docker images available on a docker registry. Buildpackages for other languages are available from paketo.
-
Create a cluster stack configuration
A stack resource is the specification for a cloud native buildpacks stack used during build and in the resulting app image.
We recommend starting with the paketo base stack as shown below:
apiVersion: kpack.io/v1alpha2 kind: ClusterStack metadata: name: base spec: id: "io.buildpacks.stacks.jammy" buildImage: image: "paketobuildpacks/build-jammy-base" runImage: image: "paketobuildpacks/run-jammy-base"
Apply this stack to the cluster
kubectl apply -f stack.yaml
-
Create a Builder configuration
A Builder is the kpack configuration for a builder image that includes the stack and buildpacks needed to build an OCI image from your app source code.
The Builder configuration will write to the registry with the secret configured in step one and will reference the stack and store created in step three and four. The builder order will determine the order in which buildpacks are used in the builder.
apiVersion: kpack.io/v1alpha2 kind: Builder metadata: name: my-builder namespace: default spec: serviceAccountName: tutorial-service-account tag: <DOCKER-IMAGE-TAG> stack: name: base kind: ClusterStack store: name: default kind: ClusterStore order: - group: - id: paketo-buildpacks/java - group: - id: paketo-buildpacks/nodejs
- Replace
<DOCKER-IMAGE-TAG>with a valid image tag that exists in the registry you configured with the--docker-serverflag when creating a Secret in step #1. The tag should be something like: your-name/builder or gcr.io/your-project/builder
Apply this builder to the cluster
kubectl apply -f builder.yaml
- Replace
-
Apply a kpack image resource
An image resource is the specification for an OCI image that kpack should build and manage.
We will create a sample image resource that builds with the builder created in step five.
The example included here utilizes the Spring Pet Clinic sample app. We encourage you to substitute it with your own application.
Create an image resource:
apiVersion: kpack.io/v1alpha2 kind: Image metadata: name: tutorial-image namespace: default spec: tag: <DOCKER-IMAGE-TAG> serviceAccountName: tutorial-service-account builder: name: my-builder kind: Builder source: git: url: https://github.com/spring-projects/spring-petclinic revision: 3be289517d320a47bb8f359acc1d1daf0829ed0b
- Replace
<DOCKER-IMAGE-TAG>with a valid image tag that exists in the registry you configured with the--docker-serverflag when creating a Secret in step #1. Something like: your-name/app or gcr.io/your-project/app - If you are using your application source, replace
source.git.url&source.git.revision.
Note: To use a private git repo follow the instructions in secrets
Apply that image resource to the cluster
kubectl apply -f image.yaml
You can now check the status of the image resource.
kubectl -n default get images
You should see that the image resource has an unknown READY status as it is currently building.
NAME LATESTIMAGE READY tutorial-image UnknownYou can tail the logs for image that is currently building using the kp cli
kp build logs tutorial-image -n defaultOnce the image resource finishes building you can get the fully resolved built OCI image with
kubectl getkubectl -n default get image tutorial-imageThe output should look something like this:
NAMESPACE NAME LATESTIMAGE READY default tutorial-image index.docker.io/your-project/app@sha256:6744b... TrueThe latest OCI image is available to be used locally via
docker pulland in a kubernetes deployment. - Replace
-
Run the built app locally
Download the latest OCI image available in step #6 and run it with docker.
docker run -p 8080:8080 <latest-image-with-digest>
You should see the java app start up:
|\ _,,,--,,_ /,`.-'`' ._ \-;;,_ _______ __|,4- ) )_ .;.(__`'-'__ ___ __ _ ___ _______ | | '---''(_/._)-'(_\_) | | | | | | | | | | _ | ___|_ _| | | | | |_| | | | __ _ _ | |_| | |___ | | | | | | | | | | \ \ \ \ | ___| ___| | | | _| |___| | _ | | _| \ \ \ \ | | | |___ | | | |_| | | | | | | |_ ) ) ) ) |___| |_______| |___| |_______|_______|___|_| |__|___|_______| / / / / ==================================================================/_/_/_/ :: Built with Spring Boot :: 2.2.2.RELEASE -
kpack rebuilds
We recommend updating the kpack image resource with a CI/CD tool when new commits are ready to be built.
Note: You can also provide a branch or tag as the
spec.git.revisionand kpack will poll and rebuild on updates!We can simulate an update from a CI/CD tool by updating the
spec.git.revisionon the image resource used in step #6.If you are using your own application please push an updated commit and use the new commit sha. If you are using Spring Pet Clinic you can update the revision to:
4e1f87407d80cdb4a5a293de89d62034fdcbb847.Edit the image resource with:
kubectl -n default edit image tutorial-imageYou should see kpack schedule a new build by running:
kubectl -n default get buildsYou should see a new build with
NAME IMAGE SUCCEEDED tutorial-image-build-1-8mqkc index.docker.io/your-name/app@sha256:6744b... True tutorial-image-build-2-xsf2l UnknownYou can tail the logs for the image with the kp cli used in step #6.
kp build logs tutorial-image -n default -b 2Note: This second build should be notably faster because the buildpacks are able to leverage the cache from the previous build.
-
Next steps
The next time new buildpacks are added to the store, kpack will automatically rebuild the builder. If the updated buildpacks were used by the tutorial image resource, kpack will automatically create a new build to rebuild your OCI image.
Now you can configure kpack to sign your images with cosign with the instructions in kpack with Cosign Tutorial.