Commit 58057dc4 authored by Clement Bois's avatar Clement Bois
Browse files

Merge branch 'breaking/buildah' into 'master' 

BREAKING CHANGE: change default Docker build tool to Buildah

See merge request to-be-continuous/docker!175
parents 2f08566d 5a7634ed

README.md

+3 −1
Original line number Diff line number Diff line
@@ -56,6 +56,8 @@ By default, the template uses [Buildah](https://buildah.io/), but you may select 
> Because [Kaniko is no longer maintained](https://github.com/GoogleContainerTools/kaniko/issues/3348), [Buildah](https://buildah.io/) is now the default.

>

> This change may introduce breaking changes to your pipelines.

>

> If needed, you can override the default globally by setting the `TBC_DEFAULT_DOCKER_BUILD_TOOL` instance-level CI/CD variable to `kaniko` or `dind`.



:warning: If you choose to use 'Docker-in-Docker' option considering the associated security risks, make sure your runner has required privileges to run Docker-in-Docker ([see GitLab doc](https://docs.gitlab.com/ci/docker/using_docker_build/#use-docker-in-docker-workflow-with-docker-executor)).
@@ -67,7 +69,7 @@ The Docker template uses some global configuration used throughout all jobs. 


| Input / Variable                         | Description                                                                                                                                    | Default value                                                                       |

| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |

| `build-tool` / `DOCKER_BUILD_TOOL`       | The build tool to use for building container image, possible values are `kaniko`, `buildah`, `dind` or `external`                              | `buildah`                                                                           |

| `build-tool` / `DOCKER_BUILD_TOOL`       | The build tool to use for building container image, possible values are `kaniko`, `buildah`, `dind` or `external`                              | `$TBC_DEFAULT_DOCKER_BUILD_TOOL` (defaults to `buildah`)                            |

| `kaniko-image` / `DOCKER_KANIKO_IMAGE`   | The image used to run `kaniko` - _for kaniko build only_                                                                                       | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_KANIKO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)|

| `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_                                                                                     | `quay.io/containers/buildah:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_BUILDAH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)|

| `image` / `DOCKER_IMAGE`                 | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `docker.io/library/docker:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) |

kicker.json

+3 −3
Original line number Diff line number Diff line
@@ -9,9 +9,9 @@ 
    {

      "name": "DOCKER_BUILD_TOOL",

      "type": "enum",

      "values": ["buildah", "dind", "kaniko", "external"],

      "description": "The build tool to use for building container image",

      "default": "buildah"

      "values": ["buildah", "dind", "kaniko", "external", "$TBC_DEFAULT_DOCKER_BUILD_TOOL"],

      "description": "The build tool to use for building container image\n\n_`$TBC_DEFAULT_DOCKER_BUILD_TOOL` defaults to `buildah`_",

      "default": "$TBC_DEFAULT_DOCKER_BUILD_TOOL"

    },

    {

      "name": "DOCKER_KANIKO_IMAGE",

templates/gitlab-ci-docker.yml

+6 −3
Original line number Diff line number Diff line
@@ -22,7 +22,8 @@ spec: 
      - dind

      - kaniko

      - external

      default: buildah

      - $TBC_DEFAULT_DOCKER_BUILD_TOOL

      default: $TBC_DEFAULT_DOCKER_BUILD_TOOL

    kaniko-image:

      description: |-

        The image used to run kaniko
@@ -283,6 +284,10 @@ workflow: 
variables:

  # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)

  TBC_SBOM_MODE: "onrelease"

  # Global default engine is Buildah; can be changed as a server instance variable (depending on your Runners capabilities)

  TBC_DEFAULT_DOCKER_BUILD_TOOL: buildah



  DOCKER_BUILD_TOOL: $[[ inputs.build-tool ]]



  DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]

  DOCKER_IMAGE: $[[ inputs.image ]]
@@ -331,8 +336,6 @@ variables: 
  # don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)

  DOCKER_METADATA: $[[ inputs.metadata ]]



  DOCKER_BUILD_TOOL: $[[ inputs.build-tool ]]



  DOCKER_CONTEXT_PATH: $[[ inputs.context-path ]]

  DOCKER_RELEASE_EXTRA_TAGS: $[[ inputs.release-extra-tags ]]

  DOCKER_BUILD_ARGS: $[[ inputs.build-args ]]