Create Spring Boot Images in Jenkins/CI in K8s, Part 1

  Working out Jenkins/CI pipelines it is a common task to create Spring Boot Images. Doing this with kubernetes agents is a challenge since docker is no more available from inside of containers.

The task is quiet simple, create a spring boot image with `mvn spring-boot:build-image` inside a kubernetes pod.

By default this fails because spring try to execute 'buildpacks' but the needed docker service is not available. The docker service is needed to create the container image. With spring 2.6 and beneath it is not possible to use another service then docker. But it is possible to use buildpacks separately after creating the project jar file.

As replacement of docker it is possible to use podman as service. podman is compatible with docker and also supports the docker.sock. Looking forward to spring boot 2.7 which supports also podman as alternative to docker I did not try to use 'kaniko'.

Objectives of this post:

  • Create a woking pod and script to create spring boot images inside of Kubernetes
  • Prove how creation could be done in K8s 
  • Push the image to docker hub
Out of scope
  • Creating the Jenkins pipeline

To do the task I create a 'pod.yaml' with container needed to create a spring boot image and a 'build.sh' containing all the commands executing at the pods containers.

To test the script a simple spring application will be used (https://github.com/mhus/sample-spring-service). - This files are included in the repository in '/test'.

So let's do it:

(0) First a management pod is needed to download the project. Usually this is done by Jenkins at the start of the pipeline. In this case I need to do it manually. I need an image which contains the command 'git' to clone the git repo. The image 'dockercore/docker' will do the job. As usually we need to start a dummy command to let the container alive. My name for the container is 'box'.

To simulate Jenkins I will share the folder '/home/jenkins/agent/' over all pods.

      - name: box
        image: dockercore/docker
        command:
        - cat
        tty: true
        volumeMounts:
          - name: workspace-volume
            mountPath: /home/jenkins/agent

 Now it is possible to clone the repository

kubectl exec -it -c box agent -- /bin/bash -c \
 "cd /home/jenkins/agent/;
 git clone https://github.com/mhus/sample-spring-service.git"

Preparation is done.

(1) First pipeline step is to create the jar file using maven. This is a common task in Jenkins pipelines. Using the 'maven' image and execute `mvn package` for the project.

- name: maven
     image:  maven:3.8-openjdk-11
     command:
     - cat
     tty: true
     volumeMounts:
       - name: workspace-volume
         mountPath: /home/jenkins/agent

and execute

kubectl exec -it -c maven agent -- \
 /bin/bash -c "cd /home/jenkins/agent/sample-spring-service;
 mvn package"

(2) More complicated is to execute the buildpack command. To create the image the command is 

pack build <image name> -p <jar file> -B paketobuildpacks/builder:base"` and there is an official buildpack image in docker hub 'buildpacksio/pack

But the image do not include a bash or sh command and it is not possible to start the container doing nothing and wait for exec commands - wtf. Therefore I was forced to create a separate image containing buildpacks AND a shell.

Dockerfile

FROM debian
RUN set +x \
 && apt update \
 && apt install -y curl git \
 && (curl -sSL "https://github.com/buildpacks/pack/releases/download/v0.26.0/pack-v0.26.0-linux.tgz" | tar -C /usr/local/bin/ --no-same-owner -xzv pack) \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 

ENTRYPOINT ["/usr/local/bin/pack"]

And I pushed the image to docker hub as 'mhus/buildpacks:0.26.0-0'. Adding the container specification to the pod I created a shared folder to share the docker socket from podman into buildpacks.

- name: buildpacks
     image: mhus/buildpacks:0.26.0-0
     command: ["/bin/bash","-c"]
     args: ["cat"]
     tty: true
     volumeMounts:
       - name: workspace-volume
         mountPath: /home/jenkins/agent
       - name: docker-socket
         mountPath: /var/run

And the podman container as helper for the buildpacks command. To provide the socket it's important to start the podman as a service and set the path for the socket.

- name: podman
     image: quay.io/podman/stable
     args: ["/usr/bin/podman","system","service","-t","0","--log-level=info", "unix:///var/run/docker.sock"]
     tty: true
     securityContext:
      privileged: true
     volumeMounts:
       - name: workspace-volume
         mountPath: /home/jenkins/agent
       - name: docker-socket
         mountPath: /var/run

Now it's possible to start buildpack to create the container image for the spring boot project:

kubectl exec -it -c buildpacks agent -- /bin/bash -c \
 "cd /home/jenkins/agent/sample-spring-service;
 pack build sample-spring-service -p target/sample-spring-service-1.0.0-SNAPSHOT.jar -B paketobuildpacks/builder:base"

(3) Last step is to push the image to docker hub. To do this I need to tag the image, login to the hub and push the image. Since the podman container already exists I only need to call the command in the existing container.

kubectl exec -it -c podman agent -- /bin/bash -c \
 "podman tag sample-spring-service docker.io/$docker_user/sample-spring-service:$version;"
kubectl exec -it -c podman agent -- /bin/bash -c \
 "podman login -u $docker_user -p '$docker_pass' docker.io/$docker_user"
kubectl exec -it -c podman agent -- /bin/bash -c \
 "podman push docker.io/$docker_user/sample-spring-service:$version"

Before execution set the variables 

version="latest"
docker_user="mhus"
docker_pass="xxx"

Let's test the new image with docker:


docker run --rm --name sample-spring-service -p 8080:8080 mhus/sample-spring-service:latest

And test the rest service in the browser 'http://localhost:8080/hello'.

This proof could be more generic but I get the goal to create a spring boot image. Next this should be done all together to create a pipeline that works for this project and with parameters for all other projects too.


Kommentare

Kommentar veröffentlichen

Beliebte Posts aus diesem Blog

Sonatype Nexus fails with random "peer not authenticated" errors behind ingress

 After installing nexus3 server in a kubernetes environment in the first view everything looks good. Server is running an accessible from the world. Users and roles are defined and working. But already in the first hours of working with the repository there are problems. The trick was retry the failed activity and everything went ok. It turned out that heavy activities failed a lot of times and a lot of retries have to be done to finish the tasks. Annoying if a release deploy failed. You need to increase the version number every time. There were a few support in the internet for the problems most of the time handling SSL problems between maven and nexus. But it did not fix the problem. It looks like maven and the used http library wagon have got problems with pooled connections if using ingress (a test with a standalone installation did not show the problem)  - The 'deep' reason is not really clear for me, need to invest more time for it. The solution is to deny wagon to use p...
Mehr anzeigen

[mhus lib] Reorg in generation 7 nearly finished

 The generation 7 shows massive reorganisations and reimplementations. After renaming repository names (moved the 'cherry' prefix to 'mhus') the reorg is finished and the sources are ready for a more stable generation 8. Generation 8 will add new features to work with none OSGi services in cloud environments. Actual changes: cherry-reactiive -> mhus-reactive cherry-vault -> mhus-vault cherry-web -> mhus-web mhus-osgi-cluster -> mhus-cluster
Mehr anzeigen

[mhus lib] Implemented Bearer JWS tokens

 mhus now supports bearer tokens for authentication. I used the project jjwt to implement the tokens and added dependencies of the current version 0.11.2. The token is implemented to be used with apache shiro. A new service JwtProvider implements creation and reading of the tokens. The keys if not exists will be created and stored in the keychain. Private and public keys in separate key sources. In this way the public keys can be published to other nodes. A new interface BearerRealm must be used to mark realms with Bearer support. Using the interface a token can be created from the realm implementation. You should use the AccessUtil to create tokens. The authentication is already implemented in rest and micro calls. Via rest a node '/jwt_token' can be used to create a token - expires after one hour - and use it as authentication. To use jjwt with osgi I as forced to create a port project. First the 'feature' character of the bundles is not supported in the current felix...
Mehr anzeigen