feat: docker buildx build and sign task (buildkit)

Required for https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/instrumentor/-/merge_requests/3831

Part of #24

Related to https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/5827

Adds a Docker Base Image to common-ci-tasks:

cc @WarheadsSE

Docker Extensible Tasks

.docker_buildx_base

This is not a full template, but allows users to easily define their own docker buildx container image builds without all the boilerplate.

The following variables can be configured:

  • DOCKER_DESTINATION: Required. The image reference, including tag, that the built image is pushed to.
  • DOCKER_BUILD_FILE: The Dockerfile to build. Defaults to Dockerfile.
  • DOCKER_BUILD_CONTEXT: The build context to use. Defaults to the current directory (.).
  • DOCKER_BUILDX_EXTRA_ARGS: Additional arguments to add to the docker buildx build command.
  • GL_VERSION_YML_FILES: A set of .gitlab-ci.yml include files containing variables. These variables will be passed through as --build-args. Defaults to .gitlab-ci-asdf-versions.yml .gitlab-ci-other-versions.yml.

Usage Example

include:
  # Includes a base template for running an opinionated docker buildx build
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/docker.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
    ref: v2.25.3  # renovate:managed
    file: 'docker.yml'

.container_builds:
  stage: release
  variables:
    # DOCKER_BUILD_FILE: the Dockerfile to build
    DOCKER_BUILD_FILE: Dockerfile.alt # Defaults to Dockerfile
    # DOCKER_BUILD_CONTEXT: the build context to use
    DOCKER_BUILD_CONTEXT: sub/directory/ # Defaults to project root
    # DOCKER_BUILDX_EXTRA_ARGS: additional arguments for docker buildx build
    DOCKER_BUILDX_EXTRA_ARGS: |
      --build-arg GL_DEDICATED_CONTAINER_IMAGE_VERSION_PREFIXED
  extends:
    - .docker_buildx_base

container_image_build:
  variables:
    DOCKER_DESTINATION: $CI_REGISTRY_IMAGE/onboard:${CI_COMMIT_REF_SLUG}
  extends:
    - .container_builds
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE != "schedule"'

# Tags use the git tag, not the slug
container_image_tagged:
  variables:
    DOCKER_DESTINATION: $CI_REGISTRY_IMAGE/onboard:${CI_COMMIT_TAG}
  extends:
    - .container_builds
  rules:
    - if: '$CI_COMMIT_TAG'

Signing and Verification

The .docker_buildx_base task signs container images using keyless signatures based on OIDC tokens.

The Sigstore project provides a CLI called Cosign which is used for keyless signing of container images built with GitLab CI/CD.

This allows container images to be verified without having to manage or distribute secret signing keys.

After signing, the OIDC-based certificate identity that was used to sign the container is displayed in the job log:

------------------------------------------------------------
Verify this container image using:
cosign verify registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/asdf:v1.2.3 \
  --certificate-identity https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks//.gitlab-ci.yml@refs/tags/v1.2.3 \
  --certificate-oidc-issuer https://gitlab.com
------------------------------------------------------------

This command can be used to verify the container image without any keys. Both flags matter: --certificate-identity pins the signature to the project's .gitlab-ci.yml at the exact ref that built the image, and --certificate-oidc-issuer pins it to GitLab as the identity provider, so a signature produced by a different project, pipeline file or ref does not verify.
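As an added example (not code from common-ci-tasks), a small POSIX shell helper that builds the expected keyless certificate identity from the project URL, CI config path and git ref in the format shown in the log above, then pins cosign verify to that identity and to the GitLab OIDC issuer. The refs/heads/<branch> form for branch builds, the cosign installation and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not part of the common-ci-tasks project): derive the expected
# keyless certificate identity for an image built by a GitLab CI pipeline and
# pin cosign verify to it, so a signature from any other project, pipeline
# file or ref is rejected. Assumes the cosign CLI is installed; the sample
# values used below are constructed.
set -eu

# The certificate identity for a GitLab CI job has the form
#   <project URL>//<CI config path>@<full git ref>
# e.g. https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks//.gitlab-ci.yml@refs/tags/v1.2.3
# Usage: build_cert_identity PROJECT_URL CONFIG_PATH REF_TYPE REF_NAME
#   REF_TYPE is "tag" or "branch" (mirroring CI_COMMIT_TAG / CI_COMMIT_BRANCH).
#   The refs/heads/<branch> form is an assumption extending the tag case above.
build_cert_identity() {
  project_url="$1"; config_path="$2"; ref_type="$3"; ref_name="$4"
  case "$ref_type" in
    tag)    ref="refs/tags/$ref_name" ;;
    branch) ref="refs/heads/$ref_name" ;;
    *)      echo "build_cert_identity: unknown ref type '$ref_type'" >&2; return 1 ;;
  esac
  printf '%s//%s@%s\n' "$project_url" "$config_path" "$ref"
}

# Verify an image, pinning both the signer identity and the OIDC issuer.
# Usage: verify_image IMAGE PROJECT_URL CONFIG_PATH REF_TYPE REF_NAME
verify_image() {
  image="$1"
  identity="$(build_cert_identity "$2" "$3" "$4" "$5")" || return 1
  # cosign requires both flags for keyless verification; without the identity
  # pin, any signature issued via the same OIDC issuer would be accepted.
  cosign verify "$image" \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer https://gitlab.com
}

# Example invocation with constructed values; runs only when explicitly enabled
# and cosign is on PATH, so sourcing this file has no side effects.
if [ "${RUN_VERIFY_EXAMPLE:-0}" = 1 ] && command -v cosign >/dev/null 2>&1; then
  verify_image registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/asdf:v1.2.3 \
    https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks .gitlab-ci.yml tag v1.2.3
fi
```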

Caching

By default, caching is enabled for Docker tasks.

Edited by Andrew Newdigate
