Support building securely against remote buildkitd #6732

Open
vaskozl opened this issue Oct 14, 2021 · 3 comments · May be fixed by #9648

Comments


vaskozl commented Oct 14, 2021

While skaffold supports building against a remote exposed docker, it is also extremely insecure.

https://github.com/moby/buildkit#expose-buildkit-as-a-tcp-service

Buildkitd supports exposing itself directly via mTLS; I currently use buildctl in my CI to build containers against it quickly.

It would be great if skaffold supported building against a remote buildkitd with mTLS.

Contributor

nkubala commented Oct 28, 2021

@vaskozl thanks for the issue, this is an interesting idea. Have you tried putting together a prototype using a custom builder? This could be a lower-effort way to support this in skaffold without major code changes.

We probably won't have the bandwidth to implement this on our end, but if you're interested in putting together a design proposal we would certainly consider accepting a contribution.
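
The custom-builder route suggested in the comment above could look like the following script (an added example, not code from this thread or from the Skaffold project). It refuses to call `buildctl` unless the address is `tcp://` and the CA, client certificate and private key are all present, so a misconfiguration cannot fall back to unauthenticated TCP. `BUILDKIT_ADDR`, `BUILDKIT_CERT_DIR`, `BUILDCTL` and the `ca.pem`/`cert.pem`/`key.pem` file names are assumptions; `IMAGE`, `PUSH_IMAGE` and `BUILD_CONTEXT` are the variables Skaffold passes to custom build scripts.

```shell
#!/bin/sh
# Added example: Skaffold custom-build script for a remote buildkitd over mTLS.
# Assumed names (not from the issue): BUILDKIT_ADDR, BUILDKIT_CERT_DIR, BUILDCTL,
# and the certificate file names ca.pem / cert.pem / key.pem.

# Return 0 only if the connection can be mutually authenticated.
# Runs in a subshell, so "exit" only ends the check, not the caller.
check_mtls_config() (
  addr=$1
  dir=$2
  case "$addr" in
    tcp://?*) ;;
    *) echo "BUILDKIT_ADDR must be tcp://host:port, got '$addr'" >&2; exit 1 ;;
  esac
  for f in ca.pem cert.pem key.pem; do
    [ -r "$dir/$f" ] || { echo "missing $dir/$f, refusing plaintext TCP" >&2; exit 1; }
  done
  # The client key is this builder's identity: no group/other permission bits.
  case "$(ls -Lld "$dir/key.pem")" in
    ????------*) ;;
    *) echo "$dir/key.pem is accessible to group/other" >&2; exit 1 ;;
  esac
)

# Build (and optionally push) $IMAGE on the remote buildkitd.
remote_build() {
  check_mtls_config "${BUILDKIT_ADDR:-}" "${BUILDKIT_CERT_DIR:-}" || return 1
  "${BUILDCTL:-buildctl}" \
    --addr "$BUILDKIT_ADDR" \
    --tlscacert "$BUILDKIT_CERT_DIR/ca.pem" \
    --tlscert "$BUILDKIT_CERT_DIR/cert.pem" \
    --tlskey "$BUILDKIT_CERT_DIR/key.pem" \
    build --frontend dockerfile.v0 \
    --local context="$BUILD_CONTEXT" \
    --local dockerfile="$BUILD_CONTEXT" \
    --output "type=image,name=$IMAGE,push=$PUSH_IMAGE"
}

# Skaffold sets IMAGE when it invokes the script; without it only define functions.
if [ -n "${IMAGE:-}" ]; then
  remote_build
fi
```

Setting `BUILDCTL=echo` prints the command line instead of running it, which is a quick way to review what would be sent before pointing the script at a real daemon.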


afbjorklund commented Jan 14, 2022

This is used in minikube, by running buildctl directly on the remote server (over ssh) towards the cluster containerd.

https://github.com/kubernetes/minikube/blob/v1.24.0/pkg/minikube/cruntime/containerd.go#L395

https://github.com/moby/buildkit#containerd-image-store

Could also have tunneled a unix socket, but it was too much hassle to set up (together with the other supported runtimes).

https://minikube.sigs.k8s.io/docs/handbook/pushing/#6-pushing-directly-to-in-cluster-containerd-buildkitd

The workaround is to tar up the build context and scp it...

@ericzzzzzzz
Contributor

Keep triage happy

reingart added a commit to reingart/skaffold that referenced this issue Jan 11, 2025
…Tools#6732)

* detect-buildx global config option for backward compatibility
* cache-tag global config option to customize cache destination
* new CacheTo in DockerArtifact in configuration yaml (for docker build --cache-to)

* export LoadDockerConfig to read ~/.docker/config.json for buildx detection
* fix avoid loading image via buildx if no docker daemon is accessible
* fix remote lookup / import missing in buildx workaround
* fix image import if no docker daemon is available (under buildx)
* adjust cache reference preserving tag and default cacheTo if not given
* parse buildx metadata to extract ImageID digest

Initially based on ebekebe's GoogleContainerTools#8172 patch
ebekebe@1c1fdeb

Signed-off-by: [email protected]
reingart linked a pull request Jan 11, 2025 that will close this issue