How-To: GitLab CI/CD → Build Docker, Push to Registry, Helm Deploy to RKE2


Updated: 2025-08-24

Overview

Set up a GitLab pipeline that builds a container image, pushes it to a private GitLab Container Registry, and deploys to RKE2 via Helm. This edition includes an expanded Kaniko section with practical executor flags and templates.

Dockerfile (multi-stage, Go example; swap for your stack):

# syntax=docker/dockerfile:1
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o app

FROM gcr.io/distroless/base-debian12
WORKDIR /app
COPY --from=build /src/app ./app
USER 65532:65532
ENTRYPOINT ["./app"]

Create imagePullSecret (run once per namespace):

kubectl create secret docker-registry regcred   --docker-server=gitlab.local:5050   --docker-username=<deploy_user_or_token_name>   --docker-password=<deploy_token_or_pat>   --docker-email=none@example.com   -n <namespace>

.gitlab-ci.yml (Docker-in-Docker build):

stages: [build, deploy]
variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

build:
  stage: build
  image: docker:26
  services: [docker:26-dind]
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
  only: [branches]

deploy:
  stage: deploy
  image: alpine/helm:3.14.4
  before_script:
    - apk add --no-cache curl bash
    - mkdir -p ~/.kube && echo "$KUBECONFIG_CONTENTS" > ~/.kube/config
  script:
    - helm upgrade --install myapp ./helm/myapp -n <namespace> --create-namespace         --set image.repository="$CI_REGISTRY_IMAGE"         --set image.tag="$CI_COMMIT_SHORT_SHA"         --set imagePullSecrets[0].name="regcred"
  only: [branches]

Kaniko build (no DinD) — Expanded Options

This job shows common flags you’ll actually use: multiple destinations (SHA + latest), cache repo, build args, labels, TLS toggles, and artifacts like digest/tar.

build_kaniko:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:v1.23.2-debug    # pick a pinned version
    entrypoint: [""]                                       # allow running /kaniko/executor directly
  variables:
    IMAGE_REPO: "$CI_REGISTRY_IMAGE"                       # e.g. gitlab.local:5050/group/project
    IMAGE_TAG: "$CI_COMMIT_SHORT_SHA"
    IMAGE_LATEST_TAG: "latest"
    DOCKERFILE: "Dockerfile"
    CONTEXT: "$CI_PROJECT_DIR"
    CACHE_REPO: "$CI_REGISTRY_IMAGE/cache"                 # registry path to store the cache layers
    # Optional extras:
    KANIKO_EXTRA_ARGS: "--snapshotMode=redo --use-new-run --verbosity=info"
  script:
    # Auth: use CI-provided credentials
    - mkdir -p /kaniko/.docker
    - >
      echo "{"auths":{"$CI_REGISTRY":{"username":"$CI_REGISTRY_USER",
      "password":"$CI_REGISTRY_PASSWORD"}}}" > /kaniko/.docker/config.json

    # Build and push to SHA tag and 'latest'
    - >
      /kaniko/executor
      --context $CONTEXT
      --dockerfile $DOCKERFILE
      --destination $IMAGE_REPO:$IMAGE_TAG
      --destination $IMAGE_REPO:$IMAGE_LATEST_TAG
      --build-arg GIT_SHA=$CI_COMMIT_SHA
      --build-arg VERSION=${CI_COMMIT_TAG:-$CI_COMMIT_SHORT_SHA}
      --label org.opencontainers.image.revision=$CI_COMMIT_SHA
      --label org.opencontainers.image.source=$CI_PROJECT_URL
      --cache=true
      --cache-repo $CACHE_REPO
      --cache-ttl=168h                                 # 7d cache
      --digest-file $CI_PROJECT_DIR/image-digest.txt
      $KANIKO_EXTRA_ARGS
  artifacts:
    when: always
    paths: [image-digest.txt]
  only: [branches]

Using CI_JOB_TOKEN instead of CI_REGISTRY_PASSWORD

# GitLab’s built-in token (works on same GitLab instance)
echo "{"auths":{"$CI_REGISTRY":{"username":"gitlab-ci-token","password":"$CI_JOB_TOKEN"}}}" > /kaniko/.docker/config.json

Pinning your image name explicitly

# If you want a different repo path than $CI_REGISTRY_IMAGE:
variables:
  IMAGE_REPO: "gitlab.local:5050/local/your-service"
  IMAGE_TAG: "$CI_COMMIT_SHORT_SHA"
# Then use --destination $IMAGE_REPO:$IMAGE_TAG

Security Notes

- Mask and protect registry credentials; use deploy/CI tokens with least privilege.
- Sign images after push (Cosign) and verify at admission.
- Avoid pushing ':latest' from feature branches unless you truly want it.
- Keep your Dockerfile free of secrets; use build args only for non-sensitive data.

Meme idea

“It works on my machine” — Kaniko: *cool story, push the layers.*

Taylor Swift

“You can aim for my heart, go for blood / But you would still miss me in your bones.” — I Did Something Bad

Comments

Post a Comment

Popular posts from this blog

Learning to Automate My Side Projects with SWE-agent + GitLab

Image
I wanted to share something I built. I managed to connect SWE-agent with my self-hosted GitLab so that Issues can drive automation—and I think it’s kind of cool. (Currently, it isn’t directly supported in SWE-Agent, but there is an issue ( https://github.com/SWE-agent/SWE-agent/issues/760 ) on GitHub to add support. Why wait? ^_^) I’ve been tinkering with SWE-agent in the homelab while between roles. SWE-agent doesn’t natively support GitLab, but that wasn’t going to stop me—I wired it into my self-hosted GitLab instance so Issues drive the automation end-to-end. The Flow I Built 1. Start with an Issue. When I create an Issue, I describe the task in plain language. For example: “create `/taylor-swift` route that responds with JSON key lucky=13.” 2. Label the intent. Add the label `run:swe` and tag the model (in my case: `model:qwen3-coder-30b-a3b-instruct` from LM Studio). There is also a label swe:in-progress so that the pipeline does not pick up in-progress issues. If the pipeline ne...
Read more

Ship-Ready Web Essentials: Search, Sitemap, Metadata & Icons (SvelteKit)

This guide is a pragmatic, production-minded checklist and how-to for hardening a SvelteKit landing site so it’s discoverable by search engines, understandable by AI crawlers, and delightful on modern devices. It includes file locations, example contents, and verification steps. Everything here works even if you only have a single landing page today. Branding note: this document uses a fictional brand (“Example Store”) and domain (example.com). Replace these with your own values when you implement. Quick To-Do Checklist • Serve a real XML sitemap at /sitemap.xml and reference it in robots.txt. • Add a lightweight, server-rendered /search?q=… endpoint (backs JSON-LD SearchAction). • Place ai.txt (allow/deny AI crawlers) and .well-known/security.txt (vuln-reporting). • Wire canonical Open Graph/Twitter tags and og.png for social previews. • Add platform icons (apple-touch-icon.png, safari-pinned-tab.svg) and site.webmanifest. • Harden app.html with meta theme-color (light/dark), color-sc...
Read more

Kubernetes Secrets Management — SOPS + age (GitOps‑friendly)

Image
  Owner: Platform Engineering Audience: Devs & Ops Status: Adopted This document captures the exact process we use to manage Kubernetes secrets with Mozilla SOPS and the age encryption tool. It includes why we chose this approach, how to work with secrets day‑to‑day, and trade‑offs versus other methods. Executive Summary We store Kubernetes Secret manifests in Git encrypted at rest using SOPS with an age public key.  SOPS encrypts your secret values with AES‑256‑GCM , which is industry gold standard. In SOPS you can not swap AES‑256‑GCM out. The age private key lives only in protected CI variables. CI decrypts the manifests at deploy time and applies them with kubectl. No in‑cluster controllers, CRDs, or webhooks are required. Why this approach Top benefits: • Zero in‑cluster installs (no CRDs/controllers to run or break). • GitOps‑native: encrypted YAML sits in the repo; diffs remain readable (metadata & keys stay visible). • Cloud‑agnostic: age works anywhere; no ...
Read more