Use golang:1.17 and build from reproducible source (#1848)
* cleanup: Correctly use buildx TARGETARCH

* undo changes to Go version

* Use golang:1.17 and build from reproducible source

This change updates the Go version used to build kaniko and credential
helpers to Go 1.17, which uses Go modules by default. This means that we
can build outside of $GOPATH, from source fetched from the Go module
proxy.

This change also simplifies our builds of credential helpers to simply
`go install` them at a pinned version, for reproducibility and
simplicity.

This also changes `make images` and `make push` to build and push the
slim executor image as well.
imjasonh authored Dec 21, 2021
1 parent 0fd1058 commit f694212
Showing 5 changed files with 56 additions and 113 deletions.
2 changes: 2 additions & 0 deletions Makefile
@@ -95,10 +95,12 @@ k8s-executor-build-push:
images:
docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile .
docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:debug -f deploy/Dockerfile_debug .
docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:slim -f deploy/Dockerfile_slim .
docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/warmer:latest -f deploy/Dockerfile_warmer .

.PHONY: push
push:
docker push $(REGISTRY)/executor:latest
docker push $(REGISTRY)/executor:debug
docker push $(REGISTRY)/executor:slim
docker push $(REGISTRY)/warmer:latest
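Review bot: The new `executor:slim` build line still passes `--build-arg=GOARCH=$(GOARCH)`, but the Dockerfiles in this commit appear to drop `ARG GOARCH` and read only `TARGETARCH`, so the value is no longer consumed by the build. With plain `docker build`, `make images GOARCH=arm64` would then most likely build host-architecture binaries, and `make push` would publish them under the usual tags with nothing to indicate the mismatch. Selecting the target explicitly, e.g. `--platform=linux/$(GOARCH)` on each build line, keeps the Makefile variable meaningful; the three existing build lines in this hunk are affected the same way.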
49 changes: 16 additions & 33 deletions deploy/Dockerfile
@@ -12,47 +12,30 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# Builds the static Go image to execute in a Kubernetes job
FROM golang:1.17
WORKDIR /src

FROM golang:1.15
ARG GOARCH=amd64
WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.)
ARG TARGETARCH

RUN echo $GOARCH > /goarch

#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc.
ARG TARGETPLATFORM

#Capture ARCH has write to /goarch
RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM | awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH"
ENV GOARCH=$TARGETARCH
ENV CGO_ENABLED=0
ENV GOBIN=/usr/local/bin

# Get GCR credential helper
RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \
(mkdir -p /go/src/github.com/GoogleCloudPlatform || true) && \
cd /go/src/github.com/GoogleCloudPlatform && \
git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \
cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr && \
git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 && \
go get -u -t ./... && \
go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go

RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8

# Get Amazon ECR credential helper
RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \
make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/[email protected]

# ACR docker env credential helper
RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true) && \
cd /go/src/github.com/chrismellard && \
git clone https://github.com/chrismellard/docker-credential-acr-env && \
cd docker-credential-acr-env && \
make build
# Get ACR docker env credential helper
RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419

# Add .docker config dir
RUN mkdir -p /kaniko/.docker

COPY . .
RUN make GOARCH=$(cat /goarch)
RUN make GOARCH=$TARGETARCH

# Generate latest ca-certificates

@@ -64,10 +47,10 @@ RUN \
cat /etc/ssl/certs/* > /ca-certificates.crt

FROM scratch
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
COPY --from=0 /src/out/executor /kaniko/executor
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr
COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
COPY --from=0 /kaniko/.docker /kaniko/.docker
COPY files/nsswitch.conf /etc/nsswitch.conf
@@ -79,4 +62,4 @@ ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
WORKDIR /workspace

ENTRYPOINT ["/kaniko/executor"]
ENTRYPOINT ["/kaniko/executor"]
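Review bot: `FROM golang:1.17` in the builder stage is a floating tag, so the toolchain that compiles the executor and the three credential helpers can change between builds even though the helper sources are now pinned; for a build meant to be reproducible I would pin the base by digest, `FROM golang:1.17@sha256:<digest-of-the-reviewed-image>`. The same applies to the `FROM golang:1.17` lines in deploy/Dockerfile_debug, deploy/Dockerfile_slim and deploy/Dockerfile_warmer. The GCR and ACR helpers are pinned to full commit hashes, but the version suffix of the ECR helper line is masked on this page (`[email protected]`), so it is worth confirming that it names an exact release. A comment above the `go install` lines such as `# Fetched through the Go module proxy and verified against the checksum database; keep GOPROXY/GOSUMDB at their defaults in this stage` would record what the integrity of these binaries depends on.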
53 changes: 17 additions & 36 deletions deploy/Dockerfile_debug
@@ -12,50 +12,31 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# Builds the static Go image to execute in a Kubernetes job
FROM golang:1.17
WORKDIR /src

# Stage 0: Build the executor binary and get credential helpers
FROM golang:1.14
ARG GOARCH=amd64
WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
RUN echo $GOARCH > /goarch

#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc.
ARG TARGETPLATFORM

#Capture ARCH has write to /goarch
RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM | awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH"
RUN echo "I am runninng $TARGETPLATFORM with with $(cat /goarch)"
RUN cat /goarch
# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.)
ARG TARGETARCH

ENV GOARCH=$TARGETARCH
ENV CGO_ENABLED=0
ENV GOBIN=/usr/local/bin

# Get GCR credential helper
RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \
(mkdir -p /go/src/github.com/GoogleCloudPlatform || true) && \
cd /go/src/github.com/GoogleCloudPlatform && \
git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \
cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr && \
git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 && \
go get -u -t ./... && \
go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go

RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8

# Get Amazon ECR credential helper
RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \
make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/[email protected]

# Azure docker env credential helper
RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true) && \
cd /go/src/github.com/chrismellard && \
git clone https://github.com/chrismellard/docker-credential-acr-env && \
cd docker-credential-acr-env && \
make build
# Get ACR docker env credential helper
RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419

# Add .docker config dir
RUN mkdir -p /kaniko/.docker

COPY . .
RUN make GOARCH=$(cat /goarch) && make GOARCH=$(cat /goarch) out/warmer
RUN make GOARCH=$TARGETARCH
RUN make GOARCH=$TARGETARCH out/warmer

# Generate latest ca-certificates

@@ -67,11 +48,11 @@ RUN \
cat /etc/ssl/certs/* > /ca-certificates.crt

FROM scratch
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/* /kaniko/
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer
COPY --from=0 /src/out/executor /kaniko/executor
COPY --from=0 /src/out/warmer /kaniko/warmer
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr
COPY --from=busybox:1.32.0 /bin /busybox
# Declare /busybox as a volume to get it automatically in the path to ignore
VOLUME /busybox
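Review bot: The header comment on the builder stage reads `# Builds the static Go image to execute in a Kubernetes job`, the same text as deploy/Dockerfile, and the more specific `# Stage 0: …` comment appears to have been dropped, so nothing at the top says this file is the debug variant. Since the resulting image carries the warmer and a busybox userland under `/busybox` next to the three registry credential helpers, I would state that up front, e.g. `# Debug variant: executor, warmer and credential helpers, plus busybox under /busybox`. The remainder of the final stage is collapsed on this page, so this is based on the visible lines only.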
18 changes: 6 additions & 12 deletions deploy/Dockerfile_slim
@@ -13,21 +13,15 @@
# limitations under the License.

# Builds the static Go image to execute in a Kubernetes job
FROM golang:1.15 as build_env
ARG GOARCH=amd64
RUN echo $GOARCH > /goarch
FROM golang:1.17

#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc.
ARG TARGETPLATFORM
# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.)
ARG TARGETARCH

#Capture ARCH has write to /goarch
RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM | awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH"
RUN echo "I am runninng $TARGETPLATFORM with $(cat /goarch)"

WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
WORKDIR /src
COPY . .

RUN make GOARCH=$(cat /goarch)
RUN make GOARCH=$TARGETARCH

# Generate latest ca-certificates

@@ -39,7 +33,7 @@ RUN \
cat /etc/ssl/certs/* > /ca-certificates.crt

FROM scratch
COPY --from=build_env /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
COPY --from=0 /src/out/executor /kaniko/executor
COPY files/nsswitch.conf /etc/nsswitch.conf
COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
ENV HOME /root
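Review bot: The final stage now copies the executor with `COPY --from=0 …`, where the previous revision named the stage (`as build_env`); an index reference can end up pointing at a different stage if one is ever inserted above the builder, and on a `scratch` image that decides which binary is shipped. I would keep a name: `FROM golang:1.17 AS builder` and `COPY --from=builder /src/out/executor /kaniko/executor`. deploy/Dockerfile, deploy/Dockerfile_debug and deploy/Dockerfile_warmer reference the builder as `--from=0` for every artifact as well. The lines between the two hunks are collapsed on this page, so the definition of the `certs` stage is not visible here.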
47 changes: 15 additions & 32 deletions deploy/Dockerfile_warmer
@@ -12,47 +12,30 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# Builds the static Go image to execute in a Kubernetes job
FROM golang:1.17
WORKDIR /src

FROM golang:1.15
ARG GOARCH=amd64
WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
RUN echo $GOARCH > /goarch
# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.)
ARG TARGETARCH

#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc.
ARG TARGETPLATFORM

#Capture ARCH has write to /goarch
RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM | awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH"
RUN echo "I am runninng $TARGETPLATFORM with $(cat /goarch)"
ENV GOARCH=$TARGETARCH
ENV CGO_ENABLED=0
ENV GOBIN=/usr/local/bin

# Get GCR credential helper
RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \
(mkdir -p /go/src/github.com/GoogleCloudPlatform || true) && \
cd /go/src/github.com/GoogleCloudPlatform && \
git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \
cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr && \
git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 && \
go get -u -t ./... && \
go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go

RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8

# Get Amazon ECR credential helper
RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \
make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/[email protected]

# ACR docker env credential helper
RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true) && \
cd /go/src/github.com/chrismellard && \
git clone https://github.com/chrismellard/docker-credential-acr-env && \
cd docker-credential-acr-env && \
make build
# Get ACR docker env credential helper
RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419

# Add .docker config dir
RUN mkdir -p /kaniko/.docker

COPY . .
RUN make GOARCH=$(cat /goarch) out/warmer
RUN make GOARCH=$TARGETARCH out/warmer

# Generate latest ca-certificates

@@ -64,10 +47,10 @@ RUN \
cat /etc/ssl/certs/* > /ca-certificates.crt

FROM scratch
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer
COPY --from=0 /src/out/warmer /kaniko/warmer
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr
COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
COPY --from=0 /kaniko/.docker /kaniko/.docker
COPY files/nsswitch.conf /etc/nsswitch.conf