Use golang:1.17 and build from reproducible source (#1848)
* cleanup: Correctly use buildx TARGETARCH * undo changes to Go version * Use golang:1.17 and build from reproducible source This change updates the Go version used to build kaniko and credential helpers to Go 1.17, which uses Go modules by default. This means that we can build outside of $GOPATH, from source fetched from the Go module proxy. This change also simplifies our builds of credential helpers to simply `go install` them at a pinned version, for reproducibility and simplicity. This also changes `make images` and `make push` to build and push the slim executor image as well.
Showing
5 changed files
with
56 additions
and
113 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,47 +12,30 @@ | |
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# Builds the static Go image to execute in a Kubernetes job | ||
FROM golang:1.17 | ||
WORKDIR /src | ||
|
||
FROM golang:1.15 | ||
ARG GOARCH=amd64 | ||
WORKDIR /go/src/github.com/GoogleContainerTools/kaniko | ||
# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.) | ||
ARG TARGETARCH | ||
|
||
RUN echo $GOARCH > /goarch | ||
|
||
#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc. | ||
ARG TARGETPLATFORM | ||
|
||
#Capture ARCH has write to /goarch | ||
RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM | awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH" | ||
ENV GOARCH=$TARGETARCH | ||
ENV CGO_ENABLED=0 | ||
ENV GOBIN=/usr/local/bin | ||
|
||
# Get GCR credential helper | ||
RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \ | ||
(mkdir -p /go/src/github.com/GoogleCloudPlatform || true) && \ | ||
cd /go/src/github.com/GoogleCloudPlatform && \ | ||
git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \ | ||
cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr && \ | ||
git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 && \ | ||
go get -u -t ./... && \ | ||
go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go | ||
|
||
RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 | ||
|
||
# Get Amazon ECR credential helper | ||
RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \ | ||
make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper | ||
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/[email protected] | ||
|
||
# ACR docker env credential helper | ||
RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true) && \ | ||
cd /go/src/github.com/chrismellard && \ | ||
git clone https://github.com/chrismellard/docker-credential-acr-env && \ | ||
cd docker-credential-acr-env && \ | ||
make build | ||
# Get ACR docker env credential helper | ||
RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419 | ||
|
||
# Add .docker config dir | ||
RUN mkdir -p /kaniko/.docker | ||
|
||
COPY . . | ||
RUN make GOARCH=$(cat /goarch) | ||
RUN make GOARCH=$TARGETARCH | ||
|
||
# Generate latest ca-certificates | ||
|
||
|
@@ -64,10 +47,10 @@ RUN \ | |
cat /etc/ssl/certs/* > /ca-certificates.crt | ||
|
||
FROM scratch | ||
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor | ||
COPY --from=0 /src/out/executor /kaniko/executor | ||
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr | ||
COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login | ||
COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr | ||
COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login | ||
COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr | ||
COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/ | ||
COPY --from=0 /kaniko/.docker /kaniko/.docker | ||
COPY files/nsswitch.conf /etc/nsswitch.conf | ||
|
@@ -79,4 +62,4 @@ ENV DOCKER_CONFIG /kaniko/.docker/ | |
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json | ||
WORKDIR /workspace | ||
|
||
ENTRYPOINT ["/kaniko/executor"] | ||
ENTRYPOINT ["/kaniko/executor"] |
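Review bot: The build stage now starts from `FROM golang:1.17`, a tag that moves with every patch release, so the toolchain is the one build input this commit leaves unpinned while the credential helpers are fixed to commit hashes or a version. Pinning the base by digest, `FROM golang:1.17@sha256:<digest-of-the-reviewed-image>`, would make the compiler as reproducible as the sources; the same line opens the other two Dockerfiles shown on this page. The `go install …@<rev>` steps appear to rely on the image's default module proxy and checksum-database settings for integrity, so a comment above them such as `# fetched through GOPROXY and verified against GOSUMDB; do not set GOSUMDB=off or GOINSECURE in this stage` would record that assumption. The ECR helper's version is garbled on this page (`[email protected]`), so that pin could not be checked here.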
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,50 +12,31 @@ | |
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# Builds the static Go image to execute in a Kubernetes job | ||
FROM golang:1.17 | ||
WORKDIR /src | ||
|
||
# Stage 0: Build the executor binary and get credential helpers | ||
FROM golang:1.14 | ||
ARG GOARCH=amd64 | ||
WORKDIR /go/src/github.com/GoogleContainerTools/kaniko | ||
RUN echo $GOARCH > /goarch | ||
|
||
#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc. | ||
ARG TARGETPLATFORM | ||
|
||
#Capture ARCH has write to /goarch | ||
RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM | awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH" | ||
RUN echo "I am runninng $TARGETPLATFORM with with $(cat /goarch)" | ||
RUN cat /goarch | ||
# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.) | ||
ARG TARGETARCH | ||
|
||
ENV GOARCH=$TARGETARCH | ||
ENV CGO_ENABLED=0 | ||
ENV GOBIN=/usr/local/bin | ||
|
||
# Get GCR credential helper | ||
RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \ | ||
(mkdir -p /go/src/github.com/GoogleCloudPlatform || true) && \ | ||
cd /go/src/github.com/GoogleCloudPlatform && \ | ||
git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \ | ||
cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr && \ | ||
git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 && \ | ||
go get -u -t ./... && \ | ||
go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go | ||
|
||
RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 | ||
|
||
# Get Amazon ECR credential helper | ||
RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \ | ||
make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper | ||
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/[email protected] | ||
|
||
# Azure docker env credential helper | ||
RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true) && \ | ||
cd /go/src/github.com/chrismellard && \ | ||
git clone https://github.com/chrismellard/docker-credential-acr-env && \ | ||
cd docker-credential-acr-env && \ | ||
make build | ||
# Get ACR docker env credential helper | ||
RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419 | ||
|
||
# Add .docker config dir | ||
RUN mkdir -p /kaniko/.docker | ||
|
||
COPY . . | ||
RUN make GOARCH=$(cat /goarch) && make GOARCH=$(cat /goarch) out/warmer | ||
RUN make GOARCH=$TARGETARCH | ||
RUN make GOARCH=$TARGETARCH out/warmer | ||
|
||
# Generate latest ca-certificates | ||
|
||
|
@@ -67,11 +48,11 @@ RUN \ | |
cat /etc/ssl/certs/* > /ca-certificates.crt | ||
|
||
FROM scratch | ||
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/* /kaniko/ | ||
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer | ||
COPY --from=0 /src/out/executor /kaniko/executor | ||
COPY --from=0 /src/out/warmer /kaniko/warmer | ||
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr | ||
COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login | ||
COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr | ||
COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login | ||
COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr | ||
COPY --from=busybox:1.32.0 /bin /busybox | ||
# Declare /busybox as a volume to get it automatically in the path to ignore | ||
VOLUME /busybox | ||
|
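Review bot: `ARG TARGETARCH` is filled in automatically only by BuildKit/buildx, and with the old `ARG GOARCH=amd64` default gone, a build with the legacy builder leaves `ENV GOARCH=$TARGETARCH` empty and runs `make GOARCH=` with an empty value. Whether the Makefile tolerates an empty GOARCH is not visible in this diff, so the two make lines would be safer as `RUN make GOARCH=${TARGETARCH:-$(go env GOARCH)}` and `RUN make GOARCH=${TARGETARCH:-$(go env GOARCH)} out/warmer`, which fall back to the toolchain's native architecture. The same pattern is in the other two Dockerfiles changed by this commit. If only buildx builds are supported, a comment next to `ARG TARGETARCH` saying so would be enough.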
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,47 +12,30 @@ | |
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# Builds the static Go image to execute in a Kubernetes job | ||
FROM golang:1.17 | ||
WORKDIR /src | ||
|
||
FROM golang:1.15 | ||
ARG GOARCH=amd64 | ||
WORKDIR /go/src/github.com/GoogleContainerTools/kaniko | ||
RUN echo $GOARCH > /goarch | ||
# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.) | ||
ARG TARGETARCH | ||
|
||
#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc. | ||
ARG TARGETPLATFORM | ||
|
||
#Capture ARCH has write to /goarch | ||
RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM | awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH" | ||
RUN echo "I am runninng $TARGETPLATFORM with $(cat /goarch)" | ||
ENV GOARCH=$TARGETARCH | ||
ENV CGO_ENABLED=0 | ||
ENV GOBIN=/usr/local/bin | ||
|
||
# Get GCR credential helper | ||
RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \ | ||
(mkdir -p /go/src/github.com/GoogleCloudPlatform || true) && \ | ||
cd /go/src/github.com/GoogleCloudPlatform && \ | ||
git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \ | ||
cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr && \ | ||
git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 && \ | ||
go get -u -t ./... && \ | ||
go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go | ||
|
||
RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8 | ||
|
||
# Get Amazon ECR credential helper | ||
RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \ | ||
make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper | ||
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/[email protected] | ||
|
||
# ACR docker env credential helper | ||
RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true) && \ | ||
cd /go/src/github.com/chrismellard && \ | ||
git clone https://github.com/chrismellard/docker-credential-acr-env && \ | ||
cd docker-credential-acr-env && \ | ||
make build | ||
# Get ACR docker env credential helper | ||
RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419 | ||
|
||
# Add .docker config dir | ||
RUN mkdir -p /kaniko/.docker | ||
|
||
COPY . . | ||
RUN make GOARCH=$(cat /goarch) out/warmer | ||
RUN make GOARCH=$TARGETARCH out/warmer | ||
|
||
# Generate latest ca-certificates | ||
|
||
|
@@ -64,10 +47,10 @@ RUN \ | |
cat /etc/ssl/certs/* > /ca-certificates.crt | ||
|
||
FROM scratch | ||
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer | ||
COPY --from=0 /src/out/warmer /kaniko/warmer | ||
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr | ||
COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login | ||
COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr | ||
COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login | ||
COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr | ||
COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/ | ||
COPY --from=0 /kaniko/.docker /kaniko/.docker | ||
COPY files/nsswitch.conf /etc/nsswitch.conf | ||
|
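Review bot: The final-stage sources `/usr/local/bin/docker-credential-*` depend on `ENV GOBIN=/usr/local/bin` being set next to `ENV GOARCH=$TARGETARCH`, and `go install` refuses to write to GOBIN when GOARCH differs from the toolchain's native architecture. That combination works only while the build stage itself runs as the target platform (emulated under buildx); it would break if the stage were later switched to `--platform=$BUILDPLATFORM` or if TARGETARCH were passed by hand on a different host. A comment above the ENV lines would document the constraint: `# GOBIN requires a native build: this stage must run as the target platform, not $BUILDPLATFORM`. The same applies to the other two Dockerfiles on this page.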