# Copyright 2018 Google, Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
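# Build stage: compiles the static kaniko executor (to execute in a Kubernetes
# job) together with the GCR and ECR registry credential helpers. The final
# stage copies the resulting binaries out of this stage by index (--from=0).
FROM golang:1.10
WORKDIR /go/src/github.com/GoogleContainerTools/kaniko

# Get GCR credential helper
# docker-credential-gcr is special in that we have to work with `master`.
# Pulling down a version tarball causes issues with `make deps`, so we'll
# hope `master` is stable [ed: hope is not a plan -lisa]
# Second, the `build` Makefile target for docker-credential-gcr will
# dynamically link the binary (??), which this Dockerfile later wants to use
# statically. So, we force Go to statically compile it for the `FROM scratch`
# image to source.
# Note: In the upstream Dockerfile, the amd64 tarball contains a statically
# compiled binary (WHERE DID IT COME FROM? THE MAKEFILE DOESN'T MAKE IT!?!)
#
# Supply-chain note: this helper handles registry credentials in the final
# image, so the revision it is built from should be a reviewed one. The ref is
# a build argument that defaults to `master` (the behaviour described above);
# pass a full commit SHA to get a reproducible, auditable build:
#   docker build --build-arg DOCKER_CREDENTIAL_GCR_REF=<PINNED_COMMIT_SHA> ...
ARG DOCKER_CREDENTIAL_GCR_REF=master
# `mkdir -p` already succeeds when the directory exists, so no `|| true` is
# needed; a real mkdir failure now stops the build at this step.
RUN \
  mkdir -p /go/src/github.com/GoogleCloudPlatform && \
  cd /go/src/github.com/GoogleCloudPlatform && \
  git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \
  cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr && \
  git checkout "${DOCKER_CREDENTIAL_GCR_REF}" -- && \
  make deps OUT_DIR=/usr/local/bin && \
  go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go

# Presumably writes /root/.docker/config.json, which the final stage copies
# into the image; confirm against the helper's documentation.
RUN docker-credential-gcr configure-docker

# Get Amazon ECR credential helper
# NOTE(review): `go get -u` takes whatever the default branch holds at build
# time, so this helper is unpinned as well. Go 1.10 has no module support, so
# pinning it would need an explicit checkout under $GOPATH before the `make`.
RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login
# Build whatever arch we are, however, it's possible that this results in a
# non-portable build, with the `docker-credential-ecr-login` binary ending up
# in a non-"local" (see below) directory on other architectures.
RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper

# The whole build context is copied into this stage. Keep credentials and other
# local-only files out of the context (.dockerignore): they would not reach the
# final image, but they would sit in this stage's layers and the build cache.
COPY . .
# Produces out/executor, which the final stage copies.
RUN make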
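# Final image: starts from `scratch`, so it contains only the files copied in
# below. There is no shell and no package manager; every binary placed here
# has to be statically linked.
FROM scratch
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
# `local`, here, relates to building the Amazon ECR credential helper. If it
# were built `make amd64`, for example, `local` would be `linux-amd64`
COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
# CA bundle taken from the build context. SSL_CERT_DIR below points at this
# directory, so this file is the trust store the image ships with; refresh it
# when the upstream bundle changes.
COPY files/ca-certificates.crt /kaniko/ssl/certs/
# Docker client config generated in the build stage. Presumably it only maps
# registries to credential helpers and holds no secrets; verify before
# publishing the image.
COPY --from=0 /root/.docker/config.json /kaniko/.docker/config.json
# key=value form replaces the legacy space-separated `ENV key value` syntax;
# the values are unchanged. No USER instruction is set, so the executor runs
# as root by default.
# NOTE(review): USER is set to the path `/root`, not a user name; kept as in
# the original, confirm this is intended.
ENV HOME=/root \
    USER=/root \
    PATH=/usr/local/bin:/kaniko \
    SSL_CERT_DIR=/kaniko/ssl/certs \
    DOCKER_CONFIG=/kaniko/.docker/ \
    DOCKER_CREDENTIAL_GCR_CONFIG=/kaniko/.config/gcloud/docker_credential_gcr_config.json
WORKDIR /workspace
# Exec form with an absolute path: a scratch image has no shell to run a
# shell-form RUN. `--token-source=env` presumably makes the helper take its
# credentials from the environment at run time; confirm against the
# docker-credential-gcr documentation.
RUN ["/kaniko/docker-credential-gcr", "config", "--token-source=env"]
ENTRYPOINT ["/kaniko/executor"]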
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
index 07847bd..7e8e0c5 100644
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -17,12 +17,32 @@
FROM golang:1.10
WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
# Get GCR credential helper
-ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.5.0/docker-credential-gcr_linux_amd64-1.5.0.tar.gz /usr/local/bin/
-RUN tar -C /usr/local/bin/ -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.5.0.tar.gz
+
+# docker-credential-gcr is special in that we have to work with `master`.
+# Pulling down a version tarball causes issues with `make deps`, so we'll
+# hope `master` is stable [ed: hope is not a plan -lisa]
+# Second, the `build` Makefile target for docker-credential-gcr will
+# dynamically link the binary (??), which this Dockerfile later wants to use
+# statically. So, we force Go to statically compile it for the `FROM scratch`
+# image to source.
+# Note: In the upstream Dockerfile, the amd64 tarball contains a statically
+# compiled binary (WHERE DID IT COME FROM? THE MAKEFILE DOESN'T MAKE IT!?!)
+RUN \
+ (mkdir -p /go/src/github.com/GoogleCloudPlatform || true) && \
+ cd /go/src/github.com/GoogleCloudPlatform && \
+ git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \
+ cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr && \
+ make deps OUT_DIR=/usr/local/bin && \
+ go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go
+
RUN docker-credential-gcr configure-docker
+
# Get Amazon ECR credential helper
RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login
-RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper linux-amd64
+# Build whatever arch we are, however, it's possible that this results in a
+# non-portable build, with the `docker-credential-ecr-login` binary ending up
+# in a non-"local" (see below) directory on other architectures.
+RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper
COPY . .
RUN make
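Review bot: The `git clone` in the added `RUN` builds docker-credential-gcr from whatever `master` holds at build time, so the credential helper that ends up in the final image is neither reproducible nor tied to a reviewed revision; the removed lines at least named release v1.5.0. Consider checking out a fixed commit right after the clone, e.g. `git checkout <PINNED_COMMIT_SHA>` (placeholder), and recording that revision in the comment block above the `RUN`. The `(mkdir -p … || true)` wrapper also hides a real mkdir failure; `mkdir -p` already succeeds when the directory exists, so the `|| true` can be dropped. The unchanged `go get -u` line for the ECR helper has the same unpinned-source property and deserves a comment saying so.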
@@ -30,7 +50,9 @@ RUN make
FROM scratch
COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
-COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
+# `local`, here, relates to building the Amazon ECR credential helper. If it
+# were built `make amd64`, for example, `local` would be `linux-amd64`
+COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY files/ca-certificates.crt /kaniko/ssl/certs/
COPY --from=0 /root/.docker/config.json /kaniko/.docker/config.json
ENV HOME /root
@@ -40,5 +62,6 @@ ENV SSL_CERT_DIR=/kaniko/ssl/certs
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
WORKDIR /workspace
-RUN ["docker-credential-gcr", "config", "--token-source=env"]
+RUN ["/kaniko/docker-credential-gcr", "config", "--token-source=env"]
ENTRYPOINT ["/kaniko/executor"]
+