fix build issue

.github/workflows/image-push.yml

@@ -7,6 +7,9 @@ permissions:
 
 jobs:
   push-multiarch:
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
@@ -18,11 +21,18 @@ jobs:
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+
     - name: Login to Container Registry
       uses: docker/login-action@v3
       with:
-        username: ${{ secrets.docker_username }}
-        password: ${{ secrets.docker_password }}
+        username: ${{ env.DOCKER_USERNAME }}
+        password: ${{ env.DOCKER_PASSWORD }}
 
     - name: Build container image
       uses: docker/build-push-action@v5

Dockerfile

@@ -1,38 +1,49 @@
 ARG BCI_IMAGE=registry.suse.com/bci/bci-busybox
 ARG GO_IMAGE=rancher/hardened-build-base:v1.20.14b1
 
-FROM --platform=$BUILDPLATFORM ${BCI_IMAGE} as bci
-FROM --platform=$BUILDPLATFORM ${GO_IMAGE} as base
+# Image that provides cross compilation tooling.
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 as xx
+
+FROM ${BCI_IMAGE} as bci
 
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} as base
+COPY --from=xx / /
 RUN set -x && \
-    apk --no-cache add \
-    file \
-    gcc \
-    git \
-    make
+    apk add file make git clang lld
 
 FROM base as builder
-ARG K3S_ROOT_VERSION=v0.13.0
+ARG TARGETPLATFORM
+RUN set -x && \
+    xx-apk add musl-dev gcc  lld 
 ARG TAG=1.23.0
-ARG ARCH
-ADD https://github.com/rancher/k3s-root/releases/download/${K3S_ROOT_VERSION}/k3s-root-xtables-${ARCH}.tar /opt/xtables/k3s-root-xtables.tar
+ARG K3S_ROOT_VERSION=v0.13.0
+RUN export ARCH=$(xx-info arch) &&\
+    mkdir -p /opt/xtables/ &&\
+    wget https://github.com/rancher/k3s-root/releases/download/${K3S_ROOT_VERSION}/k3s-root-xtables-${ARCH}.tar -O /opt/xtables/k3s-root-xtables.tar
 RUN tar xvf /opt/xtables/k3s-root-xtables.tar -C /opt/xtables
+
 ARG SRC=github.com/kubernetes/dns
 ARG PKG=github.com/kubernetes/dns
 RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/${PKG}
 WORKDIR $GOPATH/src/${PKG}
 RUN git tag --list
 RUN git fetch --all --tags --prune
 RUN git checkout tags/${TAG} -b ${TAG}
-RUN GOARCH=${ARCH} GO_LDFLAGS="-linkmode=external -X ${PKG}/pkg/version.VERSION=${TAG}" \
+RUN xx-go --wrap &&\
+    GO_LDFLAGS="-linkmode=external -X ${PKG}/pkg/version.VERSION=${TAG}" \
     go-build-static.sh -gcflags=-trimpath=${GOPATH}/src -o . ./...
 RUN go-assert-static.sh node-cache
-RUN if [ "${ARCH}" = "amd64" ]; then \
+RUN if [ `xx-info arch` = "amd64" ]; then \
         go-assert-boring.sh node-cache; \
     fi
-RUN install -s node-cache /usr/local/bin
+RUN install  node-cache /usr/local/bin
 
-FROM bci
+#strip needs to run on TARGETPLATFORM, not BUILDPLATFORM
+FROM ${GO_IMAGE} as strip_binary
 COPY --from=builder /usr/local/bin/node-cache /node-cache
+RUN strip /node-cache
+
+FROM bci
+COPY --from=strip_binary /node-cache /node-cache
 COPY --from=builder /opt/xtables/bin/ /usr/sbin/
 ENTRYPOINT ["/node-cache"]

Makefile

@@ -28,7 +28,6 @@ image-build:
 		--load \
 		--build-arg PKG=$(PKG) \
 		--build-arg SRC=$(SRC) \
-		--build-arg ARCH=$(ARCH) \
 		--build-arg TAG=$(TAG:$(BUILD_META)=) \
 		--tag $(ORG)/hardened-dns-node-cache:$(TAG) \
 		--tag $(ORG)/hardened-dns-node-cache:$(TAG)-$(ARCH) \
@@ -50,5 +49,4 @@ log:
 	@echo "PKG=$(PKG)"
 	@echo "SRC=$(SRC)"
 	@echo "BUILD_META=$(BUILD_META)"
-	@echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
 	@echo "UNAME_M=$(UNAME_M)"