diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
index ea72519..9f3c90a 100644
--- a/.github/workflows/image-push.yml
+++ b/.github/workflows/image-push.yml
@@ -7,6 +7,9 @@ permissions:
 jobs:
 push-multiarch:
+ permissions:
+ contents: read
+ id-token: write
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
@@ -18,11 +21,18 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ - name: "Read secrets"
+ uses: rancher-eio/read-vault-secrets@main
+ with:
+ secrets: |
+ secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+
 - name: Login to Container Registry
 uses: docker/login-action@v3
 with:
- username: ${{ secrets.docker_username }}
- password: ${{ secrets.docker_password }}
+ username: ${{ env.DOCKER_USERNAME }}
+ password: ${{ env.DOCKER_PASSWORD }}
 - name: Build container image
 uses: docker/build-push-action@v5
diff --git a/Dockerfile b/Dockerfile
index ffa79e0..2e26e62 100644
--- a/Dockerfile
+++ b/Dockerfile
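Review bot: The new `id-token: write` grant in the push-multiarch job carries no comment saying what consumes it, so a later permissions tightening has nothing in this hunk to stop it from being removed. A one-line comment above it, `# id-token: write is needed for the Vault OIDC login in the "Read secrets" step`, would make the dependency explicit (the consumer is inferred from the later hunk in this file, not visible here). Note also that a job-level `permissions:` block replaces the workflow-level one rather than extending it, so any scope granted at workflow level but not listed here no longer applies to this job; the workflow-level block is outside this hunk.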
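Review bot: `uses: rancher-eio/read-vault-secrets@main` pins the step that receives the Docker Hub credentials to a mutable branch, so anyone who can push to that branch can change what happens to those values on every run of this workflow; pin it to a release tag or, better, a full commit SHA, e.g. `uses: rancher-eio/read-vault-secrets@<commit-sha>  # placeholder: pin to a reviewed commit`. The other actions in the hunk are at least pinned to major tags. Also worth confirming that the action registers the exported values with add-mask, since the login step now reads `${{ env.DOCKER_PASSWORD }}` from the job environment rather than from `secrets`, and plain environment values are not masked in logs by default.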
@@ -1,22 +1,27 @@
 ARG BCI_IMAGE=registry.suse.com/bci/bci-busybox
 ARG GO_IMAGE=rancher/hardened-build-base:v1.20.14b1
-FROM --platform=$BUILDPLATFORM ${BCI_IMAGE} as bci
-FROM --platform=$BUILDPLATFORM ${GO_IMAGE} as base
+# Image that provides cross compilation tooling.
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 as xx
+
+FROM ${BCI_IMAGE} as bci
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} as base
+COPY --from=xx / /
 RUN set -x && \
- apk --no-cache add \
- file \
- gcc \
- git \
- make
+ apk add file make git clang lld
 FROM base as builder
-ARG K3S_ROOT_VERSION=v0.13.0
+ARG TARGETPLATFORM
+RUN set -x && \
+ xx-apk add musl-dev gcc lld
 ARG TAG=1.23.0
-ARG ARCH
-ADD https://github.com/rancher/k3s-root/releases/download/${K3S_ROOT_VERSION}/k3s-root-xtables-${ARCH}.tar /opt/xtables/k3s-root-xtables.tar
+ARG K3S_ROOT_VERSION=v0.13.0
+RUN export ARCH=$(xx-info arch) &&\
+ mkdir -p /opt/xtables/ &&\
+ wget https://github.com/rancher/k3s-root/releases/download/${K3S_ROOT_VERSION}/k3s-root-xtables-${ARCH}.tar -O /opt/xtables/k3s-root-xtables.tar
 RUN tar xvf /opt/xtables/k3s-root-xtables.tar -C /opt/xtables
+
 ARG SRC=github.com/kubernetes/dns
 ARG PKG=github.com/kubernetes/dns
 RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/${PKG}
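Review bot: The `wget` that replaces the `ADD` fetches `k3s-root-xtables-${ARCH}.tar` with no integrity check, and the binaries unpacked from it are shipped in the final image via the later `COPY --from=builder /opt/xtables/bin/ /usr/sbin/`, so a swapped release asset would go straight into the image. Because `K3S_ROOT_VERSION` is pinned the expected digest is stable per architecture; add a verification after the download, e.g. `echo "<expected-sha256>  /opt/xtables/k3s-root-xtables.tar" | sha256sum -c -` with the digest chosen per target arch (placeholder value). The old `ADD` had the same gap, so this is pre-existing, but the rewrite is the natural place to close it. Minor: the rewritten `apk add` and the new `xx-apk add` drop the `--no-cache` that the old `apk --no-cache add` line had, leaving the package index in the build-stage layer.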
@@ -24,15 +29,21 @@ WORKDIR $GOPATH/src/${PKG}
 RUN git tag --list
 RUN git fetch --all --tags --prune
 RUN git checkout tags/${TAG} -b ${TAG}
-RUN GOARCH=${ARCH} GO_LDFLAGS="-linkmode=external -X ${PKG}/pkg/version.VERSION=${TAG}" \
+RUN xx-go --wrap &&\
+ GO_LDFLAGS="-linkmode=external -X ${PKG}/pkg/version.VERSION=${TAG}" \
 go-build-static.sh -gcflags=-trimpath=${GOPATH}/src -o . ./...
 RUN go-assert-static.sh node-cache
-RUN if [ "${ARCH}" = "amd64" ]; then \
+RUN if [ `xx-info arch` = "amd64" ]; then \
 go-assert-boring.sh node-cache; \
 fi
-RUN install -s node-cache /usr/local/bin
+RUN install node-cache /usr/local/bin
-FROM bci
+#strip needs to run on TARGETPLATFORM, not BUILDPLATFORM
+FROM ${GO_IMAGE} as strip_binary
 COPY --from=builder /usr/local/bin/node-cache /node-cache
+RUN strip /node-cache
+
+FROM bci
+COPY --from=strip_binary /node-cache /node-cache
 COPY --from=builder /opt/xtables/bin/ /usr/sbin/
 ENTRYPOINT ["/node-cache"]
diff --git a/Makefile b/Makefile
index 2aab356..a62a4a6 100644
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,6 @@ image-build:
 --load \
 --build-arg PKG=$(PKG) \
 --build-arg SRC=$(SRC) \
- --build-arg ARCH=$(ARCH) \
 --build-arg TAG=$(TAG:$(BUILD_META)=) \
 --tag $(ORG)/hardened-dns-node-cache:$(TAG) \
 --tag $(ORG)/hardened-dns-node-cache:$(TAG)-$(ARCH) \
@@ -50,5 +49,4 @@ log:
 @echo "PKG=$(PKG)"
 @echo "SRC=$(SRC)"
 @echo "BUILD_META=$(BUILD_META)"
- @echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
 @echo "UNAME_M=$(UNAME_M)"
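Review bot: The amd64 test in the new `RUN if [ ... = "amd64" ]` line uses backtick command substitution and leaves the result unquoted, while the earlier hunk in this file writes `export ARCH=$(xx-info arch)`; `if [ "$(xx-info arch)" = "amd64" ]; then \` keeps the style consistent and stays a valid test if the command prints nothing. The stage comment `#strip needs to run on TARGETPLATFORM, not BUILDPLATFORM` should get a space after `#` and could say why: `FROM ${GO_IMAGE} as strip_binary` without `--platform` means this stage runs for the target architecture (presumably under emulation when it differs from the build host), which is why `-s` was dropped from `install` in the builder stage. The `go-assert-boring.sh` check still runs only for amd64 targets, as it did before.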