alauda · kycheng · Apr 11, 2024 · Apr 8, 2024 · Apr 8, 2024 · Apr 8, 2024
diff --git a/.build/build.yaml b/.build/build.yaml
@@ -0,0 +1,168 @@
+apiVersion: builds.katanomi.dev/v1alpha1
+kind: Build
+spec:
+  workspaces:
+    - description: |
+        This workspace is shared among all the pipeline tasks to read/write common resources
+      name: source
+  tasks:
+    - name: buildkit-oss-version
+      workspaces:
+        - name: source
+          workspace: source
+      taskSpec:
+        description: |
+          generate oss version
+        results:
+          - description: oss version
+            name: oss-version
+        steps:
+          - image: build-harbor.alauda.cn/devops/builder-tools:alpine-v3.8.0
+            name: read-oss-file
+            imagePullPolicy: IfNotPresent
+            workingDir: $(workspaces.source.path)
+            resources:
+              requests:
+                cpu: 100m
+                memory: 100Mi
+            script: |
+              echo "generate oss version"
+              echo -n "$(cat ./buildkit_version| xargs echo -e)"
+              echo -n "$(cat ./buildkit_version| xargs echo -e)" > $(results.oss-version.path)
+        workspaces:
+          - name: source
+            workspace: source
+    - name: build-buildkit-image
+      runAfter:
+        - buildkit-oss-version
+      timeout: 30m
+      retries: 0
+      taskRef:
+        kind: ClusterTask
+        name: alauda-build-image
+      workspaces:
+        - name: source
+          workspace: source
+      params:
+        - name: container-image
+          value: build-harbor.alauda.cn/devops/buildkit
+        - name: container-image-tag
+          value: $(tasks.buildkit-oss-version.results.oss-version)-alpine-$(build.git.lastCommit.shortID)
+        - name: dockerfile
+          value: Dockerfile
+        - name: labels
+          value:
+            - branch=$(build.git.branch)
+            - commit=$(build.git.lastCommit.id)
+        - name: build-extra-args
+          value: --build-arg app_version=$(build.git.version.docker) --build-arg
+            commit_id=$(build.git.lastCommit.id) --build-arg GIT_REVISION=$(build.git.lastCommit.id) --build-arg GIT_VERSION=$(build.git.version.docker)
+        - name: platform
+          value:
+            - linux/amd64
+            - linux/arm64
+        - name: tools-image
+          value: registry.alauda.cn:60080/devops/builder-tools:v3.8-0-g377a3f9
+        - name: verbose
+          value: "false"
+    - name: image-scan
+      runAfter:
+        - build-buildkit-image
+      timeout: 30m
+      retries: 0
+      taskRef:
+        kind: ClusterTask
+        name: trivy-image-scan
+      workspaces:
+        - name: source
+          workspace: source
+      when: []
+      params:
+        - name: targets
+          value:
+            - $(tasks.build-buildkit-image.results.ociContainerImageBuild-url)
+        - name: quality-gate
+          value: "false"
+    - name: test-image
+      runAfter:
+        - build-buildkit-image
+      timeout: "1h"
+      workspaces:
+        - name: source
+          workspace: source
+      params:
+        - name: tools-image
+          value: build-harbor.alauda.cn/devops/buildkit:$(tasks.buildkit-oss-version.results.oss-version)-alpine-$(build.git.lastCommit.shortID)
+      taskSpec:
+        params:
+          - name: tools-image
+            description: test image reference
+        volumes:
+          - name: dind-certs
+            emptyDir: {}
+        sidecars:
+          - image: docker-mirrors.alauda.cn/library/docker:20.10-dind
+            name: docker-daemon
+            args:
+              - --storage-driver=overlay2
+              - --userland-proxy=false
+              - --debug
+              - --registry-mirror=https://docker-mirrors.alauda.cn
+            securityContext:
+              privileged: true
+            env:
+              - name: DOCKER_TLS_CERTDIR  # 将生成的证书写入与客户端共享的路径
+                value: /certs
+            resources:
+              requests:
+                cpu: 1000m
+                memory: 2000Mi
+              limits:
+                cpu: 4000m
+                memory: 8000Mi
+            volumeMounts:
+              - mountPath: /certs/client
+                name: dind-certs
+              - mountPath: /workspace/source
+                name: $(workspaces.source.volume)
+            readinessProbe: # 等待 dind daemon 生成它与客户端共享的证书
+              periodSeconds: 1
+              exec:
+                command: [ 'ls', '/certs/client/ca.pem' ]
+        steps:
+          - name: test-run
+            image: registry.alauda.cn:60080/devops/builder-tools:ubuntu-v3.8.1
+            imagePullPolicy: IfNotPresent
+            workingDir: $(workspaces.source.path)
+            timeout: 2.5h
+            resources:
+              requests:
+                cpu: 1000m
+                memory: 2000Mi
+              limits:
+                cpu: 2000m
+                memory: 4000Mi
+            env:
+              - name: DOCKER_HOST
+                value: tcp://localhost:2376
+              - name: DOCKER_TLS_VERIFY
+                value: "1"
+              - name: DOCKER_CERT_PATH
+                value: /certs/client
+            volumeMounts:
+              - mountPath: /certs/client
+                name: dind-certs
+            script: |
+              #!/bin/bash
+              set -e
+              /katanomi/bin/ktn-settings copy docker --always-match=true ~/.docker/config.json
+              cd e2e
+              source ./tools.sh
+              perpare
+              docker run --rm --net=host -v $(pwd):/workspace -v ~/.docker/:/root/.docker/ --privileged --entrypoint /workspace/test.sh $(params.tools-image)
+        workspaces:
+          - name: source
+            workspace: source
+  runTemplate:
+    spec:
+      taskRunSpecs: []
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,7 @@
+# buildkit 变更记录
+
+官方地址：[buildkit](https://github.com/moby/buildkit/tree/v0.13.1)
+
+- 自动识别 http/https 仓库，默认使用insecure client请求。
+  - [DEVOPS-19463](https://jira.alauda.cn/browse/DEVOPS-19463) pull http仓库失败问题
+  - [DEVOPS-19601](https://jira.alauda.cn/browse/DEVOPS-19601) 连接自签名https仓库拉取失败问题
diff --git a/Dockerfile b/Dockerfile
@@ -19,6 +19,7 @@ ARG DELVE_VERSION=v1.21.0
 
 ARG GO_VERSION=1.21
 ARG ALPINE_VERSION=3.19
+ARG ALPINE_IMAGE=build-harbor.alauda.cn/ops/alpine
 ARG XX_VERSION=1.4.0
 ARG BUILDKIT_DEBUG
 
@@ -28,12 +29,12 @@ FROM minio/mc:${MINIO_MC_VERSION} AS minio-mc
 
 # alpine base for buildkit image
 # TODO: remove this when alpine image supports riscv64
-FROM alpine:${ALPINE_VERSION} AS alpine-amd64
-FROM alpine:${ALPINE_VERSION} AS alpine-arm
-FROM alpine:${ALPINE_VERSION} AS alpine-arm64
-FROM alpine:${ALPINE_VERSION} AS alpine-s390x
-FROM alpine:${ALPINE_VERSION} AS alpine-ppc64le
-FROM alpine:edge@sha256:2d01a16bab53a8405876cec4c27235d47455a7b72b75334c614f2fb0968b3f90 AS alpine-riscv64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-amd64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-arm
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-arm64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-s390x
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-ppc64le
+FROM ${ALPINE_IMAGE}:edge@sha256:2d01a16bab53a8405876cec4c27235d47455a7b72b75334c614f2fb0968b3f90 AS alpine-riscv64
 FROM alpine-$TARGETARCH AS alpinebase
 
 # xx is a helper for cross-compilation
@@ -43,7 +44,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golatest
 
 # git stage is used for checking out remote repository sources
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS git
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS git
 RUN apk add --no-cache git
 
 # gobuild is base stage for compiling go/cgo
@@ -164,7 +165,7 @@ RUN --mount=from=dnsname-src,src=/usr/src/dnsname,target=.,rw \
     CGO_ENABLED=0 xx-go build -o /usr/bin/dnsname ./plugins/meta/dnsname && \
     xx-verify --static /usr/bin/dnsname
 
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS cni-plugins
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS cni-plugins
 RUN apk add --no-cache curl
 COPY --from=xx / /
 ARG CNI_VERSION
@@ -208,7 +209,7 @@ FROM binaries-$TARGETOS AS binaries
 # enable scanning for this stage
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS releaser
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS releaser
 RUN apk add --no-cache tar gzip
 WORKDIR /work
 ARG TARGETPLATFORM
@@ -220,7 +221,7 @@ FROM scratch AS release
 COPY --link --from=releaser /out/ /
 
 FROM alpinebase AS buildkit-export
-RUN apk add --no-cache fuse3 git openssh pigz xz iptables ip6tables \
+RUN apk add --no-cache fuse3 git openssh pigz xz iptables ip6tables bash skopeo \
   && ln -s fusermount3 /usr/bin/fusermount
 COPY --link examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
 VOLUME /var/lib/buildkit

diff --git a/buildkit_version b/buildkit_version
@@ -0,0 +1 @@
+v0.13.1
diff --git a/catalog.yaml b/catalog.yaml
@@ -0,0 +1,26 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: buildkit
+  title: buildkit
+  description: Buildkit 是一个高效的构建镜像的工具，该镜像基于官方版本做了若干参数的调整定制。
+  annotations:
+    # gitlab plugin
+    gitlab.com/project-slug: devops/builder-buildkit
+    gitlab.com/instance: gitlab-ce.alauda.cn
+    # acp cicd plugin
+    acp.cpaas.io/ci-pipeline: devops/business-build/tools/builder-buildkit
+    acp.cpaas.io/instance: edge.alauda.cn
+    # harbor plugin
+    goharbor.io/repository-slug: devops/buildkit
+    # sonarqube plugin
+    sonarqube.org/project-key: ""
+    # backstage techdocs plugin
+    backstage.io/techdocs-ref: dir:./buildkit-v0.10.4
+    acp.cpaas.io/owner: [email protected]
+
+spec:
+  type: tools
+  system: system:katanomi-system
+  lifecycle: production
+  owner: devops
diff --git a/e2e/Dockerfile b/e2e/Dockerfile
@@ -0,0 +1,7 @@
+ARG FROM_IMAGE=registry.alauda.cn:60080
+
+FROM ${FROM_IMAGE}/ops/alpine:3
+COPY Dockerfile .
+
+
+
diff --git a/e2e/certs/domain.crt b/e2e/certs/domain.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE7DCCAtQCCQCRFDmZ5nbJSTANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJj
+cTELMAkGA1UECAwCY3ExCzAJBgNVBAcMAmNxMQ8wDQYDVQQKDAZhbGF1ZGEwHhcN
+MjQwNDA4MDcxNDI1WhcNMjUwNDA4MDcxNDI1WjA4MQswCQYDVQQGEwJjcTELMAkG
+A1UECAwCY3ExCzAJBgNVBAcMAmNxMQ8wDQYDVQQKDAZhbGF1ZGEwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQC98eorsKlIURK8CD/kRrq1XZfvMdeY9V/5
+oki8gUUJMvIZe3vTG7qFgr1He+tGxl0PK7M1/QrVVTGxovO+98kd5U7TE5w74OAo
+2jNBhRZ/cPUEQjKy4wbM0EyTAqtAuDkr2MKXToZQ3P2kSEo8p3lhsArlYXkRrWS3
+d3hQKpcej9NLK9FQerAdyRMzjVdl6VhZ5erjU+xBO/VI5PEyrFVF3RoRGmRwy8Bn
+WgUEPSl5IMCg6yZhg0YSoioi0OSXAIaj77CAm1UD7Yn18r4vl/eI2mi5dYYuNzqt
+Wo9p3NubwD/ZcG3MtewviUNJdTsjl/SwQJTGUjUizYyN7XosyhlCgFFUukFCsVGr
+Vc0M7TU4Ov+jAyKILRNscwJC+38aCS4OivVj4zLsDFiFREUJei4IuxWKZhupM2a9
+BenSuk6RITOE5siml5mAt9NSPADBLHAzDu/vrTudzmvUTDVA524xTjMzfTPC9PdD
+/WSbhl9MOIGCW7S4RMdU63xUHcS2aUviRttjSrIHQB0/pQURKOI9ZfYGhHWiFtjE
+ErwpCm/VTsEHRuJ5pULS4bnoUF2dfl3hg21tPhtKrLqtbKSR3SS2e1gFAkb6Wl4z
+SRBPT/wyFmXGrlhQhl9t9bU634MorkPgE6eFvAz+TPVY+BC0Khs+7k4aahSuN+5z
+ZXHzWbOToQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQA3b6BSiaSMpz+iNEYstg3E
+rDgrYmFZ/Td+58A89B/e9WUv9albnKZyf3RtYF0O/HuJ3gIfq7DBvV4aLMwsNfP7
+m5loF2ZWYEAc5/EZ+ZS/jm+Y0xPdCUWj90AoH9aZhSlpxrY+1mwokzUd7pR4qulC
+UfYcQ1Q+Rhst0VaMdwM0uq2BCxShcE5scYCfjbFMKAFoFlaGOiyKUYKIxe42ND/G
+UD3Kh48Um/feKsx0y7MfN/dvl9Qvr0rUPjM5ZPKmy3CQvjAxUAmUvYO+HgYGYRo7
+PqSr7DAfdIbN5PZfkyQFhUvy5PONqQs28g/Ad1qinduMnOYK6nQhsqk4SSEf2bbK
+R3AQ5WH+EOl3Irbai71oC/WZ0x4EgqHZN9SL/RGpy4aFOKqpBzhChqro6xxOoAu8
+Rh9ezL8hAR0/lhhSfu/XfSjVuN08hzZTDfbuvCCt55v8l/O2cfRrMccgC2mzrLnH
+WkD8fwvkX7lKCRVk8zGNlNrAKuwK+8+bO3B97AxjBA7Nv+mm6HYKk3mf6fpQMFAk
+IlpR/GbUB6bHMOynhC3xZ3nevJVhyPzHxY7ENR7M0P9c+UDy7MJdIFtVAgRqFXdn
+O4g8MYFaz0luiOWpITI6jlNEXvV92sdUX/Zzc3Q1ljqARPoRwFykXI71gPrhOli0
+rd8FH4ceNfAsbJO6IBPkaQ==
+-----END CERTIFICATE-----
diff --git a/e2e/certs/domain.key b/e2e/certs/domain.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC98eorsKlIURK8
+CD/kRrq1XZfvMdeY9V/5oki8gUUJMvIZe3vTG7qFgr1He+tGxl0PK7M1/QrVVTGx
+ovO+98kd5U7TE5w74OAo2jNBhRZ/cPUEQjKy4wbM0EyTAqtAuDkr2MKXToZQ3P2k
+SEo8p3lhsArlYXkRrWS3d3hQKpcej9NLK9FQerAdyRMzjVdl6VhZ5erjU+xBO/VI
+5PEyrFVF3RoRGmRwy8BnWgUEPSl5IMCg6yZhg0YSoioi0OSXAIaj77CAm1UD7Yn1
+8r4vl/eI2mi5dYYuNzqtWo9p3NubwD/ZcG3MtewviUNJdTsjl/SwQJTGUjUizYyN
+7XosyhlCgFFUukFCsVGrVc0M7TU4Ov+jAyKILRNscwJC+38aCS4OivVj4zLsDFiF
+REUJei4IuxWKZhupM2a9BenSuk6RITOE5siml5mAt9NSPADBLHAzDu/vrTudzmvU
+TDVA524xTjMzfTPC9PdD/WSbhl9MOIGCW7S4RMdU63xUHcS2aUviRttjSrIHQB0/
+pQURKOI9ZfYGhHWiFtjEErwpCm/VTsEHRuJ5pULS4bnoUF2dfl3hg21tPhtKrLqt
+bKSR3SS2e1gFAkb6Wl4zSRBPT/wyFmXGrlhQhl9t9bU634MorkPgE6eFvAz+TPVY
++BC0Khs+7k4aahSuN+5zZXHzWbOToQIDAQABAoICAGvOu5dynJJEGbsJf6IEFwLL
+jWmgw3q4gnHAj0IWqOVQuiKGeMBYc6RFkULaba5s9fKfXgcdiSGOSjdFgsz3/Hlw
+Zi3daoZ92xy0w/TDIgLRTO/O1tG7k2d6LoweLq78IM7nJ4MTeZ6532h381K7x2QP
+tA9/JGVJIeoT8ACoO7+H6Gg5BYOFLyKotrJC3cElERVtLsU6I9TewBhQgSm+sGOH
+27yrWyi+LIU8ja5bPIfYdByhetZL2ODIk9vQ7n1aOhEgAPDtuPISx4QF87Y1rbRK
+KrhgoPjoNfCgfteaGDcthc/XRSq0csqEQOGXnSpVm/bRoN9zV19ahRUlHXwAdRbT
+qtoJPcxGvqVb8XKBJTXwWPFKf6QynHlppN/ch5tuEHg+8ByclimpYddRPKP/D3MZ
+jLxOifh/8sIedtC16uQvowgxZHLujnMjKt4zTPQ350Fy5SCWTClrJpnwZARiVhNH
+omZbkruvyX9+Jq0p9Hhm/oCl5qymXrpbdZmAbOUzmppnkF7ZbGISTsWsr69SxmqR
+QejzEYgrmtLl85qBEanhJFfROt2+QrDew6WvZTgeZj1YBlkguXHAyckfu/F24DTK
+L3OB/bdDh4Ju7ZlxfVrocBFDXAIGHSuwURXJ8VHFsgEL+GY7rlilWfBB//Ctsz2t
+HkGDuF9szTPOVwOWwzYFAoIBAQDsbMWO/sixzqixtWM2HFCPU6ukxBJCOtzwEfii
+yn1ixm6YTvufvUzhJrf7imjy052h0BvtRSpdzcVpwd5vGr9dxLqIH1vPQSBBWkOd
+1JIUfayB1oYJwCImGWoN53OIgUx8dPq1afX7244AHgVwhWYVPo71MXzMTkrUDxyg
+eCU9Wm5QpmHOpuKUk6nf987thqR/KCYr/uhLkasvOZ1nGV8Gp5smeNEGpOGAheVj
+A/qrndlVxme8yqe4aFnc05la19VzCWoJV9hStaBOVkCohfm4kr8VdB0r2xdfDO02
+N7cnRhzIbsCeEZgbPN4dikS/aYkg5yHj4w4TY/FgsgtgiEojAoIBAQDNq/YiUhwJ
+m8yv0HSybRol8y/CSw/DE1XGdy32Eojb3fMahD8r6Oz52h+vXx5k0l5RfmBgD00t
+5vhw8xjhu/pE0y71S87VMRoNiCsFFQrMIsZZTJ7O4jsA1bGc1Q+mzPn6OEy2MI7i
+bgxrXQp84aAUcdQTkLJ2/1XLlZFbp+I4hLhH6/7rO2J0Um//JIHJWQqlrkrLOrJo
+jvOb5Xte3yh8WRcwQgYZxbUw6d9aNS8X8SqRNqrUpgWKl6UyHRge2ovMtjaXY9yH
+8FQ5Sxd9iU8Skt5Hrb7ScjYwtjt8Krhfk/hlzEwLJ680F0r11Sgqw+lD+jg4RgRJ
+GGqNmtv+KP1rAoIBAQDdoWnhjr6c0FobnSqQAyMR+SGip5tmMsAC3RXzpVa9Tb9H
+UGNZb5+uQRmf2DRhzjarBefoGTqKDOfPKEpYZP6X7F/gU2VBeI/AM9nHDwqR4u3g
+GTY11cMtbA2bUylfAbatxQtxHQ/XNg571ajLvoHf0HE7MVUIQSysdi4jz/048pkP
+SanOi2tEVNieeDOnPtzdxslh3OfuT3PmJWCE0affGSe8fO2WCOLMFLjghU5rquGe
+IwwEUwW/PTNga4wLOOGDoYOhlpPXlSPdy8V5NX7Po+E1P1BJWG0kUX3doYU0b+lz
+iz9N7rhkcD7X+lJQDaLbEVEXzDXZv4r7VmyL5bd5AoIBAQDDeCGPcNYw05/voICo
+a0SkuMG1OL2cOy4UV4SZD/h+biz0EKgxRUikFYhzlkU+sSju7tsNsL07WP7Z6lDF
+iXBMJSHGA+xpdic6oSWxyNPgO1Sj3kw4d454NqB9W4lqj/kstIFDzlaeINUw3NZw
+5cbMZ3qVtbnHmtihil8B60b3TDwQLtyyGFh0ET1cEgg/op6Z5FI1YG3bLbGdgraD
+7jd+JvYA6V7+84ZHHJ8oDs/ZQ12fcYNeYwN1OrbIMBqSiEbBopOzwjcAA4sogJOs
+vekmz+rt2NU5EU8rcKaMVdWxEOLNbSMAnxDGwzR8+78XFecGsjLoWLMN/WSXfIyE
+u9RNAoIBAQCZPR+Y6ITQHi0CKYc2D1mdzWvILM33YSCthfatFXnnpfkCYIgZud+S
+xk5DfpMyRpcSN9nh/b60XtkOR5o5goPXQTQAF5h25ZPdOajEtCUkGdagiIVqQBT3
+Y9rfStKq2H1z9KYFNlauZ8gl2WkMshk92nBeeySGd+zyxv0r9midKnJWb3hKtJBE
+1pG51Ycrjqu6w3vjdCjBGA2khyqYghCK6z9hE08cdyWMQ7siVqKWXaQsjDsCARsW
+eMaZGnSbd1Bl+5/cr7EYiObVgz7xhEs2QV5f3irCSPngZC5E7b/skNPeWy7qd/Dx
+YvaECL/KMlkXknQFjzoCsoFJQlPpyKkt
+-----END PRIVATE KEY-----