# Copyright (c) Edgeless Systems GmbH
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# This file incorporates work covered by the following copyright and
# permission notice:
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################
## BUILD ARGS ##
################################################################################
# Base images for all stages. They are declared before the first FROM so that
# each one can be overridden with --build-arg.
#
# NOTE(review): every default below is pinned by tag only. A tag can be moved
# in the registry, so for a reproducible, auditable build append the image
# digest as well, e.g. IMAGE:TAG@sha256:<digest-placeholder>.
#
# This build arg allows the specification of a custom Golang image.
# It is the base of the "builder" stage, where all binaries are compiled.
ARG GOLANG_IMAGE=golang:1.21.5-bullseye
# The distroless image on which the CPI manager image is built.
# The same base is used by the other distroless target stages in this file.
#
# Please do not use "latest". Explicit tags should be used to provide
# deterministic builds. Follow what kubernetes uses to build
# kube-controller-manager, for example for 1.27.x:
# https://github.com/kubernetes/kubernetes/blob/release-1.27/build/common.sh#L99
ARG DISTROLESS_IMAGE=registry.k8s.io/build-image/go-runner:v2.3.1-go1.21.5-bookworm.0
# We use Alpine as the source for default CA certificates and some output
# images
ARG ALPINE_IMAGE=alpine:3.17.5
# cinder-csi-plugin uses Debian as a base image
# NOTE(review): the builder installs libcryptsetup from GOLANG_IMAGE's distro
# and the cinder utils stage installs it from this image; both default to
# bullseye. Presumably they must stay on the same Debian release so that the
# library the binary was built against matches the one shipped - confirm
# before overriding only one of them.
ARG DEBIAN_IMAGE=registry.k8s.io/build-image/debian-base:bullseye-v1.4.3
################################################################################
## BUILD STAGE ##
################################################################################
# Shared CA bundle. Every target image copies /etc/ssl/certs from this stage,
# whichever base it is built on. The bundle is arbitrarily taken from the
# amd64 Alpine image.
# The ca-certificates package is not version-pinned, so the trust store that
# ends up in the images is whatever the Alpine repository serves at build time.
FROM --platform=linux/amd64 ${ALPINE_IMAGE} AS certs

RUN apk add --no-cache ca-certificates
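# Build all command targets. We build all command targets in a single build
# stage for efficiency. Target images copy their binary from this image.
# We use go's native cross compilation for multi-arch in this stage, so the
# builder itself is always amd64
FROM --platform=linux/amd64 ${GOLANG_IMAGE} AS builder

# Build toolchain and the libcryptsetup headers/library needed by the build.
# Only the named packages are installed (no Recommends), and the apt package
# lists are removed in the same layer so they do not linger in the stage.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        git \
        libcryptsetup-dev \
        libcryptsetup12 \
        pkg-config \
        wget \
    && rm -rf /var/lib/apt/lists/*

# GOPROXY=direct makes the go command fetch modules straight from their source
# repositories instead of a module proxy; go.sum (copied below) is what the
# downloaded modules are checked against.
ARG GOPROXY=direct
# TARGETOS / TARGETARCH select the cross-compilation target and VERSION is
# handed to the Makefile; none of them has a default in this file.
ARG TARGETOS
ARG TARGETARCH
ARG VERSION

WORKDIR /build

# Only the build inputs are copied, not the whole context.
COPY Makefile go.mod go.sum ./
COPY cmd/ cmd/
COPY pkg/ pkg/

RUN make build GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOPROXY=${GOPROXY} VERSION=${VERSION}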
################################################################################
## TARGET IMAGES ##
################################################################################
##
## openstack-cloud-controller-manager
##
# Runtime image: the distroless base, the shared CA bundle and the binary
# produced by the builder stage.
# NOTE(review): no USER is set in this stage, so the process runs as the base
# image's default user - confirm that this is the intended identity.
FROM --platform=${TARGETPLATFORM} ${DISTROLESS_IMAGE} AS openstack-cloud-controller-manager

COPY --from=certs /etc/ssl/certs /etc/ssl/certs
COPY --from=builder /build/openstack-cloud-controller-manager /bin/openstack-cloud-controller-manager

LABEL name="openstack-cloud-controller-manager" \
      license="Apache Version 2.0" \
      maintainers="Kubernetes Authors" \
      description="OpenStack cloud controller manager" \
      distribution-scope="public" \
      summary="OpenStack cloud controller manager" \
      help="none"

CMD ["/bin/openstack-cloud-controller-manager"]
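##
## barbican-kms-plugin
##
FROM --platform=${TARGETPLATFORM} ${ALPINE_IMAGE} AS barbican-kms-plugin

# barbican-kms-plugin uses ALPINE instead of distroless because its entrypoint
# uses a shell for environment substitution. If there are no other uses this
# could be replaced by callers passing arguments explicitly.
COPY --from=builder /build/barbican-kms-plugin /bin/barbican-kms-plugin
COPY --from=certs /etc/ssl/certs /etc/ssl/certs

LABEL name="barbican-kms-plugin" \
      license="Apache Version 2.0" \
      maintainers="Kubernetes Authors" \
      description="Barbican kms plugin" \
      distribution-scope="public" \
      summary="Barbican kms plugin" \
      help="none"

# ${socketpath} and ${cloudconfig} are expanded by sh when the container
# starts, from the container's environment. Both expansions are quoted so that
# a value containing spaces or glob characters stays one argument instead of
# being split into extra command-line arguments. `exec` makes the plugin
# replace the shell as the container's main process, so stop signals reach the
# plugin directly.
# NOTE(review): no USER is set in this stage - confirm the intended identity.
CMD ["sh", "-c", "exec /bin/barbican-kms-plugin --socketpath \"${socketpath}\" --cloud-config \"${cloudconfig}\""]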
##
## cinder-csi-plugin
##
# Step 1 of 3: install the required tools in a Debian image and let
# tools/csi-deps.sh gather the files to ship under /dest (the later stages
# copy /dest from here).
FROM --platform=${TARGETPLATFORM} ${DEBIAN_IMAGE} AS cinder-csi-plugin-utils

RUN clean-install \
    bash \
    btrfs-progs \
    e2fsprogs \
    libcryptsetup-dev \
    libcryptsetup12 \
    libgcc-s1 \
    mount \
    rsync \
    udev \
    util-linux \
    xfsprogs

# The script is invoked by path, so it has to carry its executable bit in the
# build context.
COPY tools/csi-deps.sh /tools/csi-deps.sh
RUN /tools/csi-deps.sh
# Step 2 of 3: build-time self-test. The collected /dest tree is laid over a
# clean distroless base and tools/csi-deps-check.sh is run against it. The
# build has to get through this stage without errors; the stage's own image is
# not used as a result image.
FROM --platform=${TARGETPLATFORM} ${DISTROLESS_IMAGE} AS cinder-csi-plugin-utils-check

COPY --from=cinder-csi-plugin-utils /dest /
# /bin/sh is copied explicitly, so the check can run whether or not /dest
# carries a shell of its own (the contents of /dest are not visible here).
COPY --from=cinder-csi-plugin-utils /bin/sh /bin/sh
COPY tools/csi-deps-check.sh /tools/csi-deps-check.sh

# SHELL deliberately has no "-c": the RUN text is appended to it as a single
# argument, so /bin/sh receives the script path as the file to interpret.
SHELL ["/bin/sh"]
RUN /tools/csi-deps-check.sh
# Step 3 of 3: the small cinder-csi-plugin image, holding only the required
# files.
FROM --platform=${TARGETPLATFORM} ${DISTROLESS_IMAGE} AS cinder-csi-plugin

# Copying csi-deps-check.sh from the check stage gives this image a dependency
# on cinder-csi-plugin-utils-check, so it can only be built once the check has
# passed.
COPY --from=cinder-csi-plugin-utils-check /tools/csi-deps-check.sh /bin/csi-deps-check.sh
# NOTE(review): everything csi-deps.sh placed under /dest (not visible here)
# becomes part of the shipped image - keep that set as small as the plugin
# allows.
COPY --from=cinder-csi-plugin-utils /dest /
COPY --from=builder /build/cinder-csi-plugin /bin/cinder-csi-plugin
COPY --from=certs /etc/ssl/certs /etc/ssl/certs

LABEL name="cinder-csi-plugin" \
      license="Apache Version 2.0" \
      maintainers="Kubernetes Authors" \
      description="Cinder CSI Plugin" \
      distribution-scope="public" \
      summary="Cinder CSI Plugin" \
      help="none"

CMD ["/bin/cinder-csi-plugin"]
##
## k8s-keystone-auth
##
# Runtime image: distroless base, the binary from the builder stage and the
# shared CA bundle.
# NOTE(review): no USER is set in this stage, so the process runs as the base
# image's default user - confirm that this is the intended identity.
FROM --platform=${TARGETPLATFORM} ${DISTROLESS_IMAGE} AS k8s-keystone-auth

COPY --from=builder /build/k8s-keystone-auth /bin/k8s-keystone-auth
COPY --from=certs /etc/ssl/certs /etc/ssl/certs

LABEL name="k8s-keystone-auth" \
      license="Apache Version 2.0" \
      maintainers="Kubernetes Authors" \
      description="K8s Keystone Auth" \
      distribution-scope="public" \
      summary="K8s Keystone Auth" \
      help="none"

# EXPOSE only documents the port; it does not publish it.
EXPOSE 8443

CMD ["/bin/k8s-keystone-auth"]
##
## magnum-auto-healer
##
# Runtime image: distroless base, the binary from the builder stage and the
# shared CA bundle.
# NOTE(review): no USER is set in this stage, so the process runs as the base
# image's default user - confirm that this is the intended identity.
FROM --platform=${TARGETPLATFORM} ${DISTROLESS_IMAGE} AS magnum-auto-healer

COPY --from=builder /build/magnum-auto-healer /bin/magnum-auto-healer
COPY --from=certs /etc/ssl/certs /etc/ssl/certs

LABEL name="magnum-auto-healer" \
      license="Apache Version 2.0" \
      maintainers="Kubernetes Authors" \
      description="Magnum auto healer" \
      distribution-scope="public" \
      summary="Magnum auto healer" \
      help="none"

CMD ["/bin/magnum-auto-healer"]
##
## manila-csi-plugin
##
FROM --platform=${TARGETPLATFORM} ${ALPINE_IMAGE} AS manila-csi-plugin

# manila-csi-plugin is built on Alpine because it needs jq and curl.
# NOTE(review): neither package is version-pinned, so their versions follow
# the Alpine repository at build time. A shell, curl and jq in a runtime image
# also widen what is available inside the container - confirm that the plugin
# still needs them.
RUN apk add --no-cache jq curl

COPY --from=builder /build/manila-csi-plugin /bin/manila-csi-plugin
COPY --from=certs /etc/ssl/certs /etc/ssl/certs

LABEL name="manila-csi-plugin" \
      license="Apache Version 2.0" \
      maintainers="Kubernetes Authors" \
      description="Manila CSI Plugin" \
      distribution-scope="public" \
      summary="Manila CSI Plugin" \
      help="none"

# ENTRYPOINT (not CMD) here: arguments given at run time are appended to the
# plugin's command line.
ENTRYPOINT ["/bin/manila-csi-plugin"]
##
## octavia-ingress-controller
##
# Runtime image: distroless base, the binary from the builder stage and the
# shared CA bundle.
# NOTE(review): no USER is set in this stage, so the process runs as the base
# image's default user - confirm that this is the intended identity.
FROM --platform=${TARGETPLATFORM} ${DISTROLESS_IMAGE} AS octavia-ingress-controller

COPY --from=builder /build/octavia-ingress-controller /bin/octavia-ingress-controller
COPY --from=certs /etc/ssl/certs /etc/ssl/certs

LABEL name="octavia-ingress-controller" \
      license="Apache Version 2.0" \
      maintainers="Kubernetes Authors" \
      description="Octavia ingress controller" \
      distribution-scope="public" \
      summary="Octavia ingress controller" \
      help="none"

CMD ["/bin/octavia-ingress-controller"]