From b881c3bfe9484446f78bcebf5a3c5b59fd9b0ed2 Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Tue, 29 Oct 2024 09:13:30 +0100
Subject: [PATCH 1/2] Improve cacheability of Docker layers and add ca-certs to scratch image

Signed-off-by: Marco Franssen
---
 Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 58964e40ce..4c5c491e08 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,12 +15,13 @@ COPY . .
 RUN make
 
 FROM scratch AS cilium-cli
-COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
 ENTRYPOINT ["cilium"]
+COPY --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
 
 FROM ubuntu:24.04@sha256:99c35190e22d294cdace2783ac55effc69d32896daaa265f0bbedbcde4fbe3e5 AS cilium-cli-ci
-COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
 ENTRYPOINT []
+COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
 
 # Install cloud CLIs. Based on these instructions:
 # - https://cloud.google.com/sdk/docs/install#deb
From 0be3ce5e945b95f4b7820be0dd4a8b88b2538882 Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Tue, 29 Oct 2024 10:07:03 +0100
Subject: [PATCH 2/2] Refactor Dockerfile to use native docker features to target the specific image

Signed-off-by: Marco Franssen
---
 .github/workflows/images.yaml | 22 +++++++++++++---------
 Dockerfile | 15 ++++++---------
 2 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
index 1c6163fe53..da84758122 100644
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
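Review bot: In the `cilium-cli` stage of the Dockerfile hunk in PATCH 1/2, the new `COPY --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` marks the CA bundle executable, although it is a data file that is only ever read. `--chmod=644` drops the execute bits and keeps the file world-readable, so TLS verification still works if the container is started under a non-root UID: `COPY --from=builder --chown=root:root --chmod=644 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/`. A comment above it, such as `# scratch ships no trust store; copy the builder's CA bundle so TLS verification works`, would record why the file is there. Both stages continue outside the hunk.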
@@ -25,8 +25,10 @@ jobs:
 strategy:
 matrix:
 include:
- - name: cilium-cli
+ - name: cilium-cli-ci
 dockerfile: ./Dockerfile
+ platforms: linux/amd64
+
 steps:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
@@ -62,19 +64,20 @@ jobs:
 with:
 context: .
 file: ${{ matrix.dockerfile }}
+ target: ${{ matrix.name }}
+ platforms: ${{ matrix.platforms }}
 push: true
- platforms: linux/amd64
 tags: |
- quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest
- quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
+ quay.io/${{ github.repository_owner }}/${{ matrix.name }}:latest
+ quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}
 
 - name: CI Image Releases digests
 if: ${{ github.event_name != 'pull_request_target' }}
 shell: bash
 run: |
 mkdir -p image-digest/
- echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest@${{ steps.docker_build_ci_main.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
- echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
+ echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}:latest@${{ steps.docker_build_ci_main.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
+ echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
 
 # PR updates
 - name: CI Build ${{ matrix.name }}
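Review bot: The rewritten `echo` lines of the `CI Image Releases digests` step in the `@@ -62,19 +64,20 @@` hunk, and the matching line in the `@@ -84,17 +87,18 @@` hunk, still paste `${{ matrix.name }}`, `${{ steps.tag.outputs.tag }}` and the digest output directly into the `run:` script, so the values become shell source before bash parses them. The step that produces `steps.tag.outputs.tag` is outside both hunks, and the job also runs on `pull_request_target`, so whether that value can carry contributor-influenced text cannot be judged from here. Passing the values through an `env:` map on the step settles it regardless: define `IMAGE`, `TAG` and `DIGEST` there from the same expressions and write `echo "${IMAGE}:${TAG}@${DIGEST}" > "image-digest/${NAME}.txt"`. The step bodies continue outside the hunks.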
@@ -84,17 +87,18 @@ jobs:
 with:
 context: .
 file: ${{ matrix.dockerfile }}
+ target: ${{ matrix.name }}
+ platforms: ${{ matrix.platforms }}
 push: true
- platforms: linux/amd64
 tags: |
- quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
+ quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}
 
 - name: CI Image Releases digests
 if: ${{ github.event_name == 'pull_request_target' }}
 shell: bash
 run: |
 mkdir -p image-digest/
- echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
+ echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
 
 # Upload artifact digests
 - name: Upload artifact digests
diff --git a/Dockerfile b/Dockerfile
index 4c5c491e08..c7c7a292a0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,24 +3,25 @@
 # Copyright Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-# FINAL_CONTAINER specifies the source for the output
-# cilium-cli-ci (default) is based on ubuntu with cloud CLIs
-# cilium-cli is from scratch only including cilium binaries
-ARG FINAL_CONTAINER="cilium-cli-ci"
-
 FROM docker.io/library/golang:1.23.3-alpine3.19@sha256:36cc30986d1f9bc46670526fe6553b078097e562e196344dea6a075e434f8341 AS builder
 WORKDIR /go/src/github.com/cilium/cilium-cli
 RUN apk add --no-cache curl git make ca-certificates
 COPY . .
 RUN make
 
+# cilium-cli is from scratch only including cilium binaries
 FROM scratch AS cilium-cli
 ENTRYPOINT ["cilium"]
+LABEL maintainer="maintainer@cilium.io"
+WORKDIR /root/app
 COPY --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
 
+# cilium-cli-ci is based on ubuntu with cloud CLIs
 FROM ubuntu:24.04@sha256:99c35190e22d294cdace2783ac55effc69d32896daaa265f0bbedbcde4fbe3e5 AS cilium-cli-ci
 ENTRYPOINT []
+LABEL maintainer="maintainer@cilium.io"
+WORKDIR /root/app
 COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
 
 # Install cloud CLIs. Based on these instructions:
@@ -39,7 +40,3 @@ RUN apt-get update -y \
 && ./aws/install \
 && rm -r ./aws awscliv2.zip \
 && curl -sL https://aka.ms/InstallAzureCLIDeb | bash
-
-FROM ${FINAL_CONTAINER}
-LABEL maintainer="maintainer@cilium.io"
-WORKDIR /root/app
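Review bot: Dropping `ARG FINAL_CONTAINER` in the `@@ -3,24 +3,25 @@` hunk (its `FROM ${FINAL_CONTAINER}` stage goes in the next hunk) leaves image selection to `--target` alone, and nothing in the file says so. A build without `--target` produces the last stage, `cilium-cli-ci`, and a caller that still passes `--build-arg FINAL_CONTAINER=cilium-cli` would, as far as this Dockerfile shows, get the Ubuntu image with the cloud CLIs instead of the scratch image. Only `.github/workflows/images.yaml` is updated in this patch, so any other build entry point (Makefile, release workflow), none of which is visible here, should be checked for the old argument. A comment at the top of the file would record the rule, e.g. `# Select the image with --target cilium-cli or --target cilium-cli-ci; an untargeted build yields cilium-cli-ci (the last stage).` Separately, the `cilium-cli` stage gains `WORKDIR /root/app` but still has no `USER` line, so the scratch image runs as root unless the runtime overrides it.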