feat: move the container build process to bake

Closes #6804 Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
cloudnative-pg · Feb 11, 2025 · 9fc4459 · 9fc4459
1 parent 7aaa52d
commit 9fc4459
Show file tree

Hide file tree

Showing 6 changed files with 161 additions and 90 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,36 +1,26 @@
+ARG BASE=gcr.io/distroless/static-debian12:nonroot
+
 # This builder stage it's only because we need a command
 # to create a symlink and reduce the size of the image
 FROM gcr.io/distroless/static-debian12:debug-nonroot AS builder
 ARG TARGETARCH
 
 SHELL ["/busybox/sh", "-c"]
-COPY --chown=nonroot:nonroot --chmod=0755 dist/manager/* bin/
-RUN ln -sf bin/manager_${TARGETARCH} manager
-
-FROM gcr.io/distroless/static-debian12:nonroot
-ARG VERSION="dev"
-ARG TARGETARCH
-
-ENV SUMMARY="CloudNativePG Operator Container Image." \
-    DESCRIPTION="This Docker image contains CloudNativePG Operator." \
-    MAINTAINER="CloudNativePG Contributors."
-
-LABEL summary="$SUMMARY" \
-      description="$DESCRIPTION" \
-      io.k8s.display-name="$SUMMARY" \
-      io.k8s.description="$DESCRIPTION" \
-      name="CloudNativePG Operator" \
-      vendor="$MAINTAINER" \
-      maintainer="$MAINTAINER" \
-      url="https://cloudnative-pg.io/" \
-      version="$VERSION" \
-      release="1"
+COPY --chown=nonroot:nonroot --chmod=0755 dist/manager/* operator/
+RUN ln -sf operator/manager_${TARGETARCH} manager
 
+FROM ${BASE} AS data
 WORKDIR /
-
 # Needs to copy the entire content, otherwise, it will not
 # copy the symlink properly.
 COPY --from=builder /home/nonroot/ .
 USER 65532:65532
-
 ENTRYPOINT ["/manager"]
+
+FROM data AS distroless
+
+FROM data AS ubi
+USER root
+COPY licenses /licenses
+COPY LICENSE /licenses
+USER 65532:65532
diff --git a/Dockerfile-ubi8 b/Dockerfile-ubi8
diff --git a/Dockerfile-ubi9 b/Dockerfile-ubi9
diff --git a/Makefile b/Makefile
@@ -143,7 +143,7 @@ run: generate fmt vet manifests ## Run against the configured Kubernetes cluster
 docker-build: go-releaser ## Build the docker image.
 	GOOS=linux GOARCH=${ARCH} GOPATH=$(go env GOPATH) DATE=${DATE} COMMIT=${COMMIT} VERSION=${VERSION} \
 	  $(GO_RELEASER) build --skip=validate --clean --single-target $(if $(VERSION),,--snapshot)
-	DOCKER_BUILDKIT=1 docker build . -t ${CONTROLLER_IMG} --build-arg VERSION=${VERSION}
+	DOCKER_BUILDKIT=1 VERSION=${VERSION} docker buildx bake --set=*.platform="linux/${ARCH}" --push
 
 docker-push: ## Push the docker image.
 	docker push ${CONTROLLER_IMG}

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -0,0 +1,131 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+variable "environment" {
+  default = "testing"
+  validation {
+    condition = contains(["testing", "production"], environment)
+    error_message = "environment must be either testing or production"
+  }
+}
+
+variable "REGISTRY" {
+  default = "localhost:5000"
+}
+
+variable "INSECURE" {
+        default = "false"
+}
+
+suffix = (environment == "testing") ? "-testing" : ""
+
+variable "VERSION" {
+  default = "dev"
+}
+
+title = "CloudNativePG Operator"
+description = "This Docker image contains CloudNativePG Operator."
+authors = "The CloudNativePG Contributors"
+url = "https://github.com/cloudnative-pg/cloudnative-pg"
+documentation = ""
+license = "Apache-2.0"
+now = timestamp()
+revision = "1"
+
+distros = {
+  distroless = {
+    baseImage = "gcr.io/distroless/static-debian12:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02",
+    tag = ""
+  }
+  ubi = {
+    baseImage = "registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:7e85855f6925e03f91b5c51f07886ff1c18c6ec69b5fc65491428a899da914a2",
+    tag = "-ubi9"
+  }
+}
+
+target "default" {
+  matrix = {
+    distro = [
+      "distroless",
+      "ubi"
+    ]
+  }
+
+  name = "${distro}"
+  platforms = ["linux/amd64", "linux/arm64"]
+  tags = [ "${REGISTRY}/cloudnative-pg${suffix}:${VERSION}${distros[distro].tag}" ]
+
+  dockerfile = "Dockerfile"
+
+  context = "."
+  target = "${distro}"
+
+  args = {
+    BASE = "${distros[distro].baseImage}"
+  }
+
+  output = [
+  "type=registry,registry.insecure=${INSECURE}",
+  ]
+
+  attest = [
+    "type=provenance,mode=max",
+    "type=sbom"
+  ]
+  annotations = [
+    "index,manifest:org.opencontainers.image.created=${now}",
+    "index,manifest:org.opencontainers.image.url=${url}",
+    "index,manifest:org.opencontainers.image.source=${url}",
+    "index,manifest:org.opencontainers.image.version=${VERSION}",
+    "index,manifest:org.opencontainers.image.revision=${revision}",
+    "index,manifest:org.opencontainers.image.vendor=${authors}",
+    "index,manifest:org.opencontainers.image.title=${title}",
+    "index,manifest:org.opencontainers.image.description=${description}",
+    "index,manifest:org.opencontainers.image.documentation=${documentation}",
+    "index,manifest:org.opencontainers.image.authors=${authors}",
+    "index,manifest:org.opencontainers.image.licenses=${license}",
+    "index,manifest:org.opencontainers.image.base.name=${distros[distro].baseImage}",
+    "index,manifest:org.opencontainers.image.base.digest=digest($distros[distro].baseImage)",
+  ]
+  labels = {
+    "org.opencontainers.image.created" = "${now}",
+    "org.opencontainers.image.url" = "${url}",
+    "org.opencontainers.image.source" = "${url}",
+    "org.opencontainers.image.version" = "${VERSION}",
+    "org.opencontainers.image.revision" = "${revision}",
+    "org.opencontainers.image.vendor" = "${authors}",
+    "org.opencontainers.image.title" = "${title}",
+    "org.opencontainers.image.description" = "${description}",
+    "org.opencontainers.image.documentation" = "${documentation}",
+    "org.opencontainers.image.authors" = "${authors}",
+    "org.opencontainers.image.licenses" = "${license}",
+    "org.opencontainers.image.base.name" = "${distros[distro].baseImage}",
+    "org.opencontainers.image.base.digest" = "digest($distros[distro].baseImage)",
+    "name" = "${title}",
+    "maintainer" = "${authors}",
+    "vendor" = "${authors}",
+    "version" = "${VERSION}",
+    "release" = "${revision}",
+    "description" = "${description}",
+    "summary" = "${description}",
+  }
+
+}
+
+function digest {
+  params = [ imageNameWithSha ]
+  result = index(split("@", imageNameWithSha), 1)
+}
diff --git a/hack/setup-cluster.sh b/hack/setup-cluster.sh
@@ -74,6 +74,7 @@ export DOCKER_DEFAULT_PLATFORM
 # Constants
 registry_volume=registry_dev_data
 registry_name=registry.dev
+builder_name=cnpg-builder
 
 # #########################################################################
 # IMPORTANT: here we build a catalog of images that will be needed in the
@@ -361,6 +362,16 @@ check_registry() {
     jq -r ".[].Containers | .[] | select(.Name==\"${registry_name}\") | .Name"
 }
 
+# An existing builder will not have any knowledge of the local registry or the
+# any host outside the builder, but when having the builder inside Kubernetes
+# this is fixed since we already solved the issue of the kubernetes cluster reaching
+# out the local registry. The following functions will handle that builder
+create_builder() {
+  if ! docker buildx inspect "${builder_name}" &>/dev/null; then
+    docker buildx create --name "${builder_name}" --driver kubernetes --use
+  fi
+}
+
 deploy_fluentd() {
   local FLUENTD_IMAGE=fluent/fluentd-kubernetes-daemonset:v1.14.3-debian-forward-1.0
   local FLUENTD_LOCAL_IMAGE="${registry_name}:5000/fluentd-kubernetes-daemonset:local"
@@ -584,6 +595,7 @@ create() {
     sed -i -E -e 's/0\.0\.0\.0/docker/g' "${HOME}/.kube/config"
   fi
 
+  create_builder
   deploy_fluentd
   deploy_csi_host_path
   deploy_prometheus_crds
@@ -619,12 +631,10 @@ load() {
   echo "${bright}Building operator from current worktree${reset}"
 
   CONTROLLER_IMG="$(ENABLE_REGISTRY="${ENABLE_REGISTRY}" print_image)"
-  make -C "${ROOT_DIR}" CONTROLLER_IMG="${CONTROLLER_IMG}" ARCH="${ARCH}" docker-build
+  make -C "${ROOT_DIR}" VERSION=latest REGISTRY="${registry_name}:5000" INSECURE="true" ARCH="${ARCH}" docker-build
 
   echo "${bright}Loading new operator image on cluster ${CLUSTER_NAME}${reset}"
 
-  load_image "${CLUSTER_NAME}" "${CONTROLLER_IMG}"
-
   echo "${bright}Done loading new operator image on cluster ${CLUSTER_NAME}${reset}"
 
   if [[ "${TEST_UPGRADE_TO_V1}" != "false" ]]; then
@@ -638,11 +648,9 @@ load() {
     PRIME_CONTROLLER_IMG="${CONTROLLER_IMG}-prime"
     CURRENT_VERSION=$(make -C "${ROOT_DIR}" -s print-version)
     PRIME_VERSION="${CURRENT_VERSION}-prime"
-    make -C "${ROOT_DIR}" CONTROLLER_IMG="${PRIME_CONTROLLER_IMG}"  VERSION="${PRIME_VERSION}" \
+    make -C "${ROOT_DIR}" REGISTRY="${registry_name}:5000" INSECURE="true" VERSION="${PRIME_VERSION}" \
       ARCH="${ARCH}" docker-build
 
-    load_image "${CLUSTER_NAME}" "${PRIME_CONTROLLER_IMG}"
-
     echo "${bright}Done loading new 'prime' operator image on cluster ${CLUSTER_NAME}${reset}"
   fi
 }
@@ -666,7 +674,7 @@ print_image() {
   if [ -n "${ENABLE_REGISTRY:-}" ] || "check_registry_${ENGINE}"; then
     tag=latest
   fi
-  echo "${registry_name}:5000/cloudnative-pg:${tag}"
+  echo "${registry_name}:5000/cloudnative-pg-testing:${tag}"
 }
 
 export_logs() {
@@ -766,7 +774,7 @@ main() {
   fi
   KUBECTL_VERSION=${KUBECTL_VERSION:-$K8S_VERSION}
 
-  # Only here the K8S_VERSION veriable contains its final value
+  # Only here the K8S_VERSION variable contains its final value
   # so we can set the default cluster name
   CLUSTER_NAME=${CLUSTER_NAME:-pg-operator-e2e-${K8S_VERSION//./-}}