diff --git a/Dockerfile b/Dockerfile
index 9fdd193..6ff0be7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,6 +17,9 @@
 # Build the manager binary
 # Run this with docker build --build-arg builder_image=
 ARG builder_image
+ARG deployment_base_image
+ARG deployment_base_image_tag
+ARG goprivate
 # Build architecture
 ARG ARCH
@@ -32,6 +35,7 @@ WORKDIR /workspace
 ARG goproxy=https://proxy.golang.org
 # Run this with docker build --build-arg package=./controlplane/kubeadm or --build-arg package=./bootstrap/kubeadm
 ENV GOPROXY=$goproxy
+ENV GOPRIVATE=$goprivate
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -39,14 +43,16 @@ COPY go.sum go.sum
 # Cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN --mount=type=cache,target=/go/pkg/mod \
+RUN --mount=type=secret,id=netrc,required=false,target=/root/.netrc \
+ --mount=type=cache,target=/go/pkg/mod \
 go mod download
 # Copy the sources
 COPY ./ ./
 # Cache the go build into the Go’s compiler cache folder so we take benefits of compiler caching across docker build calls
-RUN --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=secret,id=netrc,required=false,target=/root/.netrc \
+ --mount=type=cache,target=/root/.cache/go-build \
 --mount=type=cache,target=/go/pkg/mod \
 go build .
@@ -63,7 +69,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 -o manager ${package}
 # Production image
-FROM gcr.io/distroless/static:nonroot-${ARCH}
+FROM ${deployment_base_image}:${deployment_base_image_tag}
 WORKDIR /
 COPY --from=builder /workspace/manager .
 # Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
diff --git a/Makefile b/Makefile
index c3876fb..7def9e9 100644
--- a/Makefile
+++ b/Makefile
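Review bot: `ENV GOPRIVATE=$goprivate` in the Dockerfile's builder stage will most likely expand to an empty value, because `goprivate` is declared only in the first hunk, ahead of the builder `FROM`, and an ARG declared before the first FROM is visible to FROM lines only. No stage-level re-declaration appears anywhere in this diff, so the build-arg the Makefile passes would never reach `go mod download`. Declaring it inside the stage fixes this: `ARG goprivate` directly above `ENV GOPRIVATE=$goprivate`, next to the existing `ARG goproxy=...`. A short comment there could also state that modules matching GOPRIVATE skip the proxy and the public checksum database, which leaves `go.sum` as their only integrity check.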
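Review bot: The netrc secret in the Dockerfile is mounted for `go mod download` and for `go build .`, but the final `RUN ... -o manager ${package}` step, visible only as the header and first context line of the next hunk, appears to be left without it. The scope should be a deliberate choice: if the module cache is always populated by `go mod download`, the credentials can be limited to that single step, which is the narrower exposure; if a build step may still fetch, the last RUN needs the mount as well. Because `required=false` lets a build without the secret proceed and fail only at fetch time, a comment such as `# netrc is optional; pass --secret id=netrc,src=<path to .netrc> when private modules are needed` would help.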
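Review bot: `FROM ${deployment_base_image}:${deployment_base_image_tag}` hard-codes the `:` separator, so the production base can only be selected by a mutable tag and can never be pinned by digest (`image@sha256:...`). A single argument holding the whole reference, used as `FROM ${deployment_base_image}`, would accept both forms. The two ARGs added in the first hunk also have no default, so a `docker build` that does not go through the Makefile resolves this line to `FROM :`; giving the ARG the previous distroless reference as its default would keep the old behaviour when nothing is overridden.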
@@ -24,7 +24,8 @@ SHELL:=/usr/bin/env bash
 # Go.
 #
 GO_VERSION ?= 1.22.9
-GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
+GO_BASE_CONTAINER ?= docker.io/library/golang
+GO_CONTAINER_IMAGE ?= $(GO_BASE_CONTAINER):$(GO_VERSION)
 # Use GOPROXY environment variable if set
 GOPROXY := $(shell go env GOPROXY)
@@ -33,9 +34,20 @@ GOPROXY := https://proxy.golang.org
 endif
 export GOPROXY
+# Use GOPRIVATE environment variable if set
+GOPRIVATE := $(shell go env GOPRIVATE)
+export GOPRIVATE
+
 # Active module mode, as we use go modules to manage dependencies
 export GO111MODULE=on
+# Base docker images
+
+DOCKERFILE_CONTAINER_IMAGE ?= docker.io/docker/dockerfile:1.4
+DEPLOYMENT_BASE_IMAGE ?= gcr.io/distroless/static
+DEPLOYMENT_BASE_IMAGE_TAG ?= nonroot-${ARCH}
+BUILD_CONTAINER_ADDITIONAL_ARGS ?=
+
 #
 # Kubebuilder.
 #
@@ -387,9 +399,9 @@ manager: ## Build the manager binary into the ./bin folder
 .PHONY: docker-pull-prerequisites
 docker-pull-prerequisites:
- docker pull docker.io/docker/dockerfile:1.4
+ docker pull $(DOCKERFILE_CONTAINER_IMAGE)
 docker pull $(GO_CONTAINER_IMAGE)
- docker pull gcr.io/distroless/static:latest
+ docker pull $(DEPLOYMENT_BASE_IMAGE):$(DEPLOYMENT_BASE_IMAGE_TAG)
 .PHONY: docker-build-all
 docker-build-all: $(addprefix docker-build-,$(ALL_ARCH)) ## Build docker images for all architectures
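Review bot: `BUILD_CONTAINER_ADDITIONAL_ARGS` is introduced under "# Base docker images" with no comment of its own, yet it is spliced into the `docker build` command in the last Makefile hunk and seems to be the only way to hand the `netrc` secret to the Dockerfile. A line such as `# Extra docker build flags, e.g. --secret id=netrc,src=$(HOME)/.netrc for private modules` above it would make that contract visible. The `GOPRIVATE := $(shell go env GOPRIVATE)` block would likewise benefit from a note that it forwards the developer's local Go setting into the image build.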
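Review bot: `docker pull $(DOCKERFILE_CONTAINER_IMAGE)` makes only the pre-pull configurable; if the Dockerfile selects its frontend through a `# syntax=` directive (not part of this diff, so this is an assumption), the build itself will still resolve the original `docker/dockerfile:1.4` reference. With a mirrored or air-gapped registry the override would then not change what BuildKit actually loads. Either document the variable as pull-only, or pass the frontend explicitly on BuildKit versions that support it, e.g. `--build-arg BUILDKIT_SYNTAX=$(DOCKERFILE_CONTAINER_IMAGE)`.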
@@ -399,7 +411,7 @@ docker-build-%:
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Build the docker image for core controller manager
- DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG)
+ DOCKER_BUILDKIT=1 docker build $(BUILD_CONTAINER_ADDITIONAL_ARGS) --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg deployment_base_image=$(DEPLOYMENT_BASE_IMAGE) --build-arg deployment_base_image_tag=$(DEPLOYMENT_BASE_IMAGE_TAG) --build-arg goproxy=$(GOPROXY) --build-arg goprivate=$(GOPRIVATE) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG)
 $(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/default/manager_image_patch.yaml"
 $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/default/manager_pull_policy.yaml"
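Review bot: The new `--build-arg goprivate=$(GOPRIVATE)` value is passed unquoted on the `docker build` line, although GOPRIVATE is a comma-separated list of glob patterns, so the shell may see `*` or `?` and attempt pathname expansion before docker receives the value. Quote the new values the way `ldflags` already is: `--build-arg goprivate="$(GOPRIVATE)"`, and likewise for `deployment_base_image` and `deployment_base_image_tag`. `$(BUILD_CONTAINER_ADDITIONAL_ARGS)` has to stay unquoted so that it splits into flags, which means whoever controls the make environment controls the docker command line; in CI that variable should come from trusted configuration only.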