As all Kaniko variants should be upgraded at once, all following the same specifications, it is easier for maintainers to bump Go or other image dependencies in a single place.
On top of that, there were an issue building `ppc64le` images because of a semantic error on the if condition that checks the arch used.
Signed-off-by: Ferran Vidal <ferran.vidal.p@gmail.com>
As described in #2539, using `go install` with a pinned hash version it installs `1.5.1` in all cases.
This seems to be an issue on the upstream project https://github.com/GoogleCloudPlatform/docker-credential-gcr and how go proxy deals with versions.
As a temporary solution, we download the compiled version from the release artifacts.
Closes#2539
Signed-off-by: Ferran Vidal <ferran.vidal.p@gmail.com>
* Bump the version of ACR credential helper to enable Azure Workload Identity
* Bump ACR credential helper version in go.mod
* remove garbage
* Update vendor
* Fix the /kaniko directory permissions in container
Create /kaniko directory with world permission to allow the creation of
sub directories by any user when the executor is run as non root. This
can lower the security but shouldn't have any impact in a container.
The tar unpack is the only way I found to have a directory with specific
permission as the image is created from "scratch" which doesn't have any
tool to change the permission otherwise.
Fixes#1363
* Avoid blackbox tar file creation
Use the Makefile to create the tar file use to create kaniko directory
in scratch container. This avoid having a "blackbox" binary file with
the empty directory.
* deploy: avoid duplicate certificates in images
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* deploy: use current stable Debian release image
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* Run GitHub Actions on pushes and PRs to main, not master
* fix go install ecr-login, bump to latest v0.6.0
* master -> main in some integration tests
* skip no-ref integration test
* Add s390x support to docker images
1. add s390x support to docker images `executor`, `executor(slim)`,
`executor(debug)` and `warmer`. Fixes#1462 and #1665.
2. Address the building issue of dependency `docker-credential-gcr`
in Dockerfiles. This issue was introduced when recent commits
in `docker-credential-gcr` removed the Makefile.
Signed-off-by: Kun-Lu <kun.lu@ibm.com>
* Add s390x support to all images except debug image
* Add s390x support to images.yaml
* Fix ld64.so.1 not found issue on s390x
* Add a comment for copying /lib from busybox container on s390x
On my machine this makes image rebuilds go from ~5m to 1.5s.
This also required setting DOCKER_BUILDKIT=1 in integration test image
builds.
I also took the opportunity to bump the Go version used in those tests
to Go 1.17 to match the image build processes, and tidied up the
workflow files a bit too (renaming for consistency, typos, whitespace,
etc.)
* cleanup: Correctly use buildx TARGETARCH
* undo changes to Go version
* Use golang:1.17 and build from reproducible source
This change updates the Go version used to build kaniko and credential
helpers to Go 1.17, which uses Go modules by default. This means that we
can build outside of $GOPATH, from source fetched from the Go module
proxy.
This change also simplfies our builds of credential helpers to simply
`go install` them at a pinned version, for reproducibility and
simplicity.
This also changes `make images` and `make push` to build and push the
slim executor image as well.
1. add s390x support to docker images `executor`, `executor(slim)`,
`executor(debug)` and `warmer`. Fixes#1462 and #1665.
2. Address the building issue of dependency `docker-credential-gcr`
in Dockerfiles. This issue was introduced when recent commits
in `docker-credential-gcr` removed the Makefile.
Signed-off-by: Kun-Lu <kun.lu@ibm.com>
Co-authored-by: Kun-Lu <kun.lu@ibm.com>
The Makefile from the `docker-credential-gcr` repo was removed, so all builds were failing. This PR removes the `make` command and pins `docker-credential-gcr` to a specific commit so that this doesn't happen again.
* initial commit
* remove bazel jobs
* fix arch
* more fixes after testing and code review comments
* fix build platform
* add individual cloudbuild.yaml as its taking 45 mins for a cloud build trigger
* add buildx plugin
* add more debugging
* update busybox version to fix CVE-2018-1000500
* fix
* lint + more debug
* fix
* fix
* fix
* remove images from cloudbiuld
* move CI job back to docker
* one more fix
* lets see
* bring it back
* move CI job back to docker
* remove aerg from top
* live restart config
* remove live restore as minikube setup failed
* add --force-systemd
* add --force-systemd and docker driver none
* change the --run flag
* docker info and some logs removed
* fix docker command
* upgrade version for buildx to 0.5.1
* remove docker service from travis.yml and add systemd cgroup config
* move the docker config up
* move them back to docker build
* fix
* fix all dockerfiles
* fix warmer
* fix
* rm bazel jobs
* add more logs
* fix debug
Co-authored-by: ankitm123 <ankitmohapatra123@gmail.com>
This is extenion of current code to build s390x version of kaniko
executor image and add it to multi-arch manifest
Signed-off-by: Yulia Gaponenko <yulia.gaponenko1@de.ibm.com>
During image build we extract archives as root which is
capable to preserve owner and group.
With option `--no-same-owner` we drop all the user and
group information, defaults to current user (root).
To avoid future issues: add option above to all tar
execution.
Fixes#1303
Signed-off-by: Alex Szakaly <alex.szakaly@gmail.com>
dependabot[bot]
Liam Newman
Ferran Vidal
Aaron Prindle
Viacheslav Artamonov
Lukas
claudex
Konstantin Demin
Jason Hall
Kun Lu
ankitm123
Tejal Desai
Anbraten
priyawadhwa
Sascha Schwarze
bahetiamit
Yulia Gaponenko
Chris Mellard
Sladyn
Matt Moore
Pierre-Louis Bonicoli
Alex Szakaly
Tejal Desai