Alauda/v0.13.1

.build/build.yaml

@@ -0,0 +1,188 @@
+apiVersion: builds.katanomi.dev/v1alpha1
+kind: Build
+spec:
+  runTemplate:
+    spec:
+      workspaces:
+        - name: cache
+          persistentVolumeClaim:
+            claimName: build-cache
+          subPath: golang
+  workspaces:
+    - description: |
+        This workspace is shared among all the pipeline tasks to read/write common resources
+      name: source
+    - description: golang cache
+      name: cache
+  tasks:
+    - name: buildkit-oss-version
+      workspaces:
+        - name: source
+          workspace: source
+      taskSpec:
+        description: |
+          generate oss version
+        results:
+          - description: oss version
+            name: oss-version
+        steps:
+          - image: build-harbor.alauda.cn/devops/builder-tools:alpine-v3.8.0
+            name: read-oss-file
+            imagePullPolicy: IfNotPresent
+            workingDir: $(workspaces.source.path)
+            resources:
+              requests:
+                cpu: 100m
+                memory: 100Mi
+            script: |
+              echo "generate oss version"
+              echo -n "$(cat ./buildkit_version| xargs echo -e)"
+              echo -n "$(cat ./buildkit_version| xargs echo -e)" > $(results.oss-version.path)
+        workspaces:
+          - name: source
+            workspace: source
+    - name: build-buildkit-image
+      runAfter:
+        - buildkit-oss-version
+      timeout: 30m
+      retries: 0
+      taskRef:
+        kind: ClusterTask
+        name: alauda-build-image
+      workspaces:
+        - name: source
+          workspace: source
+      params:
+        - name: container-image
+          value: build-harbor.alauda.cn/devops/buildkit
+        - name: container-image-tag
+          value: $(tasks.buildkit-oss-version.results.oss-version)-alpine-$(build.git.lastCommit.shortID)
+        - name: dockerfile
+          value: Dockerfile
+        - name: labels
+          value:
+            - branch=$(build.git.branch)
+            - commit=$(build.git.lastCommit.id)
+        - name: build-extra-args
+          value: >-
+            --build-arg app_version=$(build.git.version.docker) 
+            --build-arg commit_id=$(build.git.lastCommit.id)
+            --build-arg GIT_REVISION=$(build.git.lastCommit.id)
+            --build-arg GIT_VERSION=$(build.git.version.docker)
+            --build-arg RUNC_VERSION=release-1.1
+        - name: platform
+          value:
+            - linux/amd64
+            - linux/arm64
+        - name: tools-image
+          value: registry.alauda.cn:60080/devops/builder-tools:v3.8-0-g377a3f9
+        - name: verbose
+          value: "false"
+    - name: image-scan
+      runAfter:
+        - build-buildkit-image
+      timeout: 30m
+      retries: 0
+      taskRef:
+        kind: ClusterTask
+        name: trivy-image-scan
+      workspaces:
+        - name: source
+          workspace: source
+        - name: cache
+          workspace: cache
+      when: []
+      params:
+        - name: targets
+          value:
+            - $(tasks.build-buildkit-image.results.ociContainerImageBuild-url)
+        - name: quality-gate
+          value: "false"
+        - name: scan-flags
+          value:
+            - vulnerability.ignore-unfixed=true
+            - db.skip-update=false
+            - db.repository=build-harbor.alauda.cn/ops/aquasecurity/trivy-db
+        - name: quality-gate-rules
+          value:
+            - severity=High
+    - name: test-image
+      runAfter:
+        - build-buildkit-image
+      timeout: "1h"
+      workspaces:
+        - name: source
+          workspace: source
+      params:
+        - name: tools-image
+          value: build-harbor.alauda.cn/devops/buildkit:$(tasks.buildkit-oss-version.results.oss-version)-alpine-$(build.git.lastCommit.shortID)
+      taskSpec:
+        params:
+          - name: tools-image
+            description: test image reference
+        volumes:
+          - name: dind-certs
+            emptyDir: {}
+        sidecars:
+          - image: docker-mirrors.alauda.cn/library/docker:20.10-dind
+            name: docker-daemon
+            args:
+              - --storage-driver=overlay2
+              - --userland-proxy=false
+              - --debug
+              - --registry-mirror=https://docker-mirrors.alauda.cn
+            securityContext:
+              privileged: true
+            env:
+              - name: DOCKER_TLS_CERTDIR  # 将生成的证书写入与客户端共享的路径
+                value: /certs
+            resources:
+              requests:
+                cpu: 1000m
+                memory: 2000Mi
+              limits:
+                cpu: 4000m
+                memory: 8000Mi
+            volumeMounts:
+              - mountPath: /certs/client
+                name: dind-certs
+              - mountPath: /workspace/source
+                name: $(workspaces.source.volume)
+            readinessProbe: # 等待 dind daemon 生成它与客户端共享的证书
+              periodSeconds: 1
+              exec:
+                command: [ 'ls', '/certs/client/ca.pem' ]
+        steps:
+          - name: test-run
+            image: registry.alauda.cn:60080/devops/builder-tools:ubuntu-v3.8.1
+            imagePullPolicy: IfNotPresent
+            workingDir: $(workspaces.source.path)
+            timeout: 2.5h
+            resources:
+              requests:
+                cpu: 1000m
+                memory: 2000Mi
+              limits:
+                cpu: 2000m
+                memory: 4000Mi
+            env:
+              - name: DOCKER_HOST
+                value: tcp://localhost:2376
+              - name: DOCKER_TLS_VERIFY
+                value: "1"
+              - name: DOCKER_CERT_PATH
+                value: /certs/client
+            volumeMounts:
+              - mountPath: /certs/client
+                name: dind-certs
+            script: |
+              #!/bin/bash
+              set -e
+              /katanomi/bin/ktn-settings copy docker --always-match=true ~/.docker/config.json
+              cd e2e
+              source ./tools.sh
+              perpare
+              docker run --rm --net=host -v $(pwd):/workspace -v ~/.docker/:/root/.docker/ --privileged --entrypoint /workspace/test.sh $(params.tools-image)
+        workspaces:
+          - name: source
+            workspace: source

CHANGELOG.md

@@ -0,0 +1,7 @@
+# buildkit 变更记录
+
+官方地址：[buildkit](https://github.com/moby/buildkit/tree/v0.13.1)
+
+- 自动识别 http/https 仓库，默认使用insecure client请求。
+  - [DEVOPS-19463](https://jira.alauda.cn/browse/DEVOPS-19463) pull http仓库失败问题
+  - [DEVOPS-19601](https://jira.alauda.cn/browse/DEVOPS-19601) 连接自签名https仓库拉取失败问题

Dockerfile

@@ -1,12 +1,13 @@
-# syntax=docker/dockerfile-upstream:master
+# syntax=docker-mirrors.alauda.cn/docker/dockerfile-upstream:master
 
+ARG MIRROR_REGISTRY=docker-mirrors.alauda.cn
 ARG RUNC_VERSION=v1.1.12
 ARG CONTAINERD_VERSION=v1.7.11
 # containerd v1.6 for integration tests
 ARG CONTAINERD_ALT_VERSION_16=v1.6.24
 ARG REGISTRY_VERSION=v2.8.3
 ARG ROOTLESSKIT_VERSION=v2.0.0
-ARG CNI_VERSION=v1.3.0
+ARG CNI_VERSION=v1.5.1
 ARG STARGZ_SNAPSHOTTER_VERSION=v0.15.1
 ARG NERDCTL_VERSION=v1.6.2
 ARG DNSNAME_VERSION=v1.3.1
@@ -17,8 +18,9 @@ ARG AZURITE_VERSION=3.18.0
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG DELVE_VERSION=v1.21.0
 
-ARG GO_VERSION=1.21
+ARG GO_VERSION=1.23
 ARG ALPINE_VERSION=3.19
+ARG ALPINE_IMAGE=build-harbor.alauda.cn/ops/alpine
 ARG XX_VERSION=1.4.0
 ARG BUILDKIT_DEBUG
 
@@ -28,22 +30,22 @@ FROM minio/mc:${MINIO_MC_VERSION} AS minio-mc
 
 # alpine base for buildkit image
 # TODO: remove this when alpine image supports riscv64
-FROM alpine:${ALPINE_VERSION} AS alpine-amd64
-FROM alpine:${ALPINE_VERSION} AS alpine-arm
-FROM alpine:${ALPINE_VERSION} AS alpine-arm64
-FROM alpine:${ALPINE_VERSION} AS alpine-s390x
-FROM alpine:${ALPINE_VERSION} AS alpine-ppc64le
-FROM alpine:edge@sha256:2d01a16bab53a8405876cec4c27235d47455a7b72b75334c614f2fb0968b3f90 AS alpine-riscv64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-amd64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-arm
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-arm64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-s390x
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-ppc64le
+FROM ${ALPINE_IMAGE}:edge@sha256:2d01a16bab53a8405876cec4c27235d47455a7b72b75334c614f2fb0968b3f90 AS alpine-riscv64
 FROM alpine-$TARGETARCH AS alpinebase
 
 # xx is a helper for cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+FROM --platform=$BUILDPLATFORM ${MIRROR_REGISTRY}/tonistiigi/xx:${XX_VERSION} AS xx
 
 # go base image
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golatest
+FROM --platform=$BUILDPLATFORM ${MIRROR_REGISTRY}/library/golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golatest
 
 # git stage is used for checking out remote repository sources
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS git
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS git
 RUN apk add --no-cache git
 
 # gobuild is base stage for compiling go/cgo
@@ -164,7 +166,7 @@ RUN --mount=from=dnsname-src,src=/usr/src/dnsname,target=.,rw \
     CGO_ENABLED=0 xx-go build -o /usr/bin/dnsname ./plugins/meta/dnsname && \
     xx-verify --static /usr/bin/dnsname
 
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS cni-plugins
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS cni-plugins
 RUN apk add --no-cache curl
 COPY --from=xx / /
 ARG CNI_VERSION
@@ -185,10 +187,12 @@ COPY --link --from=cni-plugins /opt/cni/bin/firewall /buildkit-cni-firewall
 FROM scratch AS cni-plugins-export-squashed
 COPY --from=cni-plugins-export / /
 
+FROM ${MIRROR_REGISTRY}/tonistiigi/binfmt:buildkit-v7.1.0-30@sha256:45dd57b4ba2f24e2354f71f1e4e51f073cb7a28fd848ce6f5f2a7701142a6bf0 AS binfmt
+
 FROM scratch AS binaries-linux
 COPY --link --from=runc /usr/bin/runc /buildkit-runc
 # built from https://github.com/tonistiigi/binfmt/releases/tag/buildkit%2Fv7.1.0-30
-COPY --link --from=tonistiigi/binfmt:buildkit-v7.1.0-30@sha256:45dd57b4ba2f24e2354f71f1e4e51f073cb7a28fd848ce6f5f2a7701142a6bf0 / /
+COPY --link --from=binfmt / /
 COPY --link --from=cni-plugins-export-squashed / /
 COPY --link --from=buildctl /usr/bin/buildctl /
 COPY --link --from=buildkitd /usr/bin/buildkitd /
@@ -208,7 +212,7 @@ FROM binaries-$TARGETOS AS binaries
 # enable scanning for this stage
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS releaser
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS releaser
 RUN apk add --no-cache tar gzip
 WORKDIR /work
 ARG TARGETPLATFORM
@@ -220,7 +224,7 @@ FROM scratch AS release
 COPY --link --from=releaser /out/ /
 
 FROM alpinebase AS buildkit-export
-RUN apk add --no-cache fuse3 git openssh pigz xz iptables ip6tables \
+RUN apk add --no-cache fuse3 git openssh pigz xz iptables ip6tables bash skopeo \
   && ln -s fusermount3 /usr/bin/fusermount
 COPY --link examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
 VOLUME /var/lib/buildkit

buildkit_version

@@ -0,0 +1 @@
+v0.13.1

catalog.yaml

@@ -0,0 +1,26 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: buildkit
+  title: buildkit
+  description: Buildkit 是一个高效的构建镜像的工具，该镜像基于官方版本做了若干参数的调整定制。
+  annotations:
+    # gitlab plugin
+    gitlab.com/project-slug: devops/builder-buildkit
+    gitlab.com/instance: gitlab-ce.alauda.cn
+    # acp cicd plugin
+    acp.cpaas.io/ci-pipeline: devops/business-build/tools/builder-buildkit
+    acp.cpaas.io/instance: edge.alauda.cn
+    # harbor plugin
+    goharbor.io/repository-slug: devops/buildkit
+    # sonarqube plugin
+    sonarqube.org/project-key: ""
+    # backstage techdocs plugin
+    backstage.io/techdocs-ref: dir:./buildkit-v0.10.4
+    acp.cpaas.io/owner: [email protected]
+
+spec:
+  type: tools
+  system: system:katanomi-system
+  lifecycle: production
+  owner: devops

e2e/Dockerfile

@@ -0,0 +1,7 @@
+ARG FROM_IMAGE=registry.alauda.cn:60080
+
+FROM ${FROM_IMAGE}/ops/alpine:3
+COPY Dockerfile .
+
+
+

e2e/certs/domain.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE7DCCAtQCCQCRFDmZ5nbJSTANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJj
+cTELMAkGA1UECAwCY3ExCzAJBgNVBAcMAmNxMQ8wDQYDVQQKDAZhbGF1ZGEwHhcN
+MjQwNDA4MDcxNDI1WhcNMjUwNDA4MDcxNDI1WjA4MQswCQYDVQQGEwJjcTELMAkG
+A1UECAwCY3ExCzAJBgNVBAcMAmNxMQ8wDQYDVQQKDAZhbGF1ZGEwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQC98eorsKlIURK8CD/kRrq1XZfvMdeY9V/5
+oki8gUUJMvIZe3vTG7qFgr1He+tGxl0PK7M1/QrVVTGxovO+98kd5U7TE5w74OAo
+2jNBhRZ/cPUEQjKy4wbM0EyTAqtAuDkr2MKXToZQ3P2kSEo8p3lhsArlYXkRrWS3
+d3hQKpcej9NLK9FQerAdyRMzjVdl6VhZ5erjU+xBO/VI5PEyrFVF3RoRGmRwy8Bn
+WgUEPSl5IMCg6yZhg0YSoioi0OSXAIaj77CAm1UD7Yn18r4vl/eI2mi5dYYuNzqt
+Wo9p3NubwD/ZcG3MtewviUNJdTsjl/SwQJTGUjUizYyN7XosyhlCgFFUukFCsVGr
+Vc0M7TU4Ov+jAyKILRNscwJC+38aCS4OivVj4zLsDFiFREUJei4IuxWKZhupM2a9
+BenSuk6RITOE5siml5mAt9NSPADBLHAzDu/vrTudzmvUTDVA524xTjMzfTPC9PdD
+/WSbhl9MOIGCW7S4RMdU63xUHcS2aUviRttjSrIHQB0/pQURKOI9ZfYGhHWiFtjE
+ErwpCm/VTsEHRuJ5pULS4bnoUF2dfl3hg21tPhtKrLqtbKSR3SS2e1gFAkb6Wl4z
+SRBPT/wyFmXGrlhQhl9t9bU634MorkPgE6eFvAz+TPVY+BC0Khs+7k4aahSuN+5z
+ZXHzWbOToQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQA3b6BSiaSMpz+iNEYstg3E
+rDgrYmFZ/Td+58A89B/e9WUv9albnKZyf3RtYF0O/HuJ3gIfq7DBvV4aLMwsNfP7
+m5loF2ZWYEAc5/EZ+ZS/jm+Y0xPdCUWj90AoH9aZhSlpxrY+1mwokzUd7pR4qulC
+UfYcQ1Q+Rhst0VaMdwM0uq2BCxShcE5scYCfjbFMKAFoFlaGOiyKUYKIxe42ND/G
+UD3Kh48Um/feKsx0y7MfN/dvl9Qvr0rUPjM5ZPKmy3CQvjAxUAmUvYO+HgYGYRo7
+PqSr7DAfdIbN5PZfkyQFhUvy5PONqQs28g/Ad1qinduMnOYK6nQhsqk4SSEf2bbK
+R3AQ5WH+EOl3Irbai71oC/WZ0x4EgqHZN9SL/RGpy4aFOKqpBzhChqro6xxOoAu8
+Rh9ezL8hAR0/lhhSfu/XfSjVuN08hzZTDfbuvCCt55v8l/O2cfRrMccgC2mzrLnH
+WkD8fwvkX7lKCRVk8zGNlNrAKuwK+8+bO3B97AxjBA7Nv+mm6HYKk3mf6fpQMFAk
+IlpR/GbUB6bHMOynhC3xZ3nevJVhyPzHxY7ENR7M0P9c+UDy7MJdIFtVAgRqFXdn
+O4g8MYFaz0luiOWpITI6jlNEXvV92sdUX/Zzc3Q1ljqARPoRwFykXI71gPrhOli0
+rd8FH4ceNfAsbJO6IBPkaQ==
+-----END CERTIFICATE-----