Build image with ko #2955
Codecov Report
Base: 54.07% // Head: 54.01% // Decreases project coverage by
Additional details and impacted files
@@ Coverage Diff @@
## main #2955 +/- ##
==========================================
- Coverage 54.07% 54.01% -0.06%
==========================================
Files 144 144
Lines 8301 8312 +11
==========================================
+ Hits 4489 4490 +1
- Misses 3484 3494 +10
Partials 328 328
7c1a05a to e65c2fa
/retest
I strongly support this! Building LBC is a bit prohibitive right now.
Thanks for the contribution, I will look into these changes post the v2.4.6 patch release.
/retest
I have two items I'm trying to work through at the moment:
- ability to save to tarball, the --tarball flag to build command appears to be the way to go
- Configuring a base image. The ko build appears to use a debian based image, I'm not certain if there is a fixed image per ko version, or it depends on the latest one available at the time of the build. I'm also interested to see how we can address the base image CVEs.
hack/install-ko.sh
if ! command -v ko &> /dev/null; then | ||
cd "$(dirname "${BASH_SOURCE[0]}")" || exit 1 | ||
go install github.com/google/ko@v0.12.0 |
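Review bot: the `command -v ko` guard on the first line only checks that some ko binary is on PATH, not that it is the v0.12.0 pinned on the `go install` line, so a machine with a different ko already installed silently builds the image with that version. Compare the output of `ko version` against the pin, or install into a repo-local bin directory and invoke that binary explicitly. The `cd` before `go install` also looks unnecessary for the install itself, since installing a `pkg@version` target does not read the go.mod of the current directory.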
It failed for me with the following error:
go: downloading github.com/go-openapi/analysis v0.21.3
../../go/pkg/mod/github.com/go-openapi/validate@v0.22.0/spec.go:23:2: github.com/go-openapi/analysis@v0.21.3: verifying module: checksum mismatch
downloaded: h1:vR88pR69D/jGh02vPbT4qoxiG+p9e5uT75JJG3O1JIU=
sum.golang.org: h1:CPEa+B2oYCkb+lIKB4xP6Ork8Gvh0GNg9dm/twI3+QA=
I was able to install v0.11.2 and run the tests
You're apparently not the first to run across this. I found go-openapi/analysis#81
Filed ko-build/ko#940
Shall I back off to v0.11.2?
Let's back off to v0.11.2, we can update in future
@@ -153,8 +153,6 @@ spec: | |||
value: "{{ $value }}" | |||
{{- end }} | |||
{{- end }} | |||
command: | |||
- /controller |
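Review bot: removing `command:` / `- /controller` from the container spec makes the pod start whatever entrypoint the image declares, so this template and the image build are now coupled and have to be upgraded together. Manifests that still set `/controller` will fail to start against the new image if it has no binary at that path. Call the change out in the chart's upgrade notes and bump the chart version in the same release so the two cannot be mixed unnoticed.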
Is there a standard entrypoint for ko built container images?
Yes. See the last sentence of https://ko.build/get-started
Thanks. The entrypoint change will introduce backwards incompatibility with the existing manifests, we will release note it.
n=$((n + 1)) | ||
sleep 2 | ||
done | ||
make docker-push IMG=${CONTROLLER_IMAGE_NAME} IMG_PLATFORM=linux/amd64 |
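Review bot: `IMG_PLATFORM=linux/amd64` on the `make docker-push` line is hard-coded, so this script only ever builds and pushes the amd64 image and a break in another architecture's build would not show up here. Consider taking the platform from an environment variable that defaults to linux/amd64. As a style point, `${CONTROLLER_IMAGE_NAME}` is expanded unquoted on the same line; write `IMG="${CONTROLLER_IMAGE_NAME}"` so an empty or space-containing value cannot change how make parses its arguments.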
would this not affect the multi-arch tests?
The old code specified --platform linux/amd64 so I preserved that behavior.
The base image is Information on overriding the base image is at https://ko.build/configuration/#overriding-base-images I doubt we'd be faster at fixing CVEs than Chainguard.
Did you want a make target to create a tarball? Should that be instead of or in addition to pushing to a registry?
Let's use
This is a separate requirement for publishing the official ECR images. We can revisit it when it is time to publish the v2.5.0 images.
Please preserve the existing ldflags and the build flags to the extent possible/necessary, especially the version information.
Is there any particular reason to use CGO? It doesn't appear to be needed.
This configuration removes a whole swath of attack surface by disabling CGO.
We don't need it, let's remove it
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: johngmyers, kishorj
* Build image with ko
* Downgrade to ko v0.11.2
* Use eks-distro-minimal-base-nonroot as base image
* Specify ko build options
Issue
N/A
Description
Uses ko to build the LBC image.
Reduces build time significantly and increases build reliability. Previously builds would take 15 minutes to over 2 hours and would fail about 3 out of 4 times, both because of the go mod download in the Dockerfile.