Build image with ko

[johngmyers]

Issue

N/A

Description

Uses ko to build the LBC image.

Reduces build time significantly and increases build reliability. Previously builds would take 15 minutes to over 2 hours and would fail about 3 out of 4 times, both because of the go mod download in the Dockerfile.

Checklist

• N/A Added tests that cover your change (if possible)
• N/A Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[codecov-commenter]

Codecov Report

Base: 54.07% // Head: 54.01% // Decreases project coverage by -0.06% ⚠️

Coverage data is based on head (28b7f84) compared to base (a92e689).
Patch has no changes to coverable lines.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2955      +/-   ##
==========================================
- Coverage   54.07%   54.01%   -0.06%     
==========================================
  Files         144      144              
  Lines        8301     8312      +11     
==========================================
+ Hits         4489     4490       +1     
- Misses       3484     3494      +10     
  Partials      328      328              

Impacted Files	Coverage Δ
pkg/config/controller_config.go	15.38% <0.00%> (-2.48%)	⬇️
pkg/ingress/model_builder.go	63.90% <0.00%> (-0.32%)	⬇️
pkg/service/model_builder.go	88.29% <0.00%> (+0.12%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[johngmyers]

/retest

[olemarkus]

I strongly support this! Building LBC is a bit prohibitive right now.

[kishorj]

Thanks for the contribution, I will look into this changes post the v2.4.6 patch release.

[johngmyers]

/retest

[kishorj]

I have two items I'm trying to work through at the moment:

1. ability to save to tarball, the --tarball flag to build command appears to be the way to go
2. Configuring a base image. The ko build appears to use a debian based image, I'm not certain if there is a fixed image per ko version, or it depends on the latest one available at the time of the build. I'm also interested to see how we can address the base image CVEs.

[kishorj]

It failed for me with the following error:

go: downloading github.com/go-openapi/analysis v0.21.3
../../go/pkg/mod/github.com/go-openapi/validate@v0.22.0/spec.go:23:2: github.com/go-openapi/analysis@v0.21.3: verifying module: checksum mismatch
	downloaded: h1:vR88pR69D/jGh02vPbT4qoxiG+p9e5uT75JJG3O1JIU=
	sum.golang.org: h1:CPEa+B2oYCkb+lIKB4xP6Ork8Gvh0GNg9dm/twI3+QA=

I was able to install v0.11.2 and run the tests

[johngmyers]

You're apparently not the first to run across this. I found go-openapi/analysis#81

[johngmyers]

Filed ko-build/ko#940

[johngmyers]

Shall I back off to v0.11.2?

[kishorj]

lets back off to v0.11.2, we can update in future

[kishorj]

Is there a standard entrypoint for ko built container images?

[johngmyers]

Yes. See the last sentence of https://ko.build/get-started

[kishorj]

Thanks. The entrypoint change will introduce backwards incompatibility with the existing manifests, we will release note it.

[kishorj]

would this not affect the multi-arch tests?

[johngmyers]

The old code specified --platform linux/amd64 so I preserved that behavior.

[johngmyers]

The base image is cgr.dev/chainguard/static and it takes what is the latest at the time of build.

Information on overriding the base image is at https://ko.build/configuration/#overriding-base-images

I doubt we'd be faster at fixing CVEs than Chainguard.

[johngmyers]

Did you want a make target to create a tarball? Should that be instead of or in addition to pushing to a registry?

[kishorj]

The base image is cgr.dev/chainguard/static and it takes what is the latest at the time of build.

Information on overriding the base image is at https://ko.build/configuration/#overriding-base-images

I doubt we'd be faster at fixing CVEs than Chainguard.

Lets use public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2022-07-27-1658910674.2 as the base image. Since the base image is internal, it will help us meet the SLAs for addressing the CVEs.

[kishorj]

Did you want a make target to create a tarball? Should that be instead of or in addition to pushing to a registry?

This is a separate requirement for publishing the official ECR images. We can revisit it when it is time to publish the v2.5.0 images.

[kishorj]

Please preserve the existing ldflags and the build flags to the extent possible/necessary, especially the version information.

[johngmyers]

Is there any particular reason to use CGO? It doesn't appear to be needed.

[johngmyers]

This configuration removes a whole swath of attack surface by disabling CGO.

[kishorj]

Is there any particular reason to use CGO? It doesn't appear to be needed.

We don't need, lets remove it

[kishorj]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johngmyers, kishorj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [kishorj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment