Use golang:1.17 and build from reproducible source

Makefile

@@ -95,10 +95,12 @@ k8s-executor-build-push:
 images:
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile .
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:debug -f deploy/Dockerfile_debug .
+	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:slim -f deploy/Dockerfile_slim .
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/warmer:latest -f deploy/Dockerfile_warmer .
 
 .PHONY: push
 push:
 	docker push $(REGISTRY)/executor:latest
 	docker push $(REGISTRY)/executor:debug
+	docker push $(REGISTRY)/executor:slim
 	docker push $(REGISTRY)/warmer:latest

deploy/Dockerfile

@@ -12,47 +12,30 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Builds the static Go image to execute in a Kubernetes job
+FROM golang:1.17
+WORKDIR /src
 
-FROM golang:1.15
-ARG GOARCH=amd64
-WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
+# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.)
+ARG TARGETARCH
 
-RUN echo $GOARCH > /goarch
-
-#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc.
-ARG TARGETPLATFORM
-
-#Capture ARCH has write to /goarch
-RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM |  awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH"
+ENV GOARCH=$TARGETARCH
+ENV CGO_ENABLED=0
+ENV GOBIN=/usr/local/bin
 
 # Get GCR credential helper
-RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \
-  (mkdir -p /go/src/github.com/GoogleCloudPlatform || true)                  && \
-  cd /go/src/github.com/GoogleCloudPlatform                                  && \
-  git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \
-  cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr            && \
-  git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8                      && \
-  go get -u -t ./...                                                         && \
-  go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go
-
+RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8
 
 # Get Amazon ECR credential helper
-RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \
-  make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper
+RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@v0.4.0
 
-# ACR docker env credential helper
-RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true)   && \
-  cd /go/src/github.com/chrismellard                                              && \
-  git clone https://github.com/chrismellard/docker-credential-acr-env             && \
-  cd  docker-credential-acr-env                                                   && \
-  make build
+# Get ACR docker env credential helper
+RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419
 
 # Add .docker config dir
 RUN mkdir -p /kaniko/.docker
 
 COPY . .
-RUN make GOARCH=$(cat /goarch)
+RUN make GOARCH=$TARGETARCH
 
 # Generate latest ca-certificates
 
@@ -64,10 +47,10 @@ RUN \
   cat /etc/ssl/certs/* > /ca-certificates.crt
 
 FROM scratch
-COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
+COPY --from=0 /src/out/executor /kaniko/executor
 COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
-COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
-COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
+COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
+COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr
 COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
 COPY --from=0 /kaniko/.docker /kaniko/.docker
 COPY files/nsswitch.conf /etc/nsswitch.conf
@@ -79,4 +62,4 @@ ENV DOCKER_CONFIG /kaniko/.docker/
 ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
 WORKDIR /workspace
 
-ENTRYPOINT ["/kaniko/executor"]
+ENTRYPOINT ["/kaniko/executor"]

deploy/Dockerfile_debug

@@ -12,50 +12,31 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Builds the static Go image to execute in a Kubernetes job
+FROM golang:1.17
+WORKDIR /src
 
-# Stage 0: Build the executor binary and get credential helpers
-FROM golang:1.14
-ARG GOARCH=amd64
-WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
-RUN echo $GOARCH > /goarch
-
-#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc.
-ARG TARGETPLATFORM
-
-#Capture ARCH has write to /goarch
-RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM |  awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH"
-RUN echo "I am runninng $TARGETPLATFORM with with $(cat /goarch)"
-RUN cat /goarch
+# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.)
+ARG TARGETARCH
 
+ENV GOARCH=$TARGETARCH
+ENV CGO_ENABLED=0
+ENV GOBIN=/usr/local/bin
 
 # Get GCR credential helper
-RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \
-  (mkdir -p /go/src/github.com/GoogleCloudPlatform || true)                  && \
-  cd /go/src/github.com/GoogleCloudPlatform                                  && \
-  git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \
-  cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr            && \
-  git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8                      && \
-  go get -u -t ./...                                                         && \
-  go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go
-
+RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8
 
 # Get Amazon ECR credential helper
-RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \
-  make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper
+RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@v0.4.0
 
-# Azure docker env credential helper
-RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true)   && \
-  cd /go/src/github.com/chrismellard                                              && \
-  git clone https://github.com/chrismellard/docker-credential-acr-env             && \
-  cd  docker-credential-acr-env                                                   && \
-  make build
+# Get ACR docker env credential helper
+RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419
 
 # Add .docker config dir
 RUN mkdir -p /kaniko/.docker
 
 COPY . .
-RUN make GOARCH=$(cat /goarch) && make GOARCH=$(cat /goarch) out/warmer
+RUN make GOARCH=$TARGETARCH
+RUN make GOARCH=$TARGETARCH out/warmer
 
 # Generate latest ca-certificates
 
@@ -67,11 +48,11 @@ RUN \
   cat /etc/ssl/certs/* > /ca-certificates.crt
 
 FROM scratch
-COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/* /kaniko/
-COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer
+COPY --from=0 /src/out/executor /kaniko/executor
+COPY --from=0 /src/out/warmer /kaniko/warmer
 COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
-COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
-COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
+COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
+COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr
 COPY --from=busybox:1.32.0 /bin /busybox
 # Declare /busybox as a volume to get it automatically in the path to ignore
 VOLUME /busybox

deploy/Dockerfile_slim

@@ -13,21 +13,15 @@
 # limitations under the License.
 
 # Builds the static Go image to execute in a Kubernetes job
-FROM golang:1.15 as build_env
-ARG GOARCH=amd64
-RUN echo $GOARCH > /goarch
+FROM golang:1.17
 
-#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc.
-ARG TARGETPLATFORM
+# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.)
+ARG TARGETARCH
 
-#Capture ARCH has write to /goarch
-RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM |  awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH"
-RUN echo "I am runninng $TARGETPLATFORM with $(cat /goarch)"
-
-WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
+WORKDIR /src
 COPY . .
 
-RUN make GOARCH=$(cat /goarch)
+RUN make GOARCH=$TARGETARCH
 
 # Generate latest ca-certificates
 
@@ -39,7 +33,7 @@ RUN \
   cat /etc/ssl/certs/* > /ca-certificates.crt
 
 FROM scratch
-COPY --from=build_env /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
+COPY --from=0 /src/out/executor /kaniko/executor
 COPY files/nsswitch.conf /etc/nsswitch.conf
 COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
 ENV HOME /root

deploy/Dockerfile_warmer

@@ -12,47 +12,30 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Builds the static Go image to execute in a Kubernetes job
+FROM golang:1.17
+WORKDIR /src
 
-FROM golang:1.15
-ARG GOARCH=amd64
-WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
-RUN echo $GOARCH > /goarch
+# This arg is passed by docker buildx & contains the target CPU architecture (e.g., amd64, arm64, etc.)
+ARG TARGETARCH
 
-#This arg is passed by docker buildx & contains the platform info in the form linux/amd64, linux/ppc64le etc.
-ARG TARGETPLATFORM
-
-#Capture ARCH has write to /goarch
-RUN [ ! "x" = "x$TARGETPLATFORM" ] && `echo $TARGETPLATFORM |  awk '{split($0,a,"/"); print a[2]}' > /goarch` || echo "$GOARCH"
-RUN echo "I am runninng $TARGETPLATFORM with $(cat /goarch)"
+ENV GOARCH=$TARGETARCH
+ENV CGO_ENABLED=0
+ENV GOBIN=/usr/local/bin
 
 # Get GCR credential helper
-RUN GOARCH=$(cat /goarch) && CGO_ENABLED=0 && \
-  (mkdir -p /go/src/github.com/GoogleCloudPlatform || true)                  && \
-  cd /go/src/github.com/GoogleCloudPlatform                                  && \
-  git clone https://github.com/GoogleCloudPlatform/docker-credential-gcr.git && \
-  cd /go/src/github.com/GoogleCloudPlatform/docker-credential-gcr            && \
-  git checkout 4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8                      && \
-  go get -u -t ./...                                                         && \
-  go build -ldflags "-linkmode external -extldflags -static" -i -o /usr/local/bin/docker-credential-gcr main.go
-
+RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@4cdd60d0f2d8a69bc70933f4d7718f9c4e956ff8
 
 # Get Amazon ECR credential helper
-RUN GOARCH=$(cat /goarch) && go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login && \
-  make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper
+RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@v0.4.0
 
-# ACR docker env credential helper
-RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true)   && \
-  cd /go/src/github.com/chrismellard                                              && \
-  git clone https://github.com/chrismellard/docker-credential-acr-env             && \
-  cd  docker-credential-acr-env                                                   && \
-  make build
+# Get ACR docker env credential helper
+RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419
 
 # Add .docker config dir
 RUN mkdir -p /kaniko/.docker
 
 COPY . .
-RUN  make GOARCH=$(cat /goarch) out/warmer
+RUN make GOARCH=$TARGETARCH out/warmer
 
 # Generate latest ca-certificates
 
@@ -64,10 +47,10 @@ RUN \
   cat /etc/ssl/certs/* > /ca-certificates.crt
 
 FROM scratch
-COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer
+COPY --from=0 /src/out/warmer /kaniko/warmer
 COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
-COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
-COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
+COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
+COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr
 COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
 COPY --from=0 /kaniko/.docker /kaniko/.docker
 COPY files/nsswitch.conf /etc/nsswitch.conf